DOI QR코드

DOI QR Code

A Proposed Framework for the Automated Authorization Testing of Mobile Applications

  • Alghamdi, Ahmed Mohammed (Department of Software Engineering, College of Computer Science and Engineering, University of Jeddah) ;
  • Almarhabi, Khalid (Department of Computer Science, College of Computing in Al-Qunfudah, Umm Al-Qura University)
  • Received : 2021.05.05
  • Published : 2021.05.30

Abstract

Recent studies have indicated that mobile markets harbor applications (apps) that are either malicious or vulnerable, compromising millions of devices. Some studies indicate that 96% of companies' employees have used at least one malicious app. Some app stores do not employ security quality attributes regarding authorization, which is the function of specifying access rights to access control resources. However, well-defined access control policies can prevent mobile apps from being malicious. The problem is that those who oversee app market sites lack the mechanisms necessary to assess mobile app security. Because thousands of apps are constantly being added to or updated on mobile app market sites, these security testing mechanisms must be automated. This paper, therefore, introduces a new mechanism for testing mobile app security, using white-box testing in a way that is compatible with Bring Your Own Device (BYOD) working environments. This framework will benefit end-users, organizations that oversee app markets, and employers who implement the BYOD trend.

Keywords

References

  1. A. Shabtai, Y. Fledel, U. Kanonov, Y. Elovici, S. Doley et al., "Google Android: A Comprehensive Security Assessment," IEEE Secur. Priv. Mag., vol. 8, no. 2, pp. 35-44, Mar. 2010, doi: 10.1109/MSP.2010.2.
  2. OWASP, "The Open Web Application Security Project (OWASP)," 2020. [Online]. Available: https://owasp.org/about/.
  3. OWASP, "OWASP Top Ten," 2020. [Online]. Available: https://owasp.org/www-project-top-ten/.
  4. N. Serrano, J. Hernantes, and G. Gallardo, "Mobile Web Apps," IEEE Softw., vol. 30, no. 5, pp. 22-27, 2013, doi: 10.1109/MS.2013.111.
  5. S. Charkaoui, Z. Adraoui, and E. H. Benlahmar, "Cross-platform mobile development approaches," in 2014 Third IEEE International Colloquium in Information Science and Technology (CIST), 2014, pp. 188-191, doi: 10.1109/CIST.2014.7016616.
  6. Android Developers, "Android developer guides," Google, 2021. [Online]. Available: https://developer.android.com/docs.
  7. R. Mahmood, N. Esfahani, T. Kacem, N. Mirzaei, S. Malek et al., "A whitebox approach for automated security testing of Android applications on the cloud," in 2012 7th International Workshop on Automation of Software Test (AST), 2012, pp. 22-28, doi: 10.1109/IWAST.2012.6228986.
  8. K. Almarhabi, K. Jambi, F. Eassa, and O. Batarfi, "Survey on access control and management issues in cloud and BYOD environment," Int. J. Comput. Sci. Mob. Comput., vol. 6, no. 12, pp. 44-54, 2017.
  9. A. B. Garba, J. Armarego, D. Murray, and W. Kenworthy, "Review of the information security and privacy challenges in Bring Your Own Device (BYOD) environments," J. Inf. Priv. Secur., vol. 11, no. 1, pp. 38-54, 2015, doi: 10.1080/15536548.2015.1010985.
  10. K. Almarhabi, K. Jambi, F. Eassa, and O. Batarfi, "An Evaluation of the Proposed Framework for Access Control in the Cloud and BYOD Environment," Int. J. Adv. Comput. Sci. Appl., vol. 18, no. 2, pp. 144-152, 2018, doi: 10.14569/IJACSA.2018.091026.
  11. M. Finneran, "Mobile security gaps abound," Information Week, 2012.
  12. P. K. Gajar, A. Ghosh, and S. Rai, "BRING YOUR OWN DEVICE (BYOD): SECURITY RISKS AND MITIGATING STRATEGIES," J. Glob. Res. Comput. Sci., vol. 4, no. 4, pp. 62-70, 2013.
  13. N. Zahadat, P. Blessner, T. Blackburn, and B. A. Olson, "BYOD security engineering: A framework and its analysis," Comput. Secur., vol. 55, pp. 81-99, 2015, doi: 10.1016/j.cose.2015.06.011.
  14. R. Wahbe, S. Lucco, T. E. Anderson, and S. L. Graham, "Efficient software-based fault isolation," in Proceedings of the fourteenth ACM symposium on Operating systems principles - SOSP '93, 1993, pp. 203-216, doi: 10.1145/168619.168635.
  15. V. Prevelakis and D. Spinellis, "Sandboxing Applications," in Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference, 2001, pp. 119-126.
  16. Android Developers, "Application Sandbox," Google, 2021. [Online]. Available: https://source.android.com/security/appsandbox?hl=en.
  17. R. S. Sandhu and P. Samarati, "Access control: principle and practice," IEEE Commun. Mag., vol. 32, no. 9, pp. 40-48, Sep. 1994, doi: 10.1109/35.312842.
  18. C. Wang, J. Pang, R. Zhao, and X. Liu, "Using API Sequence and Bayes Algorithm to Detect Suspicious Behavior," in 2009 International Conference on Communication Software and Networks, 2009, pp. 544-548, doi: 10.1109/ICCSN.2009.60.
  19. P. Beaucamps, I. Gnaedig, and J.-Y. Marion, "Behavior Abstraction in Malware Analysis," 2010, pp. 168-182.
  20. Q. Do, G. Yang, M. Che, D. Hui, and J. Ridgeway, "Regression Test Selection for Android Applications," in 2016 IEEE/ACM International Conference on Mobile Software Engineering and Systems (MOBILESoft), 2016, pp. 27-28, doi: 10.1109/MobileSoft.2016.023.
  21. C. M. Prathibhan, A. Malini, N. Venkatesh, and K. Sundarakantham, "An automated testing framework for testing Android mobile applications in the cloud," in 2014 IEEE International Conference on Advanced Communications, Control and Computing Technologies, 2014, pp. 1216-1219, doi: 10.1109/ICACCCT.2014.7019292.
  22. B. N. Puspika, B. Hendradjaya, and W. Danar Sunindyo, "Towards an automated test sequence generation for mobile application using colored Petri Net," in 2015 International Conference on Electrical Engineering and Informatics (ICEEI), 2015, pp. 445-449, doi: 10.1109/ICEEI.2015.7352542.