Mitigating Bring Your Own Device Risks by Static Analysis Empowered by Knowledge Graphs from Open Web Application Security Project

Suzanna Schmeelk, Pace University

Abstract

Many organizations, to save costs, are moving to Bring Your Own Mobile Device (BYOD). In these scenarios, organizations have a Mobile Device Management (MDM) system in place. MDM solutions lower cyber security risks by providing remote wipe procedures, geo-location fencing, among others. However, MDM systems are not yet focused on application-level security with a fine-level of granularity. MDM systems currently may not monitor for data loss prevention (DLP), or even standard web-application vulnerabilities that a penetration tester would examine. In addition, organizations around the world are adopting applications built by third-parties at an unprecedented rate. This research contributes an examination of mobile application security through the construction of a knowledge graph for the OWASP Top 10 2014 and 2016 threats. The knowledge graph contribution links threats from the different years to show changes in time and to help determine security changes over time. Currently, only the National Institute of Standards and Technology (NIST) Bug Framework has built any such graph representation to inform analysis. This high-level graphic shows potential vulnerabilities such as the insecure storage of sensitive data and insufficient cryptography, which depending on how the code is utilized can occur heavy fines for the mismanagement of sensitive information. This research then contributes how specific mobile device source code, specifically Android in this research, can useful to inform static analysis. In this research we focus on source code analysis; however, the knowledge-graph can be connected to byte code or entirely other mobile device application languages such as Swift, JavaScript, and C/C++. We then make a contribution to analyze over 200 healthcare Android applications source code from GitHub to learn what, if any, security concerns are being deployed to improve secure source code development for sensitive data. Some of the applications analyzed collect highly sensitive information such a body weight, body signals (e.g. blood pressure, temperature), obstetrics/gynecology measurements, mental health measurements, among others. Specifically, in this research, we analyzed applications for components of the constructed-knowledge graphs, specifically, components of the confidentiality and integrity of their sensitive information. As our world moves more-and-more to the edges with the Internet of Things and mobile application development, security concerns and the storage and transmission of sensitive data is becoming a serious concern. In fact, recent regulatory changes are occurring at unprecedented rates with adoptions of new laws at local, national and international levels. Having a clearer picture of security on our mobile devices is now an industry necessity.

Subject Area

Computer science

Recommended Citation

Schmeelk, Suzanna, "Mitigating Bring Your Own Device Risks by Static Analysis Empowered by Knowledge Graphs from Open Web Application Security Project" (2020). ETD Collection for Pace University. AAI27961049.
https://digitalcommons.pace.edu/dissertations/AAI27961049

Share

COinS

Remote User: Click Here to Login (must have Pace University remote login ID and password. Once logged in, click on the View More link above)