security in android applications - portalscg.unibe.ch/download/softwarecomposition/2017-08-29... ·...

Security in Android ApplicationsMaster Thesis

Pascal Gadient

Software Composition GroupUniversity of BernSwitzerland

Security in Android Applications

Introduction

What are security code smells?

How prevalent are they?

Why identifying security smells is helpful?

Conclusion

Agenda

02

Security in Android Applications

Software is Everywhere

https://www.youtube.com/watch?v=SB_0vRnkeOk

03

Security in Android Applications

We Love Apps

04

Security in Android Applications

Mobile Device Addiction

05

Security in Android Applications

Mobile Security is Vital

06

Security in Android Applications

Software Insecurity Thrives

07

Security in Android Applications

Security Code Smell

Definition:

Symptoms in the code that indicate

the prospect of security and privacy vulnerabilities

08

Security in Android Applications

Research Goals

RQ1: What are the security code smells in Android apps?

RQ2: How prevalent are security smells in benign apps?

RQ3: To which extent identifying such smells facilitates detecting security vulnerabilities?

09

Security in Android Applications

Literature Review

Inspection

of citations and cited papers

Agreement

by discussion

Collection

of worklisted papers

Reading

of abstracts and introductions

KeywordSearch

10

Security in Android Applications

What are the security code smells in Android apps?

11

Security in Android Applications

Insufficient Attack Protection

Unreliable Information Sources

Untrustworthy / Outdated Libraries

Native Code

Open to Piggybacking

Unnecessary Permissions

12

Security in Android Applications

Security Invalidation

Weak Crypto Algorithm or Configuration

Improper Certificate Use

Unacknowledged Distribution

13

Security in Android Applications

Broken Access Control

Insecure Inter-Component Communication

Unprotected System Sockets

Custom Scheme Channel

14

Security in Android Applications

Sensitive Data Exposure

Insecure Storage

Exposed Identifiers

15

Security in Android Applications

Lax Input Validation

Unverified JavaScript Code

Dynamic Code Loading

SQL Injection

16

Security in Android Applications

How prevalent are security smells in apps?

17

Security in Android Applications

Scope of the Study

Random apps from AndroZoo

Corpora size:

46,000 apps

440 GB

Lightweight analysis

10 out of 28 smells analysed

18

Security in Android Applications

Subjects of the Study

19

Apktool

Web parser

Security in Android Applications

Prevalence of Smells

20

# of different smells apps suffer

Security in Android Applications

Prevalence of Smells

20

# of different smells apps suffer

Security in Android Applications

Prevalence of Smells

20

# of different smells apps suffer

Security in Android Applications

Distribution of Each Smell

21

# o

f ap

ps

affe

cted

1%

10% 11% 12%

33%36%

41%44%

61%

85%

Security in Android Applications

Distribution of Each Smell

21

# o

f ap

ps

affe

cted

1%

10% 11% 12%

33%36%

41%44%

61%

85%

Security in Android Applications

Distribution of Each Smell

21

# o

f ap

ps

affe

cted

1%

10% 11% 12%

33%36%

41%44%

61%

85%

Security in Android Applications

Distribution of Each Smell

21

# o

f ap

ps

affe

cted

1%

10% 11% 12%

33%36%

41%44%

61%

85%

Security in Android Applications

Distribution of Each Smell in API Levels

22

API level

% o

f se

curi

ty s

mel

ls

Security in Android Applications

Distribution of Each Smell in API Levels

22

API level

% o

f se

curi

ty s

mel

ls

Security in Android Applications

Distribution of Each Smell in API Levels

22

API level

% o

f se

curi

ty s

mel

ls

Security in Android Applications

Distribution of Each Smell in API Levels

22

API level

% o

f se

curi

ty s

mel

ls

Security in Android Applications

The Impact of Number of Downloads

23

popularity

# o

f se

curi

ty s

mel

ls

Security in Android Applications

The Impact of User Ratings

24

user ratings

# o

f se

curi

ty s

mel

ls

Security in Android Applications

To which extent identifying security smells facilitates detecting vulnerabilities?

25

Security in Android Applications

Study Design

26

?

Security in Android Applications

Result

27

level

of

agre

emen

t

Security in Android Applications

Where Vulnerability Reports Failed?

Header Attachment

Data sensitivity of headers

Improper Certificate Validation

Customised TrustManagers with pinning support

Insecure Network Protocol

Local web resources in middleware

Exposed Clipboard

Data sensitivity of content

28

Security in Android Applications

Summary

29

Security in Android Applications

Our Contribution

Increase in security awareness

Evaluation of security smell distribution

Lightweight analysis assessment

In future: In-depth exploration

30

Security in Android Applications

Thank youfor your attention!

31