DOI: 10.1109/MSR.2017.23

Understanding the origins of mobile app vulnerabilities: a large-scale measurement study of free and paid apps

Published: 20 May 2017 Publication History

Abstract

This paper reports a large-scale study of how vulnerabilities in mobile applications (apps) are associated with software libraries. We analyze both free and paid apps; studying paid apps is valuable because it shows how differences in app development and maintenance affect the vulnerabilities that libraries introduce. We analyzed 30k free and paid apps collected from the official Android marketplace. Our analyses revealed that approximately 70% of the vulnerabilities in free apps and 50% of those in paid apps stem from software libraries, particularly third-party libraries. Somewhat paradoxically, more expensive and more popular paid apps tend to have more vulnerabilities: such apps tend to offer more functionality, i.e., more code and more libraries, which raises the probability of vulnerabilities. Based on our findings, we provide suggestions to stakeholders in mobile app distribution ecosystems.
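The central measurement in the abstract is the share of an app's vulnerabilities that originate in library code rather than in the developer's own code. The following is an added illustration of that attribution step, not the paper's tooling or data. It assumes each finding from a static analyser is reported as (app id, fully qualified class name, check id), that library code is recognised by longest-prefix matching against a list of known library packages (the kind of list LibRadar-style detectors produce), and that packages whose every segment is one or two characters are treated as obfuscated and therefore unattributable rather than silently counted as app code. All package names, check ids and findings below are constructed.

```python
"""Attribute static-analysis findings to app code vs. third-party libraries.

Added example, not the paper's own method or data. Assumed inputs:
  - a map of app id -> declared applicationId (first-party package root)
  - a map of known library package prefix -> library name
  - findings as (app_id, class_name, check) from a static analyser
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed library prefix list (hypothetical, not a real detector output).
LIBRARY_PREFIXES = {
    "com.google.android.gms": "Google Play services",
    "com.facebook": "Facebook SDK",
    "com.unity3d.ads": "Unity Ads",
}

# Constructed app ids and their declared applicationId.
APP_PACKAGES = {
    "free.game": "io.example.freegame",
    "paid.tool": "io.example.paidtool",
}


@dataclass(frozen=True)
class Finding:
    app_id: str
    class_name: str  # fully qualified Java class where the finding sits
    check: str       # analyser check id (constructed names)


# Constructed sample findings: one free app, one paid app.
SAMPLE_FINDINGS = [
    Finding("free.game", "com.facebook.internal.Utility", "SSL_TRUST_ALL"),
    Finding("free.game", "com.google.android.gms.ads.AdLoader", "WEBVIEW_JS_ENABLED"),
    Finding("free.game", "com.unity3d.ads.webview.WebViewApp", "WEBVIEW_JS_ENABLED"),
    Finding("free.game", "io.example.freegame.net.HttpClient", "SSL_HOSTNAME_VERIFIER"),
    Finding("free.game", "a.b.c", "SSL_TRUST_ALL"),  # obfuscated package
    Finding("paid.tool", "com.facebook.internal.Utility", "SSL_TRUST_ALL"),
    Finding("paid.tool", "io.example.paidtool.db.Store", "SQLITE_RAW_QUERY"),
    Finding("paid.tool", "io.example.paidtool.ui.Main", "EXPORTED_ACTIVITY"),
]


def is_obfuscated(class_name):
    """Heuristic: every package segment is <= 2 chars (ProGuard/R8 style).

    A class in the default package (no dot at all) is also treated as
    obfuscated, since real app and library code is almost never there.
    """
    pkg = class_name.rsplit(".", 1)[0] if "." in class_name else ""
    segments = pkg.split(".") if pkg else []
    return all(len(s) <= 2 for s in segments)


def attribute(f, app_packages=APP_PACKAGES, lib_prefixes=LIBRARY_PREFIXES):
    """Return (origin, library_name). origin is one of
    'library', 'app', 'unknown' (obfuscated) or 'unlisted' (third-party
    code not in the prefix list). Longest prefix wins, so a more specific
    entry such as com.google.android.gms beats a shorter com.google one."""
    matches = [p for p in lib_prefixes if f.class_name.startswith(p + ".")]
    if matches:
        return "library", lib_prefixes[max(matches, key=len)]
    app_pkg = app_packages.get(f.app_id)
    if app_pkg and f.class_name.startswith(app_pkg + "."):
        return "app", None
    if is_obfuscated(f.class_name):
        return "unknown", None
    return "unlisted", None


def summarize(findings=SAMPLE_FINDINGS):
    """Overall origin counts/shares and how many apps each library taints.

    The per-library app count is the number to watch: one insecure library
    version shows up as a finding in every app that bundles it."""
    by_origin = Counter()
    apps_per_lib = defaultdict(set)
    for f in findings:
        origin, lib = attribute(f)
        by_origin[origin] += 1
        if lib:
            apps_per_lib[lib].add(f.app_id)
    total = sum(by_origin.values())
    return {
        "counts": dict(by_origin),
        "share": {k: v / total for k, v in by_origin.items()},
        "apps_per_library": {lib: len(apps) for lib, apps in apps_per_lib.items()},
    }


def library_share_per_app(findings=SAMPLE_FINDINGS):
    """Fraction of each app's findings attributed to known libraries."""
    totals, libs = Counter(), Counter()
    for f in findings:
        totals[f.app_id] += 1
        if attribute(f)[0] == "library":
            libs[f.app_id] += 1
    return {app: libs[app] / totals[app] for app in totals}


if __name__ == "__main__":
    print(summarize())
    print(library_share_per_app())
```

On the constructed sample, half of all findings and three of the five free-app findings land in library code, and the same Facebook SDK class is flagged in both apps, which is exactly the replication effect that makes library vulnerabilities dominate app-level counts. Findings in obfuscated packages are reported as "unknown" so that an obfuscated library does not get counted as the developer's own code.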



Published In

MSR '17: Proceedings of the 14th International Conference on Mining Software Repositories, May 2017, 567 pages, ISBN 9781538615447

Publisher

IEEE Press


Author Tags

  1. mobile app
  2. software library
  3. vulnerability

Qualifiers

  • Research-article

Conference

ICSE '17


Cited By

  • Up2Dep: Android Tool Support to Fix Insecure Code Dependencies. Proceedings of the 36th Annual Computer Security Applications Conference, pp. 263-276, 7 Dec 2020. doi:10.1145/3427228.3427658
  • LibID: reliable identification of obfuscated third-party Android libraries. Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 55-65, 10 Jul 2019. doi:10.1145/3293882.3330563
  • Understanding the Responsiveness of Mobile App Developers to Software Library Updates. Proceedings of the Ninth ACM Conference on Data and Application Security and Privacy, pp. 13-24, 13 Mar 2019. doi:10.1145/3292006.3300020
  • Revisiting the mobile software ecosystems literature. Proceedings of the 7th International Workshop on Software Engineering for Systems-of-Systems and 13th Workshop on Distributed Software Development, Software Ecosystems and Systems-of-Systems, pp. 50-57, 28 May 2019. doi:10.1109/SESoS/WDES.2019.00015
  • Towards the definitive evaluation framework for cross-platform app development approaches. Journal of Systems and Software, 153:C, pp. 175-199, 1 Jul 2019. doi:10.1016/j.jss.2019.04.001
  • FraudDroid: automated ad fraud detection for Android apps. Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 257-268, 26 Oct 2018. doi:10.1145/3236024.3236045
  • Understanding the security management of global third-party Android marketplaces. Proceedings of the 2nd ACM SIGSOFT International Workshop on App Market Analytics, pp. 12-18, 5 Sep 2017. doi:10.1145/3121264.3121267
  • LLM App Store Analysis: A Vision and Roadmap. ACM Transactions on Software Engineering and Methodology. doi:10.1145/3708530
