Professional Documents
Culture Documents
Web APIssec
Web APIssec
Web APIssec
Abstract—Web communication has become an indispensable We manually studied the use of common web communi-
characteristic of mobile apps. However, it is not clear what cation frameworks in 160 randomly selected Android mobile
data the apps transmit, to whom, and what consequences such apps, i.e., more than 4.7% of the whole dataset, and developed
transmissions have.
We analyzed the web communications found in mobile apps a static analysis tool to investigate whether network commu-
arXiv:2001.00195v2 [cs.CR] 1 Jun 2020
from the perspective of security. We first manually studied 160 nications in 3 376 closed-source and open-source apps differ.
Android apps to identify the commonly-used communication We manually inspected the tool’s output for 100 random apps,
libraries, and to understand how they are used in these apps. and used the reported URLs to connect to the servers and
We then developed a tool to statically identify web API URLs to investigate their response. We found eight security code
used in the apps, and restore the JSON data schemas including
the type and value of each parameter. smells, i.e., symptoms in the code that signal the prospect
We extracted 9 714 distinct web API URLs that were used in of a security vulnerability [6], on both ends, dominated by
3 376 apps. We found that developers often use the java.net the use of embedded computer languages. We handcrafted
package for network communication, however, third-party li- regular expressions to automatically identify the use of those
braries like OkHttp are also used in many apps. We discovered languages, and other languages prevalent on GitHub.
that insecure HTTP connections are seven times more prevalent
in closed-source than in open-source apps, and that embedded In this work we address the following research questions:
SQL and JavaScript code is used in web communication in more RQ1 : Which API frameworks are used in Android mobile
than 500 different apps. This finding is devastating; it leaves apps, and what is the nature of the data that apps transmit
billions of users and API service providers vulnerable to attack. through these frameworks? We identified six different web
API communication libraries, and learned that open-source
Index Terms—Web APIs, network libraries, communication,
security apps rely on simpler request paths including only one or two
path segments, while closed-source apps mostly include two
I. I NTRODUCTION or three path segments. Unexpectedly, the opposite is true for
Mobile applications (apps) increasingly rely on web com- key-value pairs: Open-source apps frequently use one to three
munication to provide their services. Apps access the internet pairs, while closed-source apps mainly use one pair. Fragments
through web APIs in order to use an increasing number of have only been used very sparsely in both types of apps. We
public web services, or to communicate with private backends. found that open-source and closed-source apps are similar in
Researchers have recently studied the use of such APIs in the choice of web communication libraries, but advertising
mobile apps, and, for instance, found that a large number of services are more prevalent in closed-source apps.
web requests are not directly traceable to source code [1], RQ2 : What security smells are present in web commu-
cloud and mail service credentials are hard-coded in the nication? We found eight security smells in the apps and
apps [2], many web requests are harmful [3], many web links the server software. For instance, 500 apps use embedded
targeting well-known advertisement networks impose serious computer languages (e.g., SQL, and JavaScript commands)
risks on users [4], and lax input validation in many web APIs in web API communications, thus introducing the threat of
could compromise the security and privacy of millions of code injection attacks. A horrific 67% of the closed-source
users [5]. and 9.5% of the open-source apps communicate with servers
We could not, however, find any publicly available tool that over insecure HTTP connections. Many apps neglect to use
researchers can use to study web APIs. Also, There are several the HTTP strict transport security policy. Finally, we observed
third-party libraries to implement network communication, a lack of authentication and authorization mechanisms for
but existing studies are mainly limited to java.net APIs. services that are supposed to be private.
Finally, dissecting the distribution of elements that comprise In summary, this work attempts to shed more light on the
the web API URLs is never studied, which is necessary for use of web APIs in mobile apps, by studying what data the
collecting security-related information stored in query keys apps transmit, to whom, and for what purpose. The tool and
and values, as well as to fuzz web APIs. the obtained results in this study are available online.1