The Dilemma of Security Smells and How to Escape It

Gadient, Pascal (2022). The Dilemma of Security Smells and How to Escape It. (Dissertation, University of Bern)

Preview

Text
Gadi22a.pdf - Published Version
Available under License Creative Commons: Attribution-Share Alike (CC-BY-SA).
Download (8MB) | Preview

Official URL: http://scg.unibe.ch/archive/phd/Gadi22a.pdf

A single mobile app can now be more complex than entire operating systems ten years ago, thus security becomes a major concern for mobile apps. Unfortunately, previous studies focused rather on particular aspects of mobile application security and did not provide a holistic overview of security issues. Therefore, they could not accurately understand the fundamental flaws to propose effective solutions to common security problems. In order to understand these fundamental flaws, we followed a hybrid strategy, i.e., we collected reported issues from existing work, and we actively identified security-related code patterns that violate best practices in software development. We further introduced the term ``security smell,'' i.e., a security issue that could potentially lead to a vulnerability. As a result, we were able to establish comprehensive security smell catalogues for Android apps and related components, i.e., inter-component communication, web communication, app servers, and HTTP clients. Furthermore, we could identify a dilemma of security smells, because most security smells require unique fixes that increase the code complexity, which in return increases the risk of introducing more security smells. With this knowledge, we investigate the interaction of our security smells with the 192 Mitre CAPEC attack mechanism categories of which the majority could be mitigated with just a few additional security measures. These measures, a String class with behavior and the more thorough use of secure default values and paradigms, would simplify the application logic and at the same time largely increase security if implemented appropriately. We conclude that application security has to focus on the String class, which has not largely changed over the last years, and secure default values and paradigms since they are the smallest common denominator for a strong foundation to build resilient applications. Moreover, we provide an initial implementation for a String class with behavior, however the further exploration remains future work. Finally, the term ``security smell'' is now widely used in academia and eases the communication among security researchers.

Item Type:	Thesis (Dissertation)
Division/Institute:	08 Faculty of Science > Institute of Computer Science (INF) 08 Faculty of Science > Institute of Computer Science (INF) > Software Composition Group (SCG) [discontinued]
UniBE Contributor:	Gadient, Pascal Josef
Subjects:	000 Computer science, knowledge & systems
Language:	English
Submitter:	Oscar Nierstrasz
Date Deposited:	15 Aug 2022 14:07
Last Modified:	02 Dec 2023 04:23
Uncontrolled Keywords:	scg-phd snf-asa3 scg22 jb22
BORIS DOI:	10.48350/171923
URI:	https://boris.unibe.ch/id/eprint/171923

Actions (login required)

Edit item

The Dilemma of Security Smells and How to Escape It

Interest & Impact

Downloads

Citations

Search

Services

Actions (login required)

Item Type:

Division/Institute:

UniBE Contributor:

Subjects:

Language:

Submitter:

Date Deposited:

Last Modified:

Uncontrolled Keywords:

BORIS DOI:

URI:

Actions (login required)