Security in Android Applications - Portal scg.unibe.ch/download/softwarecomposition/2017-08-29...
Security in Android Applications: Master Thesis
Pascal Gadient
Software Composition Group, University of Bern, Switzerland
Security in Android Applications
Agenda
Introduction
What are security code smells?
How prevalent are they?
Why is identifying security smells helpful?
Conclusion
Software is Everywhere
https://www.youtube.com/watch?v=SB_0vRnkeOk
We Love Apps
Mobile Device Addiction
Mobile Security is Vital
Software Insecurity Thrives
Security Code Smell
Definition: symptoms in the code that indicate the prospect of security and privacy vulnerabilities
Research Goals
RQ1: What are the security code smells in Android apps?
RQ2: How prevalent are security smells in benign apps?
RQ3: To what extent does identifying such smells facilitate detecting security vulnerabilities?
Literature Review
Inspection of citations and cited papers
Agreement by discussion
Collection of worklisted papers
Reading of abstracts and introductions
Keyword search
What are the security code smells in Android apps?
Insufficient Attack Protection
Unreliable Information Sources
Untrustworthy / Outdated Libraries
Native Code
Open to Piggybacking
Unnecessary Permissions
Security Invalidation
Weak Crypto Algorithm or Configuration
Improper Certificate Use
Unacknowledged Distribution
Broken Access Control
Insecure Inter-Component Communication
Unprotected System Sockets
Custom Scheme Channel
Sensitive Data Exposure
Insecure Storage
Exposed Identifiers
Lax Input Validation
Unverified JavaScript Code
Dynamic Code Loading
SQL Injection
How prevalent are security smells in apps?
Scope of the Study
Random apps from AndroZoo
Corpora size: 46,000 apps (440 GB)
Lightweight analysis: 10 out of 28 smells analysed
Subjects of the Study
Apktool
Web parser
Prevalence of Smells
(chart: # of different smells apps suffer from)
Distribution of Each Smell
(chart: # of apps affected per smell; bar values 1%, 10%, 11%, 12%, 33%, 36%, 41%, 44%, 61%, 85%)
Distribution of Each Smell in API Levels
(chart: x-axis API level, y-axis % of security smells)
The Impact of Number of Downloads
(chart: x-axis popularity, y-axis # of security smells)
The Impact of User Ratings
(chart: x-axis user ratings, y-axis # of security smells)
To what extent does identifying security smells facilitate detecting vulnerabilities?
Study Design
Result
(chart: level of agreement)
Where Did Vulnerability Reports Fail?
Header Attachment: data sensitivity of headers
Improper Certificate Validation: customised TrustManagers with pinning support
Insecure Network Protocol: local web resources in middleware
Exposed Clipboard: data sensitivity of content
Summary
Our Contribution
Increase in security awareness
Evaluation of security smell distribution
Lightweight analysis assessment
In future: In-depth exploration
Thank you for your attention!