[Background] Web communication is universal in cyberspace, and security risks in this domain are devastating. [Aims] We analyzed the prevalence of six security smells in mobile app servers, and we investigated the consequence of these smells from a security perspective. [Method] We used an existing dataset that includes 9714 distinct URLs used in 3376 Android mobile apps. We exercised these URLs twice within 14 months and investigated the HTTP headers and bodies. [Results] We found that more than 69% of tested apps suffer from three kinds of security smells, and that unprotected communication and misconfigurations are very common in servers. Moreover, source-code and version leaks, or the lack of update policies expose app servers to security risks. [Conclusions] Poor app server maintenance greatly hampers security.
@article{arxiv.2108.07188,
title = {Security Smells Pervade Mobile App Servers},
author = {Pascal Gadient and Marc-Andrea Tarnutzer and Oscar Nierstrasz and Mohammad Ghafari},
journal= {arXiv preprint arXiv:2108.07188},
year = {2021}
}
Comments
ACM / IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM 2021)