A Developer-Centric Study Exploring Mobile Application Security Practices and Challenges
ShehanPeruma
Oct 12, 2024
About This Presentation
This presentation examines mobile application security practices and challenges from a developer's perspective. Based on a survey of 137 mobile app developers from 22 countries, the study investigates real-world security implementation practices, common challenges, and the effectiveness of current educational resources. Key findings highlight the importance developers place on security, commonly implemented security features, and significant gaps in mobile app security education. The research provides valuable insights into the mobile app security landscape and offers recommendations for improving security practices and developer preparation in this rapidly evolving field.
Presented at: The 40th International Conference on Software Maintenance and Evolution (ICSME '24)
Date of Conference: Oct 2024
Conference Location: Flagstaff, AZ, United States
A Developer-Centric Study Exploring Mobile
Application Security Practices and Challenges
Anthony Peruma, Timothy Huo, Ana Catarina Araújo, Jake Imanaka, Rick Kazman
International Conference on Software Maintenance and Evolution
October 2024 | Flagstaff, AZ, United States
The Mobile App Landscape
4+ Million Apps on major app stores
257 Billion app downloads in 2023
$467 Billion mobile app revenue in 2023
Sources: https://www.statista.com/statistics/276623/number-of-apps-available-in-leading-app-stores ; https://www.statista.com/statistics/271644/worldwide-free-and-paid-mobile-app-store-downloads ; https://www.statista.com/forecasts/1262892/mobile-app-revenue-worldwide-by-segment
There's an app for that!
Morning Coffee | Finding Love | Everything Else
From our morning routines to our social lives, apps have become an integral part of our daily existence.
There's an app for that!
Starbucks (2014): stored user credentials in plain text
Tinder (2018): transmitted user images unencrypted
Android Apps (2024): path traversal vulnerability in multiple apps
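The third incident on this slide is a class of bug rather than a single product flaw: any code that builds a file path from attacker-controlled input (a download name, an archive entry, a value passed in from another app) can be steered outside the directory it meant to write to. The example below is added here to show the vulnerable pattern next to a hardened one; it is not code from the page or from any of the apps named on the slide, and it is written in Python to illustrate the vulnerability class generically rather than as Android code. The directory names and archive entries are constructed for the demonstration.

```python
"""Path traversal: an unchecked join versus a canonicalise-and-contain check.
Added illustration of the vulnerability class; not code from the survey or
from any app referenced on the slide. Directory and entry names are made up.
"""
import os
import tempfile


def unsafe_target(base_dir: str, name: str) -> str:
    """Vulnerable: builds the path from an untrusted name with no containment
    check, so '../' segments (or an absolute name) escape base_dir."""
    return os.path.normpath(os.path.join(base_dir, name))


def safe_target(base_dir: str, name: str) -> str:
    """Hardened: canonicalise both sides, then require the result to lie
    inside base_dir. commonpath() compares whole path components, so a
    sibling directory that merely shares a string prefix (files vs files2)
    is still rejected, which a naive startswith() check would miss."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path traversal rejected: {name!r}")
    return target


def is_inside(base_dir: str, name: str) -> bool:
    """True if name resolves to a location inside base_dir."""
    try:
        safe_target(base_dir, name)
    except ValueError:
        return False
    return True


def extract_entries(base_dir, entries):
    """Write (name, data) pairs under base_dir, the way an app unpacks a
    downloaded archive. Returns (written, rejected) lists of entry names."""
    written, rejected = [], []
    for name, data in entries:
        try:
            target = safe_target(base_dir, name)
        except ValueError:
            rejected.append(name)
            continue
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(data)
        written.append(name)
    return written, rejected


def demo():
    """Run both strategies over constructed entries in a temporary directory."""
    # Constructed sample input: three archive entries from an untrusted
    # source; the last two try to escape the app's private files directory.
    entries = [
        ("avatars/user1.png", b"png..."),
        ("../shared_prefs/creds.xml", b"<map/>"),
        ("/etc/passwd", b"root:x:0:0"),  # absolute name: join() drops base_dir
    ]
    with tempfile.TemporaryDirectory() as root:
        app_files = os.path.join(root, "files")
        os.makedirs(app_files)
        written, rejected = extract_entries(app_files, entries)
        base = os.path.realpath(app_files)
        # Where the vulnerable version would have written the second entry.
        escaped = os.path.realpath(unsafe_target(app_files, entries[1][0]))
        unsafe_would_escape = os.path.commonpath([base, escaped]) != base
    return {
        "written": written,
        "rejected": rejected,
        "unsafe_would_escape": unsafe_would_escape,
    }


if __name__ == "__main__":
    print(demo())
```

The check is done on the resolved path, not on the raw name, so encoded or nested segments such as `a/../../x` are handled the same way as a literal `../`, and symlinks inside the base directory are followed before the containment test rather than after.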
Existing Work
Existing Research:
• Mining software repositories
• Reverse engineering distribution packages
• Implementing security-specific tools
• Examining specific domains
Research Gap:
• Lack of comprehensive developer perspective
• Limited understanding of real-world practices
• Outdated insights (last major study in 2014)
Research Objectives
Understand: real-world practices and challenges
Discover: sources influencing app security practices
Insight: gaps in mobile app security education
Study Design
• Participant recruitment: keyword search and manual profile review
• 600 invitations sent; 137 completed responses
• Anonymous, no compensation, no follow-ups
• 24 survey questions
Results
Participant Demographics
● 137 participants from 22 countries
● 92.70% employed (116 full-time)
● Majority have 3+ years of general programming experience (123 participants)
Job involvement in mobile app development: all of the time 58%, most of the time 27%, other 15%
Mobile app development experience: < 1 year 4%, 1–2 years 13%, 3–5 years 46%, 6–10 years 23%, > 10 years 14%
RQ 1 – Features, Practices, and Challenges
Importance of mobile app security during development: very important 43%, extremely important 29%, other 28%
Commonly implemented security features (participant counts shown in the original bar chart): authentication, permissions, secure storage, data encryption
98% consider security as important
➢ 72.27% consider security very or extremely important
RQ 1 – Features, Practices, and Challenges
• 50.66% adhere to secure coding practices
• 39.26% use trusted libraries
• 34.07% regularly update dependencies
• 25.11% use security testing tools
• 21.15% conduct regular security audits
• 12.22% use vulnerability scanners
RQ 1 – Features, Practices, and Challenges
Common security challenges (participant counts shown in the original bar chart): limited security resources, balancing security and UX, third-party vulnerabilities, managing permissions, reverse engineering protection
Developers face both technical and non-technical challenges in securing their apps.
RQ 2 – Mobile App Security Resources
Sources influencing developers' app security practices: official documentation; online articles, videos, and blogs; security-specific documentation; generative AI chatbots; books and research publications; internal organizational resources; online forums
RQ 3 – Effectiveness of Learning Materials
59% of developers report inadequate mobile app security education
RQ 3 – Effectiveness of Learning Materials
Learning Gaps in Mobile App Security:
Focus on Basic Functionality: “Most of the online materials are more focused on the UI design”
Need for Specialized Courses: “If you wanna learn about security you need to search for a specific course about it”
Outdated or Incomplete Materials: “The documentation didn’t explain certain specific topics”
Security as a Secondary Concern: “Developing mobile apps was just starting so security was not a priority”
Reliance on Platform-Specific Security Features: “On iOS, by nature of the platform you are forced to be aware of certain security features”
On The Job Learning: “When I started working on real projects my mentor at the company started to suggest me best practices”
RQ 3 – Developer Recommendations
• Continuous learning
• Proactive security integration
• Use trusted libraries and security tools
• Prioritize data protection
• Involve security professionals
• Follow best practices and standards
• Gain hands-on experience
• Continuous maintenance and testing
• Knowledge sharing
Key Implications of Our Research
• Disconnect between security importance and developer preparedness: need for improved security education and training in mobile app development
• Adopting security-driven development: need for a holistic, security-driven development approach throughout the SDLC
• Organizational Security Resource Centers: organizations should establish comprehensive online Security Resource Centers