Security Smells in Android

Ghafari, Mohammad; Gadient, Pascal; Nierstrasz, Oscar

doi:10.1109/scam.2017.24

Cited by 49 publications

(41 citation statements)

References 40 publications

(46 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The horizontal axis shows the different Android releases apps are targeting in their configuration, whereas the vertical axis shows the contribution of a specific smell to the total amount of smells detected. As in previous work [10], we see changes in some of the security smells apps suffer from. We believe that the positive trend in Unauthorized Intent within apps is the consequence of built-in sharing functionalities to external services.…”

Section: Evolutionsupporting

confidence: 71%

“…Given this situation, in previous work we identified 28 security code smells, i.e., symptoms in the code that signal potential security vulnerabilities [10]. We studied the prevalence of ten such smells, and realized that despite the diversity of apps in popularity, size, and release date, the majority suffer from at least three different security smells, and such smells are in fact good indicators of actual security vulnerabilities.…”

mentioning

confidence: 99%

See 1 more Smart Citation

Security code smells in Android ICC

et al. 2018

Self Cite

View full text Add to dashboard Cite

Android Inter-Component Communication (ICC) is complex, largely unconstrained, and hard for developers to understand. As a consequence, ICC is a common source of security vulnerability in Android apps. To promote secure programming practices, we have reviewed related research, and identified avoidable ICC vulnerabilities in Android-run devices and the security code smells that indicate their presence. We explain the vulnerabilities and their corresponding smells, and we discuss how they can be eliminated or mitigated during development. We present a lightweight static analysis tool on top of Android Lint that analyzes the code under development and provides just-in-time feedback within the IDE about the presence of such smells in the code. Moreover, with the help of this tool we study the prevalence of security code smells in more than 700 open-source apps, and manually inspect around 15% of the apps to assess the extent to which identifying such smells uncovers ICC security vulnerabilities.

show abstract

Section: Evolutionsupporting

confidence: 71%

mentioning

confidence: 99%

Security code smells in Android ICC

et al. 2018

Self Cite

View full text Add to dashboard Cite

show abstract

“…In previous work, we defined the notion of security code smells and investigated their appearance in 46 000 closedsource Android apps from the official market [6]. We identified 28 different security smells in five different categories, and found that XSS-like Code Injection, Dynamic Code Loading, and Custom Scheme Channel are the most prevalent smells.…”

Section: Related Workmentioning

confidence: 99%

“…We manually inspected the tool's output for 100 random apps, and used the reported URLs to connect to the servers and to investigate their response. We found eight security code smells, i.e., symptoms in the code that signal the prospect of a security vulnerability [6], on both ends, dominated by the use of embedded computer languages. We handcrafted regular expressions to automatically identify the use of those languages, and other languages prevalent on GitHub.…”

Section: Introductionmentioning

confidence: 99%

Web APIs in Android through the Lens of Security

Gadient

Ghafari

Tarnutzer

et al. 2020

2020 IEEE 27th International Conference on Software Analysis, Evolution and Reengineering (SANER)

Self Cite

View full text Add to dashboard Cite

Web communication has become an indispensable characteristic of mobile apps. However, it is not clear what data the apps transmit, to whom, and what consequences such transmissions have.We analyzed the web communications found in mobile apps from the perspective of security. We first manually studied 160 Android apps to identify the commonly-used communication libraries, and to understand how they are used in these apps. We then developed a tool to statically identify web API URLs used in the apps, and restore the JSON data schemas including the type and value of each parameter.We extracted 9 714 distinct web API URLs that were used in 3 376 apps. We found that developers often use the java.net package for network communication, however, third-party libraries like OkHttp are also used in many apps. We discovered that insecure HTTP connections are seven times more prevalent in closed-source than in open-source apps, and that embedded SQL and JavaScript code is used in web communication in more than 500 different apps. This finding is devastating; it leaves billions of users and API service providers vulnerable to attack.

show abstract

“…Although Google encourages Android developers to use Android IPCs, some still use Unix domain sockets, known as local sockets [15]. This practice occurs not only because using UNIX domain sockets for IPC is more efficient but also because Android IPCs are unsuitable for communication between the Java language in which most apps are written and native processes/threads [16]. Both the Android software development kit (SDK) and the Android native development kit (NDK) [17] provide APIs for Unix domain sockets.…”

Section: Introductionmentioning

confidence: 99%

Unix Domain Sockets Applied in Android Malware Should Not Be Ignored

Jiang

Zhang

2018

Information

View full text Add to dashboard Cite

Increasingly, malicious Android apps use various methods to steal private user data without their knowledge. Detecting the leakage of private data is the focus of mobile information security. An initial investigation found that none of the existing security analysis systems can track the flow of information through Unix domain sockets to detect the leakage of private data through such sockets, which can result in zero-day exploits in the information security field. In this paper, we conduct the first systematic study on Unix domain sockets as applied in Android apps. Then, we identify scenarios in which such apps can leak private data through Unix domain sockets, which the existing dynamic taint analysis systems do not catch. Based on these insights, we propose and implement JDroid, a taint analysis system that can track information flows through Unix domain sockets effectively to detect such privacy leaks.

show abstract

Security Smells in Android

Cited by 49 publications

References 40 publications

Security code smells in Android ICC

Security code smells in Android ICC

Web APIs in Android through the Lens of Security

Unix Domain Sockets Applied in Android Malware Should Not Be Ignored

Contact Info

Product

Resources

About