Update Behavior in App Markets and Security Implications: A Case Study in Google Play

Andreas Möller, Stefan Diewald, Luis Roalter
Technische Universität München
Munich, Germany
andreas.moeller@tum.de, stefan.diewald@tum.de, roalter@tum.de

Florian Michahelles
ETH Zurich, Auto-ID Labs
Zurich, Switzerland
fmichahelles@ehtz.ch

Matthias Kranz
Luleå University of Technology
Department of Computer Science, Electrical and Space Engineering
Luleå, Sweden
matthias.kranz@ltu.se

ABSTRACT
Digital market places (e.g. Apple App Store, Google Play) have become the dominant platforms for the distribution of software for mobile phones. Thereby, developers can reach millions of users. However, neither of these market places today has mechanisms in place to enforce security critical updates of distributed apps. This paper investigates this problem by gaining insights on the correlation between published updates and actual installations of those. Our findings show that almost half of all users would use a vulnerable app version even 7 days after the fix has been published. We discuss our results and give initial recommendations to app developers.
Author Keywords
Mobile applications; digital market places; update behavior;
security
ACM Classification Keywords
D.4.6. Operating Systems: Security and Protection
INTRODUCTION AND MOTIVATION
Platform-specific marketplaces, such as the Apple App Store or Google Play (formerly Android Market), are nowadays an important source for mobile app distribution [13]. In March 2012, Apple reached a total of 25 billion iOS app downloads¹. Until 2011, 10 billion Android apps had been downloaded in total over Google Play². Smartphone users find their applications bundled in one place and are informed about available updates (via a badge symbol on the App Store icon on iOS, or a message in the notification bar on Android). However, on neither iOS nor Android are application updates installed automatically. Android has a setting for installing updates without confirmation, but it is disabled by default.
¹ http://www.apple.com/pr/library/2012/03/05Apples-App-Store-Downloads-Top-25-Billion.html
² http://www.wired.com/gadgetlab/2011/12/10-billion-apps-detailed/
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
MobileHCI’12, September 21–24, 2012, San Francisco, CA, USA.
ACM 978-1-4503-1443-5/12/09.
This update mechanism implementation can be seen as a potential risk for security. Unfixed security holes increase the vulnerability of a device. As users need to take charge of keeping their system up to date themselves, important updates might not be installed in a timely manner or at all. Especially for research apps (e.g. [11, 10]) or at the beginning of an app’s market lifetime, regular installation of updates is important. Being in a state of development, such apps often are less stable and require more frequent fixes. Until the end of 2011, more than 20,000 new apps per month were published in Google Play³, so that potentially a large number of apps is affected by this phenomenon. Security flaws become even more severe for the novel and upcoming category of apps that integrate with the home or automobile (so-called in-car apps, see e.g. [5]), since in that case not only the app itself, but also the connected property becomes insecure.
In a case study, we observed users’ update behavior of an Android app we have placed in Google Play. We gained insights on the correlation between published updates and their actual installation and discuss the consequences and recommended actions on the part of the developers.
RELATED WORK
While inclusion in the Apple App Store requires a review process [1], Google Play is free of constraints for uploading apps. However, apps are scanned for viruses and malware [8] and deleted in case of malicious content. This is, however, just a method to uncover software that obviously tries to do ‘evil’ things, but not to detect programming bugs or security holes. Automatic analysis of security problems during the submission process to digital market places has been proposed using several approaches [6, 14]. Di Cerbo et al. [4] present a methodology for mobile forensics analysis to detect ‘malicious’ (or ‘malware’) applications. The methodology relies on the comparison of the Android security permission of each application with a set of reference models, for applications that manage sensitive data. Thus, this research is focusing more on protecting the user from malicious apps whereas our paper focuses on capturing the (non-)compliances of users to install fixes of a trusted developer.
³ http://www.androlib.com/appstats.aspx
It has also been found that Android apps often require permissions that are actually unneeded. Extensions to Android’s permission model have consequently been proposed which focus particularly on improving the (initially quite coarse) granularity of permissions [12, 15] or remove them in hindsight by inline reference monitoring⁴. Fewer rights inherently also decrease the probability for security-relevant bugs.
Miluzzo et al. [9] looked at implications and challenges of large-scale distribution of research apps through the Apple App Store. They pointed out that insufficient software robustness and poor usability may lead to a loss of confidence on the part of the users, but did not quantitatively examine this phenomenon (such as the number of uninstalls due to dissatisfaction). AppTicker [7] is a project that allows monitoring mobile app usage, (un)installation and more to gain information about usage patterns on smartphones. To our knowledge, the particular phenomenon of update behavior in app stores has not been examined yet. Despite the security approaches and measures we presented in this section, keeping the software up to date remains the central requirement for a stable and secure system.
CASE STUDY
For our case study, we are looking at VMI Mensa⁵, an Android application developed by the research group of the authors of this paper. VMI Mensa shows meals and prices of cafeterias and canteens of university campuses in our city. The application, targeted at students and university employees, has been available in Google Play since July 21, 2011 and has meanwhile (as of July 2012) reached 2,294 downloads. It has received 123 ratings (rated 4.8 out of 5 stars on average) and 40 user comments. Since its launch, the app has continuously been extended in its functionality, e.g. by a location-aware canteen finder, details on ingredients, accessibility information (e.g. on elevators), and much more.
Update Installation Analysis
Since VMI Mensa was first available in Google Play, we have shipped 21 updates. For our analysis, we used the built-in statistics tools of the Android Developer Console in Google Play. They allow keeping track of the number of installations over time, monitoring installed app versions and a lot more. All data is anonymous and cannot be related to individual users. As stated before, updates may be installed automatically or manually by user confirmation. We cannot track whether automatic update installation was enabled on users’ devices.
For our analysis, we looked at the latest five updates, published on December 22, 2011, January 17, January 26, February 24 and April 02 (all 2012). The average time between updates was 26 days, which we do not consider an unreasonable effort for users to regularly install them. All updates added new functionality to the app and/or fixed small problems, but none were critical for security. For each update, we observed how many users downloaded the update on the initial day of publishing and in the 6 consecutive days. We calculated the update installation ratio by relating the download count to the total count of active device installations on the respective days.
⁴ AppGuard. http://www.backes-srt.de/produkte/srt-appguard
⁵ https://play.google.com/store/apps/details?id=de.tum.ei.lmt.vmi.mensa
User Communication Analysis
In addition to the anonymous update installation statistics, we considered available user communication in the form of feedback emails, comments and ratings in Google Play for our analysis. We will bring in these findings in the discussion section.
Results
In the following, we describe and visualize the quantitative results of our case study.
Update Behavior
Table 1 shows the installation percentages on the update publishing day (day 0) and the six consecutive days (day 1 to day 6), averaged over all five updates that were considered in this study. The exact ratios are very similar for all updates, which is implied by the low standard deviations (see last column of the table). On average, 17.0% installed the update on day 0. On the following days, the numbers continuously and exponentially decrease: 14.6% installed the update on day 1, only 7.8% on day 2, and 5.1% on day 3. On day 6, only another 2.3% downloaded the update.
Day after Update     Update Installed     Standard Deviation
Publishing Day       17.0%                2.7%
Day 1                14.6%                2.0%
Day 2                 7.8%                1.3%
Day 3                 5.1%                0.9%
Day 4                 3.5%                0.7%
Day 5                 2.8%                0.5%
Day 6                 2.3%                0.4%
Total in 7 days      53.2%                2.7%
Table 1. Percentage of all users who installed an update within 7 days after it was published. Only slightly more than half of all users installed a recent update within one week. Data was averaged based on five subsequent updates published within 102 days. Standard deviation is related to the five individual updates we observed in our use case.
This trend is visualized in Fig. 1 and can be summarized as follows: Most of those users who actually do install updates install them quickly. We hypothesize that the relatively high ratios of the first two days might partly be due to the automatic update option. Users that did not install the update early are also not likely to do so in the subsequent days. In total, just 53.2%, slightly more than a half, had the most recent update installed one week after publication.
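The following Python sketch is an added example, not part of the original paper: it takes the seven daily values from Table 1, computes the share of users still on an older version after each day, and fits the exponential decay the text describes. Extrapolating the fit beyond day 6 is an assumption made here for illustration, and all function names are hypothetical.

```python
import math

# Table 1 of the paper: share of active installs (in %) that installed the
# update on the publishing day (day 0) and on each of the six following days.
# The values are rounded, so they sum to 53.1 rather than the table's 53.2.
DAILY_INSTALL_PCT = [17.0, 14.6, 7.8, 5.1, 3.5, 2.8, 2.3]


def cumulative(daily):
    """Running total of the daily installation percentages."""
    total, out = 0.0, []
    for pct in daily:
        total += pct
        out.append(total)
    return out


def exposed(daily):
    """Share of users (in %) still on an older version at the end of each day."""
    return [100.0 - c for c in cumulative(daily)]


def fit_exponential(daily):
    """Least-squares fit of ln(y) = ln(a) + b*t, i.e. y = a * exp(b*t)."""
    n = len(daily)
    ts = list(range(n))
    logs = [math.log(y) for y in daily]
    t_mean = sum(ts) / n
    l_mean = sum(logs) / n
    sxx = sum((t - t_mean) ** 2 for t in ts)
    sxy = sum((t - t_mean) * (l - l_mean) for t, l in zip(ts, logs))
    b = sxy / sxx
    a = math.exp(l_mean - b * t_mean)
    return a, b


def half_life_days(daily):
    """Days after which the fitted daily uptake has halved."""
    _, b = fit_exponential(daily)
    return math.log(2) / -b


def projected_ceiling(daily):
    """Observed uptake plus the geometric tail of the fitted decay (in %).

    Assumption (not from the paper): the decay continues unchanged after
    the last observed day, so the tail is a * r^n / (1 - r) with r = exp(b).
    """
    a, b = fit_exponential(daily)
    if b >= 0:
        raise ValueError("daily uptake does not decay; no finite ceiling")
    n = len(daily)
    tail = a * math.exp(b * n) / (1.0 - math.exp(b))
    return sum(daily) + tail


def first_day_exposure_at_most(daily, target_pct, horizon=365):
    """First day (0 = publishing day) on which exposure is <= target_pct.

    Uses the observed days first, then the extrapolated model. Returns None
    if the target is not reached within `horizon` days.
    """
    for day, share in enumerate(exposed(daily)):
        if share <= target_pct:
            return day
    a, b = fit_exponential(daily)
    installed = sum(daily)
    for day in range(len(daily), horizon + 1):
        installed += a * math.exp(b * day)
        if 100.0 - installed <= target_pct:
            return day
    return None


if __name__ == "__main__":
    for day, share in enumerate(exposed(DAILY_INSTALL_PCT)):
        print(f"day {day}: {share:.1f}% still on an older version")
    print(f"fitted half-life of daily uptake: {half_life_days(DAILY_INSTALL_PCT):.2f} days")
    print(f"model ceiling for uptake: {projected_ceiling(DAILY_INSTALL_PCT):.1f}%")
    for target in (50.0, 45.0, 40.0):
        day = first_day_exposure_at_most(DAILY_INSTALL_PCT, target)
        print(f"exposure <= {target:.0f}%: {'never (model)' if day is None else 'day ' + str(day)}")
```

Under the stated assumption, daily uptake halves about every two days and the modelled uptake levels off below 60%, which is the quantitative form of the observation that users who do not update early are unlikely to update later.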
Version Distribution
We also looked at the distribution of the latest five versions of the app on users’ devices, illustrated by different colors in Fig. 2. The seven-day periods after an update has been published are slightly shaded for illustration. The visualization shows the spread of new versions due to cumulative installs (visualized with a steep graph that flattens out more and more), and the decrease of older versions. It also becomes evident how long outdated versions (up to four versions older than the latest one) are still circulating. As an example, we look at April 28, 2012, which is two weeks after the latest update has been published: Only 56.4% of all users have installed the latest version (v.27) at this time. The previous four versions were still in use by 8.5% (v.26), 6.0% (v.25), 5.5% (v.24) and 2.1% (v.23). Most severely, 21.5% had even older versions installed on their devices at that time.
Figure 1. Visualization representing the number of five subsequent update downloads (vertical axis) over time. The graph shows maxima on the update publishing day (possibly also due to activated auto-updates) and exponentially decreases thereafter. Modified diagram based on Android Developer Console statistics.
Figure 2. Visualization representing the number of installations by version (vertical axis); the colored lines indicate the five latest versions. The diagram reveals how long old versions are active on users’ devices. The 7-day periods after an update has been published are highlighted. Modified diagram based on Android Developer Console statistics.
DISCUSSION
Results from our case study reveal a problematic update behavior: Even one week after their publication, updates were installed only by about 50% of users. The rest used different outdated versions; one fifth had not installed even one of the last five updates. This implies two potential groups of users: those who update in an exemplary manner, and those who barely update at all. Hence, developers must not make the mistake of relying on the belief that at least the penultimate version of their app would run on most devices.
If we project this result to general update behavior, our findings imply a critical security situation. The harmless feature updates in our case study could be important security-related fixes in another app. On average, almost half of all users would use a vulnerable app version even 7 days after the fix has been published. The time from detection of a security hole to the final update shipment is not even considered here.
Further reasons indicate that the ‘real’ update situation could even be worse than in our exemplary case analysis. A high number of installed apps could further decrease the amount of up-to-date apps, since more time would be required for individual updates. Furthermore, the fact that users are presumably highly engaged with our examined canteen app could have an impact on update frequency as well. We see an even more critical situation with apps that are not regularly used, but for which security is crucial just then (e.g. for online banking apps). In-depth usage monitoring [2] is required for better understanding the relation between usage frequency and update behavior.
We also looked at users’ behavior in case of problems. Our app contained a ‘Give feedback’ item in the preferences menu that allowed sending an email to the developers. In the app description in Google Play, we asked users to give us feedback using this function. We also linked to a Q&A page from which users could contact the developers as well. Our experience revealed that few users actually used these opportunities. They rather made use of the rating functionality in Google Play. For example, the download of the daily menu was not working for one day due to a server migration. Several users immediately left a bad rating in Google Play, complaining about the app not working any more. Apparently, they had not read the requests to provide feedback by email or had not found the feedback link in the app. A similar case illustrates as well that not all users read the description texts in Google Play: One user commented that it would be good to have an English translation. In fact, the app is fully localized to 6 languages (amongst them English), and localizations automatically adapt to the device’s system language. Similarly, this user rated the app worse because of this complaint.
For developers, our observations have three consequences. First, they show how quick users are with bad ratings, which may be problematic especially for commercial apps; other work already stated that user reviews can be brutal [9]. Hence, it is important to keep the application bug-free and provide timely updates in case of problems.
Second, developers cannot rely on users reading instructions and employing the built-in feedback functions. We gained the insight that ways to further improve such functions should be found, and we also learned that keeping track of ratings and comments in Google Play is important. Otherwise, in some cases, we would not have been aware of potential problems. In our case, they were related to usability and minor issues, but they could have been security bugs as well. This is especially important since security holes do not necessarily go along with unresponsive or crashing apps and thus are not covered by the built-in error reporting function of Google Play.
Third, as a first step towards an improved security on mobile phone platforms and in light of sometimes difficult download mechanisms [3], we encourage developers to support users in updating, e.g. by built-in update checks within their application and/or forwarding users to the platform market place, as we use it in our research apps [11].
CONCLUSION
In this paper, we have analyzed update behavior and security implications in application markets using the example of an Android application we developed and offer for download in Google Play. We found that, on average, half of all users did not install an update even seven days after it has been published and thus would use a potentially vulnerable application. Although generalizations of our initial findings must be carried out carefully and further studies will be necessary, we raised the awareness for a potential slow update propagation on Android and other mobile platforms.
Further automatic quality assessments for uploaded apps in digital market places and more automated update mechanisms could be ways to increase the level of security on mobile devices.
Acknowledgments
We thank all of our students involved in the development of VMI Mensa and our other research apps.
REFERENCES
1. Apple Inc. App store review guidelines. https://developer.apple.com/appstore/guidelines.html, 2012.
2. Böhmer, M., Hecht, B., Schöning, J., Krüger, A., and Bauer, G. Falling asleep with angry birds, facebook and kindle: a large scale study on mobile application usage. In Proceedings of the 13th International Conference on Human Computer Interaction with Mobile Devices and Services, ACM (2011), 47–56.
3. Cramer, H., Rost, M., Belloni, N., Bentley, F., and Chincholle, D. Research in the large. using app stores, markets, and other wide distribution channels in ubicomp research. In Proceedings of the 12th ACM international conference adjunct papers on Ubiquitous computing - Adjunct, Ubicomp ’10 Adjunct, ACM (New York, NY, USA, 2010), 511–514.
4. Di Cerbo, F., Girardello, A., Michahelles, F., and Voronkova, S. Detection of malicious applications on android OS. In Proceedings of the 4th international conference on Computational forensics (IWCF’10), H. Sako, K. Y. Franke, and S. Saitoh, Eds., Springer (Berlin, Heidelberg, 2010), 138–149.
5. Diewald, S., Möller, A., Roalter, L., and Kranz, M. Mobile Device Integration and Interaction in the Automotive Domain. In AutoNUI: Automotive Natural User Interfaces Workshop at the 3rd International Conference on Automotive User Interfaces and Interactive Vehicular Applications (AutomotiveUI 2011) (Nov.–Dec. 2011).
6. Gilbert, P., Chun, B.-G., Cox, L. P., and Jung, J. Vision: automated security validation of mobile apps at app markets. In Proceedings of the second international workshop on Mobile cloud computing and services, MCS ’11, ACM (New York, NY, USA, 2011), 21–26.
7. Henze, N., and Sahami, A. Appticker. http://projects.hcilab.org/appticker/, 2012.
8. Lockheimer, H. Google Mobile Blog. Android and Security. http://googlemobile.blogspot.de/2012/02/android-and-security.html, February 2012.
9. Miluzzo, E., Lane, N., Lu, H., and Campbell, A. Research in the app store era: Experiences from the CenceMe app deployment on the iPhone. In Proc. Ubicomp (2010).
10. Möller, A., Roalter, L., Diewald, S., Scherr, J., Kranz, M., Hammerla, N., Olivier, P., and Plötz, T. Gymskill: A personal trainer for physical exercises. In Pervasive Computing and Communications (PerCom), 2012 IEEE International Conference on (March 2012), 213–220.
11. Möller, A., Thielsch, A., Dallmeier, B., Roalter, L., Diewald, S., Hendrich, A., Meyer, B. E., and Kranz, M. Mobidics – improving university education with a mobile didactics toolbox. In Ninth International Conference on Pervasive Computing (Pervasive 2011), Video Proceedings (San Francisco, CA, USA, June 2011).
12. Nauman, M., Khan, S., and Zhang, X. Apex: Extending android permission model and enforcement with user-defined runtime constraints. In Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, ACM (2010), 328–332.
13. Research, and Markets. Application Distribution Channels 2011. Evans Data Corp., Sep. 2011.
14. Shabtai, A., Kanonov, U., Elovici, Y., Glezer, C., and Weiss, Y. “Andromaly”: a behavioral malware detection framework for android devices. Journal of Intelligent Information Systems 38 (2012), 161–190. 10.1007/s10844-010-0148-x.
15. Vidas, T., Christin, N., and Cranor, L. Curbing android permission creep. In Proceedings of the Web, vol. 2 (2011).
... Whereupon the update behavior of Android application users has been first studied by Moeller et al. [17] in 2012, this year is considered the starting period for this paper. There has been a lot of good works regarding identifying the update behavior of users since 2012. ...
... 3) Delaying update: Authors found that almost half of all users would use a vulnerable app version even 7 days after the fix has been published. Moreover, up to four outdated versions were still circulating even after two weeks after the latest update has been published [17]. In another research it was found that for third-party apps such as Facebook or games, on average 40% of all users update to a new version on the release day. ...
... Several initial recommendations were given to vendors [19], developers [17] [4] [5] [7] and end users [19] [7]. To User: Users should switch on auto-updates via making application update rollbacks more accessible. ...
Presentation
Full-text available
User behavior analysis is very important in every aspect and especially to implement security because a simple careless behavior of a user may cause a very harmful security anomaly to the user. There are many great articles in which researchers have analyzed the user behavior regarding the software update. However, there is no succinct work that covers all the research results altogether. In this paper, 25 well-known previous works which focused on update behavior of the end-users from 2012 to 2017 have been summarized and categorized to better understand the update behavior of the user. Moreover, based on the outcomes of those works, some directions to future researchers and to software developers and vendors are also mentioned in this paper.
... Möller et al. [29] use an app they posted on Google Play to study the correlation between published updates and their actual installations. They show that 7 days after a security update is published, almost half of the app's users still use an older, vulnerable version. ...
Preprint
The difficulty of large scale monitoring of app markets affects our understanding of their dynamics. This is particularly true for dimensions such as app update frequency, control and pricing, the impact of developer actions on app popularity, as well as coveted membership in top app lists. In this paper we perform a detailed temporal analysis on two datasets we have collected from the Google Play Store, one consisting of 160,000 apps and the other of 87,223 newly released apps. We have monitored and collected data about these apps over more than 6 months. Our results show that a high number of these apps have not been updated over the monitoring interval. Moreover, these apps are controlled by a few developers that dominate the total number of app downloads. We observe that infrequently updated apps significantly impact the median app price. However, a changing app price does not correlate with the download count. Furthermore, we show that apps that attain higher ranks have better stability in top app lists. We show that app market analytics can help detect emerging threat vectors, and identify search rank fraud and even malware. Further, we discuss the research implications of app market analytics on improving developer and user experiences.
... Previous works suggested that increased user involvement can result in better security [43]. However, studies have also shown that users often neglect and delay software updates [44], [45]. Software update reluctance is largely caused by the update representation or the user's prior inconvenient experience with software updates, which raises the suspicion that an update may introduce new problems [46], [47]. ...
Preprint
Software updates are essential to enhance security, fix bugs, and add better features to existing software. However, while some users comply and update their systems upon notification, non-compliance is common. Delaying or ignoring updates leaves systems exposed to security vulnerabilities. Despite research efforts, users' noncompliance behavior with software updates is still prevalent. In this study, we explored how psychological factors influence users' perception and behavior toward software updates. In addition, we proposed a model to assess the security risk score associated with delaying software updates. We conducted a user study with Windows OS users to explore how information about potential vulnerabilities and risk scores influence their behavior. Furthermore, we also studied the influence of demographic factors such as gender on the users' decision-making process for software updates. Our results showed that psychological traits, such as knowledge, awareness, and experience, impact users' decision-making about software updates. To increase users' compliance, providing a risk score for not updating their systems and information about vulnerabilities statistically significantly increased users' willingness to update their systems. Additionally, our results indicated no statistically significant difference in male and female users' responses in terms of concerns about securing their systems. The implications of this study are relevant for software developers and manufacturers as they can use this information to design more effective software update notification messages. Highlighting potential risks and corresponding risk scores in future software updates can motivate users to act promptly to update the systems in a timely manner, which can ultimately improve the overall security of the system.
... For instance, Pothuraju et al. [18] claim that nearly 76% of apps did not get any update in Play Store within their monitoring dataset for a period of approximately six months while a minority got nearly hundreds of updates which may point to newly released apps that could require many bug fixes. Though these updates are supposed to fix bugs or provide better security, Moller et al. [19] noted that even after a week of an update, app users still tend to use the older version. Vincent et at. ...
Preprint
App markets have evolved into highly competitive and dynamic environments for developers. While the traditional app life cycle involves incremental updates for feature enhancements and issue resolution, some apps deviate from this norm by undergoing significant transformations in their use cases or market positioning. We define this previously unstudied phenomenon as 'app metamorphosis'. In this paper, we propose a novel and efficient multi-modal search methodology to identify apps undergoing metamorphosis and apply it to analyse two snapshots of the Google Play Store taken five years apart. Our methodology uncovers various metamorphosis scenarios, including re-births, re-branding, re-purposing, and others, enabling comprehensive characterisation. Although these transformations may register as successful for app developers based on our defined success score metric (e.g., re-branded apps performing approximately 11.3% better than an average top app), we shed light on the concealed security and privacy risks that lurk within, potentially impacting even tech-savvy end-users.
... Not just among non-expert end users, even system administrators are also reluctant and face difficulties with processing software updates (Tiefenau et al., 2020). Previous research on user behavior regarding software updates has shown that users frequently ignore and delay the updates (Nicholson, Coventry & Briggs, 2018;Möller et al., 2012;). Some users tend to overlook the significance of updates and may not fully comprehend the potential security risks associated with outdated software versions (Vitale et al., 2017;Wash et al., 2016). ...
Conference Paper
Security vulnerabilities can put users at risk if they do not promptly install necessary security updates. To minimize risk, software developers regularly release security updates that address known or potential vulnerabilities. However, previous studies have revealed numerous reasons why users may not adopt software updates. Additionally, the National Vulnerability Database (NVD) demonstrated that not all types of software are equally vulnerable to security breaches. Therefore, this study investigates users' perceptions of software updates while delving into the complex realm of human behavior, uncovering which type of software users prioritize when considering updates. This study also explores to what extent the users trust these software updates.To gain a comprehensive understanding of users' perspectives on software updates, we conducted a survey consisting of questions designed to uncover valuable insights into individual behaviors, attitudes, and preferences related to performing software updates. The questionnaire featured a list of seven categories of software, such as web browsers, multimedia players, and antivirus software. The participants ranked their preferred software categories for security updates. Our survey asked users about their trust in software updates for improving security. We collected user attitudes towards software updates to offer insights to developers, analysts, and users. Out of the 63 volunteers, 48 provided complete responses for us to analyze. The group had a nearly equal split of males and females (54.17% and 45.83%, respectively), with most being between 26 and 34 years old and having a higher level of education. All participants spent at least one hour per day on the computer.Our analysis shows that around 29% of the respondents prioritize antivirus updates when making decisions about which categories of software to update for security. 
Additionally, approximately one quarter (26%) prioritize updates to the operating system, and approximately one in five respondents identify web browsers as significant for maintaining a secure infrastructure. Notably, only 3.52% of the participants consider multimedia software updates important. We also observed that around half of the respondents (48%) believe that updating software can enhance the security of their system. However, these users do not fully trust on software updates. In contrast, 16% of users rarely or never rely on software updates. Moreover, approximately 40% of users have had negative experiences and were hesitant to apply software updates, which is likely a significant reason for their reluctance to depend on software updates.In conclusion, these findings highlight user preferences and factors that influence their decisions regarding which software categories they prioritize for updates based on security considerations. Users prioritize software that is essential or requires updates to run the system, such as OS updates. Furthermore, many users do not believe that updates can improve security due to past negative experiences. Achieving higher adoption rates of software updates remains an open challenge due to a persistent lack of trust. To improve security through software updates, it is not enough to progress only on the technological front; it is also essential to develop more effective strategies to make the updates reliable and win the trust of users.
... It is widely accepted in the everyday users' community. Besides, although its main competitor, Apple Store (IOS), has larger earnings, Google Play (Android) leads in application downloads (Möller et al., 2012). In addition to the fact that Android is the operating system with the largest share of the smartphone market in the world, Android devices represented just over 84% of units sold in 2020, and Apple iOS almost the remaining 16% (IDC, 2020). ...
Article
Mobile applications (apps) are becoming an essential tool when it comes to sightseeing. There is even a specific category for trips in the leading app stores. These are no strangers to the rise of the itinerant travel style, the caravans. The study aims to understand the situation of the main caravanning apps in Spain. We have carried out a web scraping methodology using a sample of 1,601 Spanish reviews of the main apps related to caravanning. The most interesting findings, among others, are that we are getting to know a sector that up to now was unknown and that even has not been affected by the pandemic crisis. Besides, the paper has demonstrated that developers do not follow the right strategies in caravanning apps. The paper also shows users' most crucial concerns about these apps. Therefore, managers of caravanning apps could improve their strategies by focusing their attention on users' concerns and, most important, reviews to respond.
... To carry out this study, we focused on analyzing the user reviews of the apps that make up the sample, namely Blablacar and Amovens. To obtain them, Google Play was used as the data source among the existing app stores because, although Apple (IOS) has higher earnings (Möller et al., 2012), Google (Android) leads in app downloads. ...
Book
ScienCity is an activity that has been running continuously since 2018 with the aim of publicizing the emerging knowledge and technologies being researched at universities, reporting on experiences, services and initiatives already launched by institutions and companies, reaching political decision-makers who could create synergies, encouraging the creation of ideas and joint development possibilities, involving and prompting citizen participation, and building a multidisciplinary international network of researchers that guarantees the continuation of future editions. ScienCity has enabled universities, city councils, public bodies and private companies to make contact for the first time in this field. During 2021, 40 participants from different parts of Spain, Portugal, Mexico, Costa Rica, Italy and Poland attended, with 31 talks, 8 posters, 1 workshop, 8 electric and hybrid vehicles, and 8 proposals for the ideas competition.
Article
Modern technology innovations feature a successive and even recurrent procedure. Intervals between old and new generations of technology are shrinking, and the Internet and Web services have facilitated the fast adoption of an innovation even before the convergence of its predecessor. While the adoption and diffusion of innovations have been studied for decades, most theories and analyses focus on single and one-time innovations. Meanwhile, limited work has investigated successive innovations while lacking user-level analysis, possibly due to the unavailability of fine-grained adoption behavior data. In this study, we present the first large-scale analysis of the adoption of recurrent innovations in the context of mobile app updates, investigating how millions of users consume various versions of thousands of apps on their mobile devices. Our analysis reveals novel patterns of crowd and individual adoption behaviors, which suggest the need for new categories of adopters to be added on top of the Rogers model of innovation diffusion. We show that standard machine learning models are able to pick up various sources of signals to predict whether or not a user in these different categories will adopt a new version of an app and how soon they will adopt it.
Article
Installing security updates is one of the important security actions individuals can take to prevent potential cybersecurity threats. The cumulative risk of delaying the installation of security updates over an extended period can be substantial, and yet, people often choose to delay such actions. Past research suggests that people neglect to update because the majority overestimate the cost (e.g., time) of an update and underestimate an attack risk. Utilizing the repeated protective decision paradigm, we conducted a laboratory experiment to examine whether priming people about the cumulative risk of not updating could influence their update speed. Results from our experiment show that communicating cumulative risk would only have a momentary effect on people’s update decisions and that people would quickly learn from experience to delay or neglect to update. Our findings highlight the importance of augmenting user habits to improve update decision-making.
Article
The Android platform has about 130 application level permissions that govern access to resources. The determination of which permissions to request is left solely to the application developer. Users are prompted to approve all application permissions at install time, and permissions are silently enforced at execution time. Although many applications make use of a wide range of permissions, we have observed that some applications request permissions that are not required for the application to execute, and that existing developer APIs make it difficult for developers to align their permission requests with application functionality. In this paper we describe a tool we developed to assist developers in utilizing least privilege.
Conference Paper
We present GymSkill, a personal trainer for ubiquitous monitoring and assessment of physical activity using standard fitness equipment. The system records and analyzes exercises using the sensors of a personal smartphone attached to the gym equipment. Novel fine-grained activity recognition techniques based on pyramidal Principal Component Breakdown Analysis (PCBA) provide a quantitative analysis of the quality of human movements. In addition to overall quality judgments, GymSkill identifies interesting portions of the recorded sensor data and provides suggestions for improving the individual performance, thereby extending existing work. The system was evaluated in a case study where 6 participants performed a variety of exercises on balance boards. GymSkill successfully assessed the quality of the exercises, in agreement with the professional judgment provided by a physician. User feedback suggests that GymSkill has the potential to serve as an effective tool for motivating and supporting lay people to overcome sedentary, unhealthy lifestyles. GymSkill is available in the Android Market as ‘VMI Fit’.
Article
Smartphones and "app" markets are raising concerns about how third-party applications may misuse or improperly handle users' privacy-sensitive data. Fortunately, unlike in the PC world, we have a unique opportunity to improve the security of mobile applications thanks to the centralized nature of app distribution through popular app markets. Thorough validation of apps applied as part of the app market admission process has the potential to significantly enhance mobile device security. In this paper, we propose AppInspector, an automated security validation system that analyzes apps and generates reports of potential security and privacy violations. We describe our vision for making smartphone apps more secure through automated validation and outline key challenges such as detecting and analyzing security and privacy violations, ensuring thorough test coverage, and scaling to large numbers of apps.
Conference Paper
Android is the first mass-produced consumer-market open source mobile platform that allows developers to easily create applications and users to readily install them. However, giving users the ability to install third-party applications poses serious security concerns. While the existing security mechanism in Android allows a mobile phone user to see which resources an application requires, she has no choice but to allow access to all the requested permissions if she wishes to use the applications. There is no way of granting some permissions and denying others. Moreover, there is no way of restricting the usage of resources based on runtime constraints such as the location of the device or the number of times a resource has been previously used. In this paper, we present Apex, a policy enforcement framework for Android that allows a user to selectively grant permissions to applications as well as impose constraints on the usage of resources. We also describe an extended package installer that allows the user to set these constraints through an easy-to-use interface. Our enforcement framework is implemented through a minimal change to the existing Android code base and is backward compatible with the current security mechanism.
Conference Paper
The paper presents a methodology for mobile forensics analysis, to detect “malicious” (or “malware”) applications, i.e., those that deceive users hiding some of their functionalities. This methodology is specifically targeted for the Android mobile operating system, and relies on its security model features, namely the set of permissions exposed by each application. The methodology has been trained on more than 13,000 applications hosted on the Android Market, collected with AppAware. A case study is presented as a preliminary validation of the methodology.
Conference Paper
While applications for mobile devices have become extremely important in the last few years, little public information exists on mobile application usage behavior. We describe a large-scale deployment-based research study that logged detailed application usage information from over 4,100 users of Android-powered mobile devices. We present two types of results from analyzing this data: basic descriptive statistics and contextual descriptive statistics. In the case of the former, we find that the average session with an application lasts less than a minute, even though users spend almost an hour a day using their phones. Our contextual findings include those related to time of day and location. For instance, we show that news applications are most popular in the morning and games are at night, but communication applications dominate through most of the day. We also find that despite the variety of apps available, communication applications are almost always the first used upon a device's waking from sleep. In addition, we discuss the notion of a virtual application sensor, which we used to collect the data.
Article
This article presents Andromaly—a framework for detecting malware on Android mobile devices. The proposed framework realizes a Host-based Malware Detection System that continuously monitors various features and events obtained from the mobile device and then applies Machine Learning anomaly detectors to classify the collected data as normal (benign) or abnormal (malicious). Since no malicious applications are yet available for Android, we developed four malicious applications, and evaluated Andromaly’s ability to detect new malware based on samples of known malware. We evaluated several combinations of anomaly detection algorithms, feature selection method and the number of top features in order to find the combination that yields the best performance in detecting new malware on Android. Empirical results suggest that the proposed framework is effective in detecting malware on mobile devices in general and on Android in particular.
Article
Smartphones and "app stores" are enabling the distribution of a wide variety of third party applications to very large numbers of people around the globe in an instance with the potential to collect rich, large-scale data sets. This new era represents a game changer for our research community - one which we are still trying to best understand and exploit. We discuss our experiences in developing, distributing and supporting CenceMe, a personal sensing application for mobile social networks, developed for the Apple iPhone and first released when the Apple App Store opened in 2008. We had to come to terms with supporting a fairly complex real-time sensing application outside the normal controlled laboratory setting. Instead of deploying the CenceMe application to a small set of local users (e.g., 30+ users when we first deployed CenceMe on Nokia N95s in 2007) we had to deal with thousands of users distributed around the world. This new era of app development and distribution at scale is an exciting one for researchers - one that will accelerate the deployment of new ideas and likely lead to new advances and breakthroughs not well understood today.
Conference Paper
The mobile phones that people use in their daily lives now run advanced applications and come equipped with sensors once only available in custom hardware in UbiComp research. At the same time application distribution has become increasingly simple due to the proliferation of app stores and the like. Evaluation and research methods have to be adapted to this new context to get the best data and feedback from wide audiences. However, an overview of successful strategies to overcome research challenges inherent to wide deployment is not yet available. App store platform characteristics, devices, reaching target users, new types of evaluation data and dynamic, heterogeneous usage contexts have to be dealt with. This workshop provides a forum for researchers and developers to exchange experiences and strategies for wide distribution of applications. We aim at building an understanding of the opportunities of various distribution channels and obstacles involved in a research context.