publication . Preprint . Conference object . 2017

Stack Overflow Considered Harmful? The Impact of Copy&Paste on Android Application Security

Fischer, F.; Böttinger, K.; Xiao, H.; Stransky, C.; Acar, Y.; Backes, M.; Fahl, S.;
Open Access English
  • Published: 09 Oct 2017
  • Country: Germany
Abstract
Online programming discussion platforms such as Stack Overflow serve as a rich source of information for software developers. The available information includes vibrant discussions and oftentimes ready-to-use code snippets. Previous research identified Stack Overflow as one of the most important information sources developers rely on. Anecdotes report that software developers copy and paste code snippets from those information sources for convenience reasons. Such behavior results in a constant flow of community-provided code snippets into production software. To date, the impact of this behavior on code security is unknown. We answer this highly important question...
Subjects
free text keywords: Computer Science - Cryptography and Security, Stochastic gradient descent, Cryptography, business.industry, business, Code reuse, Classifier (linguistics), Software, Application security, Static analysis, Computer security, computer.software_genre, computer, Database, Android (operating system), Computer science
51 references, page 1 of 4

[1] A. Porter Felt, E. Chin, S. Hanna, D. Song, and D. Wagner, “Android Permissions Demystified,” in Proceedings of the 18th ACM Conference on Computer and Communications Security. ACM Press, Oct. 2011.

[2] S. Fahl, M. Harbach, T. Muders, M. Smith, L. Baumgärtner, and B. Freisleben, “Why Eve and Mallory love Android: An analysis of Android SSL (in)security,” in Proc. 19th ACM Conference on Computer and Communication Security (CCS'12). ACM, 2012.

[3] M. Egele, D. Brumley, Y. Fratantonio, and C. Kruegel, “An empirical study of cryptographic misuse in Android applications,” in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, ser. CCS '13, 2013.

[4] Oracle, “Java SE 8,” http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136007.html.

[5] A. Zhitnitsky, “Libraries on GitHub,” http://blog.takipi.com/we-analyzed-60678-libraries-on-github-here-are-the-top-100, 2015.

[6] T. Duong and J. Rizzo, “Cryptography in the web: The case of cryptographic design flaws in asp.net,” in 2011 IEEE Symposium on Security and Privacy, 2011.

[7] A. Dey and S. Weis, “Keyczar: A cryptographic toolkit,” 2008.

[8] jasypt, “Java simplified encryption,” http://www.jasypt.org, 2014.

[9] D. González, O. Esparza, J. L. Muñoz, J. Alins, and J. Mata, Future Network Systems and Security: First International Conference, FNSS 2015, Paris, France, June 11-13, 2015, Proceedings. Cham: Springer International Publishing, 2015, ch. Evaluation of Cryptographic Capabilities for the Android Platform, pp. 16-30.

[10] B. Dagenais and L. Hendren, “Enabling static analysis for partial Java programs,” in Proceedings of the 23rd ACM SIGPLAN Conference on Object-oriented Programming Systems Languages and Applications, ser. OOPSLA '08, 2008.

[11] S. Subramanian, L. Inozemtseva, and R. Holmes, “Live api documentation,” in Proceedings of the 36th International Conference on Software Engineering, ser. ICSE 2014, 2014.

[12] Y. Sheffer and R. Holz, “Recommendations for secure use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS),” Tech. Rep., 2015.

[13] B. Kaliski, “PKCS #5: Password-Based cryptography specification version 2.0,” Internet Engineering Task Force, RFC 2898, Sep. 2000. [Online]. Available: http://www.rfc-editor.org/rfc/rfc2898.txt

[14] J. Manger, “A chosen ciphertext attack on rsa optimal asymmetric encryption padding (oaep) as standardized in pkcs #1 v2.0,” in Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology, ser. CRYPTO '01, 2001.

[15] E. Barker and A. Roginsky, “Transitions: Recommendation for transitioning the use of cryptographic algorithms and key lengths,” http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf.
