A comprehensive study on static application security testing (SAST) tools for Android

Author

Jingyun ZHU
Kaixuan LI
Sen CHEN
Lingling FAN
Junjie WANG
Xiaofei XIE, Singapore Management UniversityFollow

Publication Type

Journal Article

Version

publishedVersion

Publication Date

12-2024

Abstract

To identify security vulnerabilities in Android applications, numerous static application security testing (SAST) tools have been proposed. However, it poses significant challenges to assess their overall performance on diverse vulnerability types. The task is non-trivial and poses considerable challenges. Firstly, the absence of a unified evaluation platform for defining and describing tools’ supported vulnerability types, coupled with the lack of normalization for the intricate and varied reports generated by different tools, significantly adds to the complexity. Secondly, there is a scarcity of adequate benchmarks, particularly those derived from real-world scenarios. To address these problems, we are the first to propose a unified platform named VulsTotal, supporting various vulnerability types, enabling comprehensive and versatile analysis across diverse SAST tools. Specifically, we begin by meticulously selecting 11 free and open-sourced SAST tools from a pool of 97 existing options, adhering to clearly defined criteria. After that, we invest significant efforts in comprehending the detection rules of each tool, subsequently unifying 67 general/common vulnerability types for Android SAST tools. We also redefine and implement a standardized reporting format, ensuring uniformity in presenting results across all tools. Additionally, to mitigate the problem of benchmarks, we conducted a manual analysis of huge amounts of CVEs to construct a new CVE-based benchmark based on our comprehension of Android app vulnerabilities. Leveraging the evaluation platform, which integrates both existing synthetic benchmarks and newly constructed CVE-based benchmarks from this study, we conducted a comprehensive analysis to evaluate and compare these selected tools from various perspectives, such as general vulnerability type coverage, type consistency, tool effectiveness, and time performance. Our observations yielded impressive findings, like the technical reasons underlying the performance, which provide insights for different stakeholders.

Keywords

SAST, Vulnerability, Android app

Discipline

Software Engineering

Research Areas

Intelligent Systems and Optimization

Areas of Excellence

Digital transformation

Publication

IEEE Transactions on Software Engineering

Volume

50

Issue

12

First Page

3385

Last Page

3402

ISSN

0098-5589

Identifier

10.1109/TSE.2024.3488041

Publisher

Institute of Electrical and Electronics Engineers

Citation

ZHU, Jingyun; LI, Kaixuan; CHEN, Sen; FAN, Lingling; WANG, Junjie; and XIE, Xiaofei. A comprehensive study on static application security testing (SAST) tools for Android. (2024). IEEE Transactions on Software Engineering. 50, (12), 3385-3402.
Available at: https://ink.library.smu.edu.sg/sis_research/10331

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.

Additional URL

https://doi.org/10.1109/TSE.2024.3488041