Where Are We Looking for Security Concerns? Understanding Android Security Static Analysis

Static analysis is a traditional technique for software transformation and type analysis. Recently, static analysis has become a technique to identify cyber security vulnerabilities and malware. Specifically, static analysis has been extended into the mobile-computing arena for security-related analyses. This research examines many top security papers that are published in major conferences, journals and technical reports, and characterizes the current research characterize static analysis research. The papers identified in this paper were selected based their high citings by top research or because they introduced either a novel analysis technique or a novel security issue analysis. This research systematically constructs a static analysis landscape by charting and characterizing analysis strengths and limitations in both accuracy and security threats. The findings are reported online at www.technologyinthepark.com. This research has identified two types of static analysis motivations which affect the soundness of an analysis methodology: techniques for analyzing software for vulnerabilities and techniques used to examine applications for malware. Building on earlier research, for completeness and to aid the community by providing a coverage map, this research has connected technique motivations found to Mitre's attack taxonomy, Mitre's vulnerability taxonomy as well as the National Institute of Standards and Technology's (NIST's) Bugs Framework (BF) taxonomy. The findings include identifying vulnerabilities which are not being systematically researched.