Early Report: How to Improve Programmers' Expertise at App Security?

Charles Weir, Security Lancaster, Lancaster University, c.weir1@lancaster.ac.uk
Awais Rashid, Security Lancaster, Lancaster University, a.rashid@lancaster.ac.uk
James Noble, Victoria University Wellington, NZ, kjx@ecs.vuw.ac.nz

Abstract

Apps present a significant security risk. Developer inexperience in security is a major contributor to this risk. Based on interviews with a dozen app security experts we identify that most app programmers simply do not care about security. Only by working on the factors influencing programmers' motivation, and afterwards developing their whole system security skills, shall we begin to see the kind of secure apps that industry needs.

The western world relies heavily on apps. Apps run on mobile phones, on PC browsers, as PC native apps, or as the software running on sensors and controllers in the Internet of Things, but all share a number of common features. Typically they communicate with one or at most a few services on the internet; they are not advertised on the Internet in the way that services must be; and in many cases they may contain data, have access to data, or control services that could embarrass or harm an individual or organisation if they are compromised.

So securing apps that run on such services is becoming increasingly important. There are two questions that address this, both worthwhile: (1) how can we improve the systems and compilers that host and produce such apps; and (2) how can we improve the security skills of the developers who produce them? Most existing work, such as [EOMC11], has studied the kinds of mistakes programmers make, but there has been little exploration of underlying causes, though a recent survey of US organisations [Pone15] found that 73% of respondents saw developer lack of skills as a major cause of app security issues. This paper, therefore, is an early report of an ongoing research project to explore the second question.

Copyright © by the paper's authors. Copying permitted for private and academic purposes. This volume is published and copyrighted by its editors. In: D. Aspinall, L. Cavallaro, M. N. Seghir, M. Volkamer (eds.): Proceedings of the Workshop on Innovations in Mobile Privacy and Security IMPS at ESSoS'16, London, UK, 06-April-2016, published at http://ceur-ws.org

1. Research Approach

For this research we interviewed a dozen experts in mobile app security: developers, architects and team leaders. We chose our interviewees opportunistically through contacts and referrals; they average some 30 years of industry experience, are typically quite senior in their professions, and work in organisations ranging from start-ups to global software giants. Since the purpose was to find positive approaches to app security, the interview questions derived from Appreciative Inquiry [Reed06], and focussed on success stories and aspirations. To analyse the results, we used Grounded Theory [GlSt73], transcribing and coding the interviews to draw out the participants' concerns as themes and correlations between interviews. This report is based on overview results of all twelve interviews plus detailed analysis of the first four, and includes quotations.

The results surprised us. We'd hoped the experts would tell us of learning resources and successful security training methods. The participants, even those who'd been active in creating resources for programmers to learn, didn't feel that such resources had solved the problems. Instead they highlighted two main issues:

1.1 Lack of interest in security

Programmers simply aren't motivated to get security right. The youth and inexperience of many programmers means they don't have a feeling for the possible impact of a security problem: "It's not that [programmers] have passed judgement on it, and that it is unimportant – they just don't realise that it is important".

Also, few of the stakeholders in apps are interested in security at all – most non-experts, if they think of it at all, expect security to happen automatically; security is seen as an additional cost, and not one justified by industry experience of apps so far: "You can see that from the Apps World [exhibition] where there's no mention of security at all. It's not on people's radar."

1.2 Need for whole system security

Much of the literature and research has focussed on small-scale aspects of security, such as correct use of APIs, and approaches for securing data. But in practice a main source of security issues is wider, typically related to the problem domain or the way systems interconnect: "The things that are the most challenging around security really are trying to understand the threat landscape and trying to understand how threats are realised".

To address these requires developers who can analyse security threats, and who can explain security issues to stakeholders in ways that allow them to make decisions.

2. Tackling these issues

Most of the interviewees had significant experience of a variety of projects involving software security, and they offered a variety of practical solutions to these problems. We'll look at each in turn.

2.1 Tackling programmers' lack of interest in security

Different interviewees suggested different ways to address this. Most common was an approach we'd sum up as 'corporate interest'. Here the organisation itself drives programmer interest: company targets, product specifications, project processes and team organisation all focus on app security, including whole system security. The result is that every team member takes an interest; it becomes an exciting part of their normal day's work.

Where this corporate interest is lacking, some suggested enforcing it as part of professional discipline: app security and motivation to be included in university courses and as a necessity for professional qualifications. Others prefer to wait for app-based security breaches that will change industry ways of thinking.

One interviewee, who uses developers in an external company that hadn't been security-aware, finds it very effective to have a long discussion with each new developer on his projects, getting to know a bit about their life and relating their experiences to the security requirements of his project.

2.2 Tackling Whole System Security

Our interviewees highlighted a variety of successful techniques they use to achieve app security, including:

Analysis: They use ideation sessions, working with stakeholders and penetration testing experts, on the different possible attacks on the system; they analyse reasons for attacks and profiles of possible attackers; and they do formal and informal risk assessments combining the likelihood of each attack with its potential impact.

Effective communication: They find good ways of communicating security decisions in ways their stakeholders can understand: "this data may be visible to an attacker. Do you mind?"

Development techniques: They use processes to avoid the kinds of defect in software that can lead to a security breach. Examples are pair programming, code reviews, using code analysis tools and security-aware choices of libraries and environments.

Continuous feedback: They ensure they receive security status information from released products; they analyse emergent security issues and plan fixes into the development stream for the future.

Continuous enhancement: They emphasise the continuous nature of security: the need for regular upgrades of the live software. They also use development contracts and system architectures that allow for this rather than the more traditional 'fire and forget' approach.

3. Summary and next steps

So a major threat to app security is that few app programmers are motivated to do anything about it. And for those that are, the major wins will be in addressing skills in whole system security.

This paper represents early findings; further work will expand the taxonomy of solutions in section 2. This will provide insights into the issues underpinning app programmers' security behaviour, and into mitigation measures that work in practice.

4. References

[EOMC11] Enck, William; Octeau, Damien; McDaniel, Patrick; Chaudhuri, Swarat: A Study of Android Application Security. In: USENIX Security Symposium, August 2011.

[GlSt73] Glaser, Barney G.; Strauss, Anselm L.: The Discovery of Grounded Theory: Strategies for Qualitative Research, Observations. Chicago: Aldine Transaction, 1973. ISBN 9780202302607.

[Pone15] Ponemon Institute: The State of Mobile Application Insecurity, 2015.

[Reed06] Reed, Jan: Appreciative Inquiry: Research for Change. Sage, 2006. ISBN 1452279020.