Detecting Exploitable Vulnerabilities in Android Applications

dc.contributor.author: Sankarapandian, Shivasurya
dc.date.accessioned: 2021-05-27T14:55:08Z
dc.date.available: 2021-05-27T14:55:08Z
dc.date.issued: 2021-05-27
dc.date.submitted: 2021-05-20
dc.description.abstract: The world is moving towards remote-first work, giving rise to many mobile tools and applications to get the work done. As more applications move to the cloud and therefore require remote access, the attack surface is getting wider. This results in more security vulnerabilities and more pain for the organizations that have to manage them. Organizations therefore have to scale their security operations, and engineers work overtime to detect, verify and mitigate security vulnerabilities at scale. This includes the codebase, infrastructure, and corporate assets. For detecting and reporting, security tools are readily available in the market. However, they tend to produce many false-positive results, which are then manually verified by the organization's security engineers. Reproducing the security vulnerability and reducing false positives are the primary goals of the security engineer. To overcome this challenge, we propose the Detecting Exploitable Vulnerabilities in Android Application framework (DEVAA) to help security engineers automate security test cases and verify security vulnerabilities at scale. We envision the solution being incorporated within a continuous integration and continuous delivery pipeline. By extending the DEVAA framework, much as one would extend the JUnit test case framework, security engineers could automate security testing and verify the actual exploit with feedback from the system, without fuzzing. Additionally, the extension is per vulnerability category rather than per exact vulnerability location, which helps security engineers detect and verify vulnerabilities by leveraging the common framework. DEVAA helps verify security vulnerabilities flagged by security scanners, reducing false positives and confirming the reproducibility of security vulnerabilities at scale.
Our primary goal while implementing DEVAA is extendability, by which security engineers and developers could leverage the base framework to add their application-specific payloads and flows to verify a security vulnerability. Most organizations that primarily manage application security and bug bounty programs can leverage DEVAA to implement well-known security test cases and verify them in an automated way. [en]
dc.identifier.uri: http://hdl.handle.net/10012/17034
dc.language.iso: en [en]
dc.pending: false
dc.publisher: University of Waterloo [en]
dc.subject: software engineering [en]
dc.subject: software security [en]
dc.title: Detecting Exploitable Vulnerabilities in Android Applications [en]
dc.type: Master Thesis [en]
uws-etd.degree: Master of Mathematics [en]
uws-etd.degree.department: David R. Cheriton School of Computer Science [en]
uws-etd.degree.discipline: Computer Science [en]
uws-etd.degree.grantor: University of Waterloo [en]
uws-etd.embargo.terms: 0 [en]
uws.comment.hidden: Kindly accept this submission as I have uploaded the thesis pdf file with PDF/A compliant version [en]
uws.contributor.advisor: Nagappan, Meiyappan
uws.contributor.affiliation1: Faculty of Mathematics [en]
uws.peerReviewStatus: Unreviewed [en]
uws.published.city: Waterloo [en]
uws.published.country: Canada [en]
uws.published.province: Ontario [en]
uws.scholarLevel: Graduate [en]
uws.typeOfResource: Text [en]

Files

Original bundle

Name: Sankarapandian_Shivasurya.pdf
Size: 998.89 KB
Format: Adobe Portable Document Format
Description: Thesis file

License bundle

Name: license.txt
Size: 6.4 KB
Format: Item-specific license agreed upon to submission