SEBASTiAn: a Static and Extensible Black-box Application Security Testing tool for iOS and Android applications
- Francesco Pagano,
- Andrea Romdhana,
- Davide Caputo,
- Luca Verderame,
- Alessio Merlo
Abstract
Despite decades of research, the automatic detection of vulnerabilities
in mobile apps remains an open challenge. Among the possible solutions,
SAST tools uncover security flaws in source or compiled code without
needing the app to be executed and tested in a controlled environment.
However, SAST tools share several limitations, such as detecting only a
narrow set of vulnerability classes, a lack of updates, and limited
resilience to obfuscation techniques. This paper presents SEBASTiAn, a
black-box automatic static analysis tool for the security vetting of
Android and iOS apps. It relies on a modular approach to cope with new
vulnerabilities.