PolyU research: Android app developers should have security mindset

Running afoul of privacy regulations

Besides revealing that many Android apps have security loopholes that hackers can exploit to gain access to users’ mobile devices, the results also showed that existing apps have many privacy issues.

Employing the team’s PPChecker tool to scrutinize 1,680 popular apps in Google Play and their privacy policies, the researchers found that 484 apps (28.8%) have at least one kind of problem in their privacy policies.

“This may result in app owners paying fines for violation of privacy laws, and it may result in the app’s removal,” Luo said.

He noted that developers may not be familiar with privacy regulations and the APIs used to create the apps.

“They may also not be cognizant of the different approaches that can be used to protect the private information of Android phone users.”

He stressed again the need to train developers not only to build secure apps but also to build ones that adhere to specified privacy policies.

“When building an app, does its developer or owner provide enough information to end-users of its data privacy policies… most of the time they do not know how to create clear privacy notes to users,” Luo said.

Combating sophisticated malware

Another major takeaway from the security assessment project is that today’s malware adopts advanced techniques to evade detection.

“Our research shows that malware is becoming more sophisticated. And new techniques are needed to analyze and detect them.”

Luo added: “We should conduct further research to design new methods and tools for detecting malware, discovering vulnerable apps and identifying privacy issues in apps and their privacy policies.”

Seeing the shortcomings of cybersecurity protection in Android apps, Luo called for more public awareness around mobile security and privacy.

“The short development cycles and insufficient security development guidelines have led to many vulnerable apps that can be exploited by attackers to compromise the smartphones. This has motivated us to design methodologies and tools to assess the security of Android apps to help security analysts to defend against mobile malware, to help developers to identify security and privacy issues, and to protect users from malicious attacks via mobile apps,” Luo said.

Meanwhile, Luo and his team are continuing with the next phase of the project.

“We will continue the research in this direction because: the arms race between malware and security researchers continues; new techniques in smartphones deserve further research on their implications in the mobile security and privacy protection; and, developers need more advanced tools to help them identify and avoid various issues,” Luo said.