"Jumping Through Hoops": Why do Java Developers Struggle with Cryptography APIs?
To protect sensitive data processed by current applications, developers, whether security experts or not, have to rely on cryptography. While cryptography algorithms have become increasingly advanced, many data breaches occur because developers do not correctly use the corresponding APIs. To guide future research into practical solutions to this problem, we perform an empirical investigation into the obstacles developers face while using the Java cryptography APIs, the tasks they use the APIs for, and the kind of (tool) support they desire. We triangulate data from four separate studies that include the analysis of 100 StackOverflow posts, 100 GitHub repositories, and survey input from 48 developers. We find that while developers find it difficult to use certain cryptographic algorithms correctly, they feel surprisingly confident in selecting the right cryptography concepts (e.g., encryption vs. signatures). We also find that the APIs are generally perceived to be too low-level and that developers prefer more task-based solutions.
| Published in | Proceedings / International Conference on Software Engineering pp. 935 - 946 |
|---|---|
| Main Authors | Nadi, Sarah; Kruger, Stefan; Mezini, Mira; Bodden, Eric |
| Format | Conference Proceeding |
| Language | English |
| Published | ACM, 01.05.2016 |
| Subjects | API misuse; Complexity theory; Cryptography; empirical software engineering; Encryption; Face; Java; Libraries; Public key |
| Online Access | https://ieeexplore.ieee.org/document/7886969 |
| ISSN | 1558-1225 |
| DOI | 10.1145/2884781.2884790 |
| Abstract | To protect sensitive data processed by current applications, developers, whether security experts or not, have to rely on cryptography. While cryptography algorithms have become increasingly advanced, many data breaches occur because developers do not correctly use the corresponding APIs. To guide future research into practical solutions to this problem, we perform an empirical investigation into the obstacles developers face while using the Java cryptography APIs, the tasks they use the APIs for, and the kind of (tool) support they desire. We triangulate data from four separate studies that include the analysis of 100 StackOverflow posts, 100 GitHub repositories, and survey input from 48 developers. We find that while developers find it difficult to use certain cryptographic algorithms correctly, they feel surprisingly confident in selecting the right cryptography concepts (e.g., encryption vs. signatures). We also find that the APIs are generally perceived to be too low-level and that developers prefer more task-based solutions. |
|---|---|
| Author | Nadi, Sarah; Kruger, Stefan; Mezini, Mira; Bodden, Eric |
| Author_xml | 1. Sarah Nadi (nadi@cs.tu-darmstadt.de); 2. Stefan Kruger (stefan.krueger@cased.de); 3. Mira Mezini (mezini@cs.tu-darmstadt.de); 4. Eric Bodden (eric.bodden@uni-paderborn.de) |
| CODEN | IEEPAD |
| ContentType | Conference Proceeding |
| DOI | 10.1145/2884781.2884790 |
| Discipline | Computer Science |
| EISBN | 9781450339001; 145033900X |
| EISSN | 1558-1225 |
| EndPage | 946 |
| ExternalDocumentID | 7886969 |
| Genre | orig-research |
| Language | English |
| PageCount | 12 |
| PublicationCentury | 2000 |
| PublicationDate | 2016-May |
| PublicationDateYYYYMMDD | 2016-05-01 |
| PublicationDecade | 2010 |
| PublicationTitle | Proceedings / International Conference on Software Engineering |
| PublicationTitleAbbrev | ICSE |
| PublicationYear | 2016 |
| Publisher | ACM |
| StartPage | 935 |
| SubjectTerms | API misuse; Complexity theory; Cryptography; empirical software engineering; Encryption; Face; Java; Libraries; Public key |
| Title | "Jumping Through Hoops": Why do Java Developers Struggle with Cryptography APIs? |
| URI | https://ieeexplore.ieee.org/document/7886969 |