The Rise of the Citizen Developer: Assessing the Security Impact of Online App Generators

Research output: Chapter in book/report/conference proceeding › Conference contribution › Research › peer review

Authors

  • Marten Oltrogge
  • Erik Derr
  • Christian Stransky
  • Yasemin Acar
  • Sascha Fahl
  • Christian Rossow
  • Giancarlo Pellegrino
  • Sven Bugiel
  • Michael Backes

Research Organisations

External Research Organisations

  • Saarland University
  • Stanford University

Details

Original language: English
Title of host publication: Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 634-647
Number of pages: 14
ISBN (electronic): 9781538643525
Publication status: Published - 23 Jul 2018
Event: 39th IEEE Symposium on Security and Privacy, SP 2018 - San Francisco, United States
Duration: 21 May 2018 to 23 May 2018

Publication series

Name: Proceedings - IEEE Symposium on Security and Privacy
Volume: 2018-May
ISSN (Print): 1081-6011

Abstract

Mobile apps are increasingly created using online application generators (OAGs) that automate app development, distribution, and maintenance. These tools significantly lower the level of technical skill that is required for app development, which makes them particularly appealing to citizen developers, i.e., developers with little or no software engineering background. However, as the pervasiveness of these tools increases, so does their overall influence on the mobile ecosystem's security, as security lapses by such generators affect thousands of generated apps. The security of such generated apps, as well as their impact on the security of the overall app ecosystem, has not yet been investigated. We present the first comprehensive classification of commonly used OAGs for Android and show how to uniquely fingerprint generated apps to link them back to their generator. We thereby quantify the market penetration of these OAGs based on a corpus of 2,291,898 free Android apps from Google Play and discover that at least 11.1% of these apps were created using OAGs. Using a combination of dynamic, static, and manual analysis, we find that the services' app generation model is based on boilerplate code that is prone to reconfiguration attacks in 7/13 analyzed OAGs. Moreover, we show that this boilerplate code includes well-known security issues such as code injection vulnerabilities and insecure WebViews. Given the tight coupling of generated apps with their services' backends, we further identify security issues in their infrastructure. Due to the blackbox development approach, citizen developers are unaware of these hidden problems that ultimately put the end-users' sensitive data and privacy at risk and violate the user's trust assumption. A particularly worrisome result of our study is that OAGs indeed have a significant amplification factor for those vulnerabilities, notably harming the health of the overall mobile app ecosystem.

Keywords

    Android, app analysis, App Generator, Citizen Developer

Cite this

The Rise of the Citizen Developer: Assessing the Security Impact of Online App Generators. / Oltrogge, Marten; Derr, Erik; Stransky, Christian et al.
Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018. Institute of Electrical and Electronics Engineers Inc., 2018. p. 634-647 8418628 (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2018-May).

Oltrogge, M, Derr, E, Stransky, C, Acar, Y, Fahl, S, Rossow, C, Pellegrino, G, Bugiel, S & Backes, M 2018, The Rise of the Citizen Developer: Assessing the Security Impact of Online App Generators. in Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018., 8418628, Proceedings - IEEE Symposium on Security and Privacy, vol. 2018-May, Institute of Electrical and Electronics Engineers Inc., pp. 634-647, 39th IEEE Symposium on Security and Privacy, SP 2018, San Francisco, United States, 21 May 2018. https://doi.org/10.1109/SP.2018.00005
Oltrogge, M., Derr, E., Stransky, C., Acar, Y., Fahl, S., Rossow, C., Pellegrino, G., Bugiel, S., & Backes, M. (2018). The Rise of the Citizen Developer: Assessing the Security Impact of Online App Generators. In Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018 (pp. 634-647). Article 8418628 (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2018-May). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/SP.2018.00005
Oltrogge M, Derr E, Stransky C, Acar Y, Fahl S, Rossow C et al. The Rise of the Citizen Developer: Assessing the Security Impact of Online App Generators. In Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018. Institute of Electrical and Electronics Engineers Inc. 2018. p. 634-647. 8418628. (Proceedings - IEEE Symposium on Security and Privacy). doi: 10.1109/SP.2018.00005
Oltrogge, Marten ; Derr, Erik ; Stransky, Christian et al. / The Rise of the Citizen Developer : Assessing the Security Impact of Online App Generators. Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018. Institute of Electrical and Electronics Engineers Inc., 2018. pp. 634-647 (Proceedings - IEEE Symposium on Security and Privacy).
BibTeX
@inproceedings{e0cd5a5d7fc94d3ca821f428b3eaf9f1,
title = "The Rise of the Citizen Developer: Assessing the Security Impact of Online App Generators",
abstract = "Mobile apps are increasingly created using online application generators (OAGs) that automate app development, distribution, and maintenance. These tools significantly lower the level of technical skill that is required for app development, which makes them particularly appealing to citizen developers, i.e., developers with little or no software engineering background. However, as the pervasiveness of these tools increases, so does their overall influence on the mobile ecosystem's security, as security lapses by such generators affect thousands of generated apps. The security of such generated apps, as well as their impact on the security of the overall app ecosystem, has not yet been investigated. We present the first comprehensive classification of commonly used OAGs for Android and show how to fingerprint uniquely generated apps to link them back to their generator. We thereby quantify the market penetration of these OAGs based on a corpus of 2,291,898 free Android apps from Google Play and discover that at least 11.1% of these apps were created using OAGs. Using a combination of dynamic, static, and manual analysis, we find that the services' app generation model is based on boilerplate code that is prone to reconfiguration attacks in 7/13 analyzed OAGs. Moreover, we show that this boilerplate code includes well-known security issues such as code injection vulnerabilities and insecure WebViews. Given the tight coupling of generated apps with their services' backends, we further identify security issues in their infrastructure. Due to the blackbox development approach, citizen developers are unaware of these hidden problems that ultimately put the end-users sensitive data and privacy at risk and violate the user's trust assumption. A particular worrisome result of our study is that OAGs indeed have a significant amplification factor for those vulnerabilities, notably harming the health of the overall mobile app ecosystem.",
keywords = "Android, app analysis, App Generator, Citizen Developer",
author = "Marten Oltrogge and Erik Derr and Christian Stransky and Yasemin Acar and Sascha Fahl and Christian Rossow and Giancarlo Pellegrino and Sven Bugiel and Michael Backes",
note = "Funding Information: We would like to thank the anonymous reviewers for their valuable feedback. This work was supported by the German Federal Ministry of Education and Research (BMBF) through funding for the Center for IT-Security, Privacy and Accountability (CISPA) (FKZ: 16KIS0345, 16KIS0656), the projects SmartPriv (FKZ: 16KIS0377K) and CAMRICS (FKZ: 16KIS0656) and the CISPA-Stanford Center for Cybersecurity (FKZ: 13N1S0762). ; 39th IEEE Symposium on Security and Privacy, SP 2018 ; Conference date: 21-05-2018 Through 23-05-2018",
year = "2018",
month = jul,
day = "23",
doi = "10.1109/SP.2018.00005",
language = "English",
series = "Proceedings - IEEE Symposium on Security and Privacy",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
pages = "634--647",
booktitle = "Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018",
address = "United States",

}

RIS

TY - GEN

T1 - The Rise of the Citizen Developer

T2 - 39th IEEE Symposium on Security and Privacy, SP 2018

AU - Oltrogge, Marten

AU - Derr, Erik

AU - Stransky, Christian

AU - Acar, Yasemin

AU - Fahl, Sascha

AU - Rossow, Christian

AU - Pellegrino, Giancarlo

AU - Bugiel, Sven

AU - Backes, Michael

N1 - Funding Information: We would like to thank the anonymous reviewers for their valuable feedback. This work was supported by the German Federal Ministry of Education and Research (BMBF) through funding for the Center for IT-Security, Privacy and Accountability (CISPA) (FKZ: 16KIS0345, 16KIS0656), the projects SmartPriv (FKZ: 16KIS0377K) and CAMRICS (FKZ: 16KIS0656) and the CISPA-Stanford Center for Cybersecurity (FKZ: 13N1S0762).

PY - 2018/7/23

Y1 - 2018/7/23

N2 - Mobile apps are increasingly created using online application generators (OAGs) that automate app development, distribution, and maintenance. These tools significantly lower the level of technical skill that is required for app development, which makes them particularly appealing to citizen developers, i.e., developers with little or no software engineering background. However, as the pervasiveness of these tools increases, so does their overall influence on the mobile ecosystem's security, as security lapses by such generators affect thousands of generated apps. The security of such generated apps, as well as their impact on the security of the overall app ecosystem, has not yet been investigated. We present the first comprehensive classification of commonly used OAGs for Android and show how to fingerprint uniquely generated apps to link them back to their generator. We thereby quantify the market penetration of these OAGs based on a corpus of 2,291,898 free Android apps from Google Play and discover that at least 11.1% of these apps were created using OAGs. Using a combination of dynamic, static, and manual analysis, we find that the services' app generation model is based on boilerplate code that is prone to reconfiguration attacks in 7/13 analyzed OAGs. Moreover, we show that this boilerplate code includes well-known security issues such as code injection vulnerabilities and insecure WebViews. Given the tight coupling of generated apps with their services' backends, we further identify security issues in their infrastructure. Due to the blackbox development approach, citizen developers are unaware of these hidden problems that ultimately put the end-users sensitive data and privacy at risk and violate the user's trust assumption. A particular worrisome result of our study is that OAGs indeed have a significant amplification factor for those vulnerabilities, notably harming the health of the overall mobile app ecosystem.

AB - Mobile apps are increasingly created using online application generators (OAGs) that automate app development, distribution, and maintenance. These tools significantly lower the level of technical skill that is required for app development, which makes them particularly appealing to citizen developers, i.e., developers with little or no software engineering background. However, as the pervasiveness of these tools increases, so does their overall influence on the mobile ecosystem's security, as security lapses by such generators affect thousands of generated apps. The security of such generated apps, as well as their impact on the security of the overall app ecosystem, has not yet been investigated. We present the first comprehensive classification of commonly used OAGs for Android and show how to fingerprint uniquely generated apps to link them back to their generator. We thereby quantify the market penetration of these OAGs based on a corpus of 2,291,898 free Android apps from Google Play and discover that at least 11.1% of these apps were created using OAGs. Using a combination of dynamic, static, and manual analysis, we find that the services' app generation model is based on boilerplate code that is prone to reconfiguration attacks in 7/13 analyzed OAGs. Moreover, we show that this boilerplate code includes well-known security issues such as code injection vulnerabilities and insecure WebViews. Given the tight coupling of generated apps with their services' backends, we further identify security issues in their infrastructure. Due to the blackbox development approach, citizen developers are unaware of these hidden problems that ultimately put the end-users sensitive data and privacy at risk and violate the user's trust assumption. A particular worrisome result of our study is that OAGs indeed have a significant amplification factor for those vulnerabilities, notably harming the health of the overall mobile app ecosystem.

KW - Android

KW - app analysis

KW - App Generator

KW - Citizen Developer

UR - http://www.scopus.com/inward/record.url?scp=85051045043&partnerID=8YFLogxK

U2 - 10.1109/SP.2018.00005

DO - 10.1109/SP.2018.00005

M3 - Conference contribution

AN - SCOPUS:85051045043

T3 - Proceedings - IEEE Symposium on Security and Privacy

SP - 634

EP - 647

BT - Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 21 May 2018 through 23 May 2018

ER -