The Rise of the Citizen Developer: Assessing the Security Impact of Online App Generators

Marten Oltrogge, Erik Derr, Christian Stransky, Yasemin Acar, Sascha Fahl, Christian Rossow, Giancarlo Pellegrino, Sven Bugiel, and Michael Backes
2018 IEEE Symposium on Security and Privacy, SP 2018, Proceedings, 21-23 May 2018, San Francisco, California, USA

Abstract

Mobile apps are increasingly created using online application generators (OAGs) that automate app development, distribution, and maintenance. These tools significantly lower the level of technical skill that is required for app development, which makes them particularly appealing to citizen developers, i.e., developers with little or no software engineering background. However, as the pervasiveness of these tools increases, so does their overall influence on the mobile ecosystem’s security, as security lapses by such generators affect thousands of generated apps. The security of such generated apps, as well as their impact on the security of the overall app ecosystem, has not yet been investigated.

We present the first comprehensive classification of commonly used OAGs for Android and show how to uniquely fingerprint generated apps to link them back to their generator. We thereby quantify the market penetration of these OAGs based on a corpus of 2,291,898 free Android apps from Google Play and discover that at least 11.1% of these apps were created using OAGs. Using a combination of dynamic, static, and manual analysis, we find that the services’ app generation model is based on boilerplate code that is prone to reconfiguration attacks in 7/13 analyzed OAGs. Moreover, we show that this boilerplate code includes well-known security issues such as code injection vulnerabilities and insecure WebViews. Given the tight coupling of generated apps with their services’ backends, we further identify security issues in their infrastructure. Due to the blackbox development approach, citizen developers are unaware of these hidden problems that ultimately put the end-users’ sensitive data and privacy at risk and violate the users’ trust assumption.

A particularly worrisome result of our study is that OAGs indeed have a significant amplification factor for those vulnerabilities, notably harming the health of the overall mobile app ecosystem.

Reference

@inproceedings{DBLP:conf/sp/OltroggeDSAFRPB18,
  author    = {Marten Oltrogge and
               Erik Derr and
               Christian Stransky and
               Yasemin Acar and
               Sascha Fahl and
               Christian Rossow and
               Giancarlo Pellegrino and
               Sven Bugiel and
               Michael Backes},
  title     = {The Rise of the Citizen Developer: Assessing the Security Impact of
               Online App Generators},
  booktitle = {2018 IEEE Symposium on Security and Privacy, SP 2018, Proceedings,
               21-23 May 2018, San Francisco, California, USA},
  pages     = {634--647},
  month     = {May},
  year      = {2018},
  doi       = {10.1109/SP.2018.00005},
  url       = {https://doi.org/10.1109/SP.2018.00005},
  biburl    = {https://dblp.org/rec/bib/conf/sp/OltroggeDSAFRPB18},
  bibsource = {dblp computer science bibliography, https://dblp.org}
}