Mobile Software Security Threats in the Software Ecosystem, a Call to Arms

  • Andrey Krupskiy
  • Remmelt Blessinga
  • Jelmer Scholte
  • Slinger Jansen
Conference paper
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 304)


This paper studies the security policies of the Android and iOS software ecosystems. Both platforms have experienced security issues since their public release in 2007. Drawing on the scientific literature, this research creates an overview of the consequences that security issues cause and of the actions available to limit security infractions. Following the overview, the paper attempts to explain the premises of those issues by analyzing the security recommendations of both platforms and comparing them to the OWASP security guidelines. This is done by comparing the development guidelines set up by each platform and assessing the importance of each guideline from an ecosystem perspective. The conclusion highlights vulnerabilities in the developer guidelines of mobile platforms and recommends appropriate action to improve the situation.


Keywords: Software ecosystems, Software security, OWASP, Development policies



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Andrey Krupskiy (1)
  • Remmelt Blessinga (1)
  • Jelmer Scholte (1)
  • Slinger Jansen (1)

  1. Utrecht University, Utrecht, The Netherlands
