Vulnerability Detection in Mobile Applications Using State Machine Modeling

Author: van der Lee, Wesley (TU Delft Electrical Engineering, Mathematics and Computer Science)
Contributor: Verwer, Sicco (mentor)
Degree granting institution: Delft University of Technology
Date: 2018-01-16

Abstract
Mobile applications play a critical role in modern society. Although mobile apps are widely adopted, everyday news shows that they often contain severe security vulnerabilities. Recent work indicates that state machine learning is an effective method for vulnerability detection in software implementations. The state machine learned from a software implementation provides additional insight into its internal structure. That insight can then be used as input for a security assessment, which is usually performed by manual evaluation of the learned model.

In this thesis, we aim to extend state machine learning to improve the security of mobile applications in an automated way, solving two problems. The first is the lack of a methodology to learn state machines for mobile apps. The second is the need for an approach that detects vulnerabilities from the inferred models. To the best of our knowledge, no framework exists that automatically infers behavioral state machine models of Android applications, nor a methodology for automatic vulnerability detection on the inferred models.

We propose two solutions to these problems. For the former, we present a framework for inferring a state machine model of general Android applications, which uses active state machine learning algorithms to optimize learning time and ensure the correctness of the learned model.
For the latter, we designed algorithms that use the inferred models to determine the presence of vulnerabilities. We combine both solutions into a novel testing methodology that gains new insights into the behavior of an app and achieves the goal of vulnerability detection. The methodology identified relevant security weaknesses in numerous Android apps. Moreover, the solution can detect rogue applications such as the malicious WhatsApp version in the Play Store, which affected over a million devices in three days in November 2017.

To reference this document use: http://resolver.tudelft.nl/uuid:8699be26-b226-4c55-bf0a-fd290455cd57
Part of collection: Student theses
Document type: master thesis
Rights: © 2018 Wesley van der Lee
Files: MSc._Thesis_Wesley_van_der_Lee.pdf (PDF, 5.48 MB)
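The abstract describes a two-step pipeline: an active learning algorithm infers a behavioral state machine (a Mealy machine) of an app, and detection algorithms are then run over the inferred model, including a comparison that exposes a rogue build. The following Python is an added illustration, not code from the thesis or its framework: the learning step is not shown, and the two transition tables stand in for its output. Both models, their state names, the input alphabet (`open`, `pin`, `show`, `lock`) and the screen labels (`notes`, `denied`, ...) are constructed for a hypothetical PIN-locked notes app. The block demonstrates two checks a practitioner would run over learned models: a reachability query for a sensitive output that is produced without the authentication input ever having been sent, and a product-machine search for the shortest input sequence on which a candidate model diverges from a trusted reference model.

```python
from collections import deque


class Mealy:
    """Deterministic Mealy machine, the kind of model active learning (e.g. L*)
    produces for an app: transitions[(state, input)] = (next_state, output)."""

    def __init__(self, initial, transitions):
        self.initial = initial
        self.transitions = transitions
        self.inputs = sorted({inp for (_, inp) in transitions})

    def step(self, state, inp):
        return self.transitions[(state, inp)]

    def run(self, sequence):
        """Feed an input sequence from the initial state, return the output trace."""
        state, outputs = self.initial, []
        for inp in sequence:
            state, out = self.step(state, inp)
            outputs.append(out)
        return outputs


def find_auth_bypass(m, sensitive_output, auth_input):
    """Return the shortest input sequence that makes the app emit
    sensitive_output although auth_input was never sent, or None.
    BFS over (state, authenticated) pairs, so the check is linear in the model."""
    start = (m.initial, False)
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        (state, authed), path = queue.popleft()
        for inp in m.inputs:
            nxt, out = m.step(state, inp)
            nxt_authed = authed or inp == auth_input
            if out == sensitive_output and not nxt_authed:
                return path + [inp]
            key = (nxt, nxt_authed)
            if key not in seen:
                seen.add(key)
                queue.append((key, path + [inp]))
    return None


def distinguishing_sequence(reference, candidate):
    """Return the shortest input sequence on which two learned models produce
    different outputs (BFS over the product machine), or None if equivalent.
    Comparing a build against a trusted reference model is one way a modified
    or rogue version of an app shows up as a behavioral difference."""
    for inp in reference.inputs:  # both models must share one input alphabet
        assert inp in candidate.inputs, f"candidate lacks input {inp!r}"
    start = (reference.initial, candidate.initial)
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        (s1, s2), path = queue.popleft()
        for inp in reference.inputs:
            n1, o1 = reference.step(s1, inp)
            n2, o2 = candidate.step(s2, inp)
            if o1 != o2:
                return path + [inp]
            if (n1, n2) not in seen:
                seen.add((n1, n2))
                queue.append(((n1, n2), path + [inp]))
    return None


# Constructed sample models (hypothetical PIN-locked notes app, not learned
# from any real app). Inputs are UI actions, outputs are the observed screen.
REFERENCE = Mealy("locked", {
    ("locked", "open"): ("locked", "pin_prompt"),
    ("locked", "pin"): ("unlocked", "ok"),
    ("locked", "show"): ("locked", "denied"),
    ("locked", "lock"): ("locked", "noop"),
    ("unlocked", "open"): ("unlocked", "home"),
    ("unlocked", "pin"): ("unlocked", "ok"),
    ("unlocked", "show"): ("unlocked", "notes"),
    ("unlocked", "lock"): ("locked", "locked"),
})

# Same app with one transition changed: "show" on the lock screen leaks notes.
FLAWED = Mealy("locked", {**REFERENCE.transitions,
                          ("locked", "show"): ("unlocked", "notes")})

if __name__ == "__main__":
    print("reference bypass:", find_auth_bypass(REFERENCE, "notes", "pin"))
    print("flawed bypass:   ", find_auth_bypass(FLAWED, "notes", "pin"))
    print("diff sequence:   ", distinguishing_sequence(REFERENCE, FLAWED))
    print("flawed trace:    ", FLAWED.run(["show", "lock", "show"]))
```

The bypass query returns `None` for the reference model and `["show"]` for the flawed one, and the model diff returns the same one-input witness; in practice the witness sequence is replayed against the real app to confirm the finding, since an inferred model is only as complete as the equivalence queries that produced it.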