TECHNICAL REPORT

Report No. UI-SE-MDSERG-2018-09
Date: April 20, 2018

The evaluation results of VAnDroid for the selected apps from Google Play and F-Droid

Atefeh Nirumand, Bahman Zamani, Behrouz Tork Ladani

Department of Software Engineering, University of Isfahan, Hezar-Jerib Ave., Isfahan

Tel: +98-31-37934537
Fax: +98-31-36699529, +98-31-37932670
[email protected]
http://mdse.ui.ac.ir/TR


The evaluation results of VAnDroid for the selected apps from Google Play and F-Droid

Atefeh Nirumand, Bahman Zamani, and Behrouz Tork Ladani
Department of Software Engineering
University of Isfahan
Isfahan, Iran.

{atefehnirumand, zamani, ladani}@eng.ui.ac.ir

Abstract: This report provides the evaluation details of VAnDroid. VAnDroid is a tool which has been developed by Nirumand et al. This tool automatically identifies Intent Spoofing and Unauthorized Intent Receipt, two attacks related to the Android application communication model. To evaluate the tool, it has been applied to several real-world Android applications, including 20 apps from Google Play and 110 apps from the F-Droid repository.


Contents

1 Introduction

2 Selected apps from the Google Play store

3 Selected apps from the F-Droid repository

List of Tables

1 The evaluation results for the selected apps from Google Play.

2 The evaluation results for the selected apps from Google Play (Continued).

3 The evaluation results of applications from Phone & SMS category.

4 The evaluation results of applications from Games category.

5 The evaluation results of applications from Science & Education category.

6 The evaluation results of applications from Sports & Health category.

7 The evaluation results of applications from Security category.

8 The evaluation results of applications from Money category.

9 The evaluation results of applications from Reading category.

10 The evaluation results of applications from Graphics category.

11 The evaluation results of applications from Multimedia category.

12 The evaluation results of applications from Navigation category.

13 The evaluation results of applications from Internet category.

1 Introduction

VAnDroid is an Eclipse-based tool in the field of Android security. In order to demonstrate the ability of this tool to analyze real Android applications and detect vulnerabilities correctly, the implemented tool has been applied to several real-world Android applications. In this evaluation, 20 apps from Google Play and 110 apps from the F-Droid repository are selected as case studies.

2 Selected apps from the Google Play store

The Google Play store is a digital distribution service developed by Google. This service is considered the official app store for the Android operating system, allowing users to browse and download Android apps. The results of the evaluation for 20 apps from Google Play are shown in Tables 1 and 2. As an example, consider the Android Pay app, which is indicated with a red box in Table 1. This app includes 23 Activities, of which four have Activity Launch (with data) and two have Activity Launch (without data) vulnerabilities. The app also has 15 Services, of which one has Service Launch (with data) and six have Service Launch (without data) vulnerabilities. The app consists of 15 Broadcast Receivers, of which three have Broadcast Injection (with data) and ten have Broadcast Injection (without data) vulnerabilities. The number of intent mechanisms used by the app is 126, of which six have Activity Hijacking (with data), 11 have Activity Hijacking (without data), four have Service Hijacking (with data), two have Service Hijacking (without data), two have Broadcast Theft (with data), and two have Broadcast Theft (without data) vulnerabilities. Therefore, the VAnDroid tool has been able to detect the existing vulnerabilities in this app.


Table 1: The evaluation results for the selected apps from Google Play.


Table 2: The evaluation results for the selected apps from Google Play (Continued).


3 Selected apps from the F-Droid repository

F-Droid is a repository for Android applications. This repository only includes apps that are free and open source. The F-Droid repository is composed of over 2,300 applications. This repository has several categories of Android apps. In this evaluation, eleven categories are considered: Phone & SMS, Games, Science & Education, Sports & Health, Security, Money, Reading, Graphics, Multimedia, Navigation, and Internet. The details of the evaluation are shown in Tables 3-13, where each table is related to a specific category of the applications from the F-Droid repository. In each table, the name of the app and the number of its components and vulnerabilities are specified.


Table 3: The evaluation results of applications from Phone & SMS category.


Table 4: The evaluation results of applications from Games category.


Table 5: The evaluation results of applications from Science & Education category.


Table 6: The evaluation results of applications from Sports & Health category.


Table 7: The evaluation results of applications from Security category.


Table 8: The evaluation results of applications from Money category.


Table 9: The evaluation results of applications from Reading category.


Table 10: The evaluation results of applications from Graphics category.


Table 11: The evaluation results of applications from Multimedia category.


Table 12: The evaluation results of applications from Navigation category.


Table 13: The evaluation results of applications from Internet category.
