DOI: 10.1145/3419394.3423656
research-article

Who's left behind?: Measuring Adoption of Application Updates at Scale

Published: 27 October 2020

Abstract

This work presents a large-scale, longitudinal measurement study on the adoption of application updates, enabling continuous reporting of potentially vulnerable software populations worldwide. Studying the factors impacting software currentness, we investigate and discuss the impact of the platform and its updating strategies on software currentness, device lock-in effects, as well as user behavior. Utilizing HTTP User-Agent strings from end-hosts, we introduce techniques to extract application and operating system information from myriad structures, infer version release dates of applications, and measure population adoption, at a global scale. To deal with loosely structured User-Agent data, we develop a semi-supervised method that can reliably extract application and version information for some 87% of requests served by a major CDN every day. Using this methodology, we track release and adoption dynamics of some 35,000 applications. Analyzing over three years of CDN logs, we show that vendors' update strategies and platforms have a significant effect on the adoption of application updates. Our results show that, on some platforms, up to 25% of requests originate from hosts running application versions that are out-of-date by more than 100 days, and 16% more than 300 days. We find pronounced differences across geographical regions, and overall, less developed regions are more likely to have out-of-date software versions. Though, for every country, we find that at least 10% of requests reaching the CDN run software that is out-of-date by more than three months.

Supplementary Material

MP4 File (whos_left_behind_imc_2020.mp4)
IMC 2020 Presentation for "Who's Left Behind"
MP4 File (whos_left_behind_teaser.mp4)
IMC 2020 Who's Left Behind 5 min teaser

    Published In

    IMC '20: Proceedings of the ACM Internet Measurement Conference
    October 2020
    751 pages
    ISBN:9781450381383
    DOI:10.1145/3419394
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    IMC '20
    IMC '20: ACM Internet Measurement Conference
    October 27 - 29, 2020
    Virtual Event, USA

    Acceptance Rates

    IMC '20 Paper Acceptance Rate 53 of 216 submissions, 25%;
    Overall Acceptance Rate 277 of 1,083 submissions, 26%

    Article Metrics

    • Total Citations: 0
    • Total Downloads: 237
    • Downloads (Last 12 months): 31
    • Downloads (Last 6 weeks): 5
    Reflects downloads up to 28 Dec 2024
