Static Analysis of Cordova Apps

Apache Cordova is a widely used framework for writing mobile apps that follows the “hybrid app” paradigm. A hybrid app is a mobile app that is partly implemented in platform-neutral HTML5/JavaScript and partly in platform-specific languages (e.g., Java or Objective-C).

Static (dataflow) analysis of hybrid apps that covers both the platform-independent and the platform-specific parts in a unified way (e.g., for finding injection vulnerabilities that cross the JavaScript/native boundary) is an unsolved problem.

Data Science for Secure Software Engineering

Analyzing data is an important part of evaluating the effectiveness and efficiency of activities to improve the security of software or to understand the security risk of software systems. Thus, everybody involved in secure software development should have at least a basic understanding of data science techniques.

If you want to learn more about using data science for analyzing your secure software development process, have a look at our book chapter on “Data Analytics for Software Security” [1].

End-to-End Secure Service Compositions

During the development of software systems, security is often understood as a task for specialists. This is unfortunate, as today any system needs to fulfill a large variety of security (and privacy) properties, many of which rely on input from domain experts who are often not security experts. To support security-interested developers of service-based systems (e.g., systems built from micro-services), we developed a tool-supported, model-based approach that captures and analyzes security properties at the level of composition models. Moreover, our approach supports “pushing security requirements” down to the implementation level, supporting developers in implementing the services securely.

Did You Patch Your Light Bulb Today?

More and more of the devices we buy today are “smart”, i.e., they can be connected to the Internet. Many experts expect that by 2020, over 50 billion (smart) things will be connected to the Internet. Technically, a smart device contains a small computer that runs software and, as we all know from our daily experience, software often has bugs that can lead to security vulnerabilities. In 2016, a botnet called Mirai targeted smart home devices and used them to attack a domain registration service provider. This resulted in the unavailability of well-known services such as Google or GitHub for a large number of users.

It's More Than One - Monero Mining Chrome Extensions

In the last few days, a researcher discovered that the SafeBrowse Chrome extension uses the computers of its users to mine Monero (an alternative cryptocurrency similar to Bitcoin). With over 140000 users, this is most likely the most popular (and probably the first) Chrome extension mining a cryptocurrency without users’ consent. It is not the only one …

Hybrid Apps - From Security Challenges to Secure Development

Cross-platform frameworks, such as Apache Cordova, are becoming increasingly popular. They promote the development of hybrid apps that combine native, i.e., system-specific, code with system-independent code, e.g., HTML5/JavaScript. Combining native with platform-independent code opens Pandora’s box: all the security risks of native development are multiplied by the security risks of web applications.