“We need to train well-intended developers to avoid common security and privacy-relevant errors and to prioritize security and privacy along with functionality."
Mazurek Receives NIST Grant for Secure Mobile App Development
Michelle Mazurek, an assistant professor of computer science with joint appointments in the Maryland Cybersecurity Center and the Human-Computer Interaction Lab, recently received a grant from the National Institute of Standards and Technology (NIST) to improve security and privacy decision-making by developers of mobile applications.
The $333K grant will fund research and innovation to help mobile developers improve security of their apps by avoiding poor encryption practices and privacy-invasive actions that can put users’ data at risk.
“We need to train well-intended developers to avoid common security and privacy-relevant errors and to prioritize security and privacy along with functionality,” Mazurek says.
Security and privacy issues on mobile platforms are becoming an increasing concern, she says. A recent study found that 88 percent of apps in the Google Play market that used cryptographic library functions made at least one important error.
Collaborating with Mazurek on the project are second-year computer science doctoral student Doowon Kim, two doctoral students at Saarland University in Germany; two Saarland postdoctoral researchers; and two researchers at NIST.
Mazurek, who is principal investigator on the project, says the team is starting its research by conducting diagnostic studies to try and understand what makes it difficult for mobile developers to code securely.
“Currently we're examining how the resources developers use—for example, stack overflow or the official Android documentation—impact their security choices,” she says.
Mazurek adds the group is also working with NIST on a survey to examine whether and how larger corporate developers currently use cryptography standards.
The grant will be awarded over the course of three years and will encompass several different studies. For the study this fall, the team is hoping to recruit 70 participants.
“Helping developers improve their security is a topic that's really interesting to me and that I hope can have a lot of impact: one developer improving their practices makes things better for all of their users,” Mazurek says.
—Story by Melissa Brachfeld
October 16, 2015