From guidelines to practice: assessing Android app developer compliance with Google's security recommendations
Saved in:

| Published in: | Empirical Software Engineering: An International Journal, 2025-02, Vol. 30 (1), p. 11, Article 11 |
|---|---|
| Main authors: | , , , , |
| Format: | Article |
| Language: | eng |
| Subjects: | |
| Online access: | Full text |
| Summary: | The popularity of Android OS is largely credited to the massive number of apps, and many app developers are involved in this ecosystem. On the other hand, developers carelessly introduce various vulnerabilities into apps, bringing security risks to users. To facilitate secure development and avoid common API misuses, Google provides a series of security guidelines and development practices for developers on its official developer community websites. However, the adoption rate of these security guidelines in the real world has not been systematically evaluated. In this work, through large-scale app measurement (108,091 apps from Google Play) and analysis, we investigated whether app developers follow the official Android security guidelines and the possible reasons behind it. In practice, we selected nine guidelines and mapped them to four OWASP MASVS control groups (MASVS-STORAGE, MASVS-NETWORK, MASVS-PLATFORM, and MASVS-CODE) as representatives, covering: (1) sensitive data storage; (2) validation checks for file paths; (3) network security measures; (4) custom permission protection; (5) WebView object usage; (6) intent vulnerabilities; (7) secure file creation modes; (8) hardware ID usage; (9) man-in-the-middle attacks. We also designed corresponding detection strategies to identify violations of the guidelines. The results show that most developers (> 90%) comply with Guidelines 1 and 7. However, some guidelines have not been followed properly: for Guidelines 2, 3, 4, 5, 6, and 8, less than 60% of developers followed Google's security suggestions. |
| ISSN: | 1382-3256 1573-7616 |
| DOI: | 10.1007/s10664-024-10559-0 |