Schrödinger's Security: Opening the Box on App Developers' Security Rationale

Dirk Van Der Linden, Pauline Anthonysamy, Bashar Nuseibeh, Thein Tan Tun, Marian Petre, Mark Levine, John N. Towse, Awais Rashid

Research output: Chapter in Book/Report/Conference proceedingConference Contribution (Conference Proceeding)

30 Citations (Scopus)
414 Downloads (Pure)

Abstract

Research has established the wide variety of security failures in mobile apps, their consequences, and how app developers introduce or exacerbate them. What is not well known is why developers do so—what is the rationale underpinning the decisions they make which eventually strengthen or weaken app security? This is all the more complicated in modern app development’s increasingly diverse demographic: growing numbers of independent, solo, or small team developers who do not have the organizational structures and support that larger software development houses enjoy.

Through two studies, we open the box on developer rationale, by performing a holistic analysis of the rationale underpinning various activities in which app developers engage when developing an app.

The first study does so through a task-based study with app developers (N=44) incorporating six distinct tasks for which this developer demographic must take responsibility: setting up a development environment, reviewing code, seeking help, seeking testers, selecting an advertisement SDK, and software licensing. We found that, while on first glance in several activities participants seemed to prioritize security, only in the code task such prioritization was underpinned by a security rationale—indicating that development behavior perceived to be secure may only be an illusion until the box is opened on their rationale.

The second study confirms these findings through a wider survey of app developers (N=274) investigating to what extent they find the activities of the task-based study to affect their app’s security. In line with the task-based study, we found that developers perceived actively writing code and actively using external SDKs as the only security-relevant, while similarly disregarding other activities having an impact on app security.

Our results suggest the need for a stronger focus on the tasks and activities surrounding the coding task—all of which need to be underpinned by a security rationale. Without such a holistic focus, developers may write “secure code” but not produce “secure apps”.
Original languageEnglish
Title of host publicationICSE '20: Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering
PublisherInstitute of Electrical and Electronics Engineers (IEEE)
Pages149-160
Number of pages12
ISBN (Electronic)978-1-4503-7121-6
DOIs
Publication statusPublished - 1 Jun 2020
EventThe 42nd International Conference on Software Engineering - https://conf.researchr.org/home/icse-2020, Seoul, Korea, Republic of
Duration: 23 May 202029 May 2020
Conference number: 42
https://conf.researchr.org/home/icse-2020

Publication series

Name
ISSN (Print)2574-1926

Conference

ConferenceThe 42nd International Conference on Software Engineering
Abbreviated titleICSE 2020
Country/TerritoryKorea, Republic of
CitySeoul
Period23/05/2029/05/20
Internet address

Research Groups and Themes

  • Cyber Security

Access to Document

  • Full-text PDF (accepted author manuscript)

    This is the author accepted manuscript (AAM). The final published version (version of record) is available online via Institute of Electrical and Electronics Engineers at https://dl.acm.org/doi/abs/10.1145/3377811.3380394 . Please refer to any applicable terms of use of the publisher.

    Accepted author manuscript, 2.45 MB
  • Supplementary informationAccepted author manuscript, 1.26 MB

Handle.net

Other files and links

    Fingerprint

    Dive into the research topics of 'Schrödinger's Security: Opening the Box on App Developers' Security Rationale'. Together they form a unique fingerprint.
    View full fingerprint

    Cite this