Essential Site Maintenance: Authorea-powered sites will be updated circa 15:00-17:00 Eastern on Tuesday 5 November.
There should be no interruption to normal services, but please contact us at [email protected] in case you face any issues.

loading page

Security-based code smell definition, detection, and impact quantification in Android
  • +2
  • Mengyu Shi,
  • Yi Zhong,
  • Jiawei He,
  • Chunrong Fang,
  • Zhenyu Chen
Mengyu Shi
State Key Laboratory of Novel Software Technology

Corresponding Author:[email protected]

Author Profile
Yi Zhong
State Key Laboratory of Novel Software Technology
Author Profile
Jiawei He
State Key Laboratory of Novel Software Technology
Author Profile
Chunrong Fang
State Key Laboratory of Novel Software Technology
Author Profile
Zhenyu Chen
State Key Laboratory of Novel Software Technology
Author Profile

Abstract

Android occupies a high market share, and its broad functions make Android security matter. Research reveals that many security issues are caused by insecure coding practices. As a poor design indicator, code smell threatens the safety and quality assurance of Android applications (apps). Although previous works revealed specific problems associated with code smells, the field still lacks research reflecting Android features. Moreover, the cost and time limit developers to repairing numerous smells timely. We conducted a study, including definition, detection, and impact quantification for Android code smell (DefDIQ): (1) define 15 novel code smells in Android from a security programming perspective; meanwhile, we provide suggestions on how to eliminate or mitigate them; (2) implement DACS to automatically detect the custom code smells based on ASTs; (3) investigate the correlation between individual smells with DACS detection results, and select suitable code smells to construct fault counting models, then quantify their impact on quality, and thereby generating code smell repair priorities. We conducted experiments on 4,575 open-source apps, and the findings are: (i) Lin’s CCC between DACS and manual detection results reaches 0.9994, verifying the validity; (ii) the fault counting model constructed by ZINB is superior to NB (AIC = 517.32, BIC = 522.12); some smells do indicate fault-proneness, and we identify such avoidable poor designs; (iii) different code smells have different importance and the repair priorities constructed provide a practical guideline for researchers and inexperienced developers.
25 Oct 2022Submitted to Software: Practice and Experience
25 Oct 2022Submission Checks Completed
25 Oct 2022Assigned to Editor
04 Nov 2022Review(s) Completed, Editorial Evaluation Pending
06 Nov 2022Reviewer(s) Assigned
11 Apr 2023Editorial Decision: Revise Major
09 Jul 20231st Revision Received
10 Jul 2023Submission Checks Completed
10 Jul 2023Assigned to Editor
10 Jul 2023Review(s) Completed, Editorial Evaluation Pending
10 Jul 2023Reviewer(s) Assigned
05 Aug 2023Editorial Decision: Accept