Update Behavior in App Markets and Security Implications: A Case Study in Google Play

Digital market places (e.g. Apple App Store, Google Play) have become the dominant platforms for distributing software for mobile phones, allowing developers to reach millions of users. However, neither of these market places today has mechanisms in place to enforce security-critical updates of distributed apps. This paper investigates this problem by gaining insights into the correlation between published updates and actual installations of them. Our findings show that almost half of all users would still use a vulnerable app version even 7 days after the fix has been published. We discuss our results and give initial recommendations to app developers.


Slide 1. Distributed Multimodal Information Processing Group, Prof. Dr. Matthias Kranz, Technische Universität München
Update Behavior in App Markets and Security Implications: A Case Study in Google Play
Andreas Möller (1), Florian Michahelles (2), Stefan Diewald (1), Luis Roalter (1), Matthias Kranz (3)
(1) Technische Universität München, Germany
(2) Swiss Federal Institute of Technology, Zurich, Switzerland
(3) Luleå University of Technology, Department of Computer Science, Electrical and Space Engineering, Luleå, Sweden
Research in the Large Workshop, MobileHCI 2012, San Francisco

Slide 2. Outline
21.09.2012, Prof. Dr. Matthias Kranz

Slide 3. Digital Market Places
• Important source for mobile app distribution
• Apple App Store: 25 billion iOS app downloads
• Google Play: 10 billion Android app downloads
• Main argument "pro" market place: SECURITY!
Sources: apple.com, play.google.com

Slide 4. Are Digital Marketplace Apps Secure?
• Review process at Apple
• Automatic malware and virus scanning at Google
• These check only for inappropriate content and intentionally evil software
• But: bugs?
  – Android permission model is very coarse
  – iOS apps do not ask for permission at all
  – Apps can potentially harm the system or do unwanted things (steal data...)
• Over 20,000 new apps per month in Google Play
  – In particular, new apps are potentially buggy and need frequent updates and fixes

Slide 5. Automatic Updates – Really?
• Market places provide updates all in one place
• BUT: only notification, no automatic installation!
  – iOS: badge icon
  – Android: notification; recently also automatic, but only if activated!
  – In most cases, user interaction is required.
Source: parallels.com

Slide 6. Our Work – Update Installation Analysis
• How quickly do users actually install updates?
• Case study: VMI Mensa (canteen application)
  – Finds nearby canteens and cafeterias
  – Shows menus, prices, ingredients
• Developed by our research group
• Very popular with students at TUM (more than 2,400 downloads)

Slide 7. Update Installation
• Looking at 5 subsequent updates between Dec 22, 2011 and April 28, 2012
• Download peaks on publishing day and day 1
• Rapid decrease afterwards
[Chart: number of update downloads per day after publication]

Slide 8. Cumulative Installs
• Only half of all users have installed an update after one week!

  Day after update    Update installed    Standard deviation
  Publishing day      17.0%               2.7%
  Day 1               14.6%               2.0%
  Day 2                7.8%               1.3%
  Day 3                5.1%               0.9%
  Day 4                3.5%               0.7%
  Day 5                2.8%               0.5%
  Day 6                2.3%               0.4%
  Total in 7 days     53.2%               2.7%

Slide 9. Version History
• Old versions still active for a long time
• Installation base on April 28, 2012:
  – older: 21.5%
  – v0.23: 2.1%
  – v0.24: 5.5%
  – v0.25: 6.0%
  – v0.26: 8.5%
  – v0.27 (newest): 56.4%
[Chart: number of update downloads]

Slide 10. Summary
• One in two users has not installed the latest version after 1 week
• One in five users has not installed the last 5 updates

Slide 11. Discussion
• Probability that users run a potentially security-critical app is high
• Time until developers fix a security hole after it is detected is not included!
• If users don't install updates in the first days, they are unlikely to do so later
  – Problem for infrequently used apps
  – Probably not willing to wait for updates once they need the app
• In-depth usage monitoring needed
Recommendations for Developers
• Built-in auto-update if the app is security-critical
• Look at bug reports and market place ratings (can be informative regarding potential problems)

Slide 12. Thank you for your attention! Questions?
matthias.kranz@tum.de
www.vmi.ei.tum.de/team/matthias-kranz.html

Slide 13. Paper Reference
• Please find the associated paper at: https://vmi.lmt.ei.tum.de/publications/2012/large2012_preprint.pdf
• Please cite this work as follows:
  Andreas Möller, Florian Michahelles, Stefan Diewald, Luis Roalter, Matthias Kranz. 2012. Update Behavior in App Markets and Security Implications: A Case Study in Google Play. In: 3rd Workshop on Research in the Large at MobileHCI 2012, San Francisco, USA, September 2012.

Slide 14. BibTeX
If you use BibTeX, please use the following entry to cite this work:

  @INPROCEEDINGS{Large12moeller,
    author={Andreas M\"{o}ller and Florian Michahelles and Stefan Diewald and Luis Roalter and Matthias Kranz},
    title={{Update Behavior in App Markets and Security Implications: A Case Study in Google Play}},
    booktitle={{Proceedings of the 3rd International Workshop on Research in the Large. Held in Conjunction with Mobile HCI}},
    year={2012},
    month={Sep},
    pages={3--6},
    location={San Francisco, USA},
    editor={Benjamin Poppinga},
  }
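The numbers on slides 8 and 9 can be turned into a small patch-exposure calculation: how many users are still on the pre-fix build on each day after an update ships, and how many installs a fix would leave exposed depending on the version it first appears in. The following is an added example, not the authors' analysis code; the daily install shares and the per-version installation base are copied from the slides, while the helper names and the "fix first ships in version X" scenarios are assumptions made here.

```python
"""Patch-exposure arithmetic over the VMI Mensa update figures from slides 8 and 9.

Constructed example, not the authors' analysis code. The daily install
percentages and the per-version installation base are copied from the slides;
the helper names and the "fixed in version X" scenarios are assumptions.
"""

# Slide 8: share of all users installing an update on each day after it is
# published (mean over 5 updates); index 0 = publishing day ... index 6 = day 6.
DAILY_INSTALL_PCT = [17.0, 14.6, 7.8, 5.1, 3.5, 2.8, 2.3]

# Slide 9: installation base by app version on April 28, 2012, oldest first.
VERSION_ORDER = ["older", "0.23", "0.24", "0.25", "0.26", "0.27"]
INSTALL_BASE_PCT = {
    "older": 21.5,
    "0.23": 2.1,
    "0.24": 5.5,
    "0.25": 6.0,
    "0.26": 8.5,
    "0.27": 56.4,  # newest at the time of the snapshot
}


def cumulative_installs(daily_pct):
    """Running total of the daily shares: fraction of users patched by the end of each day."""
    out, running = [], 0.0
    for pct in daily_pct:
        running += pct
        out.append(round(running, 1))
    return out


def exposed_after_days(daily_pct, days):
    """Share of users still running the pre-fix version at the end of day `days`.

    Beyond the measured window the curve is held flat, i.e. no further installs
    are assumed; that is a conservative assumption, not a measured value.
    """
    if days < 0:
        raise ValueError("days must be >= 0")
    cum = cumulative_installs(daily_pct)
    idx = min(days, len(cum) - 1)
    return round(100.0 - cum[idx], 1)


def days_until_exposure_below(daily_pct, threshold_pct):
    """First day on which the exposed share drops below the threshold, or None
    if it never does within the measured window."""
    for day in range(len(daily_pct)):
        if exposed_after_days(daily_pct, day) < threshold_pct:
            return day
    return None


def exposed_share_if_fixed_in(install_base_pct, version_order, fixed_version):
    """Hypothetical scenario: a security fix first ships in `fixed_version`;
    every install on an older version is still exposed."""
    if fixed_version not in version_order:
        raise ValueError(f"unknown version {fixed_version!r}")
    cutoff = version_order.index(fixed_version)
    return round(sum(install_base_pct[v] for v in version_order[:cutoff]), 1)


if __name__ == "__main__":
    print("cumulative installs by day:", cumulative_installs(DAILY_INSTALL_PCT))
    print("still exposed after one week: %.1f%%" % exposed_after_days(DAILY_INSTALL_PCT, 6))
    print("first day with under 50% exposed:", days_until_exposure_below(DAILY_INSTALL_PCT, 50.0))
    for v in VERSION_ORDER[1:]:
        share = exposed_share_if_fixed_in(INSTALL_BASE_PCT, VERSION_ORDER, v)
        print(f"fix first shipped in {v}: {share}% of the install base still exposed")
```

Because the per-day shares on slide 8 are already rounded, their sum comes out at 53.1% rather than the 53.2% the slide reports for the whole week; the exposed share after seven days is therefore 46.9%, the "one in two" of slide 10. The "older" bucket of slide 9 (21.5%) is slide 10's "one in five users has not installed the last 5 updates": a fix that shipped in v0.23 would still leave that fifth of the base exposed, and a fix that only appears in v0.27 leaves 43.6% exposed at the snapshot date.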
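Slide 11 recommends a built-in auto-update for security-critical apps but does not say how to enforce it. One common way to close the week-long window measured on slide 8 is a minimum-version gate: the developer publishes, next to the app, the newest version and the oldest version that still contains every security fix, and the client refuses to run below that floor. The following is an added example written for this page, not the authors' code and not part of the VMI Mensa app; the key=value manifest format, the field names `latest` and `min_secure`, the hypothetical endpoint in the comment, and the three-way block/nudge/OK policy are all assumptions made here.

```python
"""Minimum-version gate for a security-critical app.

Constructed example illustrating the "built-in auto-update" recommendation on
slide 11. Not the authors' code and not part of the VMI Mensa app: the
manifest format (key=value lines), the field names `latest` and `min_secure`,
and the three-way policy are assumptions. The manifest must reach the client
over an authenticated channel (e.g. TLS to a developer-controlled host);
transport is out of scope here.
"""
from dataclasses import dataclass
from enum import Enum


class UpdateAction(Enum):
    OK = "ok"        # current enough: run normally
    NUDGE = "nudge"  # newer version exists, no known security impact: remind the user
    BLOCK = "block"  # below the oldest version with all security fixes: refuse to run until updated


def parse_version(text):
    """'0.27' -> (0, 27); '0.27.1' -> (0, 27, 1). Rejects anything but dotted integers."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a, b):
    """Numeric, component-wise comparison returning -1, 0 or 1.

    Missing components count as 0, so '0.27' == '0.27.0', and '0.9' < '0.27'
    (a plain string comparison would get the latter wrong).
    """
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


@dataclass(frozen=True)
class UpdateManifest:
    latest: str      # newest published version
    min_secure: str  # oldest version that contains every published security fix


def parse_manifest(text):
    """Parse the constructed key=value manifest; blank lines and '#' comments are ignored."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"bad manifest line: {raw!r}")
        fields[key.strip()] = value.strip()
    missing = [k for k in ("latest", "min_secure") if k not in fields]
    if missing:
        raise ValueError(f"manifest missing {missing}")
    manifest = UpdateManifest(latest=fields["latest"], min_secure=fields["min_secure"])
    # A floor above the newest version would lock out every user, including
    # those on the latest build; treat that as a publishing error.
    if compare_versions(manifest.min_secure, manifest.latest) > 0:
        raise ValueError("min_secure is newer than latest")
    return manifest


def decide(installed, manifest):
    """Policy: block below min_secure, nudge below latest, otherwise OK."""
    if compare_versions(installed, manifest.min_secure) < 0:
        return UpdateAction.BLOCK
    if compare_versions(installed, manifest.latest) < 0:
        return UpdateAction.NUDGE
    return UpdateAction.OK


# Constructed sample manifest (hypothetical); versions chosen to match the
# version list on slide 9.
SAMPLE_MANIFEST = """\
# served alongside the app, e.g. from a developer-controlled HTTPS endpoint
latest=0.27
min_secure=0.25
"""

if __name__ == "__main__":
    m = parse_manifest(SAMPLE_MANIFEST)
    for v in ("0.23", "0.25", "0.26", "0.27", "0.27.1"):
        print(v, "->", decide(v, m).value)
```

With the sample manifest, every install in the "older", v0.23 and v0.24 buckets of slide 9 is blocked until updated, v0.25 and v0.26 are nudged, and v0.27 runs normally. Two details matter in practice: the gate only helps if the manifest itself cannot be tampered with in transit, and the `min_secure` floor should be raised only when a release really carries a security fix, since every raise takes the affected users offline until they update.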
