Αυτοματοποιημένος έλεγχος ασφαλείας του Android API μέσω fuzzing
Automated security testing of Android API using fuzzing
Today, the vast evolution of the technology of smart devices and their operating systems is offering enormous potential for the development of the emerging industry producing applications appropriate for such devices. At the same time, the mobile operating systems become more and more exposed to the danger of malware. The Application Programming Interface provided by Google’s Android operating system to software developers undergoes often upgrades and evolves, offering multiple capabilities regarding the exploitation of the device resources. This, in conjunction with the fact that many Android devices are affordable in general, has caused the Android application development market to take off, giving a boost to malicious applications’ evolution too. The permissions system that Android operating system utilizes in order to give third party applications access to user’s sensitive data and vital systems resources of the device, is one of the fundamental security measures of this system. Since October of 2015 it has been upgraded so that the device’s end user has more visibility over that access, by granting the permissions at the point of the actual usage of the respective feature by the applications, instead of once at installation time. However, not all potential security dangers have been eliminated by this enhancement. Moreover, the further usage of the Android API by the application programmers poses new risks, and the platform should be designed to enforce its own proper use. For this reason, in order to protect users, Google for Android uses automated ways for the daily evaluation of hundreds of thousands of applications, regarding their ability to potentially harm the devices. Under the context of this work, the fuzzing test tool XenonAutomated was developed and used for an extended security check of possible ‘extreme’ or ‘bad’ usage of the Android API levels from 21 to 28. The results of this test work are presented hereby.