DOI: 10.1145/3133956.3133977

A Stitch in Time: Supporting Android Developers in Writing Secure Code

Published: 30 October 2017

Abstract

Despite security advice in the official documentation and an extensive body of security research about vulnerabilities and exploits, many developers still fail to write secure Android applications. Frequently, Android developers fail to adhere to security best practices, leaving applications vulnerable to a multitude of attacks. We point out the advantage of a low-time-cost tool both to teach better secure coding and to improve app security. Using the FixDroid IDE plug-in, we show that professional and hobby app developers can work with and learn from an in-environment tool without it impacting their normal work; and by performing studies with both students and professional developers, we identify key UI requirements and demonstrate that code delivered with such a tool by developers previously inexperienced in security contains significantly fewer security problems. Perfecting and adding such tools to the Android development environment is an essential step in getting both security and privacy for the next generation of apps.

Published In

CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
October 2017
2682 pages
ISBN: 9781450349468
DOI: 10.1145/3133956

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. android security
  2. cryptographic api
  3. support developers
  4. usable security

Qualifiers

  • Research-article

Funding Sources

  • CISPA

Conference

CCS '17

Acceptance Rates

CCS '17 Paper Acceptance Rate 151 of 836 submissions, 18%;
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
