DOI: 10.1145/3695750.3695824
Research article, Open access

Taxonomy of Security-related Issues in Android Apps: An Empirical Study

Published: 27 October 2024

Abstract

Smart applications (apps) have become the primary means of obtaining digital services in many aspects of our daily lives, such as health care, e-banking, and online shopping. With the growing number of smart apps being created, the likelihood of security vulnerabilities has increased significantly. Smartphone developers remain vigilant about security concerns during mobile app development, installation, and maintenance. This paper presents a large-scale empirical study examining critical security issues in open-source Android apps obtained from GitHub. We analyzed 111,224 commits across 2,187 apps and identified 689 commits explicitly related to security issues. Additionally, we used the card-sorting approach to construct a taxonomy/catalog of ten distinct categories of security-related issues. According to our findings, the most frequent security-related problem in our dataset was related to permission issues, accounting for 370 instances (53.7%), followed by Login, with 160 instances (23.22%). On the other hand, Privacy and Framework issues were less frequent, with only 5 (0.72%) and 3 (0.43%) instances, respectively, in our dataset. Moreover, our taxonomy also included 71 sub-categories/sub-themes, with permission issues having the highest number of sub-categories (23) and Framework issues the fewest (2). In their code commits, developers discussed permission sub-categories such as camera permission, WiFi permission, storage permission, WRITE/READ_PHONE_STATE permission, and location permission, among others. The insights gained from our study provide a foundation for understanding the primary security concerns from the viewpoints of both researchers and software practitioners.


Published In

RENE '24: Proceedings of the 2024 Workshop on Replications and Negative Results
October 2024
25 pages
ISBN: 9798400712708
DOI: 10.1145/3695750
This work is licensed under a Creative Commons Attribution International 4.0 License.

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. Android Apps
      2. Card sorting
      3. Security Issues
      4. Taxonomy

      Qualifiers

      • Research-article
      • Research
      • Refereed limited

Conference

ASE '24

      Acceptance Rates

      RENE '24 Paper Acceptance Rate 3 of 3 submissions, 100%;
      Overall Acceptance Rate 3 of 3 submissions, 100%
