Security Code Smells in Apps: Are We Getting Better?
Users increasingly rely on mobile apps for everyday tasks, including security- and privacy-sensitive tasks such as online banking, e-health, and e-government. Additionally, a wealth of sensors captures the movements and habits of the users for fitness tracking and convenience. Despite legal regulations imposing requirements and limits on the processing of privacy-sensitive data, users must still trust the app developers to apply sufficient protections. In this paper, we investigate the state of security in Android apps and how security-related code smells have evolved since the introduction of the Android operating system.
With an analysis of 300 apps per year over 12 years between 2010 and 2021 from the Google Play Store, we find that the number of code scanner findings per thousand lines of code decreases over time. Still, this development is offset by the increase in code size. Apps have more and more findings, suggesting that the overall security level decreases. This trend is driven by flaws in the use of cryptography, insecure compiler flags, insecure uses of WebView components, and insecure uses of language features such as reflection. Based on our data, we argue for stricter controls on apps before admission to the store.
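To make the abstract's central metric concrete, here is an added example (not the paper's scanner or data) of a toy lexical smell scanner that reports findings per thousand lines of code (KLOC) for the smell categories the abstract names: cryptography misuse, insecure WebView settings, reflection, and hardening-disabling native compiler flags. The two Java snapshots, the regular expressions, and the category names are constructed assumptions chosen so that the second snapshot has a lower density but a higher absolute count, which is exactly the pattern the abstract describes.

```python
"""Toy security-smell scanner illustrating the findings-per-KLOC metric.

Constructed example, not the paper's tool: the rules and the two source
snapshots below are made up to show how per-KLOC density can fall while
the absolute number of findings rises as apps grow.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Smell categories named in the abstract, each with a few lexical patterns.
# These patterns are illustrative assumptions, not an exhaustive rule set.
SMELL_RULES = {
    "crypto": [
        re.compile(r'Cipher\.getInstance\("(?:DES|RC4|AES/ECB)'),
        re.compile(r'MessageDigest\.getInstance\("(?:MD5|SHA-?1)"\)'),
    ],
    "webview": [
        re.compile(r"setJavaScriptEnabled\(true\)"),
        re.compile(r"setAllowFileAccessFromFileURLs\(true\)"),
        re.compile(r"addJavascriptInterface\("),
    ],
    "reflection": [
        re.compile(r"Class\.forName\("),
        re.compile(r"\.getDeclaredMethod\("),
        re.compile(r"\.invoke\("),
    ],
    # Native build flags that disable hardening (Android.mk / CMake fragments).
    # The constructed snapshots below contain no build files, so this stays at 0.
    "compiler_flags": [
        re.compile(r"-fno-stack-protector"),
        re.compile(r"-z\s*execstack"),
    ],
}

# Constructed "early" app snapshot: small, three smells in eight lines of code.
APP_EARLY = """\
import javax.crypto.Cipher;
public class Net {
    void run(android.webkit.WebView webView) {
        Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new Bridge(), "bridge");
    }
}
"""

# Constructed "late" app snapshot: more code, five smells in 25 lines of code.
APP_LATE = """\
import java.lang.reflect.Method;
import java.security.MessageDigest;
import javax.crypto.Cipher;
import android.webkit.WebView;
public class Net {
    private final WebView webView;
    Net(WebView webView) {
        this.webView = webView;
    }
    byte[] encrypt(byte[] plain) throws Exception {
        // ECB leaks plaintext structure; AES/GCM with a fresh nonce is the fixed form
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        return c.doFinal(plain);
    }
    byte[] digest(byte[] data) throws Exception {
        return MessageDigest.getInstance("MD5").digest(data);
    }
    void load(String url) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.loadUrl(url);
    }
    Object callHidden(Object target, String name) throws Exception {
        Method m = target.getClass().getDeclaredMethod(name);
        return m.invoke(target);
    }
}
"""


@dataclass(frozen=True)
class Finding:
    line: int
    category: str
    text: str


def is_code_line(line: str) -> bool:
    """Count only non-blank, non-comment lines as code (a simple LOC definition)."""
    s = line.strip()
    return bool(s) and not s.startswith(("//", "/*", "*"))


def count_loc(source: str) -> int:
    return sum(1 for ln in source.splitlines() if is_code_line(ln))


def scan(source: str) -> list[Finding]:
    """Return at most one finding per category per code line."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        if not is_code_line(line):
            continue  # a comment mentioning an API is not a finding
        for category, patterns in SMELL_RULES.items():
            if any(p.search(line) for p in patterns):
                findings.append(Finding(no, category, line.strip()))
    return findings


def findings_per_kloc(findings: list[Finding], loc: int) -> float:
    return 1000.0 * len(findings) / loc if loc else 0.0


def summarize(source: str) -> dict:
    """Density (per KLOC) and absolute count side by side, as the paper compares them."""
    f = scan(source)
    loc = count_loc(source)
    return {
        "loc": loc,
        "findings": len(f),
        "per_kloc": round(findings_per_kloc(f, loc), 1),
        "by_category": dict(Counter(x.category for x in f)),
    }


if __name__ == "__main__":
    for label, src in (("early", APP_EARLY), ("late", APP_LATE)):
        print(label, summarize(src))
```

Running the block shows the early snapshot at 375 findings per KLOC with 3 findings and the late snapshot at 200 per KLOC with 5 findings: density improved, yet the app ships more insecure call sites, which is why a per-KLOC trend alone can be misleading when judging whether the overall security level improved.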
Mon 14 Nov (displayed time zone: Beijing, Chongqing, Hong Kong, Urumqi)
16:00 - 17:30
Program Analysis I (Research Papers / Industry Paper) at SRC LT 50
Chair(s): Marcel Böhme MPI-SP, Germany and Monash University, Australia
Input Splitting for Cloud-Based Static Application Security Testing Platforms
Maria Christakis (MPI-SWS), Thomas Cottenier (Amazon Web Services), Antonio Filieri (AWS and Imperial College London), Linghui Luo (Amazon Web Services), Muhammad Numair Mansur (MPI-SWS), Lee Pike (Amazon Web Services), Nicolás Rosner (Amazon Web Services), Martin Schäf (Amazon Web Services), Aritra Sengupta (Amazon Web Services), Willem Visser (Amazon Web Services)
Static Executes-Before Analysis for Event Driven Programs
Rekha Pai (IISc Bangalore), Abhishek Uppar (IISc Bangalore), Akshatha Shenoy (TCS Research), Pranshul Kushwaha (IISc Bangalore), Deepak D'Souza (IISc Bangalore)
Security Code Smells in Apps: Are We Getting Better?
Steven Arzt (Fraunhofer SIT; ATHENE)
Large-Scale Analysis of Non-Termination Bugs in Real-World OSS Projects
Xiuhan Shi (Tianjin University), Xiaofei Xie (Singapore Management University), Yi Li (Nanyang Technological University), Yao Zhang (Tianjin University), Sen Chen (Tianjin University), Xiaohong Li (Tianjin University)
On-the-Fly Syntax Highlighting using Neural Networks
Marco Edoardo Palma (University of Zurich), Pasquale Salza (University of Zurich), Harald Gall (University of Zurich)
Declarative Smart Contracts
Haoxian Chen (University of Pennsylvania), Gerald Whitters (University of Pennsylvania), Mohammad Javad Amiri (University of Pennsylvania), Yuepeng Wang (Simon Fraser University), Boon Thau Loo (University of Pennsylvania)