TeamUSEC

How Internet Resources Might Be Helping You Develop Faster but Less Securely

Yasemin Acar, Michael Backes, Sascha Fahl, Doowon Kim, Michelle L. Mazurek and Christian Stransky.
IEEE Secur. Priv., 15 (2), p. 50-60, 2017.

Abstract

In an experiment, Android developers using Stack Overflow to solve common security issues produced functional—but less secure—code. Given today’s time constraints and economic pressures, developers need improved official documentation that’s both secure and usable.

Mobile devices in general and Android in particular are a growing market, rapidly surpassing desktops and attracting many sometimes-new developers. Security and privacy problems in mobile apps are well-documented; they are sometimes attributed to developers who are inexperienced, distracted, or overwhelmed. For example, developers often request more permissions than are actually needed, fail to correctly use secure networking or cryptographic APIs, use insecure options for intercomponent communications (ICCs), and fail to store sensitive information in private areas. Researchers and practitioners have speculated that one root cause for these programming errors is APIs that are too complicated or insufficiently documented, sending developers to a search engine for help to solve unfamiliar problems. These searches often lead to official API documentation, blog posts, or Q&A forums such as Stack Overflow; the security quality of content available at these resources can vary widely. Author Sascha Fahl and his colleagues, for example, interviewed Android developers whose use of pasted code snippets from Stack Overflow made their code vulnerable to man-in-the-middle (MITM) attacks.
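The MITM-prone snippet mentioned above is, in its canonical form, an "accept all certificates" TrustManager plus a hostname verifier that always returns true; it is pasted because the developer wants to reach a test server with a self-signed certificate. The following added example (not code from the paper or its authors) shows that pattern beside the fix the developer actually needed: keep platform certificate validation and hostname checking, and add the private CA to a dedicated trust store instead of disabling checks. The `caPem` parameter and the `"dev-ca"` alias are assumptions for illustration; the caller supplies the PEM-encoded CA certificate.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class TlsTrustExample {

    /**
     * The "trust everything" snippet as it circulates on Q&A sites.
     * checkServerTrusted never throws, so any chain (including one forged
     * by an on-path attacker) is accepted. Do not use this.
     */
    public static SSLContext insecureContext() throws GeneralSecurityException {
        TrustManager[] trustAll = {
            new X509TrustManager() {
                @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        return ctx;
    }

    /** Second half of the usual snippet: disables hostname verification as well. */
    public static void applyInsecure(HttpsURLConnection conn) throws GeneralSecurityException {
        conn.setSSLSocketFactory(insecureContext().getSocketFactory());
        conn.setHostnameVerifier((hostname, session) -> true); // any name matches
    }

    /**
     * Hardened variant for the real need (a private or self-signed CA):
     * validation stays on, but the chain must terminate in the supplied CA.
     * Hostname verification is left at HttpsURLConnection's default.
     * caPem: PEM text of the CA certificate (assumed to be supplied by the caller).
     */
    public static SSLContext privateCaContext(String caPem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new ByteArrayInputStream(caPem.getBytes(StandardCharsets.US_ASCII));
        Certificate ca = cf.generateCertificate(in);

        // Empty in-memory trust store containing only the private CA.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("dev-ca", ca); // alias is an illustrative choice

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Hardened variant for public servers: the platform trust store, untouched. */
    public static SSLContext platformContext() throws GeneralSecurityException {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = platform default trust store
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void applyHardened(HttpsURLConnection conn, SSLContext ctx) {
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // No setHostnameVerifier call: the default verifier checks the name.
    }
}
```

Review check when reading pasted networking code: an `X509TrustManager` whose `checkServerTrusted` body is empty, a `HostnameVerifier` that returns `true`, or `getAcceptedIssuers` returning an empty array are the three tell-tale lines. On Android 7.0 and later the private-CA case is better expressed declaratively in a Network Security Config (`res/xml/network_security_config.xml`, with a `<trust-anchors>` entry scoped to the development domain) than in code, which also prevents the override from being shipped in a release build by accident.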

Reference

@article{DBLP:journals/ieeesp/AcarBFKMS17,
  author    = {Yasemin Acar and Michael Backes and Sascha Fahl and Doowon Kim and Michelle L. Mazurek and Christian Stransky},
  title     = {How Internet Resources Might Be Helping You Develop Faster but Less Securely},
  journal   = {IEEE Secur. Priv.},
  volume    = {15},
  number    = {2},
  pages     = {50--60},
  year      = {2017},
  doi       = {10.1109/MSP.2017.24},
  url       = {https://doi.org/10.1109/MSP.2017.24},
  biburl    = {https://dblp.org/rec/journals/ieeesp/AcarBFKMS17.bib},
  bibsource = {dblp computer science bibliography, https://dblp.org}
}