Details
Originalsprache | Englisch |
---|---|
Titel des Sammelwerks | Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018 |
Herausgeber (Verlag) | Institute of Electrical and Electronics Engineers Inc. |
Seiten | 634-647 |
Seitenumfang | 14 |
ISBN (elektronisch) | 9781538643525 |
Publikationsstatus | Veröffentlicht - 23 Juli 2018 |
Veranstaltung | 39th IEEE Symposium on Security and Privacy, SP 2018 - San Francisco, USA / Vereinigte Staaten Dauer: 21 Mai 2018 → 23 Mai 2018 |
Publikationsreihe
Name | Proceedings - IEEE Symposium on Security and Privacy |
---|---|
Band | 2018-May |
ISSN (Print) | 1081-6011 |
Abstract
Mobile apps are increasingly created using online application generators (OAGs) that automate app development, distribution, and maintenance. These tools significantly lower the level of technical skill that is required for app development, which makes them particularly appealing to citizen developers, i.e., developers with little or no software engineering background. However, as the pervasiveness of these tools increases, so does their overall influence on the mobile ecosystem's security, as security lapses by such generators affect thousands of generated apps. The security of such generated apps, as well as their impact on the security of the overall app ecosystem, has not yet been investigated. We present the first comprehensive classification of commonly used OAGs for Android and show how to fingerprint uniquely generated apps to link them back to their generator. We thereby quantify the market penetration of these OAGs based on a corpus of 2,291,898 free Android apps from Google Play and discover that at least 11.1% of these apps were created using OAGs. Using a combination of dynamic, static, and manual analysis, we find that the services' app generation model is based on boilerplate code that is prone to reconfiguration attacks in 7/13 analyzed OAGs. Moreover, we show that this boilerplate code includes well-known security issues such as code injection vulnerabilities and insecure WebViews. Given the tight coupling of generated apps with their services' backends, we further identify security issues in their infrastructure. Due to the blackbox development approach, citizen developers are unaware of these hidden problems that ultimately put the end-users sensitive data and privacy at risk and violate the user's trust assumption. A particular worrisome result of our study is that OAGs indeed have a significant amplification factor for those vulnerabilities, notably harming the health of the overall mobile app ecosystem.
ASJC Scopus Sachgebiete
- Ingenieurwesen (insg.)
- Sicherheit, Risiko, Zuverlässigkeit und Qualität
- Informatik (insg.)
- Software
- Informatik (insg.)
- Computernetzwerke und -kommunikation
Zitieren
- Standard
- Harvard
- Apa
- Vancouver
- BibTex
- RIS
Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018. Institute of Electrical and Electronics Engineers Inc., 2018. S. 634-647 8418628 (Proceedings - IEEE Symposium on Security and Privacy; Band 2018-May).
Publikation: Beitrag in Buch/Bericht/Sammelwerk/Konferenzband › Aufsatz in Konferenzband › Forschung › Peer-Review
}
TY - GEN
T1 - The Rise of the Citizen Developer
T2 - 39th IEEE Symposium on Security and Privacy, SP 2018
AU - Oltrogge, Marten
AU - Derr, Erik
AU - Stransky, Christian
AU - Acar, Yasemin
AU - Fahl, Sascha
AU - Rossow, Christian
AU - Pellegrino, Giancarlo
AU - Bugiel, Sven
AU - Backes, Michael
N1 - Funding Information: We would like to thank the anonymous reviewers for their valuable feedback. This work was supported by the German Federal Ministry of Education and Research (BMBF) through funding for the Center for IT-Security, Privacy and Accountability (CISPA) (FKZ: 16KIS0345, 16KIS0656), the projects SmartPriv (FKZ: 16KIS0377K) and CAMRICS (FKZ: 16KIS0656) and the CISPA-StanfordCenter for Cybersecurity (FKZ: 13N1S0762).
PY - 2018/7/23
Y1 - 2018/7/23
N2 - Mobile apps are increasingly created using online application generators (OAGs) that automate app development, distribution, and maintenance. These tools significantly lower the level of technical skill that is required for app development, which makes them particularly appealing to citizen developers, i.e., developers with little or no software engineering background. However, as the pervasiveness of these tools increases, so does their overall influence on the mobile ecosystem's security, as security lapses by such generators affect thousands of generated apps. The security of such generated apps, as well as their impact on the security of the overall app ecosystem, has not yet been investigated. We present the first comprehensive classification of commonly used OAGs for Android and show how to fingerprint uniquely generated apps to link them back to their generator. We thereby quantify the market penetration of these OAGs based on a corpus of 2,291,898 free Android apps from Google Play and discover that at least 11.1% of these apps were created using OAGs. Using a combination of dynamic, static, and manual analysis, we find that the services' app generation model is based on boilerplate code that is prone to reconfiguration attacks in 7/13 analyzed OAGs. Moreover, we show that this boilerplate code includes well-known security issues such as code injection vulnerabilities and insecure WebViews. Given the tight coupling of generated apps with their services' backends, we further identify security issues in their infrastructure. Due to the blackbox development approach, citizen developers are unaware of these hidden problems that ultimately put the end-users sensitive data and privacy at risk and violate the user's trust assumption. A particular worrisome result of our study is that OAGs indeed have a significant amplification factor for those vulnerabilities, notably harming the health of the overall mobile app ecosystem.
AB - Mobile apps are increasingly created using online application generators (OAGs) that automate app development, distribution, and maintenance. These tools significantly lower the level of technical skill that is required for app development, which makes them particularly appealing to citizen developers, i.e., developers with little or no software engineering background. However, as the pervasiveness of these tools increases, so does their overall influence on the mobile ecosystem's security, as security lapses by such generators affect thousands of generated apps. The security of such generated apps, as well as their impact on the security of the overall app ecosystem, has not yet been investigated. We present the first comprehensive classification of commonly used OAGs for Android and show how to fingerprint uniquely generated apps to link them back to their generator. We thereby quantify the market penetration of these OAGs based on a corpus of 2,291,898 free Android apps from Google Play and discover that at least 11.1% of these apps were created using OAGs. Using a combination of dynamic, static, and manual analysis, we find that the services' app generation model is based on boilerplate code that is prone to reconfiguration attacks in 7/13 analyzed OAGs. Moreover, we show that this boilerplate code includes well-known security issues such as code injection vulnerabilities and insecure WebViews. Given the tight coupling of generated apps with their services' backends, we further identify security issues in their infrastructure. Due to the blackbox development approach, citizen developers are unaware of these hidden problems that ultimately put the end-users sensitive data and privacy at risk and violate the user's trust assumption. A particular worrisome result of our study is that OAGs indeed have a significant amplification factor for those vulnerabilities, notably harming the health of the overall mobile app ecosystem.
KW - Android
KW - app analysis
KW - App Generator
KW - Citizen Developer
UR - http://www.scopus.com/inward/record.url?scp=85051045043&partnerID=8YFLogxK
U2 - 10.1109/SP.2018.00005
DO - 10.1109/SP.2018.00005
M3 - Conference contribution
AN - SCOPUS:85051045043
T3 - Proceedings - IEEE Symposium on Security and Privacy
SP - 634
EP - 647
BT - Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 21 May 2018 through 23 May 2018
ER -