So{u}rcerer: Developer-Driven Security Testing Framework for Android Apps

Muhammad Sajidur Rahman, Blas Kojusner, Ryon Kennedy, Prerit Pathak, Lin Qi, Byron J. Williams
2021 36th IEEE/ACM International Conference on Automated Software Engineering Workshops (ASEW), November 2021.
DOI: https://doi.org/10.1109/ASEW52652.2021.00020
Citations: 2

Abstract

Frequently advised secure development recommendations often fall short in practice for app developers. Tool-driven approaches (e.g., using static analysis tools) lack the context and domain-specific requirements of the app being tested: developers struggle to extract an actionable, prioritized list of vulnerabilities from the laundry list of security warnings that static analyzers report. Process-driven approaches (e.g., applying threat modeling methods) require substantial resources (e.g., a security testing team, budget) and security expertise that small to medium-scale app development teams can barely afford. To help app developers secure their apps, we propose So{u}rcerer [1], a guiding framework for security testing by Android app developers. So{u}rcerer guides developers to identify the domain-specific assets of an app, detect and prioritize vulnerabilities, and mitigate those vulnerabilities based on secure development guidelines. We evaluated So{u}rcerer with a case study analyzing and testing 36 Android mobile money apps. We found that by following the activities So{u}rcerer guides, an app developer could obtain a concise and actionable list of vulnerabilities (24–61 % fewer security warnings than a standalone static analyzer produces) that directly affect a mobile money app's critical assets, and devise a mitigation plan. Our findings from this preliminary study indicate a viable approach to Android app security testing that is not overwhelmingly complex for app developers.

[1] Sourcerer is a fictional character in Terry Pratchett's fantasy novel series Discworld: https://discworld.fandom.com/wiki/Sourcerer
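The three activities the abstract names (declare the app's domain-specific assets, detect and prioritize findings, map them to mitigation guidelines) can be sketched as an asset-driven triage of static-analysis output. The Python below is an added illustration written for this page; it is not So{u}rcerer's code and does not claim to reproduce the paper's method. Its asset inventory, rule IDs, file paths and findings are constructed, and the guideline text it attaches names real Android mechanisms (android:usesCleartextTraffic, android:exported, EncryptedSharedPreferences) chosen by the editor, not the paper's guideline set.

```python
"""Asset-driven triage of static-analysis findings for an Android app.

Illustrative example only: not So{u}rcerer's code. Asset names, rule IDs,
file paths and findings below are constructed for the demo.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "info": 0}
CRITICALITY_RANK = {"critical": 3, "high": 2, "moderate": 1}


@dataclass(frozen=True)
class Asset:
    """A domain-specific asset the developer declares before running tools."""
    name: str
    criticality: str            # "critical" | "high" | "moderate"
    locations: Tuple[str, ...]  # path/class fragments that handle the asset


@dataclass(frozen=True)
class Finding:
    """One warning in the shape a static analyzer might emit it (constructed)."""
    rule: str
    severity: str
    location: str
    message: str
    asset: Optional[Asset] = None  # filled in by triage()


# Constructed asset inventory for a hypothetical mobile money app.
SAMPLE_ASSETS = [
    Asset("transaction API channel", "critical", ("/net/ApiClient",)),
    Asset("fund transfer flow", "critical", ("TransferActivity",)),
    Asset("user PIN", "critical", ("/auth/PinStore",)),
]

# Constructed findings; the last three touch no declared asset.
SAMPLE_FINDINGS = [
    Finding("cleartext-http", "high", "com/example/mmoney/net/ApiClient.java",
            "HTTP URL used for API base"),
    Finding("exported-activity", "medium", "AndroidManifest.xml:TransferActivity",
            "Activity exported without a permission"),
    Finding("plaintext-pin-storage", "high", "com/example/mmoney/auth/PinStore.java",
            "PIN written to SharedPreferences unencrypted"),
    Finding("verbose-logging", "low", "com/example/mmoney/ui/SplashActivity.java",
            "Log.d call left in release build"),
    Finding("webview-js-enabled", "medium", "com/example/mmoney/ui/HelpWebView.java",
            "setJavaScriptEnabled(true)"),
    Finding("hardcoded-string", "info", "com/example/mmoney/util/Strings.java",
            "Hard-coded string literal"),
]

# Mitigation notes keyed by (constructed) rule ID; the Android mechanisms are real.
MITIGATIONS = {
    "cleartext-http": 'Use https:// and set android:usesCleartextTraffic="false" '
                      "(or pin it in a network_security_config).",
    "exported-activity": 'Set android:exported="false" or guard the component '
                         "with a signature-level permission.",
    "plaintext-pin-storage": "Do not store the PIN; keep a salted hash, or use "
                             "EncryptedSharedPreferences with a Keystore-backed key.",
}


def asset_for(finding: Finding, assets: List[Asset]) -> Optional[Asset]:
    """First declared asset whose location fragment occurs in the finding's location."""
    for asset in assets:
        if any(fragment in finding.location for fragment in asset.locations):
            return asset
    return None


def triage(findings: List[Finding], assets: List[Asset]):
    """Split findings into an asset-ranked action list and a deferred list."""
    prioritized, deferred = [], []
    for finding in findings:
        asset = asset_for(finding, assets)
        if asset is None:
            deferred.append(finding)
        else:
            prioritized.append(replace(finding, asset=asset))
    # Rank by asset criticality first, analyzer severity second (stable sort).
    prioritized.sort(
        key=lambda f: (CRITICALITY_RANK[f.asset.criticality], SEVERITY_RANK[f.severity]),
        reverse=True,
    )
    return prioritized, deferred


def reduction_ratio(all_findings: List[Finding], prioritized: List[Finding]) -> float:
    """Fraction of analyzer warnings the developer does not have to read first."""
    return 1.0 - len(prioritized) / len(all_findings)


def mitigation(finding: Finding) -> str:
    """Guideline text for a finding, or a prompt to review it manually."""
    return MITIGATIONS.get(finding.rule, "No guideline mapped; review manually.")


def run_sample():
    """Triage the constructed findings against the constructed asset inventory."""
    return triage(SAMPLE_FINDINGS, SAMPLE_ASSETS)


if __name__ == "__main__":
    ranked, rest = run_sample()
    print(f"{len(ranked)} of {len(SAMPLE_FINDINGS)} findings touch declared assets "
          f"({reduction_ratio(SAMPLE_FINDINGS, ranked):.0%} fewer to triage first)")
    for f in ranked:
        print(f"[{f.asset.criticality}/{f.severity}] {f.rule} @ {f.location}")
        print(f"    -> {mitigation(f)}")
```

Matching a finding to an asset by path fragment is the simplification here; the point it shows is that the asset inventory, not the analyzer's severity alone, decides what the developer reads first, and that each surviving finding carries a concrete guideline rather than a bare rule ID. In practice the mapping would come from the app's component and data-flow graph, and deferred findings are still kept for a later pass.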