Security Smells Pervade Mobile App Servers
Pascal Gadient, Marc-Andrea Tarnutzer, Oscar Nierstrasz and Mohammad Ghafari

TL;DR
This study reveals that a significant majority of mobile app servers suffer from security smells, such as misconfigurations and unprotected communication, which pose substantial security risks and are caused by poor maintenance practices.
Contribution
It provides an empirical analysis of security smells in mobile app servers and highlights their prevalence and security implications.
Findings
Over 69% of apps have at least three security smells.
Unprotected communication and misconfigurations are very common.
Source-code leaks and lack of updates increase security risks.
Abstract
[Background] Web communication is universal in cyberspace, and security risks in this domain are devastating. [Aims] We analyzed the prevalence of six security smells in mobile app servers, and we investigated the consequence of these smells from a security perspective. [Method] We used an existing dataset that includes 9714 distinct URLs used in 3376 Android mobile apps. We exercised these URLs twice within 14 months and investigated the HTTP headers and bodies. [Results] We found that more than 69% of tested apps suffer from three kinds of security smells, and that unprotected communication and misconfigurations are very common in servers. Moreover, source-code and version leaks, or the lack of update policies expose app servers to security risks. [Conclusions] Poor app server maintenance greatly hampers security.
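The abstract describes the method only in outline: exercise each URL, look at the HTTP headers and body, and classify what comes back into security smells. The following example, added here and not the authors' tooling, shows what such a classification can look like for the smell categories the abstract names (unprotected communication, misconfiguration, version leak, source-code leak, and lack of updates across two snapshots). The sample responses, the URL, the header names checked and the matching heuristics are all constructed assumptions for illustration, not the paper's actual rules or data.

```python
import re
from urllib.parse import urlparse

# Constructed sample (hypothetical host, not from the study): a raw HTTP
# response as a poorly maintained app server might return it.
SAMPLE_URL = "http://api.example.invalid/v1/config"
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.18 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.6.40\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<?php\n$db = new PDO('mysql:host=localhost', 'root', 'secret');\n"
)

# Constructed counterpart: the same endpoint served over TLS with HSTS,
# no version strings and an ordinary JSON body.
HARDENED_URL = "https://api.example.invalid/v1/config"
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"ok": true}\n'
)

# Heuristic (assumption): a "/1.2.3"-style token in a banner header is a version leak.
VERSION_RE = re.compile(r"/\d+(\.\d+)+")
# Heuristic (assumption): server-side source or stack traces in a body mean a source-code leak.
SOURCE_LEAK_RE = re.compile(
    r"<\?php|Traceback \(most recent call last\)|at [\w.$]+\(\w+\.java:\d+\)"
)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_smells(url, raw):
    """Return the list of smell labels found in one observation of an endpoint."""
    _, headers, body = parse_response(raw)
    smells = []
    scheme = urlparse(url).scheme
    if scheme == "http":
        smells.append("unprotected-communication")
    # Missing HSTS on an HTTPS endpoint is treated as a misconfiguration (assumption).
    if scheme == "https" and "strict-transport-security" not in headers:
        smells.append("misconfiguration:missing-hsts")
    for name in ("server", "x-powered-by"):
        if name in headers and VERSION_RE.search(headers[name]):
            smells.append(f"version-leak:{name}")
    if SOURCE_LEAK_RE.search(body):
        smells.append("source-code-leak")
    return smells


def unchanged_version(first_raw, second_raw, header="server"):
    """True when the same leaked version string is seen in both snapshots,
    i.e. the server was not updated between the two observations (heuristic)."""
    _, h1, _ = parse_response(first_raw)
    _, h2, _ = parse_response(second_raw)
    v1 = VERSION_RE.search(h1.get(header, ""))
    v2 = VERSION_RE.search(h2.get(header, ""))
    return bool(v1 and v2 and v1.group(0) == v2.group(0))


if __name__ == "__main__":
    print(find_smells(SAMPLE_URL, SAMPLE_RESPONSE))
    print(find_smells(HARDENED_URL, HARDENED_RESPONSE))
    print(unchanged_version(SAMPLE_RESPONSE, SAMPLE_RESPONSE))
```

Run against the constructed responses, the first endpoint yields four smells and the hardened one none; feeding two snapshots of the same server to `unchanged_version` models the "exercised twice within 14 months" part of the method, where an identical version banner a year later is a signal of the missing update policy the abstract mentions.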
