Web APIs in Android through the Lens of Security

Gadient, Pascal; Ghafari, Mohammad; Tarnutzer, Marc-Andrea; Nierstrasz, Oscar (March 2020). Web APIs in Android through the Lens of Security. In: IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER) 2020 (pp. 13-22). IEEE 10.1109/SANER48275.2020.9054850

Gadi20a.pdf - Accepted Version
Restricted to registered users only
Available under License Publisher holds Copyright.


Web communication has become an indispensable characteristic of mobile apps. However, it is not clear what data the apps transmit, to whom, and what consequences such transmissions have. We analyzed the web communications found in mobile apps from the perspective of security. We first manually studied 160 Android apps to identify the commonly used communication libraries and to understand how they are used in these apps. We then developed a tool to statically identify web API URLs used in the apps and to restore the JSON data schemas, including the type and value of each parameter. We extracted 9,714 distinct web API URLs that were used in 3,376 apps. We found that developers often use the java.net package for network communication, although third-party libraries like OkHttp are also used in many apps. We discovered that insecure HTTP connections are seven times more prevalent in closed-source than in open-source apps, and that embedded SQL and JavaScript code is used in web communication in more than 500 different apps. This finding is devastating; it leaves billions of users and API service providers vulnerable to attack.
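As an added illustration of the kind of static analysis the abstract describes (example code written for this page, not the authors' tool or any code from the paper), the script below extracts URL string literals from constructed decompiled-Java snippets, flags cleartext http:// endpoints, restores a type-and-value schema from JSON request bodies, and flags payloads that embed SQL or JavaScript. The file names, the *.example.test hostnames and the Java fragments are all constructed; the SQL and JavaScript detectors are deliberately simple heuristics, not the paper's method.

```python
"""Added example (not the paper's tool): a minimal static scan over decompiled
Android source that (1) extracts web API URL literals, (2) flags cleartext
http:// endpoints, (3) restores a rough JSON schema (type plus observed value
per field) from JSON request-body literals, and (4) flags literals that embed
SQL or JavaScript.  Every path, hostname and snippet below is constructed."""
import json
import re
from urllib.parse import urlsplit

LITERAL_RE = re.compile(r'"((?:\\.|[^"\\])*)"')  # one Java "..." string literal
ESCAPES = {"n": "\n", "t": "\t", '"': '"', "\\": "\\", "/": "/"}
# Heuristic detectors for code carried inside string literals.
SQL_RE = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE|DROP)\b[^;]*\b(FROM|INTO|SET|WHERE|TABLE)\b", re.I)
JS_RE = re.compile(r"<script\b|\bfunction\s*\(|\bdocument\.\w+", re.I)

# Constructed decompiled-Java fragments standing in for real app code.
SAMPLE_SOURCES = {
    "com/example/app/ApiClient.java": r'''
        private static final String LOGIN_URL = "https://api.example.test/v1/login";
        private static final String STATS_URL = "http://stats.example.test/collect";
        String body = "{\"user\":\"alice\",\"pin\":1234,\"remember\":true,\"device\":{\"os\":\"android\",\"sdk\":29}}";
        Request req = new Request.Builder().url(LOGIN_URL).post(RequestBody.create(JSON, body)).build();
    ''',
    "com/example/app/ReportSync.java": r'''
        HttpURLConnection c = (HttpURLConnection) new URL("http://legacy.example.test/query.php").openConnection();
        String q = "SELECT * FROM reports WHERE owner = '" + user + "'";
        String js = "function(){ return document.title; }";
    ''',
}


def java_string_literals(source):
    """Return the decoded contents of every "..." literal in a Java source text."""
    return [re.sub(r"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(1)), raw)
            for raw in LITERAL_RE.findall(source)]


def infer_schema(value):
    """Restore a schema from a parsed JSON value: per field, its JSON type and observed value."""
    if isinstance(value, dict):
        return {k: infer_schema(v) for k, v in value.items()}
    if isinstance(value, list):
        return {"type": "array", "items": [infer_schema(v) for v in value]}
    kind = {bool: "boolean", int: "number", float: "number", str: "string"}.get(type(value), "null")
    return {"type": kind, "value": value}


def classify(literal):
    """Tag one decoded literal as 'url', 'json', 'sql' or 'js'; None if uninteresting."""
    if literal.startswith(("http://", "https://")):
        return "url"
    if literal.lstrip().startswith("{"):
        try:
            json.loads(literal)
            return "json"
        except ValueError:
            pass
    if SQL_RE.search(literal):
        return "sql"
    if JS_RE.search(literal):
        return "js"
    return None


def scan_sources(sources):
    """sources: {path: java source}.  Returns URLs, cleartext hosts, schemas and embedded code."""
    report = {"urls": [], "cleartext": [], "schemas": [], "embedded_code": []}
    for path, src in sources.items():
        for lit in java_string_literals(src):
            kind = classify(lit)
            if kind == "url":
                report["urls"].append((path, lit))
                if urlsplit(lit).scheme == "http":  # insecure, unencrypted endpoint
                    report["cleartext"].append((path, urlsplit(lit).netloc))
            elif kind == "json":
                report["schemas"].append((path, infer_schema(json.loads(lit))))
            elif kind in ("sql", "js"):
                report["embedded_code"].append((path, kind, lit))
    return report


if __name__ == "__main__":
    r = scan_sources(SAMPLE_SOURCES)
    print(f"{len(r['urls'])} URLs, {len(r['cleartext'])} over cleartext HTTP: {r['cleartext']}")
    for path, schema in r["schemas"]:
        print(path, json.dumps(schema, indent=1))
    for path, kind, lit in r["embedded_code"]:
        print(f"{path}: embedded {kind}: {lit!r}")
```

On the constructed input the scan reports three URLs, two of them cleartext, one restored schema (with pin typed as a number and device as a nested object) and two literals carrying embedded code. A real scan would run over the full decompiled tree and would also need to follow string concatenation and constant folding to reach URLs that are assembled at runtime, which this literal-only pass misses.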

Item Type:

Conference or Workshop Item (Paper)

Division/Institute:

08 Faculty of Science > Institute of Computer Science (INF)
08 Faculty of Science > Institute of Computer Science (INF) > Software Composition Group (SCG) [discontinued]

UniBE Contributor:

Gadient, Pascal Josef, Ghafari, Mohammad, Nierstrasz, Oscar

Subjects:

000 Computer science, knowledge & systems
500 Science > 510 Mathematics

ISBN:

978-1-7281-5143-4

Publisher:

IEEE

Funders:

Swiss National Science Foundation

Language:

English

Submitter:

Oscar Nierstrasz

Date Deposited:

15 Apr 2021 10:02

Last Modified:

05 Dec 2022 15:49

Publisher DOI:

10.1109/SANER48275.2020.9054850

Uncontrolled Keywords:

scg-pub security snf-asa3 scg20 jb20 snf-imad

BORIS DOI:

10.48350/154500

URI:

https://boris.unibe.ch/id/eprint/154500
