-
How the Future Works at SOUPS: Analyzing Future Work Statements and Their Impact on Usable Security and Privacy Research
Authors:
Jacques Suray,
Jan H. Klemmer,
Juliane Schmüser,
Sascha Fahl
Abstract:
Extending knowledge by identifying and investigating valuable research questions and problems is a core function of research. Research publications often suggest avenues for future work to extend and build upon their results. Considering these suggestions can contribute to develo** research ideas that build upon previous work and produce results that tie into existing knowledge. Usable security…
▽ More
Extending knowledge by identifying and investigating valuable research questions and problems is a core function of research. Research publications often suggest avenues for future work to extend and build upon their results. Considering these suggestions can contribute to develo** research ideas that build upon previous work and produce results that tie into existing knowledge. Usable security and privacy researchers commonly add future work statements to their publications. However, our community lacks an in-depth understanding of their prevalence, quality, and impact on future research.
Our work aims to address this gap in the research literature. We reviewed all 27 papers from the 2019 SOUPS proceedings and analyzed their future work statements. Additionally, we analyzed 978 publications that cite any paper from SOUPS 2019 proceedings to assess their future work statements' impact. We find that most papers from the SOUPS 2019 proceedings include future work statements. However, they are often unspecific or ambiguous, and not always easy to find. Therefore, the citing publications often matched the future work statements' content thematically, but rarely explicitly acknowledged them, indicating a limited impact. We conclude with recommendations for the usable security and privacy community to improve the utility of future work statements by making them more tangible and actionable, and avenues for future work.
△ Less
Submitted 30 May, 2024;
originally announced May 2024.
-
Using AI Assistants in Software Development: A Qualitative Study on Security Practices and Concerns
Authors:
Jan H. Klemmer,
Stefan Albert Horstmann,
Nikhil Patnaik,
Cordelia Ludden,
Cordell Burton Jr,
Carson Powers,
Fabio Massacci,
Akond Rahman,
Daniel Votipka,
Heather Richter Lipford,
Awais Rashid,
Alena Naiakshina,
Sascha Fahl
Abstract:
Following the recent release of AI assistants, such as OpenAI's ChatGPT and GitHub Copilot, the software industry quickly utilized these tools for software development tasks, e.g., generating code or consulting AI for advice. While recent research has demonstrated that AI-generated code can contain security issues, how software professionals balance AI assistant usage and security remains unclear.…
▽ More
Following the recent release of AI assistants, such as OpenAI's ChatGPT and GitHub Copilot, the software industry quickly utilized these tools for software development tasks, e.g., generating code or consulting AI for advice. While recent research has demonstrated that AI-generated code can contain security issues, how software professionals balance AI assistant usage and security remains unclear. This paper investigates how software professionals use AI assistants in secure software development, what security implications and considerations arise, and what impact they foresee on secure software development. We conducted 27 semi-structured interviews with software professionals, including software engineers, team leads, and security testers. We also reviewed 190 relevant Reddit posts and comments to gain insights into the current discourse surrounding AI assistants for software development. Our analysis of the interviews and Reddit posts finds that despite many security and quality concerns, participants widely use AI assistants for security-critical tasks, e.g., code generation, threat modeling, and vulnerability detection. Their overall mistrust leads to checking AI suggestions in similar ways to human code, although they expect improvements and, therefore, a heavier use for security tasks in the future. We conclude with recommendations for software professionals to critically check AI suggestions, AI creators to improve suggestion security and capabilities for ethical security tasks, and academic researchers to consider general-purpose AI in software development.
△ Less
Submitted 10 May, 2024;
originally announced May 2024.
-
"Make Them Change it Every Week!": A Qualitative Exploration of Online Developer Advice on Usable and Secure Authentication
Authors:
Jan H. Klemmer,
Marco Gutfleisch,
Christian Stransky,
Yasemin Acar,
M. Angela Sasse,
Sascha Fahl
Abstract:
Usable and secure authentication on the web and beyond is mission-critical. While password-based authentication is still widespread, users have trouble dealing with potentially hundreds of online accounts and their passwords. Alternatives or extensions such as multi-factor authentication have their own challenges and find only limited adoption. Finding the right balance between security and usabil…
▽ More
Usable and secure authentication on the web and beyond is mission-critical. While password-based authentication is still widespread, users have trouble dealing with potentially hundreds of online accounts and their passwords. Alternatives or extensions such as multi-factor authentication have their own challenges and find only limited adoption. Finding the right balance between security and usability is challenging for developers. Previous work found that developers use online resources to inform security decisions when writing code. Similar to other areas, lots of authentication advice for developers is available online, including blog posts, discussions on Stack Overflow, research papers, or guidelines by institutions like OWASP or NIST.
We are the first to explore developer advice on authentication that affects usable security for end-users. Based on a survey with 18 professional web developers, we obtained 406 documents and qualitatively analyzed 272 contained pieces of advice in depth. We aim to understand the accessibility and quality of online advice and provide insights into how online advice might contribute to (in)secure and (un)usable authentication. We find that advice is scattered and that finding recommendable, consistent advice is a challenge for developers, among others. The most common advice is for password-based authentication, but little for more modern alternatives. Unfortunately, many pieces of advice are debatable (e.g., complex password policies), outdated (e.g., enforcing regular password changes), or contradicting and might lead to unusable or insecure authentication. Based on our findings, we make recommendations for developers, advice providers, official institutions, and academia on how to improve online advice for developers.
△ Less
Submitted 26 November, 2023; v1 submitted 1 September, 2023;
originally announced September 2023.
-
"We've Disabled MFA for You": An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery Deployments
Authors:
Sabrina Amft,
Sandra Höltervennhoff,
Nicolas Huaman,
Alexander Krause,
Lucy Simko,
Yasemin Acar,
Sascha Fahl
Abstract:
Multi-Factor Authentication is intended to strengthen the security of password-based authentication by adding another factor, such as hardware tokens or one-time passwords using mobile apps. However, this increased authentication security comes with potential drawbacks that can lead to account and asset loss. If users lose access to their additional authentication factors for any reason, they will…
▽ More
Multi-Factor Authentication is intended to strengthen the security of password-based authentication by adding another factor, such as hardware tokens or one-time passwords using mobile apps. However, this increased authentication security comes with potential drawbacks that can lead to account and asset loss. If users lose access to their additional authentication factors for any reason, they will be locked out of their accounts. Consequently, services that provide Multi-Factor Authentication should deploy procedures to allow their users to recover from losing access to their additional factor that are both secure and easy-to-use. In this work, we investigate the security and user experience of Multi-Factor Authentication recovery procedures, and compare their deployment to descriptions on help and support pages. We first evaluate the official help and support pages of 1,303 websites that provide Multi-Factor Authentication and collect documented information about their recovery procedures. Second, we select a subset of 71 websites, create accounts, set up Multi-Factor Authentication, and perform an in-depth investigation of their recovery procedure security and user experience. We find that many websites deploy insecure Multi-Factor Authentication recovery procedures and allowed us to circumvent and disable Multi-Factor Authentication when having access to the accounts' associated email addresses. Furthermore, we commonly observed discrepancies between our in-depth analysis and the official help and support pages, implying that information meant to aid users is often either incorrect or outdated. Based on our findings, we provide recommendations for best practices regarding Multi-Factor Authentication recovery.
△ Less
Submitted 19 September, 2023; v1 submitted 16 June, 2023;
originally announced June 2023.
-
Committed by Accident: Studying Prevention and Remediation Strategies Against Secret Leakage in Source Code Repositories
Authors:
Alexander Krause,
Jan H. Klemmer,
Nicolas Huaman,
Dominik Wermke,
Yasemin Acar,
Sascha Fahl
Abstract:
Version control systems for source code, such as Git, are key tools in modern software development environments. Many developers use online services, such as GitHub or GitLab, for collaborative software development. While software projects often require code secrets to work, such as API keys or passwords, they need to be handled securely within the project. Previous research and news articles have…
▽ More
Version control systems for source code, such as Git, are key tools in modern software development environments. Many developers use online services, such as GitHub or GitLab, for collaborative software development. While software projects often require code secrets to work, such as API keys or passwords, they need to be handled securely within the project. Previous research and news articles have illustrated that developers are blameworthy of committing code secrets, such as private encryption keys, passwords, or API keys, accidentally to public source code repositories. However, making secrets publicly available might have disastrous consequences, such as leaving systems vulnerable to attacks. In a mixed-methods study, we surveyed 109 developers and conducted 14 in-depth semi-structured interviews with developers which experienced secret leakage in the past. We find that 30.3% of our participants have encountered secret leakage in the past, and that developers are facing several challenges with secret leakage prevention and remediation. Based on our findings, we discuss challenges, e. g., estimating risks of leaked secrets, and needs of developers in remediating and preventing code secret leaks, e. g., low adoption requirements. We also give recommendations for developers and source code platform providers to reduce the risk of secret leakage.
△ Less
Submitted 14 November, 2022; v1 submitted 11 November, 2022;
originally announced November 2022.
-
"Please help share!": Security and Privacy Advice on Twitter during the 2022 Russian Invasion of Ukraine
Authors:
Juliane Schmüser,
Noah Wöhler,
Harshini Sri Ramulu,
Christian Stransky,
Dominik Wermke,
Sascha Fahl,
Yasemin Acar
Abstract:
The Russian Invasion of Ukraine in early 2022 resulted in a rapidly changing (cyber) threat environment. This changing environment incentivized the sharing of security advice on social media, both for the Ukrainian population, as well as against Russian cyber attacks at large. Previous research found a significant influence of online security advice on end users.
We collected 8,920 tweets posted…
▽ More
The Russian Invasion of Ukraine in early 2022 resulted in a rapidly changing (cyber) threat environment. This changing environment incentivized the sharing of security advice on social media, both for the Ukrainian population, as well as against Russian cyber attacks at large. Previous research found a significant influence of online security advice on end users.
We collected 8,920 tweets posted after the Russian Invasion of Ukraine and examined 1,228 in detail, including qualitatively coding 232 relevant tweets and 140 linked documents for security and privacy advice. We identified 221 unique pieces of advice which we divided into seven categories and 21 subcategories, and advice targeted at individuals or organizations. We then compared our findings to those of prior studies, finding noteworthy similarities. Our results confirm a lack of advice prioritization found by prior work, which seems especially detrimental during times of crisis. In addition, we find offers for individual support to be a valuable tool and identify misinformation as a rising threat in general and for security advice specifically.
△ Less
Submitted 24 August, 2022;
originally announced August 2022.
-
Privacy Rarely Considered: Exploring Considerations in the Adoption of Third-Party Services by Websites
Authors:
Christine Utz,
Sabrina Amft,
Martin Degeling,
Thorsten Holz,
Sascha Fahl,
Florian Schaub
Abstract:
Modern websites frequently use and embed third-party services to facilitate web development, connect to social media, or for monetization. This often introduces privacy issues as the inclusion of third-party services on a website can allow the third party to collect personal data about the website's visitors. While the prevalence and mechanisms of third-party web tracking have been widely studied,…
▽ More
Modern websites frequently use and embed third-party services to facilitate web development, connect to social media, or for monetization. This often introduces privacy issues as the inclusion of third-party services on a website can allow the third party to collect personal data about the website's visitors. While the prevalence and mechanisms of third-party web tracking have been widely studied, little is known about the decision processes that lead to websites using third-party functionality and whether efforts are being made to protect their visitors' privacy.
We report results from an online survey with 395 participants involved in the creation and maintenance of websites. For ten common website functionalities we investigated if privacy has played a role in decisions about how the functionality is integrated, if specific efforts for privacy protection have been made during integration, and to what degree people are aware of data collection through third parties. We find that ease of integration drives third-party adoption but visitor privacy is considered if there are legal requirements or respective guidelines. Awareness of data collection and privacy risks is higher if the collection is directly associated with the purpose for which the third-party service is used.
△ Less
Submitted 4 October, 2022; v1 submitted 21 March, 2022;
originally announced March 2022.
-
(Un)informed Consent: Studying GDPR Consent Notices in the Field
Authors:
Christine Utz,
Martin Degeling,
Sascha Fahl,
Florian Schaub,
Thorsten Holz
Abstract:
Since the adoption of the General Data Protection Regulation (GDPR) in May 2018 more than 60 % of popular websites in Europe display cookie consent notices to their visitors. This has quickly led to users becoming fatigued with privacy notifications and contributed to the rise of both browser extensions that block these banners and demands for a solution that bundles consent across multiple websit…
▽ More
Since the adoption of the General Data Protection Regulation (GDPR) in May 2018 more than 60 % of popular websites in Europe display cookie consent notices to their visitors. This has quickly led to users becoming fatigued with privacy notifications and contributed to the rise of both browser extensions that block these banners and demands for a solution that bundles consent across multiple websites or in the browser.
In this work, we identify common properties of the graphical user interface of consent notices and conduct three experiments with more than 80,000 unique users on a German website to investigate the influence of notice position, type of choice, and content framing on consent. We find that users are more likely to interact with a notice shown in the lower (left) part of the screen. Given a binary choice, more users are willing to accept tracking compared to mechanisms that require them to allow cookie use for each category or company individually. We also show that the wide-spread practice of nudging has a large effect on the choices users make. Our experiments show that seemingly small implementation decisions can substantially impact whether and how people interact with consent notices. Our findings demonstrate the importance for regulation to not just require consent, but also provide clear requirements or guidance for how this consent has to be obtained in order to ensure that users can make free and informed choices.
△ Less
Submitted 22 October, 2019; v1 submitted 5 September, 2019;
originally announced September 2019.
-
A Large Scale Investigation of Obfuscation Use in Google Play
Authors:
Dominik Wermke,
Nicolas Huaman,
Yasemin Acar,
Brad Reaves,
Patrick Traynor,
Sascha Fahl
Abstract:
Android applications are frequently plagiarized or repackaged, and software obfuscation is a recommended protection against these practices. However, there is very little data on the overall rates of app obfuscation, the techniques used, or factors that lead to developers to choose to obfuscate their apps. In this paper, we present the first comprehensive analysis of the use of and challenges to s…
▽ More
Android applications are frequently plagiarized or repackaged, and software obfuscation is a recommended protection against these practices. However, there is very little data on the overall rates of app obfuscation, the techniques used, or factors that lead to developers to choose to obfuscate their apps. In this paper, we present the first comprehensive analysis of the use of and challenges to software obfuscation in Android applications. We analyzed 1.7 million free Android apps from Google Play to detect various obfuscation techniques, finding that only 24.92% of apps are obfuscated by the developer. To better understand this rate of obfuscation, we surveyed 308 Google Play developers about their experiences and attitudes about obfuscation. We found that while developers feel that apps in general are at risk of plagiarism, they do not fear theft of their own apps. Developers also self-report difficulties applying obfuscation for their own apps. To better understand this, we conducted a follow-up study where the vast majority of 70 participants failed to obfuscate a realistic sample app even while many mistakenly believed they had been successful. Our findings show that more work is needed to make obfuscation tools more usable, to educate developers on the risk of their apps being reverse engineered, their intellectual property stolen, their apps being repackaged and redistributed as malware and to improve the health of the overall Android ecosystem.
△ Less
Submitted 20 February, 2018; v1 submitted 8 January, 2018;
originally announced January 2018.
-
Studying the Impact of Managers on Password Strength and Reuse
Authors:
Sanam Ghorbani Lyastani,
Michael Schilling,
Sascha Fahl,
Sven Bugiel,
Michael Backes
Abstract:
Despite their well-known security problems, passwords are still the incumbent authentication method for virtually all online services. To remedy the situation, end-users are very often referred to password managers as a solution to the password reuse and password weakness problems. However, to date the actual impact of password managers on password security and reuse has not been studied systemati…
▽ More
Despite their well-known security problems, passwords are still the incumbent authentication method for virtually all online services. To remedy the situation, end-users are very often referred to password managers as a solution to the password reuse and password weakness problems. However, to date the actual impact of password managers on password security and reuse has not been studied systematically.
In this paper, we provide the first large-scale study of the password managers' influence on users' real-life passwords. From 476 participants of an online survey on users' password creation and management strategies, we recruit 170 participants that allowed us to monitor their passwords in-situ through a browser plugin. In contrast to prior work, we collect the passwords' entry methods (e.g., human or password manager) in addition to the passwords and their metrics. Based on our collected data and our survey, we gain a more complete picture of the factors that influence our participants' passwords' strength and reuse. We quantify for the first time that password managers indeed benefit the password strength and uniqueness, however, also our results also suggest that those benefits depend on the users' strategies and that managers without password generators rather aggravate the existing problems.
△ Less
Submitted 24 December, 2017;
originally announced December 2017.
-
Stack Overflow Considered Harmful? The Impact of Copy&Paste on Android Application Security
Authors:
Felix Fischer,
Konstantin Böttinger,
Huang Xiao,
Christian Stransky,
Yasemin Acar,
Michael Backes,
Sascha Fahl
Abstract:
Online programming discussion platforms such as Stack Overflow serve as a rich source of information for software developers. Available information include vibrant discussions and oftentimes ready-to-use code snippets. Anecdotes report that software developers copy and paste code snippets from those information sources for convenience reasons. Such behavior results in a constant flow of community-…
▽ More
Online programming discussion platforms such as Stack Overflow serve as a rich source of information for software developers. Available information include vibrant discussions and oftentimes ready-to-use code snippets. Anecdotes report that software developers copy and paste code snippets from those information sources for convenience reasons. Such behavior results in a constant flow of community-provided code snippets into production software. To date, the impact of this behaviour on code security is unknown. We answer this highly important question by quantifying the proliferation of security-related code snippets from Stack Overflow in Android applications available on Google Play. Access to the rich source of information available on Stack Overflow including ready-to-use code snippets provides huge benefits for software developers. However, when it comes to code security there are some caveats to bear in mind: Due to the complex nature of code security, it is very difficult to provide ready-to-use and secure solutions for every problem. Hence, integrating a security-related code snippet from Stack Overflow into production software requires caution and expertise. Unsurprisingly, we observed insecure code snippets being copied into Android applications millions of users install from Google Play every day. To quantitatively evaluate the extent of this observation, we scanned Stack Overflow for code snippets and evaluated their security score using a stochastic gradient descent classifier. In order to identify code reuse in Android applications, we applied state-of-the-art static analysis. Our results are alarming: 15.4% of the 1.3 million Android applications we analyzed, contained security-related code snippets from Stack Overflow. Out of these 97.9% contain at least one insecure code snippet.
△ Less
Submitted 9 October, 2017;
originally announced October 2017.