Security code smells in Android ICC

Cited by: 0
Authors
Pascal Gadient
Mohammad Ghafari
Patrick Frischknecht
Oscar Nierstrasz
Affiliation
[1] University of Bern,Software Composition Group
Source
Keywords
Security code smells; Vulnerability; Static analysis; Android;
DOI
Not available
CLC classification number
Subject classification number
Abstract
Android Inter-Component Communication (ICC) is complex, largely unconstrained, and hard for developers to understand. As a consequence, ICC is a common source of security vulnerabilities in Android apps. To promote secure programming practices, we have reviewed related research, and identified avoidable ICC vulnerabilities in Android-run devices and the security code smells that indicate their presence. We explain the vulnerabilities and their corresponding smells, and we discuss how they can be eliminated or mitigated during development. We present a lightweight static analysis tool on top of Android Lint that analyzes the code under development and provides just-in-time feedback within the IDE about the presence of such smells in the code. Moreover, with the help of this tool we study the prevalence of security code smells in more than 700 open-source apps, and manually inspect around 15% of the apps to assess the extent to which identifying such smells uncovers ICC security vulnerabilities.
Pages: 3046 / 3076
Page count: 30
Related papers
50 items in total
  • [1] Security code smells in Android ICC
    Gadient, Pascal
    Ghafari, Mohammad
    Frischknecht, Patrick
    Nierstrasz, Oscar
    [J]. EMPIRICAL SOFTWARE ENGINEERING, 2019, 24 (05) : 3046 - 3076
  • [2] Security Smells in Android
    Ghafari, Mohammad
    Gadient, Pascal
    Nierstrasz, Oscar
    [J]. 2017 IEEE 17TH INTERNATIONAL WORKING CONFERENCE ON SOURCE CODE ANALYSIS AND MANIPULATION (SCAM), 2017, : 121 - 130
  • [3] Incorporating Android Code Smells into Java Static Code Metrics for Security Risk Prediction of Android Applications
    Gong, Ai
    Zhong, Yi
    Zou, Weiqin
    Shi, Yangyang
    Fang, Chunrong
    [J]. 2020 IEEE 20TH INTERNATIONAL CONFERENCE ON SOFTWARE QUALITY, RELIABILITY, AND SECURITY (QRS 2020), 2020, : 30 - 40
  • [4] Understanding Code Smells in Android Applications
    Mannan, Umme Ayda
    Ahmed, Iftekhar
    Almurshed, Rana Abdullah M.
    Dig, Danny
    Jensen, Carlos
    [J]. 2016 IEEE/ACM INTERNATIONAL CONFERENCE ON MOBILE SOFTWARE ENGINEERING AND SYSTEMS (MOBILESOFT 2016), 2016, : 225 - 236
  • [5] On the Survival of Android Code Smells in the Wild
    Habchi, Sarra
    Rouvoy, Romain
    Moha, Naouel
    [J]. 2019 IEEE/ACM 6TH INTERNATIONAL CONFERENCE ON MOBILE SOFTWARE ENGINEERING AND SYSTEMS (MOBILESOFT 2019), 2019, : 87 - 98
  • [6] Android code smells: From introduction to refactoring
    Habchi, Sarra
    Moha, Naouel
    Rouvoy, Romain
    [J]. JOURNAL OF SYSTEMS AND SOFTWARE, 2021, 177
  • [7] Different Kind of Smells: Security Smells in Infrastructure as Code Scripts
    Rahman, Akond
    Williams, Laurie
    [J]. IEEE SECURITY & PRIVACY, 2021, 19 (03) : 33 - 41
  • [8] On Relating Code Smells to Security Vulnerabilities
    Abu Elkhail, Abdulrahman
    Cerny, Tomas
    [J]. 2019 IEEE 5TH INTL CONFERENCE ON BIG DATA SECURITY ON CLOUD (BIGDATASECURITY) / IEEE INTL CONFERENCE ON HIGH PERFORMANCE AND SMART COMPUTING (HPSC) / IEEE INTL CONFERENCE ON INTELLIGENT DATA AND SECURITY (IDS), 2019, : 7 - 12
  • [9] An Empirical Study of the Performance Impacts of Android Code Smells
    Hecht, Geoffrey
    Moha, Naouel
    Rouvoy, Romain
    [J]. 2016 IEEE/ACM INTERNATIONAL CONFERENCE ON MOBILE SOFTWARE ENGINEERING AND SYSTEMS (MOBILESOFT 2016), 2016, : 59 - 69
  • [10] An empirical study of Android behavioural code smells detection
    Prestat, Dimitri
    Moha, Naouel
    Villemaire, Roger
    [J]. EMPIRICAL SOFTWARE ENGINEERING, 2022, 27 (07)