ESEC/FSE 2022
Mon 14 - Fri 18 November 2022 Singapore
Mon 14 Nov 2022 16:30 - 16:45 at SRC LT 50 - Program Analysis I Chair(s): Marcel Böhme

Users increasingly rely on mobile apps for everyday tasks, including security- and privacy-sensitive tasks such as online banking, e-health, and e-government. Additionally, a wealth of sensors captures the movements and habits of the users for fitness tracking and convenience. Despite legal regulations imposing requirements and limits on the processing of privacy-sensitive data, users must still trust the app developers to apply sufficient protections. In this paper, we investigate the state of security in Android apps and how security-related code smells have evolved since the introduction of the Android operating system.

With an analysis of 300 apps per year over 12 years between 2010 and 2021 from the Google Play Store, we find that the number of code scanner findings per thousand lines of code decreases over time. Still, this development is offset by the increase in code size. Apps have more and more findings, suggesting that the overall security level decreases. This trend is driven by flaws in the use of cryptography, insecure compiler flags, insecure uses of WebView components, and insecure uses of language features such as reflection. Based on our data, we argue for stricter controls on apps before admission to the store.

Mon 14 Nov

Displayed time zone: Beijing, Chongqing, Hong Kong, Urumqi

16:00 - 17:30
Program Analysis I (Research Papers / Industry Paper) at SRC LT 50
Chair(s): Marcel Böhme (MPI-SP, Germany and Monash University, Australia)
16:00 (15m) Talk: Input Splitting for Cloud-Based Static Application Security Testing Platforms
Industry Paper
Maria Christakis (MPI-SWS), Thomas Cottenier (Amazon Web Services), Antonio Filieri (AWS and Imperial College London), Linghui Luo (Amazon Web Services), Muhammad Numair Mansur (MPI-SWS), Lee Pike (Amazon Web Services), Nico Rosner (Amazon Web Services), Martin Schäf (Amazon Web Services), Aritra Sengupta (Amazon Web Services), Willem Visser (Amazon Web Services)
16:15 (15m) Talk: Static Executes-Before Analysis for Event Driven Programs
Research Papers
Rekha Pai (IISc Bangalore), Abhishek Uppar (IISc Bangalore), Akshatha Shenoy (TCS Research), Pranshul Kushwaha (IISc Bangalore), Deepak D'Souza (IISc Bangalore)
16:30 (15m) Talk: Security Code Smells in Apps: Are We Getting Better?
Research Papers
Steven Arzt (Fraunhofer SIT; ATHENE)
16:45 (15m) Talk: Large-Scale Analysis of Non-Termination Bugs in Real-World OSS Projects
Research Papers
Xiuhan Shi (Tianjin University), Xiaofei Xie (Singapore Management University), Yi Li (Nanyang Technological University), Yao Zhang (Tianjin University), Sen Chen (Tianjin University), Xiaohong Li (Tianjin University)
17:00 (15m) Talk: On-the-Fly Syntax Highlighting using Neural Networks
Research Papers
Marco Edoardo Palma (University of Zurich), Pasquale Salza (University of Zurich), Harald Gall (University of Zurich)
17:15 (15m) Talk: Declarative Smart Contracts
Research Papers
Haoxian Chen (University of Pennsylvania), Gerald Whitters (University of Pennsylvania), Mohammad Javad Amiri (University of Pennsylvania), Yuepeng Wang (Simon Fraser University), Boon Thau Loo (University of Pennsylvania)