Security Requirements Metrics for Pattern-Lock Applications on Mobile Devices

Full Text (PDF, 665KB), PP.1-13

Views: 0 Downloads: 0

Author(s)

Irfan Afifullah 1,* Bayu Hendradjaya 1

1. School of Electrical Engineering and Informatics, Institut Teknologi Bandung, Indonesia

* Corresponding author.

DOI: https://doi.org/10.5815/ijcnis.2016.11.01

Received: 11 Mar. 2016 / Revised: 1 Jun. 2016 / Accepted: 10 Aug. 2016 / Published: 8 Nov. 2016

Index Terms

GQM, Pattern-Lock, Requirement Statements, Security Requirements Metrics, Threat Statements

Abstract

Pattern-Lock is one of graphical authentication schemes that shows high popularity today. Based on recent research, the security requirements metrics of Pattern-Lock applications have not proposed yet. The goal of this study is to define security requirements metrics for Pattern-Lock applications on mobile devices. Our study has identified 12 threat statements and 18 requirements statements by analyzing STRIDE (Spoofing the identity, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) and Extended Misuse Case diagram. To develop the metrics we have used Goal-Question-Metric (GQM) paradigm. Based on these, we develop 3 Goals and 7 Questions and resulted in 20 metrics for security requirements. The metrics have been evaluated using 30 App Locker Android applications, and the results show that some metrics have higher values than others. Number of Pattern Characteristics that Successfully Detected, Ability to Relock, and Grid Size metrics have the three highest values. These metrics requires higher priorities to look into when developers need to build the App Locker applications. Moreover, developers should ensure that App Locker applications have values higher than average of security goals and metrics achievements.

Cite This Paper

Irfan Afifullah, Bayu Hendradjaya, "Security Requirements Metrics for Pattern-Lock Applications on Mobile Devices", International Journal of Computer Network and Information Security(IJCNIS), Vol.8, No.11, pp.1-13, 2016. DOI:10.5815/ijcnis.2016.11.01

Reference

[1]A. J. Aviv, K. Gibson, E. Mossop, M. Blaze, and J. M. Smith, “Smudge Attacks on Smartphone Touch Screens,” in Proceedings of the 4th USENIX Conference on Offensive Technologies, Berkeley, CA, USA, 2010, pp. 1–7.
[2]H. Gao, W. Jia, F. Ye, and L. Ma, “A survey on the use of graphical passwords in security,” Journal of Software, vol. 8, no. 7, Jul. 2013.
[3]P. Andriotis, T. Tryfonas, and G. Oikonomou, “Complexity Metrics and User Strength Perceptions of the Pattern-Lock Graphical Authentication Method,” presented at the International Conference on Human Aspects of Information Security, Privacy, and Trust, 2014, pp. 115–126.
[4]C. Kern, A. Kesavan, and N. Daswani, Foundations of Security: What Every Programmer Needs to Know, 2007th ed. Berkeley, CA : New York: Apress, 2007.
[5]R. Savola, “Information security evaluation based on requirements, metrics and evidence information,” in Proceedings of the 6th Annual Security Conference, Las Vegas, NV, 2007.
[6]Y. Song, G. Cho, S. Oh, H. Kim, and J. H. Huh, “On the Effectiveness of Pattern Lock Strength Meters: Measuring the Strength of Real World Pattern Locks,” in Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems, New York, NY, USA, 2015, pp. 2343–2352.
[7]E. von Zezschwitz, A. De Luca, P. Janssen, and H. Hussmann, “Easy to Draw, but Hard to Trace?: On the Observability of Grid-based (Un)Lock Patterns,” in Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems, New York, NY, USA, 2015, pp. 2339–2342.
[8]S. Uellenbeck, M. Dürmuth, C. Wolf, and T. Holz, “Quantifying the Security of Graphical Passwords: The Case of Android Unlock Patterns,” in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, New York, NY, USA, 2013, pp. 161–172.
[9]V. R. Basili, G. Caldiera, and H. D. Rombach, “Goal Question Metric Paradigm,” Encyclopedia of Software Engineering 2 Volume Set, vol. 1. John Wiley & Sons, pp. 528–532, 1994.
[10]E. von Zezschwitz, A. Koslow, A. De Luca, and H. Hussmann, “Making Graphic-based Authentication Secure Against Smudge Attacks,” in Proceedings of the 2013 International Conference on Intelligent User Interfaces, New York, NY, USA, 2013, pp. 277–286.
[11]W. Hu, X. Wu, and G. Wei, “The Security Analysis of Graphical Passwords,” in Proceedings of the International Conference on Communications and Intelligence Information Security (ICCIIS), 2010, pp. 200–203.
[12]A. de L. Simao, F. Sicoli, L. de Melo, and R. de Sousa, “Acquisition of digital evidence in android smartphones,” Australian Digital Forensics Conference, pp. 116–124, Jan. 2011.
[13]Y.-C. Tsai and C.-H. Yang, Physical Forensic Acquisition and Pattern Unlock on Android Smart Phones. Springer Netherlands, 2013.
[14]I. Sommerville, Software Engineering, 9th ed. USA: Pearson Education, 2011.
[15]R. S. Pressman, Software Engineering: A Practitioner’s Approach, 7th ed. USA: McGraw-Hill Education, 2010.
[16]A. Shostack, Wiley: Threat Modeling: Designing for Security. USA: John Wiley & Sons, 2014.
[17]L. R?stad, “An extended misuse case notation: Including vulnerabilities and the insider threat,” in Proceedings of the 12th Working Conference on Requirements Engineering: Foundation for Software Quality (REFSQ), 2006.
[18]G. Sindre and A. L. Opdahl, “Eliciting Security Requirements with Misuse Cases,” Journal Requirements Engineering, vol. 10, no. 1, pp. 34–44, Jan. 2005.
[19]S. Myagmar, A. J. Lee, and W. Yurcik, “Threat modeling as a basis for security requirements,” in Symposium on requirements engineering for information security (SREIS), 2005, vol. 2005, pp. 1–8.
[20]D. Firesmith, “Engineering Security Requirements.,” The Journal of Object Technology, vol. 2, no. 1, p. 53, 2003.
[21]S. Islam and P. Falcarin, “Measuring security requirements for software security,” in 2011 IEEE 10th International Conference on Cybernetic Intelligent Systems (CIS), 2011, pp. 70–75.
[22]A. A. Abdulrazeg, N. M. Norwawi, and N. Basir, “Security measurement based on GQM to improve application security during requirements stage,” International Journal of Cyber-Security and Digital Forensics (IJCSDF), vol. 1, no. 3, pp. 211–220, 2012.
[23]N. E. Fenton and S. L. Pfleeger, Software Metrics: A Rigorous & Practical Approach, 2nd ed. Pws Pub Co, 1996.
[24]N. F. Schneidewind, “Methodology for validating software metrics,” IEEE Transactions on Software Engineering, vol. 18, no. 5, pp. 410–422, May 1992.
[25]V. R. Basili, L. C. Briand, and W. L. Melo, “A validation of object-oriented design metrics as quality indicators,” IEEE Transactions on Software Engineering, vol. 22, no. 10, pp. 751–761, 1996.
[26]R. Savola, “On the feasibility of utilizing security metrics in software-intensive systems,” International Journal of Computer Science and Network Security (IJCSNS), vol. 10, no. 1, pp. 230–239, 2010.
[27]“The Kingo Android Root Website,” 2015. [Online]. Available: https://www.kingoapp.com/.
[28]“The iKeyMonitor Key Logger Spy App Website,” 2015. [Online]. Available: https://ikeymonitor.com/.
[29]“The Globfone Website,” 2016. [Online]. Available: https://globfone.com/.