Security Code Smells in Android ICC

Gadient, Pascal Josef; Ghafari, Mohammad; Frischknecht, Patrick Rolf; Nierstrasz, Oscar (2018). Security Code Smells in Android ICC. Empirical software engineering, 24(5), pp. 3046-3076. Springer 10.1007/s10664-018-9673-y

[img]
Preview
Text
Gadient2018_Article_SecurityCodeSmellsInAndroidICC.pdf - Published Version
Available under License Publisher holds Copyright.

Download (1MB) | Preview
[img]
Preview
Text
Gadi18a-postprint.pdf - Accepted Version
Available under License Publisher holds Copyright.

Download (1MB) | Preview

Android Inter-Component Communication (ICC) is complex, largely unconstrained, and hard for developers to understand. As a consequence, ICC is a common source of security vulnerability in Android apps. To promote secure programming practices, we have reviewed related research, and identified avoidable ICC vulnerabilities in Android-run devices and the security code smells that indicate their presence. We explain the vulnerabilities and their corresponding smells, and we discuss how they can be eliminated or mitigated during development. We present a lightweight static analysis tool on top of Android Lint that analyzes the code under development and provides just-in-time feedback within the IDE about the presence of such smells in the code. Moreover, with the help of this tool we study the prevalence of security code smells in more than 700 open-source apps, and manually inspect around 15 of the apps to assess the extent to which identifying such smells uncovers ICC security vulnerabilities.

Item Type:

Journal Article (Original Article)

Division/Institute:

08 Faculty of Science > Institute of Computer Science (INF)
08 Faculty of Science > Institute of Computer Science (INF) > Software Composition Group (SCG) [discontinued]

UniBE Contributor:

Gadient, Pascal Josef, Ghafari, Mohammad, Frischknecht, Patrick Rolf, Nierstrasz, Oscar

Subjects:

000 Computer science, knowledge & systems

ISSN:

1573-7616

Publisher:

Springer

Language:

English

Submitter:

Oscar Nierstrasz

Date Deposited:

04 Jun 2019 17:09

Last Modified:

16 Dec 2022 00:25

Publisher DOI:

10.1007/s10664-018-9673-y

Uncontrolled Keywords:

Security code smells; Vulnerability; Static analysis; Android

BORIS DOI:

10.7892/boris.126932

URI:

https://boris.unibe.ch/id/eprint/126932

Actions (login required)

Edit item Edit item
Provide Feedback