Details
Original language | English |
---|---|
Title of host publication | CCS 2017 - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security |
Publisher | Association for Computing Machinery (ACM) |
Pages | 1065-1077 |
Number of pages | 13 |
ISBN (electronic) | 9781450349468 |
Publication status | Published - 30 Oct 2017 |
Event | 24th ACM SIGSAC Conference on Computer and Communications Security, CCS 2017 - Dallas, United States. Duration: 30 Oct 2017 → 3 Nov 2017 |
Publication series
Name | Proceedings of the ACM Conference on Computer and Communications Security |
---|---|
ISSN (Print) | 1543-7221 |
Abstract
Despite security advice in the official documentation and an extensive body of security research about vulnerabilities and exploits, many developers still fail to write secure Android applications. Frequently, Android developers fail to adhere to security best practices, leaving applications vulnerable to a multitude of attacks. We point out the advantage of a low-time-cost tool both to teach better secure coding and to improve app security. Using the FixDroid™ IDE plug-in, we show that professional and hobby app developers can work with and learn from an in-environment tool without it impacting their normal work; and by performing studies with both students and professional developers, we identify key UI requirements and demonstrate that code delivered with such a tool by developers previously inexperienced in security contains significantly fewer security problems. Perfecting and adding such tools to the Android development environment is an essential step in getting both security and privacy for the next generation of apps.
ASJC Scopus subject areas
- Computer Science (all)
- Software
- Computer Science (all)
- Computer Networks and Communications
Cite this
CCS 2017 - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery (ACM), 2017. pp. 1065-1077 (Proceedings of the ACM Conference on Computer and Communications Security).
Publication: Contribution to book/report/anthology/conference proceedings › Conference contribution › Research › Peer-reviewed
TY - GEN
T1 - A Stitch in Time
T2 - 24th ACM SIGSAC Conference on Computer and Communications Security, CCS 2017
AU - Nguyen, Duc Cuong
AU - Wermke, Dominik
AU - Acar, Yasemin
AU - Backes, Michael
AU - Weir, Charles
AU - Fahl, Sascha
PY - 2017/10/30
Y1 - 2017/10/30
KW - Android Security
KW - Cryptographic API
KW - Support Developers
KW - Usable Security
UR - http://www.scopus.com/inward/record.url?scp=85041431059&partnerID=8YFLogxK
U2 - 10.1145/3133956.3133977
DO - 10.1145/3133956.3133977
M3 - Conference contribution
AN - SCOPUS:85041431059
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 1065
EP - 1077
BT - CCS 2017 - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
PB - Association for Computing Machinery (ACM)
Y2 - 30 October 2017 through 3 November 2017
ER -