Understanding the origins of mobile app vulnerabilities

A large-scale measurement study of free and paid apps

Takuya Watanabe, Mitsuaki Akiyama, Fumihiro Kanei, Eitaro Shioji, Yuta Takata, Bo Sun, Yuta Ishi, Toshiki Shibahara, Takeshi Yagi, Tatsuya Mori

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    10 Citations (Scopus)

    Abstract

    This paper reports a large-scale study that aims to understand how mobile application (app) vulnerabilities are associated with software libraries. We analyze both free and paid apps. Studying paid apps was quite meaningful because it helped us understand how differences in app development/maintenance affect the vulnerabilities associated with libraries. We analyzed 30k free and paid apps collected from the official Android marketplace. Our extensive analyses revealed that approximately 70%/50% of vulnerabilities of free/paid apps stem from software libraries, particularly from third-party libraries. Somewhat paradoxically, we found that more expensive/popular paid apps tend to have more vulnerabilities. This comes from the fact that more expensive/popular paid apps tend to have more functionality, i.e., more code and libraries, which increases the probability of vulnerabilities. Based on our findings, we provide suggestions to stakeholders of mobile app distribution ecosystems.

    Original language: English
    Title of host publication: Proceedings - 2017 IEEE/ACM 14th International Conference on Mining Software Repositories, MSR 2017
    Publisher: IEEE Computer Society
    Pages: 14-24
    Number of pages: 11
    ISBN (Electronic): 9781538615447
    DOIs: https://doi.org/10.1109/MSR.2017.23
    Publication status: Published - 2017 Jun 29
    Event: 14th IEEE/ACM International Conference on Mining Software Repositories, MSR 2017 - Buenos Aires, Argentina
    Duration: 2017 May 20 → 2017 May 21

    Other

    Other: 14th IEEE/ACM International Conference on Mining Software Repositories, MSR 2017
    Country: Argentina
    City: Buenos Aires
    Period: 17/5/20 → 17/5/21

    Fingerprint

    Application programs
    Ecosystems

    Keywords

    • Mobile App
    • Software Library
    • Vulnerability

    ASJC Scopus subject areas

    • Computer Science Applications
    • Software

    Cite this

    Watanabe, T., Akiyama, M., Kanei, F., Shioji, E., Takata, Y., Sun, B., ... Mori, T. (2017). Understanding the origins of mobile app vulnerabilities: A large-scale measurement study of free and paid apps. In Proceedings - 2017 IEEE/ACM 14th International Conference on Mining Software Repositories, MSR 2017 (pp. 14-24). [7962351] IEEE Computer Society. https://doi.org/10.1109/MSR.2017.23

