Security Vulnerabilities in Android OS Applications

Authors

  • P. R. Chernenko National Technical University of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute”
  • M. M. Orlova National Technical University of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute”

DOI:

https://doi.org/10.31649/1997-9266-2020-150-3-43-50

Keywords:

Android OS, APK, Ostorlab, vulnerabilities scan, social networks, confidential information

Abstract

Over the past few years, commercial organizations and businesses have been actively developing and using mobile applications to increase the efficiency of their business processes. As a result, employees, customers and suppliers gain productivity in the work environment through real-time information exchange, mobility, and better functionality.

Despite the advantages of mobile apps, their use can lead to potentially dangerous security issues. Like legacy enterprise solutions, mobile apps can contain vulnerabilities that can be attacked, leading to data leaks.

Vulnerabilities and privacy risks in Android apps installed on millions of devices can be used by hackers to gain unauthorized access to an organization’s information resources or private user data. Most Android mobile apps initiate connections to the network, other apps, or third-party services, making a careless user more vulnerable to malicious attacks. Therefore, security, mobile encryption, and thorough application vulnerability testing are required at the application development stage.

This work demonstrates some standard tools for performing static analysis of Android OS applications without running them on the user’s device. Social networks are currently the most important media space in the world and the most widely used channel for data, video, and audio transmission. Therefore, these static analysis methods were used to test eight popular social network applications that are currently used by millions of users. The paper demonstrates the types of vulnerabilities that were found in these applications, analyzes the threats with the most significant potential impact on the business environment, and provides recommendations for reducing the risks of their occurrence.

Author Biographies

P. R. Chernenko, National Technical University of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute”

Post-Graduate Student of the Chair of System Programming and Specialized Computer Systems

M. M. Orlova, National Technical University of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute”

Cand. Sc. (Eng), Associate Professor of the Chair of System Programming and Specialized Computer Systems

Published

2020-06-24

How to Cite

[1]
P. R. Chernenko and M. M. Orlova, “Security Vulnerabilities in Android OS Applications”, Вісник ВПІ, no. 3, pp. 43–50, Jun. 2020.

Section

Information technologies and computer sciences
