SACH is an educational tool that helps students learn about vulnerabilities in Android programs. SACH uses 9 rules published by the Computer Emergency Readiness Team (CERT) that cover security vulnerabilities in Android programs, ranging from coding practices to protecting sensitive data. CERT developed a set of secure coding rules, published by the Software Engineering Institute at Carnegie Mellon University, to help Android developers identify vulnerabilities in their code. The 9 rules SACH uses are:

1. (DRD01-J) Limit the accessibility of an app's sensitive content provider.
2. (DRD02-J) Do not allow WebView to access sensitive local resource through file scheme.
3. (DRD03-J) Do not broadcast sensitive information using an implicit intent.
4. (DRD04-J) Do not log sensitive information.
5. (DRD08-J) Always canonicalize a URL received by a content provider.
6. (DRD09-J) Restrict access to sensitive activities.
7. (DRD10-J) Do not release apps that are debuggable.
8. (DRD15-J) Consider privacy concerns when using Geolocation API.
9. (DRD19-J) Properly verify server certificate on SSL/TLS.

The current SACH tool was not developed with accessibility in mind. It does not account for visual, auditory or ambulatory disabilities. For example, it isn't fully compatible with screen readers, nor are the colors uniquely selected for the visually impaired. It also is not fully accessible with either a keyboard or mouse for those with ambulatory disability.

the introduction interface for the previous SACH tool. This screen displays an introduction to the functionality of SACH. There is also a tab that allows the user to access tools to begin the scan. Figure 2 shows a result table after SACH analyzes an Android project. This table has two columns. The first column shows the name of the application. The second column shows the corresponding error code.
The user can press the Details button to see more informati

TOOLS FOR ACCESSIBILITY

We leveraged several tools to discover accessibility issues within SACH. These include Color Oracle, screen readers, and Microsoft Office.

a. Color Oracle - a color blindness simulator for Mac, Windows and Linux. Color Oracle applies a full-screen filter in order to simulate the 3 types of color blindness, which are Deuteranopia, Protanopia, and Tritanopia. Figure 3 shows how the user can specify the type of color blindness to simulate.
Jaws Screen Reader – a paid screen reading app that was not used in this project but is an alternative to Narrator for Windows. Jaws Screen Reader does not come pre-installed on Windows.

f. Microsoft Office – All Microsoft Office applications are equipped with an accessibility checker tool that finds accessibility issues in Word documents (Figure 6), Outlook emails, PowerPoint presentations and Excel spreadsheets. The accessibility checker indicates an error if the document includes content that is very hard for people with disabilities to comprehend. The tool indicates a warning if the document contains content that might be challenging for people to understand. The tool gives tips on content that is good but could be better.

Keyboard Shortcuts

The redesign of SACH includes a keyboard shortcut for each button/tab on the tool that allows users to fully navigate SACH with only a keyboard. Figure 7 shows the Analyze Code screen where users select different files used to run the vulnerability test. This screen has been redesigned to have a keyboard shortcut associated with each function. The figure shows the redesigned interface for selecting the needed files.

SACH uses colors to display the various vulnerabilities that an application has. The goal is to make sure these colors are distinct and visible to people with color blindness. Using Color Oracle, a color blindness simulator, we can simulate color blindness to make sure the colors are distinct. Figure 8a shows the color scheme of the original SACH tool. We use Color Oracle to simulate Deuteranopia vision. As seen in Figure 8b, the red and green are identical for a person with Deuteranopia vision.
This paper describes an improved version of SACH, a tool implemented to help Android developers write more secure code. SACH crawls through the Android code and uses a list of secure Android coding techniques to scan for vulnerabilities. The improved version mainly focuses on making the SACH tool more accessible to users with auditory, visual and ambulatory disabilities.

Keyboard shortcuts were added for every function (buttons, tabs, etc.) to make SACH more accessible to users with ambulatory disabilities. We utilized Color Oracle to test and make changes to the SACH color scheme to ensure the colors are distinctly visible to users with deuteranopia, protanopia, and tritanopia color blindness. Changes were made to all SACH windows and dialog boxes to ensure screen readers were able to capture and sound out all pertinent text back to the user. Thus, users with visual, auditory, and ambulatory disabilities can now access all the functionalities that the SACH tool provides.

Future work includes testing the accessibility on Linux and redesigning the GUI using more current technology (e.g. Swift, C#) to make SACH more user friendly. This ensures that the application is running at its best capacity on all operating systems.
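To make the rule-based scan described above concrete, here is an added example (not SACH's own code) that checks an AndroidManifest.xml for three of the listed rules that are visible at manifest level: DRD10-J, DRD01-J and DRD09-J. The sample manifest, the function names and the (component, rule ID) result shape are assumptions chosen for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest for illustration (not from SACH or a real app).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:debuggable="true">
    <provider android:name=".NotesProvider"
              android:authorities="com.example.demo.notes"
              android:exported="true"/>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="true"/>
    <activity android:name=".InternalActivity" android:exported="false"/>
  </application>
</manifest>"""


def attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get(ANDROID_NS + name)


def scan_manifest(xml_text):
    """Return (component, rule_id) pairs, mirroring a two-column result table."""
    app = ET.fromstring(xml_text).find("application")
    findings = []
    if app is None:
        return findings
    # DRD10-J: a release build must not be debuggable.
    if attr(app, "debuggable") == "true":
        findings.append(("application", "DRD10-J"))
    # DRD01-J: a provider reachable by other apps without any permission.
    # A missing android:exported is flagged too, because providers were
    # exported by default when the app targets API level 16 or lower.
    for provider in app.iter("provider"):
        perms = ("permission", "readPermission", "writePermission")
        guarded = any(attr(provider, p) for p in perms)
        if attr(provider, "exported") != "false" and not guarded:
            findings.append((attr(provider, "name"), "DRD01-J"))
    # DRD09-J: exported activities without a permission; the MAIN entry
    # point is skipped because it has to be exported to be launched.
    for activity in app.iter("activity"):
        actions = [attr(a, "name") for a in activity.iter("action")]
        if "android.intent.action.MAIN" in actions:
            continue
        if attr(activity, "exported") == "true" and not attr(activity, "permission"):
            findings.append((attr(activity, "name"), "DRD09-J"))
    return findings
```

The remaining rules in the list (for example DRD04-J on logging or DRD19-J on certificate verification) concern application code rather than the manifest and need source-level analysis.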