Understanding the Responsiveness of Mobile App Developers to Software Library Updates.

CODASPY(2019)

Abstract
This paper reports a longitudinal measurement study aiming to understand how responsive mobile app developers are to updates of software libraries over time. To quantify their responsiveness to library updates, we collected 21,046 Android apps, which equated to 142,611 unique application package kit (APK) files, each corresponding to a different version of an app. The release dates of these APK files spanned 9 years. The key findings we derived from our analysis are as follows. (1) We observed an undesirable level of responsiveness of app developers; 50% of library update adoptions by app developers were performed more than 3 months after the release date of the library, and 50% of outdated libraries used in apps were retained for over 10 months. (2) Deploying a security fix campaign in the app distribution market effectively reduced the number of apps with unfixed vulnerabilities; however, CVE-numbered vulnerabilities (without a campaign) were prone to remain unfixed. (3) The responsiveness of app developers varied and depended on multiple factors; for example, popular apps with a high number of installations had a better response to library updates and, while it took 77 days on average for app developers to adopt version updates for advertising libraries, it took 237 days for updates of utility libraries to be adopted. We discuss practical ways to eliminate libraries with vulnerabilities and to improve the responsiveness of app developers to library updates.
Keywords
Android Security, Mobile Apps Measurement, Software Library, Mobile App Developers