Article (Scientific journals)
Understanding the Evolution of Android App Vulnerabilities
Gao, Jun; li, li; Bissyande, Tegawendé François D Assise et al.
2020In IEEE Transactions on Reliability
Peer Reviewed verified by ORBi


Full Text
Author preprint (1.8 MB)

All documents in ORBilu are protected by a user license.

Send to


Keywords :
Android; vulnerability; Evolution
Abstract :
[en] The Android ecosystem today is a growing universe of a few billion devices, hundreds of millions of users and millions of applications targeting a wide range of activities where sensitive information is collected and processed. Security of communication and privacy of data are thus of utmost importance in application development. Yet, regularly, there are reports of successful attacks targeting Android users. While some of those attacks exploit vulnerabilities in the Android OS, others directly concern application-level code written by a large pool of developers with varying experience. Recently, a number of studies have investigated this phenomenon, focusing however only on a specific vulnerability type appearing in apps, and based on only a snapshot of the situation at a given time. Thus, the community is still lacking comprehensive studies exploring how vulnerabilities have evolved over time, and how they evolve in a single app across developer updates. Our work fills this gap by leveraging a data stream of 5 million app packages to re-construct versioned lineages of Android apps and finally obtained 28;564 app lineages (i.e., successive releases of the same Android apps) with more than 10 app versions each, corresponding to a total of 465;037 apks. Based on these app lineages, we apply state-of- the-art vulnerability-finding tools and investigate systematically the reports produced by each tool. In particular, we study which types of vulnerabilities are found, how they are introduced in the app code, where they are located, and whether they foreshadow malware. We provide insights based on the quantitative data as reported by the tools, but we further discuss the potential false positives. Our findings and study artifacts constitute a tangible knowledge to the community. It could be leveraged by developers to focus verification tasks, and by researchers to drive vulnerability discovery and repair research efforts.
Research center :
University of Luxembourg: Interdisciplinary Centre for Security, Reliability and Trust
Disciplines :
Computer science
Author, co-author :
Gao, Jun ;  University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
li, li;  Monash University > Faculty of Information Technology
Bissyande, Tegawendé François D Assise  ;  University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Klein, Jacques ;  University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > Computer Science and Communications Research Unit (CSC)
External co-authors :
Language :
Title :
Understanding the Evolution of Android App Vulnerabilities
Publication date :
Journal title :
IEEE Transactions on Reliability
Publisher :
Institute of Electrical and Electronics Engineers, United States
Peer reviewed :
Peer Reviewed verified by ORBi
Focus Area :
Security, Reliability and Trust
FnR Project :
FNR10621687 - Security And Privacy For System Protection, 2015 (01/01/2017-30/06/2023) - Sjouke Mauw
Available on ORBilu :
since 12 January 2020


Number of views
205 (27 by Unilu)
Number of downloads
891 (13 by Unilu)

Scopus citations®
Scopus citations®
without self-citations
WoS citations


Similar publications

Contact ORBilu