Undergraduate SE students impress conference with research into Android app vulnerabilities

By Fran Broderick

Three Golisano College software engineering students were recently awarded 1st prize in the poster session at the Rochester Institute of Electrical and Electronics Engineers (IEEE) Joint Chapters Meeting. The students, Adam Blaine ’15, Casey Klimkowsky ’15, and Shannon Trudeau ’15, presented “Evolution of Android Applications,” which explores questions such as “How does the ‘permissions gap’ evolve over time?” and “How do vulnerabilities evolve over time, and what are some of their root causes?”

“The project involves the initial collection of approximately 10,000 Android applications, with a collecting mechanism automatically downloading new applications and versions as they are made available from a variety of Android application sources, including Google Play,” explained faculty advisor and Golisano College lecturer Daniel Krutz. The team’s data set will ultimately be posted online for others to explore in an effort to gain a better understanding of threats to Android devices. The students, who are all undergraduates, were competing against twenty other posters, mostly from Ph.D. students, making their victory all the more impressive.

Team member Shannon Trudeau explained, “Winning was so awesome! We totally weren't expecting it at all, and it was really great to see that other people saw the value of our work. We are passionate about the project, and ecstatic that other people think it is interesting and beneficial as well.” Trudeau described the “permissions gap” as a gap between the permissions an app needs and the permissions an app asks for. Many apps ask for blanket permissions rather than specifying necessary permissions, and the team felt these excess permissions could present security risks.

“Personally, I find the difference between the iOS and Android permissions models interesting, and I am curious whether overprivileged applications are at a higher risk for security issues,” said Klimkowsky.

The team will continue their work through the end of the semester; however, Krutz feels the impact of their research can reverberate long after semester’s end: “This is a great group of students who have worked very hard to learn about mobile development and the research process. They have laid substantial groundwork for future research in mobile computing in a variety of areas including vulnerability analysis, malware detection and defect analysis.”