Short Text, Large Effect: Measuring the Impact of User Reviews on Android App Security & Privacy

Nguyen, Duc Cuong and Derr, Erik and Backes, Michael and Bugiel, Sven
(2019) Short Text, Large Effect: Measuring the Impact of User Reviews on Android App Security & Privacy.
In: Proceedings of the IEEE Symposium on Security & Privacy, May 2019, May 2019, San Francisco, CA, USA.
Conference: SP IEEE Symposium on Security and Privacy

This is the latest version of this item.

[img]
Preview
 Text
main_sp.pdf - Published Version
Download (397kB) | Preview

Abstract

Application markets streamline the end-users' task of finding and installing applications. They also form an immediate communication channel between app developers and their end-users in form of app reviews, which allow users to provide developers feedback on their apps. However, it is unclear to which extent users employ this channel to point out their security and privacy concerns about apps, about which aspects of apps users express concerns, and how developers react to such security- and privacy-related reviews. In this paper, we present the first study of the relationship between end-user reviews and security- & privacy-related changes in apps. Using natural language processing on 4.5M user reviews for the top 2,583 apps in Google Play, we identified 5,527 security and privacy relevant reviews (SPR). For each app version mentioned in the SPR, we use static code analysis to extract permission-protected features mentioned in the reviews. We successfully mapped SPRs to privacy-related changes in app updates in 60.77% of all cases. Using exploratory data analysis and regression analysis we are able to show that preceding SPR are a significant factor for predicting privacy-related app updates, indicating that user reviews in fact lead to privacy improvements of apps. Our results further show that apps that adopt runtime permissions receive a significantly higher number of SPR, showing that runtime permissions put privacy-jeopardizing actions better into users' minds. Further, we can attribute about half of all privacy-relevant app changes exclusively to third-party library code. This hints at larger problems for app developers to adhere to users' privacy expectations and markets' privacy regulations. Our results make a call for action to make app behavior more transparent to users in order to leverage their reviews in creating incentives for developers to adhere to security and privacy best practices, while our results call at the same time for better tools to support app developers in this endeavor.

Item Type: Conference or Workshop Item (A Paper) (Paper)
Divisions: Michael Backes (InfSec)
Sven Bugiel (Trusted Systems Group, TSG)
Conference: SP IEEE Symposium on Security and Privacy
Depositing User: Sebastian Weisgerber
Date Deposited: 15 Mar 2019 10:24
Last Modified: 24 Oct 2020 16:48
Primary Research Area: NRA5: Empirical & Behavioral Security
URI: https://publications.cispa.saarland/id/eprint/2815

Available Versions of this Item

  • Short Text, Large Effect: Measuring the Impact of User Reviews on Android App Security & Privacy. (deposited 15 Mar 2019 10:24) [Currently Displayed]

Actions

Actions (login required)

View Item View Item
CISPA is powered by EPrints 3 which is developed by the School of Electronics and Computer Science at the University of Southampton. More information and software credits.