Empowering the Experts
Towards a Secure and Trustworthy Software Ecosystem
Dominik Wermke
Security & Privacy Researcher
CISPA Helmholtz Center for Information Security
Usable Security & Privacy
If it's not the user's fault ...
  • Log4Shell vulnerability
  • Heartbleed, Cloudbleed
  • Shellshock vulnerability, Bashdoor

... is it the developer's fault?
Usable Security & Privacy for Developers
How can we help ...
  • Developers
  • Administrators
  • Team Leads
  • ...

Research Goal

Empowering and enabling software experts to develop and deploy secure, privacy-respecting, and trustworthy software.

Why Experts?

  • Users
  • Administrators
  • Maintainers
  • Developers
  • Project Leads
Why Experts?

  • 1,000,000s of end users
  • 1000s of deployments
  • 100s of lines of code
  • 10s of projects

Experts but not Security Experts

(Headline screenshots: The New Stack; Ars Technica, 2023-01-05; Tech Monitor, 2023-01-03)

Experts as Weakest Link

Companies spend millions of dollars on firewalls and secure access devices, and it's money wasted because none of these measures address the weakest link in the security chain:

the people who use, administer and operate computer systems
~ Kevin Mitnick

Technology Only Can't Solve The Problem

The company said intruders had gained access to its cloud database and obtained a copy of the data vaults of tens of millions of customers by using credentials and keys stolen from a LastPass employee.
New York Times, 2023-01-05

Given 89 scenarios, about 40 per cent of the computer programs made with the help of Copilot had potentially exploitable vulnerabilities.
The Register

My Approach

Towards enabling experts to deploy secure, privacy-respecting, and trustworthy software

Methods I utilized

Populations I work with

Full-Stack Human-Centered Security Researcher

Full-Stack

  • Study Environments
    [SOUPS 22], [CSET 17], [SOUPS 17]
  • A/B Software examples
    [SOUPS 21b], [ACSAC 18], [SOUPS 18], [CCS 17]
  • Large-scale data analysis
    [Sec 21], [SOUPS 21a], [SOUPS 21b], [ACSAC 18]

Research Outline


Committed to Trust
Wermke et al.
IEEE S&P 2022
Distinguished Paper Award

A Large Scale Investigation of Obfuscation Use in Google Play
Wermke et al.
ACSAC 2018

Cloudy with a Chance of Misconceptions
Wermke et al.
SOUPS 2020

Open Source & Supply Chain

[S&P 22]
[Sec 21]
[SOUPS 17]
2 Ongoing

Supporting Developers

[ACSAC 18]
[SOUPS 18]
[CCS 17]
1 Ongoing

User Insights & Perceptions

[SOUPS 20]
[SOUPS 21a]
[SOUPS 21b]
[S&P 22], [Sec 21], [SOUPS 17], 2 Ongoing

Open Source

Open Source Software

Open Source Supply Chain

Open Source code appears as foundation, glue, or during the build process in many software projects.


Adapted from xkcd 2347

Incident: FakerJS
Nov 2020
Respectfully, I am no longer going to support Fortune 500s ( and other smaller sized companies ) with my free work.
There isn't much else to say.

Take this as an opportunity to send me a six figure yearly contract or fork the project and have someone else work on it.
Incident: Protestware node-ipc
Mar 2022

Committed to Trust

A Qualitative Study on Security & Trust in Open Source Software Projects

IEEE S&P 2022
Distinguished Paper Award

Research Questions

  • RQ1:
    How are open source projects structured behind-the-scenes?
  • RQ2:
    If and what guidance and policies are provided by open source projects?
  • RQ3:
    How do open source projects approach security and trust challenges?

Interviews

27 Participants

Findings

Security
Trust
Processes

Security


Past Incidents

Security incidents encountered in the past:
None (16) --- Some / Other (11)

Past Challenges

Most commonly encountered security challenges
(that did not necessarily result in an incident)
  • (15) Suspicious or low quality commits
  • (8) Vulnerability introduced by dependencies
[T]here’s definitely been people that have intentionally tried to put malicious code in projects, but it’s always very easy to spot immediately. It’s like those spam emails where they have bad grammar and stuff
Summary

Security

  • Few projects have experienced an outright security incident
  • Many of our participants were familiar with suspicious or low quality commits and potential vulnerabilities introduced by dependencies

Trust


Trust Incidents

Trust incidents encountered in the past:
None (20) --- Some / Other (7)

Trust Incidents

Trust incidents encountered in the past:
  • Drive-by cryptocurrency miner commits
  • Failed background checks
  • Pro-active block after potential SSH key theft
Summary

Trust Processes

  • Most use some form of meritocracy for establishing trust with new contributors.
  • Some even assume trustworthiness by default to facilitate first-time contributions.
  • The majority never experienced a trust incident in their projects and did not establish specific trust incident strategies.

Processes


Guidance

Most mentioned guidances
  • (14) Guidance for contributing to the project
  • (13) Programming language-specific guidance
  • (8) General guidance for project setup and infrastructure

Guidance

Somebody would have to write the guide, and I am the only one who can write it. I mean, there is nobody paid to write it and I am also not paid to write it.
Summary

Guidance & Policies

  • Participants diverge on their opinions regarding the helpfulness of (written) guidance
  • Security policies: larger projects mentioned dedicated security teams, smaller projects mentioned a security contact channel
  • Most projects included some type of disclosure policy or at least contact for security issues
Summary

Committed To Trust

  • Projects are highly diverse in deployed security measures, trust processes, motivations
  • Growing scope and contributors → growing needs for security and trust processes
  • Smaller projects handle security and trust incidents "as they happen"
Additional Work
  • Open Source & Software Supply Chain
    • Industry
      • Security Challenges in the Open Source Supply Chain
      • Security in SMEs [Sec 21]
    • Artifact Security
      • Reproducible Builds
    • Research Validity
      • Security Studies with GitHub Users [SOUPS 17]
[Under Submission]

Security Challenges in the Open Source Supply Chain



Other side of the open source supply chain
  • 25 in-depth interviews with devs, architects, and engineers from industry projects
  • Processes, decisions, and considerations around external open source code

"Not Your Average Supply Chain"

For companies:
  • Treating the open source ecosystem as a typical supply chain might result in bad surprises, miscommunications, and bad publicity
  • Instead support utilized open source components by donating, e.g., money, developer-hours, knowledge, or code
  • Follow the guideline of always contributing back
[Sec 21]

Information Security in SMEs

  • Part of a larger research project funded by the German government
  • 5,000 computer-assisted telephone-interviews with representatives of small and medium enterprises
  • Found differences in reported cybercrime incidents between enterprises based on their industry sector, company size, and security awareness
  • Enabled stakeholders to more directly identify and target security shortcomings depending on the type of enterprise
[Under Submission]

Reproducible Builds

To what extent should one trust a statement that a program is free of Trojan horses?
Perhaps it is more important to trust the people who wrote the software.
~ Ken Thompson
[Under Submission]

Reproducible Builds

  • Reproducible Builds provide a defense against attacks on build systems by ensuring bit-for-bit identical build artifacts
  • 24 semi-structured expert interviews with participants from the ReproducibleBuilds.org project
  • We identify experiences that help and hinder adoption, which heavily include communication with upstream projects
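The property the bullets above rely on is that two independent builders produce byte-identical artifacts, and that any difference is explained rather than silently accepted. The following example is added here to illustrate that check; it is not tooling from the Reproducible Builds project or from the interview study. It stands in a packaging step with Python's zipfile module, uses constructed entry data, and treats the build-time clock as the source of non-determinism; the pinned timestamp plays the role of the SOURCE_DATE_EPOCH convention.

```python
import hashlib
import io
import zipfile

# Constructed inputs standing in for compiled build outputs (not real artifacts).
SOURCES = [
    ("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
    ("classes.dex", b"dex\n035\x00" + bytes(range(64))),
]

# Two wall-clock times, as two independent builders would see them.
CLOCK_BUILDER_A = (2022, 5, 23, 12, 0, 0)
CLOCK_BUILDER_B = (2022, 5, 24, 9, 30, 0)
# A pinned timestamp (the SOURCE_DATE_EPOCH idea): identical on every builder.
PINNED_TIMESTAMP = (1980, 1, 1, 0, 0, 0)


def build_archive(entries, timestamp):
    """Stand-in for a packaging step: zip the entries, stamping each with `timestamp`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            info = zipfile.ZipInfo(name, date_time=timestamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def compare_artifacts(a, b):
    """Byte-identical? If not, explain per entry whether content or only metadata differs."""
    if sha256(a) == sha256(b):
        return {"reproducible": True, "diffs": []}
    za, zb = zipfile.ZipFile(io.BytesIO(a)), zipfile.ZipFile(io.BytesIO(b))
    names_a, names_b = set(za.namelist()), set(zb.namelist())
    diffs = []
    for name in sorted(names_a | names_b):
        if name not in names_a or name not in names_b:
            diffs.append((name, "missing in one build"))
        elif za.read(name) != zb.read(name):
            # Same sources, different bytes: this is the case a compromised builder produces.
            diffs.append((name, "content differs"))
        elif za.getinfo(name).date_time != zb.getinfo(name).date_time:
            diffs.append((name, "only metadata (timestamp) differs"))
    return {"reproducible": False, "diffs": diffs}


def check_with_builder_clocks():
    """Two builders, same sources, their own clocks: the artifacts disagree."""
    return compare_artifacts(build_archive(SOURCES, CLOCK_BUILDER_A),
                             build_archive(SOURCES, CLOCK_BUILDER_B))


def check_with_pinned_timestamp():
    """Same sources with the timestamp pinned: the artifacts are byte-identical."""
    return compare_artifacts(build_archive(SOURCES, PINNED_TIMESTAMP),
                             build_archive(SOURCES, PINNED_TIMESTAMP))


if __name__ == "__main__":
    print(check_with_builder_clocks())
    print(check_with_pinned_timestamp())
```

The entry-by-entry report is what makes the check actionable: a timestamp-only difference is a build-system hygiene issue to fix upstream, while a content difference between two honest builders is exactly the signal that something in one build environment inserted what the sources did not.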
[SOUPS 17]

Security Studies on GitHub

  • Investigating how GitHub users perform when working on security-related tasks
  • Experiment with 307 GitHub users solving security-relevant programming tasks
  • We found that if overall experience is controlled for, students and professionals on GitHub can be recruited for studying usable security and privacy problems
Takeaways

Open Source & Supply Chain

  • Community of Communities → Not one size fits all
  • Open Source is not your typical supply chain
  • Always contribute back
Recap
  • Usable Security for Experts
  • Research Outline
    • Empowering stakeholders by tackling the hard problems of security and trust in the (open source) software supply chain

[ACSAC 18], [CCS 17], [SOUPS 18], 1 Ongoing

Supporting Developers

Usable Security & Privacy
Usable Security & Privacy for Developers

Android Developers

  • One of the largest app ecosystems with billions of downloads annually
  • Key population for delivering more secure and privacy-respecting apps to millions of end-users

A Large Scale Investigation of Obfuscation Use in Google Play

ACSAC 2018

Decompiling Apps

  • Decompiling Apps: Fairly straightforward on Android
  • Obfuscation: Used to prevent or slow down reverse engineering

Security Through Obscurity?

  • Yes, don't use obfuscation for hiding security implementation details
  • But: First line of defense against app repackaging and phishing attempts by novice attackers

Basic Obfuscation


    // decompiled listing: class, field and parameter names reduced to single letters
    public class a {
        private int a;
        public a(int b);
    }

    [01:23] [com.example.android.a.a.a ??:??]:
    "Failed to parse input at 'b.a'"

Unobfuscated Snippet


    // Print "Hello World"
    class HelloWorld {
        public static void main(String[] args) {
            System.out.println("Hello, World!");
        }
    }

Anti-Reverse Engineering


    // id:c114
    class HelloWorld {
        public static void main(String[] args) {
            if (!binaryExists("/sbin/su")) {   // simple root-detection check
                System.out.println("Hello, World!");
            }
        }
        // Helper assumed by the snippet: true if the given path exists on the device
        static boolean binaryExists(String path) {
            return new java.io.File(path).exists();
        }
    }

String Encryption


    // Print "IO_h6M=FC[PEe4qoR_43aQ0M/\dpam"
    class HelloWorld {
        public static void main(String[] args) {
            // decrypt() is the obfuscator's runtime routine that restores the original literal
            System.out.println(
                decrypt("IO_h6M=FC[PEe4qoR_43aQ0M/\\dpam")   // "\\" escapes the backslash in Java
            );
        }
    }

Full App Encryption


    exec(decrypt("""8Kp{#MymA2wfs59{q_yNl?=a
    E_vTZkCGK#=5Bm9:TovQUZv?un^-|kYf5?+*e
    8o\nj67?&2APKhkEa[CvQ2e4=nZVv5z2VM2vQ
    YuOK~b)y`aBW\|qAUU&J?WJ3JBEHvleR95[a
    L''c:d)HRRI^%F_r4gz~K`My[yHW$]1S}$QM@
    /^JNneQ3.OfzPRPy0O*b&~0!cXfO[^(H1iPma
    `3E)\6Wnx1^SBG_Ohq|Y6D(9b\cP^87\(VHB"""
    ))

Research Questions

  • RQ1:
    How many apps are obfuscated and what techniques are used?
  • RQ2:
    What are developers' awareness, threat models, experiences, and attitudes about obfuscation?
  • RQ3:
    How usable is the leading obfuscation tool ProGuard?

Approach

  1. Large-scale analysis (1.7M apps)
  2. Online developer survey (308 valid part.)
  3. Task-based follow-up study (70 part.)

Large-scale Analysis

  • Static analysis using a self-written tool
  • 1.7M apps from Play Store
  • Identifies different obfuscation features
  • Analysis linked to store metadata
RQ1: How many apps are obfuscated and what techniques are used?
  • Obfuscation rate low (24.92%)
  • ProGuard most used tool by far
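As an illustration of what "identifies different obfuscation features" involves, the following example is added here; it is not the study's analysis tool. It applies one feature heuristic, ProGuard-style identifier renaming, to a constructed list of class names and scores only the app's main package (the package listed in the store metadata), because bundled libraries often arrive pre-obfuscated and would otherwise be counted as the developer's own decision. The library prefixes and the 50% threshold are assumptions of this example.

```python
import re

# Constructed sample of fully-qualified class names, as they could be read from an
# APK's classes.dex. The names are made up for this example, not study data.
SAMPLE_CLASSES = [
    "com.example.app.MainActivity",
    "com.example.app.net.ApiClient",
    "com.example.app.a.a.a",
    "com.example.app.a.b",
    "com.example.app.b.c.d",
    "com.google.android.gms.common.api.Status",   # bundled library, not the app's own code
    "android.support.v4.app.Fragment",            # bundled library
    "com.other.vendor.a.b.c",                     # third-party code that ships renamed
]

# Library prefixes never attributed to the app itself (assumed list for this example).
LIBRARY_PREFIXES = ("com.google.", "android.support.", "com.facebook.")

# ProGuard-style renamed identifiers: one or two lowercase letters ("a", "b", "aa").
RENAMED = re.compile(r"^[a-z]{1,2}$")


def is_library(fqcn):
    return fqcn.startswith(LIBRARY_PREFIXES)


def simple_name(fqcn):
    return fqcn.rsplit(".", 1)[-1]


def own_classes(classes, main_package):
    """The app's own classes: inside the store-listed package, excluding bundled libraries."""
    return [c for c in classes if c.startswith(main_package + ".") and not is_library(c)]


def analyse(classes, main_package):
    """Estimate whether the main package was run through an identifier-renaming obfuscator."""
    own = own_classes(classes, main_package)
    renamed = [c for c in own if RENAMED.match(simple_name(c))]
    ratio = len(renamed) / len(own) if own else 0.0
    return {
        "own_classes": len(own),
        "renamed_classes": len(renamed),
        "renamed_ratio": ratio,
        # The threshold is an assumption of this example, not the study's definition.
        "main_package_obfuscated": ratio >= 0.5,
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_CLASSES, "com.example.app"))
```

Restricting the score to the main package is the design choice that matters: the same heuristic applied to the whole APK would flag almost every app that bundles a renamed SDK, which is why the popularity table at the end of this deck reports obfuscation of the main package specifically.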

Developer Survey

Online survey targeting Android app developers (308 valid participants)

Obfuscation Experience

  • 78% (241) heard about obfuscation in general
  • 68% (210) heard about obfuscation in the context of Android apps
  • vs. 25% actual obfuscation rate in the Play Store

Likely not caused by missing knowledge/awareness about obfuscation

Reasons against obfuscation

  • No reason to protect their app (81; 54.8%)
    • No valuable intellectual property (64)
    • Open source (17)
  • Overwhelmed by complexity (52; 35%)
RQ2: What are developers' awareness, threat models, experiences, and attitudes about obfuscation?

  • Participants were aware of obfuscation
  • But estimate risk for own apps as low
  • Obfuscation simply not worth the effort

Task-based Study

Participants were provided with a link to source files and asked to send us their results

Task 1: Activate ProGuard for a basic project
Task 2: Activate ProGuard and configure it to keep a certain class unobfuscated

Study Results

Of 70 participants:
  • all succeeded at task 1
  • 17 succeeded at task 2

Common error: copy+paste configs from the web
RQ3: How usable is the leading obfuscation tool ProGuard?

  • Trivial configuration: easy
  • (Slightly) more complex tasks: hard
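A minimal rules file for the second task (keeping one class unobfuscated) is added here as an example; it is not taken from the study materials, and the class name com.example.app.model.MyModel is a placeholder. Activation itself (task 1) happens in the module's build.gradle by setting minifyEnabled true and pointing proguardFiles at this rules file.

```proguard
# proguard-rules.pro (added example; com.example.app.model.MyModel is a hypothetical class)

# Weak rule frequently copied from the web: it keeps every class and member, so
# the build passes but nothing is renamed or shrunk and the app gets no protection.
# -keep class ** { *; }

# Targeted rule for the one class that must keep its names, for example because
# it is looked up by reflection or serialised by field name. Everything else is
# still shrunk, optimised and renamed.
-keep class com.example.app.model.MyModel { *; }

# Write the name mapping so obfuscated stack traces (like "com.example.android.a.a.a")
# can be translated back during debugging.
-printmapping mapping.txt
```

The commented-out rule is the failure mode the task study surfaced: a configuration copied from the web that makes the error go away by keeping everything, which is indistinguishable from success unless the resulting APK is inspected.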
Takeaways

Investigation of Obfuscation


Security through insignificance:
Most developers told us they thought their apps were too small or insignificant to be targeted
Optional obfuscation:
"I will obfuscate my app if it gets popular and/or repackaged"
Additional Work
  • Supporting Developers
    • Cryptographic APIs
      • IDE plugin for supporting Android devs' security decisions [CCS 17]
      • Integrating security warnings and advice in APIs [SOUPS 18]
    • Development Processes
      • Secrets in Repositories

Cryptography is Hard!

Even the bad guys fail

[CCS 17]

Stitch in Time

  • Developed the FixDroid IDE plugin supporting Android developers' security decisions
  • Programming task based experiment + exit survey with Android developers
  • We found that such a tool helps improve the security of the produced code
[SOUPS 18]

Security Warnings for Devs

  • Integrated security advice and warnings in cryptographic libraries
  • Experiment with 53 participants solving programming tasks
  • Significantly improved code security with 73% of the participants receiving advice fixing their insecure code
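The idea behind both FixDroid and the integrated advice study is that the warning reaches the developer at the API call, together with a concrete fix. The following example is added here to show that shape in miniature; it is not FixDroid or the study's instrumented libraries. It runs a handful of pattern rules over constructed Java lines, and every rule carries the advice a developer-facing warning would display.

```python
import re
from dataclasses import dataclass

# Constructed Java lines standing in for a developer's code (not from the studies).
SAMPLE_JAVA = """\
Cipher c1 = Cipher.getInstance("AES");
Cipher c2 = Cipher.getInstance("AES/ECB/PKCS5Padding");
Cipher c3 = Cipher.getInstance("AES/GCM/NoPadding");
MessageDigest md = MessageDigest.getInstance("MD5");
byte[] iv = new byte[16]; new Random().nextBytes(iv);
byte[] iv2 = new byte[12]; new SecureRandom().nextBytes(iv2);
"""


@dataclass
class Finding:
    line: int
    rule: str
    advice: str


# Each rule pairs a pattern with the advice a developer-facing warning would show.
RULES = [
    (re.compile(r'Cipher\.getInstance\("AES"\)'), "implicit-ecb",
     '"AES" alone falls back to the provider default, ECB; name mode and padding '
     'explicitly, e.g. "AES/GCM/NoPadding".'),
    (re.compile(r'Cipher\.getInstance\("[A-Za-z0-9]+/ECB/'), "explicit-ecb",
     "ECB leaks plaintext patterns; use an authenticated mode such as GCM with a fresh nonce."),
    (re.compile(r'MessageDigest\.getInstance\("(MD5|SHA-?1)"\)'), "weak-hash",
     "MD5 and SHA-1 are broken for collision resistance; use SHA-256 or stronger."),
    (re.compile(r"\bnew Random\(\)"), "insecure-random",
     "java.util.Random is predictable; use SecureRandom for keys, IVs and nonces."),
]


def lint(source):
    """Run every rule over every line; one finding per (line, rule) hit."""
    found = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for pattern, rule, advice in RULES:
            if pattern.search(line):
                found.append(Finding(lineno, rule, advice))
    return found


if __name__ == "__main__":
    for f in lint(SAMPLE_JAVA):
        print(f"line {f.line}: [{f.rule}] {f.advice}")
```

Lines 3 and 6 of the sample pass untouched, which is the other half of the design: advice that fires on correct code trains developers to dismiss it.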
[Ongoing]

Secrets in Repositories

  • Developers accidentally expose code secrets, such as API keys or passwords, in their public repositories
  • Mixed-methods study with a survey (109 developers) + in-depth interviews for insights
  • 30.3% of participants encountered secret leakage in the past and face several challenges with secret leakage prevention and remediation
  • Providing recommendations for developers and source code platform providers to reduce the risk of secret leakage
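One of the practical recommendations in this space is to check added lines for secrets before they reach a public repository. The following example is added here to show what such a check does; it is not from the study and not a production scanner. It combines a provider-format rule with a name-based rule, uses Shannon entropy to separate random-looking tokens from filler, and skips obvious placeholders. The diff excerpt and every value in it are constructed; none is a real credential.

```python
import math
import re
from collections import Counter

# Constructed diff excerpt; every value below is made up and not a real credential.
SAMPLE_DIFF = """\
+++ b/config/settings.py
+DEBUG = True
+AWS_ACCESS_KEY_ID = "AKIA0000SAMPLE00KEY0"
+DATABASE_PASSWORD = "hunter2"
+API_TOKEN = "x9f3Q8bL2zV7nR4tW1yP6kJ0sH5dG8cA"
+LOG_LEVEL = "info"
+EXAMPLE_TOKEN = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
"""

# Rule 1: provider-specific key formats (AWS access key IDs are "AKIA" + 16 chars).
PROVIDER_PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]

# Rule 2: an added line assigning a quoted literal to a credential-looking name.
CREDENTIAL_ASSIGNMENT = re.compile(
    r"""^\+\s*(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*["'](?P<value>[^"']{6,})["']"""
)
CREDENTIAL_NAME = re.compile(r"(?i)(password|passwd|pwd|secret|token|api[_-]?key|access[_-]?key)")
PLACEHOLDER = re.compile(r"(?i)example|changeme|placeholder|<[^>]+>")


def shannon_entropy(s):
    """Bits per character; random tokens score high, words and filler score low."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def classify_line(lineno, line, entropy_threshold):
    """Return a finding for one added line, or None if nothing looks like a secret."""
    for rule, pattern in PROVIDER_PATTERNS:
        m = pattern.search(line)
        if m:
            return {"line": lineno, "rule": rule, "value": m.group(0),
                    "high_entropy": shannon_entropy(m.group(0)) >= entropy_threshold}
    m = CREDENTIAL_ASSIGNMENT.match(line)
    if not m or not CREDENTIAL_NAME.search(m.group("name")):
        return None
    value = m.group("value")
    ent = shannon_entropy(value)
    # Skip obvious placeholders: repeated filler characters or documentation values.
    if ent < 1.5 or PLACEHOLDER.search(value):
        return None
    return {"line": lineno, "rule": "credential-assignment", "value": value,
            "high_entropy": ent >= entropy_threshold}


def scan_diff(diff_text, entropy_threshold=3.0):
    """Scan added lines only (lines starting with '+' but not the '+++' file header)."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        finding = classify_line(lineno, line, entropy_threshold)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"line {f['line']}: {f['rule']} (high entropy: {f['high_entropy']})")
```

The two rules cover complementary cases: the format rule catches a provider key even when its entropy is low, and the name rule catches a weak password like "hunter2" that no entropy test would flag. The entropy flag is reported rather than used as a hard filter so that a reviewer can prioritise, since a leaked low-entropy password is still a leak.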
Takeaways

Supporting Developers

  • Dev tools might hide security challenges and complexity
  • Misusing libraries can introduce vulnerabilities
  • Encryption is still hard!
Recap
  • Usable Security for Experts
  • Research Outline
    • Empowering open source stakeholders

    • Empowering developers by supporting them in writing secure software

[SOUPS 20], [SOUPS 21a], [SOUPS 21b], Poster

User Insights & Perceptions

  • What:
    Researching population not necessarily limited to experts
  • How:
    Studying other populations allows to better support experts
  • Why:
    Empowering Experts Through User Insights

Cloudy With a Chance of Misconceptions

Exploring Users' Perceptions and Expectations of Security and Privacy in Cloud Office Suites

SOUPS 2020

(Headline screenshots: Fortune; Ars Technica)

Research Questions

  • RQ1:
    How and why do our participants interact with cloud office applications?
  • RQ2:
    What are end users’ awareness, perceptions, and attitudes about privacy in cloud office applications?
  • RQ3:
    What are participants’ understandings and related mental models regarding protection and security of their cloud documents?

Our participants ...

  • Prefer to store data on the platform they edit with
  • Agree on benefits: free access and easy collaboration
  • Generally prefer their local system over cloud storage
  • Think that in case of unauthorized access the cloud provider should inform them via email
Summary

Cloudy with a Chance of Misconceptions

  • Participants have strong opinions on how comfortable they are with the access of certain parties
  • But are somewhat unsure about who actually has access to their documents
  • Our findings enable administrators to make more user-friendly choices regarding office software.
    (E.g., our institute offered alternatives to Google Forms for feedback)
Additional Work
  • User Insights & Perceptions
    • Visualization of End-to-End Encryption [SOUPS 21a]
    • Perceptions around the German COVID Warn App [SOUPS 21b]
    • User Awareness of WebAuthn [Poster]
[SOUPS 21a]

E2E Messaging Visualization

  • Five user studies with a total of 683 participants investigating whether adding encryption UI visualizations to a messaging app would increase perceptions of trust, security, and privacy
  • We did not find a positive effect for more involved visualizations such as icons and animations compared to basic text disclosures
[SOUPS 21b]

COVID Warning App

  • The discussion around COVID Tracking apps in Germany focused on the trade-off between a centralized or decentralized approach
  • Study with quota sample (n = 744) investigating knowledge about app, willingness to use, and potential app properties
  • We found many false beliefs, especially concerning technical features such as the (non-existent) location tracking
Poster at S&P 22

WebAuthn Awareness

Takeaways

User Insights & Perceptions

  • User insights can help experts with security and privacy decisions
  • User perception is an important guideline for privacy-respecting and trustworthy software design

Recap
  • Usable Security for Experts
  • Research Outline
    • Empowering open source stakeholders

    • Empowering developers

    • Empowering experts by providing user insights

Research Agenda

Research Goal

Empowering and enabling software experts to develop and deploy secure, privacy-respecting, and trustworthy software.

Multi-Disciplinary Approach

  • Software Engineering to provide and manage the tooling experts need
  • Software Supply Chain Research to ensure the security and trustworthiness of dependencies
  • Human-Computer Interaction research to protect and empower experts as the weakest link
  • Security Research to enable experts to defend their software against vulnerabilities and exploits

Foundations


Applications


within the realm of software

Ongoing Research


Improving Security and Trust in the Open Source Software Supply Chain and Beyond
Supporting Software Developers
Towards Sustainable Open Source Research

Improving Security and Trust

in the Open Source Software Supply Chain and beyond.

Past

[S&P 22]
[Sec 21]
[SOUPS 17]

Ongoing

Industry Consideration
Reproducible Builds
Library Measurement

Supporting Software Developers

Past

[SOUPS 18]
[ACSAC 18]
[SecDev 17]
[CCS 17]

Ongoing

Repository Secrets
Ethical Consideration

Towards Sustainable Open Source Research

Past

[S&P 22]
[SOUPS 22]
[CSET 17]
[SOUPS 17]

Ongoing

Research recruiting Open Source

Future Challenges

  • AI and Developers
  • Targeted Supply Chain Attacks

AI and Developers

Given 89 scenarios, about 40 per cent of the computer programs made with the help of Copilot had potentially exploitable vulnerabilities.

Targeted Supply Chain Attacks

[A]n unauthorized third party leveraged malware deployed to a CircleCI engineer’s laptop in order to steal a valid, 2FA-backed SSO session.
CircleCI

Collaborations

Acknowledgements

Yasemin Acar, Sabrina Amft, Adam Aviv, Michael Backes, Niklas Busch, Karoline Busse, Duc Cuong Nguyen, Arne Dreißigacker, Sascha Fahl, Marcel Fourné, Eva Gerlitz, Mirja Griga, Jan H. Klemmer, Nicolas Huaman, Maximilian Häring, Sandra Höltervennhoff, Harjot Kaur, Doowon Kim, Philip Klostermeyer, Alexander Krause, Markus Kötter, Simson L. Garfinkel, Michelle L. Mazurek, Peter Leo Gorski, Luigi Lo Iacono, Elissa M. Redmiles, Sebastian Möller, Bradley Reaves, Juliane Schmüser, Johanna Schrader, Matthew Smith, Harshini Sri Ramulu, Christian Stransky, Christian Tiefenau, Mindy Tran, Patrick Traynor, Blase Ur, Miranda Wei, Charles Weir, Noah Wöhler, Bennet von Skarczinski

Takeaways

  • Goal:
    Enable software developers and system operators to deploy secure, privacy-respecting, and trustworthy software.
  • What:
    I am committed to tackling the hard problems of secure, trustworthy, and privacy-preserving software right at its source.
  • How:
    By enabling, supporting, and providing the involved experts with the right resources, processes, and tooling.

Dominik Wermke

Security & Privacy Researcher
Discussion Inspirations

Supporting the Experts

Large impact

Technology only?

Providing experts with user insights

Best resources and tooling

Increasing Supply Chain Attacks

New challenges

Role of Open Source

Experts: weakest link?

Needed change in company culture?

Developers supported by AI

Chance or Mistake?

Compared to current resources?

Ways forward (or any way back?)

References

[SOUPS 22]
If You Can’t Get Them to the Lab: Evaluating a Virtual Study Environment with Security Information Workers
Nicolas Huaman, Alexander Krause, Dominik Wermke, Christian Stransky, Jan H. Klemmer, Yasemin Acar, and Sascha Fahl.
SOUPS 2022, Eighteenth Symposium on Usable Privacy and Security, Santa Clara, CA, USA, August 7-9, 2022.
[S&P 22]
Committed to Trust: A Qualitative Study on Security & Trust in Open Source Software Projects
Dominik Wermke, Noah Wöhler, Jan H. Klemmer, Marcel Fourné, Yasemin Acar, and Sascha Fahl.
IEEE S&P 2022, In 43rd IEEE Symposium on Security and Privacy, May 23-26, 2022.
[Sec 21]
A Large-Scale Interview Study on Information Security in and Attacks against Small and Medium-sized Enterprises
Nicolas Huaman, Bennet von Skarczinski, Dominik Wermke, Christian Stransky, Yasemin Acar, Arne Dreißigacker, and Sascha Fahl.
USENIX Security '21, In 30th USENIX Security Symposium, August 11-13, 2021.
[SOUPS 21a]
On the Limited Impact of Visualizing Encryption: Perceptions of E2E Messaging Security
Christian Stransky, Dominik Wermke, Johanna Schrader, Nicolas Huaman, Yasemin Acar, Anna Lena Fehlhaber, Miranda Wei, Blase Ur, and Sascha Fahl.
SOUPS 2021, Seventeenth Symposium on Usable Privacy and Security, August 8-10, 2021.
[SOUPS 21b]
Never ever or no matter what: Investigating Adoption Intentions and Misconceptions about the Corona-Warn-App in Germany
Maximilian Häring, Eva Gerlitz, Christian Tiefenau, Matthew Smith, Dominik Wermke, Sascha Fahl, and Yasemin Acar.
SOUPS 2021, Seventeenth Symposium on Usable Privacy and Security, August 8-10, 2021.
[SOUPS 20]
Cloudy with a Chance of Misconceptions: Exploring Users' Perceptions and Expectations of Security and Privacy in Cloud Office Suites
Dominik Wermke, Christian Stransky, Nicolas Huaman, Niklas Busch, Yasemin Acar, and Sascha Fahl.
SOUPS 2020, Sixteenth Symposium on Usable Privacy and Security, August 12-14, 2020.
[ACSAC 18]
A Large Scale Investigation of Obfuscation Use in Google Play
Dominik Wermke, Nicolas Huaman, Yasemin Acar, Bradley Reaves, Patrick Traynor, and Sascha Fahl.
ACSAC 2018, Proceedings of the 34th Annual Computer Security Applications Conference, San Juan, PR, USA, December 03-07, 2018.
[SOUPS 18]
Developers Deserve Security Warnings, Too: On the Effect of Integrated Security Advice on Cryptographic API Misuse
Peter Leo Gorski, Luigi Lo Iacono, Dominik Wermke, Christian Stransky, Sebastian Möller, Yasemin Acar, and Sascha Fahl.
SOUPS 2018, Fourteenth Symposium on Usable Privacy and Security, Baltimore, MD, USA, August 12-14, 2018.
[CCS 17]
A Stitch in Time: Supporting Android Developers in Writing Secure Code
Duc Cuong Nguyen, Dominik Wermke, Yasemin Acar, Michael Backes, Charles Weir, and Sascha Fahl.
CCS 2017, Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, Dallas, TX, USA, October 30 - November 03, 2017.
[SecDev 17]
Developers Need Support, Too: A Survey of Security Advice for Software Developers
Yasemin Acar, Christian Stransky, Dominik Wermke, Charles Weir, Michelle L. Mazurek, and Sascha Fahl.
SecDev 2017, IEEE Cybersecurity Development, Cambridge, MA, USA, September 24-26, 2017.
[SOUPS 17]
Security Developer Studies with GitHub Users: Exploring a Convenience Sample
Yasemin Acar, Christian Stransky, Dominik Wermke, Michelle L. Mazurek, and Sascha Fahl.
SOUPS 2017, Thirteenth Symposium on Usable Privacy and Security, Santa Clara, CA, USA, July 12-14, 2017.

Additional Slides

Interviews

Project Demographics
Security Challenges
Guidance & Policies
Project Structure
Release & Updates
Roles & Responsibilities
Trust Processes
Opinions & Improvements

Interview Structure

Project Demographics

Release & Updates

  • Releases and updates based on direct community input and feedback
  • Exceptions from schedule for vulnerability fixes

Roles & Responsibilities

  • Projects have a variety of contributor hierarchies which are mostly relatively flat with two levels
  • Most of the projects do not staff teams dedicated to project security

Reputation

Internal
Amongst the people on the project, everybody trusts it a lot.
We follow very, very high standards there, mainly because we have a few people who are very, very keen on that.

Reputation

External
  • Similar for external reputation
  • Many participants are unsure about the actual awareness of the project outside of their community

Improvements

Suggested improvements mainly require
  • (15) More person-hours
  • (9) More money
  • (9) Different infrastructure

Improvements

Technical Debt
If I could, I would write the entire stack myself.
[…] I would rewrite a lot of the code. That’s just a historical thing, because it has already become big and complex […] It’s just like building a house; you’d have to build it three times before it becomes good.
“What I’d like to do is oxidize [the project] over time, to integrate Rust and Rust code into the codebase – which is quite an undertaking […] and an incredibly tedious task to do it well."

Improvements

Review Processes
So the first thing I do is that a group of people would review every pull request exclusively from the view of security.
“I could always use more participants in the review process and so if I could hire some people, if I had the disposable income to do that, I would probably hire people to get more eyes on pull requests than just myself […]"

Improvements

Tooling
[W]ith unlimited resources, I would like some more investment into automatic tools that are better in like finding vulnerabilities and problems with code
“I think getting more tools and more CI-type tools to watch for that, because I think humans are vulnerable […] If I had unlimited budget and unlimited engineers, I’d really work on improving our testing systems."

Improvements

Summary
  • Our participants take pride in their projects, but are quite humble about their importance and reach in the OSS ecosystem
  • Overall, even improvements initially requiring more money or a different infrastructure ended up targeting the project’s need for more contributors

Libraries

Scope                       Packages   Unique APKs
com.google.ads.*           1,919,976       681,102
com.google.android.gms.*  24,095,920       651,952
android.support.v4.*       1,811,806       192,497
com.unity3d.*                432,856       152,668
org.fmod.*                   135,524       135,524
android.support.v7.*         992,843       117,680
com.facebook.*             1,309,276       106,178
com.startapp.*             2,234,609        88,242
com.chartboost.*             491,612        87,781
com.pollfish.*               537,046        44,851

Results: App Popularity

Downloads         Apps   Obfs. Main Package
0+             115,683   27.30%
10+            343,652   26.34%
100+           499,018   24.74%
1,000+         383,046   24.13%
10,000+        234,213   23.95%
100,000+        80,302   25.50%
1,000,000+      16,335   29.15%
10,000,000+      1,940   36.80%
100,000,000+       160   50.00%

Results: Update Date