Skip to content

Latest commit

 

History

History
120 lines (81 loc) · 3.49 KB

README.md

File metadata and controls

120 lines (81 loc) · 3.49 KB
Raw

Static Code Analyzer for Android Vulnerabilities

This project provides a comprehensive static analysis framework for detecting common vulnerabilities in Android code (Java, Kotlin, and Flutter/Dart). It uses machine learning models fine-tuned on CodeBERT to detect security issues, suggest fixes, and classify the severity of the vulnerabilities.

Features

  • Vulnerability Detection: Detects ten key types of vulnerabilities:
    • Hardcoded Credentials
    • Insecure Data Storage
    • SQL Injection
    • Insecure Random
    • Insecure File Permissions
    • Memory Leaks
    • Lack of Data Obfuscation
    • Lack of Hashing
    • Rooted Device Access
    • No Vulnerability
  • Severity Scoring: Classifies the severity of the detected vulnerabilities into:
    • Safe
    • Low
    • Medium
    • High
  • Fix Suggestions: Provides automatic suggestions to fix the identified vulnerabilities.

Why Choose Us?

Unlike traditional static analysis tools like SonarQube, MobSF, Android Lint, and Snyk, our CodeBERT-based approach offers significant advantages. It leverages machine learning to go beyond rule-based systems, providing context-aware analysis, reducing false positives, and offering customized, accurate fix suggestions.

To learn more about how our approach compares to existing tools and why it provides a better solution for Android security, see the detailed Why Choose Us? file.

Setup

Prerequisites

  • Python 3.11 or later
  • Docker (if deploying with Docker)

Install Dependencies

You can install the required dependencies by running the following command:

pip install -r requirements.txt

Alternatively, you can use the provided Docker setup for easy deployment.

Docker Setup

To run the application using Docker, follow these steps:

  1. Build the Docker image:

    docker build -t static-analyzer .

  2. Run the Docker container:

    docker run -p 8000:8000 static-analyzer

  3. The FastAPI server will start on http://0.0.0.0:8000.

API Usage

The FastAPI server exposes a POST endpoint to analyze Java code for vulnerabilities.

POST /analyze

  • Input: JSON object containing the Java code to analyze.
  • Output: JSON response with the predicted vulnerability, severity score, and fix suggestion.

Example input:

{
  "code": "public class Sample { ... }"
}

Example response:

{
  "vulnerability": "insecure_file_permissions",
  "line_number": 10,
  "line_content": "File file = new File(\"sensitive_data.txt\");",
  "severity": "Medium",
  "fix": "Restrict file permissions to only those who require access."
}

Testing with Postman

You can test the API with Postman by sending a POST request to the following URL:

http://localhost:8000/analyze
  • Request Body: Raw JSON with the key "code" and the Java code to analyze as the value.

Models

The models are hosted on Hugging Face under the repository BhardwajArjit/static_analyzer_models, and include:

  • Severity Scoring Model: Used to classify the severity of vulnerabilities.
  • Fix Suggestions Model: Provides automated suggestions for resolving vulnerabilities.
  • Vulnerability Detection Model: Detects different types of vulnerabilities in the code.

Known Limitations

  • Fix suggestions are currently generalized.
  • Analysis of Proguard and Gradle files has not been implemented.

License

This project is licensed under the MIT License. See the LICENSE file for details.