The Project for CS858 - Android Security
This project recreated, on a smaller scale and using manual analysis, some aspects of the research by Oltrogge et al. (2018) on the general security of apps created by online app generators. We developed four apps and generated four more, with different levels of runtime permissions, and decompiled them to get to the resources that were needed.
The project is divided into two main parts:
- IDE - Apps created using Android Studio and their apk files. We developed four simple apps: a greeting app and a hello world app that both display a greeting message, an SMS app that sends a message to a provided number, and a location app that displays the current location of the device. The apps were developed using Android Studio and were coded to ensure that they only use the permissions that are necessary for their functionality. The apk files for these apps can be found in the IDE folder.
- OAG - Apps created using Online App Generators and their apk files. We generated four apps using two online app generators: Andromo and AppInventor. The apps generated by Andromo are a greeting app and a hello world app that both display a greeting message, and the apps generated by AppInventor are an SMS app that sends a message to a provided number and a location app that displays the current location of the device. The apk files for these apps can be found in the OAG folder.
The analysis of the apps was done by comparing the AndroidManifest.xml and the Dex bytecode of the apps to identify the security implications of using online app generators to create apps. The analysis involved investigating the permissions used by the apps, the components used by the apps, and the boilerplate code used by the apps.
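The manifest side of this comparison can be sketched as follows. This is an added example, not code from the project: it assumes the manifests have already been decoded to plain XML (for instance with apktool), and the two sample manifests, their package names, permissions and components are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifests in decoded XML form; values are illustrative only.
IDE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.ide.sms">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

OAG_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.oag.sms">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <activity android:name=".Screen1"/>
    <service android:name=".BackgroundService"/>
    <receiver android:name=".BootReceiver"/>
  </application>
</manifest>"""


def summarize(manifest_xml):
    """Return (permissions, component kinds) declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NAME) for e in root.iter("uses-permission") if e.get(NAME)}
    kinds = {tag for tag in COMPONENT_TAGS if root.find(f".//{tag}") is not None}
    return perms, kinds


def compare(baseline_xml, candidate_xml):
    """Report what the candidate app declares beyond the hand-written baseline."""
    base_perms, base_kinds = summarize(baseline_xml)
    cand_perms, cand_kinds = summarize(candidate_xml)
    return {
        "extra_permissions": sorted(cand_perms - base_perms),
        "extra_component_kinds": sorted(cand_kinds - base_kinds),
    }


if __name__ == "__main__":
    print(compare(IDE_MANIFEST, OAG_MANIFEST))
```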
The results of the analysis showed that the apps generated by online app generators use more permissions than they need to function correctly. They also use boilerplate code that would lead to reconfiguration attacks and more critical vulnerabilities, and they use components that exceed the needs of the particular apps that we created. Because of this boilerplate code and the prevalence of apps generated by online app generators in the market, vulnerabilities caused by these app generators have a significant impact. It cannot be denied, however, that online app generators ease the process and reduce costs in developing mobile applications. They can be used with more trust if they adhere to security best practices.
See the Reports folder for the proposal, progress report, and final report of the project.