TY - GEN
T1 - Negative results on mining crypto-API usage rules in android apps
AU - Gao, Jun
AU - Kong, Pingfan
AU - Li, Li
AU - Bissyande, Tegawende F.
AU - Klein, Jacques
N1 - Publisher Copyright:
© 2019 IEEE.
PY - 2019/5
Y1 - 2019/5
N2 - Android app developers recurrently use crypto-APIs to provide data security to app users. Unfortunately, misuse of APIs only creates an illusion of security and even exposes apps to systematic attacks. It is thus necessary to provide developers with a statically-enforceable list of specifications of crypto-API usage rules. On the one hand, such rules cannot be manually written as the process does not scale to all available APIs. On the other hand, a classical mining approach based on common usage patterns is not relevant in Android, given that a large share of usages include mistakes. In this work, building on the assumption that 'developers update API usage instances to fix misuses', we propose to mine a large dataset of updates within about 40 000 real-world app lineages to infer API usage rules. Eventually, our investigations yield negative results on our assumption that API usage updates tend to correct misuses. Actually, it appears that updates that fix misuses may be unintentional: the same misuse patterns are quickly re-introduced by subsequent updates.
AB - Android app developers recurrently use crypto-APIs to provide data security to app users. Unfortunately, misuse of APIs only creates an illusion of security and even exposes apps to systematic attacks. It is thus necessary to provide developers with a statically-enforceable list of specifications of crypto-API usage rules. On the one hand, such rules cannot be manually written as the process does not scale to all available APIs. On the other hand, a classical mining approach based on common usage patterns is not relevant in Android, given that a large share of usages include mistakes. In this work, building on the assumption that 'developers update API usage instances to fix misuses', we propose to mine a large dataset of updates within about 40 000 real-world app lineages to infer API usage rules. Eventually, our investigations yield negative results on our assumption that API usage updates tend to correct misuses. Actually, it appears that updates that fix misuses may be unintentional: the same misuse patterns are quickly re-introduced by subsequent updates.
KW - Android
KW - Cryptography
KW - Rule mining
UR - https://www.scopus.com/pages/publications/85072307902
U2 - 10.1109/MSR.2019.00065
DO - 10.1109/MSR.2019.00065
M3 - Conference contribution
AN - SCOPUS:85072307902
T3 - IEEE International Working Conference on Mining Software Repositories
SP - 388
EP - 398
BT - Proceedings - 2019 IEEE/ACM 16th International Conference on Mining Software Repositories, MSR 2019
PB - IEEE Computer Society
T2 - 16th IEEE/ACM International Conference on Mining Software Repositories, MSR 2019
Y2 - 26 May 2019 through 27 May 2019
ER -