PolyU research: Android app developers should have security mindset

Android app developers not only need to build secure apps but also ones that adh

Mobile developers should be trained how to build secure apps. This was one of the key recommendations of Dr. Daniel Xiapu Luo, research assistant professor at The Hong Kong Polytechnic University (PolyU).

“Given the limited time and resources allocated for testing, it is difficult to identify all vulnerabilities. And developers may not know how to create secure apps,” Luo told Computerworld Hong Kong.

Luo spearheaded a research project that conducted a security assessment of Android apps. The project earned Dr. Luo a place among the honorees of the 11th Annual Asia Pacific Information Security Leadership Achievements (Asia Pacific ISLA) awards, recently presented in Hong Kong and hosted by (ISC)2.

The first phase of the project spanned nearly four years from 2013 to early 2017 and focused on the creation of the platform for analysis of the security of Android mobile apps.

According to Luo, the results of the security assessment of about 500,000 Android apps worldwide showed that many of them have vulnerabilities that could be exploited by malware, and that they did not pass the rigorous security checks that were part of the project.

“By using our tool (i.e., VulHunter) to scan 557 randomly collected apps, each of which has at least 1 million installations, we found that 375 apps (67.3%) have at least one vulnerability,” he noted.

Using new security tools

Under the guidance of Dr. Luo, his team of five researchers investigated the security of Android apps from four aspects: static bytecode analysis, dynamic behavior analysis, metadata analysis and traffic analysis.

Luo and his team typically build prototype tools for each research paper on mobile security and privacy. Some tools have been released to the public, such as NDroid, a dynamic taint analysis engine for Android apps that use native code.

“We have proposed and developed advanced malware analysis tools, such as DexHunter and PackerGrind for unpacking hardened mobile malware, as well as Malton for conducting fine-grained cross-layer inspection on stealthy mobile malware,” he said.

According to Luo, they have shared their tools with security companies with whom PolyU is conducting joint research.