DOI: 10.1145/3383219.3383277

On the Evaluation of the Security Usability of Bitcoin's APIs

Published: 17 April 2020

Abstract

Bitcoin is a peer-to-peer software system that is primarily used as digital money. Many software libraries, in various programming languages, give access to the Bitcoin system through an Application Programming Interface (API). APIs that are used inappropriately lead to bugs and security vulnerabilities that are hard to discover and can result in serious zero-day attacks. Making APIs usable is therefore an essential aspect of the quality and robustness of software. This paper surveys the general academic literature on API usability and usable security. It then evaluates the API usability of libbitcoin, a well-known C++ implementation of the Bitcoin system, and assesses how the findings of this evaluation could affect the applications that use libbitcoin. In addition, the paper proposes two static analysis tools for this purpose. The findings of this research have improved libbitcoin in many places, as the paper will show.


Cited By

  • (2023) Security Aspects of Cryptocurrency Wallets: A Systematic Literature Review. ACM Computing Surveys 56(1), 1-31. DOI: 10.1145/3596906. Online publication date: 28 Aug 2023
  • (2020) Bitcoin's APIs in Open-Source Projects: Security Usability Evaluation. Electronics 9(7), 1077. DOI: 10.3390/electronics9071077. Online publication date: 30 Jun 2020


Published In

EASE '20: Proceedings of the 24th International Conference on Evaluation and Assessment in Software Engineering
April 2020
544 pages
ISBN:9781450377317
DOI:10.1145/3383219
  • General Chairs: Jingyue Li, Letizia Jaccheri
  • Program Chairs: Torgeir Dingsøyr, Ruzanna Chitchyan
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

In-Cooperation

  • NTNU: Norwegian University of Science and Technology

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. API Usability
  2. Bitcoin
  3. Privacy
  4. Security

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

EASE '20

Acceptance Rates

Overall Acceptance Rate 71 of 232 submissions, 31%

Article Metrics

  • Downloads (last 12 months): 12
  • Downloads (last 6 weeks): 2
Reflects downloads up to 22 Nov 2024
