Security-based code smell definition, detection, and impact
quantification in Android
Abstract
Android holds a large share of the mobile market, and the breadth of what
apps are allowed to do makes Android security a concern. Research shows
that many security issues stem from insecure coding practices. Code
smell, as an indicator of poor design, threatens both the security and
the quality assurance of Android applications (apps). Although earlier
work has tied specific problems to code smells, the field still lacks
studies that reflect Android-specific features. Moreover, cost and time
constraints prevent developers from repairing large numbers of smells
promptly. We conducted a study covering the definition, detection, and
impact quantification of Android code smells (DefDIQ): (1) we define 15
novel Android code smells from a security programming perspective and
suggest how to eliminate or mitigate each of them; (2) we implement DACS,
a tool that automatically detects the defined smells from abstract syntax
trees (ASTs); (3) using the DACS detection results, we investigate the
correlation between individual smells, select suitable smells to build
fault counting models, quantify their impact on quality, and thereby
derive repair priorities for the smells. Experiments on 4,575
open-source apps show that: (i) Lin's concordance correlation
coefficient (CCC) between DACS and manual detection results reaches
0.9994, confirming the validity of the detector; (ii) the fault counting
model built with zero-inflated negative binomial (ZINB) regression
outperforms the negative binomial (NB) model (AIC = 517.32, BIC =
522.12); some smells are indeed indicators of fault-proneness, and we
identify these avoidable poor designs; (iii) different code smells carry
different weight, and the resulting repair priorities offer a practical
guideline for researchers and inexperienced developers.
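Finding (i) validates the detector with Lin's concordance correlation coefficient rather than with a plain correlation. The Python below is an added example, not code from the paper or from DACS: it implements Lin's CCC and, for contrast, Pearson's r over constructed per-app counts of one smell (eight apps, invented values) for a hand-labelled baseline and three hypothetical detector outputs. The function names and the sample data are assumptions made for this illustration.

```python
"""Lin's concordance correlation coefficient (CCC) for validating an
automated smell detector against manual counts.

Added example; it is not the paper's DACS code.  Lin's CCC is

    rho_c = 2 * cov(x, y) / (var(x) + var(y) + (mean(x) - mean(y)) ** 2)

It equals 1 only when every pair agrees exactly, so unlike Pearson's r it
drops when a detector is systematically biased (e.g. it reports every
smell plus a constant) even though the two series are perfectly correlated.
"""
from math import sqrt
from statistics import fmean


def _deviations(x, y):
    """Return (dx, dy, mean_diff): deviations from each mean and the mean gap."""
    if len(x) != len(y) or len(x) < 2:
        raise ValueError("need two equal-length samples of at least two values")
    mx, my = fmean(x), fmean(y)
    return [a - mx for a in x], [b - my for b in y], mx - my


def lin_ccc(x, y):
    """Lin's CCC, using population (1/n) moments as in Lin (1989)."""
    dx, dy, bias = _deviations(x, y)
    n = len(x)
    var_x = sum(d * d for d in dx) / n
    var_y = sum(d * d for d in dy) / n
    cov = sum(a * b for a, b in zip(dx, dy)) / n
    denom = var_x + var_y + bias * bias
    if denom == 0:
        return 1.0  # both series constant and identical: perfect agreement
    return 2 * cov / denom


def pearson_r(x, y):
    """Pearson's r, for contrast: blind to a constant offset between raters."""
    dx, dy, _ = _deviations(x, y)
    sxy = sum(a * b for a, b in zip(dx, dy))
    sxx = sum(d * d for d in dx)
    syy = sum(d * d for d in dy)
    if sxx == 0 or syy == 0:
        return float("nan")  # r is undefined when either series is constant
    return sxy / sqrt(sxx * syy)


def compare_detector(manual, tool):
    """Summarise tool-vs-manual agreement for one smell across apps."""
    return {
        "ccc": lin_ccc(manual, tool),
        "pearson": pearson_r(manual, tool),
        "mean_bias": fmean(tool) - fmean(manual),  # > 0: tool over-reports
    }


# Constructed data (invented values): counts of one smell in eight apps.
MANUAL = [0, 2, 1, 5, 3, 0, 4, 2]        # hand-labelled ground truth
TOOL_EXACT = list(MANUAL)                # detector reproduces every count
TOOL_BIASED = [c + 3 for c in MANUAL]    # detector over-reports by 3 per app
TOOL_MISSED = [0, 2, 1, 4, 3, 0, 4, 2]   # detector misses one instance in app 4

if __name__ == "__main__":
    for name, tool in (("exact", TOOL_EXACT), ("biased", TOOL_BIASED),
                       ("missed", TOOL_MISSED)):
        print(name, compare_detector(MANUAL, tool))
```

The biased detector scores r = 1.0 but a CCC of about 0.39, because the squared mean gap enters the denominator; the detector that misses a single instance keeps a CCC above 0.97. A detector validated on correlation alone could therefore pass while systematically over- or under-counting, which is why a CCC close to 1, as reported for DACS, is the stronger claim.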