
arxiv: 2604.14431 · v1 · submitted 2026-04-15 · 💻 cs.CR · cs.NI · cs.SE

AndroScanner: Automated Backend Vulnerability Detection for Android Applications

Pith reviewed 2026-05-10 12:34 UTC · model grok-4.3

classification 💻 cs.CR · cs.NI · cs.SE
keywords Android security · backend vulnerability detection · API security · static analysis · dynamic analysis · OWASP API Top 10 · zero-day vulnerability · automated vulnerability scanning

The pith

AndroScanner extracts backend APIs from Android APK files and tests them for OWASP-listed vulnerabilities.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper describes AndroScanner as a pipeline that decompiles Android apps, uses static and dynamic analysis to find backend API calls, and then fuzzes those calls to check for security problems. Mobile apps depend on server backends that can expose user data or allow unauthorized access, yet many developers have no simple way to inspect those risks before release. The authors tested the tool on a vulnerable sample bank app and a live recruitment app downloaded more than 50,000 times. It pulled 24 APIs and reported five vulnerabilities, one of them a previously unknown excessive-data-exposure flaw. The finding was shared with the app team before the paper appeared.

Core claim

AndroScanner uses apktool to unpack APKs, Androguard for static analysis, Frida-based dynamic instrumentation to observe runtime API calls, and APIFuzzer to probe the extracted endpoints against the OWASP API Security Top 10. When run on two Android applications, the pipeline extracted 24 APIs and identified 5 vulnerabilities, including a previously unreported zero-day Excessive Data Exposure vulnerability in the production application.
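APIFuzzer fuzzes from a Swagger/OpenAPI definition, so the hand-off between the extraction stage and the vetting stage is turning observed runtime calls into such a definition. The following is an added example, not code from the paper or its authors: it parses constructed hook output in an assumed JSON-lines format (method, URL, optional JSON body) into deduplicated endpoints and emits an OpenAPI 3.0 document, defaulting every parameter to a string schema because the hook records names but not types.

```python
import json
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of what a Frida hook on the app's HTTP client could log:
# one JSON record per observed request. The line format is an assumption,
# not the trace format AndroScanner itself produces.
CAPTURED_CALLS = [
    '{"method": "POST", "url": "https://bank.example.test/api/changepassword?user=alice",'
    ' "body": {"newpassword": "x"}}',
    '{"method": "GET", "url": "https://bank.example.test/api/balance?user=alice"}',
    '{"method": "get", "url": "https://bank.example.test/api/balance?user=bob"}',
    'open() called with /data/data/bank/files/cache',  # hook noise, not a request
]


def parse_captured(lines):
    """Reduce hook output to (method, server, path, query keys, body keys) tuples."""
    calls = []
    for line in lines:
        # A real trace mixes request records with other hook output, so skip
        # anything that is not a well-formed request instead of aborting.
        try:
            rec = json.loads(line)
            parts = urlsplit(rec["url"])
            method = rec["method"].upper()
        except (ValueError, KeyError, TypeError):
            continue
        if parts.scheme not in ("http", "https") or not parts.netloc:
            continue
        query = tuple(sorted({k for k, _ in parse_qsl(parts.query)}))
        body = rec.get("body")
        body_keys = tuple(sorted(body)) if isinstance(body, dict) else ()
        calls.append((method, f"{parts.scheme}://{parts.netloc}", parts.path, query, body_keys))
    return calls


def build_openapi(calls):
    """Merge calls into one OpenAPI 3.0 document, one operation per method and path."""
    paths = {}
    for method, _, path, query, body_keys in calls:
        op = paths.setdefault(path, {}).setdefault(method.lower(), {
            "parameters": [], "responses": {"200": {"description": "observed at runtime"}}})
        # Union the parameter names seen across repeated captures of one endpoint,
        # so the fuzzer is told about every field the app is known to send.
        known = {p["name"] for p in op["parameters"]}
        op["parameters"] += [{"name": q, "in": "query", "required": True,
                              "schema": {"type": "string"}} for q in query if q not in known]
        if body_keys:
            schema = op.setdefault("requestBody", {"content": {"application/json": {
                "schema": {"type": "object", "properties": {}}}}})
            schema["content"]["application/json"]["schema"]["properties"].update(
                {k: {"type": "string"} for k in body_keys})
    return {"openapi": "3.0.0", "info": {"title": "extracted backend APIs", "version": "1"},
            "servers": [{"url": s} for s in sorted({c[1] for c in calls})], "paths": paths}
```

Writing `build_openapi(parse_captured(lines))` to a file gives APIFuzzer a definition whose operations are exactly the endpoints the app was seen to call, which is also a convenient place to count the distinct APIs a run extracted.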

What carries the argument

The AndroScanner pipeline that combines APK decompilation, static analysis, Frida dynamic instrumentation to discover backend APIs, and subsequent fuzzing to test them for OWASP API security issues.

If this is right

  • AndroScanner extracted 24 backend APIs across the two evaluated applications.
  • The pipeline identified five vulnerabilities consistent with the OWASP API Security Top 10.
  • One vulnerability was a new zero-day Excessive Data Exposure issue in the production recruitment application.
  • The zero-day vulnerability was responsibly disclosed to the development team before publication.
  • The tool is offered to developers for scanning their own applications prior to deployment.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • If the extraction and detection steps hold across a wider set of apps, developers could add automated backend checks to their build pipelines.
  • Routine use of such scanning might lower the incidence of data-exposure problems that reach users of popular Android apps.
  • The same static-plus-dynamic approach could be extended to other mobile platforms that communicate with remote backends.

Load-bearing premise

That apktool, Androguard, Frida instrumentation, and APIFuzzer together extract all relevant backend APIs and correctly flag real vulnerabilities without large numbers of false positives or missed problems.

What would settle it

Running AndroScanner on an app with a documented backend vulnerability and observing that the tool either fails to extract the relevant API or fails to report the known issue.

Figures

Figures reproduced from arXiv: 2604.14431 by Harini Dandu.

Figure 1. Workflow of AndroScanner.
Figure 2. Extracting API calls in AndroScanner by running Frida trace.
Figure 3. An example of a Frida hook in JavaScript.
Figure 4. Extracting the changepassword API call in the bank application.
Figure 5. Vulnerability reported by APIFuzzer for changepassword.
Figure 6. Comparison of extracted APIs for the bank and recruitment applications.
Original abstract

Mobile applications rely on complex backends that introduce significant security risks, yet developers often lack the tools to assess these risks effectively. This paper presents AndroScanner, an automated pipeline for detecting vulnerabilities in Android application backends through combined static and dynamic analysis. AndroScanner extracts backend API calls from APK files using apktool, Androguard, and Frida-based dynamic instrumentation, then vets them against the OWASP API Security Top 10 using APIFuzzer. We evaluate AndroScanner on two Android applications: a purposely vulnerable bank application and a production recruitment application with over 50,000 downloads on Google Play Store. Across both applications, AndroScanner extracted 24 APIs and identified 5 vulnerabilities, including a previously unreported zero-day Excessive Data Exposure vulnerability (ranked 3rd in the OWASP API Security Top 10) in the production application. The vulnerability was responsibly disclosed to the development team prior to publication. AndroScanner is available upon request to assist developers in identifying and remediating backend security risks before deployment.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 2 minor

Summary. The paper presents AndroScanner, an automated pipeline combining static analysis (apktool and Androguard), dynamic instrumentation (Frida), and APIFuzzer to extract backend API calls from Android APKs and detect vulnerabilities against the OWASP API Security Top 10. Evaluation on two applications—a purposely vulnerable bank app and a production recruitment app (>50k downloads)—reports extraction of 24 APIs and identification of 5 vulnerabilities, including a zero-day Excessive Data Exposure issue in the production app that was responsibly disclosed.

Significance. If the pipeline's outputs prove reliable with low false positives, AndroScanner could offer a practical automated aid for developers to surface backend API risks in Android apps, filling a gap between static APK analysis and backend security testing. The responsible disclosure of a real zero-day in a deployed app and the tool's availability upon request are concrete strengths demonstrating potential utility.

major comments (3)
  1. [§5] Evaluation: The headline results (24 APIs extracted, 5 vulnerabilities found including a zero-day) rest on unvalidated tool outputs with no reported precision, recall, false-positive rate, or ground-truth comparison even on the intentionally vulnerable bank application. This directly weakens the central claim that the combined pipeline reliably identifies real vulnerabilities.
  2. [§5] No description is given of how APIFuzzer alerts were triaged or manually verified for the production application, nor of coverage gaps (e.g., obfuscated code, non-HTTP backends, or authentication flows). The zero-day claim therefore lacks reproducible evidence that the tool did not miss or hallucinate issues.
  3. [§3–4] Design and Implementation: The manuscript asserts that apktool + Androguard + Frida-based instrumentation accurately extracts all relevant backend APIs, yet provides no quantitative validation or ablation study of this extraction step against any reference set of APIs.
minor comments (2)
  1. [Abstract and §5] The abstract and §5 use the phrase 'vets them against' without clarifying the exact matching or scoring procedure inside APIFuzzer; a short pseudocode or decision rule would improve clarity.
  2. [§5] No table or appendix lists the 24 extracted APIs or the 5 vulnerabilities with their OWASP mappings and confirmation status; adding one would make the results more transparent.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive and detailed feedback. The comments correctly identify gaps in validation and reproducibility that we will address through revisions to strengthen the manuscript. We respond point by point to the major comments below.

Point-by-point responses
  1. Referee: [§5] Evaluation: The headline results (24 APIs extracted, 5 vulnerabilities found including a zero-day) rest on unvalidated tool outputs with no reported precision, recall, false-positive rate, or ground-truth comparison even on the intentionally vulnerable bank application. This directly weakens the central claim that the combined pipeline reliably identifies real vulnerabilities.

    Authors: We agree that the original evaluation section lacks quantitative performance metrics. Although the bank application is intentionally vulnerable and its outputs were manually inspected against known issues, we did not report precision, recall, or false-positive rates. We will revise §5 to include a ground-truth comparison for the bank app, with explicit metrics for both API extraction and vulnerability detection, plus a clear statement of observed false positives. revision: yes

  2. Referee: [§5] No description is given of how APIFuzzer alerts were triaged or manually verified for the production application, nor of coverage gaps (e.g., obfuscated code, non-HTTP backends, or authentication flows). The zero-day claim therefore lacks reproducible evidence that the tool did not miss or hallucinate issues.

    Authors: We will expand §5 to describe the triage and manual verification process used for APIFuzzer alerts on the production app. This will include the steps taken to confirm the Excessive Data Exposure zero-day and its responsible disclosure (with developer acknowledgment). We will also add an explicit discussion of coverage limitations, such as obfuscated code, non-HTTP backends, and authentication flows. revision: yes

  3. Referee: [§3–4] Design and Implementation: The manuscript asserts that apktool + Androguard + Frida-based instrumentation accurately extracts all relevant backend APIs, yet provides no quantitative validation or ablation study of this extraction step against any reference set of APIs.

    Authors: The pipeline intentionally combines static and dynamic analysis to capture both declared and runtime API calls. We acknowledge the absence of an ablation study. In the revised manuscript we will add an ablation experiment on the bank application that quantifies the additional APIs discovered by the Frida dynamic step versus static analysis alone. revision: yes

Circularity Check

0 steps flagged

No circularity: tool pipeline and case-study results are self-contained empirical outputs

Full rationale

The paper describes a composite pipeline (apktool + Androguard + Frida + APIFuzzer) that extracts backend API endpoints from APKs and checks them against the external OWASP API Security Top 10 list. It then reports concrete counts (24 APIs extracted, 5 vulnerabilities found) from two specific applications. No equations, fitted parameters, or derived predictions appear; the central claims are direct tool outputs rather than reductions of those outputs to themselves. No self-citations are invoked to justify uniqueness or load-bearing premises. The evaluation is therefore independent of any internal circular construction.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 0 invented entities

The central claim rests on the assumption that standard reverse-engineering and fuzzing tools function correctly for API extraction and vulnerability detection in this context.

axioms (1)
  • Domain assumption: apktool, Androguard, Frida, and APIFuzzer correctly and completely extract and test backend API calls for OWASP vulnerabilities.
    The pipeline depends on these tools operating without extraction errors or testing inaccuracies.


