- Volume 14 Issue 10
The distribution and use of mobile applications have expanded rapidly in recent years, and the security of mobile applications has emerged as a new issue. Although the safety of general software such as desktop and enterprise software is achieved systematically from the development phase through the verification phase by means of secure coding, there have not yet been sufficient studies on the safety of mobile applications. This paper derives a weakness enumeration specialized for mobile applications and implements a tool that automatically analyzes the derived weaknesses. The enumeration is derived from CWE (Common Weakness Enumeration) and the CERT (Computer Emergency Response Team) secure coding standards as they relate to the event-driven programming model generally used in developing mobile applications. The analysis tool uses dynamic tests to check whether the specified weaknesses are present in the source code of mobile applications. The derived weakness enumeration can also serve as a guidebook for programmers developing mobile applications.
Programming Language; Secure Coding; Weakness Analyzer; Event-Driven Programming
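As an added illustration (not the paper's tool or code), the following Python sketch models the two pieces the abstract describes: a weakness enumeration keyed by CWE identifiers, and an analyzer that scans event-handler source for those weaknesses. It performs a static, line-based scan with simple per-handler taint tracking from user-input calls to dangerous sinks. The trimmed weakness table, the taint-source list, the helper names and the Java-like sample source are all constructed for this example; only the CWE identifiers and names are the real ones from cwe.mitre.org.

```python
"""Minimal enumeration-driven weakness analyzer for event-handler source.

Added illustration only; not the paper's tool. The weakness table is a
hypothetical subset keyed by real CWE identifiers, and SAMPLE_SOURCE is
constructed for the demo.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Weakness:
    cwe_id: str        # real CWE identifier (cwe.mitre.org)
    name: str
    sink: str          # regex for the dangerous call; ends at its '(' when needs_taint
    needs_taint: bool  # report only when user-controlled data reaches the sink


# Hypothetical enumeration entries (assumed, for illustration).
WEAKNESSES = (
    Weakness("CWE-78", "OS Command Injection", r"Runtime\.getRuntime\(\)\.exec\(", True),
    Weakness("CWE-89", "SQL Injection", r"\.(?:execSQL|rawQuery)\(", True),
    Weakness("CWE-798", "Use of Hard-coded Credentials",
             r'(?i)\b(?:password|passwd|apikey)\s*=\s*"[^"]+"', False),
)

# Calls whose result an event handler receives from the user (assumed list).
TAINT_SOURCES = (r"\.getText\(\)", r"getIntent\(\)\.getStringExtra\(")

ASSIGN_RE = re.compile(r"^\s*(?:[\w<>\[\]]+\s+)?(\w+)\s*=\s*(.+);\s*$")
# A method header such as "public void onClick(View v) {"; control-flow blocks excluded.
METHOD_START_RE = re.compile(
    r"^\s*(?!(?:if|else|for|while|switch|catch)\b)(?:\w+\s+)+\w+\s*\([^)]*\)\s*\{\s*$")


def first_argument(args: str) -> str:
    """Text of the first call argument, given the text after the opening '('.
    Tracks nested brackets and double-quoted literals (no escape handling)."""
    depth, in_str = 0, False
    for i, ch in enumerate(args):
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch in "([{":
                depth += 1
            elif ch in ")]}":
                if depth == 0:
                    return args[:i]
                depth -= 1
            elif ch == "," and depth == 0:
                return args[:i]
    return args


def analyze(source: str):
    """Return [(line_no, cwe_id, name)] for every weakness pattern that fires."""
    findings, tainted = [], set()
    for line_no, line in enumerate(source.splitlines(), 1):
        if METHOD_START_RE.search(line):
            tainted = set()            # taint state is tracked per handler
            continue
        m = ASSIGN_RE.match(line)
        if m:
            var, expr = m.groups()
            from_source = any(re.search(s, expr) for s in TAINT_SOURCES)
            from_tainted = any(re.search(rf"\b{t}\b", expr) for t in tainted)
            if from_source or from_tainted:
                tainted.add(var)
            else:
                tainted.discard(var)   # a clean reassignment clears the taint
        for w in WEAKNESSES:
            s = re.search(w.sink, line)
            if not s:
                continue
            if not w.needs_taint:
                findings.append((line_no, w.cwe_id, w.name))
                continue
            arg = first_argument(line[s.end():])
            if any(re.search(rf"\b{t}\b", arg) for t in tainted):
                findings.append((line_no, w.cwe_id, w.name))
    return findings


# Constructed Java-like event handlers: two weak, one using a parameterised query.
SAMPLE_SOURCE = """\
public void onClick(View v) {
    String name = nameField.getText().toString();
    String password = "hunter2";
    db.execSQL("DELETE FROM users WHERE name='" + name + "'");
}

public void onSearch(View v) {
    String q = searchField.getText().toString();
    db.rawQuery("SELECT * FROM items WHERE title = ?", new String[]{q});
}

public void onPing(View v) {
    String host = hostField.getText().toString();
    Runtime.getRuntime().exec("ping -c 1 " + host);
}
"""

if __name__ == "__main__":
    for line_no, cwe_id, name in analyze(SAMPLE_SOURCE):
        print(f"line {line_no}: {cwe_id} {name}")
```

The scan reports the hard-coded password, the string-concatenated `execSQL` and the `exec` built from a text field, and stays quiet on `onSearch`, where the user value only appears in the argument array rather than in the query text. The heuristic is deliberately conservative and line-based: it does not follow taint across method calls or fields, so a real analyzer would need a proper parser and interprocedural data flow.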