January 8, 2019
K-State computer science team cited by Android Security Awards Program
A team of computer science graduate students at Kansas State University, led by assistant professor Venkatesh-Prasad Ranganath in the Secure-It-I research group, has identified a high-severity bug in the Android system. As a result, the group has been awarded $2,500 from the Android Security Awards Program.
With increasing interest in app security as well as overall security in software engineering, Joydeep Mitra, doctoral student, wanted to devise a methodology to build secure mobile apps by identifying security vulnerabilities that could be prevented by such a methodology.
In summer 2017, under the direction of Ranganath, Mitra created Ghera, an open repository of benchmarks that capture known Android app vulnerabilities. Starting from an initial set of 25 benchmarks, with contributions from fellow graduate students Aditya Narkar and Nasik Nafi, and computer science alumna Catherine Mansfield, Ghera has grown to catalog 55 known Android app vulnerabilities.
In creating one of the benchmarks, Mitra found that a feature of the Android framework, which caused a known vulnerability, was also used by a core Android component incorporated by many apps to provide access to data. The Ghera team decided to report this issue to the Android Security Team for further examination.
After examining the report, the Android Security Team acknowledged it as a high-severity bug. The team from K-State participated in a coordinated disclosure with the Android team. Approximately 90 days after the issue had been reported, the Android Security Team released a fix for the issue and presented the K-State research group with a monetary reward.
"While we were glad to have made Android a little more secure and to have received the monetary reward, we were really happy to see Ghera having a small and unexpected, yet important, impact," Ranganath said.
"This was our first time to report a security issue to Android as well as participate in a coordinated disclosure, thus affording us firsthand experience in how these activities transpire in the real world. In short, it was a great learning experience on many fronts."