Vulvet: Vetting of Vulnerabilities in Android Apps to Thwart Exploitation


Abstract

Data security and privacy of Android users is one of the challenging security problems addressed by the security research community. A major source of the security vulnerabilities in Android apps is attributed to bugs within source code, insecure APIs, and unvalidated code before performing sensitive operations. Specifically, the major classes of app vulnerabilities relate to categories such as inter-component communication (ICC), networking, web, cryptographic APIs, storage, and runtime-permission validation. A major portion of current contributions focuses on identifying a smaller subset of vulnerabilities. In addition, these methods do not discuss how to remove detected vulnerabilities from the affected code. In this work, we propose a novel vulnerability detection and patching framework, Vulvet, which employs static analysis approaches from different domains of program analysis to detect a wide range of vulnerabilities in Android apps. We propose an additional light-weight technique, FP-Validation, to mitigate the false positives that arise from over-approximation, in comparison to existing solutions. In addition to improved detection, Vulvet provides automated patching of apps with safe code for each identified vulnerability using bytecode instrumentation. We implement Vulvet as an extension of Soot. To demonstrate the efficiency of our proposed framework, we analyzed 3,700 apps collected from various stores and benchmarks consisting of various weak implementations. Our results indicate that Vulvet is able to achieve vulnerability detection with 95.23% precision and 0.975 F-measure on benchmark apps, a significant improvement in comparison to recent works, along with successful patching of identified vulnerabilities.

Gajrani, J., Tripathi, M., Laxmi, V., Somani, G., Zemmari, A., & Gaur, M. S. (2020). Vulvet: Vetting of Vulnerabilities in Android Apps to Thwart Exploitation. Digital Threats: Research and Practice, 1(2). https://doi.org/10.1145/3376121
