Towards Finding Code Snippets on a Question and Answer Website Causing Mobile App Vulnerabilities

Hiroki NAKANO  Fumihiro KANEI  Yuta TAKATA  Mitsuaki AKIYAMA  Katsunari YOSHIOKA  

IEICE TRANSACTIONS on Information and Systems   Vol.E101-D   No.11   pp.2576-2583
Publication Date: 2018/11/01
Publicized: 2018/08/22
Online ISSN: 1745-1361
DOI: 10.1587/transinf.2017ICP0009
Type of Manuscript: Special Section PAPER (Special Section on Information and Communication System Security)
Category: Mobile Application and Web Security
Mobile App,  Vulnerabilities,  Question and Answer Website,  Code Snippets,  

Full Text: PDF(1MB)>>
Buy this Article

Android app developers sometimes copy code snippets posted on a question-and-answer (Q&A) website and use them in their apps. However, if a code snippet has vulnerabilities, Android apps containing the vulnerable snippet could also have the same vulnerabilities. Despite this, the effect of such vulnerable snippets on the Android apps has not been investigated in depth. In this paper, we investigate the correspondence between the vulnerable code snippets and vulnerable apps. we collect code snippets from a Q&A website, extract possibly vulnerable snippets, and calculate similarity between those snippets and bytecode on vulnerable apps. Our experimental results show that 15.8% of all evaluated apps that have SSL implementation vulnerabilities (Improper host name verification), 31.7% that have SSL certificate verification vulnerabilities, and 3.8% that have WEBVIEW remote code execution vulnerabilities contain possibly vulnerable code snippets from Stack Overflow. In the worst case, a single problematic snippet has caused 4,844 apps to contain a vulnerability, accounting for 31.2% of all collected apps with that vulnerability.