Stack Overflow Considered Harmful? The Impact of Copy & Paste on Android Application Security

Proceedings of the 2017 IEEE Symposium on Security and Privacy - Oakland 2017 (to appear)

Online programming discussion platforms such as Stack Overflow serve as a rich source of information for software developers. Available information include vibrant discussions and oftentimes ready-to-use code snippets. Previous research identified Stack Overflow as one of the most important information sources developers rely on. Anecdotes report that software developers copy and paste code snippets from those information sources for convenience reasons. Such behavior results in a constant flow of community-provided code snippets into production software. To date, the impact of this behaviour on code security is unknown.

We answer this highly important question by quantifying the proliferation of security-related code snippets from Stack Overflow in Android applications available on Google Play. Access to the rich source of information available on Stack Overflow including ready-to-use code snippets provides huge benefits for software developers. However, when it comes to code security there are some caveats to bear in mind: Due to the complex nature of code security, it is very difficult to provide ready-to-use and secure solutions for every problem. Hence, integrating a security-related code snippet from Stack Overflow into production software requires caution and expertise. Unsurprisingly, we observed insecure code snippets being copied into Android applications millions of users install from Google Play every day.

To quantitatively evaluate the extent of this observation, we scanned Stack Overflow for code snippets and evaluated their security score using a stochastic gradient descent classifier. In order to identify code reuse in Android applications, we applied state-of-the-art static analysis. Our results are alarming: 15.4% of the 1.3 million Android applications we analyzed, contained security-related code snippets from Stack Overflow. Out of these 97.9% contain at least one insecure code snippet.

38th IEEE Symposium on Security and Privacy

Felix Fischer on his Paper "Stack Overflow Considered Harmful? The Impact of Copy & Paste on Android Application Security"

;

Paper Download

Dataset Download

Bibtex

Authors

Contact Press / Media

Felix  Fischer

Fraunhofer AISEC

Contact Press / Media

Konstantin  Böttinger

Fraunhofer AISEC

Contact Press / Media

Huang  Xiao

Fraunhofer AISEC

Contact Press / Media

Christian  Stransky

CISPA, Saarland University

Contact Press / Media

Yasemin  Acar

CISPA, Saarland University

Contact Press / Media

Michael  Backes

CISPA, Saarland University

Contact Press / Media

Sascha  Fahl

CISPA, Saarland University

Stack Overflow Security Analysis

We identified all Android posts on Stack Overflow, extracted all (4,019) security-related code snippets and analyzed their security using a robust machine learning approach. As a result we provide a security analysis for all security-related Android code snippets available on Stack Overflow.

Google Play Analysis

We applied state-of-the-art static code analysis techniques to detect extracted code snippets from Stack Overflow in 1.3 million Android applications. We found that 15.4% of all 1.3 million Android applications contained security-related code snippets from Stack Overflow. Out of these 97.9% contain at least one insecure code snippet.

Processing Pipeline

We designed and implemented a fully automated large-scale processing pipeline for measuring the flow of security-related code snippets from Stack Overflow into Android applications.

Feedback

Copy-paste development is dangerous

Improving the safety of code snippets

Oakland'17, the IEEE Symposium on Security and Privacy