Abstract
During Android application development, ensuring adequate security is a crucial and intricate aspect. However, many applications are released without adequate security measures due to the lack of vulnerability identification and code verification at the initial development stages. To address this issue, machine learning models can be employed to automate the process of detecting vulnerabilities in the code. However, such models are inadequate for real-time Android code vulnerability mitigation. In this research, an open-source AI-powered plugin named Android Code Vulnerabilities Early Detection (ACVED) was developed using the LVDAndro dataset. Utilising Android source code vulnerabilities, the dataset is categorised based on Common Weakness Enumeration (CWE). The ACVED plugin, featuring an ensemble learning model, is implemented in the backend to accurately and efficiently detect both source code vulnerabilities and their respective CWE categories, with a 95% accuracy rate. The model also leverages explainable AI techniques to provide source code vulnerability prediction probabilities for each word. When integrated with Android Studio, the ACVED plugin can provide developers with the vulnerability status of their current source code line in real-time, assisting them in mitigating vulnerabilities. The plugin, model, and scripts can be found on GitHub, and it receives regular updates with new training data from the LVDAndro dataset, enabling the detection of novel vulnerabilities recently added to CWE.
Acknowledgment
We thank Robert Gordon University - UK and the Accelerating Higher Education Expansion and Development grant (AHEAD) of Sri Lanka, University of Kelaniya - Sri Lanka for their support.
A Appendix
Once the plugin has been integrated (as in Fig. 9), the quick check feature can be activated by navigating to Tools > Check Source Vulnerability or by using the shortcut CTRL+ALT+E within Android Studio. This feature performs a rapid scan of the open file, notifying the developer of the specific lines of vulnerable code and their corresponding CWE-IDs, as depicted in Fig. 10 and Fig. 11.
Alternatively, the detailed check feature can be activated by selecting Tools > Check Code Vulnerability or by using the shortcut CTRL+ALT+A while the cursor is placed on a particular code line. Figure 12 presents an example of a detailed check executed on a vulnerable code line, with the cursor positioned on the statement Log.e("Login Failure for username :", "user123");.
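The following is an added example, not code from the paper or from the ACVED plugin, illustrating the shape of the report the quick check and detailed check produce (line number, offending statement, CWE-ID). It replaces the paper's ensemble model with a deliberately simple keyword heuristic for one vulnerability class, logging of credential-like data, which is the class the appendix's example line Log.e("Login Failure for username :", "user123"); belongs to. The Java snippet it scans is constructed for the example, and mapping that line to CWE-532 ("Insertion of Sensitive Information into Log File", a real CWE entry) is this example's assumption, not a label stated by the paper.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed CWE mapping for this example; the paper does not state which
# CWE-ID the plugin reports for the Log.e line in Fig. 12.
CWE_SENSITIVE_LOG = "CWE-532"

# Matches android.util.Log calls: Log.v/d/i/w/e/wtf(<args>);
LOG_CALL = re.compile(r'\bLog\.(v|d|i|w|e|wtf)\s*\((.*)\)\s*;')

# Credential-like words that should not reach a log sink. Extend as needed;
# this is a heuristic stand-in for the plugin's trained model.
SENSITIVE = re.compile(
    r'\b(user(name)?|password|passwd|pwd|token|secret|session|credential)s?\b',
    re.IGNORECASE,
)


@dataclass
class Finding:
    line_no: int
    statement: str
    cwe_id: str


def check_line(line: str) -> str | None:
    """Detailed check for one line (the cursor-focused feature).

    Returns the CWE-ID when the line is a Log call whose message or
    arguments mention credential-like data, otherwise None.
    """
    m = LOG_CALL.search(line)
    if not m:
        return None
    return CWE_SENSITIVE_LOG if SENSITIVE.search(m.group(2)) else None


def scan_source(source: str) -> list[Finding]:
    """Quick check over a whole file: one Finding per flagged line."""
    findings: list[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        cwe = check_line(line)
        if cwe is not None:
            findings.append(Finding(line_no, line.strip(), cwe))
    return findings


def report(findings: list[Finding]) -> list[str]:
    """Render findings in the 'line -> CWE-ID' form the appendix describes."""
    return [f"Line {f.line_no}: {f.cwe_id}  {f.statement}" for f in findings]


# Constructed Android source snippet (not from the paper). Line 3 is the
# statement shown in Fig. 12; line 5 leaks a token; line 4 is benign.
SAMPLE_SOURCE = """\
public class LoginActivity {
    void onLoginFailed(String user, String token) {
        Log.e("Login Failure for username :", "user123");
        Log.d("LoginActivity", "login attempt failed");
        Log.w("Auth", "token=" + token);
    }
}
"""

if __name__ == "__main__":
    for line in report(scan_source(SAMPLE_SOURCE)):
        print(line)
```

The hardened form of the flagged line keeps the event but drops the identifying data, e.g. Log.e(TAG, "Login failure"); with any correlation done through a server-side request id rather than the username. The heuristic here is intentionally narrow: it only covers log sinks, so a line such as line 4 passes even though a model trained on the LVDAndro dataset might weigh other context; that narrowness is what the paper's learned model is meant to overcome.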
Copyright information
© 2023 IFIP International Federation for Information Processing
Cite this paper
Senanayake, J., Kalutarage, H., Al-Kadri, M.O., Petrovski, A., Piras, L. (2023). Android Code Vulnerabilities Early Detection Using AI-Powered ACVED Plugin. In: Atluri, V., Ferrara, A.L. (eds) Data and Applications Security and Privacy XXXVII. DBSec 2023. Lecture Notes in Computer Science, vol 13942. Springer, Cham. https://doi.org/10.1007/978-3-031-37586-6_20
DOI: https://doi.org/10.1007/978-3-031-37586-6_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-37585-9
Online ISBN: 978-3-031-37586-6