DOI: 10.1145/3475716.3475780
research-article

Security Smells Pervade Mobile App Servers

Published: 11 October 2021

Abstract

[Background] Web communication is universal in cyberspace, and security risks in this domain are devastating. [Aims] We analyzed the prevalence of six security smells in mobile app servers and investigated the consequences of these smells from a security perspective. [Method] We used an existing dataset that includes 9 714 distinct URLs used in 3 376 Android mobile apps. We exercised these URLs twice within 14 months and investigated the HTTP headers and bodies. [Results] We found that more than 69% of the tested apps suffer from three kinds of security smells, and that unprotected communication and misconfigurations are very common in servers. Moreover, source-code and version leaks, as well as the lack of update policies, expose app servers to security risks. [Conclusions] Poor app server maintenance greatly hampers security.


Cited By

  • (2024) Systematic literature review on security misconfigurations in web applications. International Journal of Computers and Applications 46(10), 840--852. https://doi.org/10.1080/1206212X.2024.2390977. Online publication date: 19 Aug 2024.


    Published In

    ESEM '21: Proceedings of the 15th ACM / IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM)
    October 2021
    368 pages
    ISBN: 9781450386654
    DOI: 10.1145/3475716
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. mobile apps
    2. security smells
    3. web communication

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    ESEM '21

    Acceptance Rates

    ESEM '21 Paper Acceptance Rate: 24 of 124 submissions, 19%
    Overall Acceptance Rate: 130 of 594 submissions, 22%
