
Detecting Misuse of Security APIs: A Systematic Review

Zahra Mousavi, Chadni Islam, M. Ali Babar, Alsharif Abuadbba, Kristen Moore

TL;DR

This systematic review targets the detection of security API misuse by mapping security API types, misuse patterns, detection techniques, and evaluation methodologies across 69 studies. It identifies six API categories and 30 misuses, and distinguishes heuristic-based from ML-based detection, noting a heavy reliance on static, rule-based approaches with limited ML adoption. The review highlights the scarcity and narrow scope of evaluation benchmarks and calls for broader, cross-language tools, standardized evaluation frameworks, and more user-centered, repair-oriented solutions. Collectively, the findings emphasize aligning security API development with developer needs, expanding ML/LLM methods and evaluation benchmarks to better assess real-world effectiveness and scalability. The work provides a structured knowledge base to guide future research and practice toward more secure API usage in diverse programming environments.

Abstract

Security Application Programming Interfaces (APIs) are crucial for ensuring software security. However, their misuse introduces vulnerabilities, potentially leading to severe data breaches and substantial financial loss. Complex API design, inadequate documentation, and insufficient security training often lead to unintentional misuse by developers. The software security community has devised and evaluated several approaches to detecting security API misuse to help developers and organizations. This study rigorously reviews the literature on detecting misuse of security APIs to gain a comprehensive understanding of this critical domain. Our goal is to identify and analyze security API misuses, the detection approaches developed, and the evaluation methodologies employed along with the open research avenues to advance the state-of-the-art in this area. Employing the systematic literature review (SLR) methodology, we analyzed 69 research papers. Our review has yielded (a) identification of 6 security API types; (b) classification of 30 distinct misuses; (c) categorization of detection techniques into heuristic-based and ML-based approaches; and (d) identification of 10 performance measures and 9 evaluation benchmarks. The review reveals a lack of coverage of detection approaches in several areas. We recommend that future efforts focus on aligning security API development with developers' needs and advancing standardized evaluation methods for detection technologies.
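
As an added illustration of the heuristic, rule-based static detection the abstract and TL;DR refer to, here is a small Python scanner that applies regular-expression rules to Java source and reports common security API misuses. This is example code written for this page, not code from the paper or from any tool it reviews; the rule set, rule names and the constructed Java snippets are this example's own assumptions and do not reproduce the review's catalogue of 30 misuses.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # name of the heuristic rule that fired
    line: int      # 1-based line number in the scanned source
    snippet: str   # the offending source line, whitespace-stripped


# Hypothetical rule set (constructed for this example, not the paper's taxonomy).
# Each rule is a regular expression over Java source text: the kind of purely
# syntactic heuristic that rule-based static detectors apply.
RULES = [
    ("hard-coded key material",
     re.compile(r'new\s+SecretKeySpec\s*\(\s*"[^"]+"\.getBytes')),
    ("ECB mode",
     re.compile(r'Cipher\.getInstance\(\s*"[A-Za-z0-9]+/ECB/')),
    ("implicit ECB (no mode given; JCE defaults to ECB)",
     re.compile(r'Cipher\.getInstance\(\s*"(AES|DES)"\s*\)')),
    ("weak hash",
     re.compile(r'MessageDigest\.getInstance\(\s*"(MD5|SHA-?1)"')),
    ("permissive hostname verifier",
     re.compile(r'verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;')),
]


def scan(source: str) -> list[Finding]:
    """Apply every rule to the source text and return findings ordered by line."""
    lines = source.splitlines()
    findings: list[Finding] = []
    for name, pattern in RULES:
        for match in pattern.finditer(source):
            line_no = source.count("\n", 0, match.start()) + 1
            findings.append(Finding(name, line_no, lines[line_no - 1].strip()))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample: a Java class exhibiting four misuses the rules cover.
VULNERABLE_JAVA = """\
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.security.MessageDigest;

class Demo {
    byte[] encrypt(byte[] data) throws Exception {
        SecretKeySpec key = new SecretKeySpec("0123456789abcdef".getBytes(), "AES");
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(data);
    }
    byte[] digest(byte[] data) throws Exception {
        return MessageDigest.getInstance("MD5").digest(data);
    }
    HostnameVerifier allowAll() {
        return new HostnameVerifier() {
            public boolean verify(String host, SSLSession session) { return true; }
        };
    }
}
"""

# Constructed sample: the same class with the key supplied by the caller,
# an authenticated mode, a current hash, and no custom hostname verifier.
HARDENED_JAVA = """\
class Demo {
    byte[] encrypt(byte[] data, SecretKey key, byte[] nonce) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        return c.doFinal(data);
    }
    byte[] digest(byte[] data) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }
}
"""


if __name__ == "__main__":
    for f in scan(VULNERABLE_JAVA):
        print(f"line {f.line}: {f.rule}: {f.snippet}")
    print("hardened findings:", scan(HARDENED_JAVA))
```

Running the block reports the hard-coded key, the ECB transformation, the MD5 digest and the always-true hostname verifier in the vulnerable sample, and nothing for the hardened one. The limitation that the TL;DR notes for rule-based approaches is visible in the design: the rules match surface syntax only, so a transformation string assembled at runtime, a key that is constant but loaded from a field, or a misuse inside a comment are respectively missed or falsely reported; closing those gaps needs data-flow analysis or the learned models the review groups under ML-based detection.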

Paper Structure (56 sections, 15 figures, 7 tables)

Figures (15)

  • Figure 1: A misuse of SSL/TLS API leading to the leakage of user personal information
  • Figure 2: Primary studies selection process and their distribution over years and publication venues
  • Figure 3: a) Symmetric Encryption b) Asymmetric Encryption c) Signing and Verification in Digital Signature
  • Figure 4: (a) An overview of a simplified SSL handshake, (b) OAuth authorization code grant flow between user, relying party (RP), and service provider (SP), and (c) attestation process performed using Google SafetyNet Attestation API [S69]
  • Figure 5: Distribution of types of software artifacts analyzed by reviewed studies
  • ...and 10 more figures