Weir, Charles and Rashid, Awais and Noble, James (2017) How to Improve the Security Skills of Mobile App Developers : An Analysis of Expert Knowledge. Masters thesis, Lancaster University.
2017weirmbr.pdf - Published Version
Available under License Creative Commons Attribution-NoDerivs.
Abstract
Much of the world relies heavily on apps. Increasingly those apps handle sensitive information: controlling our financial transactions, enabling our personal communication and holding intimate details of our lives. So the security of those apps is becoming increasingly vital. Yet research shows that those apps contain frequent security and privacy problems, and that almost all of these issues could have been avoided had the developers had sufficient motivation, support and knowledge. This lack of developer knowledge and support is widely perceived as a major threat. We therefore investigated the skills, approach and motivation required of developers. We conducted a Constructivist Grounded Theory study, involving face-to-face interviews with a dozen experts whose cumulative experience totalled over 100 years of secure app development, to develop theory on secure development techniques. The study identified that the subdiscipline of app development security is still at an early stage, and found surprising discrepancies between current industry understanding and the experts’ recommendations. In particular it found that a secure development process tends not to appeal to app developers, and that the approach of identifying common types of security problems is too limited to give an effective security solution. Instead we identified a set of successful techniques we call ‘Dialectical Security’, where ‘dialectic’ means learning by questioning. These techniques use dialogue with a range of counterparties to achieve app security in an effective and economical way. The security increase comes from continued dialogue, not passive learning. The novel contribution of our work is to provide a grounded theory of secure app development that challenges conventional processes and checklists, and a shift in perspective from process to dialectic.
Only by working to develop the Dialectical Security skills of app developers shall we begin to see the kinds of secure apps we need to combat crime and privacy invasions.