Android: Improvement of Security Smell detections and evaluation on practitioners
This project is intended for MSc students.
Android apps make use of an ever-growing set of platform features, and with them the risk of introducing insecure code, for example in the form of Security Smells, grows as well.
Such weaknesses open the door to threats such as data manipulation and data breaches, app hijacking, or various kinds of extortion.
State of the art
The current work on Security Smells includes a definition of common smells in the Android ecosystem together with a refined list of Android ICC (inter-component communication) smells. Furthermore, a tool exists that detects and reports these smells not only in compiled binaries but also during live programming sessions in Android Studio, which greatly supports security-inexperienced practitioners.
The project proceeds in three steps: first, design more sophisticated detection strategies that further improve the quality of the results; second, implement these strategies in the tool; and finally, evaluate the improved tool with students and other practitioners who agree to participate in the project.
The focus of this project lies on the elaboration of existing smells, their implementation in Java (the AST traversal), and ultimately the evaluation of the tool.
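To make the "implementation in Java, the AST traversal" concrete, here is an added example that is not the project's tool and not code from the page: a hypothetical Android Lint detector, written against the Lint API (lint-api 26 or newer, an assumption; the page does not say which framework the tool uses), for two broadcast-related ICC smells. Lint walks the UAST of each source file and hands the detector every call whose method name it asked for; the detector then resolves the callee and decides whether to report. Issue IDs, priorities and messages are illustrative choices.

```java
import com.android.tools.lint.client.api.IssueRegistry;
import com.android.tools.lint.detector.api.ApiKt;
import com.android.tools.lint.detector.api.Category;
import com.android.tools.lint.detector.api.Detector;
import com.android.tools.lint.detector.api.Implementation;
import com.android.tools.lint.detector.api.Issue;
import com.android.tools.lint.detector.api.JavaContext;
import com.android.tools.lint.detector.api.Scope;
import com.android.tools.lint.detector.api.Severity;
import com.android.tools.lint.detector.api.SourceCodeScanner;
import com.intellij.psi.PsiMethod;
import com.intellij.psi.PsiParameter;
import org.jetbrains.uast.UCallExpression;
import org.jetbrains.uast.UExpression;
import org.jetbrains.uast.ULiteralExpression;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Hypothetical Lint detector (illustration only, not the project's tool) for two
 * ICC smells around broadcasts: sticky broadcasts, which cannot be protected by a
 * permission at all, and broadcasts sent without a receiverPermission, which are
 * delivered to every app whose receiver matches the intent.
 */
public class BroadcastSmellDetector extends Detector implements SourceCodeScanner {

    private static final Implementation IMPL =
            new Implementation(BroadcastSmellDetector.class, Scope.JAVA_FILE_SCOPE);

    // Issue IDs, priorities and texts are illustrative choices, not the project's.
    public static final Issue STICKY_BROADCAST = Issue.create(
            "StickyBroadcast", "Sticky broadcast used",
            "Sticky broadcasts are deprecated and cannot be restricted by a permission; "
                    + "any app can read, replace or remove them.",
            Category.SECURITY, 7, Severity.WARNING, IMPL);

    public static final Issue UNPROTECTED_BROADCAST = Issue.create(
            "UnprotectedBroadcast", "Broadcast sent without a receiver permission",
            "Without a receiverPermission every app whose receiver matches the intent "
                    + "gets the payload; pass a permission or use an explicit intent.",
            Category.SECURITY, 6, Severity.WARNING, IMPL);

    private static final List<String> STICKY =
            Arrays.asList("sendStickyBroadcast", "sendStickyOrderedBroadcast");
    // Context overloads whose second parameter, when present, is the String receiverPermission.
    private static final List<String> PERMISSION_AWARE =
            Arrays.asList("sendBroadcast", "sendOrderedBroadcast");

    @Override
    public List<String> getApplicableMethodNames() {
        List<String> names = new ArrayList<>(STICKY);
        names.addAll(PERMISSION_AWARE);
        return names;
    }

    @Override
    public void visitMethodCall(JavaContext context, UCallExpression node, PsiMethod method) {
        // False-positive filter: only android.content.Context (Activity, Service, ...) does ICC.
        // LocalBroadcastManager.sendBroadcast has the same name but never leaves the process.
        if (!context.getEvaluator().isMemberInSubClassOf(method, "android.content.Context", false)) {
            return;
        }
        String name = method.getName();
        if (STICKY.contains(name)) {
            context.report(STICKY_BROADCAST, node, context.getLocation(node),
                    "`" + name + "` cannot be protected by a permission; use sendBroadcast with a receiverPermission");
            return;
        }
        if (PERMISSION_AWARE.contains(name) && !hasReceiverPermission(method, node)) {
            context.report(UNPROTECTED_BROADCAST, node, context.getLocation(node),
                    "`" + name + "` is called without a receiverPermission");
        }
    }

    /** True only when the resolved overload takes a String receiverPermission and the call passes a non-null one. */
    private static boolean hasReceiverPermission(PsiMethod method, UCallExpression call) {
        PsiParameter[] params = method.getParameterList().getParameters();
        if (params.length < 2 || !"java.lang.String".equals(params[1].getType().getCanonicalText())) {
            return false; // e.g. sendBroadcast(Intent): no permission parameter at all
        }
        List<UExpression> args = call.getValueArguments();
        if (args.size() < 2) {
            return false;
        }
        UExpression perm = args.get(1);
        // sendBroadcast(intent, null) is equivalent to passing no permission.
        return !(perm instanceof ULiteralExpression && ((ULiteralExpression) perm).getValue() == null);
    }

    /** Registry that exposes the issues to Lint; listed in META-INF/services/com.android.tools.lint.client.api.IssueRegistry. */
    public static class Registry extends IssueRegistry {
        @Override
        public List<Issue> getIssues() {
            return Arrays.asList(STICKY_BROADCAST, UNPROTECTED_BROADCAST);
        }

        @Override
        public int getApi() {
            return ApiKt.CURRENT_API;
        }
    }
}
```

Packaged as a lint jar and added to an app module via a `lintChecks` dependency, the warnings appear inline in Android Studio while the developer types, which is the live-session feedback the page describes. Note the limits of a pure call-site check: it cannot tell whether the intent passed to `sendBroadcast` is explicit (and therefore safe even without a permission), so it will over-report in that case; tracking the intent back to its construction and its `setPackage`/`setComponent` calls is exactly the kind of more sophisticated detection strategy the project aims to add.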
Guiding research questions
- How can we improve the quality of the results?
- How and to what extent does the tool influence the workflow of developers?
- What are the security gains from using the tool?