Security Notifications in Static Analysis Tools: Developers’ Attitudes, Comprehension, and Ability to Act on Them

Tahaei, Mohammad; Vaniea, Kami; Beznosov, Konstantin; Wolters, Maria

doi:10.1145/3411764.3445616

Cited by 21 publications

(10 citation statements)

References 86 publications

(145 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…But there are few tools that help developers write things like user-friendly consent popups and accurate privacy policies, and even fewer that take into account both regulations and the current behaviours of common third-party APIs [44,46], like ad networks. A line of future research would be to look into the practicalities of creating such a tool, potentially learning from usability studies in security APIs [16,23] and notifcations [47]. Ad networks also implied that making the more privacy-friendly choices would negatively impact developers' ability to make money from the ads.…”

Section: Discussion and Future Workmentioning

confidence: 99%

“Developers Are Responsible”: What Ad Networks Tell Developers About Privacy

Tahaei

Vaniea

2021

Extended Abstracts of the 2021 CHI Conference on Human Factors in Computing Systems

Self Cite

View full text Add to dashboard Cite

Advertising networks enable developers to create revenue, but using them potentially impacts user privacy and requires developers to make legal decisions. To understand what privacy information ad networks give developers, we did a walkthrough of four popular ad network guidance pages with a senior Android developer by looking at the privacy-related information presented to developers. We found that information is focused on complying with legal regulations, and puts the responsibility for such decisions on the developer. Also, sample code and settings often have privacyunfriendly defaults laced with dark patterns to nudge developers' decisions towards privacy-unfriendly options such as sharing sensitive data to increase revenue. We conclude by discussing future research around empowering developers and minimising the negative impacts of dark patterns. CCS CONCEPTS• Security and privacy → Human and societal aspects of security and privacy; • Software and its engineering → Software creation and management; • Information systems → Online advertising.

show abstract

Section: Discussion and Future Workmentioning

confidence: 99%

“Developers Are Responsible”: What Ad Networks Tell Developers About Privacy

Tahaei

Vaniea

2021

Extended Abstracts of the 2021 CHI Conference on Human Factors in Computing Systems

Self Cite

View full text Add to dashboard Cite

show abstract

“…After recognition of the human factor as one of the main elements of secure systems in the early 2000s [1,87], in the 2010s, researchers started to study security and privacy interfaces directed at developers. Early work found that security libraries and tools can be unusable and counterintuitive (e.g., cryptographic libraries and static analysis tools), resulting in developers not being able to fully benefit from these tools or sometimes making mistakes that can lead to security vulnerabilities [21,24,28,73,79]. Moving to the privacy domain, privacy is often overloaded with legal language, which makes it difficult for developers first to understand it and second to transfer it to technical requirements [11,77].…”

Section: Privacy Studies With Developersmentioning

confidence: 99%

“…We recruited participants from four channels: Freelancer.com, CS student mailing list, Prolific, and social media. These channels have been used to recruit participants for studies with developers [73,79,84].…”

Section: Recruitmentmentioning

confidence: 99%

Charting App Developers’ Journey Through Privacy Regulation Features in Ad Networks

Tahaei

Ramokapane

et al. 2022

PoPETs

Self Cite

View full text Add to dashboard Cite

Mobile apps enable ad networks to collect and track users. App developers are given “configurations” on these platforms to limit data collection and adhere to privacy regulations; however, the prevalence of apps that violate privacy regulations because of third parties, including ad networks, begs the question of how developers work through these configurations and how easy they are to utilize. We study privacy regulations-related interfaces on three widely used ad networks using two empirical studies, a systematic review and think-aloud sessions with eleven developers, to shed light on how ad networks present privacy regulations and how usable the provided configurations are for developers. We find that information about privacy regulations is scattered in several pages, buried under multiple layers, and uses terms and language developers do not understand. While ad networks put the burden of complying with the regulations on developers, our participants, on the other hand, see ad networks responsible for ensuring compliance with regulations. To assist developers in building privacy regulations-compliant apps, we suggest dedicating a section to privacy, offering easily accessible configurations (both in graphical and code level), building testing systems for privacy regulations, and creating multimedia materials such as videos to promote privacy values in the ad networks’ documentation.

show abstract

“…The study conducted in [116] performed an online experiment where Android developers were the participants. Vulnerable code samples containing hard-coded credentials, encryptions, Structured Query Language (SQL) injections, and logging with sensitive data were given to the participants together with the guidance of static analysis tools and asked to indicate the appropriate fix.…”

Section: Static Dynamic and Hybrid Source Code Analysismentioning

confidence: 99%

Android Mobile Malware Detection Using Machine Learning: A Systematic Review

2021

View full text Add to dashboard Cite

With the increasing use of mobile devices, malware attacks are rising, especially on Android phones, which account for 72.2% of the total market share. Hackers try to attack smartphones with various methods such as credential theft, surveillance, and malicious advertising. Among numerous countermeasures, machine learning (ML)-based methods have proven to be an effective means of detecting these attacks, as they are able to derive a classifier from a set of training examples, thus eliminating the need for an explicit definition of the signatures when developing malware detectors. This paper provides a systematic review of ML-based Android malware detection techniques. It critically evaluates 106 carefully selected articles and highlights their strengths and weaknesses as well as potential improvements. Finally, the ML-based methods for detecting source code vulnerabilities are discussed, because it might be more difficult to add security after the app is deployed. Therefore, this paper aims to enable researchers to acquire in-depth knowledge in the field and to identify potential future research and development directions.

show abstract

Security Notifications in Static Analysis Tools: Developers’ Attitudes, Comprehension, and Ability to Act on Them

Cited by 21 publications

References 86 publications

“Developers Are Responsible”: What Ad Networks Tell Developers About Privacy

“Developers Are Responsible”: What Ad Networks Tell Developers About Privacy

Charting App Developers’ Journey Through Privacy Regulation Features in Ad Networks

Android Mobile Malware Detection Using Machine Learning: A Systematic Review

Contact Info

Product

Resources

About