---
_id: '63834'
abstract:
- lang: eng
  text: "Many Android apps collect data from users, and the European Union’s General
    Data Protection Regulation (GDPR) mandates clear disclosures of such data collection.
    However, apps often use third-party code, complicating accurate disclosures. This
    paper investigates how accurately current Android apps fulfill these requirements.
    In this work, we present a multi-layered definition of privacy-related data to
    correctly report data collection in Android apps. We further create a dataset of
    privacy-sensitive data classes that may be used as input by an Android app. This
    dataset takes into account data collected both through the user interface and
    system APIs. Based on this, we implement a semi-automated prototype that detects
    and labels privacy-related data collected by a given Android app. We manually
    examine the data safety sections of 70 Android apps to observe how data collection
    is reported, identifying instances of over- and under-reporting. We compare our
    prototype’s results with the data safety sections of 20 apps, revealing reporting
    discrepancies. Using the results from two Messaging and Social Media apps (Signal
    and Instagram), we discuss how app developers under-report and over-report data
    collection, respectively, and identify inaccurately reported data categories. A
    broader study of 7,500 Android apps reveals that apps most frequently collect data
    that can partially identify users. Although system APIs consistently collect large
    amounts of privacy-related data, user interfaces exhibit some more diverse data
    collection patterns. A more focused study on various domains of apps reveals that
    the largest fraction of apps collecting personal data belong to the domain of
    Messaging and Social Media. Our findings show that location is collected frequently
    by apps, especially from the E-commerce and Shopping domain. However, it is often
    under-reported in app data safety sections. Our results highlight the need for
    greater consistency in privacy-aware app development and reporting practices."
article_number: '45'
author:
- first_name: Mugdha
  full_name: Khedkar, Mugdha
  id: '88024'
  last_name: Khedkar
- first_name: Ambuj
  full_name: Kumar Mondal, Ambuj
  last_name: Kumar Mondal
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: Khedkar M, Kumar Mondal A, Bodden E. A study of privacy-related data collected
    by Android apps. <i>Automated Software Engineering</i>. 2026;33(2). doi:<a href="https://doi.org/10.1007/s10515-025-00589-3">10.1007/s10515-025-00589-3</a>
  apa: Khedkar, M., Kumar Mondal, A., &#38; Bodden, E. (2026). A study of privacy-related
    data collected by Android apps. <i>Automated Software Engineering</i>, <i>33</i>(2),
    Article 45. <a href="https://doi.org/10.1007/s10515-025-00589-3">https://doi.org/10.1007/s10515-025-00589-3</a>
  bibtex: '@article{Khedkar_Kumar Mondal_Bodden_2026, title={A study of privacy-related
    data collected by Android apps}, volume={33}, DOI={<a href="https://doi.org/10.1007/s10515-025-00589-3">10.1007/s10515-025-00589-3</a>},
    number={2}, journal={Automated Software Engineering}, publisher={Springer Science
    and Business Media LLC}, author={Khedkar, Mugdha and Kumar Mondal, Ambuj and Bodden,
    Eric}, year={2026} }'
  chicago: Khedkar, Mugdha, Ambuj Kumar Mondal, and Eric Bodden. “A Study of Privacy-Related
    Data Collected by Android Apps.” <i>Automated Software Engineering</i> 33, no.
    2 (2026). <a href="https://doi.org/10.1007/s10515-025-00589-3">https://doi.org/10.1007/s10515-025-00589-3</a>.
  ieee: 'M. Khedkar, A. Kumar Mondal, and E. Bodden, “A study of privacy-related data
    collected by Android apps,” <i>Automated Software Engineering</i>, vol. 33, no.
    2, Art. no. 45, 2026, doi: <a href="https://doi.org/10.1007/s10515-025-00589-3">10.1007/s10515-025-00589-3</a>.'
  mla: Khedkar, Mugdha, et al. “A Study of Privacy-Related Data Collected by Android
    Apps.” <i>Automated Software Engineering</i>, vol. 33, no. 2, 45, Springer Science
    and Business Media LLC, 2026, doi:<a href="https://doi.org/10.1007/s10515-025-00589-3">10.1007/s10515-025-00589-3</a>.
  short: M. Khedkar, A. Kumar Mondal, E. Bodden, Automated Software Engineering 33
    (2026).
date_created: 2026-02-02T12:36:22Z
date_updated: 2026-02-11T18:33:12Z
ddc:
- '006'
department:
- _id: '76'
doi: 10.1007/s10515-025-00589-3
file:
- access_level: closed
  content_type: application/pdf
  creator: khedkarm
  date_created: 2026-02-11T18:32:52Z
  date_updated: 2026-02-11T18:32:52Z
  file_id: '64127'
  file_name: s10515-025-00589-3-1.pdf
  file_size: 3363479
  relation: main_file
  success: 1
file_date_updated: 2026-02-11T18:32:52Z
has_accepted_license: '1'
intvolume: '        33'
issue: '2'
language:
- iso: eng
publication: Automated Software Engineering
publication_identifier:
  issn:
  - 0928-8910
  - 1573-7535
publication_status: published
publisher: Springer Science and Business Media LLC
status: public
title: A study of privacy-related data collected by Android apps
type: journal_article
user_id: '88024'
volume: 33
year: '2026'
...
---
_id: '64823'
abstract:
- lang: eng
  text: "Current legal frameworks enforce that Android developers accurately report
    the data their apps collect. However, large codebases can make this reporting
    challenging. This paper employs an empirical approach to understand developers'
    experience with Google Play Store's Data Safety Section (DSS) form.\n\nWe
    first survey 41 Android developers to understand how they categorize privacy-related
    data into DSS categories and how confident they feel when completing the DSS form.
    To gain a broader and more detailed view of the challenges developers encounter
    during the process, we complement the survey with an analysis of 172 online developer
    discussions, capturing the perspectives of 642 additional developers. Together,
    these two data sources represent insights from 683 developers.\n\nOur findings
    reveal that developers often manually classify the privacy-related data their
    apps collect into the data categories defined by Google (or, in some cases, omit
    classification entirely) and rely heavily on existing online resources when completing
    the form. Moreover, developers are generally confident in recognizing the data
    their apps collect, yet they lack confidence in translating this knowledge into
    DSS-compliant disclosures. Key challenges include issues in identifying privacy-relevant
    data to complete the form, limited understanding of the form, and concerns about
    app rejection due to discrepancies with Google's privacy requirements.\n\nThese
    results underscore the need for clearer guidance and more accessible tooling to
    support developers in meeting privacy-aware reporting obligations."
author:
- first_name: Mugdha
  full_name: Khedkar, Mugdha
  id: '88024'
  last_name: Khedkar
- first_name: Michael
  full_name: Schlichtig, Michael
  id: '32312'
  last_name: Schlichtig
  orcid: 0000-0001-6600-6171
- first_name: Mohamed Aboubakr Mohamed
  full_name: Soliman, Mohamed Aboubakr Mohamed
  id: '102489'
  last_name: Soliman
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: 'Khedkar M, Schlichtig M, Soliman MAM, Bodden E. Challenges in Android Data
    Disclosure: An Empirical Study. In: <i>Proceedings of the IEEE/ACM 13th International
    Conference on Mobile Software Engineering and Systems (MOBILESoft ’26). Association
    for Computing Machinery, New York, NY, USA, 65–68.</i> ; 2026.'
  apa: 'Khedkar, M., Schlichtig, M., Soliman, M. A. M., &#38; Bodden, E. (2026). Challenges
    in Android Data Disclosure: An Empirical Study. <i>Proceedings of the IEEE/ACM
    13th International Conference on Mobile Software Engineering and Systems (MOBILESoft
    ’26). Association for Computing Machinery, New York, NY, USA, 65–68.</i> 13th
    International Conference on Mobile Software Engineering and Systems 2026, Rio
    de Janeiro, Brazil.'
  bibtex: '@inproceedings{Khedkar_Schlichtig_Soliman_Bodden_2026, title={Challenges
    in Android Data Disclosure: An Empirical Study}, booktitle={Proceedings of the
    IEEE/ACM 13th International Conference on Mobile Software Engineering and Systems
    (MOBILESoft ’26). Association for Computing Machinery, New York, NY, USA, 65–68.},
    author={Khedkar, Mugdha and Schlichtig, Michael and Soliman, Mohamed Aboubakr
    Mohamed and Bodden, Eric}, year={2026} }'
  chicago: 'Khedkar, Mugdha, Michael Schlichtig, Mohamed Aboubakr Mohamed Soliman,
    and Eric Bodden. “Challenges in Android Data Disclosure: An Empirical Study.”
    In <i>Proceedings of the IEEE/ACM 13th International Conference on Mobile Software
    Engineering and Systems (MOBILESoft ’26). Association for Computing Machinery,
    New York, NY, USA, 65–68.</i>, 2026.'
  ieee: 'M. Khedkar, M. Schlichtig, M. A. M. Soliman, and E. Bodden, “Challenges in
    Android Data Disclosure: An Empirical Study,” presented at the 13th International
    Conference on Mobile Software Engineering and Systems 2026, Rio de Janeiro, Brazil,
    2026.'
  mla: 'Khedkar, Mugdha, et al. “Challenges in Android Data Disclosure: An Empirical
    Study.” <i>Proceedings of the IEEE/ACM 13th International Conference on Mobile
    Software Engineering and Systems (MOBILESoft ’26). Association for Computing Machinery,
    New York, NY, USA, 65–68.</i>, 2026.'
  short: 'M. Khedkar, M. Schlichtig, M.A.M. Soliman, E. Bodden, in: Proceedings of
    the IEEE/ACM 13th International Conference on Mobile Software Engineering and
    Systems (MOBILESoft ’26). Association for Computing Machinery, New York, NY, USA,
    65–68., 2026.'
conference:
  end_date: 2026-04-18
  location: Rio de Janeiro, Brazil
  name: 13th International Conference on Mobile Software Engineering and Systems 2026
  start_date: 2026-04-12
date_created: 2026-03-04T08:10:43Z
date_updated: 2026-03-13T12:10:10Z
department:
- _id: '76'
external_id:
  arxiv:
  - '2601.20459'
keyword:
- static analysis
- data collection
- data protection
- privacy-aware reporting
language:
- iso: eng
publication: Proceedings of the IEEE/ACM 13th International Conference on Mobile Software
  Engineering and Systems (MOBILESoft '26). Association for Computing Machinery, New
  York, NY, USA, 65–68.
status: public
title: 'Challenges in Android Data Disclosure: An Empirical Study'
type: conference
user_id: '88024'
year: '2026'
...
---
_id: '64821'
article_number: '56'
author:
- first_name: Mugdha
  full_name: Khedkar, Mugdha
  id: '88024'
  last_name: Khedkar
- first_name: Michael
  full_name: Schlichtig, Michael
  id: '32312'
  last_name: Schlichtig
  orcid: 0000-0001-6600-6171
- first_name: Nihad
  full_name: Atakishiyev, Nihad
  last_name: Atakishiyev
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: 'Khedkar M, Schlichtig M, Atakishiyev N, Bodden E. Between Law and Code: Challenges
    and Opportunities for Automating Privacy Assessments. <i>Automated Software Engineering</i>.
    2026;33(2). doi:<a href="https://doi.org/10.1007/s10515-026-00601-4">10.1007/s10515-026-00601-4</a>'
  apa: 'Khedkar, M., Schlichtig, M., Atakishiyev, N., &#38; Bodden, E. (2026). Between
    Law and Code: Challenges and Opportunities for Automating Privacy Assessments.
    <i>Automated Software Engineering</i>, <i>33</i>(2), Article 56. <a href="https://doi.org/10.1007/s10515-026-00601-4">https://doi.org/10.1007/s10515-026-00601-4</a>'
  bibtex: '@article{Khedkar_Schlichtig_Atakishiyev_Bodden_2026, title={Between Law
    and Code: Challenges and Opportunities for Automating Privacy Assessments}, volume={33},
    DOI={<a href="https://doi.org/10.1007/s10515-026-00601-4">10.1007/s10515-026-00601-4</a>},
    number={2}, journal={Automated Software Engineering}, publisher={Springer US},
    author={Khedkar, Mugdha and Schlichtig, Michael and Atakishiyev, Nihad and Bodden,
    Eric}, year={2026} }'
  chicago: 'Khedkar, Mugdha, Michael Schlichtig, Nihad Atakishiyev, and Eric Bodden.
    “Between Law and Code: Challenges and Opportunities for Automating Privacy Assessments.”
    <i>Automated Software Engineering</i> 33, no. 2 (2026). <a href="https://doi.org/10.1007/s10515-026-00601-4">https://doi.org/10.1007/s10515-026-00601-4</a>.'
  ieee: 'M. Khedkar, M. Schlichtig, N. Atakishiyev, and E. Bodden, “Between Law and
    Code: Challenges and Opportunities for Automating Privacy Assessments,” <i>Automated
    Software Engineering</i>, vol. 33, no. 2, Art. no. 56, 2026, doi: <a href="https://doi.org/10.1007/s10515-026-00601-4">10.1007/s10515-026-00601-4</a>.'
  mla: 'Khedkar, Mugdha, et al. “Between Law and Code: Challenges and Opportunities
    for Automating Privacy Assessments.” <i>Automated Software Engineering</i>, vol.
    33, no. 2, 56, Springer US, 2026, doi:<a href="https://doi.org/10.1007/s10515-026-00601-4">10.1007/s10515-026-00601-4</a>.'
  short: M. Khedkar, M. Schlichtig, N. Atakishiyev, E. Bodden, Automated Software
    Engineering 33 (2026).
date_created: 2026-03-04T08:03:14Z
date_updated: 2026-03-13T12:10:38Z
department:
- _id: '76'
doi: 10.1007/s10515-026-00601-4
intvolume: '        33'
issue: '2'
language:
- iso: eng
publication: Automated Software Engineering
publication_identifier:
  issn:
  - 1573-7535
publisher: Springer US
status: public
title: 'Between Law and Code: Challenges and Opportunities for Automating Privacy
  Assessments'
type: journal_article
user_id: '88024'
volume: 33
year: '2026'
...
---
_id: '64909'
author:
- first_name: Mugdha
  full_name: Khedkar, Mugdha
  id: '88024'
  last_name: Khedkar
- first_name: Michael
  full_name: Schlichtig, Michael
  id: '32312'
  last_name: Schlichtig
  orcid: 0000-0001-6600-6171
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: 'Khedkar M, Schlichtig M, Bodden E. Source Code-Driven GDPR Documentation:
    Supporting RoPA with Assessor View. In: <i>IEEE International Conference on Software
    Analysis, Evolution and Reengineering (SANER 2026)</i>. ; 2026.'
  apa: 'Khedkar, M., Schlichtig, M., &#38; Bodden, E. (2026). Source Code-Driven GDPR
    Documentation: Supporting RoPA with Assessor View. <i>IEEE International Conference
    on Software Analysis, Evolution and Reengineering (SANER 2026)</i>.'
  bibtex: '@inproceedings{Khedkar_Schlichtig_Bodden_2026, title={Source Code-Driven
    GDPR Documentation: Supporting RoPA with Assessor View}, booktitle={IEEE International
    Conference on Software Analysis, Evolution and Reengineering (SANER 2026)}, author={Khedkar,
    Mugdha and Schlichtig, Michael and Bodden, Eric}, year={2026} }'
  chicago: 'Khedkar, Mugdha, Michael Schlichtig, and Eric Bodden. “Source Code-Driven
    GDPR Documentation: Supporting RoPA with Assessor View.” In <i>IEEE International
    Conference on Software Analysis, Evolution and Reengineering (SANER 2026)</i>,
    2026.'
  ieee: 'M. Khedkar, M. Schlichtig, and E. Bodden, “Source Code-Driven GDPR Documentation:
    Supporting RoPA with Assessor View,” 2026.'
  mla: 'Khedkar, Mugdha, et al. “Source Code-Driven GDPR Documentation: Supporting
    RoPA with Assessor View.” <i>IEEE International Conference on Software Analysis,
    Evolution and Reengineering (SANER 2026)</i>, 2026.'
  short: 'M. Khedkar, M. Schlichtig, E. Bodden, in: IEEE International Conference
    on Software Analysis, Evolution and Reengineering (SANER 2026), 2026.'
date_created: 2026-03-13T12:16:09Z
date_updated: 2026-03-13T12:17:01Z
department:
- _id: '76'
language:
- iso: eng
main_file_link:
- url: https://mugdhak30.github.io/assets/Preprints/RoPA_SANER2026.pdf
publication: IEEE International Conference on Software Analysis, Evolution and Reengineering
  (SANER 2026)
status: public
title: 'Source Code-Driven GDPR Documentation: Supporting RoPA with Assessor View'
type: conference
user_id: '88024'
year: '2026'
...
---
_id: '65017'
abstract:
- lang: eng
  text: Static Application Security Testing (SAST) tools play a vital role in modern
    software development by automatically detecting potential vulnerabilities in source
    code. However, their effectiveness is often limited by a high rate of false positives,
    which wastes developers' effort and undermines trust in automated analysis. This
    work presents a Graph Convolutional Network (GCN) model designed to predict whether
    SAST reports are true or false positives. The model leverages Code Property Graphs
    (CPGs) constructed from static analysis results to capture both structural and semantic
    relationships within code. Trained on the CamBenchCAP dataset, the model achieved
    an accuracy of 100% on the test set using an 80/20 train-test split. Evaluation
    on the CryptoAPI-Bench benchmark further demonstrated the model's practical applicability,
    reaching an overall accuracy of up to 96.6%. A detailed qualitative inspection
    revealed that many cases marked as misclassifications corresponded to genuine
    security weaknesses, indicating that the model effectively reflects conservative,
    security-aware reasoning. Identified limitations include incomplete control-flow
    representation due to missing interprocedural connections. Future work will focus
    on integrating call graphs, applying graph explainability techniques, and extending
    training data across multiple SAST tools to improve generalization and interpretability.
author:
- first_name: Tom
  full_name: Ohlmer, Tom
  last_name: Ohlmer
- first_name: Michael
  full_name: Schlichtig, Michael
  id: '32312'
  last_name: Schlichtig
  orcid: 0000-0001-6600-6171
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: Ohlmer T, Schlichtig M, Bodden E. FP-Predictor - False Positive Prediction
    for Static Analysis Reports. <i>arXiv:260310558</i>. Published online 2026.
  apa: Ohlmer, T., Schlichtig, M., &#38; Bodden, E. (2026). FP-Predictor - False Positive
    Prediction for Static Analysis Reports. In <i>arXiv:2603.10558</i>.
  bibtex: '@article{Ohlmer_Schlichtig_Bodden_2026, title={FP-Predictor - False Positive
    Prediction for Static Analysis Reports}, journal={arXiv:2603.10558}, author={Ohlmer,
    Tom and Schlichtig, Michael and Bodden, Eric}, year={2026} }'
  chicago: Ohlmer, Tom, Michael Schlichtig, and Eric Bodden. “FP-Predictor - False
    Positive Prediction for Static Analysis Reports.” <i>ArXiv:2603.10558</i>, 2026.
  ieee: T. Ohlmer, M. Schlichtig, and E. Bodden, “FP-Predictor - False Positive Prediction
    for Static Analysis Reports,” <i>arXiv:2603.10558</i>. 2026.
  mla: Ohlmer, Tom, et al. “FP-Predictor - False Positive Prediction for Static Analysis
    Reports.” <i>ArXiv:2603.10558</i>, 2026.
  short: T. Ohlmer, M. Schlichtig, E. Bodden, ArXiv:2603.10558 (2026).
date_created: 2026-03-16T17:38:33Z
date_updated: 2026-03-16T17:40:31Z
department:
- _id: '76'
external_id:
  arxiv:
  - '2603.10558'
language:
- iso: eng
publication: arXiv:2603.10558
status: public
title: FP-Predictor - False Positive Prediction for Static Analysis Reports
type: preprint
user_id: '32312'
year: '2026'
...
---
_id: '65030'
author:
- first_name: Luis
  full_name: Amaral, Luis
  last_name: Amaral
- first_name: Michael
  full_name: Schlichtig, Michael
  id: '32312'
  last_name: Schlichtig
  orcid: 0000-0001-6600-6171
- first_name: Wagner
  full_name: Emanuel, Wagner
  last_name: Emanuel
- first_name: Joilton
  full_name: Almeida, Joilton
  last_name: Almeida
- first_name: Carine
  full_name: Ferreira, Carine
  last_name: Ferreira
- first_name: Jérôme
  full_name: Kempf, Jérôme
  last_name: Kempf
- first_name: Rodrigo
  full_name: Bonifácio, Rodrigo
  last_name: Bonifácio
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
- first_name: Laerte
  full_name: Peotta, Laerte
  last_name: Peotta
- first_name: Gustavo
  full_name: Pinto, Gustavo
  last_name: Pinto
- first_name: Márcio
  full_name: Ribeiro, Márcio
  last_name: Ribeiro
citation:
  ama: 'Amaral L, Schlichtig M, Emanuel W, et al. From Legacy Designs to Vulnerability
    Fixes: Understanding SAST Adoption in Non-Technological Companies. In: <i>2026
    IEEE International Conference on Software Analysis, Evolution and Reengineering
    (SANER)</i>. ; 2026.'
  apa: 'Amaral, L., Schlichtig, M., Emanuel, W., Almeida, J., Ferreira, C., Kempf,
    J., Bonifácio, R., Bodden, E., Peotta, L., Pinto, G., &#38; Ribeiro, M. (2026).
    From Legacy Designs to Vulnerability Fixes: Understanding SAST Adoption in Non-Technological
    Companies. <i>2026 IEEE International Conference on Software Analysis, Evolution
    and Reengineering (SANER)</i>.'
  bibtex: '@inproceedings{Amaral_Schlichtig_Emanuel_Almeida_Ferreira_Kempf_Bonifácio_Bodden_Peotta_Pinto_et
    al._2026, title={From Legacy Designs to Vulnerability Fixes: Understanding SAST
    Adoption in Non-Technological Companies}, booktitle={2026 IEEE International Conference
    on Software Analysis, Evolution and Reengineering (SANER)}, author={Amaral, Luis
    and Schlichtig, Michael and Emanuel, Wagner and Almeida, Joilton and Ferreira,
    Carine and Kempf, Jérôme and Bonifácio, Rodrigo and Bodden, Eric and Peotta, Laerte
    and Pinto, Gustavo and et al.}, year={2026} }'
  chicago: 'Amaral, Luis, Michael Schlichtig, Wagner Emanuel, Joilton Almeida, Carine
    Ferreira, Jérôme Kempf, Rodrigo Bonifácio, et al. “From Legacy Designs to Vulnerability
    Fixes: Understanding SAST Adoption in Non-Technological Companies.” In <i>2026
    IEEE International Conference on Software Analysis, Evolution and Reengineering
    (SANER)</i>, 2026.'
  ieee: 'L. Amaral <i>et al.</i>, “From Legacy Designs to Vulnerability Fixes: Understanding
    SAST Adoption in Non-Technological Companies,” 2026.'
  mla: 'Amaral, Luis, et al. “From Legacy Designs to Vulnerability Fixes: Understanding
    SAST Adoption in Non-Technological Companies.” <i>2026 IEEE International Conference
    on Software Analysis, Evolution and Reengineering (SANER)</i>, 2026.'
  short: 'L. Amaral, M. Schlichtig, W. Emanuel, J. Almeida, C. Ferreira, J. Kempf,
    R. Bonifácio, E. Bodden, L. Peotta, G. Pinto, M. Ribeiro, in: 2026 IEEE International
    Conference on Software Analysis, Evolution and Reengineering (SANER), 2026.'
date_created: 2026-03-17T11:59:09Z
date_updated: 2026-03-17T12:02:14Z
department:
- _id: '76'
language:
- iso: eng
publication: 2026 IEEE International Conference on Software Analysis, Evolution and
  Reengineering (SANER)
status: public
title: 'From Legacy Designs to Vulnerability Fixes: Understanding SAST Adoption in
  Non-Technological Companies'
type: conference
user_id: '32312'
year: '2026'
...
---
_id: '65261'
author:
- first_name: Roman
  full_name: Trentinaglia, Roman
  id: '49934'
  last_name: Trentinaglia
  orcid: 0000-0001-9728-4991
- first_name: Thorsten
  full_name: Koch, Thorsten
  id: '13616'
  last_name: Koch
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: 'Trentinaglia R, Koch T, Bodden E. Using Attack and Failure Propagation Analysis
    for Context-Aware Security Control Suggestions. In: <i>Proceedings of the 14th
    International Conference on Model-Based Software and Systems Engineering</i>.
    SCITEPRESS - Science and Technology Publications; 2026. doi:<a href="https://doi.org/10.5220/0014278000004058">10.5220/0014278000004058</a>'
  apa: Trentinaglia, R., Koch, T., &#38; Bodden, E. (2026). Using Attack and Failure
    Propagation Analysis for Context-Aware Security Control Suggestions. <i>Proceedings
    of the 14th International Conference on Model-Based Software and Systems Engineering</i>.
    <a href="https://doi.org/10.5220/0014278000004058">https://doi.org/10.5220/0014278000004058</a>
  bibtex: '@inproceedings{Trentinaglia_Koch_Bodden_2026, title={Using Attack and Failure
    Propagation Analysis for Context-Aware Security Control Suggestions}, DOI={<a
    href="https://doi.org/10.5220/0014278000004058">10.5220/0014278000004058</a>},
    booktitle={Proceedings of the 14th International Conference on Model-Based Software
    and Systems Engineering}, publisher={SCITEPRESS - Science and Technology Publications},
    author={Trentinaglia, Roman and Koch, Thorsten and Bodden, Eric}, year={2026}
    }'
  chicago: Trentinaglia, Roman, Thorsten Koch, and Eric Bodden. “Using Attack and
    Failure Propagation Analysis for Context-Aware Security Control Suggestions.”
    In <i>Proceedings of the 14th International Conference on Model-Based Software
    and Systems Engineering</i>. SCITEPRESS - Science and Technology Publications,
    2026. <a href="https://doi.org/10.5220/0014278000004058">https://doi.org/10.5220/0014278000004058</a>.
  ieee: 'R. Trentinaglia, T. Koch, and E. Bodden, “Using Attack and Failure Propagation
    Analysis for Context-Aware Security Control Suggestions,” 2026, doi: <a href="https://doi.org/10.5220/0014278000004058">10.5220/0014278000004058</a>.'
  mla: Trentinaglia, Roman, et al. “Using Attack and Failure Propagation Analysis
    for Context-Aware Security Control Suggestions.” <i>Proceedings of the 14th International
    Conference on Model-Based Software and Systems Engineering</i>, SCITEPRESS - Science
    and Technology Publications, 2026, doi:<a href="https://doi.org/10.5220/0014278000004058">10.5220/0014278000004058</a>.
  short: 'R. Trentinaglia, T. Koch, E. Bodden, in: Proceedings of the 14th International
    Conference on Model-Based Software and Systems Engineering, SCITEPRESS - Science
    and Technology Publications, 2026.'
date_created: 2026-03-31T13:52:36Z
date_updated: 2026-03-31T13:53:55Z
department:
- _id: '241'
- _id: '662'
doi: 10.5220/0014278000004058
language:
- iso: eng
publication: Proceedings of the 14th International Conference on Model-Based Software
  and Systems Engineering
publication_status: published
publisher: SCITEPRESS - Science and Technology Publications
status: public
title: Using Attack and Failure Propagation Analysis for Context-Aware Security Control
  Suggestions
type: conference
user_id: '49934'
year: '2026'
...
---
_id: '60583'
abstract:
- lang: eng
  text: Assessing and communicating software security has become a crucial
    concern in the era of digital transformation. As software systems grow more complex
    and interconnected, it becomes increasingly challenging to effectively evaluate
    and communicate a product's security status to both technical and non-technical
    stakeholders. The Software Product Health Assistant (SPHA) is designed to automatically
    collect and aggregate data from existing expert tools and derive, among other
    scores, a transparent Security Score. SPHA is designed to present and explain
    this Security Score to decision-makers to support their responsibilities. In this
    paper, we demonstrate how to integrate data from SMARAGD (System Modeler for Architectural
    Risk Assessment and Guidance on Defenses), a safety-informed threat modeling tool,
    into SPHA to enhance the existing definition of its Security Score. To achieve
    this, we combine information about known vulnerabilities with architectural and
    threat data to calculate a realistic risk score for the product in question.
author:
- first_name: Jan-niclas
  full_name: Strüwer, Jan-niclas
  last_name: Strüwer
- first_name: Roman
  full_name: Trentinaglia, Roman
  id: '49934'
  last_name: Trentinaglia
  orcid: 0000-0001-9728-4991
- first_name: Benedict
  full_name: Wohlers, Benedict
  id: '53786'
  last_name: Wohlers
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
- first_name: Roman
  full_name: Dumitrescu, Roman
  id: '16190'
  last_name: Dumitrescu
citation:
  ama: 'Strüwer J, Trentinaglia R, Wohlers B, Bodden E, Dumitrescu R. Assessing and
    Communicating Software Security: Enhancing Software Product Health with Architectural
    Threat Analysis. In: <i>AHFE International</i>. Vol 168. AHFE International; 2025.
    doi:<a href="https://doi.org/10.54941/ahfe1006145">10.54941/ahfe1006145</a>'
  apa: 'Strüwer, J., Trentinaglia, R., Wohlers, B., Bodden, E., &#38; Dumitrescu,
    R. (2025). Assessing and Communicating Software Security: Enhancing Software Product
    Health with Architectural Threat Analysis. <i>AHFE International</i>, <i>168</i>.
    <a href="https://doi.org/10.54941/ahfe1006145">https://doi.org/10.54941/ahfe1006145</a>'
  bibtex: '@inproceedings{Strüwer_Trentinaglia_Wohlers_Bodden_Dumitrescu_2025, title={Assessing
    and Communicating Software Security: Enhancing Software Product Health with Architectural
    Threat Analysis}, volume={168}, DOI={<a href="https://doi.org/10.54941/ahfe1006145">10.54941/ahfe1006145</a>},
    booktitle={AHFE International}, publisher={AHFE International}, author={Strüwer,
    Jan-niclas and Trentinaglia, Roman and Wohlers, Benedict and Bodden, Eric and
    Dumitrescu, Roman}, year={2025} }'
  chicago: 'Strüwer, Jan-niclas, Roman Trentinaglia, Benedict Wohlers, Eric Bodden,
    and Roman Dumitrescu. “Assessing and Communicating Software Security: Enhancing
    Software Product Health with Architectural Threat Analysis.” In <i>AHFE International</i>,
    Vol. 168. AHFE International, 2025. <a href="https://doi.org/10.54941/ahfe1006145">https://doi.org/10.54941/ahfe1006145</a>.'
  ieee: 'J. Strüwer, R. Trentinaglia, B. Wohlers, E. Bodden, and R. Dumitrescu, “Assessing
    and Communicating Software Security: Enhancing Software Product Health with Architectural
    Threat Analysis,” in <i>AHFE International</i>, 2025, vol. 168, doi: <a href="https://doi.org/10.54941/ahfe1006145">10.54941/ahfe1006145</a>.'
  mla: 'Strüwer, Jan-niclas, et al. “Assessing and Communicating Software Security:
    Enhancing Software Product Health with Architectural Threat Analysis.” <i>AHFE
    International</i>, vol. 168, AHFE International, 2025, doi:<a href="https://doi.org/10.54941/ahfe1006145">10.54941/ahfe1006145</a>.'
  short: 'J. Strüwer, R. Trentinaglia, B. Wohlers, E. Bodden, R. Dumitrescu, in: AHFE
    International, AHFE International, 2025.'
date_created: 2025-07-10T06:37:42Z
date_updated: 2025-07-10T06:39:03Z
department:
- _id: '241'
- _id: '662'
doi: 10.54941/ahfe1006145
intvolume: '       168'
language:
- iso: eng
publication: AHFE International
publication_identifier:
  issn:
  - 2771-0718
publication_status: published
publisher: AHFE International
status: public
title: 'Assessing and Communicating Software Security: Enhancing Software Product
  Health with Architectural Threat Analysis'
type: conference
user_id: '49934'
volume: 168
year: '2025'
...
---
_id: '61108'
abstract:
- lang: eng
  text: "Greybox fuzzing is used extensively in research and practice. There
    are umpteen publications that improve greybox fuzzing. However, to what extent
    these improvements affect the internal components or internals of a given fuzzer
    is not yet understood, as the improvements are mostly evaluated using code coverage
    and bug-finding capability. Such an evaluation is insufficient to understand the
    effect of improvements on the fuzzer internals. Some of the literature visualizes
    the outcomes of fuzzing to enhance the understanding. However, they only focus
    on high-level information, and no previous research on visualization has been dedicated
    to understanding fuzzing internals.\n\nTo close this gap, we propose the first step
    towards the development of a fuzzing-specific visualization framework: a taxonomy
    of visualization analysis tasks that fuzzing experts desire to help them understand
    the fuzzing internals. Our approach involves conducting interviews with fuzzing
    experts and using qualitative data analysis to systematically extract the task
    taxonomy from the interview data. We also evaluate the support of existing fuzzing
    visualization tools through the lens of our taxonomy. In our study, we have conducted
    33 interviews with fuzzing practitioners and extracted a taxonomy of 120 visualization
    analysis tasks. Our evaluation shows that the existing fuzzing visualization tools
    only provide aids to support 10 of them."
article_number: '3718346'
author:
- first_name: Sriteja
  full_name: Kummita, Sriteja
  id: '72582'
  last_name: Kummita
- first_name: Miao
  full_name: Miao, Miao
  last_name: Miao
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
- first_name: Shiyi
  full_name: Wei, Shiyi
  last_name: Wei
citation:
  ama: Kummita S, Miao M, Bodden E, Wei S. Visualization Task Taxonomy to Understand
    the Fuzzing Internals. <i>ACM Transactions on Software Engineering and Methodology</i>.
    Published online 2025. doi:<a href="https://doi.org/10.1145/3718346">10.1145/3718346</a>
  apa: Kummita, S., Miao, M., Bodden, E., &#38; Wei, S. (2025). Visualization Task
    Taxonomy to Understand the Fuzzing Internals. <i>ACM Transactions on Software
    Engineering and Methodology</i>, Article 3718346. <a href="https://doi.org/10.1145/3718346">https://doi.org/10.1145/3718346</a>
  bibtex: '@article{Kummita_Miao_Bodden_Wei_2025, title={Visualization Task Taxonomy
    to Understand the Fuzzing Internals}, DOI={<a href="https://doi.org/10.1145/3718346">10.1145/3718346</a>},
    number={3718346}, journal={ACM Transactions on Software Engineering and Methodology},
    publisher={Association for Computing Machinery (ACM)}, author={Kummita, Sriteja
    and Miao, Miao and Bodden, Eric and Wei, Shiyi}, year={2025} }'
  chicago: Kummita, Sriteja, Miao Miao, Eric Bodden, and Shiyi Wei. “Visualization
    Task Taxonomy to Understand the Fuzzing Internals.” <i>ACM Transactions on Software
    Engineering and Methodology</i>, 2025. <a href="https://doi.org/10.1145/3718346">https://doi.org/10.1145/3718346</a>.
  ieee: 'S. Kummita, M. Miao, E. Bodden, and S. Wei, “Visualization Task Taxonomy
    to Understand the Fuzzing Internals,” <i>ACM Transactions on Software Engineering
    and Methodology</i>, Art. no. 3718346, 2025, doi: <a href="https://doi.org/10.1145/3718346">10.1145/3718346</a>.'
  mla: Kummita, Sriteja, et al. “Visualization Task Taxonomy to Understand the Fuzzing
    Internals.” <i>ACM Transactions on Software Engineering and Methodology</i>, 3718346,
    Association for Computing Machinery (ACM), 2025, doi:<a href="https://doi.org/10.1145/3718346">10.1145/3718346</a>.
  short: S. Kummita, M. Miao, E. Bodden, S. Wei, ACM Transactions on Software Engineering
    and Methodology (2025).
date_created: 2025-09-01T10:15:26Z
date_updated: 2025-09-01T10:16:03Z
department:
- _id: '76'
doi: 10.1145/3718346
language:
- iso: eng
publication: ACM Transactions on Software Engineering and Methodology
publication_identifier:
  issn:
  - 1049-331X
  - 1557-7392
publication_status: published
publisher: Association for Computing Machinery (ACM)
status: public
title: Visualization Task Taxonomy to Understand the Fuzzing Internals
type: journal_article
user_id: '15249'
year: '2025'
...
---
_id: '61546'
abstract:
- lang: eng
  text: <jats:p>Fuzzing is a powerful software testing technique renowned for its
    effectiveness in identifying software vulnerabilities. Traditional fuzzing evaluations
    typically focus on overall fuzzer performance across a set of target programs,
    yet few benchmarks consider how fine-grained program features influence fuzzing
    effectiveness. To bridge this gap, we introduce FeatureBench, a novel benchmark
    designed to generate programs with configurable, fine-grained program features
    to enhance fuzzing evaluations. We reviewed 25 recent grey-box fuzzing studies,
    extracting 7 program features related to control-flow and data-flow that can impact
    fuzzer performance. Using these features, we generated a benchmark consisting
    of 153 programs controlled by 10 fine-grained configurable parameters. We evaluated
    11 fuzzers using this benchmark, with each fuzzer representing either distinct
    claimed improvements or serving as a widely used baseline in fuzzing evaluations.
    The results indicate that fuzzer performance varies significantly based on the
    program features and their strengths, highlighting the importance of incorporating
    program characteristics into fuzzing evaluations.</jats:p>
author:
- first_name: Miao
  full_name: Miao, Miao
  last_name: Miao
- first_name: Sriteja
  full_name: Kummita, Sriteja
  id: '72582'
  last_name: Kummita
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
- first_name: Shiyi
  full_name: Wei, Shiyi
  last_name: Wei
citation:
  ama: Miao M, Kummita S, Bodden E, Wei S. Program Feature-Based Benchmarking for
    Fuzz Testing. <i>Proceedings of the ACM on Software Engineering</i>. 2025;2(ISSTA):527-549.
    doi:<a href="https://doi.org/10.1145/3728899">10.1145/3728899</a>
  apa: Miao, M., Kummita, S., Bodden, E., &#38; Wei, S. (2025). Program Feature-Based
    Benchmarking for Fuzz Testing. <i>Proceedings of the ACM on Software Engineering</i>,
    <i>2</i>(ISSTA), 527–549. <a href="https://doi.org/10.1145/3728899">https://doi.org/10.1145/3728899</a>
  bibtex: '@article{Miao_Kummita_Bodden_Wei_2025, title={Program Feature-Based Benchmarking
    for Fuzz Testing}, volume={2}, DOI={<a href="https://doi.org/10.1145/3728899">10.1145/3728899</a>},
    number={ISSTA}, journal={Proceedings of the ACM on Software Engineering}, publisher={Association
    for Computing Machinery (ACM)}, author={Miao, Miao and Kummita, Sriteja and Bodden,
    Eric and Wei, Shiyi}, year={2025}, pages={527–549} }'
  chicago: 'Miao, Miao, Sriteja Kummita, Eric Bodden, and Shiyi Wei. “Program Feature-Based
    Benchmarking for Fuzz Testing.” <i>Proceedings of the ACM on Software Engineering</i>
    2, no. ISSTA (2025): 527–49. <a href="https://doi.org/10.1145/3728899">https://doi.org/10.1145/3728899</a>.'
  ieee: 'M. Miao, S. Kummita, E. Bodden, and S. Wei, “Program Feature-Based Benchmarking
    for Fuzz Testing,” <i>Proceedings of the ACM on Software Engineering</i>, vol.
    2, no. ISSTA, pp. 527–549, 2025, doi: <a href="https://doi.org/10.1145/3728899">10.1145/3728899</a>.'
  mla: Miao, Miao, et al. “Program Feature-Based Benchmarking for Fuzz Testing.” <i>Proceedings
    of the ACM on Software Engineering</i>, vol. 2, no. ISSTA, Association for Computing
    Machinery (ACM), 2025, pp. 527–49, doi:<a href="https://doi.org/10.1145/3728899">10.1145/3728899</a>.
  short: M. Miao, S. Kummita, E. Bodden, S. Wei, Proceedings of the ACM on Software
    Engineering 2 (2025) 527–549.
date_created: 2025-10-08T08:29:39Z
date_updated: 2025-10-08T08:32:57Z
department:
- _id: '76'
- _id: '662'
doi: 10.1145/3728899
intvolume: '         2'
issue: ISSTA
language:
- iso: eng
page: 527-549
publication: Proceedings of the ACM on Software Engineering
publication_identifier:
  issn:
  - 2994-970X
publication_status: published
publisher: Association for Computing Machinery (ACM)
status: public
title: Program Feature-Based Benchmarking for Fuzz Testing
type: journal_article
user_id: '15249'
volume: 2
year: '2025'
...
---
_id: '61969'
abstract:
- lang: eng
  text: <jats:p>Assessing and communicating software security has become a crucial
    concern in the era of digital transformation. As software systems grow more complex
    and interconnected, it becomes increasingly challenging to effectively evaluate
    and communicate a product's security status to both technical and non-technical
    stakeholders. The Software Product Health Assistant (SPHA) is designed to automatically
    collect and aggregate data from existing expert tools and derive, among other
    scores, a transparent Security Score. SPHA is designed to present and explain
    this Security Score to decision-makers to support their responsibilities. In this
    paper, we demonstrate how to integrate data from SMARAGD (System Modeler for Architectural
    Risk Assessment and Guidance on Defenses), a safety-informed threat modeling tool,
    into SPHA to enhance the existing definition of its Security Score. To achieve
    this, we combine information about known vulnerabilities with architectural and
    threat data to calculate a realistic risk score for the product in question.</jats:p>
author:
- first_name: Jan-Niclas
  full_name: Strüwer, Jan-Niclas
  last_name: Strüwer
- first_name: Roman
  full_name: Trentinaglia, Roman
  last_name: Trentinaglia
- first_name: Benedict
  full_name: Wohlers, Benedict
  last_name: Wohlers
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
- first_name: Roman
  full_name: Dumitrescu, Roman
  id: '16190'
  last_name: Dumitrescu
citation:
  ama: 'Strüwer J-N, Trentinaglia R, Wohlers B, Bodden E, Dumitrescu R. Assessing
    and Communicating Software Security: Enhancing Software Product Health with Architectural
    Threat Analysis. In: <i>AHFE International</i>. Vol 168. AHFE International; 2025.
    doi:<a href="https://doi.org/10.54941/ahfe1006145">10.54941/ahfe1006145</a>'
  apa: 'Strüwer, J.-N., Trentinaglia, R., Wohlers, B., Bodden, E., &#38; Dumitrescu,
    R. (2025). Assessing and Communicating Software Security: Enhancing Software Product
    Health with Architectural Threat Analysis. <i>AHFE International</i>, <i>168</i>.
    <a href="https://doi.org/10.54941/ahfe1006145">https://doi.org/10.54941/ahfe1006145</a>'
  bibtex: '@inproceedings{Strüwer_Trentinaglia_Wohlers_Bodden_Dumitrescu_2025, title={Assessing
    and Communicating Software Security: Enhancing Software Product Health with Architectural
    Threat Analysis}, volume={168}, DOI={<a href="https://doi.org/10.54941/ahfe1006145">10.54941/ahfe1006145</a>},
    booktitle={AHFE International}, publisher={AHFE International}, author={Strüwer,
    Jan-Niclas and Trentinaglia, Roman and Wohlers, Benedict and Bodden, Eric and
    Dumitrescu, Roman}, year={2025} }'
  chicago: 'Strüwer, Jan-Niclas, Roman Trentinaglia, Benedict Wohlers, Eric Bodden,
    and Roman Dumitrescu. “Assessing and Communicating Software Security: Enhancing
    Software Product Health with Architectural Threat Analysis.” In <i>AHFE International</i>,
    Vol. 168. AHFE International, 2025. <a href="https://doi.org/10.54941/ahfe1006145">https://doi.org/10.54941/ahfe1006145</a>.'
  ieee: 'J.-N. Strüwer, R. Trentinaglia, B. Wohlers, E. Bodden, and R. Dumitrescu,
    “Assessing and Communicating Software Security: Enhancing Software Product Health
    with Architectural Threat Analysis,” in <i>AHFE International</i>, 2025, vol.
    168, doi: <a href="https://doi.org/10.54941/ahfe1006145">10.54941/ahfe1006145</a>.'
  mla: 'Strüwer, Jan-Niclas, et al. “Assessing and Communicating Software Security:
    Enhancing Software Product Health with Architectural Threat Analysis.” <i>AHFE
    International</i>, vol. 168, AHFE International, 2025, doi:<a href="https://doi.org/10.54941/ahfe1006145">10.54941/ahfe1006145</a>.'
  short: 'J.-N. Strüwer, R. Trentinaglia, B. Wohlers, E. Bodden, R. Dumitrescu, in:
    AHFE International, AHFE International, 2025.'
date_created: 2025-10-24T06:56:54Z
date_updated: 2025-10-24T08:12:16Z
department:
- _id: '563'
doi: 10.54941/ahfe1006145
intvolume: '       168'
language:
- iso: eng
publication: AHFE International
publication_identifier:
  issn:
  - 2771-0718
publication_status: published
publisher: AHFE International
status: public
title: 'Assessing and Communicating Software Security: Enhancing Software Product
  Health with Architectural Threat Analysis'
type: conference
user_id: '15782'
volume: 168
year: '2025'
...
---
_id: '62973'
abstract:
- lang: eng
  text: "Large Language Models (LLMs) are increasingly being explored for their potential
    in software engineering, particularly in static analysis tasks. In this study,
    we investigate the potential of current LLMs to enhance call-graph analysis and
    type inference for Python and JavaScript programs. We empirically evaluated 24
    LLMs, including OpenAI's GPT series and open-source models like LLaMA and Mistral,
    using existing and newly developed benchmarks. Specifically, we enhanced TypeEvalPy,
    a micro-benchmarking framework for type inference in Python, with auto-generation
    capabilities, expanding its scope from 860 to 77,268 type annotations for Python.
    Additionally, we introduced SWARM-CG and SWARM-JS, comprehensive benchmarking
    suites for evaluating call-graph construction tools across multiple programming
    languages.\r\n Our findings reveal a contrasting performance of LLMs in static
    analysis tasks. For call-graph generation, traditional static analysis tools such
    as PyCG for Python and Jelly for JavaScript consistently outperform LLMs. While
    advanced models like mistral-large-it-2407-123b and gpt-4o show promise, they
    still struggle with completeness and soundness in call-graph analysis across both
    languages. In contrast, LLMs demonstrate a clear advantage in type inference for
    Python, surpassing traditional tools like HeaderGen and hybrid approaches such
    as HiTyper. These results suggest that, while LLMs hold promise in type inference,
    their limitations in call-graph analysis highlight the need for further research.
    Our study provides a foundation for integrating LLMs into static analysis workflows,
    offering insights into their strengths and current limitations."
author:
- first_name: Ashwin Prasad
  full_name: Shivarpatna Venkatesh, Ashwin Prasad
  id: '66637'
  last_name: Shivarpatna Venkatesh
- first_name: Rose
  full_name: Sunil, Rose
  id: '97670'
  last_name: Sunil
- first_name: Samkutty
  full_name: Sabu, Samkutty
  last_name: Sabu
- first_name: Amir M.
  full_name: Mir, Amir M.
  last_name: Mir
- first_name: Sofia
  full_name: Reis, Sofia
  last_name: Reis
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: Shivarpatna Venkatesh AP, Sunil R, Sabu S, Mir AM, Reis S, Bodden E. An Empirical
    Study of Large Language Models for Type and Call Graph Analysis in Python and
    JavaScript. <i>Empirical Software Engineering</i>. 2025;30(6). doi:<a href="https://doi.org/10.48550/ARXIV.2410.00603">10.48550/ARXIV.2410.00603</a>
  apa: Shivarpatna Venkatesh, A. P., Sunil, R., Sabu, S., Mir, A. M., Reis, S., &#38;
    Bodden, E. (2025). An Empirical Study of Large Language Models for Type and Call
    Graph Analysis in Python and JavaScript. <i>Empirical Software Engineering</i>,
    <i>30</i>(6). <a href="https://doi.org/10.48550/ARXIV.2410.00603">https://doi.org/10.48550/ARXIV.2410.00603</a>
  bibtex: '@article{Shivarpatna Venkatesh_Sunil_Sabu_Mir_Reis_Bodden_2025, title={An
    Empirical Study of Large Language Models for Type and Call Graph Analysis in Python
    and JavaScript}, volume={30}, DOI={<a href="https://doi.org/10.48550/ARXIV.2410.00603">10.48550/ARXIV.2410.00603</a>},
    number={6}, journal={Empirical Software Engineering}, publisher={Springer}, author={Shivarpatna
    Venkatesh, Ashwin Prasad and Sunil, Rose and Sabu, Samkutty and Mir, Amir M. and
    Reis, Sofia and Bodden, Eric}, year={2025} }'
  chicago: Shivarpatna Venkatesh, Ashwin Prasad, Rose Sunil, Samkutty Sabu, Amir M.
    Mir, Sofia Reis, and Eric Bodden. “An Empirical Study of Large Language Models
    for Type and Call Graph Analysis in Python and JavaScript.” <i>Empirical Software
    Engineering</i> 30, no. 6 (2025). <a href="https://doi.org/10.48550/ARXIV.2410.00603">https://doi.org/10.48550/ARXIV.2410.00603</a>.
  ieee: 'A. P. Shivarpatna Venkatesh, R. Sunil, S. Sabu, A. M. Mir, S. Reis, and E.
    Bodden, “An Empirical Study of Large Language Models for Type and Call Graph Analysis
    in Python and JavaScript,” <i>Empirical Software Engineering</i>, vol. 30, no.
    6, 2025, doi: <a href="https://doi.org/10.48550/ARXIV.2410.00603">10.48550/ARXIV.2410.00603</a>.'
  mla: Shivarpatna Venkatesh, Ashwin Prasad, et al. “An Empirical Study of Large Language
    Models for Type and Call Graph Analysis in Python and JavaScript.” <i>Empirical
    Software Engineering</i>, vol. 30, no. 6, Springer, 2025, doi:<a href="https://doi.org/10.48550/ARXIV.2410.00603">10.48550/ARXIV.2410.00603</a>.
  short: A.P. Shivarpatna Venkatesh, R. Sunil, S. Sabu, A.M. Mir, S. Reis, E. Bodden,
    Empirical Software Engineering 30 (2025).
date_created: 2025-12-08T13:20:30Z
date_updated: 2025-12-08T13:25:49Z
department:
- _id: '76'
doi: 10.48550/ARXIV.2410.00603
intvolume: '        30'
issue: '6'
language:
- iso: eng
publication: Empirical Software Engineering
publisher: Springer
status: public
title: An Empirical Study of Large Language Models for Type and Call Graph Analysis
  in Python and JavaScript
type: journal_article
user_id: '15249'
volume: 30
year: '2025'
...
---
_id: '65018'
abstract:
- lang: eng
  text: "Android applications collecting data from users must protect it according
    to the current legal frameworks. Such data protection has become even more important
    since in 2018 the European Union rolled out the General Data Protection Regulation
    (GDPR). Since app developers are not legal experts, they find it difficult to
    integrate privacy-aware practices into source code development. Despite these
    legal obligations, developers have limited tool support to reason about data protection
    throughout their app development process.\r\n  This paper explores the use of
    static program slicing and software visualization to analyze privacy-relevant
    data flows in Android apps. We introduce SliceViz, a web tool that analyzes an
    Android app by slicing all privacy-relevant data sources detected in the source
    code on the back-end. It then helps developers by visualizing these privacy-relevant
    program slices.\r\n  We conducted a user study with 12 participants demonstrating
    that SliceViz effectively aids developers in identifying privacy-relevant properties
    in Android apps.\r\n  Our findings indicate that program slicing can be employed
    to identify and reason about privacy-relevant data flows in Android applications.
    With further usability improvements, developers can be better equipped to handle
    privacy-sensitive information."
author:
- first_name: Mugdha
  full_name: Khedkar, Mugdha
  id: '88024'
  last_name: Khedkar
- first_name: Michael
  full_name: Schlichtig, Michael
  id: '32312'
  last_name: Schlichtig
  orcid: 0000-0001-6600-6171
- first_name: Santhosh
  full_name: Mohan, Santhosh
  last_name: Mohan
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: Khedkar M, Schlichtig M, Mohan S, Bodden E. Visualizing Privacy-Relevant Data
    Flows in Android Applications. <i>arXiv:250316640</i>. Published online 2025.
  apa: Khedkar, M., Schlichtig, M., Mohan, S., &#38; Bodden, E. (2025). Visualizing
    Privacy-Relevant Data Flows in Android Applications. In <i>arXiv:2503.16640</i>.
  bibtex: '@article{Khedkar_Schlichtig_Mohan_Bodden_2025, title={Visualizing Privacy-Relevant
    Data Flows in Android Applications}, journal={arXiv:2503.16640}, author={Khedkar,
    Mugdha and Schlichtig, Michael and Mohan, Santhosh and Bodden, Eric}, year={2025}
    }'
  chicago: Khedkar, Mugdha, Michael Schlichtig, Santhosh Mohan, and Eric Bodden. “Visualizing
    Privacy-Relevant Data Flows in Android Applications.” <i>ArXiv:2503.16640</i>,
    2025.
  ieee: M. Khedkar, M. Schlichtig, S. Mohan, and E. Bodden, “Visualizing Privacy-Relevant
    Data Flows in Android Applications,” <i>arXiv:2503.16640</i>. 2025.
  mla: Khedkar, Mugdha, et al. “Visualizing Privacy-Relevant Data Flows in Android
    Applications.” <i>ArXiv:2503.16640</i>, 2025.
  short: M. Khedkar, M. Schlichtig, S. Mohan, E. Bodden, ArXiv:2503.16640 (2025).
date_created: 2026-03-16T17:39:12Z
date_updated: 2026-03-16T17:40:56Z
department:
- _id: '76'
external_id:
  arxiv:
  - '2503.16640'
language:
- iso: eng
publication: arXiv:2503.16640
status: public
title: Visualizing Privacy-Relevant Data Flows in Android Applications
type: preprint
user_id: '32312'
year: '2025'
...
---
_id: '52663'
abstract:
- lang: eng
  text: "Context\r\nStatic analyses are well-established to aid in understanding bugs
    or vulnerabilities during the development process or in large-scale studies. A
    low false-positive rate is essential for the adaption in practice and for precise
    results of empirical studies. Unfortunately, static analyses tend to report where
    a vulnerability manifests rather than the fix location. This can cause presumed
    false positives or imprecise results.\r\nMethod\r\nTo address this problem, we
    designed an adaption of an existing static analysis algorithm that can distinguish
    between a manifestation and fix location, and reports error chains. An error chain
    represents at least two interconnected errors that occur successively, thus building
    the connection between the fix and manifestation location. We used our tool CogniCryptSUBS
    for a case study on 471 GitHub repositories, a performance benchmark to compare
    different analysis configurations, and conducted an expert interview.\r\nResult\r\nWe
    found that 50 % of the projects with a report had at least one error chain. Our
    runtime benchmark demonstrated that our improvement caused only a minimal runtime
    overhead of less than 4 %. The results of our expert interview indicate that with
    our adapted version participants require fewer executions of the analysis.\r\nConclusion\r\nOur
    results indicate that error chains occur frequently in real-world projects, and
    ignoring them can lead to imprecise evaluation results. The runtime benchmark
    indicates that our tool is a feasible and efficient solution for detecting error
    chains in real-world projects. Further, our results gave a hint that the usability
    of static analyses may benefit from supporting error chains."
author:
- first_name: Anna-Katharina
  full_name: Wickert, Anna-Katharina
  last_name: Wickert
- first_name: Michael
  full_name: Schlichtig, Michael
  id: '32312'
  last_name: Schlichtig
  orcid: 0000-0001-6600-6171
- first_name: Marvin
  full_name: Vogel, Marvin
  last_name: Vogel
- first_name: Lukas
  full_name: Winter, Lukas
  last_name: Winter
- first_name: Mira
  full_name: Mezini, Mira
  last_name: Mezini
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: Wickert A-K, Schlichtig M, Vogel M, Winter L, Mezini M, Bodden E. <i>Supporting
    Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability</i>.;
    2024.
  apa: Wickert, A.-K., Schlichtig, M., Vogel, M., Winter, L., Mezini, M., &#38; Bodden,
    E. (2024). <i>Supporting Error Chains in Static Analysis for Precise Evaluation
    Results and Enhanced Usability</i>.
  bibtex: '@book{Wickert_Schlichtig_Vogel_Winter_Mezini_Bodden_2024, title={Supporting
    Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability},
    author={Wickert, Anna-Katharina and Schlichtig, Michael and Vogel, Marvin and
    Winter, Lukas and Mezini, Mira and Bodden, Eric}, year={2024} }'
  chicago: Wickert, Anna-Katharina, Michael Schlichtig, Marvin Vogel, Lukas Winter,
    Mira Mezini, and Eric Bodden. <i>Supporting Error Chains in Static Analysis for
    Precise Evaluation Results and Enhanced Usability</i>, 2024.
  ieee: A.-K. Wickert, M. Schlichtig, M. Vogel, L. Winter, M. Mezini, and E. Bodden,
    <i>Supporting Error Chains in Static Analysis for Precise Evaluation Results and
    Enhanced Usability</i>. 2024.
  mla: Wickert, Anna-Katharina, et al. <i>Supporting Error Chains in Static Analysis
    for Precise Evaluation Results and Enhanced Usability</i>. 2024.
  short: A.-K. Wickert, M. Schlichtig, M. Vogel, L. Winter, M. Mezini, E. Bodden,
    Supporting Error Chains in Static Analysis for Precise Evaluation Results and
    Enhanced Usability, 2024.
date_created: 2024-03-20T09:28:36Z
date_updated: 2024-03-20T09:32:29Z
department:
- _id: '76'
keyword:
- Static analysis
- error chains
- false positive reduction
- empirical studies
language:
- iso: eng
main_file_link:
- url: https://arxiv.org/abs/2403.07808
status: public
title: Supporting Error Chains in Static Analysis for Precise Evaluation Results and
  Enhanced Usability
type: misc
user_id: '32312'
year: '2024'
...
---
_id: '53938'
abstract:
- lang: eng
  text: Previous work has shown that one can often greatly speed up static analysis
    by computing data flows not for every edge in the program’s control-flow graph
    but instead only along definition-use chains. This yields a so-called sparse static
    analysis. Recent work on SparseDroid has shown that specifically taint analysis
    can be “sparsified” with extraordinary effectiveness because the taint state of
    one variable does not depend on those of others. This allows one to soundly omit
    more flow-function computations than in the general case. In this work, we now
    assess whether this result carries over to the more generic setting of so-called
    Interprocedural Distributive Environment (IDE) problems. Opposed to taint analysis,
    IDE comprises distributive problems with large or even infinitely broad domains,
    such as typestate analysis or linear constant propagation. Specifically, this
    paper presents Sparse IDE, a framework that realizes sparsification for any static
    analysis that fits the IDE framework. We implement Sparse IDE in SparseHeros,
    as an extension to the popular Heros IDE solver, and evaluate its performance
    on real-world Java libraries by comparing it to the baseline IDE algorithm. To
    this end, we design, implement and evaluate a linear constant propagation analysis
    client on top of SparseHeros. Our experiments show that, although IDE analyses
    can only be sparsified with respect to symbols and not (numeric) values, Sparse
    IDE can nonetheless yield significantly lower runtimes and often also memory consumptions
    compared to the original IDE.
author:
- first_name: Kadiray
  full_name: Karakaya, Kadiray
  id: '70410'
  last_name: Karakaya
  orcid: https://orcid.org/0000-0001-9266-2084
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: 'Karakaya K, Bodden E. Symbol-Specific Sparsification of Interprocedural Distributive
    Environment Problems. In: <i>Proceedings of the IEEE/ACM 46th International Conference
    on Software Engineering</i>. ACM; 2024. doi:<a href="https://doi.org/10.1145/3597503.3639092">10.1145/3597503.3639092</a>'
  apa: Karakaya, K., &#38; Bodden, E. (2024). Symbol-Specific Sparsification of Interprocedural
    Distributive Environment Problems. <i>Proceedings of the IEEE/ACM 46th International
    Conference on Software Engineering</i>. <a href="https://doi.org/10.1145/3597503.3639092">https://doi.org/10.1145/3597503.3639092</a>
  bibtex: '@inproceedings{Karakaya_Bodden_2024, title={Symbol-Specific Sparsification
    of Interprocedural Distributive Environment Problems}, DOI={<a href="https://doi.org/10.1145/3597503.3639092">10.1145/3597503.3639092</a>},
    booktitle={Proceedings of the IEEE/ACM 46th International Conference on Software
    Engineering}, publisher={ACM}, author={Karakaya, Kadiray and Bodden, Eric}, year={2024}
    }'
  chicago: Karakaya, Kadiray, and Eric Bodden. “Symbol-Specific Sparsification of
    Interprocedural Distributive Environment Problems.” In <i>Proceedings of the IEEE/ACM
    46th International Conference on Software Engineering</i>. ACM, 2024. <a href="https://doi.org/10.1145/3597503.3639092">https://doi.org/10.1145/3597503.3639092</a>.
  ieee: 'K. Karakaya and E. Bodden, “Symbol-Specific Sparsification of Interprocedural
    Distributive Environment Problems,” 2024, doi: <a href="https://doi.org/10.1145/3597503.3639092">10.1145/3597503.3639092</a>.'
  mla: Karakaya, Kadiray, and Eric Bodden. “Symbol-Specific Sparsification of Interprocedural
    Distributive Environment Problems.” <i>Proceedings of the IEEE/ACM 46th International
    Conference on Software Engineering</i>, ACM, 2024, doi:<a href="https://doi.org/10.1145/3597503.3639092">10.1145/3597503.3639092</a>.
  short: 'K. Karakaya, E. Bodden, in: Proceedings of the IEEE/ACM 46th International
    Conference on Software Engineering, ACM, 2024.'
date_created: 2024-05-06T11:20:21Z
date_updated: 2024-05-06T11:23:06Z
department:
- _id: '76'
doi: 10.1145/3597503.3639092
language:
- iso: eng
publication: Proceedings of the IEEE/ACM 46th International Conference on Software
  Engineering
publication_status: published
publisher: ACM
status: public
title: Symbol-Specific Sparsification of Interprocedural Distributive Environment
  Problems
type: conference
user_id: '15249'
year: '2024'
...
---
_id: '53958'
abstract:
- lang: eng
  text: "To detect security vulnerabilities, static analysis tools need to be configured
    with security-relevant methods. Current approaches can automatically identify
    such methods using binary relevance machine learning approaches. However, they
    ignore dependencies among security-relevant methods, over-generalize and perform
    poorly in practice. Additionally, users have to nevertheless manually configure
    static analysis tools using the detected methods. Based on feedback from users
    and our observations, the excessive manual steps can often be tedious, error-prone
    and counter-intuitive.\r\n In this paper, we present Dev-Assist, an IntelliJ IDEA
    plugin that detects security-relevant methods using a multi-label machine learning
    approach that considers dependencies among labels. The plugin can automatically
    generate configurations for static analysis tools, run the static analysis, and
    show the results in IntelliJ IDEA. Our experiments reveal that Dev-Assist's machine
    learning approach has a higher F1-Measure than related approaches. Moreover, the
    plugin reduces and simplifies the manual effort required when configuring and
    using static analysis tools."
author:
- first_name: Oshando
  full_name: Johnson, Oshando
  id: '66583'
  last_name: Johnson
- first_name: Goran
  full_name: Piskachev, Goran
  id: '41936'
  last_name: Piskachev
  orcid: 0000-0003-4424-5838
- first_name: Ranjith
  full_name: Krishnamurthy, Ranjith
  id: '78060'
  last_name: Krishnamurthy
  orcid: 0000-0002-0906-5463
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: 'Johnson O, Piskachev G, Krishnamurthy R, Bodden E. Detecting Security-Relevant
    Methods using Multi-label Machine Learning. In: <i>Proceedings of the 46th International
    Conference on Software Engineering, IDE Workshop</i>. ; 2024. doi:<a href="https://doi.org/10.48550/ARXIV.2403.07501">10.48550/ARXIV.2403.07501</a>'
  apa: Johnson, O., Piskachev, G., Krishnamurthy, R., &#38; Bodden, E. (2024). Detecting
    Security-Relevant Methods using Multi-label Machine Learning. <i>Proceedings of
    the 46th International Conference on Software Engineering, IDE Workshop</i>. <a
    href="https://doi.org/10.48550/ARXIV.2403.07501">https://doi.org/10.48550/ARXIV.2403.07501</a>
  bibtex: '@inproceedings{Johnson_Piskachev_Krishnamurthy_Bodden_2024, title={Detecting
    Security-Relevant Methods using Multi-label Machine Learning}, DOI={<a href="https://doi.org/10.48550/ARXIV.2403.07501">10.48550/ARXIV.2403.07501</a>},
    booktitle={Proceedings of the 46th International Conference on Software Engineering,
    IDE Workshop}, author={Johnson, Oshando and Piskachev, Goran and Krishnamurthy,
    Ranjith and Bodden, Eric}, year={2024} }'
  chicago: Johnson, Oshando, Goran Piskachev, Ranjith Krishnamurthy, and Eric Bodden.
    “Detecting Security-Relevant Methods Using Multi-Label Machine Learning.” In <i>Proceedings
    of the 46th International Conference on Software Engineering, IDE Workshop</i>,
    2024. <a href="https://doi.org/10.48550/ARXIV.2403.07501">https://doi.org/10.48550/ARXIV.2403.07501</a>.
  ieee: 'O. Johnson, G. Piskachev, R. Krishnamurthy, and E. Bodden, “Detecting Security-Relevant
    Methods using Multi-label Machine Learning,” 2024, doi: <a href="https://doi.org/10.48550/ARXIV.2403.07501">10.48550/ARXIV.2403.07501</a>.'
  mla: Johnson, Oshando, et al. “Detecting Security-Relevant Methods Using Multi-Label
    Machine Learning.” <i>Proceedings of the 46th International Conference on Software
    Engineering, IDE Workshop</i>, 2024, doi:<a href="https://doi.org/10.48550/ARXIV.2403.07501">10.48550/ARXIV.2403.07501</a>.
  short: 'O. Johnson, G. Piskachev, R. Krishnamurthy, E. Bodden, in: Proceedings of
    the 46th International Conference on Software Engineering, IDE Workshop, 2024.'
date_created: 2024-05-06T11:43:19Z
date_updated: 2024-05-06T11:47:14Z
department:
- _id: '76'
- _id: '662'
doi: 10.48550/ARXIV.2403.07501
language:
- iso: eng
publication: Proceedings of the 46th International Conference on Software Engineering,
  IDE Workshop
status: public
title: Detecting Security-Relevant Methods using Multi-label Machine Learning
type: conference
user_id: '15249'
year: '2024'
...
---
_id: '53959'
abstract:
- lang: eng
  text: In light of the growing interest in type inference research for Python, both
    researchers and practitioners require a standardized process to assess the performance
    of various type inference techniques. This paper introduces TypeEvalPy, a comprehensive
    micro-benchmarking framework for evaluating type inference tools. TypeEvalPy contains
    154 code snippets with 845 type annotations across 18 categories that target various
    Python features. The framework manages the execution of containerized tools, transforms
    inferred types into a standardized format, and produces meaningful metrics for
    assessment. Through our analysis, we compare the performance of six type inference
    tools, highlighting their strengths and limitations. Our findings provide a foundation
    for further research and optimization in the domain of Python type inference.
author:
- first_name: Ashwin Prasad
  full_name: Shivarpatna Venkatesh, Ashwin Prasad
  id: '66637'
  last_name: Shivarpatna Venkatesh
- first_name: Samkutty
  full_name: Sabu, Samkutty
  last_name: Sabu
- first_name: Jiawei
  full_name: Wang, Jiawei
  last_name: Wang
- first_name: Amir M.
  full_name: Mir, Amir M.
  last_name: Mir
- first_name: Li
  full_name: Li, Li
  last_name: Li
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: 'Shivarpatna Venkatesh AP, Sabu S, Wang J, Mir AM, Li L, Bodden E. TypeEvalPy:
    A Micro-benchmarking Framework for Python Type Inference  Tools. In: <i>Proceedings
    of the 2024 IEEE/ACM 46th International Conference on Software Engineering: Companion
    Proceedings</i>. ICSE-Companion 24. Association for Computing Machinery; 2024:49-53.
    doi:<a href="https://doi.org/10.1145/3639478.3640033">10.1145/3639478.3640033</a>'
  apa: 'Shivarpatna Venkatesh, A. P., Sabu, S., Wang, J., Mir, A. M., Li, L., &#38;
    Bodden, E. (2024). TypeEvalPy: A Micro-benchmarking Framework for Python Type
    Inference  Tools. <i>Proceedings of the 2024 IEEE/ACM 46th International Conference
    on Software Engineering: Companion Proceedings</i>, 49–53. <a href="https://doi.org/10.1145/3639478.3640033">https://doi.org/10.1145/3639478.3640033</a>'
  bibtex: '@inproceedings{Shivarpatna Venkatesh_Sabu_Wang_Mir_Li_Bodden_2024, place={New
    York, NY, USA}, series={ICSE-Companion 24}, title={TypeEvalPy: A Micro-benchmarking
    Framework for Python Type Inference  Tools}, DOI={<a href="https://doi.org/10.1145/3639478.3640033">10.1145/3639478.3640033</a>},
    booktitle={Proceedings of the 2024 IEEE/ACM 46th International Conference on Software
    Engineering: Companion Proceedings}, publisher={Association for Computing Machinery},
    author={Shivarpatna Venkatesh, Ashwin Prasad and Sabu, Samkutty and Wang, Jiawei
    and Mir, Amir M. and Li, Li and Bodden, Eric}, year={2024}, pages={49–53}, collection={ICSE-Companion
    24} }'
  chicago: 'Shivarpatna Venkatesh, Ashwin Prasad, Samkutty Sabu, Jiawei Wang, Amir
    M. Mir, Li Li, and Eric Bodden. “TypeEvalPy: A Micro-Benchmarking Framework for
    Python Type Inference  Tools.” In <i>Proceedings of the 2024 IEEE/ACM 46th International
    Conference on Software Engineering: Companion Proceedings</i>, 49–53. ICSE-Companion
    24. New York, NY, USA: Association for Computing Machinery, 2024. <a href="https://doi.org/10.1145/3639478.3640033">https://doi.org/10.1145/3639478.3640033</a>.'
  ieee: 'A. P. Shivarpatna Venkatesh, S. Sabu, J. Wang, A. M. Mir, L. Li, and E. Bodden,
    “TypeEvalPy: A Micro-benchmarking Framework for Python Type Inference  Tools,”
    in <i>Proceedings of the 2024 IEEE/ACM 46th International Conference on Software
    Engineering: Companion Proceedings</i>, Lisbon, Portugal, 2024, pp. 49–53, doi:
    <a href="https://doi.org/10.1145/3639478.3640033">10.1145/3639478.3640033</a>.'
  mla: 'Shivarpatna Venkatesh, Ashwin Prasad, et al. “TypeEvalPy: A Micro-Benchmarking
    Framework for Python Type Inference  Tools.” <i>Proceedings of the 2024 IEEE/ACM
    46th International Conference on Software Engineering: Companion Proceedings</i>,
    Association for Computing Machinery, 2024, pp. 49–53, doi:<a href="https://doi.org/10.1145/3639478.3640033">10.1145/3639478.3640033</a>.'
  short: 'A.P. Shivarpatna Venkatesh, S. Sabu, J. Wang, A.M. Mir, L. Li, E. Bodden,
    in: Proceedings of the 2024 IEEE/ACM 46th International Conference on Software
    Engineering: Companion Proceedings, Association for Computing Machinery, New York,
    NY, USA, 2024, pp. 49–53.'
conference:
  location: Lisbon, Portugal
date_created: 2024-05-06T11:49:22Z
date_updated: 2024-08-05T07:49:33Z
department:
- _id: '76'
doi: 10.1145/3639478.3640033
external_id:
  arxiv:
  - '2312.16882'
language:
- iso: eng
page: 49-53
place: New York, NY, USA
publication: 'Proceedings of the 2024 IEEE/ACM 46th International Conference on Software
  Engineering: Companion Proceedings'
publication_identifier:
  isbn:
  - '9798400705021'
publisher: Association for Computing Machinery
series_title: ICSE-Companion 24
status: public
title: 'TypeEvalPy: A Micro-benchmarking Framework for Python Type Inference  Tools'
type: conference
user_id: '15249'
year: '2024'
...
---
_id: '55516'
author:
- first_name: Ashwin Prasad
  full_name: Shivarpatna Venkatesh, Ashwin Prasad
  id: '66637'
  last_name: Shivarpatna Venkatesh
- first_name: Samkutty
  full_name: Sabu, Samkutty
  last_name: Sabu
- first_name: Amir M.
  full_name: Mir, Amir M.
  last_name: Mir
- first_name: Sofia
  full_name: Reis, Sofia
  last_name: Reis
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: 'Shivarpatna Venkatesh AP, Sabu S, Mir AM, Reis S, Bodden E. The Emergence
    of Large Language Models in Static Analysis: A First Look through Micro-Benchmarks.
    In: <i>Proceedings of the 2024 IEEE/ACM First International Conference on AI Foundation
    Models and Software Engineering</i>. ACM; 2024. doi:<a href="https://doi.org/10.1145/3650105.3652288">10.1145/3650105.3652288</a>'
  apa: 'Shivarpatna Venkatesh, A. P., Sabu, S., Mir, A. M., Reis, S., &#38; Bodden,
    E. (2024). The Emergence of Large Language Models in Static Analysis: A First
    Look through Micro-Benchmarks. <i>Proceedings of the 2024 IEEE/ACM First International
    Conference on AI Foundation Models and Software Engineering</i>. <a href="https://doi.org/10.1145/3650105.3652288">https://doi.org/10.1145/3650105.3652288</a>'
  bibtex: '@inproceedings{Shivarpatna Venkatesh_Sabu_Mir_Reis_Bodden_2024, title={The
    Emergence of Large Language Models in Static Analysis: A First Look through Micro-Benchmarks},
    DOI={<a href="https://doi.org/10.1145/3650105.3652288">10.1145/3650105.3652288</a>},
    booktitle={Proceedings of the 2024 IEEE/ACM First International Conference on
    AI Foundation Models and Software Engineering}, publisher={ACM}, author={Shivarpatna
    Venkatesh, Ashwin Prasad and Sabu, Samkutty and Mir, Amir M. and Reis, Sofia and
    Bodden, Eric}, year={2024} }'
  chicago: 'Shivarpatna Venkatesh, Ashwin Prasad, Samkutty Sabu, Amir M. Mir, Sofia
    Reis, and Eric Bodden. “The Emergence of Large Language Models in Static Analysis:
    A First Look through Micro-Benchmarks.” In <i>Proceedings of the 2024 IEEE/ACM
    First International Conference on AI Foundation Models and Software Engineering</i>.
    ACM, 2024. <a href="https://doi.org/10.1145/3650105.3652288">https://doi.org/10.1145/3650105.3652288</a>.'
  ieee: 'A. P. Shivarpatna Venkatesh, S. Sabu, A. M. Mir, S. Reis, and E. Bodden,
    “The Emergence of Large Language Models in Static Analysis: A First Look through
    Micro-Benchmarks,” 2024, doi: <a href="https://doi.org/10.1145/3650105.3652288">10.1145/3650105.3652288</a>.'
  mla: 'Shivarpatna Venkatesh, Ashwin Prasad, et al. “The Emergence of Large Language
    Models in Static Analysis: A First Look through Micro-Benchmarks.” <i>Proceedings
    of the 2024 IEEE/ACM First International Conference on AI Foundation Models and
    Software Engineering</i>, ACM, 2024, doi:<a href="https://doi.org/10.1145/3650105.3652288">10.1145/3650105.3652288</a>.'
  short: 'A.P. Shivarpatna Venkatesh, S. Sabu, A.M. Mir, S. Reis, E. Bodden, in: Proceedings
    of the 2024 IEEE/ACM First International Conference on AI Foundation Models and
    Software Engineering, ACM, 2024.'
date_created: 2024-08-05T09:12:59Z
date_updated: 2024-08-05T09:14:11Z
department:
- _id: '76'
doi: 10.1145/3650105.3652288
language:
- iso: eng
publication: Proceedings of the 2024 IEEE/ACM First International Conference on AI
  Foundation Models and Software Engineering
publication_status: published
publisher: ACM
status: public
title: 'The Emergence of Large Language Models in Static Analysis: A First Look through
  Micro-Benchmarks'
type: conference
user_id: '15249'
year: '2024'
...
---
_id: '59411'
abstract:
- lang: eng
  text: As our lives, our businesses, and indeed our world economy become
    increasingly reliant on the secure operation of many interconnected software systems,
    the software engineering research community is faced with unprecedented research
    challenges, but also with exciting new opportunities. In this roadmap paper, we
    outline our vision of Software Security Analysis for the systems of the future.
    Given the recent advances in generative AI, we need new methods to assess and
    maximize the security of code co-written by machines. As our systems become increasingly
    heterogeneous, we need practical approaches that work even if some functions are
    automatically generated, e.g., by deep neural networks. As software systems depend
    evermore on the software supply chain, we need tools that scale to an entire ecosystem.
    What kind of vulnerabilities exist in future systems and how do we detect them?
    When all the shallow bugs are found, how do we discover vulnerabilities hidden
    deeply in the system? Assuming we cannot find all security flaws, how can we nevertheless
    protect our system? To answer these questions, we start our roadmap with a survey
    of recent advances in software security, then discuss open challenges and opportunities,
    and conclude with a long-term perspective for the field.
author:
- first_name: Marcel
  full_name: Böhme, Marcel
  last_name: Böhme
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
- first_name: Tevfik
  full_name: Bultan, Tevfik
  last_name: Bultan
- first_name: Cristian
  full_name: Cadar, Cristian
  last_name: Cadar
- first_name: Yang
  full_name: Liu, Yang
  last_name: Liu
- first_name: Giuseppe
  full_name: Scanniello, Giuseppe
  last_name: Scanniello
citation:
  ama: 'Böhme M, Bodden E, Bultan T, Cadar C, Liu Y, Scanniello G. Software Security
    Analysis in 2030 and Beyond: A Research Roadmap. <i>ACM Transactions on Software
    Engineering and Methodology</i>. Published online 2024. doi:<a href="https://doi.org/10.1145/3708533">10.1145/3708533</a>'
  apa: 'Böhme, M., Bodden, E., Bultan, T., Cadar, C., Liu, Y., &#38; Scanniello, G.
    (2024). Software Security Analysis in 2030 and Beyond: A Research Roadmap. <i>ACM
    Transactions on Software Engineering and Methodology</i>. <a href="https://doi.org/10.1145/3708533">https://doi.org/10.1145/3708533</a>'
  bibtex: '@article{Böhme_Bodden_Bultan_Cadar_Liu_Scanniello_2024, title={Software
    Security Analysis in 2030 and Beyond: A Research Roadmap}, DOI={<a href="https://doi.org/10.1145/3708533">10.1145/3708533</a>},
    journal={ACM Transactions on Software Engineering and Methodology}, publisher={Association
    for Computing Machinery (ACM)}, author={Böhme, Marcel and Bodden, Eric and Bultan,
    Tevfik and Cadar, Cristian and Liu, Yang and Scanniello, Giuseppe}, year={2024}
    }'
  chicago: 'Böhme, Marcel, Eric Bodden, Tevfik Bultan, Cristian Cadar, Yang Liu, and
    Giuseppe Scanniello. “Software Security Analysis in 2030 and Beyond: A Research
    Roadmap.” <i>ACM Transactions on Software Engineering and Methodology</i>, 2024.
    <a href="https://doi.org/10.1145/3708533">https://doi.org/10.1145/3708533</a>.'
  ieee: 'M. Böhme, E. Bodden, T. Bultan, C. Cadar, Y. Liu, and G. Scanniello, “Software
    Security Analysis in 2030 and Beyond: A Research Roadmap,” <i>ACM Transactions
    on Software Engineering and Methodology</i>, 2024, doi: <a href="https://doi.org/10.1145/3708533">10.1145/3708533</a>.'
  mla: 'Böhme, Marcel, et al. “Software Security Analysis in 2030 and Beyond: A Research
    Roadmap.” <i>ACM Transactions on Software Engineering and Methodology</i>, Association
    for Computing Machinery (ACM), 2024, doi:<a href="https://doi.org/10.1145/3708533">10.1145/3708533</a>.'
  short: M. Böhme, E. Bodden, T. Bultan, C. Cadar, Y. Liu, G. Scanniello, ACM Transactions
    on Software Engineering and Methodology (2024).
date_created: 2025-04-07T10:04:48Z
date_updated: 2025-04-07T10:05:15Z
department:
- _id: '76'
doi: 10.1145/3708533
language:
- iso: eng
publication: ACM Transactions on Software Engineering and Methodology
publication_identifier:
  issn:
  - 1049-331X
  - 1557-7392
publication_status: published
publisher: Association for Computing Machinery (ACM)
status: public
title: 'Software Security Analysis in 2030 and Beyond: A Research Roadmap'
type: journal_article
user_id: '15249'
year: '2024'
...
---
_id: '52235'
abstract:
- lang: eng
  text: "Android applications collecting data from users must protect it according
    to the current legal frameworks. Such data protection has become even more important
    since the European Union rolled out the General Data Protection Regulation (GDPR).
    Since app developers are not legal experts, they find it difficult to write privacy-aware
    source code. Moreover, they have limited tool support to reason about data protection
    throughout their app development process.\r\nThis paper motivates the need for
    a static analysis approach to diagnose and explain data protection in Android
    apps. The analysis will recognize personal data sources in the source code, and
    aims to further examine the data flow originating from these sources. App developers
    can then address key questions about data manipulation, derived data, and the
    presence of technical measures. Despite challenges, we explore to what extent
    one can realize this analysis through static taint analysis, a common method for
    identifying security vulnerabilities. This is a first step towards designing a
    tool-based approach that aids app developers and assessors in ensuring data protection
    in Android apps, based on automated static program analysis."
author:
- first_name: Mugdha
  full_name: Khedkar, Mugdha
  id: '88024'
  last_name: Khedkar
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: 'Khedkar M, Bodden E. Toward an Android Static Analysis Approach for Data Protection.
    In: <i>Proceedings of the IEEE/ACM 11th International Conference on Mobile Software
    Engineering and Systems (MOBILESoft ’24). Association for Computing Machinery,
    New York, NY, USA, 65–68.</i> ; 2024. doi:<a href="https://doi.org/10.1145/3647632.3651389">10.1145/3647632.3651389</a>'
  apa: Khedkar, M., &#38; Bodden, E. (2024). Toward an Android Static Analysis Approach
    for Data Protection. <i>Proceedings of the IEEE/ACM 11th International Conference
    on Mobile Software Engineering and Systems (MOBILESoft ’24). Association for Computing
    Machinery, New York, NY, USA, 65–68.</i> 11th International Conference on Mobile
    Software Engineering and Systems 2024, Lisbon, Portugal. <a href="https://doi.org/10.1145/3647632.3651389">https://doi.org/10.1145/3647632.3651389</a>
  bibtex: '@inproceedings{Khedkar_Bodden_2024, title={Toward an Android Static Analysis
    Approach for Data Protection}, DOI={<a href="https://doi.org/10.1145/3647632.3651389">10.1145/3647632.3651389</a>},
    booktitle={Proceedings of the IEEE/ACM 11th International Conference on Mobile
    Software Engineering and Systems (MOBILESoft ’24). Association for Computing Machinery,
    New York, NY, USA, 65–68.}, author={Khedkar, Mugdha and Bodden, Eric}, year={2024}
    }'
  chicago: Khedkar, Mugdha, and Eric Bodden. “Toward an Android Static Analysis Approach
    for Data Protection.” In <i>Proceedings of the IEEE/ACM 11th International Conference
    on Mobile Software Engineering and Systems (MOBILESoft ’24). Association for Computing
    Machinery, New York, NY, USA, 65–68.</i>, 2024. <a href="https://doi.org/10.1145/3647632.3651389">https://doi.org/10.1145/3647632.3651389</a>.
  ieee: 'M. Khedkar and E. Bodden, “Toward an Android Static Analysis Approach for
    Data Protection,” presented at the 11th International Conference on Mobile Software
    Engineering and Systems 2024, Lisbon, Portugal, 2024, doi: <a href="https://doi.org/10.1145/3647632.3651389">10.1145/3647632.3651389</a>.'
  mla: Khedkar, Mugdha, and Eric Bodden. “Toward an Android Static Analysis Approach
    for Data Protection.” <i>Proceedings of the IEEE/ACM 11th International Conference
    on Mobile Software Engineering and Systems (MOBILESoft ’24). Association for Computing
    Machinery, New York, NY, USA, 65–68.</i>, 2024, doi:<a href="https://doi.org/10.1145/3647632.3651389">10.1145/3647632.3651389</a>.
  short: 'M. Khedkar, E. Bodden, in: Proceedings of the IEEE/ACM 11th International
    Conference on Mobile Software Engineering and Systems (MOBILESoft ’24). Association
    for Computing Machinery, New York, NY, USA, 65–68., 2024.'
conference:
  end_date: 2024-04-15
  location: Lisbon, Portugal
  name: 11th International Conference on Mobile Software Engineering and Systems 2024
  start_date: 2024-04-14
date_created: 2024-03-03T14:37:53Z
date_updated: 2026-03-04T08:11:48Z
ddc:
- '006'
department:
- _id: '76'
doi: 10.1145/3647632.3651389
external_id:
  arxiv:
  - '2402.07889'
file:
- access_level: closed
  content_type: application/pdf
  creator: khedkarm
  date_created: 2024-03-03T14:39:08Z
  date_updated: 2024-03-03T14:39:08Z
  file_id: '52236'
  file_name: 2402.07889v1.pdf
  file_size: 530812
  relation: main_file
  success: 1
file_date_updated: 2024-03-03T14:39:08Z
has_accepted_license: '1'
keyword:
- static program analysis
- data protection and privacy
- GDPR compliance
language:
- iso: eng
publication: Proceedings of the IEEE/ACM 11th International Conference on Mobile Software
  Engineering and Systems (MOBILESoft '24). Association for Computing Machinery, New
  York, NY, USA, 65–68.
status: public
title: Toward an Android Static Analysis Approach for Data Protection
type: conference
user_id: '88024'
year: '2024'
...
