By Sam Malek
Security has become the Achilles’ heel of most modern software systems. Techniques ranging from manual inspection to automated static and dynamic code analyses are commonly employed to identify security vulnerabilities prior to the release of software. However, these techniques are time-consuming and cannot keep pace with the growth of software repositories, such as Google Play and the Apple App Store, that host millions of apps.
An opportunity to tackle this issue is presented by the fact that the software products in these repositories are increasingly being organized into categories. Some examples are SourceForge for open source and Google Play for Android applications. In addition to helping users search and browse for apps, categorized repositories have been shown to be good predictors of the common features found within software of a particular category.
In a recent publication, Quandary Peak software expert Prof. Sam Malek and his team of researchers at George Mason University show that knowing the category of an Android application is sufficient for accurately predicting the types of security vulnerabilities that application may have. The approach works by mining a large number of apps available on public app markets (e.g., Google Play). The apps are then analyzed for known security vulnerabilities, which can be detected with a variety of static analysis tools. The vulnerabilities detected in these apps are then used to build a classifier that can determine, with very high accuracy, the types of security vulnerabilities one may encounter in a new app of a given category.
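To make the category-to-vulnerability idea concrete, here is an added illustration (not the paper's classifier and not code from the research team): a frequency-based multi-label predictor trained on a constructed table of apps, each labelled with the vulnerability types a static analyser is assumed to have reported. The category and vulnerability-type names are invented placeholders, not the paper's taxonomy.

```python
from collections import Counter, defaultdict

# Constructed sample data: (app category, set of vulnerability types reported
# by a hypothetical static analyser). Labels are illustrative only.
SAMPLE_APPS = [
    ("finance", {"insecure-storage", "weak-crypto"}),
    ("finance", {"insecure-storage", "weak-crypto", "exported-component"}),
    ("finance", {"weak-crypto"}),
    ("game", {"exported-component"}),
    ("game", {"exported-component", "insecure-webview"}),
    ("game", {"insecure-webview"}),
    ("social", {"insecure-webview", "insecure-storage"}),
    ("social", {"insecure-webview"}),
    ("social", {"insecure-webview", "exported-component"}),
]


def train(apps):
    """For each category, estimate the fraction of apps carrying each vulnerability type."""
    counts = defaultdict(Counter)
    totals = Counter()
    for category, vulns in apps:
        totals[category] += 1
        counts[category].update(vulns)
    return {c: {v: n / totals[c] for v, n in counts[c].items()} for c in totals}


def predict(model, category, threshold=0.5):
    """Vulnerability types expected in a new app of `category`.

    A type is predicted when at least `threshold` of the training apps in that
    category exhibited it; an unseen category yields no prediction.
    """
    return {v for v, p in model.get(category, {}).items() if p >= threshold}


def leave_one_out_jaccard(apps, threshold=0.5):
    """Leave-one-out estimate of prediction quality: mean Jaccard overlap
    between the predicted set and the set actually reported for the held-out app."""
    scores = []
    for i, (category, actual) in enumerate(apps):
        model = train(apps[:i] + apps[i + 1:])
        predicted = predict(model, category, threshold)
        union = predicted | actual
        scores.append(len(predicted & actual) / len(union) if union else 1.0)
    return sum(scores) / len(scores)
```

On this toy table the predictor recovers the dominant types per category (e.g., weak cryptography and insecure storage for finance apps) without inspecting the new app itself, which is the point the research makes at scale; the leave-one-out score shows how much the prediction degrades when an app's own label is withheld.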
This research has significant implications for consumers and app market operators, as it allows them to determine the types of security risks posed by applications of different categories without requiring any specialized tools or detailed analysis of the software. It could also help a security analyst to target the […]