Fadi Mohsen

2 Papers

CR, Jun 8, 2022
To remove or not remove Mobile Apps? A data-driven predictive model approach

Fadi Mohsen, Dimka Karastoyanova, George Azzopardi

Mobile app stores are the key distributors of mobile applications. They regularly apply vetting processes to the deployed apps. Yet, some of these vetting processes might be inadequate or applied late. The late removal of applications might have unpleasant consequences for developers and users alike. Thus, in this work we propose a data-driven predictive approach that determines whether the respective app will be removed or accepted. It also indicates the relevance of the features, which helps stakeholders with interpretation. In turn, our approach can support developers in improving their apps and users in downloading the ones that are less likely to be removed. We focus on the Google App store and we compile a new data set of 870,515 applications, 56% of which have actually been removed from the market. Our proposed approach is a bootstrap aggregating of multiple XGBoost machine learning classifiers. We propose two models: user-centered using 47 features, and developer-centered using 37 features, the ones only available before deployment. We achieve the following Areas Under the ROC Curves (AUCs) on the test set: user-centered = 0.792, developer-centered = 0.762.

CR, May 20, 2021
KotlinDetector: Towards Understanding the Implications of Using Kotlin in Android Applications

Fadi Mohsen, Loran Oosterhaven, Fatih Turkmen

The Java programming language has long been used to develop native Android mobile applications. In the last few years many companies and freelancers have switched to using Kotlin partially or entirely. As such, many projects are released as binaries and employ a mix of Java and Kotlin language constructs. Yet, the true security and privacy implications of this shift have not been thoroughly studied. In this work, a state-of-the-art tool, KotlinDetector, is developed to directly extract any Kotlin presence, percentages, and numerous language features from Android Application Packages (APKs) by performing heuristic pattern scanning and invocation tracing. Our evaluation study shows that the tool is considerably efficient and accurate. We further provide a use case in which the output of KotlinDetector is combined with the output of an existing vulnerability scanner tool called AndroBugs to infer any security and/or privacy implications.