Published in:

01.02.2025

From guidelines to practice: assessing Android app developer compliance with Google's security recommendations

Authors: Shishuai Yang, Qinsheng Hou, Shuang Li, Fenghao Xu, Wenrui Diao

Published in: Empirical Software Engineering | Issue 1/2025


Abstract

The popularity of Android OS is largely credited to its massive number of apps, and many app developers are involved in this ecosystem. On the other hand, developers carelessly introduce various vulnerabilities into apps, bringing security risks to users. To facilitate secure development and avoid common API misuses, Google provides a series of security guidelines and development practices for developers on its official developer community websites. However, the adoption rate of these security guidelines in the real world has not been systematically evaluated. In this work, through large-scale app measurement (108,091 apps from Google Play) and analysis, we investigated whether app developers follow the official Android security guidelines and the possible reasons behind it. In practice, we selected nine guidelines and mapped them to four OWASP MASVS control groups (MASVS-STORAGE, MASVS-NETWORK, MASVS-PLATFORM, and MASVS-CODE) as representatives, covering: (1) sensitive data storage; (2) validation checks for file paths; (3) network security measures; (4) custom permission protection; (5) WebView object usage; (6) intent vulnerabilities; (7) secure file creation modes; (8) hardware ID usage; (9) man-in-the-middle attacks. We also designed the corresponding detection strategies to identify violations of the guidelines. The results show that most developers (> 90%) comply with Guidelines 1 and 7. However, some guidelines have not been followed properly: for Guidelines 2, 3, 4, 5, 6, and 8, less than 60% of developers followed Google's security suggestions.


Footnotes

1. Package name: com.infonuascape.osrshelper
2. Package name: com.familylocator.gpstracker
3. In most cases, signature and signatureOrSystem are equivalent.
4. Package name: com.wFishingNemo_9006313
5. Package name: com.petrguskov.AerialPlatformsWallpaper
6. Package name: com.africasunrise.skinseed
 
Metadata

Title: From guidelines to practice: assessing Android app developer compliance with Google's security recommendations
Authors: Shishuai Yang, Qinsheng Hou, Shuang Li, Fenghao Xu, Wenrui Diao
Publication date: 01.02.2025
Publisher: Springer US
Published in: Empirical Software Engineering / Issue 1/2025
Print ISSN: 1382-3256
Electronic ISSN: 1573-7616
DOI: https://doi.org/10.1007/s10664-024-10559-0