AndroScanner: Automated Backend Vulnerability Detection for Android Applications
Provides a practical tool for Android developers to identify backend security risks before deployment, addressing a gap in automated vulnerability detection for mobile backends.
AndroScanner is an automated pipeline that detects backend vulnerabilities in Android apps via static and dynamic analysis. It found 5 vulnerabilities across 2 apps, including a zero-day Excessive Data Exposure in a production app with 50k+ downloads.
Mobile applications rely on complex backends that introduce significant security risks, yet developers often lack the tools to assess these risks effectively. This paper presents AndroScanner, an automated pipeline for detecting vulnerabilities in Android application backends through combined static and dynamic analysis. AndroScanner extracts backend API calls from APK files using apktool, Androguard, and Frida-based dynamic instrumentation, then vets them against the OWASP API Security Top 10 using APIFuzzer. We evaluate AndroScanner on two Android applications: a purposely vulnerable bank application and a production recruitment application with over 50,000 downloads on Google Play Store. Across both applications, AndroScanner extracted 24 APIs and identified 5 vulnerabilities, including a previously unreported zero-day Excessive Data Exposure vulnerability (ranked 3rd in the OWASP API Security Top 10) in the production application. The vulnerability was responsibly disclosed to the development team prior to publication. AndroScanner is available upon request to assist developers in identifying and remediating backend security risks before deployment.