Show simple item record

dc.contributor.authorSankarapandian, Shivasurya 14:55:08 (GMT) 14:55:08 (GMT)
dc.description.abstractThe world is moving towards remote-first and giving rise to many mobile tools and applications to get the work done. As more applications are moving towards the cloud and therefore require remote access, the attack surface is getting wider. This results in more security vulnerabilities and pain for organizations to manage them. So, organizations have to scale their security operations, and engineers work overtime to detect, verify and mitigate security vulnerability at scale. This includes codebase, infrastructure, corporate assets.For detecting and reporting, security tools are readily available in the market. However, they tend to produce many false-positive results, which are then manually verified by the organization's security engineers. Reproducibility of the security vulnerability and reducing the false positive are the primary goals of the security engineer. To overcome this challenge, we propose the Detecting Exploitable Vulnerabilities in Android Application framework (DEVAA) to help security engineers to automate security test cases and verify security vulnerabilities at scale. We envision the solution to be incorporated within continuous integration and continuous delivery pipeline.By extending the DEVAA framework similar to JUnit testcase framework, security engineers could automate security testing and verify the actual exploit with feedback from the system without fuzzing them. Additionally, the extension is per vulnerability category type rather than exact vulnerability location which helps security engineers to detect and verify them by leveraging the common framework. DEVAA helps verify security vulnerability flagged by the security scanners by reducing the false positives and confirming security vulnerability reproducibility at scale. Our primary goal while implementing DEVAA is extendability by which security engineers and developers could leverage the base framework to add their application-specific payloads and flows to verify the security vulnerability. Most of the organizations who primarily manage application security and bugbounty programs can leverage DEVAA in implementing well-known security test cases and verifying them in the automated approach.en
dc.publisherUniversity of Waterlooen
dc.subjectsoftware engineeringen
dc.subjectsoftware securityen
dc.titleDetecting Exploitable Vulnerabilities in Android Applicationsen
dc.typeMaster Thesisen
dc.pendingfalse R. Cheriton School of Computer Scienceen Scienceen of Waterlooen
uws-etd.degreeMaster of Mathematicsen
uws.contributor.advisorNagappan, Meiyappan
uws.contributor.affiliation1Faculty of Mathematicsen

Files in this item


This item appears in the following Collection(s)

Show simple item record


University of Waterloo Library
200 University Avenue West
Waterloo, Ontario, Canada N2L 3G1
519 888 4883

All items in UWSpace are protected by copyright, with all rights reserved.

DSpace software

Service outages