
IEICE TRANSACTIONS on Information

Towards Finding Code Snippets on a Question and Answer Website Causing Mobile App Vulnerabilities

Hiroki NAKANO, Fumihiro KANEI, Yuta TAKATA, Mitsuaki AKIYAMA, Katsunari YOSHIOKA


Summary:

Android app developers sometimes copy code snippets posted on a question-and-answer (Q&A) website and use them in their apps. However, if a code snippet has vulnerabilities, Android apps containing the vulnerable snippet could also have the same vulnerabilities. Despite this, the effect of such vulnerable snippets on Android apps has not been investigated in depth. In this paper, we investigate the correspondence between vulnerable code snippets and vulnerable apps. We collect code snippets from a Q&A website, extract possibly vulnerable snippets, and calculate the similarity between those snippets and the bytecode of vulnerable apps. Our experimental results show that 15.8% of all evaluated apps that have SSL implementation vulnerabilities (improper host name verification), 31.7% of those that have SSL certificate verification vulnerabilities, and 3.8% of those that have WebView remote code execution vulnerabilities contain possibly vulnerable code snippets from Stack Overflow. In the worst case, a single problematic snippet caused 4,844 apps to contain a vulnerability, accounting for 31.2% of all collected apps with that vulnerability.
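As an added illustration (not the authors' tooling), the following is a small heuristic filter of the kind the "extract possibly vulnerable snippets" step requires, applied to constructed sample snippets standing in for Q&A posts. The regex patterns and the three vulnerability-class names are assumptions chosen to match the classes named in the abstract.

```python
import re

# Constructed heuristics (assumptions, not the paper's extraction rules): each
# vulnerability class named in the abstract maps to regexes over Java source
# that indicate the insecure idiom is present.
PATTERNS = {
    "improper_hostname_verification": [
        re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER"),
        # HostnameVerifier.verify() that unconditionally returns true
        re.compile(r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;", re.S),
    ],
    "improper_certificate_verification": [
        # X509TrustManager.checkServerTrusted() with an empty body
        re.compile(r"void\s+checkServerTrusted\s*\([^)]*\)[^{]*\{\s*\}", re.S),
    ],
    "webview_remote_code_execution": [
        # JavaScript bridge; only exploitable on old Android versions, hence "possibly"
        re.compile(r"addJavascriptInterface\s*\("),
    ],
}


def flag_snippet(java_source: str) -> list:
    """Return the vulnerability classes whose heuristics match the snippet."""
    return [name for name, regexes in PATTERNS.items()
            if any(r.search(java_source) for r in regexes)]


# Constructed sample snippets standing in for Q&A posts.
TRUST_ALL = """
TrustManager tm = new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] c, String a) { }
    public void checkServerTrusted(X509Certificate[] c, String a)
            throws CertificateException { }
    public X509Certificate[] getAcceptedIssuers() { return null; }
};
"""
DELEGATING = """
TrustManager tm = new X509TrustManager() {
    public void checkServerTrusted(X509Certificate[] c, String a)
            throws CertificateException { defaultTm.checkServerTrusted(c, a); }
};
"""
VERIFY_TRUE = ("HostnameVerifier hv = new HostnameVerifier() {"
               " public boolean verify(String h, SSLSession s) { return true; } };")
WEBVIEW_BRIDGE = "wv.getSettings().setJavaScriptEnabled(true); wv.addJavascriptInterface(new Bridge(), \"Android\");"

if __name__ == "__main__":
    for label, src in [("trust-all", TRUST_ALL), ("delegating", DELEGATING),
                       ("verify-true", VERIFY_TRUE), ("webview", WEBVIEW_BRIDGE)]:
        print(label, flag_snippet(src))
```

A flagged snippet is only a candidate; the paper's pipeline still has to match it against app bytecode before counting it as a cause of an app vulnerability.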

Publication
IEICE TRANSACTIONS on Information Vol.E101-D No.11 pp.2576-2583
Publication Date
2018/11/01
Publicized
2018/08/22
Online ISSN
1745-1361
DOI
10.1587/transinf.2017ICP0009
Type of Manuscript
Special Section PAPER (Special Section on Information and Communication System Security)
Category
Mobile Application and Web Security

Authors

Hiroki NAKANO
  Yokohama National University, NTT Secure Platform Laboratories
Fumihiro KANEI
  NTT Secure Platform Laboratories
Yuta TAKATA
  NTT Secure Platform Laboratories
Mitsuaki AKIYAMA
  NTT Secure Platform Laboratories
Katsunari YOSHIOKA
  Yokohama National University

Keyword