Understanding the responsiveness of mobile app developers to software library updates

Tatsuhiko Yasumatsu, Takuya Watanabe, Fumihiro Kanei, Eitaro Shioji, Mitsuaki Akiyama, Tatsuya Mori

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

This paper reports a longitudinal measurement study aiming to understand how responsive mobile app developers are to updates of software libraries over time. To quantify their responsiveness to library updates, we collected 21,046 Android apps, which equated to 142,611 unique application package kit (APK) files, each corresponding to a different version of an app. The release dates of these APK files spanned 9 years. The key findings we derived from our analysis are as follows. (1) We observed an undesirable level of responsiveness of app developers; 50% of library update adoptions by app developers were performed more than 3 months after the release date of the library, and 50% of outdated libraries used in apps were retained for over 10 months. (2) Deploying a security fix campaign in the app distribution market effectively reduced the number of apps with unfixed vulnerabilities; however, CVE-numbered vulnerabilities (without a campaign) were prone to remain unfixed. (3) The responsiveness of app developers varied and depended on multiple factors; for example, popular apps with a high number of installations had a better response to library updates, and while it took 77 days on average for app developers to adopt version updates for advertising libraries, it took 237 days for updates of utility libraries to be adopted. We discuss practical ways to eliminate libraries with vulnerabilities and to improve the responsiveness of app developers to library updates.

Original language: English
Title of host publication: CODASPY 2019 - Proceedings of the 9th ACM Conference on Data and Application Security and Privacy
Publisher: Association for Computing Machinery, Inc
Pages: 13-24
Number of pages: 12
ISBN (Electronic): 9781450360999
DOI: https://doi.org/10.1145/3292006.3300020
Publication status: Published - 2019 Mar 13
Event: 9th ACM Conference on Data and Application Security and Privacy, CODASPY 2019 - Richardson, United States
Duration: 2019 Mar 25 to 2019 Mar 27

Publication series

Name: CODASPY 2019 - Proceedings of the 9th ACM Conference on Data and Application Security and Privacy

Conference

Conference: 9th ACM Conference on Data and Application Security and Privacy, CODASPY 2019
Country: United States
City: Richardson
Period: 19/3/25 to 19/3/27

Fingerprint

Application programs
Marketing

Keywords

  • Android security
  • Mobile app developers
  • Mobile apps measurement
  • Software library

ASJC Scopus subject areas

  • Information Systems
  • Computer Science Applications
  • Software

Cite this

Yasumatsu, T., Watanabe, T., Kanei, F., Shioji, E., Akiyama, M., & Mori, T. (2019). Understanding the responsiveness of mobile app developers to software library updates. In CODASPY 2019 - Proceedings of the 9th ACM Conference on Data and Application Security and Privacy (pp. 13-24). (CODASPY 2019 - Proceedings of the 9th ACM Conference on Data and Application Security and Privacy). Association for Computing Machinery, Inc. https://doi.org/10.1145/3292006.3300020
