Schrödinger's Security: Opening the Box on App Developers' Security Rationale (ICSE 2020 - Technical Papers)

Wed 24 June - Thu 16 July 2020

Who

Dirk van der Linden, Pauline Anthonysamy, Bashar Nuseibeh, Thein Tun, Marian Petre, Mark Levine, John Towse, Awais Rashid

Track

ICSE 2020 Technical Papers

Time Zone

The program is currently displayed in (UTC) Coordinated Universal Time.

Use conference time zone: (UTC) Coordinated Universal TimeSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

Save

When

Fri 10 Jul 2020 15:00 - 15:12 at Silla - A21-Testing and Debugging 3 Chair(s): Tingting Yu

Abstract

Research has established the wide variety of security failures in mobile apps, their consequences, and how app developers introduce or exacerbate them. What is not well known is why developers do so—what is the rationale underpinning the decisions they make which eventually strengthen or weaken app security? This is all the more complicated in modern app development’s increasingly diverse demographic: growing numbers of independent, solo, or small team developers who do not have the organizational structures and support that larger software development houses enjoy.

Through two studies, we open the box on developer rationale, by performing a holistic analysis of the rationale underpinning various activities in which app developers engage when developing an app.

The first study does so through a task-based study with app developers (N=44) incorporating six distinct tasks for which this developer demographic must take responsibility: setting up a development environment, reviewing code, seeking help, seeking testers, selecting an advertisement SDK, and software licensing. We found that, while on first glance in several activities participants seemed to prioritize security, only in the code task such prioritization was underpinned by a security rationale—indicating that development behavior perceived to be secure may only be an illusion until the box is opened on their rationale.

The second study confirms these findings through a wider survey of app developers (N=274) investigating to what extent they find the activities of the task-based study to affect their app’s security. In line with the task-based study, we found that developers perceived actively writing code and actively using external SDKs as the only security-relevant, while similarly disregarding other activities having an impact on app security.

Our results suggest the need for a stronger focus on the tasks and activities surrounding the coding task—all of which need to be underpinned by a security rationale. Without such a holistic focus, developers may write “secure code” but not produce “secure apps”.

Dirk van der Linden

University of Bristol

Pauline Anthonysamy

Google Inc.

Bashar Nuseibeh

The Open University (UK) & Lero (Ireland)

United Kingdom

Thein Tun

Marian Petre

The Open University

United Kingdom

Mark Levine

Lancaster University

John Towse

Lancaster University

United Kingdom

Awais Rashid

University of Bristol, UK

United Kingdom

Time Zone

The program is currently displayed in (UTC) Coordinated Universal Time.

Use conference time zone: (UTC) Coordinated Universal TimeSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

Display full programSpecify a time band

Save

Session Program

Fri 10 Jul
Displayed time zone: (UTC) Coordinated Universal Time change

15:00 - 16:00	A21-Testing and Debugging 3Journal First / Technical Papers at Silla Chair(s): Tingting Yu University of Kentucky

15:00 12m Talk		Schrödinger's Security: Opening the Box on App Developers' Security RationaleTechnical Technical Papers Dirk van der Linden University of Bristol, Pauline Anthonysamy Google Inc., Bashar Nuseibeh The Open University (UK) & Lero (Ireland), Thein Tun , Marian Petre The Open University, Mark Levine Lancaster University, John Towse Lancaster University, Awais Rashid University of Bristol, UK
15:12 8m Talk		Smart Greybox FuzzingJ1 Journal First Van-Thuan Pham Monash University, Marcel Böhme Monash University, Andrew Santosa National University of Singapore, Alexandru Răzvan Căciulescu UiPath, Abhik Roychoudhury National University of Singapore, Singapore
15:20 8m Talk		Deep Transfer Bug LocalizationJ1 Journal First Xuan Huo Nanjing University, Ferdian Thung Singapore Management University, Ming Li Nanjing University, David Lo Singapore Management University, Shu-Ting Shi Nanjing University
15:28 8m Talk		A Benchmark-Based Evaluation of Search-Based Crash ReproductionJ1 Journal First Mozhan Soltani Leiden University, Pouria Derakhshanfar Delft University of Technology, Xavier Devroey Delft University of Technology, Arie van Deursen Delft University of Technology Link to publication DOI Pre-print Media Attached
15:36 12m Talk		An Investigation of Cross-Project Learning in Online Just-In-Time Software Defect PredictionTechnical Technical Papers Sadia Tabassum University of Birmingham, UK, Leandro Minku University of Birmingham, UK, Danyi Feng XiLiu Tech, George Cabral Universidade Federal Rural de Pernambuco, Liyan Song University of Birmingham
15:48 8m Talk		An Empirical Study of the Long Duration of Continuous Integration BuildsJ1 Journal First Taher A Ghaleb Queen's University, Daniel Alencar Da Costa University of Otago, Ying Zou Queen's University, Kingston, Ontario Link to publication DOI Pre-print