Mobile Software Assurance Informed through Knowledge Graph Construction: The OWASP Threat of Insecure Data Storage
Abstract: Many organizations, to save costs, are moving to the Bring Your Own Mobile Device (BYOD) model and are adopting applications built by third parties at an unprecedented rate. Our research examines software assurance methodologies, focusing specifically on the security analysis coverage of program analysis for mobile malware detection, mitigation, and prevention. This research focuses on the secure software development of Android applications by developing knowledge graphs for threats reported by the Open Web Application Security Project (OWASP). OWASP maintains lists of the top ten security threats to web and mobile applications. We develop knowledge graphs based on the two most recent top ten threat years and show how the knowledge graph relationships can be discovered in mobile application source code. We analyze 200+ healthcare applications from GitHub to understand the software assurance of their developed software with respect to one of the OWASP top ten mobile threats, the threat of “Insecure Data Storage.” We find that many of the applications store personally identifying information (PII) in potentially vulnerable places, leaving users exposed to a higher risk of losing their sensitive data.
Keywords: Cybersecurity, Secure software development, Penetration testing, Risk assessment
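To illustrate how storage relationships of the kind the abstract describes can be discovered in source code, the following Python scanner is an added example, not code from the paper: it extracts knowledge-graph style triples (storage API, mode, location, PII key) from a constructed Java fragment and reports PII written to a location other apps can read. The Java fragment, the PII key list, the variable names `prefs`, `values` and `db`, and the rule that a world-readable mode or external storage counts as readable by other apps are assumptions of the example.

```python
import re

# Constructed Android/Java fragment standing in for one app's source; not from the paper's dataset.
SAMPLE_SOURCE = """
SharedPreferences prefs = getSharedPreferences("user", Context.MODE_WORLD_READABLE);
prefs.edit().putString("ssn", patientSsn).apply();
FileOutputStream out = openFileOutput("notes.txt", Context.MODE_PRIVATE);
File f = new File(Environment.getExternalStorageDirectory(), "dob.csv");
values.put("email", userEmail);
db.insert("patients", null, values);
"""

# Storage sinks (real Android APIs). Each regex captures (location, mode); the empty group
# supplies a blank mode for APIs that take none.
SINKS = [
    (r'getSharedPreferences\(\s*"([^"]+)"\s*,\s*Context\.(MODE_\w+)', "SharedPreferences"),
    (r'openFileOutput\(\s*"([^"]+)"\s*,\s*Context\.(MODE_\w+)', "InternalFile"),
    (r'getExternalStorageDirectory\(\)\s*,\s*"([^"]+)"()', "ExternalStorage"),
    (r'\.insert\(\s*"([^"]+)"()', "SQLite"),
]
# Heuristic key-value writes feeding each sink (variable names are assumptions of this example).
PII_WRITES = [
    (r'\.edit\(\)\.put\w+\(\s*"(\w+)"', "SharedPreferences"),
    (r'\bvalues\.put\(\s*"(\w+)"', "SQLite"),
    (r'new File\(.*?,\s*"(\w+)\.\w+"\)', "ExternalStorage"),
]
PII_KEYS = {"ssn", "email", "dob", "phone", "address"}          # constructed list
# MODE_WORLD_* are deprecated Android constants; pre-scoped-storage external storage was app-readable.
WORLD_MODES = {"MODE_WORLD_READABLE", "MODE_WORLD_WRITEABLE"}

def build_graph(source):
    """Return (subject, relation, object) triples: the knowledge-graph edges found in source."""
    triples = set()
    for pattern, storage in SINKS:
        for location, mode in re.findall(pattern, source):
            triples.add((storage, "storesAt", location))
            if mode:
                triples.add((storage, "hasMode", mode))
            if mode in WORLD_MODES or storage == "ExternalStorage":
                triples.add((storage, "readableBy", "OtherApps"))
    for pattern, storage in PII_WRITES:
        for key in re.findall(pattern, source):
            if key.lower() in PII_KEYS:
                triples.add((storage, "stores", "PII:" + key.lower()))
    return triples

def insecure_pii(triples):
    """PII stored where other apps can read it: the Insecure Data Storage relationship."""
    exposed = {s for s, r, o in triples if r == "readableBy" and o == "OtherApps"}
    return sorted((s, o) for s, r, o in triples if r == "stores" and s in exposed)
```

Running `insecure_pii(build_graph(SAMPLE_SOURCE))` flags the SSN in world-readable SharedPreferences and the date of birth on external storage, while the private internal file and the SQLite row are not reported as exposed by this rule.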
Copyright (c) 2020 Author(s)
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.