Vulnerability analysis and exploitation are two processes in penetration testing that identify and verify dangerous vulnerabilities in computer systems. These two processes are often automated to improve speed and scalability. In recent years, Large Language Models (or LLMs) have become widespread, changing the way developers and cybersecurity researchers work. Innovations are being developed to augment the functionality of LLMs, such as the Model Context Protocol (MCP), which connects LLMs to external data sources. LLMs have also been used in cybersecurity, where cybersecurity experts employ them to automate penetration testing by identifying violations and assessing their severity using Artificial Intelligence or LLM-based approaches. This thesis project focuses on Automated Vulnerability Detection and exploitation of Android applications using an LLM connected to an MCP server. This project is divided into two parts: in the first part, I leverage LLMs and MCP servers to detect violations of Google security guidelines in Android applications. In the second part, I generate Proof-of-Concept (PoC) exploits to test whether the violations are exploitable. I considered 10 real-world applications that have already been analyzed with the static analysis tool SPECK, and 31 rules defined from the security guidelines. For the first part, I gave each rule to the LLM, along with the APK file decompiled with JADX (using the JADX MCP server to extract the code), and asked it to detect rule violations. I compared the results with the results of SPECK. For the second part, the LLM developed attacks affecting insecure manifest components and network communication: I submitted the rule, the violation found by SPECK, and the decompiled APK file to the LLM and asked it to generate a PoC to verify whether the vulnerability is exploitable. For the Automated Vulnerability Detection part, I managed to achieve a mean precision of 63.90% and a mean recall of 53.97%, indicating that, on average, more than half of the violations found by the LLM were also found by SPECK. For the Automated Exploit Generation part, I achieved a PoC success rate of 30.45% across 266 vulnerabilities, demonstrating that this approach can quickly prototype PoCs and validate vulnerabilities.

Vulnerability analysis and exploitation are two processes in penetration testing that identify and verify dangerous vulnerabilities in computer systems. These two processes are often automated to improve speed and scalability. In recent years, Large Language Models (or LLMs) have become widespread, changing the way developers and cybersecurity researchers work. Innovations are being developed to augment the functionality of LLMs, such as the Model Context Protocol (MCP), which connects LLMs to external data sources. LLMs have also been used in cybersecurity, where cybersecurity experts employ them to automate penetration testing by identifying violations and assessing their severity using Artificial Intelligence or LLM-based approaches. This thesis project focuses on Automated Vulnerability Detection and exploitation of Android applications using an LLM connected to an MCP server. This project is divided into two parts: in the first part, I leverage LLMs and MCP servers to detect violations of Google security guidelines in Android applications. In the second part, I generate Proof-of-Concept (PoC) exploits to test whether the violations are exploitable. I considered 10 real-world applications that have already been analyzed with the static analysis tool SPECK, and 31 rules defined from the security guidelines. For the first part, I gave each rule to the LLM, along with the APK file decompiled with JADX (using the JADX MCP server to extract the code), and asked it to detect rule violations. I compared the results with the results of SPECK. For the second part, the LLM developed attacks affecting insecure manifest components and network communication: I submitted the rule, the violation found by SPECK, and the decompiled APK file to the LLM and asked it to generate a PoC to verify whether the vulnerability is exploitable. For the Automated Vulnerability Detection part, I managed to achieve a mean precision of 63.90% and a mean recall of 53.97%, indicating that, on average, more than half of the violations found by the LLM were also found by SPECK. For the Automated Exploit Generation part, I achieved a PoC success rate of 30.45% across 266 vulnerabilities, demonstrating that this approach can quickly prototype PoCs and validate vulnerabilities.

Detection and Exploitation of Vulnerabilities in Android Applications Using Large Language Models and Model Context Protocol

RAVAGNAN, NICOLA
2025/2026

Abstract

Vulnerability analysis and exploitation are two processes in penetration testing that identify and verify dangerous vulnerabilities in computer systems. These two processes are often automated to improve speed and scalability. In recent years, Large Language Models (or LLMs) have become widespread, changing the way developers and cybersecurity researchers work. Innovations are being developed to augment the functionality of LLMs, such as the Model Context Protocol (MCP), which connects LLMs to external data sources. LLMs have also been used in cybersecurity, where cybersecurity experts employ them to automate penetration testing by identifying violations and assessing their severity using Artificial Intelligence or LLM-based approaches. This thesis project focuses on Automated Vulnerability Detection and exploitation of Android applications using an LLM connected to an MCP server. This project is divided into two parts: in the first part, I leverage LLMs and MCP servers to detect violations of Google security guidelines in Android applications. In the second part, I generate Proof-of-Concept (PoC) exploits to test whether the violations are exploitable. I considered 10 real-world applications that have already been analyzed with the static analysis tool SPECK, and 31 rules defined from the security guidelines. For the first part, I gave each rule to the LLM, along with the APK file decompiled with JADX (using the JADX MCP server to extract the code), and asked it to detect rule violations. I compared the results with the results of SPECK. For the second part, the LLM developed attacks affecting insecure manifest components and network communication: I submitted the rule, the violation found by SPECK, and the decompiled APK file to the LLM and asked it to generate a PoC to verify whether the vulnerability is exploitable. For the Automated Vulnerability Detection part, I managed to achieve a mean precision of 63.90% and a mean recall of 53.97%, indicating that, on average, more than half of the violations found by the LLM were also found by SPECK. For the Automated Exploit Generation part, I achieved a PoC success rate of 30.45% across 266 vulnerabilities, demonstrating that this approach can quickly prototype PoCs and validate vulnerabilities.
2025
Detection and Exploitation of Vulnerabilities in Android Applications Using Large Language Models and Model Context Protocol
Vulnerability analysis and exploitation are two processes in penetration testing that identify and verify dangerous vulnerabilities in computer systems. These two processes are often automated to improve speed and scalability. In recent years, Large Language Models (or LLMs) have become widespread, changing the way developers and cybersecurity researchers work. Innovations are being developed to augment the functionality of LLMs, such as the Model Context Protocol (MCP), which connects LLMs to external data sources. LLMs have also been used in cybersecurity, where cybersecurity experts employ them to automate penetration testing by identifying violations and assessing their severity using Artificial Intelligence or LLM-based approaches. This thesis project focuses on Automated Vulnerability Detection and exploitation of Android applications using an LLM connected to an MCP server. This project is divided into two parts: in the first part, I leverage LLMs and MCP servers to detect violations of Google security guidelines in Android applications. In the second part, I generate Proof-of-Concept (PoC) exploits to test whether the violations are exploitable. I considered 10 real-world applications that have already been analyzed with the static analysis tool SPECK, and 31 rules defined from the security guidelines. For the first part, I gave each rule to the LLM, along with the APK file decompiled with JADX (using the JADX MCP server to extract the code), and asked it to detect rule violations. I compared the results with the results of SPECK. For the second part, the LLM developed attacks affecting insecure manifest components and network communication: I submitted the rule, the violation found by SPECK, and the decompiled APK file to the LLM and asked it to generate a PoC to verify whether the vulnerability is exploitable. For the Automated Vulnerability Detection part, I managed to achieve a mean precision of 63.90% and a mean recall of 53.97%, indicating that, on average, more than half of the violations found by the LLM were also found by SPECK. For the Automated Exploit Generation part, I achieved a PoC success rate of 30.45% across 266 vulnerabilities, demonstrating that this approach can quickly prototype PoCs and validate vulnerabilities.
Mobile
Software security
LLM
Android
MCP
File in questo prodotto:
File Dimensione Formato  
Ravagnan_Nicola.pdf

accesso aperto

Dimensione 2.24 MB
Formato Adobe PDF
2.24 MB Adobe PDF Visualizza/Apri

The text of this website © Università degli studi di Padova. Full Text are published under a non-exclusive license. Metadata are under a CC0 License

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/20.500.12608/108170