Security code smells in Android ICC

Android Inter-Component Communication (ICC) is complex, largely unconstrained, and hard for developers to understand. As a consequence, ICC is a common source of security vulnerabilities in Android apps. To promote secure programming practices, we have reviewed related research, and identified avoidable ICC vulnerabilities in Android-run devices and the security code smells that indicate their presence. We explain the vulnerabilities and their corresponding smells, and we discuss how they can be eliminated or mitigated during development. We present a lightweight static analysis tool on top of Android Lint that analyzes the code under development and provides just-in-time feedback within the IDE about the presence of such smells in the code. Moreover, with the help of this tool we study the prevalence of security code smells in more than 700 open-source apps, and manually inspect around 15% of the apps to assess the extent to which identifying such smells uncovers ICC security vulnerabilities.

Bibliographic details

Published in: Empirical software engineering : an international journal 2019-10, Vol.24 (5), p.3046-3076
Main authors: Gadient, Pascal, Ghafari, Mohammad, Frischknecht, Patrick, Nierstrasz, Oscar
Format: Article
Language: eng
Online access: Full text
DOI: 10.1007/s10664-018-9673-y
ISSN: 1382-3256; EISSN: 1573-7616
Source: SpringerLink Journals - AutoHoldings
Subjects: Applications programs; Compilers; Computer Science; Interpreters; Lint; Programming Languages; Security; Security management; Software Engineering/Programming and Operating Systems; Static code analysis