Stack Overflow Considered Harmful? The Impact of Copy&Paste on Android Application Security (1710.03135v1)

Published 9 Oct 2017 in cs.CR

Abstract: Online programming discussion platforms such as Stack Overflow serve as a rich source of information for software developers. Available information include vibrant discussions and oftentimes ready-to-use code snippets. Anecdotes report that software developers copy and paste code snippets from those information sources for convenience reasons. Such behavior results in a constant flow of community-provided code snippets into production software. To date, the impact of this behaviour on code security is unknown. We answer this highly important question by quantifying the proliferation of security-related code snippets from Stack Overflow in Android applications available on Google Play. Access to the rich source of information available on Stack Overflow including ready-to-use code snippets provides huge benefits for software developers. However, when it comes to code security there are some caveats to bear in mind: Due to the complex nature of code security, it is very difficult to provide ready-to-use and secure solutions for every problem. Hence, integrating a security-related code snippet from Stack Overflow into production software requires caution and expertise. Unsurprisingly, we observed insecure code snippets being copied into Android applications millions of users install from Google Play every day. To quantitatively evaluate the extent of this observation, we scanned Stack Overflow for code snippets and evaluated their security score using a stochastic gradient descent classifier. In order to identify code reuse in Android applications, we applied state-of-the-art static analysis. Our results are alarming: 15.4% of the 1.3 million Android applications we analyzed, contained security-related code snippets from Stack Overflow. Out of these 97.9% contain at least one insecure code snippet.

Authors (7)

Felix Fischer (31 papers)
Konstantin Böttinger (28 papers)
Huang Xiao (5 papers)
Christian Stransky (3 papers)
Yasemin Acar (19 papers)
Michael Backes (157 papers)
Sascha Fahl (13 papers)

Citations (258)

View on Semantic Scholar

Summary

Evaluation of Crowd-sourced Code and Its Impact on Android Application Security: A Study of Stack Overflow

The paper "Stack Overflow Considered Harmful? The Impact of Copy-Paste on Android Application Security" presents a thorough investigation into how developers' reliance on peer-sourced code, particularly from Stack Overflow, introduces vulnerabilities into Android applications. This research explores the pervasive practice of copying and pasting code snippets from online discussion platforms into production software, with an emphasis on security-related implications in the Android ecosystem. The authors' approach involves quantitatively assessing the propagation of insecure code snippets from Stack Overflow into a vast array of Android applications available on Google Play.

Methodology

The research commences by extracting and identifying security-related code snippets from Stack Overflow. This is achieved via an oracle-based filter that discerns such snippets by recognizing API elements specific to several Java security libraries. The relevant snippets are then classified for security purposes using a stochastic gradient descent classifier, which annotates them as either secure or insecure based on predefined security metrics for different categories like SSL/TLS, cryptography, secure random generation, and more.

The paper applies state-of-the-art static analysis to detect instances of these snippets being reused in over 1.3 million Android applications. This entails transforming snippets and applications to an intermediate representation and checking for code reuse based on program dependency graphs.

Findings

The findings reveal an alarming trend: 15.4% of the examined Android applications contained security-related snippets sourced from Stack Overflow, with an overwhelming 97.9% of those being insecure. The paper highlights specific security violations, such as the incorrect handling of TLS connections by overriding Trust Manager implementations, leading to potential Man-In-The-Middle attacks. Similarly, it underscores issues in cryptographic practices, such as the use of static keys or weak encryption modes, which are evident in numerous snippets.

Implications

From a theoretical standpoint, this paper informs the broader discourse on secure coding practices by evidencing the real-world risks posed by decentralized and possibly unreliable sources of programming knowledge. Pragmatically, these results suggest a necessity for enhanced developer education regarding the security consequences of inadequate code copying practices, especially from platforms not predominantly designed for secure code auditing.

Future Directions

Potential advancements in AI and machine learning could significantly empower automated tools for classifying the security of code snippets with greater precision and efficiency, potentially deployed via browser plugins to inform developers in real-time about potential security risks. This could mitigate the propagated dangers of insecure community-contributed code infiltrating commercial software ecosystems.

The implications of this research underscore the need for ongoing vigilance and improvement in software development practices, particularly as they pertain to integrating external code snippets. Future work could expand this methodology to other platforms and ecosystems, providing a comprehensive understanding of the impact of crowdsourced code on global software security.

PDF Markdown

Related Papers

Find Related Papers