Secure Android Code Helper (Sach): A Tool For Assisting Secure Android Application Development
Abstract
Mobile devices now store a lot of sensitive data. With many users adapting to the technical advancement of mobile devices, security of the user's sensitive data becomes imperative. Security vulnerabilities in the mobile apps will lead to leakage of user's sensitive data. The goal of this research is to propose a tool to help programmers create secure Android applications. The tool will warn developers about specific classes or methods that include security vulnerabilities such as data leakage and access control vulnerabilities. The tool analyzes Android source code using two approaches: 1) Parse the source code and XML to report vulnerabilities based on CERT secure coding rules for Android application development and 2) Run FlowDroid on source code, parse the output of FlowDroid and look for device ID, GPS location data being leaked to a log file or through implicit intent. The results from these approaches are combined into reports that inform developers of security vulnerabilities. The proof of concept of the tool has been implemented and tested. Future work includes completing implementation of the tool and running tests on a large number of source codes to evaluate its effectiveness.