update behavior in app markets and security implications: a case study in google play

Technische Universität München Distributed Multimodal Information Processing Group Prof. Dr. Matthias Kranz

Update Behavior in App Markets and Security Implications:

A Case Study in Google Play Andreas Möller1, Florian Michahelles2, Stefan Diewald1,

Luis Roalter1, Matthias Kranz3

1Technische Universität München, Germany

2Swiss Federal Institute of Technology, Zurich, Switzerland 3Luleå University of Technology, Department of Computer Science,

Electrical and Space Engineering, Luleå, Sweden

Research in the Large Workshop, MobileHCI 2012, San Francisco


Outline

21.09.2012 Prof. Dr. Matthias Kranz 2


Digital Market Places

•  Important Source for mobile app distribution •  Apple App Store: 25 billion iOS app downloads •  Google Play: 10 billion Android app downloads

•  Main argument „pro“ market place:


SECURITY!

Sources: apple.com, play.google.com


Are Digital Marketplace Apps Secure?

•  Review Process at Apple •  Automatic Malware and Virus Scanning at Google

•  Check only inappropriate content and intentionally evil software

•  But: Bugs? –  Android permission model is very coarse –  iOS apps do not ask for permission at all –  Apps can potentionally harm the system or do unwanted things (steal

data...) •  Over 20,000 new apps per month in Google Play

–  In particular new apps are potentially buggy and need frequent updates and fixed



Automatic Updates – Really?

•  Market places provide updates all in one place •  BUT: only notification, no automatic installation!

–  iOS: Badge icon –  Android: Notification,

recently also automatically - if activated! –  In most cases, user interaction

is required.


Source: parallels.com


Our work – Update Installation Analysis

•  How quickly do users actually install updates?

•  Case Study: VMI Mensa (canteen application) –  Finds nearby canteens and cafeterias –  Shows menus, prices, ingredients

•  Developed by our research group •  Very popular with students at TUM

(more than 2,400 downloads)



Update Installation


•  Looking at 5 subsequent updates between Dec 22, 2011 and April 28, 2012 •  Download peaks on publishing day and day 1 •  Rapid decrease afterwards

Number of update downloads


Cumulative Installs

Day after Update Update Installed Standard Deviation Publishing Day 17.0% 2.7% Day 1 14.6% 2.0% Day 2 7.8% 1.3% Day 3 5.1% 0.9% Day 4 3.5% 0.7% Day 5 2.8% 0.5% Day 6 2.3% 0.4% Total in 7 days 53.2% 2.7%


•  Only half of all users have installed an update after one week!


Version History


•  Old versions still active for a long time •  Installation base on April 28, 2012

older: 21.5% v.0.23: 2.1% v.0.24: 5.5% v.0.25: 6.0% v.0.26: 8.5% v.0.27: 56.4% (newest)

Number of update downloads


Summary


1 One in users has not installed the last updates

One in users has not installed the latest version after week two

five 5


Discussion

•  Probability that users run a potentially security-critical app is high •  Time until developers fix a security hole after it is detected not included!

•  If users don‘t install updates in the first days, they are unlikely to do so later –  Problem for infreqently used apps –  Probably not willing to wait for updates once they need it

•  In-depth usage monitoring needed Recommendations for Developers •  Built-in auto-update if app is security-critical •  Look at bug reports and market place ratings (can be informative regarding

potential problems)



Thank you for your attention! Questions?

? ? 21.09.2012 Prof. Dr. Matthias Kranz 12

[email protected] www.vmi.ei.tum.de/team/matthias-kranz.html


Paper Reference

•  Please find the associated paper at: https://vmi.lmt.ei.tum.de/publications/2012/large2012_preprint.pdf

•  Please cite this work as follows: •  Andreas Möller, Florian Michahelles, Stefan Diewald, Luis Roalter, Matthias

Kranz. 2012. Update Behavior in App Markets and Security Implications: A Case Study in Google Play In: 3rd workshop on Research in the large at MobileHCI 2012, San Francisco, USA, September 2012



If you use BibTex, please use the following entry to cite this work:


@INPROCEEDINGS{Large12moeller, author={Andreas M\"{o}ller and Florian Michahelles and Stefan Diewald and Luis Roalter and Matthias Kranz}, title={{Update Behavior in App Markets and Security Implications: A Case Study in Google Play}}, booktitle={{Proceedings of the 3rd International Workshop on Research in the Large. Held in Conjunction with Mobile HCI}}, year={2012}, month={Sep}, pages={3--6}, location={San Francisco, USA}, editor={Benjamin Poppinga}, }

update behavior in app markets and security implications: a case study in google play

Technology

matthias kranz2

matthias kranz7

matthias kranz9

matthias kranz8

matthias kranz12

securitycritical app

ios app downloadsgoogle

users dont