An Economic Study of the Effect of Android Platform Fragmentation on Security Updates

Vendors in the Android ecosystem typically customize their devices by modifying Android Open Source Project (AOSP) code, adding in-house developed proprietary software, and pre-installing third-party applications. However, research has documented how various security problems are associated with this customization process. We develop a model of the Android ecosystem utilizing the concepts of game theory and product differentiation to capture the competition involving two vendors customizing the AOSP platform. We show how the vendors are incentivized to differentiate their products from AOSP and from each other, and how prices are shaped through this differentiation process. We also consider two types of consumers: security-conscious consumers who understand and care about security, and na\"ive consumers who lack the ability to correctly evaluate security properties of vendor-supplied Android products or simply ignore security. It is evident that vendors shirk on security investments in the latter case. Regulators such as the U.S. Federal Trade Commission have sanctioned Android vendors for underinvestment in security, but the exact effects of these sanctions are difficult to disentangle with empirical data. Here, we model the impact of a regulator-imposed fine that incentivizes vendors to match a minimum security standard. Interestingly, we show how product prices will decrease for the same cost of customization in the presence of a fine, or a higher level of regulator-imposed minimum security.Comment: 22nd International Conference on Financial Cryptography and Data Security (FC 2018

Caveats in Eliciting Mobile App Requirements

Factors such as app stores or platform choices heavily affect functional and non-functional mobile app requirements. We surveyed 45 companies and interviewed ten experts to explore how factors that impact mobile app requirements are understood by requirements engineers in the mobile app industry. We observed a lack of knowledge in several areas. For instance, we observed that all practitioners were aware of data privacy concerns, however, they did not know that certain third-party libraries, usage aggregators, or advertising libraries also occasionally leak sensitive user data. Similarly, certain functional requirements may not be implementable in the absence of a third-party library that is either banned from an app store for policy violations or lacks features, for instance, missing desired features in ARKit library for iOS made practitioners turn to Android. We conclude that requirements engineers should have adequate technical experience with mobile app development as well as sufficient knowledge in areas such as privacy, security and law, in order to make informed decisions during requirements elicitation.Comment: The 24th International Conference on Evaluation and Assessment in Software Engineering (EASE 2020

Human Factors in Secure Software Development

While security research has made significant progress in the development of theoretically secure methods, software and algorithms, software still comes with many possible exploits, many of those using the human factor. The human factor is often called ``the weakest link'' in software security. To solve this, human factors research in security and privacy focus on the users of technology and consider their security needs. The research then asks how technology can serve users while minimizing risks and empowering them to retain control over their own data. However, these concepts have to be implemented by developers whose security errors may proliferate to all of their software's users. For example, software that stores data in an insecure way, does not secure network traffic correctly, or otherwise fails to adhere to secure programming best practices puts all of the software's users at risk. It is therefore critical that software developers implement security correctly. However, in addition to security rarely being a primary concern while producing software, developers may also not have extensive awareness, knowledge, training or experience in secure development. A lack of focus on usability in libraries, documentation, and tools that they have to use for security-critical components may exacerbate the problem by blowing up the investment of time and effort needed to "get security right". This dissertation's focus is how to support developers throughout the process of implementing software securely. This research aims to understand developers' use of resources, their mindsets as they develop, and how their background impacts code security outcomes. Qualitative, quantitative and mixed methods were employed online and in the laboratory, and large scale datasets were analyzed to conduct this research. This research found that the information sources developers use can contribute to code (in)security: copying and pasting code from online forums leads to achieving functional code quickly compared to using official documentation resources, but may introduce vulnerable code. We also compared the usability of cryptographic APIs, finding that poor usability, unsafe (possibly obsolete) defaults and unhelpful documentation also lead to insecure code. On the flip side, well-thought out documentation and abstraction levels can help improve an API's usability and may contribute to secure API usage. We found that developer experience can contribute to better security outcomes, and that studying students in lieu of professional developers can produce meaningful insights into developers' experiences with secure programming. We found that there is a multitude of online secure development advice, but that these advice sources are incomplete and may be insufficient for developers to retrieve help, which may cause them to choose un-vetted and potentially insecure resources. This dissertation supports that (a) secure development is subject to human factor challenges and (b) security can be improved by addressing these challenges and supporting developers. The work presented in this dissertation has been seminal in establishing human factors in secure development research within the security and privacy community and has advanced the dialogue about the rigorous use of empirical methods in security and privacy research. In these research projects, we repeatedly found that usability issues of security and privacy mechanisms, development practices, and operation routines are what leads to the majority of security and privacy failures that affect millions of end users

Systemic Efficiencies in Competition Law: Evidence from the ICT Industry

This article introduces the concept of systemic efficiencies, traces its theoretical underpinnings in economics, management and technology, and applies it to recent high profile cases. Systemic efficiencies occur in large complex systems through the interaction of multiple distributed components, a process which is commonly coordinated by an entity that can exercise pervasive control over the components and their interactions. This type of extensive control can manifest itself as potentially anticompetitive practices, like tying, refusal to deal and full line forcing, causing the reaction of competition authorities. However, at the same time, systemic efficiencies can have significant benefits that cannot be generated by smaller scale, simpler, more isolated efficiencies, and are therefore of great interest to society, and of high redeeming value as antitrust defence to the introducing entities. To demonstrate how systemic efficiencies and their benefits materialize in practice this article also discusses two series of cases: the recent IBM mainframes cases in the US and the US, and the ongoing Google Android cases in the US and the EU. Both cases belong in the ICT industry, which is frequently said to consist of paradigmatic examples of large complex systems that can give rise to systemic efficiencies

More Competitive Search Through Regulation

This paper identifies a set of possible regulations that could be used both to make the search market more competitive and simultaneously ameliorate the harms flowing from Google's current monopoly position. The purpose of this paper is to identify conceptual problems and solutions based on sound economic principles and to begin a discussion from which robust and specific policy recommendations can be drafted

Effective memory management for mobile environments

Smartphones, tablets, and other mobile devices exhibit vastly different constraints compared to regular or classic computing environments like desktops, laptops, or servers. Mobile devices run dozens of so-called “apps” hosted by independent virtual machines (VM). All these VMs run concurrently and each VM deploys purely local heuristics to organize resources like memory, performance, and power. Such a design causes conflicts across all layers of the software stack, calling for the evaluation of VMs and the optimization techniques specific for mobile frameworks. In this dissertation, we study the design of managed runtime systems for mobile platforms. More specifically, we deepen the understanding of interactions between garbage collection (GC) and system layers. We develop tools to monitor the memory behavior of Android-based apps and to characterize GC performance, leading to the development of new techniques for memory management that address energy constraints, time performance, and responsiveness. We implement a GC-aware frequency scaling governor for Android devices. We also explore the tradeoffs of power and performance in vivo for a range of realistic GC variants, with established benchmarks and real applications running on Android virtual machines. We control for variation due to dynamic voltage and frequency scaling (DVFS), Just-in-time (JIT) compilation, and across established dimensions of heap memory size and concurrency. Finally, we provision GC as a global service that collects statistics from all running VMs and then makes an informed decision that optimizes across all them (and not just locally), and across all layers of the stack. Our evaluation illustrates the power of such a central coordination service and garbage collection mechanism in improving memory utilization, throughput, and adaptability to user activities. In fact, our techniques aim at a sweet spot, where total on-chip energy is reduced (20–30%) with minimal impact on throughput and responsiveness (5–10%). The simplicity and efficacy of our approach reaches well beyond the usual optimization techniques

Open Source, Modular Platforms, and the Challenge of Fragmentation

Open source and modular platforms represent two powerful conceptual paradigms that have fundamentally transformed the software industry. While generally regarded complementary, the freedom inherent in open source rests in uneasy tension with the strict structural requirements required by modularity theory. In particular, third party providers can produce noncompliant components, and excessive experimentation can fragment the platform in ways that reduce its economic benefits for end users and app providers and force app providers to spend resources customizing their code for each variant. The classic solutions to these problems are to rely on some form of testing to ensure that the components provided by third parties comply with a compatibility standard and to subject the overall system to some form of governance. The history of the three leading open source operating systems (Unix, Symbian, and Linux) confirms this insight. The question is thus not whether some constraints will apply, but rather how restrictive those constraints will be. Finally, the governance regimes range from very restrictive to relatively open and permissive. Competition policy authorities should take into account where certain practices fall along that spectrum when enforcing competition law. Exposing the more permissive practices to demanding scrutiny runs the risk of causing operating systems to turn to more restrictive approaches

The effect of open-source software technologies in health-tech startups

Abstract. The research investigates how open-source technology improves product efficiency and identifies the challenges encountered by startups when introducing open-source software technologies in the startups. The semi-structured interviews were conducted with healthcare startups based in Oulu. Thematic data analysis was performed to analyse the collected data and identified common themes and sub-themes to the research objective