Security Source Code Analysis of Applications in Android OS


  • Sami Azam
  • Rajvinder Singh Sumra
  • Bharanidharan Shanmugam
  • Kheng Cher Yeo
  • Mirjam Jonokman
  • Ganthan Narayana Samy





Android security, Android testing tools, Dynamic analysis, Information leakage detection, Static analysis.


It is a known fact that Android mobile phones’ security has room for improvement. Many malicious app developers have targeted     android mobile phones, mainly because android as an open operating system provides great flexibility to developers and there are many android phones which do not have the latest security updates. With the update of marshmallow in android, applications request           permission only during runtime, but not all users have this update. This is important because user permission is required to perform    certain actions. The permissions may be irrelevant to the features provided by an application. The purpose of this research is to          investigate the use and security risk of seeming irrelevant permissions in applications available from Google store. Two different        applications which seem to ask irrelevant permissions during installation were selected from Google store. To test these applications, static analysis, dynamic analysis and reverse engineering tools were used. Findings show potentially malicious behavior, demonstrating that downloading apps from Google play store do not guarantee security.




[1] Waddell, K. (2017). When apps secretly team up to steal your data.

[2] Sikorski, M., & Honig, A. (2012). Practical malware analysis: the hands-on guide to dissecting malicious software. No Starch Press.

[3] Sadeghi, A., Bagheri, H., & Malek, S. (2015). Analysis of android inter-app security vulnerabilities using COVERT. Proceedings of the IEEE 37th International Conference on Software Engineering, pp. 725-728.

[4] Enck, W, Gilbert, P, Chun, B-G, Cox, L, Jung, J, McDaniel, P & Sheth, A. (2014). TaintDroid: An information flow tracking system for real-time privacy monitoring on smartphones. Communications of the ACM, 57(3), 99-106.

[5] Bhoraskar, R., Han, S., Jeon, J., Azim, T., Chen, S., Jung, J., Nath, S., Wang, R., & Wetherall, D. (2014). Brahmastra: Driving apps to test the security of third-party components. Proceedings of the USENIX Security Symposium, pp. 1021-1036.

[6] Enck, W., Octeau, D., McDaniel, P. D., & Chaudhuri, S. (2011). A study of android application security. Proceedings of the USENIX Security Symposium, pp. 1-38.

[7] Elenkov, N. (2014). Android security internals: An in-depth guide to Android's security architecture. No Starch Press.

[8] Dunham, K., Hartman, S., Quintans, M., Morales, J. A., & Strazzere, T. (2014). Android malware and analysis. Auerbach Publications.

[9] (2017). Security report. .pdf.

[10] Faruki, P., Bharmal, A., Laxmi, V., Ganmoor, V., Gaur, M. S., Conti, M., & Rajarajan, M. (2015). Android security: A survey of issues, malware penetration, and defenses. IEEE Communications Surveys and Tutorials, 17(2), 998-1022.

[11] Oberoi, S. (2014). AndroSAT: Security analysis tool for Android applications. PhD thesis, Concordia University.

[12] Wang, P., Lin, W. H., Chao, W. J., Chao, K. M., & Lo, C. C. (2015). Using dynamic taint approach for malware threat. Proceedings of the IEEE 12th International Conference on e-Business Engineering, pp. 408-416.

[13] Sikorski, M., & Honig, A. (2012). Practical malware analysis: The hands-on guide to dissecting malicious software. No Starch Press.

[14] Androbugs (n.d) Androbugs framework.

[15] Androwarn (n.d). Androwarn.

View Full Article: