cispa_all_1189.pdf (491.87 kB)

The Rise of the Citizen Developer: Assessing the Security Impact of Online App Generators

Download (491.87 kB)
conference contribution
posted on 2023-11-29, 18:07 authored by Marten OltroggeMarten Oltrogge, Erik Derr, Christian Stransky, Yasemin Acar, Sascha FahlSascha Fahl, Christian RossowChristian Rossow, Giancarlo PellegrinoGiancarlo Pellegrino, Sven BugielSven Bugiel, Michael BackesMichael Backes
Mobile apps are increasingly created using online application generators (OAGs) that automate app development, distribution, and maintenance. These tools significantly lower the level of technical skill that is required for app development, which makes them particularly appealing to citizen developers, i.e., developers with little or no software engineering background. However, as the pervasiveness of these tools increases, so does their overall influence on the mobile ecosystem’s security, as security lapses by such generators affect thousands of generated apps. The security of such generated apps, as well as their impact on the security of the overall app ecosystem, has not yet been investigated. We present the first comprehensive classification of commonly used OAGs for Android and show how to fingerprint uniquely generated apps to link them back to their generator. We thereby quantify the market penetration of these OAGs based on a corpus of 2,291,898 free Android apps from Google Play and discover that at least 11.1% of these apps were created using OAGs. Using a combination of dynamic, static, and manual analysis, we find that the services’ app generation model is based on boilerplate code that is prone to reconfiguration attacks in 7/13 analyzed OAGs. Moreover, we show that this boilerplate code includes well-known security issues such as code injection vulnerabilities and insecure WebViews. Given the tight coupling of generated apps with their services' backends, we further identify security issues in their infrastructure. Due to the blackbox development approach, citizen developers are unaware of these hidden problems that ultimately put the end-users sensitive data and privacy at risk and violate the user’s trust assumption. A particular worrisome result of our study is that OAGs indeed have a significant amplification factor for those vulnerabilities, notably harming the health of the overall mobile app ecosystem.


Preferred Citation

Marten Oltrogge, Erik Derr, Christian Stransky, Yasemin Acar, Sascha Fahl, Christian Rossow, Giancarlo Pellegrino, Sven Bugiel and Michael Backes. The Rise of the Citizen Developer: Assessing the Security Impact of Online App Generators. In: IEEE Symposium on Security and Privacy (S&P). 2018.

Primary Research Area

  • Reliable Security Guarantees

Secondary Research Area

  • Secure Connected and Mobile Systems

Name of Conference

IEEE Symposium on Security and Privacy (S&P)

Legacy Posted Date


Open Access Type

  • Unknown


@inproceedings{cispa_all_1189, title = "The Rise of the Citizen Developer: Assessing the Security Impact of Online App Generators", author = "Oltrogge, Marten and Derr, Erik and Stransky, Christian and Acar, Yasemin and Fahl, Sascha and Rossow, Christian and Pellegrino, Giancarlo and Bugiel, Sven and Backes, Michael", booktitle="{IEEE Symposium on Security and Privacy (S&P)}", year="2018", }

Usage metrics


    No categories selected


    Ref. manager