Do App Developers Follow the Android Official Data Security Guidelines? An Empirical Measurement on App Data Security.

The popularity of Android OS is largely credited to massive apps, and many app developers are involved in this ecosystem. On the other hand, various vulnerabilities are introduced into apps by developers carelessly, bringing security issues to users. To facilitate secure development and avoid common API misuses, Google provides a series of security guidelines and development practices for developers on the official developer community websites. However, the deployments of these guidelines in the wild have not been systematically evaluated. In this work, through large-scale app measurement (251,749 apps from 10 markets) and analysis, we investigated whether app developers follow the official Android security guidelines and the possible reasons behind it. In practice, we selected five guidelines related to app data security as representatives, covering: (1) secure file creation modes; (2) sensitive data storage; (3) validation check for file paths; (4) hardware ID usage; (5) custom permission protection. We also designed the corresponding detection strategies to check violations of the guidelines. The results show that most developers (> 90 %) can comply with Guidelines 1 and 2. However, some guidelines have not been followed properly. For Guidelines 3, 4, and 5, less than 60 % of developers followed the Google security suggestions.