Identifying the Mutual Correlations and Evaluating the Weights of Factors and Consequences of Mobile Application Insecurity
Abstract
:1. Introduction
2. State of the Art
3. Proposed Methodology
3.1. Modelling the Subject Area of Mobile Application Security Assessment and Forecasting
- Excessive memory usage;
- Reputation damage;
- Material loss;
- Program unpredictable crashes;
- Fraud;
- Identity theft;
- Information leaks;
- Slow loading of UX graphic elements;
- Privacy violation;
- Code theft;
- Unauthorized access to data;
- Intellectual property theft;
- Information theft;
- External policy violation;
- Error occurrence.
= φ1(w2∙ids, w3∙icsc, w4∙iar, w5∙iazr, w7∙cfr, w8∙pcq, w9∙ide, w10∙rer),
={rd, ml, fr, it, itt, eo, emu, il, pv, ct, ipt, epv, uad, puc, slux}.
3.2. Method of Evaluating the Weights of Factors of Mobile Application Insecurity
- Identifying the common factors for the mobile application insecurity consequences:
- 1.1.
- Formation of a matrix of common factors for the mobile application insecurity consequences MAICJ = (maicjk,l)15×15 = ∩k=115∩l=115(MAICMk, MAICMl), where maicjk,l = {MAICMk ∩ MAICMl} is the k,l-th element of the matrix, which is the set of attributes, which are common to the k-th and l-th mobile application insecurity consequences; MAICMk and MAICMl are, respectively, the k-th and l-th mobile application insecurity consequences, represented by the sets of their factors according to the models represented by Equations (1)–(15), but the diagonal elements of the matrix are empty sets, i.e., maicjk,k = Ø;
- 1.2.
- Formation of a matrix of the number of common factors for the mobile application insecurity consequences MAICJN = (maicjnk,l)15×15, where maicjnk,l = |maicjk,l| = |{MAICMk ∩ MAICMl}| is the k,l-th element of the matrix, which is equal to the number of elements of the corresponding set maicjk,l, i.e., the number of common factors of the k-th and l-th mobile application insecurity consequences;
- 1.3.
- Formation of the set of common factors JF = {jf1, …, jfm} (where m is the number of relevant common factors) for the mobile application insecurity consequences based on the elements of the matrix MAICJ as a symmetric difference (disjunctive sum) of all set elements maicjk,l, for which the condition k < l is met (i.e., elements above the main diagonal): JF = {maicj1,2 maicj1,3 … maicjk,l maicj14,15};
- 1.4.
- Formation of the matrix of dependence of the mobile application insecurity consequences from common factors F = (fk,l)m×15, where the k,l-th element of the matrix fk,l = 1, if jfk € MAICMl, i.e., if the k-th common factor is included in the set of factors of the l-th consequence.
- Calculation of the weights of the mobile application insecurity factors based on the number of mobile application insecurity consequences that depend on these factors:
- 2.1.
- Counting the number of consequences kch, which depend on the h-th common factor: kch = kch + 1, if fh,l = 1 (l = 1…15), counting the number of “1s” in each row of the matrix F;
- 2.2.
- Calculation of the weight of the h-th factor by the formula: wh = kch/kf, where kf is the total number of factors (as shown above, now the mobile application insecurity consequences depend on 10 different factors, i.e., currently, kf = 10); the numerator of the weights of each factor indicates the number of mobile application insecurity consequences that depend on this factor, because if several factors leading to the same consequence are present but not identified or are not accurately determined, the validity of the obtained estimate of such a consequence of mobile application insecurity is significantly reduced, or the possibility of obtaining such an estimate disappears altogether.
4. Results and Discussion
4.1. Results: Evaluating the Weights of Factors of Mobile Application Insecurity
4.2. Results: Identifying the Mutual Correlations of Mobile Application Insecurity Factors and Consequences
4.3. Discussion
5. Conclusions
- The implementation of the ontology and weighted ontology of the subject area of assessing and forecasting the security of mobile applications, represented by Equations (20) and (22), respectively, using, for example, the Protégé platform;
- Establishing the dependencies of the mobile application insecurity consequences on the factors—the form of functions f1–f15, φ1–φ15, which are currently unknown;
- The design and implementation of ontology-based intelligent agents that will provide the ability to automatically process information on the subject area of assessing and forecasting the security of mobile applications, as well as the ability to automatically assess and forecast the security of mobile applications based on the received information;
- The design and development of methods and tools for forecasting, assessing, and ensuring the security of mobile applications;
- The research of other (in addition to OWASP) factors that affect mobile application security, the search for their mutual correlations, the calculation of their weights, and adding them to the developed ontologies.
Author Contributions
Funding
Data Availability Statement
Acknowledgments
Conflicts of Interest
References
- Liu, C.; Lu, J.; Feng, W.; Du, E.; Di, L.; Song, Z. MOBIPCR: Efficient, accurate, and strict ML-based mobile malware detection. Future Gener. Comput. Syst. 2023, 144, 140–150. [Google Scholar] [CrossRef]
- Tsai, C.-Y.; Shih, W.-L.; Hsieh, F.-P.; Chen, Y.-A.; Lin, C.-L.; Wu, H.-J. Using the ARCS model to improve undergraduates’ perceived information security protection motivation and behavior. Comput. Educ. 2022, 181, 104449. [Google Scholar] [CrossRef]
- Nirumand, A.; Zamani, B.; Tork-Ladani, B.; Klein, J.; Bissyandé, T.F. A model-based framework for inter-app Vulnerability analysis of Android applications. Softw.-Pract. Exp. 2023, 53, 895–936. [Google Scholar] [CrossRef]
- He, S.; Ficke, E.; Ahsan Pritom, M.M.; Chen, H.; Tang, Q.; Chen, Q.; Pendleton, M.; Njilla, L.; Xu, S. Blockchain-based automated and robust cyber security management. J. Parallel Distrib. Comput. 2022, 163, 62–82. [Google Scholar] [CrossRef]
- Zhu, P.; Hu, J.; Li, X.; Zhu, Q. Using Blockchain Technology to Enhance the Traceability of Original Achievements. IEEE Trans. Eng. Manag. 2023, 70, 1693–1707. [Google Scholar] [CrossRef]
- Kuo, S.-Y.; Tseng, F.-H.; Chou, Y.-H. Metaverse intrusion detection of wormhole attacks based on a novel statistical mechanism. Future Gener. Comput. Syst. 2023, 143, 179–190. [Google Scholar] [CrossRef]
- Nayak, P.; Swapna, G. Security issues in IoT applications using certificateless aggregate signcryption schemes: An overview. Internet Things 2023, 21, 100641. [Google Scholar] [CrossRef]
- Thien, H.T.; Tuan, P.-V.; Koo, I. A Secure-Transmission Maximization Scheme for SWIPT Systems Assisted by an Intelligent Reflecting Surface and Deep Learning. IEEE Access 2022, 10, 31851–31867. [Google Scholar] [CrossRef]
- Kovtun, V.; Izonin, I.; Gregus, M. Reliability model of the security subsystem countering to the impact of typed cyber-physical attacks. Sci. Rep. 2022, 12, 12849. [Google Scholar] [CrossRef]
- Shandilya, S.K.; Ganguli, C.; Izonin, I.; Nagar, A.K. Cyber attack evaluation dataset for deep packet inspection and analysis. Data Brief 2023, 46, 108771. [Google Scholar] [CrossRef]
- CVEdetails.com: The Ultimate Security Vulnerability Data Source. Available online: https://www.cvedetails.com/ (accessed on 12 April 2023).
- Zhu, H.; Wei, H.; Wang, L.; Xu, Z.; Sheng, V.S. An effective end-to-end android malware detection method. Expert Syst. Appl. 2023, 218, 119593. [Google Scholar] [CrossRef]
- Keyvanpour, M.R.; Barani Shirzad, M.; Heydarian, F. Android malware detection applying feature selection techniques and machine learning. Multimed. Tools Appl. 2023, 82, 9517–9531. [Google Scholar] [CrossRef]
- Saraswat, P. An inclusive analysis of Google’s android operating system and its security. AIP Conf. Proc. 2023, 2427, 020097. [Google Scholar] [CrossRef]
- Guerra-Manzanares, A.; Bahsi, H.; Luckner, M. Leveraging the first line of defense: A study on the evolution and usage of android security permissions for enhanced android malware detection. J. Comput. Virol. Hacking Tech. 2023, 19, 65–96. [Google Scholar] [CrossRef]
- Şahin, D.Ö.; Kural, O.E.; Akleylek, S.; Kılıç, E. A novel permission-based Android malware detection system using feature selection based on linear regression. Neural Comput. Appl. 2023, 35, 4903–4918. [Google Scholar] [CrossRef]
- A Decade in, How Safe Are Your iOS and Android Apps? Available online: https://www.nowsecure.com/blog/2018/07/11/a-decade-in-how-safe-are-your-ios-and-android-apps/ (accessed on 12 April 2023).
- Understanding OWASP Mobile Top 10 Risks with Real-World Cases. Available online: https://appinventiv.com/blog/owasp-mobile-top-10-real-world-cases/ (accessed on 12 April 2023).
- Papaioannou, M.; Pelekoudas-Oikonomou, F.; Mantas, G.; Serrelis, E.; Rodriguez, J.; Fengou, M.-A. A Survey on Quantitative Risk Estimation Approaches for Secure and Usable User Authentication on Smartphones. Sensors 2023, 23, 2979. [Google Scholar] [CrossRef]
- Byun, J.W. Towards serverless fast one round authentication with two mobile end devices. J. Supercomput. 2023, 79, 5684–5704. [Google Scholar] [CrossRef]
- Kaspersky Researchers Uncover Flaws in Popular Dating Apps Like Tinder, OkCupid, and Bumble. Available online: https://fortune.com/2017/10/25/tinder-kaspersky-okcupid-bumble-dating-app-security-hack/ (accessed on 12 April 2023).
- Watch Out for a Clever Touch ID Scam Hitting the App Store. Available online: https://www.wired.com/story/iphone-touch-id-scam-apps/ (accessed on 12 April 2023).
- IoT Vuln Disclosure: Children’s GPS Smart Watches (R7-2019-57). Available online: https://www.rapid7.com/blog/post/2019/12/11/iot-vuln-disclosure-childrens-gps-smart-watches-r7-2019-57/ (accessed on 12 April 2023).
- Weak Encryption Leaves Mobile Health App at Risk for Hacking. Available online: https://www.careersinfosecurity.com/weak-encryption-leaves-mobile-health-app-at-risk-for-hacking-a-11833 (accessed on 12 April 2023).
- Hacking Smart Car Alarm Systems. Available online: https://www.kaspersky.com/blog/hacking-smart-car-alarm-systems/26014/ (accessed on 12 April 2023).
- Hackers Used WhatsApp 0-Day Flaw to Secretly Install Spyware on Phones. Available online: https://thehackernews.com/2019/05/hack-whatsapp-vulnerability.html (accessed on 12 April 2023).
- Prabakaran, M.K.; Sundaram, P.M.; Chandrasekar, A.D. An enhanced deep learning-based phishing detection mechanism to effectively identify malicious URLs using variational autoencoders. IET Inf. Secur. 2023, 1–18. [Google Scholar] [CrossRef]
- How Pokémon Go Fans Hacked ‘Em All: And How to Prevent Similar Reverse-Engineering. Available online: https://nordicapis.com/how-pokemon-go-fans-hacked-em-all-and-how-to-prevent-similar-reverse-engineering/ (accessed on 12 April 2023).
- An Obscure App Flaw Creates Backdoors in Millions of Smartphones. Available online: https://www.wired.com/2017/04/obscure-app-flaw-creates-backdoors-millions-smartphones/ (accessed on 12 April 2023).
- Encalada, D.; Soto-Alvarado, M.; Chamba-Gonzalez, V. Perception of information security in mobile applications. In Proceedings of the 2022 Iberian Conference on Information Systems and Technologies, Madrid, Spain, 22–25 June 2022. [Google Scholar] [CrossRef]
- Phasinam, K.; Kassanuk, T. Evaluation of vulnerabilities in IoT-based intelligent agriculture systems. Auton. Veh. Smart Veh. Commun. 2022, 2, 237–258. [Google Scholar]
- Amelang, K. (Not) Safe to Use: Insecurities in Everyday Data Practices with Period-Tracking Apps. In Transforming Communication; Springer: Berlin/Heidelberg, Germany, 2022; pp. 297–321. [Google Scholar] [CrossRef]
- Chakraborty, R.; Prakasha, G.S.; Sripavithra, C.K. Factors Affecting Data-Privacy Protection and Promotion of Safe Digital Usage. CEUR-WS 2021, 3094, 49–58. [Google Scholar]
- Aljumah, A.; Altuwijri, A.; Alsuhaibani, T.; Selmi, A.; Alruhaily, N. Android Apps Security Assessment using Sentiment Analysis Techniques: Comparative Study. Int. J. Interact. Mob. Technol. 2021, 15, 123–133. [Google Scholar] [CrossRef]
- Bhardwaj, A.; Singh, A.J. Implementing ASBP: A novel framework for sanitizing android apps. Int. J. Eng. Adv. Technol. 2019, 8, 5366–5374. [Google Scholar] [CrossRef]
- Sanni, M.L.; Akinyemi, B.O.; Olalere, D.A.; Olajubu, E.A.; Aderounmu, G.A. A Predictive Cyber Threat Model for Mobile Money Services. Ann. Emerg. Technol. Comput. 2023, 7, 40–60. [Google Scholar] [CrossRef]
- Weichbroth, P.; Łysik, Ł. Mobile Security: Threats and Best Practices. Mob. Inf. Syst. 2020, 2020, 8828078. [Google Scholar] [CrossRef]
- Hovorushchenko, T. Methodology of Evaluating the Sufficiency of Information for Software Quality Assessment According to ISO 25010. J. Inf. Organ. Sci. 2018, 42, 63–85. [Google Scholar] [CrossRef]
- Hovorushchenko, T.; Pomorova, O. Methodology of Evaluating the Sufficiency of Information on Quality in the Software Requirements Specifications. In Proceedings of the 2018 IEEE 9th International Conference on Dependable Systems, Services and Technologies, Kyiv, Ukraine, 24–27 May 2018. [Google Scholar] [CrossRef]
- Hovorushchenko, T.; Pomorova, O. Evaluation of Mutual Influences of Software Quality Characteristics Based ISO 25010:2011. In Proceedings of the 2016 IEEE 11th International Conference on Computer Sciences and Information Technologies, Lviv, Ukraine, 6–10 September 2016. [Google Scholar] [CrossRef]
Company or Application Name | Cause or Factor of the Threat | Consequences |
---|---|---|
Tinder, OkCupid, Bumble dating applications [21] | Insecure data storage | Popular dating apps such as Tinder, OkCupid, and Bumble have vulnerabilities that make users’ personal information potentially available to stalkers, spammers, and hackers. Security breaches, which vary in severity and scope, can expose people’s names, logins, locations, message history, and other account activity. |
Fitness Balance app, Heart Monitor, Calories Tracker app [22] | Improper platform usage bypasses apple’s iOS Touch ID security system | Once you scan your fingerprint, the apps briefly display an in-app purchase pop-up, charging $90 to $120, while dimming the screen to make it hard to see the tip. In some cases, even if you refuse to use Touch ID to enable the feature, the app asks you to tap to continue and instead attempts an in-app payment scam. |
Children’s smart watches with GPS (R7-2019-57) [23] | Insecure client–server communication: interception of sensitive data in transit over the network | The watches were supposed to be contacted using approved contact numbers via a whitelist mode, but the company discovered that the filters did not even work. The watch even accepted customization commands via text messages. This meant a hacker could change the watch’s settings and put children at risk. |
Hacking of a US bank in 2019 due to a flaw in the bank’s website and bypassing two-factor authentication by a cyberattacker [18] | Insecure authentication risk | The attacker logged in with the victim’s stolen credentials, and when taken to a page that required a PIN or security response, the attacker used a modified string in the web address that set the computer up as recognized. This allowed them to cross the stage and start electronic transfers. |
Philips HealthSuite Health Android app [24] | Insufficient data encryption | The issue, which was traced to insufficient encryption reliability, opened the app up to hackers who could access users’ heart rate, blood pressure, sleep status, weight and body composition, and more. |
Pandora, a smart car alarm system [25] | Insecure authorization risk | Stealing a smart alarm user account is not only possible but not that difficult. You do not even need to buy the alarm itself (which can cost a hefty $5000) to steal a Viper or Pandora account. At the time of the study, all you had to do to access the system was to register an account on the website or app and use it to access any other account. |
WhatsApp Messenger [26] | Poor code quality | Until recently, WhatsApp had a serious vulnerability that was exploited by attackers to remotely install malware that would monitor “selected” smartphones after making a WhatsApp audio call to them. A WhatsApp exploit that installed Pegasus spyware on Android and iOS devices was discovered and adopted by the Israeli company NSO Group (the maker of the most advanced software tool). |
Target app from any application store [18,27] | Code forgery risk | The attacker uses code modification through malicious forms of mobile applications, available in app stores, which may resort to phishing attacks to force the user to install the application. |
Pokemon Go mobile game [28] | Reverse engineering | An attacker typically downloads a target app from an app store and analyzes it in their local environment using a variety of tools. After that, they can change the code and change the function of the app. Pokemon Go suffered a security breach when it emerged that users had re-engineered the app to know when Pokemon were nearby and catch them within minutes. |
The idea behind the Wi-Fi File Transfer application was to open a port on Android and allow a connection from a computer [29] | Extraneous functionality | A group of researchers from the University of Michigan discovered hundreds of apps in Google Play that performed an unexpected trick: by effectively turning the phone into a server, they allowed the owner to connect to that phone directly from their computer, just like a website or other Internet service. However, dozens of these apps left unprotected ports open on these smartphones. This allowed attackers to steal data, including contacts or photos, or even install malware. |
rd | ml | fr | it | itt | eo | emu | il | pv | ct | ipt | epv | uad | puc | slux | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
rd | 0 | 3 | 2 | 1 | 5 | 2 | 1 | 2 | 1 | 2 | 2 | 2 | 3 | 3 | 1 |
ml | 3 | 0 | 2 | 2 | 1 | 1 | 0 | 1 | 1 | 1 | 1 | 2 | 2 | 1 | 0 |
fr | 2 | 2 | 0 | 2 | 1 | 0 | 0 | 0 | 1 | 0 | 0 | 1 | 0 | 0 | 0 |
it | 1 | 2 | 2 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 1 | 0 | 0 | 0 |
itt | 5 | 1 | 1 | 0 | 0 | 1 | 0 | 1 | 1 | 2 | 1 | 0 | 2 | 2 | 0 |
eo | 2 | 1 | 0 | 0 | 1 | 0 | 1 | 0 | 0 | 1 | 0 | 0 | 1 | 2 | 1 |
emu | 1 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 1 |
il | 2 | 1 | 0 | 0 | 1 | 0 | 0 | 0 | 1 | 1 | 2 | 1 | 1 | 0 | 0 |
pv | 1 | 1 | 1 | 1 | 1 | 0 | 0 | 1 | 0 | 1 | 2 | 1 | 1 | 0 | 0 |
ct | 2 | 1 | 0 | 0 | 2 | 1 | 0 | 1 | 1 | 0 | 1 | 0 | 1 | 1 | 0 |
ipt | 2 | 1 | 0 | 0 | 1 | 0 | 0 | 2 | 2 | 1 | 0 | 2 | 2 | 0 | 0 |
epv | 2 | 2 | 1 | 1 | 0 | 0 | 0 | 1 | 1 | 0 | 2 | 0 | 2 | 0 | 0 |
uad | 3 | 2 | 0 | 0 | 2 | 1 | 0 | 1 | 1 | 1 | 2 | 2 | 0 | 1 | 0 |
puc | 3 | 1 | 0 | 0 | 2 | 2 | 1 | 0 | 0 | 1 | 0 | 0 | 1 | 0 | 1 |
slux | 1 | 0 | 0 | 0 | 0 | 1 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 0 |
rd | ml | fr | it | itt | eo | emu | il | pv | ct | ipt | epv | uad | puc | slux | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
ipu | 1 | 1 | 1 | 1 | |||||||||||
ids | 1 | 1 | 1 | 1 | 1 | ||||||||||
icsc | 1 | 1 | 1 | ||||||||||||
iar | 1 | 1 | 1 | ||||||||||||
iazr | 1 | 1 | 1 | ||||||||||||
efr | 1 | 1 | 1 | 1 | |||||||||||
cfr | 1 | 1 | 1 | 1 | 1 | 1 | 1 | ||||||||
pcq | 1 | 1 | 1 | 1 | 1 | ||||||||||
ide | 1 | 1 | 1 | 1 | 1 | 1 | |||||||||
rer | 1 | 1 | 1 | 1 | 1 | 1 |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Zaitseva, E.; Hovorushchenko, T.; Pavlova, O.; Voichur, Y. Identifying the Mutual Correlations and Evaluating the Weights of Factors and Consequences of Mobile Application Insecurity. Systems 2023, 11, 242. https://doi.org/10.3390/systems11050242
Zaitseva E, Hovorushchenko T, Pavlova O, Voichur Y. Identifying the Mutual Correlations and Evaluating the Weights of Factors and Consequences of Mobile Application Insecurity. Systems. 2023; 11(5):242. https://doi.org/10.3390/systems11050242
Chicago/Turabian StyleZaitseva, Elena, Tetiana Hovorushchenko, Olga Pavlova, and Yurii Voichur. 2023. "Identifying the Mutual Correlations and Evaluating the Weights of Factors and Consequences of Mobile Application Insecurity" Systems 11, no. 5: 242. https://doi.org/10.3390/systems11050242
APA StyleZaitseva, E., Hovorushchenko, T., Pavlova, O., & Voichur, Y. (2023). Identifying the Mutual Correlations and Evaluating the Weights of Factors and Consequences of Mobile Application Insecurity. Systems, 11(5), 242. https://doi.org/10.3390/systems11050242