A Developer-Centric Study Exploring Mobile Application Security Practices and Challenges
0 likes106 views
This study analyzes mobile application security practices, highlighting the importance of security among developers despite gaps in education and resources. With responses from 137 participants across 22 countries, the research identifies common challenges in security implementation and advocates for improved educational resources and practices in mobile development. Key recommendations include proactive integration of security, ongoing training, and the establishment of comprehensive security resource centers.
A Developer-Centric Study Exploring Mobile Application Security Practices and Challenges
- 1. A Developer-Centric Study Exploring Mobile Application Security Practices and Challenges Anthony Peruma, Timothy Huo, Ana Catarina Araújo, Jake Imanaka, Rick Kazman International Conference on Software Maintenance and Evolution October 2024 | Flagstaff, AZ, United States
- 2. The Mobile App Landscape 4+ Million Apps on major app stores https://www.statista.com/statistics/271644/worldwide-free-and-paid-mobile-app-store-downloads https://www-statista.com/forecasts/1262892/mobile-app-revenue-worldwide-by-segment 257 Billion app downloads in 2023 $467 Billion mobile app revenue in 2023 https://www-statista.com/statistics/276623/number-of-apps-available-in-leading-app-stores
- 3. There's an app for that! Morning Coffee Finding Love Everything Else From our morning routines to our social lives, apps have become an integral part of our daily existence
- 4. There's an app for that! Starbucks (2014) Tinder (2018) Android Apps (2024) Stored user credentials in plain text Transmitted user images unencrypted Path traversal vulnerability in multiple apps
- 5. • Mining software repositories • Reverse engineering distribution packages • Implementing security-specific tools • Examining specific domains • Lack of comprehensive developer perspective • Limited understanding of real-world practices • Outdated insights (last major study in 2014) Existing Research Research Gap Existing Work
- 6. Understand Real-world practices and challenges Discover Sources influencing app security practices Insight Gaps in mobile app security education Research Objectives
- 7. STUDY DESIGN 07 137 completed responses 600 invitations No compensation Anonymous No follow-ups Keyword search Manual profilereview 24 survey questions
- 8. Results
- 9. Participant Demographics ● 137 participants from 22 countries ● 92.70% employed (116 full-time) ● Majority have 3+ years of general programming experience (123 participants) Most of the time 27% All of the time 58% Other 15% JOB INVOLVEMENT IN MOBILE APP DEVELOPMENT < 1 year 4% 6–10 years 23% 3–5 years 46% 1–2 years 13% > 10 years 14% MOBILE APP DEVELOPMENT EXPERIENCE
- 10. RQ 1 – Features, Practices, and Challenges Other 28% Extremely important 29% Very important 43% IMPORTANCE OF MOBILE APP SECURITY DURING DEVELOPMENT 0 20 40 60 80 100 120 Authentication Permissions Secure Storage Data Encryption Participants COMMONLY IMPLEMENTED SECURITY FEATURES 98% consider security as important ➢ 72.27% consider security very or extremely important
- 11. RQ 1 – Features, Practices, and Challenges 50.66% Adhere to secure coding practices 25.11% Use security testing tools 21.15% Conduct regular security audits 34.07% Regularly update dependencies 12.22% Use vulnerability scanners 39.26% Use trusted libraries
- 12. RQ 1 – Features, Practices, and Challenges 0 10 20 30 40 50 60 70 80 Limited security resources Balancing security and UX Third-party vulnerabilities Managing permissions Reverse engineering protection Participants COMMONLY SECURITY CHALLENGES Developers face both technical and non- technical challenges in securing their apps.
- 13. RQ 2 – Mobile App Security Resources Official Documentation Online Articles, Videos, Blogs Security-Specific Documentation Generative AI Chatbots Books & Research Publications Internal Organizational Resources Online Forums
- 14. RQ 3 - Effectiveness of Learning Materials Developers Report Inadequate Mobile App Security Education 59%
- 15. RQ 3 - Effectiveness of Learning Materials Learning Gaps in Mobile App Security: Focus on Basic Functionality “Most of the online materials are more focused on the UI design” Need for Specialized Courses “If you wanna learn about security you need to search for a specific course about it” Outdated or Incomplete Materials “The documentation didn’t explain certain specific topics” Security as a Secondary Concern “Developing mobile apps was just starting so security was not a priority” Reliance on Platform-Specific Security Features “On iOS, by nature of the platform you are forced to be aware of certain security features” On The Job Learning “When I started working on real projects my mentor at the company started to suggest me best practices”
- 16. RQ 3 - Developer Recommendations Continuous Learning Proactive Security Integration Use Trusted Libraries and Security Tools Prioritize Data Protection Involve Security Professionals Follow Best Practices and Standards Gain Hands-on Experience Continuous Maintenance and Testing Knowledge Sharing
- 17. Key Implications of Our Research Need for improved security education and training in mobile app development Disconnect: Security Importance vs. Developer Preparedness Need for a holistic, security-driven development approach throughout the SDLC Adopting Security-Driven Development Organizations should establish comprehensive online Security Resource Centers Organizational Security Resource Centers