DOI: 10.1145/3196398.3196449
research-article

What did really change with the new release of the app?

Published: 28 May 2018

Abstract

The mobile app market is evolving at a very fast pace. In order to stay in the market and fulfill users' growing demands, developers have to continuously update their apps either to fix issues or to add new features. Users and market managers may have a hard time understanding what really changed in a new release, though, and therefore may not be able to make an informed guess as to whether updating the app is advisable, or whether it may pose new security and privacy threats for the user.
We propose a ready-to-use framework to analyze the evolution of Android apps. Our framework extracts and visualizes various kinds of information (such as how an app uses sensitive data, which third-party libraries it relies on, and which URLs it connects to) and combines them to create a comprehensive report on how the app evolved.
In addition, we present the results of an empirical study, carried out with our framework, on 235 applications with at least 50 releases each. Our analysis reveals that Android apps tend to have more leaks of sensitive data over time, and that the majority of API calls related to dangerous permissions are added to the code in releases later than the one where the corresponding permission was requested.
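
The release-over-release comparison behind the last finding, as an added example that is not the paper's framework or its code. The release history is constructed sample data, and `PERMISSION_APIS` is a small hand-picked subset of a permission-to-API map (an assumption); a real analysis needs a complete map and facts extracted from the APKs.

```python
from dataclasses import dataclass, field

LOC = "android.permission.ACCESS_FINE_LOCATION"
CAM = "android.permission.CAMERA"
PHONE = "android.permission.READ_PHONE_STATE"
NET = "android.permission.INTERNET"

# Assumption: tiny illustrative subset of a permission -> guarded-API map.
PERMISSION_APIS = {
    LOC: {"LocationManager.getLastKnownLocation",
          "LocationManager.requestLocationUpdates"},
    CAM: {"Camera.open"},
    PHONE: {"TelephonyManager.getDeviceId"},
}

@dataclass
class Release:
    version: str
    permissions: set
    api_calls: set
    urls: set = field(default_factory=set)

def diff_releases(old, new):
    """Added/removed permissions, API calls and URLs between two releases."""
    out = {}
    for name in ("permissions", "api_calls", "urls"):
        a, b = getattr(old, name), getattr(new, name)
        out[name] = {"added": sorted(b - a), "removed": sorted(a - b)}
    return out

def permission_usage_lag(releases):
    """Index of the release requesting each permission, index of the first
    release calling a guarded API, and the lag between the two."""
    report = {}
    for perm, apis in PERMISSION_APIS.items():
        req = next((i for i, r in enumerate(releases) if perm in r.permissions), None)
        use = next((i for i, r in enumerate(releases) if apis & r.api_calls), None)
        if req is None and use is None:
            continue  # permission never requested, API never called
        lag = use - req if None not in (req, use) else None
        report[perm] = {"requested": req, "first_used": use, "lag": lag}
    return report

# Constructed history of one app (not data from the study).
BASE_API, BASE_URL = {"HttpURLConnection.connect"}, {"https://api.example.com/v1"}
HISTORY = [
    Release("1.0", {NET}, set(BASE_API), set(BASE_URL)),
    Release("1.1", {NET, LOC}, set(BASE_API), set(BASE_URL)),
    Release("1.2", {NET, LOC, CAM}, BASE_API | {"Camera.open"},
            BASE_URL | {"https://ads.example.net/track"}),
    Release("1.3", {NET, LOC, CAM}, BASE_API | {"Camera.open",
            "LocationManager.getLastKnownLocation"},
            BASE_URL | {"https://ads.example.net/track"}),
]
```

A positive lag marks a permission that was granted before any code used it, so the release that later adds the guarded call changes behaviour without any new permission prompt.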


Published In

MSR '18: Proceedings of the 15th International Conference on Mining Software Repositories
May 2018
627 pages
ISBN:9781450357166
DOI:10.1145/3196398

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Android
  2. app evolution
  3. behavior change

Qualifiers

  • Research-article

Conference

ICSE '18