DOI: 10.1145/3292006.3300020
research-article

Understanding the Responsiveness of Mobile App Developers to Software Library Updates

Published: 13 March 2019

ABSTRACT

This paper reports a longitudinal measurement study aiming to understand how responsive mobile app developers are to updates of software libraries over time. To quantify their responsiveness to library updates, we collected 21,046 Android apps, which equated to 142,611 unique application package kit (APK) files, each corresponding to a different version of an app. The release dates of these APK files spanned 9 years. The key findings we derived from our analysis are as follows. (1) We observed an undesirable level of responsiveness among app developers: 50% of library update adoptions by app developers were performed more than 3 months after the release date of the library, and 50% of outdated libraries used in apps were retained for over 10 months. (2) Deploying a security fix campaign in the app distribution market effectively reduced the number of apps with unfixed vulnerabilities; however, CVE-numbered vulnerabilities (without a campaign) were prone to remain unfixed. (3) The responsiveness of app developers varied and depended on multiple factors; for example, popular apps with a high number of installations responded better to library updates, and while it took 77 days on average for app developers to adopt version updates of advertising libraries, it took 237 days for updates of utility libraries to be adopted. We discuss practical ways to eliminate libraries with vulnerabilities and to improve the responsiveness of app developers to library updates.
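As an added illustration (not code from the paper), the two responsiveness metrics the abstract reports, adoption delay and retention of outdated library versions, computed in Python over constructed release histories. The library versions, the two app histories and the observation window are hypothetical, and the rule of right-censoring a version the app never moves off is my assumption about how such a measurement would treat the end of the crawl period.

```python
from datetime import date

# Constructed sample data (not from the paper): release dates of successive
# versions of a hypothetical library, keyed by version string.
LIB_RELEASES = {
    "1.0": date(2015, 1, 10),
    "1.1": date(2015, 4, 1),
    "1.2": date(2015, 9, 15),
}

# Constructed APK release histories for two hypothetical apps:
# (APK release date, library version bundled in that APK).
APP_A = [
    (date(2015, 2, 1), "1.0"),
    (date(2015, 6, 1), "1.0"),   # ships 1.0 although 1.1 is already out
    (date(2015, 8, 1), "1.1"),
    (date(2016, 3, 1), "1.1"),   # ships 1.1 although 1.2 is already out
    (date(2016, 5, 1), "1.2"),
]
APP_B = [
    (date(2015, 3, 1), "1.0"),
    (date(2015, 12, 1), "1.0"),  # never moves off 1.0 within the window
]
OBSERVED_UNTIL = date(2016, 6, 30)  # end of the (constructed) crawl period


def adoption_delays(lib_releases, apk_history):
    """Days from each library version's release to the first APK bundling it."""
    first_seen = {}
    for apk_date, ver in sorted(apk_history):
        first_seen.setdefault(ver, apk_date)
    return {v: (d - lib_releases[v]).days for v, d in first_seen.items()}


def outdated_retention(lib_releases, apk_history, observed_until):
    """For each superseded version the app still shipped, days from the date it
    was superseded to the first APK bundling a newer version. A version the app
    never moved off is right-censored at observed_until and flagged True."""
    ordered = sorted(lib_releases, key=lib_releases.get)
    superseded_on = {v: lib_releases[n] for v, n in zip(ordered, ordered[1:])}
    history = sorted(apk_history)
    retained = {}
    for i, (apk_date, ver) in enumerate(history):
        if ver not in superseded_on or ver in retained or superseded_on[ver] > apk_date:
            continue  # latest version, already measured, or still current at ship time
        moved = next((d for d, v in history[i + 1:]
                      if lib_releases[v] > lib_releases[ver]), None)
        end, censored = (moved, False) if moved else (observed_until, True)
        retained[ver] = ((end - superseded_on[ver]).days, censored)
    return retained
```

Taking the median of the pooled adoption delays and retention days across many apps gives the "50% took more than 3 months" and "50% retained over 10 months" style figures the abstract reports.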


Published in: CODASPY '19: Proceedings of the Ninth ACM Conference on Data and Application Security and Privacy, March 2019, 373 pages. ISBN: 9781450360999. DOI: 10.1145/3292006. Copyright © 2019 ACM.


Publisher: Association for Computing Machinery, New York, NY, United States

Overall acceptance rate: 149 of 789 submissions, 19%