Should I Protect You? Understanding Developers' Behavior to Privacy-Preserving APIs

Jain, Shubham; Lindqvist, Janne

doi:10.14722/usec.2014.23045

Cited by 38 publications

(26 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In our sample, 34 papers include quotes from participants. For example, Jain and Lindqvist incorporate relevant quotes in the text which fosters the results validity and also work as examples of how authors interpret the interviews [66].…”

Section: Discussionmentioning

confidence: 99%

“…The features provided by readily available APIs can also impact security and privacy choices of developers. In a case of geo-location libraries, developers who have access to a library with privacy-preserving options are more willing to use coarse location information over those with only access to the standard library [66].…”

Section: F Application Programming Interfaces (Apis)mentioning

confidence: 99%

See 1 more Smart Citation

A Survey on Developer-Centred Security

Tahaei

Vaniea

2019

2019 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)

View full text Add to dashboard Cite

Software developers are key players in the security ecosystem as they produce code that runs on millions of devices. Yet we continue to see insecure code being developed and deployed on a regular basis despite the existence of support infrastructures, tools, and research into common errors. This work provides a systematised overview of the relatively new field of Developer-Centred Security which aims to understand the context in which developers produce security-relevant code as well as provide tools and processes that that better support both developers and secure code production. We report here on a systematic literature review of 49 publications on security studies with software developer participants. We provide an overview of both the types of methodologies currently being used as well as the current research in the area. Finally, we also provide recommendations for future work in Developer-Centred Security.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: F Application Programming Interfaces (Apis)mentioning

confidence: 99%

A Survey on Developer-Centred Security

Tahaei

Vaniea

2019

2019 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)

View full text Add to dashboard Cite

show abstract

“…Balebako et al performed interviews and online surveys to investigate how app developers make decisions about privacy and security, identifying several hurdles and suggesting improvements that would help user-privacy [3,4]. Jain et al suggested design changes to the Android Location API based on the results of a developer lab study [32]. Fahl et al and Oltrogge et al conducted developer surveys and interviews, revealing deficits in the handling of TLS/SSL and suggesting several improvements [20,21,41].…”

Section: Related Workmentioning

confidence: 99%

A Large Scale Investigation of Obfuscation Use in Google Play

Wermke

Huaman

Acar

et al. 2018

Proceedings of the 34th Annual Computer Security Applications Conference

View full text Add to dashboard Cite

Android applications are frequently plagiarized or repackaged, and software obfuscation is a recommended protection against these practices. However, there is very little data on the overall rates of app obfuscation, the techniques used, or factors that lead to developers to choose to obfuscate their apps. In this paper, we present the first comprehensive analysis of the use of and challenges to software obfuscation in Android applications. We analyzed 1.7 million free Android apps from Google Play to detect various obfuscation techniques, finding that only 24.92% of apps are obfuscated by the developer. To better understand this rate of obfuscation, we surveyed 308 Google Play developers about their experiences and attitudes about obfuscation. We found that while developers feel that apps in general are at risk of plagiarism, they do not fear theft of their own apps. Developers also self-report difficulties applying obfuscation for their own apps. To better understand this, we conducted a follow-up study where the vast majority of 70 participants failed to obfuscate a realistic sample app even while many mistakenly believed they had been successful. Our findings show that more work is needed to make obfuscation tools more usable, to educate developers on the risk of their apps being reverse engineered, their intellectual property stolen, their apps being repackaged and redistributed as malware and to improve the health of the overall Android ecosystem.

show abstract

“…Obvious further work would be to understand if the shortened Request permission, in addition to being cost-effective, is effective in informing app consumers and helps them to make appropriate decisions. In our previous work, we have also explored alternative approaches to mobile app security & privacy, including explicitly showing users when their location is requested [11], showing network accesses of apps with Securacy [10], automated app analysis [2], crowdsourced privacy mental models [17] and privacy-preserving API design [13].…”

Section: Discussionmentioning

confidence: 99%

No time at all

Clark

Sarode

Lindqvist

2016

Proceedings of the 3rd Workshop on Hot Topics in Wireless

Self Cite

View full text Add to dashboard Cite

App permissions detail the privacy-sensitive access to users' location, contact information, network access, and more. In this paper, we draw from the motivational work of McDonald and Cranor [18] on web privacy policies to investigate the opportunity cost for users and the United States if people would read these permission screens on mobile devices during installation or launch time. We also demonstrate the time and cost differences between different versions of Android's permissions model. Based on our findings, an average user of Android M may spend less than two minutes annually viewing permission screens. This would mean a maximum annual opportunity cost of $1.29 and a minimum of $0.16 based on whether it was read at work or leisure. Reading detailed permissions screens in older versions of Android could require a user to spend nearly 90 minutes annually with a maximum cost of $67.24 and a minimum of $8.40. In our estimates, the United States would have to invest between a leisure cost of $36.67 million and a work cost of $293.6 million for Android M. However, these costs are small in comparison to costs needed in older versions of Android that could use up to as much as $1.87 billion in leisure costs and $15.03 billion in work costs. We conclude that updates to Google's permissions layout has reduced the time and opportunity cost to the point where, with Android M, they are at an all-time low.

show abstract

Should I Protect You? Understanding Developers' Behavior to Privacy-Preserving APIs

Cited by 38 publications

References 20 publications

A Survey on Developer-Centred Security

A Survey on Developer-Centred Security

A Large Scale Investigation of Obfuscation Use in Google Play

No time at all

Contact Info

Product

Resources

About