DOI: 10.1145/3292006.3300020
Research article

Understanding the Responsiveness of Mobile App Developers to Software Library Updates

Published: 13 March 2019

Abstract

This paper reports a longitudinal measurement study aiming to understand how responsive mobile app developers are to updates of software libraries over time. To quantify their responsiveness to library updates, we collected 21,046 Android apps, amounting to 142,611 unique application package kit (APK) files, each corresponding to a different version of an app. The release dates of these APK files spanned 9 years. The key findings we derived from our analysis are as follows. (1) We observed an undesirable level of responsiveness among app developers: 50% of library update adoptions were performed more than 3 months after the release date of the library, and 50% of outdated libraries used in apps were retained for over 10 months. (2) Deploying a security fix campaign in the app distribution market effectively reduced the number of apps with unfixed vulnerabilities; however, CVE-numbered vulnerabilities (without a campaign) were prone to remain unfixed. (3) The responsiveness of app developers varied and depended on multiple factors; for example, popular apps with a high number of installations responded better to library updates, and while it took 77 days on average for app developers to adopt version updates for advertising libraries, it took 237 days for updates of utility libraries to be adopted. We discuss practical ways to eliminate libraries with vulnerabilities and to improve the responsiveness of app developers to library updates.


Cited By

  • (2024) Does the Vulnerability Threaten Our Projects? Automated Vulnerable API Detection for Third-Party Libraries. IEEE Transactions on Software Engineering 50(11), 2906-2920. DOI: 10.1109/TSE.2024.3454960. Online publication date: Nov-2024
  • (2024) Understanding vulnerabilities in software supply chains. Empirical Software Engineering 30(1). DOI: 10.1007/s10664-024-10581-2. Online publication date: 6-Nov-2024
  • (2024) The PBC model: promoting positive behaviours through change-based interventions. Cognition, Technology & Work 26(4), 673-708. DOI: 10.1007/s10111-024-00776-4. Online publication date: 16-Jul-2024
  • (2022) Research on Third-Party Libraries in Android Apps: A Taxonomy and Systematic Literature Review. IEEE Transactions on Software Engineering 48(10), 4181-4213. DOI: 10.1109/TSE.2021.3114381. Online publication date: 1-Oct-2022
  • (2021) Auto-creation of Robust Android Malware Family Trees. Journal of Information Processing 29, 801-811. DOI: 10.2197/ipsjjip.29.801. Online publication date: 2021
  • (2021) ATVHunter. Proceedings of the 43rd International Conference on Software Engineering, 1695-1707. DOI: 10.1109/ICSE43902.2021.00150. Online publication date: 22-May-2021
  • (2021) Tool Support for Green Android Development. Software Sustainability, 153-182. DOI: 10.1007/978-3-030-69970-3_7. Online publication date: 6-Oct-2021
  • (2020) Study on the Vulnerabilities of Free and Paid Mobile Apps Associated with Software Library. IEICE Transactions on Information and Systems E103.D(2), 276-291. DOI: 10.1587/transinf.2019INP0011. Online publication date: 1-Feb-2020


Published In

CODASPY '19: Proceedings of the Ninth ACM Conference on Data and Application Security and Privacy
March 2019
373 pages
ISBN: 9781450360999
DOI: 10.1145/3292006

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. android security
  2. mobile app developers
  3. mobile apps measurement
  4. software library

Qualifiers

  • Research-article

Funding Sources

  • JSPS Grant-in-Aid for Scientific Research B

Conference

CODASPY '19

Acceptance Rates

Overall Acceptance Rate: 149 of 789 submissions, 19%

Article Metrics

  • Downloads (Last 12 months): 28
  • Downloads (Last 6 weeks): 2

Reflects downloads up to 18 Feb 2025

