Vulnerability Prediction in Android Apps Aram Hovsepyan1, Riccardo Scandariato1, James Walden2, Viet Hung Nguyen3 Wouter Joosen1 1 iMinds-DistriNet, Katholieke Universiteit Leuven 2 Northern Kentucky University, 3 University of Trento Monday 10 June 13 week DistriNet Android apps are an attractive target Android has 75% market share as of Q1 2013 [IDC] Vulnerability Prediction in Android Apps Monday 10 June 13 week 2 DistriNet Android apps are an attractive target Google play has over 775K apps and over 48B total installs [IDC, Google I/O keynote] Vulnerability Prediction in Android Apps Monday 10 June 13 week 3 DistriNet Android apps are an attractive target App security is not guaranteed by the platform provider Ü Apps that are well intended, but not exploit free A single vulnerability could affect a massive number of users Not yet much explored Ü Focused on Mozilla Firefox / RHEL Vulnerability Prediction in Android Apps Monday 10 June 13 week 4 DistriNet How to find vulnerabilities? Vulnerability Prediction in Android Apps Monday 10 June 13 week 5 DistriNet How to find vulnerabilities? Code inspection Ü Manual verification is not feasible Ü Not all apps can afford security experts Ü Even security experts cannot analyze every line of code Vulnerability Prediction in Android Apps Monday 10 June 13 week 5 DistriNet How to find vulnerabilities? Code inspection Ü Manual verification is not feasible Ü Not all apps can afford security experts Ü Even security experts cannot analyze every line of code Penetration testing / security testing Vulnerability Prediction in Android Apps Monday 10 June 13 week 5 DistriNet How to find vulnerabilities? Code inspection Ü Manual verification is not feasible Ü Not all apps can afford security experts Ü Even security experts cannot analyze every line of code Penetration testing / security testing Static code analysis Vulnerability Prediction in Android Apps Monday 10 June 13 week 5 DistriNet How to find vulnerabilities? Code inspection Ü Manual verification is not feasible Ü Not all apps can afford security experts Ü Even security experts cannot analyze every line of code Penetration testing / security testing Static code analysis Magic Ü Vulnerability prediction models Vulnerability Prediction in Android Apps Monday 10 June 13 week 5 DistriNet Vulnerability prediction model Vulnerability Prediction in Android Apps Monday 10 June 13 week 6 DistriNet Vulnerability prediction model Source Source code Source code Source code Source code Source code code Vulnerability Prediction in Android Apps Monday 10 June 13 week 6 DistriNet Vulnerability prediction model Source Source code Source code Source code Source code Source code code Source Source code Source code Source code Source code Source code code Vulnerability Prediction in Android Apps Monday 10 June 13 week 6 DistriNet Vulnerability prediction model Source Source code Source code Source code Source code Source code code Source Source code Source code Source code Source code Source code code Machine learning Vulnerability Prediction in Android Apps Monday 10 June 13 week 6 DistriNet Our research Predict vulnerable Java files in Android apps! Predict vulnerable C++ components in Chrome/ Firefox Ü ongoing Predict vulnerable PHP files Ü summer work Vulnerability Prediction in Android Apps Monday 10 June 13 week 7 DistriNet Outline Existing tools and techniques Ü Vulnerability prediction models Our approach Results Conclusions and future research Vulnerability Prediction in Android Apps Monday 10 June 13 week 8 DistriNet Vulnerability prediction models Vulnerability Prediction in Android Apps Monday 10 June 13 week 9 DistriNet Vulnerability prediction models Source Source code Source code Source code Source code Source code code Source Source code Source code Source code Source code Source code code Vulnerability Prediction in Android Apps Monday 10 June 13 week 9 DistriNet Vulnerability prediction models Vulnerability Prediction in Android Apps Monday 10 June 13 week 9 DistriNet Vulnerability prediction models Start from a hunch = feature Ü e.g., larger components are more likely to be vulnerable Vulnerability Prediction in Android Apps Monday 10 June 13 week 9 DistriNet Vulnerability prediction models Start from a hunch = feature Ü e.g., larger components are more likely to be vulnerable Fetch the features from the components Ü e.g., calculate the size for each component Vulnerability Prediction in Android Apps Monday 10 June 13 week 9 DistriNet Vulnerability prediction models Start from a hunch = feature Ü e.g., larger components are more likely to be vulnerable Fetch the features from the components Ü e.g., calculate the size for each component Determine the vulnerabilities Ü e.g., National Vulnerability Database, MFSA Vulnerability Prediction in Android Apps Monday 10 June 13 week 9 DistriNet Vulnerability prediction models Start from a hunch = feature Ü e.g., larger components are more likely to be vulnerable Fetch the features from the components Ü e.g., calculate the size for each component Determine the vulnerabilities Ü e.g., National Vulnerability Database, MFSA Investigate the correlation Ü Use machine learning techniques Vulnerability Prediction in Android Apps Monday 10 June 13 week 9 DistriNet Vulnerability prediction models Vulnerability Prediction in Android Apps Monday 10 June 13 week 10 DistriNet Vulnerability prediction models Typical “hunches” Ü Use size and complexity metrics Ü Leverage developer activity metrics Ü Leverage code churn metrics Ü Leverage design churn metrics Ü Number of import statements Vulnerability Prediction in Android Apps Monday 10 June 13 week 10 DistriNet Vulnerability prediction models Typical “hunches” Ü Use size and complexity metrics Ü Leverage developer activity metrics Ü Leverage code churn metrics Ü Leverage design churn metrics Ü Number of import statements Inspired on the defect prediction work Ü Vulnerabilities are actually defects, but much more scarce (“needle in a haystack”) Vulnerability Prediction in Android Apps Monday 10 June 13 week 10 DistriNet Vulnerability prediction models The existing models are fairly complex Ü Typically several versions are necessary to collect all metrics Ü Developer activity metrics are required Ü Code evolution metrics are required Biased to the underlying “hunch” of the researcher Vulnerability Prediction in Android Apps Monday 10 June 13 week 11 DistriNet Outline Existing tools and techniques Ü Static code analysis Ü Vulnerability prediction using metrics Our approach Results Conclusions and future research Vulnerability Prediction in Android Apps Monday 10 June 13 week 12 DistriNet Our approach Use the source code itself in a tokenized form Use the token frequency as features Ü Simplicity Ü No explicit assumptions regarding the code characteristics #tex t an alys is # g n i r e t l i f SPAM Vulnerability Prediction in Android Apps Monday 10 June 13 week a m # in h c ea l e g n i rn 13 DistriNet Our approach Tokenizer Feature vectors Source code (Java files) Machine Learning Fortify Static code analyzer Vulnerab ilities Vulnerability Prediction in Android Apps Monday 10 June 13 week 14 DistriNet Tokenizer Tokenizer Feature vectors Source code (Java files) Machine Learning Fortify Static code analyzer Vulnerab ilities Vulnerability Prediction in Android Apps Monday 10 June 13 week 15 DistriNet Tokenizer Tokenizer Feature vectors Source code (Java files) Machine Learning Fortify Static code analyzer Vulnerab ilities Vulnerability Prediction in Android Apps Monday 10 June 13 week 15 DistriNet Tokenizer Tokenizer Feature vectors Source code (Java files) Machine Learning Fortify Static code analyzer Vulnerab ilities Transform each source code token into a feature vector Ü each token (“monogram”) is a feature Ü tokenize by delimiters, mathematical and logical operations . , ! < > [ ] = + - ^ * / etc. Ü each feature has a count assigned to it Vulnerability Prediction in Android Apps Monday 10 June 13 week 15 DistriNet Feature vector Vulnerability Prediction in Android Apps Monday 10 June 13 week 16 DistriNet Feature vector Vulnerability Prediction in Android Apps Monday 10 June 13 week 16 DistriNet Feature vector package: 1 Vulnerability Prediction in Android Apps Monday 10 June 13 week 16 DistriNet Feature vector package: 1 1, com: 1 Vulnerability Prediction in Android Apps Monday 10 June 13 week 16 DistriNet Feature vector package: 1 1, com: 1 1, fsck: 1, k9: 1, import: 2, android: 2, text: 2, util: 1, Rfc822Tokenizer: 2, widget: 1, AutoCompleteTextView:1, Validator: 2, public: 3, class: 1, EmailAddressValidator: 1, implements: 1, CharSequence: 2, fixText: 1, invalidText: 1, return: 2, tokenize: 1, length: 1 Vulnerability Prediction in Android Apps Monday 10 June 13 week 16 DistriNet Vulnerability assignment Tokenizer Feature vectors Source code (Java files) Machine Learning Fortify Static code analyzer Vulnerab ilities Vulnerability Prediction in Android Apps Monday 10 June 13 week 17 DistriNet Vulnerability assignment Tokenizer Feature vectors Source code (Java files) Machine Learning Fortify Static code analyzer Vulnerab ilities Vulnerability Prediction in Android Apps Monday 10 June 13 week 17 DistriNet Vulnerability assignment Tokenizer Feature vectors Source code (Java files) Machine Learning Fortify Static code analyzer Vulnerab ilities Assign vulnerability to each Java file Ü use Fortify (static code analyzer) for this task Ü each file is either vulnerable or clean Vulnerability Prediction in Android Apps Monday 10 June 13 week 17 DistriNet Vulnerability assignment Tokenizer Feature vectors Source code (Java files) Machine Learning Fortify Static code analyzer Vulnerab ilities Assign vulnerability to each Java file Ü use Fortify (static code analyzer) for this task Ü each file is either vulnerable or clean package: 1, com: 1, fsck: 1, k9: 1, import: 2, android: 2, text: 2, util: 1, Rfc822Tokenizer: 2, widget: 1, AutoCompleteTextView:1, Validator: 2, public: 3, class: 1, EmailAddressValidator: 1, implements: 1, CharSequence: 2, fixText: 1, invalidText: 1, return: 2, tokenize: 1, length: 1 Vulnerability Prediction in Android Apps Monday 10 June 13 week 17 DistriNet Vulnerability assignment Tokenizer Feature vectors Source code (Java files) Machine Learning Fortify Static code analyzer Vulnerab ilities Assign vulnerability to each Java file Ü use Fortify (static code analyzer) for this task Ü each file is either vulnerable or clean package: 1, com: 1, fsck: 1, k9: 1, import: 2, android: 2, text: 2, util: 1, Rfc822Tokenizer: 2, widget: 1, AutoCompleteTextView:1, Validator: 2, public: 3, class: 1, EmailAddressValidator: 1, implements: 1, CharSequence: 2, fixText: 1, invalidText: 1, return: 2, tokenize: 1, length: 1 1, vulnerability: 0 Vulnerability Prediction in Android Apps Monday 10 June 13 week 17 DistriNet Machine learning Tokenizer Feature vectors Source code (Java files) Machine Learning Fortify Static code analyzer Vulnerab ilities Vulnerability Prediction in Android Apps Monday 10 June 13 week 18 DistriNet Machine learning Tokenizer Feature vectors Source code (Java files) Machine Learning Fortify Static code analyzer Vulnerab ilities Vulnerability Prediction in Android Apps Monday 10 June 13 week 18 DistriNet Machine learning Tokenizer Feature vectors Source code (Java files) Machine Learning Fortify Static code analyzer Vulnerab ilities Leverage machine learning techniques to build a prediction model Ü Training set -> the data used to train the model Ü Testing set -> the data used to validate the model Various techniques available (SVM, Naive Bayes, Random Forest, CART, kNN) Vulnerability Prediction in Android Apps Monday 10 June 13 week 18 DistriNet Experiment 1 Vulnerability Prediction in Android Apps Monday 10 June 13 week 19 DistriNet Experiment 1 Can we predict future versions of an app based on its first version? Vulnerability Prediction in Android Apps Monday 10 June 13 week 19 DistriNet Experiment 1 Can we predict future versions of an app based on its first version? Ü Training set - the first version (v0) of an app Vulnerability Prediction in Android Apps Monday 10 June 13 week 19 DistriNet Experiment 1 Can we predict future versions of an app based on its first version? Ü Training set - the first version (v0) of an app Ü Testing set - all subsequent versions of that app Vulnerability Prediction in Android Apps Monday 10 June 13 week 19 DistriNet Experiment 1 Can we predict future versions of an app based on its first version? Ü Training set - the first version (v0) of an app Ü Testing set - all subsequent versions of that app Vulnerability Prediction in Android Apps Monday 10 June 13 week 19 DistriNet Experiment 1 Can we predict future versions of an app based on its first version? Ü Training set - the first version (v0) of an app Ü Testing set - all subsequent versions of that app Vulnerability Prediction in Android Apps Monday 10 June 13 week 19 DistriNet Experiment 1 Can we predict future versions of an app based on its first version? Ü Training set - the first version (v0) of an app Ü Testing set - all subsequent versions of that app Ü Repeat for all apps Vulnerability Prediction in Android Apps Monday 10 June 13 week 19 DistriNet Experiment 2 Vulnerability Prediction in Android Apps Monday 10 June 13 week 20 DistriNet Experiment 2 Can we build a generalized predictor that works on all apps? Ü Training set - the first version (v0) of an app Ü Testing set - first versions of all other apps Vulnerability Prediction in Android Apps Monday 10 June 13 week 20 DistriNet Applications (data from early 2012) Ü F-droid repository: 01/01/2010->31/12/2011 Ü Selection criteria: open-source, size, number of versions Vulnerability Prediction in Android Apps Monday 10 June 13 week 21 DistriNet Applications: descriptive statistics Vulnerability Prediction in Android Apps Monday 10 June 13 week 22 DistriNet Applications: descriptive statistics Vulnerability Prediction in Android Apps Monday 10 June 13 week 23 DistriNet Outline Existing tools and techniques Ü Static code analysis Ü Vulnerability prediction using metrics Our approach Results Conclusions and future research Vulnerability Prediction in Android Apps Monday 10 June 13 week 24 DistriNet Performance indicators Vulnerability Prediction in Android Apps Monday 10 June 13 week 25 DistriNet Performance indicators Accuracy: percentage of correctly classified files Ü imagine 90% of the files are clean Ü saying all files are clean will achieve 90% accuracy Vulnerability Prediction in Android Apps Monday 10 June 13 week 25 DistriNet Performance indicators Accuracy: percentage of correctly classified files Ü imagine 90% of the files are clean Ü saying all files are clean will achieve 90% accuracy Vulnerability Prediction in Android Apps Monday 10 June 13 week 25 DistriNet Performance indicators Accuracy: percentage of correctly classified files Ü imagine 90% of the files are clean Ü saying all files are clean will achieve 90% accuracy Vulnerability Prediction in Android Apps Monday 10 June 13 week 25 DistriNet Performance indicators Accuracy: percentage of correctly classified files Ü imagine 90% of the files are clean Ü saying all files are clean will achieve 90% accuracy Prediction vs. reality Ü True positive (TP) Ü True negative (TN) Ü False positive (FP) Ü False negative (FN) Vulnerability Prediction in Android Apps Monday 10 June 13 week 25 DistriNet Performance indicators Accuracy: percentage of correctly classified files Ü imagine 90% of the files are clean Ü saying all files are clean will achieve 90% accuracy Prediction vs. reality Ü True positive (TP) Ü True negative (TN) Ü False positive (FP) Ü False negative (FN) FN FN TN TN TP TN FP FN TN FP TP TP Vulnerability Prediction in Android Apps Monday 10 June 13 week 25 DistriNet Performance indicators Accuracy: percentage of correctly classified files Ü imagine 90% of the files are clean Ü saying all files are clean will achieve 90% accuracy Prediction vs. reality Ü True positive (TP) Ü True negative (TN) Ü False positive (FP) Ü False negative (FN) FN FN TN TN TP TN FP P = 3/5 FN TP TN FP TP Precision: P = TP/(TP+FP) Vulnerability Prediction in Android Apps Monday 10 June 13 week 25 DistriNet Performance indicators Accuracy: percentage of correctly classified files Ü imagine 90% of the files are clean Ü saying all files are clean will achieve 90% accuracy Prediction vs. reality Ü True positive (TP) Ü True negative (TN) Ü False positive (FP) Ü False negative (FN) FN FN TN TN TP TN FP FN TN FP TP TP Precision: P = TP/(TP+FP) Vulnerability Prediction in Android Apps Monday 10 June 13 week 25 DistriNet Performance indicators Accuracy: percentage of correctly classified files Ü imagine 90% of the files are clean Ü saying all files are clean will achieve 90% accuracy Prediction vs. reality Ü True positive (TP) Ü True negative (TN) Ü False positive (FP) Ü False negative (FN) FN FN TN TN TP TN FP R = 3/6 FN TP TN FP TP Precision: P = TP/(TP+FP) Recall: R = TP/(TP+FN) Vulnerability Prediction in Android Apps Monday 10 June 13 week 25 DistriNet Performance indicators Accuracy: percentage of correctly classified files Ü imagine 90% of the files are clean Ü saying all files are clean will achieve 90% accuracy Prediction vs. reality Ü True positive (TP) Ü True negative (TN) Ü False positive (FP) Ü False negative (FN) FN FN TN TN TP TN FP FN TN FP TP TP Precision: P = TP/(TP+FP) Recall: R = TP/(TP+FN) Vulnerability Prediction in Android Apps Monday 10 June 13 week 25 DistriNet Performance indicators: K9 Vulnerability Prediction in Android Apps Monday 10 June 13 week 26 DistriNet Performance indicators: K9 K9Mail#(Random#Forest)# 1.00# 0.90# 0.80# 0.70# 0.60# 0.50# Precision# 0.40# Recall# 0.30# 0.20# 0.10# M ar 01 0 Ap # r 01 0# M ay 01 0 Ju # n0 10 # Ju l01 0 Au # g0 10 Se # p0 10 Oc # t01 0 No # v0 10 De # c0 10 # Ja n0 11 Fe # b0 11 # M ar 01 1 Ap # r 01 1# M ay 01 1 Ju # n0 11 # Ju l01 1 Au # g0 11 Se # p0 11 Oc # t01 1 No # v0 11 De # c0 11 # 0.00# Vulnerability Prediction in Android Apps Monday 10 June 13 week 26 DistriNet Experiment 1: future predictions Vulnerability Prediction in Android Apps Monday 10 June 13 week 27 DistriNet Experiment 1: future predictions When do we need to build a new model? Ü Retrain when performance indicators drop with 10% Vulnerability Prediction in Android Apps Monday 10 June 13 week 27 DistriNet Experiment 1: future predictions When do we need to build a new model? Ü Retrain when performance indicators drop with 10% Application AnkiDroid BoardGameGeek ConnectBot CoolReader Crosswords FBReader K9Mail KeePassAndroid MileageTracker Mustard Retrain (months) -9 -10 2 -12 -1 -- -- no retraining is required Vulnerability Prediction in Android Apps Monday 10 June 13 week 27 DistriNet Results: most influential features Vulnerability Prediction in Android Apps Monday 10 June 13 week 28 DistriNet Results: most influential features Most influential features Vulnerability Prediction in Android Apps Monday 10 June 13 week 28 DistriNet Results: most influential features Most influential features Ü e, Exception, try, catch (error handling) Vulnerability Prediction in Android Apps Monday 10 June 13 week 28 DistriNet Results: most influential features Most influential features Ü e, Exception, try, catch (error handling) Ü if (branching) Vulnerability Prediction in Android Apps Monday 10 June 13 week 28 DistriNet Results: most influential features Most influential features Ü e, Exception, try, catch (error handling) Ü if (branching) Ü null (pointer algebra) Vulnerability Prediction in Android Apps Monday 10 June 13 week 28 DistriNet Results: most influential features Most influential features Ü e, Exception, try, catch (error handling) Ü if (branching) Ü null (pointer algebra) Ü java, org (import statements) Vulnerability Prediction in Android Apps Monday 10 June 13 week 28 DistriNet Results: most influential features Most influential features Ü e, Exception, try, catch (error handling) Ü if (branching) Ü null (pointer algebra) Ü java, org (import statements) Ü new, Log (others) Vulnerability Prediction in Android Apps Monday 10 June 13 week 28 DistriNet Results: most influential features Most influential features Ü e, Exception, try, catch (error handling) Ü if (branching) Ü null (pointer algebra) Ü java, org (import statements) Ü new, Log (others) Produced by InfoGain Vulnerability Prediction in Android Apps Monday 10 June 13 week 28 DistriNet Validity threats Use of Fortify tool for vulnerability extraction Ü Some research results have shown that there are strong correlations between static analysis metrics and the quality of reported vulnerabilities Ü Manual validation seems to confirm our findings (work in progress)! Ü We are currently validating the same technique on Mozilla Firefox and the results are slightly better than the existing work Vulnerability Prediction in Android Apps Monday 10 June 13 week 29 DistriNet Conclusions and future research We have presented a novel technique for predicting vulnerable Java files in Android applications Ü The obtained results are very promising We are working in parallel on 2 additional tracks Ü Vulnerability prediction for Firefox/Chrome in C++ Ü Vulnerability prediction for PHP Vulnerability Prediction in Android Apps Monday 10 June 13 week 30 DistriNet Bring your own data We are looking to validate our technique further If you have data you are willing to share with us, we would be glad to collaborate Vulnerability Prediction in Android Apps Monday 10 June 13 week 31
© Copyright 2026 Paperzz