TY - GEN
T1 - Understanding the responsiveness of mobile app developers to software library updates
AU - Yasumatsu, Tatsuhiko
AU - Watanabe, Takuya
AU - Kanei, Fumihiro
AU - Shioji, Eitaro
AU - Akiyama, Mitsuaki
AU - Mori, Tatsuya
N1 - Publisher Copyright:
© 2019 Association for Computing Machinery.
PY - 2019/3/13
Y1 - 2019/3/13
N2 - This paper reports a longitudinal measurement study aiming to understand how responsive mobile app developers are to updates of software libraries over time. To quantify their responsiveness to library updates, we collected 21,046 Android apps, which equated to 142,611 unique application package kit (APK) files, each corresponding to a different version of an app. The release dates of these APK files spanned 9 years. The key findings we derived from our analysis are as follows. (1) We observed an undesirable level of responsiveness of app developers; 50% of library update adoptions by app developers were performed more than 3 months after the release date of the library, and 50% of outdated libraries used in apps were retained for over 10 months. (2) Deploying a security fix campaign in the app distribution market effectively reduced the number of apps with unfixed vulnerabilities; however, CVE-numbered vulnerabilities (without a campaign) were prone to remain unfixed. (3) The responsiveness of app developers varied and depended on multiple factors; for example, popular apps with a high number of installations had a better response to library updates, and while it took 77 days on average for app developers to adopt version updates for advertising libraries, it took 237 days for updates of utility libraries to be adopted. We discuss practical ways to eliminate libraries with vulnerabilities and to improve the responsiveness of app developers to library updates.
AB - This paper reports a longitudinal measurement study aiming to understand how responsive mobile app developers are to updates of software libraries over time. To quantify their responsiveness to library updates, we collected 21,046 Android apps, which equated to 142,611 unique application package kit (APK) files, each corresponding to a different version of an app. The release dates of these APK files spanned 9 years. The key findings we derived from our analysis are as follows. (1) We observed an undesirable level of responsiveness of app developers; 50% of library update adoptions by app developers were performed more than 3 months after the release date of the library, and 50% of outdated libraries used in apps were retained for over 10 months. (2) Deploying a security fix campaign in the app distribution market effectively reduced the number of apps with unfixed vulnerabilities; however, CVE-numbered vulnerabilities (without a campaign) were prone to remain unfixed. (3) The responsiveness of app developers varied and depended on multiple factors; for example, popular apps with a high number of installations had a better response to library updates, and while it took 77 days on average for app developers to adopt version updates for advertising libraries, it took 237 days for updates of utility libraries to be adopted. We discuss practical ways to eliminate libraries with vulnerabilities and to improve the responsiveness of app developers to library updates.
KW - Android security
KW - Mobile app developers
KW - Mobile apps measurement
KW - Software library
UR - http://www.scopus.com/inward/record.url?scp=85063913947&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85063913947&partnerID=8YFLogxK
U2 - 10.1145/3292006.3300020
DO - 10.1145/3292006.3300020
M3 - Conference contribution
AN - SCOPUS:85063913947
T3 - CODASPY 2019 - Proceedings of the 9th ACM Conference on Data and Application Security and Privacy
SP - 13
EP - 24
BT - CODASPY 2019 - Proceedings of the 9th ACM Conference on Data and Application Security and Privacy
PB - Association for Computing Machinery, Inc.
T2 - 9th ACM Conference on Data and Application Security and Privacy, CODASPY 2019
Y2 - 25 March 2019 through 27 March 2019
ER -