A Study on the Vulnerabilities of Mobile Apps associated with Software Modules
Takuya Watanabe, Mitsuaki Akiyama, Fumihiro Kanei, Eitaro Shioji, Yuta Takata, Bo Sun, Yuta Ishi, Toshiki Shibahara, Takeshi Yagi, Tatsuya Mori

TL;DR
This large-scale study investigates how software libraries contribute to vulnerabilities in mobile apps, revealing that a significant portion of vulnerabilities originate from third-party libraries, especially in more complex and popular paid apps.
Contribution
The paper provides a comprehensive analysis of app vulnerabilities linked to libraries, highlighting differences between free and paid apps and offering insights for improving app security.
Findings
Approximately 70% of free app vulnerabilities stem from libraries.
About 50% of paid app vulnerabilities are due to libraries.
More popular and expensive apps tend to have more vulnerabilities.
Abstract
This paper reports a large-scale study that aims to understand how mobile application (app) vulnerabilities are associated with software libraries. We analyze both free and paid apps. Studying paid apps was quite meaningful because it helped us understand how differences in app development/maintenance affect the vulnerabilities associated with libraries. We analyzed 30k free and paid apps collected from the official Android marketplace. Our extensive analyses revealed that approximately 70%/50% of vulnerabilities of free/paid apps stem from software libraries, particularly from third-party libraries. Somewhat paradoxically, we found that more expensive/popular paid apps tend to have more vulnerabilities. This comes from the fact that more expensive/popular paid apps tend to have more functionality, i.e., more code and libraries, which increases the probability of vulnerabilities. Based…
Taxonomy
Topics: Advanced Malware Detection Techniques · Mobile and Web Applications · Software System Performance and Reliability
