Master’s Thesis Presentation • Software Engineering — Detecting Exploitable Vulnerabilities in Android Applications

Thursday, May 20, 2021 1:00 pm - 1:00 pm EDT (GMT -04:00)

Please note: This master’s thesis presentation will be given online.

Shivasurya Sankarapandian, Master’s candidate
David R. Cheriton School of Computer Science

Supervisor: Professor Mei Nagappan

The world is moving towards remote-first work, giving rise to many mobile tools and applications to get the work done. As more applications move towards the cloud and therefore require remote access, the attack surface is getting wider. This results in more security vulnerabilities and more pain for organizations that have to manage them. So, organizations have to scale their security operations, and engineers work overtime to detect, verify and mitigate security vulnerabilities at scale. This includes the codebase, infrastructure, and corporate assets. Security tools for detecting and reporting vulnerabilities are readily available in the market. However, they tend to produce many false-positive results, which are then manually verified by the organization’s security engineers. Reproducing the security vulnerability and reducing false positives are the primary goals of the security engineer.

To overcome this challenge, we propose the Detecting Exploitable Vulnerabilities in Android Application framework (DEVAA) to help security engineers automate security test cases and verify security vulnerabilities at scale. We envision DEVAA fitting into the continuous integration and continuous delivery pipeline. By extending the DEVAA framework, in a way similar to the JUnit test case framework, security engineers could automate security testing and verify the actual exploit with feedback from the system without fuzzing them.

Additionally, the extension is per vulnerability category type rather than per exact vulnerability location, which helps security engineers detect and verify vulnerabilities by leveraging the common framework. DEVAA helps verify security vulnerabilities flagged by security scanners by reducing the false positives and confirming security vulnerability reproducibility at scale. Our primary goal while implementing DEVAA is extendability, by which security engineers and developers could leverage the base framework to add their application-specific payloads and flows to verify the security vulnerability.

Most organizations that primarily manage application security and bug bounty programs can leverage DEVAA to implement well-known security test cases and verify them in an automated way.


To join this master’s thesis presentation on Zoom, please go to https://zoom.us/j/99547686962?pwd=SmRlNE02d1NsUFFUZ09GcHV2Wkhidz09.