SCG News

Security Code Smells in Android ICC

Pascal Gadient, Mohammad Ghafari, Patrick Frischknecht, and Oscar Nierstrasz. Security Code Smells in Android ICC. In Empirical Software Engineering Special Issue, 2018. Details.

Abstract

Android Inter-Component Communication (ICC) is complex, largely unconstrained, and hard for developers to understand. As a consequence, ICC is a common source of security vulnerabilities in Android apps. To promote secure programming practices, we have reviewed related research, and identified avoidable ICC vulnerabilities in Android-run devices and the security code smells that indicate their presence. We explain the vulnerabilities and their corresponding smells, and we discuss how they can be eliminated or mitigated during development. We present a lightweight static analysis tool on top of Android Lint that analyzes the code under development and provides just-in-time feedback within the IDE about the presence of such smells in the code. Moreover, with the help of this tool we study the prevalence of security code smells in more than 700 open-source apps, and manually inspect around 15% of the apps to assess the extent to which identifying such smells uncovers ICC security vulnerabilities.

Posted by scg at 16 December 2018, 12:15 am

Smelly APIs in Android ICC Analysis of source code and relevant metadata

Astrid Ytrehorn. Smelly APIs in Android ICC Analysis of source code and relevant metadata. Bachelor’s thesis, University of Bern, September 2018. Details.

Abstract

The Android ecosystem allows development of apps with relative ease through the extensive Android API. When developing the apps, security issues are often overlooked by the developers. This thesis is based on a previous work which identified 12 such Inter-Component Communication (ICC) security smells that can lead to numerous security breaches in the system. A static code analysis tool based on Android Lint was developed to identify them. To further understand why some of these smells are so prominent, this thesis evaluated their appearances based on several aspects. First, the influence of developers in the projects was examined. The association of developers to different apps was cross-referenced with the occurrence of smells per project, and we found that for most smells the developers have a tendency to make the mistake over more than one project. We also examined how updates affect smells. The updates rarely brought a change in smells, and if they did, they tended to have a negative impact. We performed a manual analysis of the 100 apps with the most smells. The lint-based tool was found to have a good and correct detection rate. In the next study we examined whether the smells that went unreported by the tool were correctly labeled as such, and the reason for them not being detected. In most cases this was due to the relevant Android API not being used. Finally, we did a study on the location of smells in the code base. We expanded the existing linting tool to include more metadata and analyzed all the apps once more. The different smell categories tended to have a varying degree of displacement of individual smells in the code base. The average number of distinct locations grew in the order of Java package, containing class and surrounding method for most of the smells. This thesis aims to help spread awareness about ICC security smells and thereby fundamentally reduce the attack surface in Android.

Posted by scg at 4 September 2018, 4:15 pm

Software Testing in Industry — Assessing Unit Testing in an Industrial Software Project

Markus Eggimann. Software Testing in Industry — Assessing Unit Testing in an Industrial Software Project. Bachelor’s thesis, University of Bern, September 2018. Details.

Abstract

Automated testing is an important technique to ensure the quality of a software system, and there is a general consensus in industry that testing is a critical part of the development process. However, recent studies suggest that unit testing is not that widely practiced. In this thesis, we studied an industrial software project called EPOF with respect to testing. We tried to answer the questions of whether the discovery of bugs pushes the writing of tests, whether unit tests help to prevent bugs, and whether the system’s architecture facilitates or impedes unit testing. To answer those questions, we studied the bug reports and associated bug fix reports of the project. Our results showed that the test coverage was rather low; that most bugs were fixed without adding or changing any tests; that most bugs were detected by manual testers or customers and not by the existing tests; and that the testability of the code is low in most parts of the system. In 2017, the development team decided to give unit testing higher priority. Our results show that this decision, together with other development process improvements, indeed had a positive effect on the bug rate and the testability of the system.

Posted by scg at 2 September 2018, 4:15 pm

Modular Exceptions — A system for handling exceptions in a modular way

Patrick Indermühle. Modular Exceptions — A system for handling exceptions in a modular way. Bachelor’s thesis, University of Bern, September 2018. Details.

Abstract

Exception handling is an integral part of programming. However, it is often not written in a way that makes it easily reusable. We have found exception handling code to often be copy-pasted across multiple catch blocks instead of being made into a method. We also found that there are certain patterns across different methods when it comes to exception handling. That is why reusable exception handling would be a helpful feature for software development. By creating Modular Exceptions we offer a solution that enables programmers to easily apply and reuse exception handling across multiple methods. We achieved this by analyzing the knowledge gathered in previous research about exception handling and performing our own research on exception handling in Smalltalk. We then studied different implementation approaches, such as dynamically rewriting the source code and method wrappers, until we found the optimal approach. Our final product is written in Java and uses AspectJ in order to dynamically insert try-catch blocks into methods and to add exception handling into already existing catch blocks. These handler blocks are compatible with many methods and classes, and the user only has to write a few lines of code to get a specific method covered.

Posted by scg at 2 September 2018, 4:15 pm

Last changed by admin on 21 April 2009