On vulnerability evolution in Android apps

2019 IEEE/ACM 16th International Conference on Mining Software Repositories (MSR)

Kong

et al. 2019

Self Cite

Android app developers recurrently use crypto-APIs to provide data security to app users. Unfortunately, misuse of APIs only creates an illusion of security and even exposes apps to systematic attacks. It is thus necessary to provide developers with a statically-enforceable list of specifications of crypto-API usage rules. On the one hand, such rules cannot be manually written as the process does not scale to all available APIs. On the other hand, a classical mining approach based on common usage patterns is not relevant in Android, given that a large share of usages include mistakes. In this work, building on the assumption that "developers update API usage instances to fix misuses", we propose to mine a large dataset of updates within about 40 000 real-world app lineages to infer API usage rules. Eventually, our investigations yield negative results on our assumption that API usage updates tend to correct misuses. Actually, it appears that updates that fix misuses may be unintentional: the same misuses patterns are quickly re-introduced by subsequent updates.

Section: Datasetmentioning

confidence: 99%

“…The lineage reconstruction yielded 43 365 app lineages accounting for 745,101 apks. This lineage dataset is twice as large as the dataset presented by Gao et al in [24] .…”

Section: Datasetmentioning

confidence: 99%

Section: Threats To Validitymentioning

confidence: 99%

See 1 more Smart Citation

Negative Results on Mining Crypto-API Usage Rules in Android Apps

2019 IEEE/ACM 16th International Conference on Mining Software Repositories (MSR)

Kong

et al. 2019

Self Cite

“…As the framework evolves, the provided Software Development Kit (SDK), including the Application Programming Interfaces (APIs), is regularly updated. To better track and reflect those changes, each major release of the Android framework is tagged with multiple names: (1) its version number (e.g., Android 4.4); (2) its API level (e.g., 19); and (3) a name of sweet (e.g., KitKat). Figure 1 presents an example of API levels with respect to their adoption by millions of Android-powered devices using the official Google Play store as of May 2018.…”

Section: A Android Frameworkmentioning

confidence: 99%

“…We re-construct app lineages based on AndroZoo's data heap and according to the procedure proposed by Gao et al [19] as illustrated in Figure 4.…”

Section: Re-construction Of App Lineagesmentioning

confidence: 99%

On the Evolution of Mobile App Complexity

2019 24th International Conference on Engineering of Complex Computer Systems (ICECCS)

Bissyandé

et al. 2019

Self Cite

Android developers are known to frequently update their apps for fixing bugs and addressing vulnerabilities, but more commonly for introducing new features. This process leads a trail in the ecosystem with multiple successive app versions which record historical evolutions of a variety of apps. While the literature includes various works related to such evolutions, little attention has been paid to the research question on how quality evolves, in particular with regards to maintainability and code complexity. In this work, we fill this gap by presenting a largescale empirical study: we leverage the AndroZoo dataset to obtain a significant number of app lineages (i.e., successive releases of the same Android apps), and rely on six well-established, maintainability-related complexity metrics commonly accepted in the literature on app quality, maintainability etc. Our empirical investigation eventually reveals that, overall, while Android apps become bigger in terms of code size as time goes by, the apps themselves appear to be increasingly maintainable and thus decreasingly complex.

CDA: Characterising Deprecated Android APIs

Bissyandé

et al. 2020

Empir Software Eng

Self Cite

Because of functionality evolution, or security and performance-related changes, some APIs eventually become unnecessary in a software system and thus need to be cleaned to ensure proper maintainability. Those APIs are typically marked first as deprecated APIs and, as recommended, follow through a deprecated-replace-remove cycle, giving an opportunity to client application developers to smoothly adapt their code in next updates. Such a mechanism is adopted in the Android framework development where thousands of reusable APIs are made available to Android app developers. In this work, we present a research-based prototype tool called CDA and apply it to different revisions (i.e., releases or tags) of the Android framework code for characterising deprecated APIs. Based on the data mined by CDA, we then perform an empirical study on API deprecation in the Android ecosystem and the associated challenges for maintaining quality apps. In particular, we investigate the prevalence of deprecated APIs, their annotations and documentation, their removal and