AndroVul: a repository for Android security vulnerabilities

Proceedings of the 29th Annual International Conference on Computer Science and Software Engineering (2019)

Abstract
Security issues in mobile apps are increasingly relevant as this software has become part of daily life for billions. As the dominant OS, Android is a primary target for ill-intentioned programmers willing to exploit vulnerabilities and spread malware. Significant research has been devoted to the identification of such malware. The current paper aims to contribute to that research effort, with a focus on providing an additional benchmark of Android vulnerabilities to be used in the detection of malware. Our proposal is AndroVul, a repository for Android security vulnerabilities, including dangerous permissions, security code smells and dangerous shell commands. Our work builds on AndroZoo, a well-known Android app dataset, and proposes data on vulnerabilities for a representative sample of about 16,000 Android apps. Moreover, we briefly describe and make available the scripts we wrote to automate the extraction of security vulnerabilities, given a list of apps; this allows any researcher to readily recreate a custom repository built from his or her apps of interest. Finally, we propose preliminary findings on the effectiveness of the vulnerability metrics present in our dataset, with respect to the detection of malicious apps. Our results show that the collected metrics, as input to even basic classifiers, are enough to achieve competitive results with respect to some recent malware detection works. Overall, AndroVul, with its scripts and datasets, is intended as a starting package for mobile security researchers interested in jump-starting their investigations.
Keywords
mobile computing, mobile security, reverse engineering, static analysis