A development methodology to help build secure mobile apps

dc.contributor.author: Mitra, Joydeep
dc.date.accessioned: 2020-07-15T13:39:05Z
dc.date.available: 2020-07-15T13:39:05Z
dc.date.graduationmonth: August [en_US]
dc.date.issued: 2020-08-01
dc.date.published: 2020 [en_US]
dc.description.abstract: Mobile apps provide various critical services, such as banking, communication, and healthcare. To this end, they have access to our personal information and have the ability to perform actions on our behalf. Hence, securing mobile apps is crucial to ensuring the privacy and safety of their users. Recent research efforts have focused on developing solutions to help secure mobile ecosystems (i.e., app platforms, apps, and app stores), specifically in the context of detecting vulnerabilities in Android apps. Despite this attention, known vulnerabilities are often found in mobile apps, which can be exploited by malicious apps to cause harm to the user. Further, fixing vulnerabilities after developing an app has downsides in terms of time, resources, user inconvenience, and information loss. Consequently, there is scope to explore alternative approaches that will help developers construct secure mobile apps. Since Android and the apps that run on it are most readily available and widely used, this dissertation investigates mobile app security and solutions to secure mobile apps in the context of Android apps in two ways: (1) systematically catalog vulnerabilities known to occur in Android apps in a benchmark suite with desirable characteristics called Ghera. Ghera facilitates the continuous and rigorous evaluation of Android app security analysis tools and techniques, and (2) extend existing mobile app design artifacts such as storyboards to enable a mobile app development methodology called SeMA. SeMA considers security as a first-class citizen of an app's design and shows that many known vulnerabilities can be detected and eliminated while constructing an app's storyboard. A realization of SeMA using Android Studio tooling can prevent 49 of the 60 vulnerabilities known to occur in Android apps.
A usability study with ten real-world developers using the methodology shows that the methodology is likely to help reduce development time and uncover vulnerabilities in an app's design. [en_US]
dc.description.advisor: Venkatesh P. Ranganath [en_US]
dc.description.advisor: - Robby [en_US]
dc.description.degree: Doctor of Philosophy [en_US]
dc.description.department: Department of Computer Science [en_US]
dc.description.level: Doctoral [en_US]
dc.identifier.uri: https://hdl.handle.net/2097/40747
dc.language.iso: en_US [en_US]
dc.subject: Security [en_US]
dc.subject: Android [en_US]
dc.subject: Methodology [en_US]
dc.subject: Benchmarks [en_US]
dc.subject: Storyboard [en_US]
dc.title: A development methodology to help build secure mobile apps [en_US]
dc.type: Dissertation [en_US]

Files

Original bundle
Name: JoydeepMitra2020.pdf
Size: 1.82 MB
Format: Adobe Portable Document Format
Description: Final dissertation