Write a Blog >>
ICSE 2020
Wed 24 June - Thu 16 July 2020
Fri 10 Jul 2020 15:00 - 15:12 at Silla - A21-Testing and Debugging 3 Chair(s): Tingting Yu

Research has established the wide variety of security failures in mobile apps, their consequences, and how app developers introduce or exacerbate them. What is not well known is why developers do so—what is the rationale underpinning the decisions they make which eventually strengthen or weaken app security? This is all the more complicated in modern app development’s increasingly diverse demographic: growing numbers of independent, solo, or small team developers who do not have the organizational structures and support that larger software development houses enjoy.

Through two studies, we open the box on developer rationale, by performing a holistic analysis of the rationale underpinning various activities in which app developers engage when developing an app.

The first study does so through a task-based study with app developers (N=44) incorporating six distinct tasks for which this developer demographic must take responsibility: setting up a development environment, reviewing code, seeking help, seeking testers, selecting an advertisement SDK, and software licensing. We found that, while on first glance in several activities participants seemed to prioritize security, only in the code task such prioritization was underpinned by a security rationale—indicating that development behavior perceived to be secure may only be an illusion until the box is opened on their rationale.

The second study confirms these findings through a wider survey of app developers (N=274) investigating to what extent they find the activities of the task-based study to affect their app’s security. In line with the task-based study, we found that developers perceived actively writing code and actively using external SDKs as the only security-relevant, while similarly disregarding other activities having an impact on app security.

Our results suggest the need for a stronger focus on the tasks and activities surrounding the coding task—all of which need to be underpinned by a security rationale. Without such a holistic focus, developers may write “secure code” but not produce “secure apps”.

Fri 10 Jul
Times are displayed in time zone: (UTC) Coordinated Universal Time change

15:00 - 16:00: A21-Testing and Debugging 3Paper Presentations / Journal First / Technical Papers at Silla
Chair(s): Tingting YuUniversity of Kentucky
15:00 - 15:12
Talk
Technical Papers
Dirk van der LindenUniversity of Bristol, Pauline AnthonysamyGoogle Inc., Bashar NuseibehThe Open University (UK) & Lero (Ireland), Thein Tun, Marian PetreThe Open University, Mark LevineLancaster University, John TowseLancaster University, Awais RashidUniversity of Bristol, UK
15:12 - 15:20
Talk
Journal First
Van-Thuan PhamMonash University, Marcel BöhmeMonash University, Andrew SantosaNational University of Singapore, Alexandru Răzvan CăciulescuUiPath, Abhik RoychoudhuryNational University of Singapore, Singapore
15:20 - 15:28
Talk
Journal First
Xuan HuoNanjing University, Ferdian ThungSingapore Management University, Ming LiNanjing University, David LoSingapore Management University, Shu-Ting ShiNanjing University
15:28 - 15:36
Talk
Journal First
Mozhan SoltaniLeiden University, Pouria DerakhshanfarDelft University of Technology, Xavier DevroeyDelft University of Technology, Arie van DeursenDelft University of Technology
Link to publication DOI Pre-print Media Attached
15:36 - 15:48
Talk
Technical Papers
Sadia TabassumUniversity of Birmingham, UK, Leandro MinkuUniversity of Birmingham, UK, Danyi FengXiLiu Tech, George CabralUniversidade Federal Rural de Pernambuco, Liyan SongUniversity of Birmingham
15:48 - 15:56
Talk
Journal First
Taher Ahmed GhalebQueen's University, Daniel Alencar Da CostaUniversity of Otago, Ying ZouQueen's University, Kingston, Ontario
Link to publication DOI Pre-print