Digital market places (e.g. Apple App Store, Google Play) have become the dominant platforms for the distribution of software for mobile phones. Thereby, developers can reach millions of users. However, neither of these market places today has mechanisms in place to enforce security critical updates of distributed apps. This paper investigates this problem by gaining insights on the correlation between published updates and actual installations of those. Our findings show that almost half of all users would use a vulnerable app version even 7 days after the fix has been published. We discuss our results and give initial recommendations to app developers.
Technische Universität München Distributed Multimodal Information Processing Group Prof. Dr. Matthias Kranz
Update Behavior in App Markets and Security Implications:
A Case Study in Google Play
Andreas Möller1, Florian Michahelles2, Stefan Diewald1, Luis Roalter1, Matthias Kranz3
1 Technische Universität München, Germany
2 Swiss Federal Institute of Technology, Zurich, Switzerland
3 Luleå University of Technology, Department of Computer Science, Electrical and Space Engineering, Luleå, Sweden
Research in the Large Workshop, MobileHCI 2012, San Francisco
Outline
21.09.2012 Prof. Dr. Matthias Kranz 2
Digital Market Places
• Important source for mobile app distribution
• Apple App Store: 25 billion iOS app downloads
• Google Play: 10 billion Android app downloads
• Main argument „pro“ market place: SECURITY!
Sources: apple.com, play.google.com
Are Digital Marketplace Apps Secure?
• Review process at Apple
• Automatic malware and virus scanning at Google
• Check only inappropriate content and intentionally evil software
• But: bugs?
  – Android permission model is very coarse
  – iOS apps do not ask for permission at all
  – Apps can potentially harm the system or do unwanted things (steal data...)
• Over 20,000 new apps per month in Google Play
  – In particular new apps are potentially buggy and need frequent updates and fixes
Automatic Updates – Really?
• Market places provide updates all in one place
• BUT: only notification, no automatic installation!
  – iOS: badge icon
  – Android: notification, recently also automatically - if activated!
  – In most cases, user interaction is required.
Source: parallels.com
Our work – Update Installation Analysis
• How quickly do users actually install updates?
• Case study: VMI Mensa (canteen application)
  – Finds nearby canteens and cafeterias
  – Shows menus, prices, ingredients
• Developed by our research group
• Very popular with students at TUM (more than 2,400 downloads)
Update Installation
• Looking at 5 subsequent updates between Dec 22, 2011 and April 28, 2012
• Download peaks on publishing day and day 1
• Rapid decrease afterwards
[Chart: number of update downloads per day after publishing]
Cumulative Installs
Day after update      Update installed   Standard deviation
Publishing day        17.0%              2.7%
Day 1                 14.6%              2.0%
Day 2                  7.8%              1.3%
Day 3                  5.1%              0.9%
Day 4                  3.5%              0.7%
Day 5                  2.8%              0.5%
Day 6                  2.3%              0.4%
Total in 7 days       53.2%              2.7%
• Only half of all users have installed an update after one week!
Version History
• Old versions still active for a long time
• Installation base on April 28, 2012:
  older:  21.5%
  v0.23:   2.1%
  v0.24:   5.5%
  v0.25:   6.0%
  v0.26:   8.5%
  v0.27:  56.4% (newest)
[Chart: number of update downloads per version]
Summary
• One in five users has not installed the last 5 updates
• One in two users has not installed the latest version after 1 week
Discussion
• Probability that users run a potentially security-critical app is high
• Time until developers fix a security hole after it is detected is not included!
• If users don't install updates in the first days, they are unlikely to do so later
  – Problem for infrequently used apps
  – Probably not willing to wait for updates once they need it
• In-depth usage monitoring needed
Recommendations for developers
• Built-in auto-update if app is security-critical
• Look at bug reports and market place ratings (can be informative regarding potential problems)
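The install table and the discussion point that the developer's fix time is not part of it can be turned into a small exposure model. This is an added example, not code from the paper or the VMI Mensa app: the daily shares and the version mix are the slide values (the per-day shares sum to 53.1% because the slide rounds each day separately), while the fix-delay parameter, the flat tail beyond day 6 and the "share below the fixed version" helper are assumptions made here.

```python
"""Exposure model built from the update-install figures on the slides.

Added example, not code from the paper or the VMI Mensa app: the daily
install shares and the version mix are the values reported on the slides;
the fix-delay parameter and the flat-tail assumption are added here.
"""
from typing import Dict, Iterable, List

# Share (%) of users installing an update on each day after publishing,
# index 0 = publishing day (slide "Cumulative Installs").
DAILY_INSTALL_SHARE = [17.0, 14.6, 7.8, 5.1, 3.5, 2.8, 2.3]

# Installed-version mix (%) on April 28, 2012 (slide "Version History").
VERSION_MIX = {"older": 21.5, "0.23": 2.1, "0.24": 5.5, "0.25": 6.0,
               "0.26": 8.5, "0.27": 56.4}


def cumulative_installed(daily: Iterable[float]) -> List[float]:
    """Cumulative share on the new version at the end of each day."""
    total, out = 0.0, []
    for share in daily:
        total += share
        out.append(round(total, 1))
    return out


def still_vulnerable(daily: List[float], day: int) -> float:
    """Share still on the unfixed version `day` days after the fix shipped.
    Before publishing everyone is exposed; beyond the observed window the
    curve is held flat (assumption: the slides show no later data)."""
    if day < 0:
        return 100.0
    installed = cumulative_installed(daily)
    return round(100.0 - installed[min(day, len(installed) - 1)], 1)


def mean_vulnerable_days(daily, fix_delay_days: int, horizon: int) -> float:
    """Average days a user runs vulnerable code within `horizon` days of a
    flaw being found. The slides note the developer's fix time is *not*
    in the table; it is modelled here as `fix_delay_days` of full exposure."""
    pct = sum(still_vulnerable(daily, d - fix_delay_days) for d in range(horizon))
    return pct / 100.0


def share_below(mix: Dict[str, float], fixed_version: str) -> float:
    """Share of the install base running a version older than the one that
    carries the fix ("older" counts as below every listed version)."""
    key = lambda v: (-1,) if v == "older" else tuple(int(p) for p in v.split("."))
    return round(sum(s for v, s in mix.items() if key(v) < key(fixed_version)), 1)
```

With the slide data, a fix that ships on day 0 still leaves users vulnerable for about 4.2 days on average within the first week, and every day of developer delay adds a full day of exposure on top.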
Thank you for your attention! Questions?
[email protected] www.vmi.ei.tum.de/team/matthias-kranz.html
Paper Reference
• Please find the associated paper at: https://vmi.lmt.ei.tum.de/publications/2012/large2012_preprint.pdf
• Please cite this work as follows:
  Andreas Möller, Florian Michahelles, Stefan Diewald, Luis Roalter, Matthias Kranz. 2012. Update Behavior in App Markets and Security Implications: A Case Study in Google Play. In: 3rd Workshop on Research in the Large at MobileHCI 2012, San Francisco, USA, September 2012.
If you use BibTeX, please use the following entry to cite this work:

@INPROCEEDINGS{Large12moeller,
  author    = {Andreas M\"{o}ller and Florian Michahelles and Stefan Diewald and Luis Roalter and Matthias Kranz},
  title     = {{Update Behavior in App Markets and Security Implications: A Case Study in Google Play}},
  booktitle = {{Proceedings of the 3rd International Workshop on Research in the Large. Held in Conjunction with Mobile HCI}},
  year      = {2012},
  month     = {Sep},
  pages     = {3--6},
  location  = {San Francisco, USA},
  editor    = {Benjamin Poppinga},
}