A Stitch in Time: Supporting Android Developers in WritingSecure Code

Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security Pub Date : 2017-10-30 DOI:10.1145/3133956.3133977

Duc Cuong Nguyen, Dominik Wermke, Y. Acar, M. Backes, Charles Weir, S. Fahl

{"title":"A Stitch in Time: Supporting Android Developers in WritingSecure Code","authors":"Duc Cuong Nguyen, Dominik Wermke, Y. Acar, M. Backes, Charles Weir, S. Fahl","doi":"10.1145/3133956.3133977","DOIUrl":null,"url":null,"abstract":"Despite security advice in the official documentation and an extensive body of security research about vulnerabilities and exploits, many developers still fail to write secure Android applications. Frequently, Android developers fail to adhere to security best practices, leaving applications vulnerable to a multitude of attacks. We point out the advantage of a low-time-cost tool both to teach better secure coding and to improve app security. Using the FixDroid IDE plug-in, we show that professional and hobby app developers can work with and learn from an in-environment tool without it impacting their normal work; and by performing studies with both students and professional developers, we identify key UI requirements and demonstrate that code delivered with such a tool by developers previously inexperienced in security contains significantly less security problems. Perfecting and adding such tools to the Android development environment is an essential step in getting both security and privacy for the next generation of apps.","PeriodicalId":191367,"journal":{"name":"Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security","volume":"85 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-10-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"107","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3133956.3133977","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 107

Abstract

Despite security advice in the official documentation and an extensive body of security research about vulnerabilities and exploits, many developers still fail to write secure Android applications. Frequently, Android developers fail to adhere to security best practices, leaving applications vulnerable to a multitude of attacks. We point out the advantage of a low-time-cost tool both to teach better secure coding and to improve app security. Using the FixDroid IDE plug-in, we show that professional and hobby app developers can work with and learn from an in-environment tool without it impacting their normal work; and by performing studies with both students and professional developers, we identify key UI requirements and demonstrate that code delivered with such a tool by developers previously inexperienced in security contains significantly less security problems. Perfecting and adding such tools to the Android development environment is an essential step in getting both security and privacy for the next generation of apps.

查看原文本刊更多论文

A Stitch in Time:支持Android开发者编写安全代码

尽管官方文档中有安全建议，并且有大量关于漏洞和利用的安全研究，但许多开发人员仍然无法编写安全的Android应用程序。通常情况下，Android开发人员未能坚持安全最佳实践，使应用程序容易受到大量攻击。我们指出了低时间成本工具的优势，既可以教授更好的安全编码，又可以提高应用程序的安全性。使用FixDroid IDE插件，我们展示了专业和业余应用程序开发人员可以使用和学习环境中的工具，而不会影响他们的正常工作;通过与学生和专业开发人员一起进行研究，我们确定了关键的UI需求，并证明了以前在安全性方面缺乏经验的开发人员使用这种工具交付的代码包含的安全性问题要少得多。完善和添加这些工具到Android开发环境中是为下一代应用程序获得安全和隐私的重要一步。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

自引率

0.00%

发文量