Home > Research > Publications & Outputs > Schrödinger’s Security

Electronic data

  • ICSE_20___Baseline

    Rights statement: © ACM, 2020. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ICSE '20: Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering, 2020 https://dl.acm.org/doi/abs/10.1145/3377811.3380394

    Accepted author manuscript, 915 KB, PDF document

    Available under license: CC BY-NC: Creative Commons Attribution-NonCommercial 4.0 International License

Links

Text available via DOI:

View graph of relations

Schrödinger’s Security: Opening the Box on App Developers’ Security Rationale

Research output: Contribution in Book/Report/Proceedings - With ISBN/ISSNConference contribution/Paperpeer-review

Published

Standard

Schrödinger’s Security: Opening the Box on App Developers’ Security Rationale. / van der Linden, Dirk; Anthonysamy, Pauline; Nuseibeh, Bashar et al.
ICSE '20: Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering. New York: Association for Computing Machinery (ACM), 2020. p. 149-160.

Research output: Contribution in Book/Report/Proceedings - With ISBN/ISSNConference contribution/Paperpeer-review

Harvard

van der Linden, D, Anthonysamy, P, Nuseibeh, B, Tun, TT, Petre, M, Levine, M, Towse, J & Rashid, A 2020, Schrödinger’s Security: Opening the Box on App Developers’ Security Rationale. in ICSE '20: Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering. Association for Computing Machinery (ACM), New York, pp. 149-160. https://doi.org/10.1145/3377811.3380394

APA

van der Linden, D., Anthonysamy, P., Nuseibeh, B., Tun, T. T., Petre, M., Levine, M., Towse, J., & Rashid, A. (2020). Schrödinger’s Security: Opening the Box on App Developers’ Security Rationale. In ICSE '20: Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering (pp. 149-160). Association for Computing Machinery (ACM). https://doi.org/10.1145/3377811.3380394

Vancouver

van der Linden D, Anthonysamy P, Nuseibeh B, Tun TT, Petre M, Levine M et al. Schrödinger’s Security: Opening the Box on App Developers’ Security Rationale. In ICSE '20: Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering. New York: Association for Computing Machinery (ACM). 2020. p. 149-160 doi: 10.1145/3377811.3380394

Author

van der Linden, Dirk ; Anthonysamy, Pauline ; Nuseibeh, Bashar et al. / Schrödinger’s Security : Opening the Box on App Developers’ Security Rationale. ICSE '20: Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering. New York : Association for Computing Machinery (ACM), 2020. pp. 149-160

Bibtex

@inproceedings{4335cbfaa68a4d718b3ada6ad32004b5,
title = "Schr{\"o}dinger{\textquoteright}s Security: Opening the Box on App Developers{\textquoteright} Security Rationale",
abstract = "Research has established the wide variety of security failures in mobile apps, their consequences, and how app developers introduce or exacerbate them. What is not well known is why developers do so—what is the rationale underpinning the decisions they make which eventually strengthen or weaken app security? This is all the more complicated in modern app development{\textquoteright}s increasingly di- verse demographic: growing numbers of independent, solo, or small team developers who do not have the organizational structures and support that larger software development houses enjoy.Through two studies, we open the box on developer rationale, by performing a holistic analysis of the rationale underpinning various activities in which app developers engage when developing an app.The first study does so through a task-based study with app developers (N=44) incorporating six distinct tasks for which this developer demographic must take responsibility: setting up a devel- opment environment, reviewing code, seeking help, seeking testers, selecting an advertisement SDK, and software licensing. We found that, while on first glance in several activities participants seemed to prioritize security, only in the code task such prioritization was underpinned by a security rationale–indicating that development behavior perceived to be secure may only be an illusion until the box is opened on their rationale.The second study confirms these findings through a wider sur- vey of app developers (N=274) investigating to what extent they find the activities of the task-based study to affect their app{\textquoteright}s se- curity. In line with the task-based study, we found that developers perceived actively writing code and actively using external SDKs as the only security-relevant, while similarly disregarding other activities having an impact on app security.Our results suggest the need for a stronger focus on the tasks and activities surrounding the coding task – all of which need to be underpinned by a security rationale. Without such a holistic focus, developers may write “secure code{"} but not produce “secure apps”.",
author = "{van der Linden}, Dirk and Pauline Anthonysamy and Bashar Nuseibeh and Tun, {Thein T.} and Marian Petre and Mark Levine and John Towse and Awais Rashid",
note = "{\textcopyright} ACM, 2020. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ICSE '20: Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering, 2020 https://dl.acm.org/doi/abs/10.1145/3377811.3380394",
year = "2020",
month = may,
day = "23",
doi = "10.1145/3377811.3380394",
language = "English",
pages = "149--160",
booktitle = "ICSE '20",
publisher = "Association for Computing Machinery (ACM)",
address = "United States",

}

RIS

TY - GEN

T1 - Schrödinger’s Security

T2 - Opening the Box on App Developers’ Security Rationale

AU - van der Linden, Dirk

AU - Anthonysamy, Pauline

AU - Nuseibeh, Bashar

AU - Tun, Thein T.

AU - Petre, Marian

AU - Levine, Mark

AU - Towse, John

AU - Rashid, Awais

N1 - © ACM, 2020. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ICSE '20: Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering, 2020 https://dl.acm.org/doi/abs/10.1145/3377811.3380394

PY - 2020/5/23

Y1 - 2020/5/23

N2 - Research has established the wide variety of security failures in mobile apps, their consequences, and how app developers introduce or exacerbate them. What is not well known is why developers do so—what is the rationale underpinning the decisions they make which eventually strengthen or weaken app security? This is all the more complicated in modern app development’s increasingly di- verse demographic: growing numbers of independent, solo, or small team developers who do not have the organizational structures and support that larger software development houses enjoy.Through two studies, we open the box on developer rationale, by performing a holistic analysis of the rationale underpinning various activities in which app developers engage when developing an app.The first study does so through a task-based study with app developers (N=44) incorporating six distinct tasks for which this developer demographic must take responsibility: setting up a devel- opment environment, reviewing code, seeking help, seeking testers, selecting an advertisement SDK, and software licensing. We found that, while on first glance in several activities participants seemed to prioritize security, only in the code task such prioritization was underpinned by a security rationale–indicating that development behavior perceived to be secure may only be an illusion until the box is opened on their rationale.The second study confirms these findings through a wider sur- vey of app developers (N=274) investigating to what extent they find the activities of the task-based study to affect their app’s se- curity. In line with the task-based study, we found that developers perceived actively writing code and actively using external SDKs as the only security-relevant, while similarly disregarding other activities having an impact on app security.Our results suggest the need for a stronger focus on the tasks and activities surrounding the coding task – all of which need to be underpinned by a security rationale. Without such a holistic focus, developers may write “secure code" but not produce “secure apps”.

AB - Research has established the wide variety of security failures in mobile apps, their consequences, and how app developers introduce or exacerbate them. What is not well known is why developers do so—what is the rationale underpinning the decisions they make which eventually strengthen or weaken app security? This is all the more complicated in modern app development’s increasingly di- verse demographic: growing numbers of independent, solo, or small team developers who do not have the organizational structures and support that larger software development houses enjoy.Through two studies, we open the box on developer rationale, by performing a holistic analysis of the rationale underpinning various activities in which app developers engage when developing an app.The first study does so through a task-based study with app developers (N=44) incorporating six distinct tasks for which this developer demographic must take responsibility: setting up a devel- opment environment, reviewing code, seeking help, seeking testers, selecting an advertisement SDK, and software licensing. We found that, while on first glance in several activities participants seemed to prioritize security, only in the code task such prioritization was underpinned by a security rationale–indicating that development behavior perceived to be secure may only be an illusion until the box is opened on their rationale.The second study confirms these findings through a wider sur- vey of app developers (N=274) investigating to what extent they find the activities of the task-based study to affect their app’s se- curity. In line with the task-based study, we found that developers perceived actively writing code and actively using external SDKs as the only security-relevant, while similarly disregarding other activities having an impact on app security.Our results suggest the need for a stronger focus on the tasks and activities surrounding the coding task – all of which need to be underpinned by a security rationale. Without such a holistic focus, developers may write “secure code" but not produce “secure apps”.

U2 - 10.1145/3377811.3380394

DO - 10.1145/3377811.3380394

M3 - Conference contribution/Paper

SP - 149

EP - 160

BT - ICSE '20

PB - Association for Computing Machinery (ACM)

CY - New York

ER -