{"id":"https://openalex.org/W4417130940","doi":"https://doi.org/10.1109/jiot.2025.3641441","title":"A Systematic Literature Review on Vulnerability Detection Approaches for IoT Mobile Applications","display_name":"A Systematic Literature Review on Vulnerability Detection Approaches for IoT Mobile Applications","publication_year":2025,"publication_date":"2025-12-08","ids":{"openalex":"https://openalex.org/W4417130940","doi":"https://doi.org/10.1109/jiot.2025.3641441"},"language":null,"primary_location":{"id":"doi:10.1109/jiot.2025.3641441","is_oa":false,"landing_page_url":"https://doi.org/10.1109/jiot.2025.3641441","pdf_url":null,"source":{"id":"https://openalex.org/S2480266640","display_name":"IEEE Internet of Things Journal","issn_l":"2327-4662","issn":["2327-4662","2372-2541"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Internet of Things Journal","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5092602284","display_name":"Meyo Zongo","orcid":"https://orcid.org/0000-0001-9633-4758"},"institutions":[{"id":"https://openalex.org/I60158472","display_name":"Concordia University","ror":"https://ror.org/0420zvk78","country_code":"CA","type":"education","lineage":["https://openalex.org/I60158472"]}],"countries":["CA"],"is_corresponding":true,"raw_author_name":"Zongo Meyo","raw_affiliation_strings":["Department of Computer Science and Software Engineering, Concordia University, Montreal, QC, Canada","Department of Computer Science and Software Engineering, Concordia University, Montr&#x00E9;al, Canada"],"affiliations":[{"raw_affiliation_string":"Department of Computer Science and Software Engineering, Concordia University, Montreal, QC, Canada","institution_ids":["https://openalex.org/I60158472"]},{"raw_affiliation_string":"Department of Computer Science and Software Engineering, Concordia University, Montr&#x00E9;al, Canada","institution_ids":["https://openalex.org/I60158472"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5052508987","display_name":"Rodrigo Morales","orcid":"https://orcid.org/0000-0001-7766-5770"},"institutions":[{"id":"https://openalex.org/I60158472","display_name":"Concordia University","ror":"https://ror.org/0420zvk78","country_code":"CA","type":"education","lineage":["https://openalex.org/I60158472"]},{"id":"https://openalex.org/I97750245","display_name":"Software (Spain)","ror":"https://ror.org/02ethns06","country_code":"ES","type":"company","lineage":["https://openalex.org/I4210087817","https://openalex.org/I97750245"]}],"countries":["CA","ES"],"is_corresponding":false,"raw_author_name":"Rodrigo Morales Alvarado","raw_affiliation_strings":["Department of Computer Science and Software Engineering, Concordia University, Montreal, QC, Canada","Department of Computer Science and Software Engineering, Montr&#x00E9;al, Canada"],"affiliations":[{"raw_affiliation_string":"Department of Computer Science and Software Engineering, Concordia University, Montreal, QC, Canada","institution_ids":["https://openalex.org/I60158472"]},{"raw_affiliation_string":"Department of Computer Science and Software Engineering, Montr&#x00E9;al, Canada","institution_ids":["https://openalex.org/I97750245"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5030357891","display_name":"Ildik\u00f3 Pete","orcid":null},"institutions":[{"id":"https://openalex.org/I4210086658","display_name":"Z\u00fcrich Airport (Switzerland)","ror":"https://ror.org/002g3kz75","country_code":"CH","type":"company","lineage":["https://openalex.org/I4210086658"]},{"id":"https://openalex.org/I4210110659","display_name":"Z\u00fcrcher Fachhochschule","ror":"https://ror.org/01sxmzj91","country_code":"CH","type":"education","lineage":["https://openalex.org/I4210110659"]}],"countries":["CH"],"is_corresponding":false,"raw_author_name":"Ildiko Pete","raw_affiliation_strings":["resides, Z&#xFC;rich, Switzerland","independent researcher, Zurick, Switzerland"],"affiliations":[{"raw_affiliation_string":"resides, Z&#xFC;rich, Switzerland","institution_ids":["https://openalex.org/I4210086658"]},{"raw_affiliation_string":"independent researcher, Zurick, Switzerland","institution_ids":["https://openalex.org/I4210110659"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5048594006","display_name":"Yann\u2010Ga\u00ebl Gu\u00e9h\u00e9neuc","orcid":"https://orcid.org/0000-0002-4361-2563"},"institutions":[{"id":"https://openalex.org/I60158472","display_name":"Concordia University","ror":"https://ror.org/0420zvk78","country_code":"CA","type":"education","lineage":["https://openalex.org/I60158472"]},{"id":"https://openalex.org/I97750245","display_name":"Software (Spain)","ror":"https://ror.org/02ethns06","country_code":"ES","type":"company","lineage":["https://openalex.org/I4210087817","https://openalex.org/I97750245"]}],"countries":["CA","ES"],"is_corresponding":false,"raw_author_name":"Yann-Ga\u00ebl Gu\u00e9h\u00e9neuc","raw_affiliation_strings":["Department of Computer Science and Software Engineering, Concordia University, Montreal, QC, Canada","Department of Computer Science and Software Engineering, Montr&#x00E9;al, Canada"],"affiliations":[{"raw_affiliation_string":"Department of Computer Science and Software Engineering, Concordia University, Montreal, QC, Canada","institution_ids":["https://openalex.org/I60158472"]},{"raw_affiliation_string":"Department of Computer Science and Software Engineering, Montr&#x00E9;al, Canada","institution_ids":["https://openalex.org/I97750245"]}]}],"institutions":[],"countries_distinct_count":3,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5092602284"],"corresponding_institution_ids":["https://openalex.org/I60158472"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.47648093,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":"13","issue":"3","first_page":"3965","last_page":"3987"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.3073999881744385,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.3073999881744385,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.30559998750686646,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.12479999661445618,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.5976999998092651},{"id":"https://openalex.org/keywords/systematic-review","display_name":"Systematic review","score":0.5612999796867371},{"id":"https://openalex.org/keywords/identification","display_name":"Identification (biology)","score":0.49779999256134033},{"id":"https://openalex.org/keywords/vulnerability-assessment","display_name":"Vulnerability assessment","score":0.47040000557899475},{"id":"https://openalex.org/keywords/mobile-device","display_name":"Mobile device","score":0.4584999978542328},{"id":"https://openalex.org/keywords/strengths-and-weaknesses","display_name":"Strengths and weaknesses","score":0.43050000071525574},{"id":"https://openalex.org/keywords/mobile-computing","display_name":"Mobile computing","score":0.4244999885559082},{"id":"https://openalex.org/keywords/internet-of-things","display_name":"Internet of Things","score":0.4018000066280365}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8492000102996826},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.5976999998092651},{"id":"https://openalex.org/C189708586","wikidata":"https://www.wikidata.org/wiki/Q1504425","display_name":"Systematic review","level":3,"score":0.5612999796867371},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5293999910354614},{"id":"https://openalex.org/C116834253","wikidata":"https://www.wikidata.org/wiki/Q2039217","display_name":"Identification (biology)","level":2,"score":0.49779999256134033},{"id":"https://openalex.org/C2522767166","wikidata":"https://www.wikidata.org/wiki/Q2374463","display_name":"Data science","level":1,"score":0.48249998688697815},{"id":"https://openalex.org/C167063184","wikidata":"https://www.wikidata.org/wiki/Q1400839","display_name":"Vulnerability assessment","level":3,"score":0.47040000557899475},{"id":"https://openalex.org/C186967261","wikidata":"https://www.wikidata.org/wiki/Q5082128","display_name":"Mobile device","level":2,"score":0.4584999978542328},{"id":"https://openalex.org/C63882131","wikidata":"https://www.wikidata.org/wiki/Q17122954","display_name":"Strengths and weaknesses","level":2,"score":0.43050000071525574},{"id":"https://openalex.org/C144543869","wikidata":"https://www.wikidata.org/wiki/Q2738570","display_name":"Mobile computing","level":2,"score":0.4244999885559082},{"id":"https://openalex.org/C81860439","wikidata":"https://www.wikidata.org/wiki/Q251212","display_name":"Internet of Things","level":2,"score":0.4018000066280365},{"id":"https://openalex.org/C172776598","wikidata":"https://www.wikidata.org/wiki/Q7943570","display_name":"Vulnerability management","level":4,"score":0.35530000925064087},{"id":"https://openalex.org/C110875604","wikidata":"https://www.wikidata.org/wiki/Q75","display_name":"The Internet","level":2,"score":0.3427000045776367},{"id":"https://openalex.org/C77109596","wikidata":"https://www.wikidata.org/wiki/Q4781497","display_name":"Application security","level":5,"score":0.33230000734329224},{"id":"https://openalex.org/C120936955","wikidata":"https://www.wikidata.org/wiki/Q2155640","display_name":"Empirical research","level":2,"score":0.3125},{"id":"https://openalex.org/C527648132","wikidata":"https://www.wikidata.org/wiki/Q189900","display_name":"Information security","level":2,"score":0.30979999899864197},{"id":"https://openalex.org/C184356942","wikidata":"https://www.wikidata.org/wiki/Q830382","display_name":"Best practice","level":2,"score":0.296099990606308},{"id":"https://openalex.org/C2778464652","wikidata":"https://www.wikidata.org/wiki/Q309849","display_name":"Open research","level":2,"score":0.2937999963760376},{"id":"https://openalex.org/C10511746","wikidata":"https://www.wikidata.org/wiki/Q899388","display_name":"Data security","level":3,"score":0.2750999927520752},{"id":"https://openalex.org/C95491727","wikidata":"https://www.wikidata.org/wiki/Q992968","display_name":"Mobile telephony","level":3,"score":0.26820001006126404},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.2574999928474426},{"id":"https://openalex.org/C105339364","wikidata":"https://www.wikidata.org/wiki/Q2297740","display_name":"Software deployment","level":2,"score":0.25589999556541443},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.2547000050544739},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.2540999948978424}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/jiot.2025.3641441","is_oa":false,"landing_page_url":"https://doi.org/10.1109/jiot.2025.3641441","pdf_url":null,"source":{"id":"https://openalex.org/S2480266640","display_name":"IEEE Internet of Things Journal","issn_l":"2327-4662","issn":["2327-4662","2372-2541"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Internet of Things Journal","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":42,"referenced_works":["https://openalex.org/W1575539335","https://openalex.org/W1988036170","https://openalex.org/W2083755826","https://openalex.org/W2106956101","https://openalex.org/W2274307588","https://openalex.org/W2508433864","https://openalex.org/W2774305472","https://openalex.org/W2788819230","https://openalex.org/W2789983203","https://openalex.org/W2790835090","https://openalex.org/W2791018263","https://openalex.org/W2803054784","https://openalex.org/W2806069482","https://openalex.org/W2886354130","https://openalex.org/W2890559797","https://openalex.org/W2898545807","https://openalex.org/W2912255229","https://openalex.org/W2943456024","https://openalex.org/W2974058390","https://openalex.org/W2983028905","https://openalex.org/W2984855628","https://openalex.org/W2997600417","https://openalex.org/W3005115843","https://openalex.org/W3007249573","https://openalex.org/W3014420343","https://openalex.org/W3097816029","https://openalex.org/W3109519143","https://openalex.org/W3155102819","https://openalex.org/W4206245961","https://openalex.org/W4220682970","https://openalex.org/W4223462666","https://openalex.org/W4282042624","https://openalex.org/W4285048570","https://openalex.org/W4308089080","https://openalex.org/W4308408710","https://openalex.org/W4383221413","https://openalex.org/W4386041582","https://openalex.org/W4392359842","https://openalex.org/W4400062199","https://openalex.org/W4400121209","https://openalex.org/W4401809447","https://openalex.org/W4403606026"],"related_works":[],"abstract_inverted_index":{"Internet":[0],"of":[1,122,142,198,213,252,263],"Things":[2],"(IoT)":[3],"systems":[4,40],"are":[5,94],"pervasive":[6],"and":[7,31,37,59,62,99,130,133,172,181,186,231,242,255,272,279],"increasingly":[8],"managed":[9],"through":[10],"mobile":[11,16,84,115],"applications.":[12],"However,":[13],"poorly":[14],"designed":[15],"applications":[17,80],"can":[18],"expose":[19],"sensitive":[20],"information":[21],"to":[22,33,239,275],"external":[23],"adversaries.":[24],"Mitigating":[25],"such":[26,51],"vulnerabilities":[27,103,148],"requires":[28],"both":[29],"developers":[30,241],"researchers":[32],"apply":[34],"well-established":[35],"practices":[36],"design":[38],"secure":[39,253],"based":[41,138],"on":[42,88,139],"clearly":[43],"defined":[44],"approaches":[45],"for":[46,73,113,145],"vulnerability":[47],"detection.":[48],"Although":[49],"databases":[50],"as":[52],"Open":[53],"Worldwide":[54],"Application":[55],"Security":[56],"Project":[57],"(OWASP)":[58],"Common":[60],"Vulnerabilities":[61],"Exposures":[63],"(CVE)":[64],"catalog":[65],"known":[66],"IoT":[67,78,83,114],"vulnerabilities,":[68,201],"no":[69],"standardised":[70],"methodology":[71],"exists":[72],"detecting":[74,146],"security":[75,102,147,200],"weaknesses":[76],"in":[77,104,149,206,244,269,286],"Mobile":[79],"(IoTMas)":[81],"during":[82],"application":[85],"development.":[86],"Building":[87],"prior":[89],"research,":[90],"our":[91],"research":[92,191,267],"objectives":[93],"to:":[95],"(1)":[96,196],"identify,":[97],"classify,":[98],"prioritize":[100],"critical":[101,203],"IoTMAs,":[105],"(2)":[106,211],"survey":[107],"existing":[108,123,143,270,277],"Vulnerability":[109],"Detection":[110],"Approaches":[111],"(VDAs)":[112],"applications,":[116],"(3)":[117,217],"critically":[118],"evaluate":[119],"the":[120,140,182,250],"effectiveness":[121,220],"VDAs":[124,219],"by":[125],"analyzing":[126],"their":[127],"evaluation":[128,221],"methodologies":[129],"dataset":[131],"validation,":[132],"(4)":[134,237],"formulate":[135],"evidence-based":[136],"recommendations":[137,238,274],"limitations":[141],"methods":[144],"IoTMAs.":[150],"We":[151],"performed":[152],"a":[153],"systematic":[154],"literature":[155],"review":[156],"(SLR)":[157],"from":[158,167],"selected":[159],"primary":[160],"studies":[161],"(PSs).":[162],"From":[163],"856":[164],"papers":[165],"retrieved":[166],"six":[168],"academic":[169],"databases\u2014Scopus,":[170],"Springer,":[171],"Engineering":[173],"Village,":[174],"which":[175],"hosts":[176],"Compendex":[177],"(covering":[178],"IEEE":[179],"Xplore":[180],"ACM":[183],"Digital":[184],"Library),":[185],"Inspec":[187],"(IET)\u2014we":[188],"reviewed":[189],"39":[190],"papers.":[192],"Our":[193,259],"findings":[194],"include:":[195],"identification":[197],"52":[199],"eight":[202],"(i.e,":[204],"reported":[205],"at":[207],"least":[208],"four":[209],"studies);":[210],"discovery":[212],"seven":[214],"distinct":[215],"VDAs;":[216],"comprehensive":[218],"using":[222],"empirical":[223],"metrics,":[224],"accuracy":[225],"assessments,":[226],"reproducibility":[227],"analysis,":[228],"comparative":[229],"studies,":[230],"validation":[232],"across":[233],"diverse":[234],"IoTMAs":[235,254],"marketplaces;":[236],"guide":[240,280],"practitioners":[243],"selecting":[245],"appropriate":[246],"VDAs,":[247,265],"thereby":[248],"supporting":[249,283],"development":[251],"enhanced":[256],"penetration":[257],"testing.":[258],"study":[260],"raises":[261],"awareness":[262],"state-of-the-art":[264],"identifies":[266],"gaps":[268],"approaches,":[271],"provides":[273],"enhance":[276],"techniques":[278],"new":[281],"development,":[282],"software":[284],"engineers":[285],"making":[287],"informed":[288],"technique":[289],"selection":[290],"decisions.":[291]},"counts_by_year":[],"updated_date":"2026-03-27T05:58:40.876381","created_date":"2025-12-08T00:00:00"}