Showing 1–2 of 2 results for author: Tarnutzer, M

Security Smells Pervade Mobile App Servers

Authors: Pascal Gadient, Marc-Andrea Tarnutzer, Oscar Nierstrasz, Mohammad Ghafari

Abstract: [Background] Web communication is universal in cyberspace, and security risks in this domain are devastating. [Aims] We analyzed the prevalence of six security smells in mobile app servers, and we investigated the consequence of these smells from a security perspective. [Method] We used an existing dataset that includes 9714 distinct URLs used in 3376 Android mobile apps. We exercised these URLs t… ▽ More [Background] Web communication is universal in cyberspace, and security risks in this domain are devastating. [Aims] We analyzed the prevalence of six security smells in mobile app servers, and we investigated the consequence of these smells from a security perspective. [Method] We used an existing dataset that includes 9714 distinct URLs used in 3376 Android mobile apps. We exercised these URLs twice within 14 months and investigated the HTTP headers and bodies. [Results] We found that more than 69% of tested apps suffer from three kinds of security smells, and that unprotected communication and misconfigurations are very common in servers. Moreover, source-code and version leaks, or the lack of update policies expose app servers to security risks. [Conclusions] Poor app server maintenance greatly hampers security. △ Less

Submitted 16 August, 2021; originally announced August 2021.

Comments: ACM / IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM 2021)

Web APIs in Android through the Lens of Security

Authors: Pascal Gadient, Mohammad Ghafari, Marc-Andrea Tarnutzer, Oscar Nierstrasz

Abstract: Web communication has become an indispensable characteristic of mobile apps. However, it is not clear what data the apps transmit, to whom, and what consequences such transmissions have. We analyzed the web communications found in mobile apps from the perspective of security. We first manually studied 160 Android apps to identify the commonly-used communication libraries, and to understand how the… ▽ More Web communication has become an indispensable characteristic of mobile apps. However, it is not clear what data the apps transmit, to whom, and what consequences such transmissions have. We analyzed the web communications found in mobile apps from the perspective of security. We first manually studied 160 Android apps to identify the commonly-used communication libraries, and to understand how they are used in these apps. We then developed a tool to statically identify web API URLs used in the apps, and restore the JSON data schemas including the type and value of each parameter. We extracted 9,714 distinct web API URLs that were used in 3,376 apps. We found that developers often use the java.net package for network communication, however, third-party libraries like OkHttp are also used in many apps. We discovered that insecure HTTP connections are seven times more prevalent in closed-source than in open-source apps, and that embedded SQL and JavaScript code is used in web communication in more than 500 different apps. This finding is devastating; it leaves billions of users and API service providers vulnerable to attack. △ Less

Submitted 1 June, 2020; v1 submitted 1 January, 2020; originally announced January 2020.

Comments: 27th IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER). London, Ontario, Canada, February 18-21, 2020