{"id":"https://openalex.org/W4403918533","doi":"https://doi.org/10.1109/tse.2024.3488041","title":"A Comprehensive Study on Static Application Security Testing (SAST) Tools for Android","display_name":"A Comprehensive Study on Static Application Security Testing (SAST) Tools for Android","publication_year":2024,"publication_date":"2024-10-30","ids":{"openalex":"https://openalex.org/W4403918533","doi":"https://doi.org/10.1109/tse.2024.3488041"},"language":"en","primary_location":{"id":"doi:10.1109/tse.2024.3488041","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tse.2024.3488041","pdf_url":null,"source":{"id":"https://openalex.org/S8351582","display_name":"IEEE Transactions on Software Engineering","issn_l":"0098-5589","issn":["0098-5589","1939-3520","2326-3881"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320439","host_organization_name":"IEEE Computer Society","host_organization_lineage":["https://openalex.org/P4310320439","https://openalex.org/P4310319808"],"host_organization_lineage_names":["IEEE Computer Society","Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Software Engineering","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://ink.library.smu.edu.sg/sis_research/10331","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5059029887","display_name":"Jingyun Zhu","orcid":null},"institutions":[{"id":"https://openalex.org/I162868743","display_name":"Tianjin University","ror":"https://ror.org/012tb2g32","country_code":"CN","type":"education","lineage":["https://openalex.org/I162868743"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Jingyun Zhu","raw_affiliation_strings":["College of Intelligence and Computing, Tianjin University, Tianjin, China","College of Intelligence and Computing, Tianjin University, China"],"raw_orcid":"https://orcid.org/0009-0000-5919-6552","affiliations":[{"raw_affiliation_string":"College of Intelligence and Computing, Tianjin University, Tianjin, China","institution_ids":["https://openalex.org/I162868743"]},{"raw_affiliation_string":"College of Intelligence and Computing, Tianjin University, China","institution_ids":["https://openalex.org/I162868743"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100713124","display_name":"Kaixuan Li","orcid":"https://orcid.org/0000-0002-3517-353X"},"institutions":[{"id":"https://openalex.org/I66867065","display_name":"East China Normal University","ror":"https://ror.org/02n96ep67","country_code":"CN","type":"education","lineage":["https://openalex.org/I66867065"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Kaixuan Li","raw_affiliation_strings":["East China Normal University, Shanghai, China","East China Normal University, China"],"raw_orcid":"https://orcid.org/0000-0002-3517-353X","affiliations":[{"raw_affiliation_string":"East China Normal University, Shanghai, China","institution_ids":["https://openalex.org/I66867065"]},{"raw_affiliation_string":"East China Normal University, China","institution_ids":["https://openalex.org/I66867065"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100658276","display_name":"Sen Chen","orcid":"https://orcid.org/0000-0001-9477-4100"},"institutions":[{"id":"https://openalex.org/I162868743","display_name":"Tianjin University","ror":"https://ror.org/012tb2g32","country_code":"CN","type":"education","lineage":["https://openalex.org/I162868743"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Sen Chen","raw_affiliation_strings":["College of Intelligence and Computing, Tianjin University, Tianjin, China","College of Intelligence and Computing, Tianjin University, China"],"raw_orcid":"https://orcid.org/0000-0001-9477-4100","affiliations":[{"raw_affiliation_string":"College of Intelligence and Computing, Tianjin University, Tianjin, China","institution_ids":["https://openalex.org/I162868743"]},{"raw_affiliation_string":"College of Intelligence and Computing, Tianjin University, China","institution_ids":["https://openalex.org/I162868743"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Lingling Fan","orcid":"https://orcid.org/0000-0002-2428-9297"},"institutions":[{"id":"https://openalex.org/I205237279","display_name":"Nankai University","ror":"https://ror.org/01y1kjr75","country_code":"CN","type":"education","lineage":["https://openalex.org/I205237279"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Lingling Fan","raw_affiliation_strings":["Nankai University, Tianjin, China","Nankai University, China"],"raw_orcid":"https://orcid.org/0000-0002-2428-9297","affiliations":[{"raw_affiliation_string":"Nankai University, Tianjin, China","institution_ids":["https://openalex.org/I205237279"]},{"raw_affiliation_string":"Nankai University, China","institution_ids":["https://openalex.org/I205237279"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Junjie Wang","orcid":"https://orcid.org/0009-0002-3847-6760"},"institutions":[{"id":"https://openalex.org/I162868743","display_name":"Tianjin University","ror":"https://ror.org/012tb2g32","country_code":"CN","type":"education","lineage":["https://openalex.org/I162868743"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Junjie Wang","raw_affiliation_strings":["College of Intelligence and Computing, Tianjin University, Tianjin, China","College of Intelligence and Computing, Tianjin University, China"],"raw_orcid":"https://orcid.org/0009-0002-3847-6760","affiliations":[{"raw_affiliation_string":"College of Intelligence and Computing, Tianjin University, Tianjin, China","institution_ids":["https://openalex.org/I162868743"]},{"raw_affiliation_string":"College of Intelligence and Computing, Tianjin University, China","institution_ids":["https://openalex.org/I162868743"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5084396416","display_name":"Xiaofei Xie","orcid":"https://orcid.org/0000-0002-1288-6502"},"institutions":[{"id":"https://openalex.org/I79891267","display_name":"Singapore Management University","ror":"https://ror.org/050qmg959","country_code":"SG","type":"education","lineage":["https://openalex.org/I79891267"]}],"countries":["SG"],"is_corresponding":false,"raw_author_name":"Xiaofei Xie","raw_affiliation_strings":["Singapore Management University, Singapore"],"raw_orcid":"https://orcid.org/0000-0002-1288-6502","affiliations":[{"raw_affiliation_string":"Singapore Management University, Singapore","institution_ids":["https://openalex.org/I79891267"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":6,"corresponding_author_ids":["https://openalex.org/A5059029887"],"corresponding_institution_ids":["https://openalex.org/I162868743"],"apc_list":null,"apc_paid":null,"fwci":2.832,"has_fulltext":false,"cited_by_count":9,"citation_normalized_percentile":{"value":0.91943103,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":95,"max":99},"biblio":{"volume":"50","issue":"12","first_page":"3385","last_page":"3402"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9973999857902527,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9973999857902527,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9549999833106995,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9420999884605408,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8497745990753174},{"id":"https://openalex.org/keywords/android","display_name":"Android (operating system)","score":0.6111238598823547},{"id":"https://openalex.org/keywords/static-analysis","display_name":"Static analysis","score":0.5071697235107422},{"id":"https://openalex.org/keywords/software-engineering","display_name":"Software engineering","score":0.5004489421844482},{"id":"https://openalex.org/keywords/security-testing","display_name":"Security testing","score":0.4866214692592621},{"id":"https://openalex.org/keywords/software-testing","display_name":"Software testing","score":0.4829367995262146},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.2854989767074585},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.26665836572647095},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.220270037651062},{"id":"https://openalex.org/keywords/cloud-computing","display_name":"Cloud computing","score":0.21864104270935059},{"id":"https://openalex.org/keywords/cloud-computing-security","display_name":"Cloud computing security","score":0.17094063758850098},{"id":"https://openalex.org/keywords/security-information-and-event-management","display_name":"Security information and event management","score":0.12396401166915894}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8497745990753174},{"id":"https://openalex.org/C557433098","wikidata":"https://www.wikidata.org/wiki/Q94","display_name":"Android (operating system)","level":2,"score":0.6111238598823547},{"id":"https://openalex.org/C97686452","wikidata":"https://www.wikidata.org/wiki/Q7604153","display_name":"Static analysis","level":2,"score":0.5071697235107422},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.5004489421844482},{"id":"https://openalex.org/C195518309","wikidata":"https://www.wikidata.org/wiki/Q13424265","display_name":"Security testing","level":5,"score":0.4866214692592621},{"id":"https://openalex.org/C2984328558","wikidata":"https://www.wikidata.org/wiki/Q188522","display_name":"Software testing","level":3,"score":0.4829367995262146},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.2854989767074585},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.26665836572647095},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.220270037651062},{"id":"https://openalex.org/C79974875","wikidata":"https://www.wikidata.org/wiki/Q483639","display_name":"Cloud computing","level":2,"score":0.21864104270935059},{"id":"https://openalex.org/C184842701","wikidata":"https://www.wikidata.org/wiki/Q370563","display_name":"Cloud computing security","level":3,"score":0.17094063758850098},{"id":"https://openalex.org/C103377522","wikidata":"https://www.wikidata.org/wiki/Q3493999","display_name":"Security information and event management","level":4,"score":0.12396401166915894}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1109/tse.2024.3488041","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tse.2024.3488041","pdf_url":null,"source":{"id":"https://openalex.org/S8351582","display_name":"IEEE Transactions on Software Engineering","issn_l":"0098-5589","issn":["0098-5589","1939-3520","2326-3881"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320439","host_organization_name":"IEEE Computer Society","host_organization_lineage":["https://openalex.org/P4310320439","https://openalex.org/P4310319808"],"host_organization_lineage_names":["IEEE Computer Society","Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Software Engineering","raw_type":"journal-article"},{"id":"pmh:oai:ink.library.smu.edu.sg:sis_research-11332","is_oa":true,"landing_page_url":"https://ink.library.smu.edu.sg/sis_research/10331","pdf_url":null,"source":{"id":"https://openalex.org/S4306401925","display_name":"Singapore Management University Institutional Knowledge (InK) (Singapore Management University)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I79891267","host_organization_name":"Singapore Management University","host_organization_lineage":["https://openalex.org/I79891267"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by-nc-nd","license_id":"https://openalex.org/licenses/cc-by-nc-nd","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"https://doi.org/10.1109/TSE.2024.3488041","raw_type":"Journal Article"}],"best_oa_location":{"id":"pmh:oai:ink.library.smu.edu.sg:sis_research-11332","is_oa":true,"landing_page_url":"https://ink.library.smu.edu.sg/sis_research/10331","pdf_url":null,"source":{"id":"https://openalex.org/S4306401925","display_name":"Singapore Management University Institutional Knowledge (InK) (Singapore Management University)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I79891267","host_organization_name":"Singapore Management University","host_organization_lineage":["https://openalex.org/I79891267"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by-nc-nd","license_id":"https://openalex.org/licenses/cc-by-nc-nd","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"https://doi.org/10.1109/TSE.2024.3488041","raw_type":"Journal Article"},"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G332475328","display_name":null,"funder_award_id":"22JCYBJC01010","funder_id":"https://openalex.org/F4320323993","funder_display_name":"Natural Science Foundation of Tianjin City"},{"id":"https://openalex.org/G5022488743","display_name":null,"funder_award_id":"62102283","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G6076090489","display_name":null,"funder_award_id":"62472309","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"}],"funders":[{"id":"https://openalex.org/F4320321001","display_name":"National Natural Science Foundation of China","ror":"https://ror.org/01h0zpd94"},{"id":"https://openalex.org/F4320323993","display_name":"Natural Science Foundation of Tianjin City","ror":null}],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":24,"referenced_works":["https://openalex.org/W1975675278","https://openalex.org/W2019230987","https://openalex.org/W2045057497","https://openalex.org/W2407313496","https://openalex.org/W2535386169","https://openalex.org/W2742429299","https://openalex.org/W2796301966","https://openalex.org/W2803054784","https://openalex.org/W2811320115","https://openalex.org/W2973035781","https://openalex.org/W3003370586","https://openalex.org/W3090910431","https://openalex.org/W3200506265","https://openalex.org/W4244726870","https://openalex.org/W4245027182","https://openalex.org/W4247801608","https://openalex.org/W4285490477","https://openalex.org/W4292491372","https://openalex.org/W4313563659","https://openalex.org/W4382724811","https://openalex.org/W4389159189","https://openalex.org/W4393563263","https://openalex.org/W6696346372","https://openalex.org/W6754332104"],"related_works":["https://openalex.org/W2791662519","https://openalex.org/W4389273713","https://openalex.org/W3036603968","https://openalex.org/W2334842536","https://openalex.org/W2347608037","https://openalex.org/W2090301720","https://openalex.org/W3116842536","https://openalex.org/W2523437542","https://openalex.org/W2008194781","https://openalex.org/W2129479435"],"abstract_inverted_index":{"To":[0,90],"identify":[1],"security":[2,10],"vulnerabilities":[3],"in":[4,150,179],"Android":[5,165,213],"applications,":[6],"numerous":[7],"static":[8],"application":[9],"testing":[11],"(SAST)":[12],"tools":[13,131,245],"have":[14],"been":[15],"proposed.":[16],"However,":[17],"it":[18],"poses":[19,36],"significant":[20,148],"challenges":[21],"to":[22,73,98,140,186,202,239],"assess":[23],"their":[24],"overall":[25],"performance":[26],"on":[27,209],"diverse":[28,117],"vulnerability":[29,53,109,162,252],"types.":[30],"The":[31],"task":[32],"is":[33,78],"non-trivial":[34],"and":[35,49,64,113,128,171,226,241,259],"considerable":[37],"challenges.":[38],"Firstly,":[39],"the":[40,57,62,74,96,152,188,217,268,272],"absence":[41],"of":[42,59,81,135,155,190,197,200,212],"a":[43,79,100,133,173,194,204,236],"unified":[44,101],"evaluation":[45,218],"platform":[46,102],"for":[47,61,164,277],"defining":[48],"describing":[50],"tools\u2019":[51],"supported":[52],"types,":[54,110],"coupled":[55],"with":[56],"lack":[58],"normalization":[60],"intricate":[63],"varied":[65],"reports":[66],"generated":[67],"by":[68,123],"different":[69,278],"tools,":[70],"significantly":[71],"adds":[72],"complexity.":[75],"Secondly,":[76],"there":[77],"scarcity":[80],"adequate":[82],"benchmarks,":[83,191],"particularly":[84],"those":[85],"derived":[86],"from":[87,132,231,246],"real-world":[88],"scenarios.":[89],"address":[91],"these":[92,243],"problems,":[93],"we":[94,121,146,192,234],"are":[95],"first":[97],"propose":[99],"named":[103],"<italic":[104],"xmlns:mml=\"http://www.w3.org/1998/Math/MathML\"":[105],"xmlns:xlink=\"http://www.w3.org/1999/xlink\">VulsTotal</i>,":[106],"supporting":[107],"various":[108,247],"enabling":[111],"comprehensive":[112,237],"versatile":[114],"analysis":[115,196,238],"across":[116,182],"SAST":[118,130,166],"tools.":[119,167,184],"Specifically,":[120],"begin":[122],"meticulously":[124],"selecting":[125],"11":[126],"free":[127],"open-sourced":[129],"pool":[134],"97":[136],"existing":[137,223],"options,":[138],"adhering":[139],"clearly":[141],"defined":[142],"criteria.":[143],"After":[144],"that,":[145],"invest":[147],"efforts":[149],"comprehending":[151],"detection":[153],"rules":[154],"each":[156],"tool,":[157],"subsequently":[158],"unifying":[159],"67":[160],"general/common":[161],"types":[163],"We":[168],"also":[169],"redefine":[170],"implement":[172],"standardized":[174],"reporting":[175],"format,":[176],"ensuring":[177],"uniformity":[178],"presenting":[180],"results":[181],"all":[183],"Additionally,":[185],"mitigate":[187],"problem":[189],"conducted":[193,235],"manual":[195],"huge":[198],"amounts":[199],"CVEs":[201],"construct":[203],"new":[205],"CVE-based":[206,229],"benchmark":[207],"based":[208],"our":[210],"comprehension":[211],"app":[214],"vulnerabilities.":[215],"Leveraging":[216],"platform,":[219],"which":[220,274],"integrates":[221],"both":[222],"synthetic":[224],"benchmarks":[225,230],"newly":[227],"constructed":[228],"this":[232],"study,":[233],"evaluate":[240],"compare":[242],"selected":[244],"perspectives,":[248],"such":[249],"as":[250],"general":[251],"type":[253,255],"coverage,":[254],"consistency,":[256],"tool":[257],"effectiveness,":[258],"time":[260],"performance.":[261],"Our":[262],"observations":[263],"yielded":[264],"impressive":[265],"findings,":[266],"like":[267],"technical":[269],"reasons":[270],"underlying":[271],"performance,":[273],"provide":[275],"insights":[276],"stakeholders.":[279]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":8}],"updated_date":"2026-05-21T09:19:25.381259","created_date":"2025-10-10T00:00:00"}