CR, Aug 16, 2021

Security Smells Pervade Mobile App Servers

arXiv:2108.07188v1
Originality: Synthesis-oriented
AI Analysis

This work highlights widespread security vulnerabilities in mobile app servers, which is an incremental finding for developers and security practitioners.

The study analyzed the prevalence of six security smells in mobile app servers using a dataset of 9714 URLs from 3376 Android apps, finding that over 69% of apps suffer from three types of smells, with unprotected communication and misconfigurations being common.

[Background] Web communication is universal in cyberspace, and security risks in this domain are devastating. [Aims] We analyzed the prevalence of six security smells in mobile app servers, and we investigated the consequence of these smells from a security perspective. [Method] We used an existing dataset that includes 9714 distinct URLs used in 3376 Android mobile apps. We exercised these URLs twice within 14 months and investigated the HTTP headers and bodies. [Results] We found that more than 69% of tested apps suffer from three kinds of security smells, and that unprotected communication and misconfigurations are very common in servers. Moreover, source-code and version leaks, or the lack of update policies expose app servers to security risks. [Conclusions] Poor app server maintenance greatly hampers security.
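The kind of check the abstract describes, inspecting recorded HTTP headers and bodies from two crawls of the same URL, can be sketched as follows. This is an added example, not code from the paper or its authors; the smell labels, the header list, the regular expression and the body markers are assumptions for illustration rather than the paper's definitions, and the sample crawl data is constructed.

```python
import re
from urllib.parse import urlsplit

# All heuristics here are assumptions for illustration, not the paper's definitions.
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)+")  # e.g. product/1.2.3
BANNER_HEADERS = ("server", "x-powered-by")
SOURCE_MARKERS = ("<?php", "Traceback (most recent call last)", "Stack trace:")

def banners(headers):  # banner header name -> leaked product/version token
    found = {}
    for name, value in headers.items():
        match = VERSION_RE.search(value)
        if name.lower() in BANNER_HEADERS and match:
            found[name.lower()] = match.group(0)
    return found

def audit_response(url, headers, body):
    """Smell labels for one recorded response (no network access)."""
    smells = set()
    if urlsplit(url).scheme.lower() == "http":
        smells.add("unprotected-communication")
    if banners(headers):
        smells.add("version-leak")
    if any(marker in body for marker in SOURCE_MARKERS):
        smells.add("source-code-leak")
    return smells

def audit_url(url, first, second):
    """first/second are (headers, body) from two crawls of the same URL."""
    smells = audit_response(url, *first) | audit_response(url, *second)
    old, new = banners(first[0]), banners(second[0])
    if old and old == new:  # identical version banner in both crawls
        smells.add("no-update-observed")
    return sorted(smells)

# Constructed sample crawls (hosts, products and versions are made up).
CRAWLS = {
    "http://api.example.com/v1/items": (
        ({"Server": "ExampleHTTPd/2.4.1"}, '{"items": []}'),
        ({"Server": "ExampleHTTPd/2.4.1"}, '{"items": []}'),
    ),
    "https://app.example.org/login": (
        ({"Server": "edge", "X-Powered-By": "ExampleLang/5.6.40"}, "<?php echo $user; ?>"),
        ({"Server": "edge"}, "<html>ok</html>"),
    ),
}

def report():
    return {url: audit_url(url, a, b) for url, (a, b) in CRAWLS.items()}
```

An unchanged banner across two crawls only suggests that no update happened between them; a server that hides or rewrites its banner would not be flagged by this comparison.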
