Publication

Security Smells Pervade Mobile App Servers

Type of publication Peer-reviewed
Publication form Proceedings (peer-reviewed)
Authors Gadient Pascal, Tarnutzer Marc-Andrea, Nierstrasz Oscar, Ghafari Mohammad
Project Agile Software Assistance
Proceedings (peer-reviewed)

Title of proceedings ACM / IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM)
DOI 10.1145/3475716.3475780

Open Access

URL http://scg.unibe.ch/archive/papers/Gadi21a.pdf
Type of Open Access Repository (Green Open Access)

Abstract

[Background] Web communication is universal in cyberspace, and security risks in this domain are devastating. [Aims] We analyzed the prevalence of six security smells in mobile app servers, and we investigated the consequence of these smells from a security perspective. [Method] We used an existing dataset that includes 9,714 distinct URLs used in 3,376 Android mobile apps. We exercised these URLs twice within 14 months and investigated the HTTP headers and bodies. [Results] We found that more than 69% of tested apps suffer from three kinds of security smells, and that unprotected communication and misconfigurations are very common in servers. Moreover, source-code and version leaks, or the lack of update policies expose app servers to security risks. [Conclusions] Poor app server maintenance greatly hampers security.