KotlinDetector: Towards Understanding the Implications of Using Kotlin in Android Applications

Abstract

Java programming language has been long used to develop native Android mobile applications. In the last few years many companies and freelancers have switched into using Kotlin partially or entirely. As such, many projects are released as binaries and employ a mix of Java and Kotlin language constructs. Yet, the true security and privacy implications of this shift have not been thoroughly studied. In this work, a state-of-the-art tool, KotlinDetector, is developed to directly extract any Kotlin presence, percentages, and numerous language features from Android Application Packages (APKs) by performing heuristic pattern scanning and invocation tracing. Our evaluation study shows that the tool is considerably efficient and accurate. We further provide a use case in which the output of the KotlinDetector is combined with the output of an existing vulnerability scanner tool called AndroBugs to infer any security and/or privacy implications.