Mobile Software Assurance Informed through Knowledge Graph Construction: The OWASP Threat of Insecure Data Storage
DOI: https://doi.org/10.30564/jcsr.v2i2.1765
Abstract: Many organizations, to save costs, are moving to the Bring Your Own Device (BYOD) model for mobile devices and are adopting applications built by third parties at an unprecedented rate. Our research examines software assurance methodologies, focusing on the security analysis coverage that program analysis provides for mobile malware detection, mitigation, and prevention. This research focuses on secure software development of Android applications by developing knowledge graphs for the threats reported by the Open Web Application Security Project (OWASP). OWASP maintains lists of the top ten security threats to web and mobile applications. We develop knowledge graphs based on the two most recent years of the OWASP top ten lists and show how the knowledge graph relationships can be discovered in mobile application source code. We analyze 200+ healthcare applications from GitHub to understand the software assurance of their code against one of the OWASP top ten mobile threats, the threat of "Insecure Data Storage." We find that many of the applications store personally identifiable information (PII) in potentially vulnerable places, leaving users exposed to a higher risk of losing their sensitive data.
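As an added illustration, not the paper's tooling and not code from this page, the following Python scanner shows one concrete way the "Insecure Data Storage" patterns the abstract describes can be discovered in Android source: it pattern-matches the storage APIs that OWASP M2 covers (SharedPreferences, SQLite, logcat, external storage, world-accessible file modes) against a vocabulary of PII-like tokens. The rule names, the PII word list and the Java sample are assumptions constructed for this example.

```python
"""Triage scanner for OWASP Mobile M2 "Insecure Data Storage" sinks in Android
Java source.  Added example for this page, not the paper's tooling: the sink
list, rule names and PII vocabulary are this example's own assumptions, and a
production scanner would resolve types and track data flow instead of
matching lines with regular expressions."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# Tokens that, as a preference key, SQL column or logged label, suggest PII.
# Assumed vocabulary, tuned here toward the healthcare apps the abstract studies.
PII_WORDS = re.compile(
    r"(?i)(ssn|social_?sec|dob|birth|passw|email|phone|address|"
    r"patient|diagnos|insurance|mrn|first_?name|last_?name|full_?name)")


@dataclass
class Finding:
    line_no: int
    rule: str
    severity: str
    code: str


# Storage APIs that are risky regardless of what is written through them.
SINK_RULES = [
    ("WORLD_ACCESSIBLE_FILE_MODE", "high",
     re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)")),
    ("EXTERNAL_STORAGE_PATH", "medium",
     re.compile(r"getExternalStorage(Public)?Directory\(|getExternalFilesDirs?\(")),
]

# Storage APIs that are a finding only when a PII-like token is on the same line.
PII_CONTEXT_RULES = [
    ("PII_IN_SHARED_PREFS", "high",
     re.compile(r'\.put(String|Int|Long|Float|Boolean|StringSet)\(\s*"[^"]+"')),
    ("PII_IN_LOGCAT", "medium", re.compile(r"\bLog\.[vdiwe]\(")),
    ("PII_IN_SQLITE", "medium",
     re.compile(r"execSQL\(|\.insert(OrThrow|WithOnConflict)?\(|INSERT\s+INTO", re.I)),
]


def scan_source(java_text: str) -> List[Finding]:
    """Return one Finding per (line, rule) hit, in source order."""
    findings: List[Finding] = []
    for no, line in enumerate(java_text.splitlines(), start=1):
        code = line.strip()
        if code.startswith("//"):
            continue  # line comments are not sinks (block comments not handled)
        for rule, severity, pattern in SINK_RULES:
            if pattern.search(code):
                findings.append(Finding(no, rule, severity, code))
        if PII_WORDS.search(code):
            for rule, severity, pattern in PII_CONTEXT_RULES:
                if pattern.search(code):
                    findings.append(Finding(no, rule, severity, code))
    return findings


def summarize(findings: List[Finding]) -> Counter:
    """Count findings per rule, the per-app tally a corpus study would aggregate."""
    return Counter(f.rule for f in findings)


# Constructed sample, not taken from any real app: it mimics the kinds of
# storage the abstract reports finding in healthcare apps (PII in preferences,
# logcat, SQLite and external storage) next to benign settings that must not fire.
SAMPLE_JAVA = """\
public class PatientProfileActivity extends Activity {
    void save(String ssn, String dob, String password) {
        SharedPreferences prefs = getSharedPreferences("user", MODE_WORLD_READABLE);
        prefs.edit().putString("patient_ssn", ssn).apply();
        File out = new File(Environment.getExternalStorageDirectory(), "records.csv");
        Log.d(TAG, "login password=" + password);
        db.execSQL("INSERT INTO patients(full_name, dob) VALUES ('" + name + "','" + dob + "')");
        // settings below hold no PII and use MODE_PRIVATE, so nothing should fire
        SharedPreferences safe = getSharedPreferences("settings", MODE_PRIVATE);
        safe.edit().putBoolean("dark_mode", true).apply();
    }
}
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_JAVA):
        print(f"line {f.line_no:>3} {f.severity:<6} {f.rule:<27} {f.code}")
    print(dict(summarize(scan_source(SAMPLE_JAVA))))
```

Running the module prints one line per finding followed by the per-rule tally. Two caveats a reviewer should keep in mind: line-level matching cannot see PII that reaches a sink through a neutrally named variable, so the count is a lower bound rather than the true exposure; and MODE_WORLD_READABLE and MODE_WORLD_WRITEABLE have been deprecated since API level 17 and throw a SecurityException from API 24 onward, so that rule mainly matters for apps that still target older platforms.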