Mobile apps provide various critical services, such as banking, communication, and healthcare. To this end, they have access to our personal information and have the ability to perform actions on our behalf. Hence, securing mobile apps is crucial to ensuring the privacy and safety of its users. Recent research efforts have focused on developing solutions to secure mobile ecosystems (i.e., app platforms, apps, and app stores), specifically in the context of detecting vulnerabilities in Android apps. Despite this attention, known vulnerabilities are often found in mobile apps, which can be exploited by malicious apps to harm the user. Further, fixing vulnerabilities after developing an app has downsides in terms of time, resources, user inconvenience, and information loss. In an attempt to address this concern, we have developed SeMA, a mobile app development methodology that builds on existing mobile app design artifacts such as storyboards. With SeMA, security is a first-class citizen in an app's design -- app designers and developers can collaborate to specify and reason about the security properties of an app at an abstract level without being distracted by implementation level details. Our realization of SeMA using Android Studio tooling demonstrates the methodology is complementary to existing design and development practices. An evaluation of the effectiveness of SeMA shows the methodology can detect and help prevent 49 vulnerabilities known to occur in Android apps. Further, a usability study of the methodology involving ten real-world developers shows the methodology is likely to reduce the development time and help developers uncover and prevent known vulnerabilities while designing apps.
翻译:移动应用程序提供各种关键服务,例如银行、通信和医疗保健。 为此,他们可以获取我们的个人信息,并有能力代表我们采取行动。 因此,确保移动应用程序对于确保用户的隐私和安全至关重要。 最近的研究重点是制定解决方案,确保移动生态系统的安全(即应用程序平台、应用程序和应用程序仓库),特别是在发现安纳罗应用程序的脆弱性方面。尽管如此,在移动应用程序中经常发现已知的弱点,这些弱点可能被恶意应用程序用来伤害用户。此外,在开发一个应用程序后,在时间、资源、用户不便和信息损失方面弥补脆弱性。为了解决这一关切,我们开发了SEMA,这是一个移动应用程序开发方法,它以现有移动应用程序设计工艺如故事板为基础。与SEMA, 安全是软件设计的一流公民 -- -- 应用程序设计师和开发商可以合作,在不因执行层细节而分心的情况下,确定一个软件的安全特性和理由。我们利用SEMA进行的时间评估后,使用安纳罗比工具方法进行设计,同时展示SeMA的实用性方法,以现有的方法为补充性。