Security code smells in Android ICC

Gadient, Pascal; Ghafari, Mohammad; Frischknecht, Patrick Rolf; Nierstrasz, Oscar

doi:10.1007/s10664-018-9673-y

Cited by 30 publications

(15 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this category we also found cases related to CWE-798: Use of Hard-coded Credentials, such as commit f92221f from the UserLAnd app. 13 These cases are mostly due to hard-coded credentials most likely for testing purposes. However, using these credentials and having them available in repositories and/or URLs could lead to attacks.…”

Section: Invalid User Cannot Resume Anmentioning

confidence: 99%

See 1 more Smart Citation

Taxonomy of Security Weaknesses in Java and Kotlin Android Apps

Mazuera-Rozo¹,

Escobar‐Velásquez²,

Espitia-Acero³

et al. 2022

Preprint

View full text Add to dashboard Cite

Android is nowadays the most popular operating system in the world, not only in the realm of mobile devices, but also when considering desktop and laptop computers. Such a popularity makes it an attractive target for security attacks, also due to the sensitive information often manipulated by mobile apps. The latter are going through a transition in which the Android ecosystem is moving from the usage of Java as the official language for developing apps, to the adoption of Kotlin as the first choice supported by Google. While previous studies have partially studied security weaknesses affecting Java Android apps, there is no comprehensive empirical investigation studying software security weaknesses affecting Android apps considering (and comparing) the two main languages used for their development, namely Java and Kotlin. We present an empirical study in which we: (i) manually analyze 681 commits including security weaknesses fixed by developers in Java and Kotlin apps, with the goal of defining a taxonomy highlighting the types of software security weaknesses affecting Java and Kotlin Android apps; (ii) survey 43 Android developers to validate and complement our taxonomy. Based on our findings, we propose a list of future actions that could be performed by researchers and practitioners to improve the security of Android apps.

show abstract

Section: Invalid User Cannot Resume Anmentioning

confidence: 99%

“…A paramount example is the volume of research focused on detecting vulnerabilities in Android apps (see e.g., [4,5,6,7,8,9,10,11,12,13]). The Android OS and devices have been also investigated in the context of previous studies aimed at categorizing their security weaknesses and exploits (e.g., [14,15,16,17,18,19,20,21]).…”

Section: Introductionmentioning

confidence: 99%

Taxonomy of Security Weaknesses in Java and Kotlin Android Apps

Mazuera-Rozo¹,

Escobar‐Velásquez²,

Espitia-Acero³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…The declared permissions do not always require the use of a specific set of APIs. Moreover, permissions are not always described well in the documentation, causing developers to either lack relevant knowledge or misuse APIs during development [27], [28]. Karim et al proposed ApMiner to recommend permissions for an app based on given sets of Android APIs [29].…”

Section: A Permissions-based Android App Analysismentioning

confidence: 99%

FCDP: Fidelity Calculation for Description-to-Permissions in Android Apps

Chen

Lee

2021

IEEE Access

View full text Add to dashboard Cite

“…We identified 28 different security smells in five different categories, and found that XSS-like Code Injection, Dynamic Code Loading, and Custom Scheme Channel are the most prevalent smells. In a follow-up work, we studied the prevalence of Inter-Component Communication (ICC)-related security smells in more than 700 open-source apps, and manually inspected around 15% of the apps to assess the extent to which identifying such smells uncovers ICC security vulnerabilities [12]. We found that almost all apps suffer from the Common Task Affinity smell, and that Unauthorized Intent and Custom Scheme Channel are prevalent among mobile apps.…”

Section: Related Workmentioning

confidence: 99%

Web APIs in Android through the Lens of Security

Gadient

Ghafari

Tarnutzer

et al. 2020

2020 IEEE 27th International Conference on Software Analysis, Evolution and Reengineering (SANER)

Self Cite

View full text Add to dashboard Cite

Web communication has become an indispensable characteristic of mobile apps. However, it is not clear what data the apps transmit, to whom, and what consequences such transmissions have.We analyzed the web communications found in mobile apps from the perspective of security. We first manually studied 160 Android apps to identify the commonly-used communication libraries, and to understand how they are used in these apps. We then developed a tool to statically identify web API URLs used in the apps, and restore the JSON data schemas including the type and value of each parameter.We extracted 9 714 distinct web API URLs that were used in 3 376 apps. We found that developers often use the java.net package for network communication, however, third-party libraries like OkHttp are also used in many apps. We discovered that insecure HTTP connections are seven times more prevalent in closed-source than in open-source apps, and that embedded SQL and JavaScript code is used in web communication in more than 500 different apps. This finding is devastating; it leaves billions of users and API service providers vulnerable to attack.

show abstract

Security code smells in Android ICC

Cited by 30 publications

References 22 publications

Taxonomy of Security Weaknesses in Java and Kotlin Android Apps

Taxonomy of Security Weaknesses in Java and Kotlin Android Apps

FCDP: Fidelity Calculation for Description-to-Permissions in Android Apps

Web APIs in Android through the Lens of Security

Contact Info

Product

Resources

About