Security of mobile apps affects the security of their users. This has
fueled the development of techniques to automatically detect vulnerabilities
in mobile apps and help developers secure their apps;
specifically, in the context of Android platform due to openness and
ubiquitousness of the platform. Despite a slew of research efforts
in this space, there is no comprehensive repository of up-to-date
and lean benchmarks that contain most of the known Android
app vulnerabilities and, consequently, can be used to rigorously
evaluate both existing and new vulnerability detection techniques
and help developers learn about Android app vulnerabilities. In
this paper, we describe Ghera, an open source repository of benchmarks
that capture 35 known vulnerabilities in Android apps (as
pairs of exploited/benign and exploiting/malicious apps). We also
present desirable characteristics of vulnerability benchmarks and
repositories that we uncovered while creating Ghera.