Auto-Correction for Software Developers
Fraunhofer SIT publishes vulnerability scanner for Android
CeBIT 2014: New Tools Facilitate Security by Design
Fraunhofer SIT has published a vulnerability scanner for Android, allowing app developers to find and close a frequently occurring SSL security gap automatically. The software can be downloaded free of charge at 'https://sit.sit.fraunhofer.de/eclipse/howto-ssl/' and has been developed at the European Center for Security and Privacy by Design (EC SPRIDE) in Darmstadt, which is funded by the Federal Ministry of Education and Research. The EC SPRIDE scientists develop new testing tools for both Android and Java code that use innovative analysis techniques and that can be integrated directly into development environments. The tools even allow the fast detection of errors that are usually difficult to find in programming code. Fraunhofer SIT will present the tools and procedure at the CeBIT in Hanover from March 10 until 14 at its stand in hall 9, booth E40.
Many security vulnerabilities are the result of simple programming mistakes which, due to the ever-increasing complexity of software products, are becoming harder and harder to avoid. Software frequently consists of various program parts, sometimes written by different development teams, so programmers can no longer fully comprehend the interaction of all the software components. This is why today's software enterprises use tools that test programming code automatically. Conventional vulnerability scanners that run on a developer's own computer, however, are often limited to detecting simple errors, while it is the complex errors that are hard to find and avoid. To detect such complex security vulnerabilities in programming code, software enterprises previously had to have their own code analyzed by external companies, e.g. by expensive testing services from overseas. Enterprises often receive the results with a considerable delay, and by the time an issue is reported, the developers are probably already busy with completely different things.
Therefore, Prof. Dr. Eric Bodden at Fraunhofer SIT and his team at the cyber-security center EC SPRIDE have developed an efficient analysis framework and integrated it into testing tools. These new vulnerability scanners can be run on ordinary computers, yet they are more powerful than the expensive external analysis services and find a greater number of complex errors in less time. The Darmstadt researchers' scanning tools often deliver results within milliseconds. This is possible thanks to new analysis techniques that can quickly review even complex interactions in the code. "Secure software development is just like a maze," Bodden declares, "it is very easy to take a wrong turn but very difficult to find the correct route. This is why companies use testing tools to reach their goal as quickly as possible. But conventional tools allow developers just to glance around the next corner. With our tools they can look ten corners ahead." The analysis techniques can be used with different programming languages and may be optimized for specific tasks.
The current analysis framework supports highly complex data-flow analyses. A simpler but in practice very relevant example is the now published scanner for SSL vulnerabilities. It is an Eclipse plug-in that programmers can easily install in a typical development environment. The testing tool helps app developers detect flawed implementations of the Secure Sockets Layer (SSL) protocol in Android code and can be used free of charge as open source software. The scale of the SSL problem in apps was demonstrated last year, when Fraunhofer SIT found errors in a multitude of apps, some of which posed serious risks for users.
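The press release does not say which SSL mistake the scanner looks for. As an added illustration that is not code from Fraunhofer SIT or the plug-in, the following Java snippet contrasts a commonly cited flawed pattern in Android networking code, an assumption here about the kind of "SSL security gap" a scanner would flag, with the straightforward secure alternative: the flawed version installs a TrustManager and HostnameVerifier that accept any certificate and any host name, silently disabling the checks that make SSL meaningful, while the hardened version simply relies on the platform's default trust store and hostname verification. Class and method names are hypothetical.

```java
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Hypothetical example class; illustrates one assumed class of SSL flaw, not the scanner's own rules.
public class SslUsageExample {

    // FLAWED (assumed example of what a scanner should flag): a TrustManager whose check methods
    // never throw, so every server certificate, including a forged one, is accepted.
    static final TrustManager[] TRUST_ALL = new TrustManager[] {
        new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };

    // FLAWED: a HostnameVerifier that returns true unconditionally, so a valid certificate for
    // any other host is accepted for this connection.
    static final HostnameVerifier ALLOW_ALL_HOSTS = new HostnameVerifier() {
        @Override public boolean verify(String hostname, SSLSession session) { return true; }
    };

    // Connection built with the flawed pieces above; the SSL handshake still happens, but it no
    // longer authenticates the peer, which is exactly the kind of gap static analysis can spot.
    static HttpsURLConnection openInsecure(URL url) throws IOException, GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_ALL, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(ALLOW_ALL_HOSTS);
        return conn;
    }

    // HARDENED: no custom TrustManager or HostnameVerifier at all. HttpsURLConnection then uses
    // the platform's default trust store and default hostname verification, which is what most
    // apps need; certificate chain and host name are both checked before any data is sent.
    static HttpsURLConnection openSecure(URL url) throws IOException {
        return (HttpsURLConnection) url.openConnection();
    }
}
```

For a code reviewer or a static scanner, the signals in the flawed version are structural rather than behavioural: an X509TrustManager whose checkServerTrusted body is empty, and a HostnameVerifier whose verify method returns a constant. Both can be found without running the app, which is why this class of gap lends itself to detection inside the development environment.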