Security Smells Pervade Mobile App Servers (ESEM 2021 - Technical Papers)

Who

Pascal Gadient, Marc-Andrea Tarnutzer, Oscar Nierstrasz, Mohammad Ghafari

Track

ESEM 2021 Technical Papers

Time Zone

The program is currently displayed in (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna.

Use conference time zone: (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, ViennaSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

Save

When

Tue 12 Oct 2021 15:45 - 16:00 at ESEM ROOM - Testing & Security 2 Chair(s): Davide Fucci

Abstract

Background. Web communication is universal in cyberspace, and security risks in this domain are devastating.

Aims. We analyzed the prevalence of six security smells in mobile app servers, and we investigated the consequence of these smells from a security perspective.

Method. We used an existing dataset that includes 9 714 distinct URLs used in 3 376 Android mobile apps. We exercised these URLs twice within 14 months and investigated the HTTP headers and bodies.

Results. We found that more than 69% of tested apps suffer from three kinds of security smells, and that unprotected communication and misconfigurations are very common in servers. Moreover, source-code and version leaks, or the lack of update policies expose app servers to security risks.

Conclusions. Poor app server maintenance greatly hampers security.

Link to Preprint

https://arxiv.org/pdf/2108.07188.pdf

Pascal Gadient

University of Bern

Switzerland

Marc-Andrea Tarnutzer

University of Bern

Switzerland

Oscar Nierstrasz

University of Bern, Switzerland

Switzerland

Mohammad Ghafari

University of Auckland

New Zealand

Time Zone

The program is currently displayed in (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna.

Use conference time zone: (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, ViennaSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

Display full programSpecify a time band

Save

Session Program

Tue 12 Oct
Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change

15:30 - 16:35	Testing & Security 2Technical Papers / Emerging Results and Vision papers at ESEM ROOM Chair(s): Davide Fucci Blekinge Institute of Technology

15:30 15m Talk		Barriers to Shift-Left Security: The Unique Pain Points of Writing Automated Tests Involving Security Controls Technical Papers Danielle Gonzalez Rochester Institute of Technology and Microsoft, Paola Peralta Perez Rochester Institute of Technology, Mehdi Mirakhorli Rochester Institute of Technology DOI
15:45 15m Talk		Security Smells Pervade Mobile App Servers Technical Papers Pascal Gadient University of Bern, Marc-Andrea Tarnutzer University of Bern, Oscar Nierstrasz University of Bern, Switzerland, Mohammad Ghafari University of Auckland Pre-print
16:00 15m Talk		Who are Vulnerability Reporters? A Large-scale Empirical Study on FLOSS Technical Papers Nikolaos Alexopoulos Technical University of Darmstadt, Andy Meneely Rochester Institute of Technology, Dorian Arnouts Technical University of Darmstadt, Max Mühlhäuser Technical University of Darmstadt Pre-print
16:15 10m Talk		Python Crypto Misuses in the Wild Emerging Results and Vision papers Anna-Katharina Wickert TU Darmstadt, Germany, Lars Baumgärtner TU Darmstadt, Florian Breitfelder TU Darmstadt, Mira Mezini TU Darmstadt, Germany Pre-print Media Attached
16:25 10m Talk		Web Application Testing: Using Tree Kernels to Detect Near-duplicate States in Automated Model Inference Emerging Results and Vision papers Anna Corazza Università degli Studi di Napoli Federico II, Sergio Di Martino Università degli Studi di Napoli Federico II, Adriano Peron Università degli Studi di Napoli Federico II, Luigi Libero Lucio Starace Università degli Studi di Napoli Federico II Pre-print Media Attached

Information for Participants

Tue 12 Oct 2021 15:30 - 16:35 at ESEM ROOM - Testing & Security 2 Chair(s): Davide Fucci

Info for room ESEM ROOM:

https://www.youtube.com/c/ESEM_Conference