There are numerous efforts focused on creating tools and techniques to detect vulnerabilities in Android apps. So, with these tools and techniques, it should be possible to secure Android apps. Is this really the case? Are these tools effective in detecting known vulnerabilities and helping app developers really secure their apps? If so, to what extent? If not, what are the shortcomings? Can app developers compare the abilities of tools and pick the best one suited for weed out vulnerabilities in their apps?
What is Rekha?
Rekha is an effort to answer the above questions in a rigorous manner. It continuously evaluates the effectiveness of Android app security analysis tools in detecting known vulnerabilities documented in Ghera repository.
We conducted the first evaluation in May 2018. In this iteration, we empirically evaluated 14 vulnerability detection tools and 5 malicious behavior detection tools against 42 benchmarks of the Ghera repository. Links to the results from this evaluation can be found below.
Artifacts and Findings
- Are Free Android App Security Analysis Tools Effective in Detecting Known Vulnerabilities?, the manuscript describing the observations from May 2018 evaluation
- Dashboard of findings from all evaluations
- Repository of artifacts and results from Ghera representativeness evaluation
- Repository of raw artifacts and results May 2018 evaluation