[Figure: framework overview. Pipeline stages: Downloading, Filtering. Input: App Market or Database. Extracted artifacts: Metadata, Libraries, APK Content, Data Flows, APIs.]

The mobile app market is evolving at a very fast pace. To stay in the market and fulfill users' growing demands, developers have to update their apps continuously, either to fix issues or to add new features. Users and market managers may have a hard time understanding what really changed in a new release, and therefore may not be able to make an informed judgment of whether updating the app is advisable, or whether it may pose new security and privacy threats to the user. We propose a ready-to-use framework to analyze the evolution of Android apps. Our framework extracts and visualizes various kinds of information (such as how an app uses sensitive data, which third-party libraries it relies on, and which URLs it connects to) and combines them into a comprehensive report on how the app evolved. We also present the results of an empirical study, conducted with our framework, on 235 applications with at least 50 releases each. Our analysis reveals that Android apps tend to have more leaks of sensitive data over time, and that the majority of API calls associated with dangerous permissions are added to the code in releases later than the one in which the corresponding permission was first requested.
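The kind of cross-release comparison the abstract describes can be illustrated with a small script. The following is an added example, not the paper's framework or tooling: it assumes that per-release facts (requested permissions, API calls, third-party libraries, contacted URLs, and the number of sensitive data flows) have already been extracted from each APK by some static-analysis step, and it feeds them in as a constructed release history. The API-to-permission mapping, the package names and the URLs are all hypothetical sample values. It then reports what changed between consecutive releases and, for each permission-protected API call, in which release the call first appears relative to the release in which its permission was first requested.

```python
"""Release-evolution check for Android permission/API usage.

Added example (not the paper's framework). Assumes per-release facts have
already been extracted from each APK; here they are constructed inline.
"""
from dataclasses import dataclass

# Hypothetical mapping from an API call to the dangerous permission it needs.
# A real mapping would come from a permission specification, not from here.
API_TO_PERMISSION = {
    "android.location.LocationManager.getLastKnownLocation": "ACCESS_FINE_LOCATION",
    "android.telephony.TelephonyManager.getDeviceId": "READ_PHONE_STATE",
    "android.hardware.Camera.open": "CAMERA",
}


@dataclass
class Release:
    version_code: int
    permissions: set        # permissions declared in the manifest
    api_calls: set          # permission-protected API calls found in the code
    libraries: set          # third-party library packages detected
    urls: set               # URLs found as string constants
    leaks: int              # sensitive source-to-sink flows reported by taint analysis


def first_seen(releases, key):
    """Map each item yielded by key(release) to the version_code where it first appears."""
    seen = {}
    for r in sorted(releases, key=lambda r: r.version_code):
        for item in key(r):
            seen.setdefault(item, r.version_code)
    return seen


def permission_api_lag(releases):
    """For every permission-protected API call present in any release, return
    {api: (release where its permission was first requested, release where the
    call first appears)}. The first element is None if the permission was never
    requested, which is itself worth flagging."""
    perm_first = first_seen(releases, lambda r: r.permissions)
    api_first = first_seen(releases, lambda r: r.api_calls)
    result = {}
    for api, perm in API_TO_PERMISSION.items():
        if api in api_first:
            result[api] = (perm_first.get(perm), api_first[api])
    return result


def diff_releases(old, new):
    """Summarize what changed between two consecutive releases."""
    return {
        "added_permissions": sorted(new.permissions - old.permissions),
        "removed_permissions": sorted(old.permissions - new.permissions),
        "added_libraries": sorted(new.libraries - old.libraries),
        "added_urls": sorted(new.urls - old.urls),
        "leak_delta": new.leaks - old.leaks,
    }


def evolution_report(releases):
    """List of (old_version, new_version, diff) for each consecutive pair."""
    rs = sorted(releases, key=lambda r: r.version_code)
    return [(a.version_code, b.version_code, diff_releases(a, b)) for a, b in zip(rs, rs[1:])]


# Constructed sample history: the location permission is requested in release 2,
# but the API call that needs it only shows up in release 3, together with an
# ad library, a new URL and two new sensitive flows.
SAMPLE = [
    Release(1, {"INTERNET"}, set(), {"com.example.analytics"},
            {"https://api.example.com"}, 0),
    Release(2, {"INTERNET", "ACCESS_FINE_LOCATION"}, set(), {"com.example.analytics"},
            {"https://api.example.com"}, 0),
    Release(3, {"INTERNET", "ACCESS_FINE_LOCATION"},
            {"android.location.LocationManager.getLastKnownLocation"},
            {"com.example.analytics", "com.example.ads"},
            {"https://api.example.com", "https://ads.example.net"}, 2),
]

if __name__ == "__main__":
    for old, new, d in evolution_report(SAMPLE):
        print(f"{old} -> {new}: {d}")
    for api, (perm_rel, api_rel) in permission_api_lag(SAMPLE).items():
        print(f"{api}: permission first requested in {perm_rel}, call first seen in {api_rel}")
```

Run on the constructed history, the report shows the permission arriving in release 2 with no code using it, and the corresponding API call, a new library, a new URL and a jump in leak count all arriving in release 3, which is the pattern the abstract reports as common.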
