An Empirical Study on
Android-related Vulnerabilities



Abstract


Mobile devices are used more and more in everyday life. They are our cameras, wallets, and keys. Basically, they embed most of our private information in our pocket. For this and other reasons, mobile devices, and in particular the software that runs on them, are considered first-class citizens in the softwarevulnerabilities landscape.

Several studies investigated the software-vulnerabilities phenomenon in the context of mobile apps and, more in general, mobile devices. Most of these studies focused on vulnerabilities that could affect mobile apps, while just few investigated vulnerabilities affecting the underlying platform on which mobile apps run: the mobile Operating System (OS). Also, these studies have been run on a very limited set of vulnerabilities.

In this paper we present the largest study at date investigating Android-related vulnerabilities, with a specific focus on the ones affecting the Android OS. In particular, we (i) define a detailed taxonomy of the types of vulnerability generally affecting the Android OS; (ii) investigate the layers and subsystems from the Android OS affected by vulnerabilities; (iii) study the survivability of vulnerabilities (i.e., the number of days between the vulnerability introduction and its fixing). Our findings could help OS and apps developers in focusing their verification & validation activities, and researchers in building vulnerability detection tools tailored for the mobile world.


Keywords



Android OS, Security Vulnerabilities


Resources



Authors


Mario Linares Vasquez

Assistant Professor at Systems and Computing Engineering Department, Universidad de los Andes, Bogotá, Colombia


Gabriele Bavota

Assistant Professor at Faculty of Informatics, Università della Svizzera Italiana, Lugano, Switzerland


Camilo Escobar Velásquez

MSc. Software Engineering Student
Universidad de los Andes, Colombia