Abstract:
Identifying security flaws and distinguishing non-susceptible code from vulnerable
code is a difficult undertaking. Security flaws are usually inert until
they are exploited. Software metrics have been widely utilized to forecast and
signal a variety of software quality features. We investigate static code metrics
and behavioral code metrics, their correlation, and their association with
security vulnerabilities in Android applications. The aim of the study is to
understand: (i) how static software metrics compare with behavioral code
metrics; (ii) the ability of these metrics to predict security vulnerabilities;
and (iii) which static code metrics and behavioral code metrics are strongly
correlated. From our study, we have found that even though static code metrics
require higher computational power, they provide better results for predicting
the risky behavior of Android applications, and that Random Forest Regression
provides more stable results with a better R² score for the dataset
we created for our thesis.
Description:
Supervised by
Mr. Ashraful Alam Khan,
Assistant Professor,
Co-Supervisors:
Mr. S. M. Sabit Bananee, Lecturer,
Mr. Imtiaj Ahmed Chowdhury, Lecturer,
This thesis is submitted in partial fulfillment of the requirements for the degree of Bachelor of Science in Computer Science and Engineering, 2022.