Since the appearance of the Apple App Store, the software engineering community has had a huge repository of untapped data to analyse. Although this data is compiled code (for source code we already have some projects mining open source repositories), there are some interesting possibilities that, until now, nobody was exploring:

  • Library adoption: identify and track which libraries are currently being used by applications.
  • Software programming best practices: checking for the use of unsupported APIs or unsafe idioms (fairly common in C/Objective-C).
  • Checking for Intellectual Property issues: such as including non-licensed content.
  • Security analysis: passwords embedded in the code or downright crazy insecure programming practices.
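As an added illustration (not code from the original post, nor Amazon's own analysis), here is a small Python triage pass over a constructed stand-in for a compiled app binary that covers three of the items above: linked libraries, unsafe C string APIs, and credential-like strings. The sample bytes, the unsafe-API list and the secret pattern are assumptions made for the demonstration.

```python
import re
from typing import Dict, List

# Constructed stand-in for an app binary. In a real Mach-O these strings would
# live in the load commands, the symbol table and the __cstring section.
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe\x07\x00\x00\x01"                 # MH_MAGIC_64, little-endian
    b"/usr/lib/libsqlite3.dylib\x00"                    # linked system library
    b"@rpath/AFNetworking.framework/AFNetworking\x00"   # third-party framework
    b"_strcpy\x00_sprintf\x00_objc_msgSend\x00_gets\x00"  # imported symbols
    b"api_key=AKIAEXAMPLEEXAMPLE00\x00"                 # constructed, not a real key
    b"password=hunter2\x00"
    b"Settings\x00OK\x00\xff\xfe\x00\x00"
)

# Assumed list of C APIs worth flagging because they write without a bound.
UNSAFE_APIS = {"strcpy", "strcat", "sprintf", "vsprintf", "gets"}

# Assumed heuristic: a key containing a credential-ish word, then '=' or ':', then a value.
SECRET_PATTERN = re.compile(
    r"^(?P<key>[A-Za-z_]*(pass(word)?|secret|token|api_?key)[A-Za-z_]*)\s*[=:]\s*\S{4,}$",
    re.IGNORECASE,
)


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Same idea as the `strings` tool: runs of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def analyse(blob: bytes) -> Dict[str, object]:
    """Classify the binary's strings into the categories the post lists."""
    report: Dict[str, object] = {"format": "unknown", "libraries": [], "unsafe_apis": [], "secrets": []}
    if blob[:4] in (b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"):   # MH_MAGIC / MH_MAGIC_64
        report["format"] = "Mach-O"
    for s in extract_strings(blob):
        if s.endswith(".dylib") or ".framework/" in s:
            report["libraries"].append(s)
        elif s.lstrip("_") in UNSAFE_APIS:          # Darwin C symbols carry a leading underscore
            report["unsafe_apis"].append(s.lstrip("_"))
        elif (m := SECRET_PATTERN.match(s)) is not None:
            report["secrets"].append(m.group("key"))  # report the key name only, never the value
    return report


if __name__ == "__main__":
    print(analyse(SAMPLE_BINARY))
```

Running the same pass over the `__cstring` and symbol sections of a real binary (after parsing the Mach-O load commands) gives far fewer false positives than scanning the whole file.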

Of course this level of detail requires an advanced understanding of low-level analysis techniques, but we already have the techniques to mine all this data and extract the useful information.

I said ‘until now’ because, after reading “Amazon Is Downloading Apps From Google Play and Inspecting Them”, we see that Amazon is tapping this huge pool of applications to check for good security practices.

Of course this kind of technique should be applied in the publishing phase of the application, but because currently no app store does this level of analysis during publication, the first case of binary analysis has been done by Amazon (a platform provider) to ensure proper use of its API.

Personally, I want to congratulate Amazon for its interest in improving the security of its platform (and of its users) by doing binary analysis of the applications.