Android is nowadays the most popular operating system in the world, not only in the realm of mobile devices, but also when desktop and laptop computers are taken into account. Such popularity makes it an attractive target for security attacks, also because of the sensitive information often handled by mobile apps. The latter are going through a transition in which the Android ecosystem is moving from Java as the official language for developing apps to Kotlin as the first choice supported by Google. While previous studies have partially investigated security weaknesses affecting Java Android apps, there is no comprehensive empirical investigation of the software security weaknesses affecting Android apps that considers (and compares) the two main languages used for their development, namely Java and Kotlin. We present an empirical study in which we: (i) manually analyze 681 commits that include security weaknesses fixed by developers in Java and Kotlin apps, with the goal of defining a taxonomy of the types of software security weaknesses affecting Java and Kotlin Android apps; (ii) survey 43 Android developers to validate and complement our taxonomy. Based on our findings, we propose a list of future actions that researchers and practitioners could take to improve the security of Android apps.