Received May 4, 2020, accepted May 23, 2020, date of publication May 27, 2020, date of current version

June 17, 2020.

Digital Object Identifier 10.1109/ACCESS.2020.2998043

Vulnerability Detection on Android

Apps–Inspired by Case Study on Vulnerability
Related With Web Functions
JIAWEI QIN1 , HUA ZHANG 1 , (Member, IEEE), JING GUO2 , SENMIAO WANG1 ,
QIAOYAN WEN 1 , AND YIJIE SHI1
1 State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China
2 National Computer Network Emergency Response Technical Team/Coordination Center of China, Beijing 100029, China
Corresponding author: Hua Zhang ([email protected])
This work was supported in part by the National Key Research and Development Program of China under Grant 2018YFB0804703.

ABSTRACT Nowadays, people’s lifestyle is more and more dependent on mobile applications (Apps),
such as shopping, financial management and surfing the internet. However, developers mainly focus on the
implementation of Apps and the improvement of user experience while ignoring security issues. In this
paper, we perform the comprehensive study on vulnerabilities caused by misuse of APIs and form a
methodology for this type of vulnerability analysis. We investigate the security of three types of Android
Apps including finance, shopping and browser which are closely related to human life. And we analyze four
vulnerabilities including Improper certificate validation(CWE-295:ICV), WebView bypass certificate vali-
dation vulnerability(CVE-2014-5531:WBCVV), WebView remote code execution vulnerability(CVE-2014-
1939:WRCEV) and Alibaba Cloud OSS credential disclosure vulnerability(CNVD-2017-09774:ACOCDV).
In order to verify the effectiveness of our analysis method in large-scale Apps on the Internet, we propose
a novel scalable tool - VulArcher, which is based on heuristic method and used to discover if the above
vulnerabilities exist in Apps. We download a total of 6114 of the above three types of samples in App stores,
and we use VulArcher to perform the above vulnerability detection for each App. We perform manual
verification by randomly selecting 100 samples of each vulnerability. We find that the accuracy rate for
ACOCDV can reach 100%, the accuracy rate for WBCVV can reach 95%, and the accuracy rate for the other
two vulnerabilities can reach 87%. And one of vulnerabilities detected by VulArcher has been included in
China National Vulnerability Database (CNVD) ID(CNVD-2017-23282). Experiments show that our tool
is feasible and effective. For the convenience of researchers in related communities, We make our data and
tool available at https://buptnsrclab.github.io/blog/2020/01/03/vularcher-site-launched.

INDEX TERMS Static analysis, vulnerability, mobile agents, security, application software, detection
algorithms.

I. INTRODUCTION including static [1]–[8] and dynamic [9], [10] methods.

With the rapid growth of functional requirement of mobile
Apps, the development iteration of Apps is more and more
rapid. In this circumstance, developers focus on how to
quickly implement the logical functions of Apps and make
it more user-friendly. Nevertheless, they spend little time on
security issues of Apps.
The security issues of Apps are complex and challenging.
Related research on Android security has been proposed,
The associate editor coordinating the review of this manuscript and
approving it for publication was Kashif Saleem . vulnerabilities. Mu et al. [17] contributed to how to quickly
Wei et al. [11] just analyzed Android vulnerabilities which
are assosiated with JavaScript. Mutchler et al. [12] and
Chin and Wagner [13] analyzed a large-scale of mobile web
Apps, and found that vulnerabilities are presented in all
corners of the Android ecosystem. They did not propose
methods for vulnerability verification. Li et al. [14] analysed
a small set of Android music Apps and focused on the issue
of data leakage during client and server communication.
Li et al. [15], [16] proposed a solution to quickly identify
Android source code vulnerability ignoring to analyse Apps’

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
VOLUME 8, 2020 106437
 J. Qin et al.: Vulnerability Detection on Android Apps–Inspired by Case Study on Vulnerability
reproduce the vulnerabilities by combining the vulnerabil-
ity reports with widely crowdsourced information. In 2019,
Diao et al. [8] analyzed one vulnerability caused by the usage
of the accessibility API. Amin et al. [9] focused on proposing
a detection tool for Android vulnerabilities, they did not give
out a methodology for analyzing Android vulnerabilities.
Luo et al. [18] was concerned about the vulnerabilities of the
Android Framework and adopt a symbolic execution method
to detect vulnerabilities. Wu et al. [19] conducted a system-
atic study for Android system vulnerabilities.
Aforementioned vulnerabilities researches are related to
the web vulnerabilities [20]. Although these vulnerabilities
have been reported for a long time, they have received little
attention. Moreover, researchers did not consider how to ana-
lyze the vulnerabilities of these Apps if it is packed [21]–[23].
To the best of our knowledge, there is little effective analysis
on aforementioned vulnerabilities. There is a very serious
problem that many vulnerabilities reported early still exist in
latest Apps, even in the same App. The main reason is that
there is no feasible and complete vulnerability verification
workflows for developers. In additional, more and more web
functions are used in Apps [24], these functions may also
increase new vulnerabilities of Apps. Users send their infor-
mation through the network in the process of Apps,which
makes it is particular important for Apps to ensure(assure)
their security.
In this paper, our target of vulnerabilities are related to
web functions. By manual analysis of 400 Apps, we find
the vulnerabilities caused by the misuse of APIs accounted
for the majority, and the most of vulnerabilities caused
by API misuse are WRCEV, WBCVV, ICV and ACOCDV.
So we chose these four vulnerabilities as our study goals.
At the same time, we divide the above four vulnerabilities
into three categories based on their behaviors: Overridden
method(Cat1:OM), Use unsafe settings(Cat2:USS) and Data
leakage of sensitive information(Cat3:DLSI).
Contributions. Based on the above analysis, we explore the
severity of these vulnerabilities and perform the comprehen-
sive study on the four vulnerabilities caused by the misuse of
APIs and form an analysis methodology for each category
of vulnerabilities. In order to mitigate them, we propose
corresponding improvement recommendations. Based on the
methodology, we propose a vulnerability verification work-
flow for each vulnerability. In order to verify the effective-
ness of our analysis methodology in large-scale Apps on the
Internet. Based on our findings, we propose a vulnerability
detection tool, named VulArcher. It can detect the above four
vulnerabilities in packed or unpacked Android Apps,and the
average accuracy rate is 91%.The main contributions are as
follows:
(1) For the four vulnerabilities that are caused by the
misuse of APIs, we divide them into three categories based on
their behaviors. we perform the comprehensive study on them
and form an analysis methodology for each vulnerability,
which can help researchers to discover other vulnerabilities
in the three categories. Based on the analysis, we provide
106438
improvement recommendations to mitigate the vulnerability
threat.
(2) Based on the methodology, we propose a vulnerabil-
ity verification for workflow for each vulnerability, relevant
researchers can verify corresponding vulnerabilities follow-
ing them.
(3) In order to verify our methodologies in large-scale
Apps, we propose a static and scalable vulnerabilities
detection tool based on our findings for vulnerability anal-
ysis,VulArcher. We download 6,177 Android Apps con-
taining transactions from the Internet, which are the latest
version in 2018. After our random manual verification
of the results of VulArcher, it shows that the average
accuracy rate is 91%. In addition, VulArcher can also
detect the vulnerabilities on packed Apps. By adding rules
in a configuration file, VulArcher can detect other cat-
egories of vulnerabilities. We will share VulArcher at
https://buptnsrclab.github.io/blog/2020/01/03/vularcher-site-
launched.
II. BACKGROUD
A. ANDROID APP OVERVIEW
An Android App file is a compressed file that contains
AndroidManifest.xml file, certificate files, dex file, static
resource files and so on.
1) Androidmanifest.xml, which defined and included in
every App, describes the name, version, permissions,
component name and other information of the App.
2) Certificate files hold the signature information that
ensures the integrity of the App.
3) Dex file is an executable file, which contains all the
operating instructions and runtime data of an the App.
Its structure is as follows:
(1) Header: containing metadata, and a body which
contains the majority of the data.
(2) String_ids: recording the offsets of each string in
the data area.
(3) Type_ids: recording the string indexs for each type.
(4) Proto_ids: recording the declaration strings of
methods, return type strings, parameter lists.
(5) Field_ids: recording the classes, type, and method
name which belongs to.
(6) Method_ids: recording the classes’ name, declara-
tion and the name of the methods and other informa-
tion.
(7) Class_defs: containing the type, inheritance hierar-
chy, access metadata, and other class metadata.
(8) Data: containing data of each classes.
4) Static resource files that exist in the res folder mainly
contain pictures, audios and layout files of the App.
B. ANDROID API AND ANDROID SDK
An Android API is an interface provided to developers to
invoke system services, making App development more effi-
cient and convenient. Here are a few Android APIs related to
this paper.
VOLUME 8, 2020
J. Qin et al.: Vulnerability Detection on Android Apps–Inspired by Case Study on Vulnerability
TABLE 1. WebView APIs’ name and their functions.
TABLE 2. Some commonly used APIs for certificate validation.
TABLE 3. Some APIs provided by Alibaba Cloud OSS service.
WebView is an Android component that displays webpages
and supports the execution of JavaScript. And its APIs are
designed to customize WebView for developers. TABLE 1
shows the WebView APIs and their functional description.
Certificate verification APIs are used for HTTPs commu-
nication process of Apps, through which developers can cus-
tomize the verfification rules. TABLE 2 summarizes related
APIs.
SDK is a set of tools provided by an organization, and are
used to develop Android applications. For example, SDK pro-
vided by Alibaba help developers use the company’s services.
TABLE 3 shows APIs in Alibaba OSS Cloud service SDK.
III. CASE STUDY
A. SELECTING VULNERABILITIES
1) IMPROPER CERTIFICATE VALIDATION (ICV)
HTTPs is an extension of the Hypertext Transfer Protocol
(HTTP). It is used for secure communication over a computer
network, and is widely used on Apps. In the use of such a
network transmission protocol, the App verifies whether the
certificate on the server side is a compliant certificate, so that
both sides of the communication can be trusted. Apps use the
X509TrustManager class to trust certificates. The weakness
that the App improper certificate validation is described in
CWE-295, when a certificate is invalid, it might allow an
attacker to spoof a trusted entity by using a man-in-the-middle
(MITM) attack. The weakness code is shown in Fig 1.
VOLUME 8, 2020
TABLE 4. Statistics of Vulnerabilities in the 100 Apps (‘ICV’ refers to
‘Improper certificate validation, ‘WBCVV’ refers to ‘WebView bypass
certificate validation vulnerability’, ‘WRCEV’ refers to ‘WebView remote
code execution vulnerability’ and ‘ACOCDV’ refers to ‘Alibaba Cloud OSS
credential disclosure vulnerability’).
FIGURE 1. The sample code of Improper certificate validation(md5 of this
App is 621fd4c77d310312a1916c12d6dc2c32).
We extract 100 Apps in the dataset, After manual analyzing,
we find that 81 of these Apps with the weakness, as shown
in Table 4. Hence we analysis this weakness in the paper.
2) WebView BYPASS CERTIFICATE VALIDATION
VULNERABILITY (WBCVV)
The WebView component supports certificate verification
when loading webpages with HTTPs protocol. As described
in CVE-2014-5531, when an App is displaying data through
WebView, at the same time, the function of verifying the
validity of the certificate in this component does not work.
In this case, the App will be vulnerable to man-in-the-middle
attacks, And attacks can obtain sensitive information via a
crafted certificate. As shown in Fig 2, the WebView is used
to load the webpage, when the certificate verification fails,
it still allows the data exchange between the App and the
server side of the crafted certificate. Table 4 shows that we
find 86 Apps in 100 have this vulnerability, so it is worthwhile
to analyze the vulnerability in detail.
3) WebView REMOTE CODE EXECUTION
VULNERABILITY (WRCEV)
According to Google [25], there are 2 billion active devices
on Android monthly, and close to 10% are running in
Android 4.3 or lower versions and more than 4% are run-
ning in Android 4.1 or lower versions. That indicates that
JS-to-Java interface vulnerabilities may still affect hun-
dreds of millions of users. Table 1 describes some of the
APIs for the WebView component. The addJavascriptInter-
face(Object object, String name) function provides a way
106439
 J. Qin et al.: Vulnerability Detection on Android Apps–Inspired by Case Study on Vulnerability
FIGURE 2. The sample code of WBCVV(md5 of this App is
28ac441942de453dd3c5756b2b223f9d).
FIGURE 3. The sample code of WRCEV(md5 of this App is
ef400edb1ece62a44b97edabfdc5e076).
to bridge between JavaScript and Java. It is equivalent to
inject a Java object into the environment of JavaScript. So
the JavaScript code running in the WebView can call all
the public methods of the Java object by the object name.
However, in this scenario, proper security measures are not
used, which can lead to WRCEV as described in CVE-2014-
1939, an attacker can fake a malicious JavaScript script to
attack an App. The code shown in Fig 3 that uses this Java-
to-JavaScript, but it does not have security restrictions, so it
causes the vulnerability. Table 4 shows that the vulnerability
exists in current App Stores, and we should analyze why this
vulnerability still occupies a high proportion.
4) ALIBABA CLOUD OSS CREDENTIAL DISCLOSURE
VULNERABILITY (ACOCDV)
ACOCDV is a new vulnerability with wide influence in 2017.
Alibaba cloud Object Storage Service (OSS) is a massive,
safe and highly reliable cloud storage service provided by
Alibaba. As shown in Fig 4, when developers use Alibaba
cloud OSS service framework by the SDK, sensitive infor-
mation, such as AccessKey and AccessKeySecret, is directly
written into the code (for data protection, we perform sensi-
tive information erasure processing). An attacker can easily
106440
FIGURE 4. The sample code of ACOCDV(md5 of this App is
0aa8d5d2e46902509d4343077c14d15e).
get sensitive information through reversing the App, it causes
data leakage from developers on cloud services. The data
in Table 4 shows that the vulnerability the existence rate of
the vulnerability is 20%, so the vulnerability of data leakage
should be taken seriously.
B. CASE STUDY 1-WebView REMOTE CODE EXECUTION
vulnerability(WRCEV)
1) VULNERABILITY TO EXPLAIN
java/android/webkit/BrowserFrame.java in Android 4.4 and
earlier uses the addJavascriptInterface in conjunction with
creating an object of SearchBoxImpl class, which allows
attackers to execute arbitrary Java code by leveraging access
to the SearchBoxJavaBridge_ interface at certain Android
version.
An App in the above environment, when the WebView
component uses the addJavascriptInterface(Object object,
String name) API to establish the connection between
JavaScript and Java without security restrictions. JavaScript
in the webpage not only has permission to call Java object’s
methods in its runtime environment, but to execute Android
system commands.
The above description of the vulnerability is summarized
that when the App runtime environment belongs to Android
version 4.4 or below, if the WebView addJavascriptInter-
face(Object object, String name) API is used in the App and
the developer has not added security restrictions, an attacker
can build malicious JavaScript code perform instruction exe-
cution on the App.
2) VULNERABILITY POC
(1) File MD5: cdc18db0cad812225d8412be4e27182b
(2) version: 4.2
(3) Exploit: The App supports running under Android
version 4.4. Fig 5 shows the code that causes the vulnerability
in the App, it uses the WebView component to display a
VOLUME 8, 2020
J. Qin et al.: Vulnerability Detection on Android Apps–Inspired by Case Study on Vulnerability
TABLE 5. The functions to remove WRCEV.
FIGURE 5. The vulnerability code of WebView Remote Code Execution.
webpage. Also, it uses addJavascriptInterface(Object object,
String name) API to make the JavaScript code can call the
b object by string a method in the called HTML page. How-
ever, this App does not limit the vulnerability through some
protection methods, so the App has the vulnerability.
We install the App on an Android emulator, we open
the browser to tap an url, such as https://www.yahoo.com.
As is shown in Fig 6a, the App correctly displays the page
passed by the url. Viaing a MITM attack, we forged mali-
cious JavaScript code into the webpage. Malicious JavaScript
code executes the command ‘‘ls - al /MNT/sdcard/’’ to read
file information in sdcard. As shown in Fig 6b, malicious
JavaScript normally runs on the vulnerable App, which reads
the file information from the sdcard directory of the Android
device. It indicates that this vulnerability exists and can be
exploited in the App.
3) INSIGHT
When developers use the addJavascriptInterface (Object
object, String name) API to call a web page. As summarized
in Table 5, the functions of removing the risk interface should
be added to limit the permission of JavaScript code. They can
eliminate the WRCEV in Apps.
C. CASE STUDY 2-ALIBABA CLOUD OSS CREDENTIAL
DISCLOSURE VULNERABILITY (ACOCDV)
1) VULNERABILITY TO EXPLAIN
Alibaba Cloud Object Storage Service (OSS) is a secure and
reliable cloud Storage Service provided by Alibaba. When the
service is used in an Android App, the APIs provided by the
VOLUME 8, 2020
FIGURE 6. Get the sdcard information by using WRCEV.
FIGURE 7. The demo code provided by documentation of Alibaba cloud
OSS.
SDK of the service need to be called in the App. However,
developers usually simply copy the official sample code and
don’t consider the security weekness of programming. Fig 7
is the demo code provided by the Alibaba cloud. Attackers
can obtain this set of credentials by using the OSS man-
agement tool to get the data in the service easily. It will
result in information leakage and constitute a serious security
weekness.
2) VULNERABILITY POC
(1) File MD5: fea5226fdf7a1a1ed95d6c24a6e30f06
(2) version: 4.37
(3) Exploit: In order to facilitate the manual analysis and
reading of the source code of the App, we use the Jeb [26] tool
to reverse the App when manually verifying the vulnerability.
Because the App is packed, we use our unpacking tool [27]
to get the source code of the App. As shown in Fig 8,
it is the source code which is obtained after unpacking the
App.
Fig 9 is the code which contains sensitive information
in the App. In onCreate method, we find construct the
object Alibaba cloud storage service initializes the object.
When constructing an object, this method directly invoke the
accessKeyId and accessKeySecret, and both of these sensitive
values are hard coded by the developer in the program, thus
it causes the weakness of sensitive information.
106441
 J. Qin et al.: Vulnerability Detection on Android Apps–Inspired by Case Study on Vulnerability
FIGURE 8. Get its source code through decompiling the unpacked App.
3) INSIGHT
Inorder to prevent data leakage of sensitive information
of accessKeyId and accessKeySecret. Developers should
encrypt sensitive information when using the Alibaba OSS
SDK.
D. VULNERABILITY CHARACTERISTICS
As shown in TABLE 6, the characteristics of vulnerabilities
are summarized after a comprehensive case study of each vul-
nerability. In addition, after a lot of manual analysis of Apps
of above vulnerabilities. We divided the four vulnerabilities
into three categories, and generalized the analysis methods
and characteristics of each type of vulnerability based on
the four specific vulnerabilities. The details are described as
follows.
1) IMPROPER CERTIFICATE VALIDATION (ICV)
An App uses the method of checkServerTrusted. No cer-
tificate verification operation is performed in it, or in this
method, only the expiration time of the certificate is verified,
and no other information is verified.
106442
FIGURE 9. The vulnerability code in the App.
2) WebView BYPASS CERTIFICATE VALIDATION
VULNERABILITY (WBCVV)
An App uses the WebView API for certificate verifica-
tion, but the method onReceivedSslError(WebView view,
SslErrorHandler handler, SslError error) which is for han-
dling the exception certificate does not perform any pro-
cessing. This causes the abnormal certificate to pass the
verification.
Vulnerability in overridden method (OM). The functions
that lead to the above two vulnerabilities have common char-
acteristics in analytical methods. These are subclass methods
provided by the Android system to developers to customize
the strong validation logic, and the parent class methods
they inherit have the vulnerable logic in default. Developers
don’t strictly follow the security specifications to customize
the security policy code. The analysis method for this type
of vulnerability is described in TABLE 6. An App has a
overridden method that is to do the security validation, and
its inherited parent method is a weak logic in default. If the
method of the App is not written with strong verification, then
the App is vulnerable.
3) WebView REMOTE CODE EXECUTION
VULNERABILITY (WRCEV)
There are three elements that can cause an App to have
this vulnerability. First, the App needs to support to run on
Android version 4.4 or below. Second, the App uses Web-
View’s API addJavascriptInterface(Object Object, String
name) to allow JavaScript to run Java. Finally, the App does
not add an API as shown in TABLE 5 to remove the weekness
interface in the context of using the above API.
Vulnerability of using unsafe APIs (USS). For an App,
it uses a potentially vulnerable API, and the developer does
not perform codes to protect against the vulnerability in the
VOLUME 8, 2020
J. Qin et al.: Vulnerability Detection on Android Apps–Inspired by Case Study on Vulnerability
TABLE 6. Vulnerability characteristics with case study(‘OM’ refers to
‘Overridden method’, ‘USS’ refers to ‘Use unsafe settings’, ‘DLSI’ refers to
‘Data leakage of sensitive information’; ‘ICV’ refers to ‘Improper
certificate validation, ‘WBCVV’ refers to ‘WebView bypass certificate
validation vulnerability’, ‘WRCEV’ refers to ‘WebView remote code
execution vulnerability’ and ‘ACOCDV’ refers to ‘Alibaba Cloud OSS
credential disclosure vulnerability’).
calling link and the context of it. Because some vulnerabilities
are related to the Android environment, API level required for
Apps is also one of the elements to identify the vulnerability.
We can combine the above elements to determine whether the
vulnerability exists.
4) ALIBABA CLOUD OSS CREDENTIAL DISCLOSURE
VULNERABILITY (ACOCDV)
For an App that uses the API OSSPlainTextAKSKCre-
dentialProvider provided by the Alibaba OSS SDK to
create credential information with server, its secretKey
needed in the method is hard coded in the program.
This causes the existence of information disclosure
vulnerability.
Data leakage of sensitive information (DLSI). The analy-
sis and characteristics of this category vulnerabiliy is shown
in TABLE 6. An App has an invoke method that uses sensitive
information. The object of the sensitive information is traced
to determine whether it is hard-coded in the App. If it is
hard-coded in it then the vulnerability exists.
VOLUME 8, 2020
IV. VulArcher-A TOOL TO DETECT VULNERABILITIES
A. SYSTEM OVERVIEW
As shown in Fig 10, the working process of VulArcher can be
divided into the following steps:
1) DECOMPILATION
For an App, VulArcher decompresses it to obtain the
classes.dex file which contains the source code, the Android-
Manifest.xml file which contains component information,
permissions and the resource files. VulArcher reverses the
classes.dex based on Androgurd [28]. Through this process,
It obtains the classes and methods in the source code of
the App. Also it decompiles the AndroidManifest.xml file to
obtain registered component information and configuration
information.
2) PACKER IDENTITION
VulArcher recognizes whether an App is packed accord-
ing to formula (1) and (2). AC indicates the number of all
components registered by the App, and CC indicates the
number of classes in classes.dex which can obtain from the
AC. Because the packed App almost hides all components
and other logic codes, classes.dex does not contain these
information. Some packing methods have signature files, ie.
libexe*.so and libexecma**.so. In order to further clarify
packing methods, VulArcher uses the fingerprint to identify
the detailed packing type and version of the App.
CC
F= (1)
( AC
unpacked, if F ≥ 0.8
App (2)
packed, otherwise
3) UNPACKING
At present, more and more Apps are packed. Static analysis
can not directly get the real code of the packed Apps. This
causes static detection to fail to analyze vulnerabilities of
such Apps. Therefore, the analysis of packed Apps should be
carried out by unpacking method, for extracting the original
code of Apps. The unpacking method used in this system
DexX [27] is a result of our previous research. It can handle
the six packers, such as Ali [29], Baidu [30], Bangcle [31],
Tencent [32], Qihoo 360 Mobile [33], and ijiami [34]. This
paper does not elaborate too much for the method.
4) BUILDING TAINT PATH
VulArcher creates a taint control flow graph(TCFG) of
a classes.dex, the algorithm is shown in Algorithm 1.
VulArcher creates a control flow graph(CFG) of the
classes.dex. the set V of p nodes in CFG is shown in for-
mula (3). Each vk contains the package name(pkgk ), class
name(ck ) and method(mk ). As shown in formula (4), the set
IA of m interested APIs is a subset of V . For each iAj ,
we follow the heuristic method to find its taint path tpj , it’s
shown in formula (5). V 0 is a subset of V , the points in V 0 are
related to the control flow of iAj . If vk has a control flow to vw ,
106443
 J. Qin et al.: Vulnerability Detection on Android Apps–Inspired by Case Study on Vulnerability

FIGURE 10. The overview of VulArcher, it describes the modules of the overall tool, as well as the
workflow.(‘‘Y’’ indicates that the App is packed and ‘‘N’’ indicates that it is unpacked).

Algorithm 1 The Algorithm of Building TCFG as described in Algorithm 2, so that we can avoid match-
1: Input: IA, CFG {IA the set of interested APIs.} ing vulnerability rules of all App code. For tpj , VulArcher
2: Output: TCFG extracts its context slices(csj ). R is a set of vulnerability rules.
3: INITIALIZE TCFG = ∅ The input to function f(.) is R and CS. If the m matchs the
4: for each iAj ∈ IA do vr, the App is commented with the vulnerability which vr
5: tpj ⇐ HeuPath(CFG, iAj ) {A heuristic method to find represents.
taint path tpj of iAj .}
6: BuildG(TCFG, tpj ) {Building the TCFG with tpj .} CS = {csj |j = 1, . . . , r} (7)
7: end for R = {vr1 , vr2 , . . . , vrn } (8)
(
8: return TCFG Vul, if vri is matched in CS
f (R, CS) (9)
notVul, otherwise

we think there is a taint control flow relationship from vk to
vw <vk , vw >, we denote the set of all the above relationships
as E 0 . As shown in formula (6), TCFG is composed of all
tpj (j = 1, . . . . ., m).
V = {vk = (pkgk , ck , mk )|k = 1, . . . , p} (3)
IA = {iAj = (pkgj , cj , mj )|j = 1, . . . , m, and m ≤ p}
(4)
tpj = {(Vj , Ej )| < vj k, vj w >∈ Ej ,
0 0 0
Vj0 = {vj k|k = 1, . . . , q}}
TCFG = {tpj |j = 1, . . . , m}
5) DETECTION
VulArcher uses the rules of above vulnerabilities and the
TCFG of an App generated in the Building Taint Path
for vulnerability judgment. In order to detect vulnerabilities
faster, we propose a heuristic vulnerability search algorithm
We just need to find interesting points directly in the paths of
the vulnerabilities. In this way, the entire vulnerability search
process is fast and accurate.
B. EXTRACT SUSPICIOUS CODE SEGMENT
An App contains many classes and methods, if we iterate
through each method to search vulnerabilities and weak-
nesses, it will certainly affect the efficiency of detection. So
we first built the TCFG of the App, recording classes and
methods that contain suspicious interesting paths. When we
(5) are looking for vulnerabilities, we can use the heuristic-based
(6) approach described in Algorithm 2 to find out if a vulnera-
bility exists. The interestSet in the algorithm represents all
sensitive APIs and methods that may cause vulnerabilities in
the App. FR represents a collection of rules for vulnerability
fixes and TR represents the set of rules that trigger the vul-
nerability. The algorithm first obtains a suspected vulnerable
point in interestSet, then in the already constructed TCFG,
it constructs the relevant slice content of all objects and

106444 VOLUME 8, 2020

J. Qin et al.: Vulnerability Detection on Android Apps–Inspired by Case Study on Vulnerability

Algorithm 2 A Heuristic Vulnerability Search Algorithm

1: Input: interestSet, FR, TR {interestSet in the algorithm
represents all sensitive APIs and methods that may cause
vulnerabilities in the App. FR represents a collection of
rules for vulnerability fixes and TR represents the set of
rules that the vulnerability triggers.}
2: Output: output(path,contextSlice) {This stores the
detailed code snippet of the vulnerability and the path
where the vulnerability is located.}
3: INITIALIZE output(path,contextSlice) = ∅
{FindPath can find the caller paths in the APK through a
function that is suspected of a vulnerability.}
4: for each ti ∈ InterestSet do FIGURE 11. Attack architecture for Certificate validation vulnerability.
5: path ⇐ FindPath(TCFG,ti)
6: contextSlice ⇐ GetContextSlice(path) {Geting
detailed function information by the path.}
7: if (FR 6 = ∅) and (TR 6 = ∅) then
8: if HeuSearch(contextSlice,TR) == True and
HeuSearch(contextSlice,FR) == False then
9: output(path,contextSlice)
10: end if
11: end if
12: if FR 6 = ∅ then
13: if HeuSearch(contextSlice,FR) == True then
14: continue
15: else
16: output(path,contextSlice) FIGURE 12. Attack architecture for WRCEV.

17: end if
18: end if
19: if TR 6 = ∅ then been reported for a long time. In this paper, we provide
20: if HeuSearch(contextSlice,TR) == True then semi-automated verification methods and workflow for the
21: output(path,contextSlice) vulnerabilities and weaknesses we analyzed. This work can
22: else verify the detection results of VulArcher and provides readers
23: continue with clear methods of vulnerabilities’ verifications.
24: end if
25: end if 1) A VERIFICATION METHOD FOR MAN-IN-MIDDLE ATTACK
26: end for VULNERABILITY CAUSED BY WEAK CERTIFICATE
27: return output(path,contextSlice) VERIFICATION
Fig 11 depicts the attack architecture for this weakness. First,
we set up the environment to enable Burpsuite [35] to block
all network traffic from mobile. We write a script based
variables in the point, that is, contextSlice. It uses a heuristic on Burpsuite, which is mainly responsible for analyzing the
search algorithm to search in contextSlice. If there is a rule traffic information of mobile, extracting the Host and body
for repairing the vulnerability in the slice, then the App does and sending it to the server. The web service module is mainly
not have the vulnerability. Otherwise, if it finds the rule responsible for auto installing Apps and recycling the results
for triggering the vulnerability in slice through the search of analyzing network traffic, also, determining whether the
algorithm, then it records the complete path information and App is attacked by MIMT automately.
slice of the vulnerability of the App.
2) A VERIFICATION METHOD FOR WRCEV
C. VERIFY METHOD AND WORKFLOW As shown in Fig 12, our verification method is mainly to
Nowadays there are more and more vulnerability detection inject malicious JavaScript code in to the App’s network traf-
tools. To some certain extent, they can detect some vulnera- fic by MIMT. We use Burpsuite to block all traffic sent by the
bilities and weaknesses. But they do not provide developers mobile and injecting the written malicious JavaScript code
with some way to reproduce vulnerabilities. This is the reason in the response. If the JavaScript can successfully execute
why more and more vulnerabilities are ignored by developers, malicious code, the code will send a record to the web service
as a result, many Apps still have vulnerabilities that have to record whether the App exists the vulnerability.

VOLUME 8, 2020 106445

 J. Qin et al.: Vulnerability Detection on Android Apps–Inspired by Case Study on Vulnerability
TABLE 7. The distribution of three types of Apps from January to
August 2018(‘S’ refer to ‘Shop’, ‘F’ refers to ‘Financial’, ‘B’ refers to
‘Browser’ and ‘T’ refers to ‘Total’).
TABLE 8. Three types of Apps’ size distribution(Mb)(‘S’ refers to ‘Shop’, ‘F’
refers to ‘Financial’, ‘B’ refers to ‘Browser’ and ‘T’ refers to ‘Total’).
TABLE 9. All types of vulnerability of the Apps test results manually(‘N’
refers to ‘Numbers of Samples’ and ‘NFP’ refers to ‘Numbers of False
Positives’;’ICV’ refers to ‘Improper certificate validation, ‘WBCVV’ refers to
‘WebView bypass certificate validation vulnerability’, ‘WRCEV’ refers to
‘WebView remote code execution vulnerability’ and ‘ACOCDV’ refers to
‘Alibaba Cloud OSS credential disclosure vulnerability’).
3) A VERIFICATION METHOD FOR ACOCDV
We use the Jeb to reverse the App, and we look for the code
module initialized by OSSClient in the reverse smali code.
We find out whether initialize method by using plaintext
accessKey and secretKey. We get these keys, and use the
OSSUtils to connect the service.
V. EXPERIMENT
Our experiments are performed in the following environment:
The CPU is e5-2640v4, the memory is 32G, system is Linux
64 and python 2.7.
A. COLLECT ORIGINAL SAMPLES
In this paper, the main types of Apps we focus on are
financial, shopping, and browser. We downloaded a total
of 6177 Apps from the Baidu [36], Wandoujia [37], Qihoo
[38] and Huawei [39] App Stores, which were released from
January to August 2018. Of these, 3,160 Apps are in the
financial category, 2,954 Apps are in the shopping category,
and the remaining 63 Apps are in the browser category.
Table 7 shows the distribution of three types of Apps from
January to August 2018. It includes classification by sample
category of Apps, classification by time. Table 8 shows the
distribution of three types of Apps’ size.
B. ANALYZE THE RESULTS
TABLE 10 shows the details of the test results of all the Apps.
We divide the samples vulnerability type into two categories
106446
FIGURE 13. The relationship between sizes of Apps and vulnerabilities.(
‘ACOCDV’ refers to ‘Alibaba Cloud OSS credential disclosure vulnerability’,
‘WRCEV’ refers to ‘WebView remote code execution vulnerability’, ‘WBCVV’
refers to ‘WebView bypass certificate validation vulnerability’ and ‘ICV’
refers to ‘Improper certificate validation’).
according to whether or not is packed. It can be seen that
even if the App is packed, vulnerabilities cannot be fixed.
Through the results, WBCVV and ICV have a high ratio,
because most of the Apps’ network communication protocols
now use HTTPs, developers use APIs to develop these func-
tions, and ignore the security of certificate verification for the
convenience of the development process. WRCEV is the least,
there may be a direct relationship with the current Apps that
rarely supports version of Android 4.4 and below.
Finding 1: Although the WRCEV was first reported
in 2014, there is still a 4.7% Apps in the currently released
browser Apps.
Finding 2: When the JS-to-Java reflection function in
WebView is used in Apps, it is able to strictly limit the
Android version to be greater than 17, and use the interface
function shown in TABLE 5.
Manually Verfify. We randomly select samples with and
without vulnerabilities in the detection results. We manually
analyze those samples. For those which need a user account
to use, and these accounts are not free to register externally,
these are not the scope we consider. The analysis results
are shown in TABLE 9, it is showed that VulArcher detects
ACOCDV with high accuracy.
Finding 3: When we do the MITM, we find that many
Apps not only do not carry out certificate verification, but
also transmit sensitive data such as user name and password
in plaintext. It is very easy to cause the leakage of sensitive
information. So it is necessary to encrypt sensitive informa-
tion.
Finding 4: The detection accuracy for ACOCDV can reach
100%, and for WBCVV can reach 95%. Also the accuracy is
lightly lower and can reach 87% for the other two vulnera-
bilities. VulArcher can help developers detect vulnerabilities
before Apps are released. It can avoid releasing Apps with the
above vulnerabilities.
The irrelevance of vulnerabilities and sizes of Apps.
Fig 13 shows the number of vulnerabilities in Apps with
different sizes. It can be seen that the same category of
VOLUME 8, 2020
J. Qin et al.: Vulnerability Detection on Android Apps–Inspired by Case Study on Vulnerability
TABLE 10. Summary table of all sample detection results.(‘P’ refers to ‘Probability of vulnerability(%)’; ‘ICV’ refers to ‘Improper certificate validation,
‘WBCVV’ refers to ‘WebView bypass certificate validation vulnerability’, ‘WRCEV’ refers to ‘WebView remote code execution vulnerability’ and ‘ACOCDV’
refers to ‘Alibaba Cloud OSS credential disclosure vulnerability’).
FIGURE 14. Distribution of vulnerabilities in different category of
Apps.(‘ACOCDV’ refers to ‘Alibaba Cloud OSS credential disclosure
vulnerability’, ‘WRCEV’ refers to ‘WebView remote code execution
vulnerability’, ‘WBCVV’ refers to ‘WebView bypass certificate validation
vulnerability’ and ‘ICV’ refers to ‘Improper certificate validation’).
vulnerabilities have almost the same probability distribution
in different sized apps. Both WBCVV and ICV have a high
percentage in Apps of different sizes.
Finding 5: The number and the type of vulnerabilities in
Apps are independent of the size of them.
The relationship between vulnerabilities and cate-
gories. Fig 14 shows the probability of vulnerabilities for
each of the categories of Apps. ACOCDV does not exist
in the browser Apps, because they do not need to use this
service to store a large number of images. The reason that
the percentage of WRCEV in these Apps is slightly higher
than the other two types of Apps is most of these Apps use
the WebView component and many of them support for the
Android 4.4 version.
Finding 6: More and more Apps face the vulnerability
of MITM, because developers do not validate certificate for
convenience. So certificate validation must be done strictly in
the development.
Finding 7: Although Alibaba OSS SDK has released
new instructions to circumvent this credential information
leak [40], results in Fig 14 shows that many Apps still have
this vulnerability. This means that Apps should be timely
updated the SDKversion to fix the vulnerability.
The trend of the vulnerability. Fig 15 shows the trend
of probability of vulnerabilities for Apps in each month from
January to August in 2018. It can be intuitively reflected that
VOLUME 8, 2020
FIGURE 15. Distribution of vulnerabilities per month in 2018. (‘ACOCDV’
refers to ‘Alibaba Cloud OSS credential disclosure vulnerability’, ‘WRCEV’
refers to ‘WebView remote code execution vulnerability’, ‘WBCVV’ refers
to ‘WebView bypass certificate validation vulnerability’ and ‘ICV’ refers to
‘Improper certificate validation’).
there are vulnerabilities and weekneses in the monthly release
of Apps, and the number of vulnerabilities does not decline
over time.
Finding 8: As shown in Fig 15, the trend of vulnerabilities
tends to be in a stable state. This shows that various vulnera-
bilities still exist in Apps and developers do not mitigate these
vulnerabilities.
C. VulArcher PERFORMANCE
Efficiency. VulArcher takes an average of one minute to
analyze an App. However, if the analysis App is packed, then
the time to unpack it is an average of 50 seconds.
Computing cost. For an App, the memory consumption is
400M, CPU utilization is 40%.
Scalability. VulArcher supports the rules of vulnerabilities
to detect them. Hence, for a new vulnerability, VulArcher
only need to konw the vulnerability rule to complete the
detection of the new vulnerability.
VI. DISCUSSIONS AND LIMITATIONS
We download the Apps to analyze the four types of vulnera-
bilities, but the Apps was two years ago. We should use the
latest data for analysis. However, the latest Apps compared
with the previous ones, the Android system versions they
support has not been updated much, the APIs used in them
has not been updated. Our findings are not biased.
106447
 J. Qin et al.: Vulnerability Detection on Android Apps–Inspired by Case Study on Vulnerability
TABLE 11. Details of 98 Apps with Webview bypass certificate validation risk.
The vulnerability results detected by VulArcher contain
both third-party components and the App itself. At present,
we regard these two aspects as all the vulnerabilities of
the App. If we want to distinguish the vulnerability results.
We can organize a third-party component library, which con-
tains information such as the package name of the com-
ponent. The vulnerability results detected by VulArcher
contains the package name and class name of a vulner-
ability, so we use the package name and the class name
to go back to the component library to check whether
the vulnerability belongs to the App itself or third-party
components.
VII. RELATED WORK
The study of Android vulnerabilities can be divided into two
aspects, one is about the Apps and the other is about the
Android OS.
Li et al. [14] just conducted a detail analysis of the vulnera-
bilities that will occur in the music Apps. The music Apps that
are analyzed mainly produce man-in-the-middle hijacking
attacks when communicating with servers. Qian et al. [23]
proposed a structure called app property graph (APG) for
Android vulnerabilities. Based on this feature representation
method, a detection tool is proposed for five common vulner-
abilities. But they did not give workflows for the verification
106448
of the vulnerabilities. Chen et al. [41] manually analysed sev-
eral OAuth providers for Apps and determined how differ-
ences between the Apps and browser environments lead to
the OAuth vulnerability. Wu et al. [1] proposed a detection
method for the confused deputy vulnerability in Android
applications based on features of AndroidManifest.xml file
and Control Flow Graph (CFG). Fang et al. [5] studyed an
input validation vulnerability in Android inter-component
communication. This kind of vulnerability is caused by the
incomplete security verification mechanism of Apps develop-
ers. Yang et al. [10] used a combination of static and dynamic
methods to analyze the App’s dynamic loading vulnerabil-
ity. This kind of vulnerability is caused by the insecure
verification on the loaded executable file. Yang et al. [20]
studyed about security issues caused by mixed postMessage
Origin Stripping Vulnerability(OSV) in Apps. Ranganath
and Mitra [42] proposed a detection tool for supporting
large-scale Android vulnerabilities, they didn’t conduct anal-
ysis method for vulnerabilities. Farhang et al. [43] focused
on how different when vendors deal with Android vulnera-
bilities.
Other studies explored different vulnerabilities from we
studied. Feng and Shin [44] analyzed some vulnerabilities
related to Binderin Android, and proposed an automated tool
for detecting this type of vulnerabilities from the analysis of
VOLUME 8, 2020
J. Qin et al.: Vulnerability Detection on Android Apps–Inspired by Case Study on Vulnerability

TABLE 12. Details of 99 Apps with Improper certificate validation.

TABLE 13. Details of 20 Apps with Alibaba cloud OSS certificate information leakage vulnerability.

TABLE 14. Details of 28 Apps with Webview remote code execution vulnerability.

the causes of the vulnerabilities. Linares-Vásquez et al. [45] system-level vulnerabilities. Through analysis rules and
analyzed Android system vulnerabilities by using the Bul- results, they proposed a detection tool for this type of vul-
letin resource. Zhang et al. [21] mainly studyed the Android nerabilities.

VOLUME 8, 2020 106449

 J. Qin et al.: Vulnerability Detection on Android Apps–Inspired by Case Study on Vulnerability
VIII. CONCLUSIONS
We deeply analyzed the four kinds of vulnerabilities on a data
set with more than 6000 Android Apps. The aforementioned
vulnerabilities are ACOCDV, WRCEV, WBCVV and ICV. We
found that webview and HTTPs are existed in most of finance
and shopping apps. According to this, attackers can easily
perform MITM. As for WRCEV which has been disclosed for
a long time, it still exist in browser Apps, because developers
lack the methods of vulnerability identification and security
development awareness. Apps that use Alibaba Cloud OSS
services, information leakage vulnerability of Alibaba cloud
OSS credentials is caused by the weak secure awareness
of developers. We developed a vulnerability detection tool,
VulArcher. The experiments show that it can automatically
detect the above vulnerabilities, and has good scalability.
One of vulnerabilities which VulArcher detected had been
included in China National Vulnerability Database (CNVD)
ID(CNVD-2017-23282). It detected more than 6000 Apps
and found nearly 3000 Apps with the above vulnerabilities.
and we have manually verified the accuracy of results among
nearly 300 Apps. The source codes of VulArcher and sam-
ple data presented in this paper can be utilized by further
researchers. We incentivize this by making our data publicly
available [46].
APPENDIX
Table 13 gives the the attack results of ‘‘Alibaba Cloud OSS
credential disclosure vulnerability ’’. Table 14 gives the attack
results of ‘‘WebView remote code execution vulnerability’’.
Since there are no more than 100 Apps for the above two
types of vulnerabilities, we have all analyzed. Table 11 gives
a detailed description of 98 Apps randomly selected which
were detected ‘‘WebView bypass certificate validation vul-
nerability’’. As Table 12 shown, we selected 99 Apps that
were taged as ‘‘Improper certificate validation’’, and we
recorded whether or not it can be attacked for each App.
REFERENCES
[1] J. Wu, T. Cui, T. Ban, S. Guo, and L. Cui, ‘‘Paddyfrog: Systematically
detecting confused deputy vulnerability in Android applications,’’ Secur.
Commun. Netw., vol. 8, no. 13, pp. 2338–2349, 2015.
[2] A. Hovsepyan, R. Scandariato, W. Joosen, and J. Walden, ‘‘Software
vulnerability prediction using text analysis techniques,’’ in Proc. 4th Int.
workshop Secur. Meas. metrics, 2012, pp. 7–10.
[3] R. Scandariato, J. Walden, A. Hovsepyan, and W. Joosen, ‘‘Predicting
vulnerable software components via text mining,’’ IEEE Trans. Softw. Eng.,
vol. 40, no. 10, pp. 993–1006, Oct. 2014.
[4] S. Ma, F. Thung, D. Lo, C. Sun, and R. H. Deng, ‘‘VuRLE: Automatic vul-
nerability detection and repair by learning from examples,’’ in ESORICS.
Springer, 2017, pp. 229–246.
[5] Z. Fang, Q. Liu, Y. Zhang, K. Wang, and Z. Wang, ‘‘IVDroid: Static detec-
tion for input validation vulnerability in Android inter-component com-
munication,’’ in Information Security Practice and Experience. Springer,
2015, pp. 378–392.
[6] F. Wu, J. Wang, J. Liu, and W. Wang, ‘‘Vulnerability detection with
deep learning,’’ in Proc. 3rd IEEE Int. Conf. Comput. Commun. (ICCC),
Feb. 2017, pp. 1298–1302.
[7] G. Lin, J. Zhang, W. Luo, L. Pan, Y. Xiang, O. De Vel, and P. Montague,
‘‘Cross-project transfer representation learning for vulnerable function
discovery,’’ IEEE Trans. Ind. Informat., vol. 14, no. 7, pp. 3289–3297,
Jul. 2018.
106450
[8] W. Diao, Y. Zhang, L. Zhang, Z. Li, F. Xu, X. Pan, X. Liu, J. Weng,
K. Zhang, and X. Wang, ‘‘Kindness is a risky business: On the usage of
the accessibility apis in android,’’ in Proc. 22nd Int. Symp. Res. Attacks,
Intrusions Defenses, 2019, pp. 261–275.
[9] A. Amin, A. Eldessouki, M. T. Magdy, N. Abdeen, H. Hindy, and I. Hegazy,
‘‘Androshield: Automated Android applications vulnerability detection, a
hybrid static and dynamic analysis approach,’’ Information, vol. 10, no. 10,
p. 326, 2019.
[10] T. Yang, H. Cui, and S. Niu, ‘‘Dynamic loading vulnerability detection
for Android applications through ensemble learning,’’ Chin. J. Electron.,
vol. 26, no. 5, pp. 960–965, 2017.
[11] S. Wei, Q. Huang, and J. Huang, ‘‘Understanding javascript vulnerabilities
in large real-world Android applications,’’ IEEE Trans. Dependable Secure
Comput. early access, Jun. 11, 2018, doi: 10.1109/TDSC.2018.2845851.
[12] P. Mutchler, A. Doupé, J. Mitchell, C. Kruegel, and G. Vigna, ‘‘A large-
scale study of mobile Web app security,’’ in Proc. Mobile Secur. Technol.
Workshop (MoST), 2015, pp. 1–8.
[13] E. Chin and D. Wagner, ‘‘Bifocals: Analyzing Web view vulnerabilities
in Android applications,’’ in Information Security Applications, Y. Kim,
H. Lee, and A. Perrig, Eds. Cham, Switzerland: Springer, 2014,
pp. 138–159.
[14] H. Li, L. Qian, S. Zhang, H. Zhang, and J. Liu, ‘‘Data leakage between C/A
communication: A case study on Android music app,’’ in Proc. Int. Conf.
Wireless Commun. Signal Process., 2017, pp. 1–7.
[15] Z. Li, D. Zou, S. Xu, H. Jin, H. Qi, and J. Hu, ‘‘Vulpecker: An automated
vulnerability detection system based on code similarity analysis,’’ in Proc.
32nd Annu. Conf. Comput. Secur. Appl., 2016, pp. 201–213.
[16] Z. Li, D. Zou, S. Xu, X. Ou, H. Jin, S. Wang, Z. Deng, and Y. Zhong,
‘‘Vuldeepecker: A deep learning-based system for vulnerability detec-
tion,’’ in Proc. NDSS, 2018, pp. 1–8.
[17] D. Mu, A. Cuevas, L. Yang, H. Hu, X. Xing, B. Mao, and G. Wang,
‘‘Understanding the reproducibility of crowd-reported security vulnerabil-
ities,’’ in Proc. 27th USENIX Secur. Symp., Baltimore, MD, USA, 2018,
pp. 919–936.
[18] L. Luo, Q. Zeng, C. Cao, K. Chen, J. Liu, L. Liu, N. Gao, M. Yang,
X. Xing, and P. Liu, ‘‘Tainting-assisted and context-migrated symbolic
execution of Android framework for vulnerability discovery and exploit
generation,’’ IEEE Trans. Mobile Comput., early access, Aug. 20, 2019,
doi: 10.1109/TMC.2019.2936561.
[19] D. Wu, D. Gao, K. T. Eric Cheng, Y. Cao, J. Jiang, and H. R. Deng,
‘‘Towards understanding Android system vulnerabilities: Techniques and
insights,’’ in Proc. ACM Asia Conf. Comput. Commun. Secur., New York,
NY, USA, 2019, pp. 295–306.
[20] G. Yang, J. Huang, G. Gu, and A. Mendoza, ‘‘Study and mitigation
of origin stripping vulnerabilities in hybrid-postmessage enabled mobile
applications,’’ in Proc. IEEE Symp. Secur. Privacy (SP), Oct. 2018,
pp. 742–755.
[21] J. Zhang, Y. Yao, X. Li, J. Xie, and G. Wu, ‘‘An Android vulnerability
detection system,’’ in Network and System Security, Z. Yan, R. Molva,
W. Mazurczyk, R. Kantola, Eds. Cham, Switzerland: Springer, 2017,
pp. 169–183.
[22] F. Yamaguchi, N. Golde, D. Arp, and K. Rieck, ‘‘Modeling and discovering
vulnerabilities with code property graphs,’’ in Proc. IEEE Symp. Secur.
Privacy, May 2014, pp. 590–604.
[23] C. Qian, X. Luo, Y. Le, and G. Gu, ‘‘VulHunter: Toward discovering
vulnerabilities in Android applications,’’ IEEE Micro, vol. 35, no. 1,
pp. 44–53, Jan. 2015.
[24] S. M. Kerner. Mobile Internet Traffic Growing Fast. Accessed:
May 10, 2019. [Online]. Available: http://www.enterprisenetworkingpl
anet.com/netsp/mobile-internet-traffic-growing-fast.html
[25] B. Popper. Google Announces. Accessed: Jun. 4, 2018. [Online]. Avail-
able: https://www.theverge.com/2017/5/17/15654454/ android-reaches2-
billion-monthly-active-users
[26] PNF. Accessed: Jul. 8, 2018. [Online]. Available: https://www.
pnfsoftware.com/
[27] C. Sun, H. Zhang, S. Qin, N. He, J. Qin, and H. Pan, ‘‘Dexx: A double layer
unpacking framework for android,’’ IEEE Access, vol. 6, pp. 61267–61276,
2018.
[28] Androgurd. Accessed: May 6, 2018. [Online]. Available: https://github.
com/androguard/androguard
[29] Alibaba. Accessed: Jun. 8, 2018. [Online]. Available: http://jaq.
alibaba.com/
[30] Baidu. Accessed: Jun. 8, 2018. [Online]. Available: http://apkprotect.
baidu.com/
VOLUME 8, 2020
J. Qin et al.: Vulnerability Detection on Android Apps–Inspired by Case Study on Vulnerability

[31] Bangcle. Accessed: Jun. 8, 2018. [Online]. Available: http://www. JING GUO received the B.S. degree from the
bangcle.com Beijing University of Posts and Telecommuni-
[32] Tencent. Accessed: Jun. 8, 2018. [Online]. Available: http://www. cations (BUPT), in 2004, and the Ph.D. degree
qcloud.com/product/product.php?item=appup in information and communication system from
[33] Qihoo360. Accessed: Jun. 8, 2018. [Online]. Available: http://dev.360. Tsinghua University, in 2011. She is currently a
cn/protect/welcome Senior Engineer with National Internet Emergency
[34] Ijiami. Accessed: Jun. 8, 2018. [Online]. Available: http://www. Center. Her research interests include network
ijiami.cn
security situation awareness, protection of critical
[35] Burpsuite. Accessed: Jul. 18, 2018. [Online]. Available: https://
information infrastructure, and the IoT security.
portswigger.net/burp/
[36] Baidu. Accessed: Apr. 10, 2018. [Online]. Available:
http://pcappstore.baidu.com/en/index.php
[37] Wandoujia. Accessed: Apr. 10, 2018. [Online]. Available: https://www.
wandoujia.com/
[38] Qihoo360. Accessed: Apr. 10, 2018. [Online]. Available: http://
zhushou.360.cn/
[39] Huawei. Accessed: Apr. 10, 2018. [Online]. Available: http://app.
hicloud.com/ SENMIAO WANG received the B.Eng. degree in
[40] Alibaba. Accessed: Feb. 2, 2020. [Online]. Available: https://help. software engineering from the Dalian University
aliyun.com/knowledge_detail/66168.html of Technology, in 2017. She is currently pursu-
[41] E. Chen, Y. Pei, S. Chen, Y. Tian, R. Kotcher, and P. Tague, ‘‘Oauth demys- ing the Ph.D. degree with the State Key Labo-
tified for mobile application developers,’’ in Proc. ACM Conf. Comput. ratory of Networking and Switching Technology,
Commun. Secur. (CCS), Nov. 2014, pp. 892–903. Beijing University of Posts and Telecommunica-
[42] V.-P. Ranganath and J. Mitra, ‘‘Are free Android app security analysis tions, China. Her current research interests include
tools effective in detecting known vulnerabilities?’’ Empirical Softw. Eng., mobile security and machine learning.
vol. 25, no. 1, pp. 178–219, 2020.
[43] S. Farhang, M. Bahadir Kirdan, A. Laszka, and J. Grossklags, ‘‘An
empirical study of Android security bulletins in different vendors,’’ 2020,
arXiv:2002.09629. [Online]. Available: http://arxiv.org/abs/2002.09629
[44] H. Feng and G. Kang Shin, ‘‘Understanding and defending the binder
attack surface in android,’’ in Proc. 32nd Annu. Conf. Comput. Secur. Appl.,
New York, NY, USA, 2016, pp. 398–409.
[45] M. Linares-Vásquez, G. Bavota, and C. Escobar-Velásquez, ‘‘An empirical
study on android-related vulnerabilities,’’ in Proc. 14th Int. Conf. Mining QIAOYAN WEN received the B.S. and M.S.
Softw. Repositories, Oct. 2017, pp. 2–13. degrees in mathematics from Shaanxi Normal Uni-
[46] H. Zhang and J. Qin. (2019). Experimental Material. [Online]. Available: versity, Xi’an, China, in 1981 and 1984, respec-
https://buptnsrclab.github.io/blog/2020/01/03/vularcher-site-launched tively, and the Ph.D. degree in cryptography from
Xidian University, Xi’an, in 1997. She is cur-
rently a Professor with the Beijing University
JIAWEI QIN received the B.S. degree in com- of Posts and Telecommunications. Her current
puter science from Shenyang Aerospace Univer- research interests include coding theory, cryptog-
sity, China, in 2015. He is currently pursuing raphy, information security, internet security, and
the Ph.D. degree in computer science with the applied mathematics.
Beijing University of Posts and Telecommunica-
tions, China. His research interests include mal-
ware analysis, and security of mobile systems and
Apps.

YIJIE SHI received the B.S. degree in radio tech-

HUA ZHANG (Member, IEEE) received the
B.S. and M.S. degrees from Xidian University,
in 2002 and 2005, respectively, and the Ph.D.
degree in cryptology from the Beijing Univer-
sity of Posts and Telecommunications (BUPT),
in 2008. She is currently an Associate Professor
with the Institute of Network Technology, BUPT.
Her research interests include cryptographic pro-
tocols, cloud computing security, and industrial
control systems security.
nology from the Dalian University of Technology,
Dalian, Liaoning, China, in 1997, and the M.S.
degree in cryptography and the Ph.D. degree in
computer science from the Beijing University of
Posts and Telecommunications, Beijing, China,
in 2000 and 2014, respectively. She is currently a
Lecturer with the Beijing University of Posts and
Telecommunications. Her major research inter-
ests include security of industrial control systems,
security of cloud computing, and cryptography.

VOLUME 8, 2020 106451