Mobile Standards and Analysis

The Mobile Standards and Analysis research extends CERT Secure Coding Standards and our software analysis (SCALe) research and development to mobile platforms, including Android, iOS (iPhone and iPad), and Windows Phone 8. Most of our work so far has been for the Android platform.


Mobile Standards and Analysis research began with a focus on the Android platform, because it dominates the worldwide smartphone market. Our approach includes research and development of secure coding rules and guidelines for Android apps, plus research and development of compliance-checkers with respect to secure coding rules and guidelines.

Our team is currently enhancing an Android app set analyzer that we developed. It looks for taint flows, in which data from a sensitive source can reach a sink through some dataflow. The research challenge we focus on is to develop an analysis that determines taint flow endpoints with the following (sometimes conflicting) goals in mind: precision, soundness, speed, and conservation of memory/disk space.

As part of the work on the taint flow checker, we designed and implemented a novel taint flow analyzer for sets of apps. The analysis has two phases:

  1. Given a set of applications, we determine the data flows enabled individually by each application and the conditions under which these are possible.
  2. We then build on these results to enumerate the potentially dangerous data flows enabled by the set of applications as a whole.
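
An added illustration of the two-phase idea (not DidFail's code or output format): phase-1 results are modeled as per-app (source, sink) pairs in which a sent or received intent can be an endpoint, and phase 2 links senders to receivers to enumerate flows across the app set. App names, endpoint labels, and function names are constructed for the example, and matching intents on the action string alone is a simplifying assumption.

```python
from collections import defaultdict

# Constructed phase-1 results: per-app (source, sink) pairs. "send:<action>" is
# an intent the app emits; "recv:<action>" is the condition that the app
# receives an intent with that action. All names here are made up.
PHASE1 = {
    "SendLoc":  [("src:LOCATION", "send:share.loc")],
    "Relay":    [("recv:share.loc", "send:upload")],
    "Uploader": [("recv:upload", "sink:NETWORK"),
                 ("src:DEVICE_ID", "sink:LOG")],
    "Notes":    [("recv:open.note", "sink:FILE")],
}

def phase2(phase1):
    """Enumerate sensitive-source -> sink flows enabled by the whole app set."""
    edges = defaultdict(set)      # (app, endpoint) -> reachable (app, endpoint)
    receivers = defaultdict(set)  # action -> nodes that accept that intent
    for app, flows in phase1.items():
        for src, dst in flows:
            edges[(app, src)].add((app, dst))          # intra-app flow
            if src.startswith("recv:"):
                receivers[src[5:]].add((app, src))
    # Inter-app edges. Assumption: an intent is matched on its action string only.
    for app, flows in phase1.items():
        for _, dst in flows:
            if dst.startswith("send:"):
                edges[(app, dst)] |= receivers[dst[5:]]
    findings = set()
    for start in [n for n in edges if n[1].startswith("src:")]:
        stack, seen = [start], {start}
        while stack:                                   # depth-first reachability
            node = stack.pop()
            if node[1].startswith("sink:"):
                findings.add((start, node))
            for nxt in edges.get(node, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
    return sorted(findings)

def cross_app_flows(phase1):
    """Flows whose source and sink sit in different apps."""
    return [f for f in phase2(phase1) if f[0][0] != f[1][0]]

if __name__ == "__main__":
    for (sa, s), (da, d) in phase2(PHASE1):
        print(f"{sa}:{s} -> {da}:{d}")
```

No single app in the sample moves location data to the network; the flow appears only when the three apps are analyzed as a set, and it disappears if the relaying app is removed.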

The most recent enhancements made to DidFail are described in the technical report, Making DidFail Succeed: Enhancing the CERT Static Taint Analyzer for Android App Sets. Our most recent blog post about DidFail, An Enhanced Tool for Securing Android Apps, explains how an enterprise system could incorporate DidFail into its IT systems, and describes the DidFail improvements we are currently working on. Our initial paper, Android Taint Flow Analysis for App Sets (from the SOAP 2014 workshop), describes our analysis method, implementation, and experimental results. The initial analyzer is described in extended detail in Amar Bhosale's Master's thesis, Precise Static Analysis of Taint Flow for Android Application Sets.

DidFail is freely available. Read the instructions for downloading and building all versions from the source code. The instructions also provide commands to run DidFail. Details about the information in key output files from both phases are provided on slides 31-37 of this presentation.

We are continuing to develop and improve the Android app set taint flow checker; if you are interested, please contact us for more information.

Some characteristics of the Android operating system and apps are listed below. These and many additional characteristics of this mobile platform must be considered to securely code for the platform.

  • Linux-based operating system (written in C)
  • Apps are written in Java using Android software development kit (SDK)
  • Apps may be written in C or C++ using the Android Native Development Kit (NDK)

iOS (iPhone and iPad)

We were recently awarded a grant for a new research project for iOS that will start in Fall 2014. In this research project, we have begun to extend our mobile platform work to iOS by developing additional analysis for the static analyzer associated with Clang to check for violations of a prioritized list of secure coding rules. Clang has been integrated into Apple's Xcode IDE, which is the primary tool for developing software for iOS and OS X. Catching rule violations early would prevent these errors from propagating throughout the code base and would allow developers to learn secure coding techniques while programming. New checkers will be submitted into the main trunk of Clang and integrated into Xcode (as well as any other IDEs that support Clang integration), improving software security for all developers who use Clang.

Separately from that funded project, in the future we also would like to develop more analyses against unchecked guidelines in The CERT Oracle Secure Coding Standard for Java and integrate many of these analyses into Eclipse and/or Oracle JDeveloper so that analysis results would be immediately available to Android platform developers.

We are poised to expand this research; if you are interested, please contact us for more information.

Windows Phone 8

We've proposed a new research project for Windows Phone 8 and are poised to begin if possible. In this research project, we would extend our mobile platform work to Windows 8 mobile devices, with an initial focus on secure development of Windows 8 mobile device apps in C#/XAML and JavaScript/HTML5.

The outcome of this project would be a vetted set of secure coding rules and guidelines on the CERT Secure Coding Wiki for development of Windows 8 mobile device apps in two coding standards: C#/XAML and JavaScript/HTML5. By helping developers securely develop these types of Windows Store apps, our project would increase Windows 8 smartphone security, which advances our overall goal of making mobile software more secure. Moreover, many of the secure coding standards this project would develop for the Windows smartphone platform would be useful for a wide range of Microsoft Windows 8 devices, and for the large group of additional platforms and software that use C#/XAML and JavaScript/HTML5.

Potential collaborators and others interested in Windows Phone 8 secure coding research projects are invited to contact us.

Some characteristics of the Windows Phone 8 operating system and its apps are listed below. These and many additional characteristics of this mobile platform must be considered to securely code for it.

  • Five different application models for building Windows mobile device apps, which use different language combinations:
    • JavaScript and HTML5
    • C# and Extensible Application Markup Language (XAML)
    • Microsoft Visual Basic and XAML
    • Visual C++ component extensions (C++/CX) and XAML
    • C++/CX and Microsoft DirectX
  • Microsoft .NET Framework