Stack Overflow Considered Harmful? The Impact of Copy&amp;Paste on Android Application Security

Fischer, Felix; Böttinger, Konstantin; Xiao, Huang; Stransky, Christian; Acar, Yasemin; Backes, Michael; Fahl, Sascha

doi:10.1109/sp.2017.31

Cited by 221 publications

(166 citation statements)

References 35 publications

Supporting

Mentioning

161

Contrasting

Order By: Relevance

“…In the case of navigating large files, there are two buttons that assist users to jump to the highlighted lines quickly. Under each returned example, users can read related information regarding the example's misuses (3). Finally, users can navigate for more examples (4).…”

Section: The Workflow Of Cryptoexplorermentioning

confidence: 99%

“…Code snippets obtained from online information sources are untrustworthy too. A study of 1.3 million Android apps showed that 196 403 (i.e., 15%) used vulnerable code snippets that were very likely copied from the Stack Overflow website [3]. Examination of 217 818 Stack Overflow posts also showed that 31% suffer from potential API misuses that could lead to unexpected behavior such as program crashes and resource leaks [4].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

CryptoExplorer: An Interactive Web Platform Supporting Secure Use of Cryptography APIs

Hazhirpasand

Ghafari

Nierstrasz

2020

2020 IEEE 27th International Conference on Software Analysis, Evolution and Reengineering (SANER)

View full text Add to dashboard Cite

Research has shown that cryptographic APIs are hard to use. Consequently, developers resort to using code examples available in online information sources that are often not secure.We have developed a web platform, named CryptoExplorer, stocked with numerous real-world secure and insecure examples that developers can explore to learn how to use cryptographic APIs properly. This platform currently provides 3 263 secure uses, and 5 897 insecure uses of Java Cryptography Architecture mined from 2 324 Java projects on GitHub.A preliminary study shows that CryptoExplorer provides developers with secure crypto API use examples instantly, developers can save time compared to searching on the internet for such examples, and they learn to avoid using certain algorithms in APIs by studying misused API examples.We have a pipeline to regularly mine more projects, and, on request, we offer our dataset to researchers.

show abstract

Section: The Workflow Of Cryptoexplorermentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

CryptoExplorer: An Interactive Web Platform Supporting Secure Use of Cryptography APIs

Hazhirpasand

Ghafari

Nierstrasz

2020

2020 IEEE 27th International Conference on Software Analysis, Evolution and Reengineering (SANER)

View full text Add to dashboard Cite

show abstract

“…Another recommendation for future work is a comprehensive survey equivalent to [46] for Android textbooks; [50] looked specifically at the use of resources from Stack Overflow in Android applications.…”

Section: Androidmentioning

confidence: 99%

A UK Case Study on Cybersecurity Education and Accreditation

Crick

Davenport

Irons

et al. 2019

2019 IEEE Frontiers in Education Conference (FIE)

View full text Add to dashboard Cite

This paper presents a national case study-based analysis of the numerous dimensions to cybersecurity education and how they are prioritised, implemented and accredited; from understanding the interaction of hardware and software, moving from theory to practice (and vice versa), to human factors, policy and politics (as well as various other important facets). A multitude of model curricula and recommendations have been presented and discussed in international fora in recent years, with varying levels of impact on education, policy and practice. This paper address three key questions: i) what is taught and what should be taught for cybersecurity to general computer science students; ii) should cybersecurity be taught stand-alone or in an integrated manner to general computer science students; and iii) can accreditation by national professional, statutory and regulatory bodies enhance the provision of cybersecurity within a body's jurisdiction?Evaluating how cybersecurity is taught in all aspects of computer science is clearly a task of considerable size, one that is beyond the scope of this paper. Instead a case study-based research approach -primarily focusing on the UK -has been adopted to evaluate the evidence of the teaching of cybersecurity within general computer science to university-level students. Thus, in the context of widespread international computer science/engineering curriculum reform, what does this need to embed cybersecurity knowledge and skills mean more generally for institutions and educators, and how can we teach this subject more effectively? Through this UK case study, and by contrasting with related initiatives in the US, we demonstrate the positive effect that national accreditation requirements can have, and offer some recommendations both for future research and curriculum developments.

show abstract

“…SO examples are created for illustration purposes, which can serve as a good starting point. However, these examples may be insufficient to be ported to a production environment, as previous studies find that SO examples may suffer from API usage violations [7], insecure coding practices [8], unchecked obsolete usage [9], and incomplete code * Both the first author and the second author contributed significantly and this research is led by UCLA. fragments [10].…”

Section: Introductionmentioning

confidence: 99%

Analyzing and Supporting Adaptation of Online Code Examples

Zhang

Yang

Lopes

et al. 2019

2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

Developers often resort to online Q&A forums such as Stack Overflow (SO) for filling their programming needs.Although code examples on those forums are good starting points, they are often incomplete and inadequate for developers' local program contexts; adaptation of those examples is necessary to integrate them to production code. As a consequence, the process of adapting online code examples is done over and over again, by multiple developers independently. Our work extensively studies these adaptations and variations, serving as the basis for a tool that helps integrate these online code examples in a target context in an interactive manner.We perform a large-scale empirical study about the nature and extent of adaptations and variations of SO snippets. We construct a comprehensive dataset linking SO posts to GitHub counterparts based on clone detection, time stamp analysis, and explicit URL references. We then qualitatively inspect 400 SO examples and their GitHub counterparts and develop a taxonomy of 24 adaptation types. Using this taxonomy, we build an automated adaptation analysis technique on top of GumTree to classify the entire dataset into these types. We build a Chrome extension called EXAMPLESTACK that automatically lifts an adaptation-aware template from each SO example and its GitHub counterparts to identify hot spots where most changes happen. A user study with sixteen programmers shows that seeing the commonalities and variations in similar GitHub counterparts increases their confidence about the given SO example, and helps them grasp a more comprehensive view about how to reuse the example differently and avoid common pitfalls.

show abstract

Stack Overflow Considered Harmful? The Impact of Copy&Paste on Android Application Security

Cited by 221 publications

References 35 publications

CryptoExplorer: An Interactive Web Platform Supporting Secure Use of Cryptography APIs

CryptoExplorer: An Interactive Web Platform Supporting Secure Use of Cryptography APIs

A UK Case Study on Cybersecurity Education and Accreditation

Analyzing and Supporting Adaptation of Online Code Examples

Contact Info

Product

Resources

About