Short Text, Large Effect: Measuring the Impact of User Reviews on Android App Security and Privacy

conference contribution
posted on 2023-11-29, 18:10 authored by Duc Cuong Nguyen, Erik Derr, Michael Backes, Sven Bugiel
Application markets streamline the end-users' task of finding and installing applications. They also form an immediate communication channel between app developers and their end-users in the form of app reviews, which allow users to provide developers feedback on their apps. However, it is unclear to what extent users employ this channel to point out their security and privacy concerns about apps, about which aspects of apps users express concerns, and how developers react to such security- and privacy-related reviews. In this paper, we present the first study of the relationship between end-user reviews and security- & privacy-related changes in apps. Using natural language processing on 4.5M user reviews for the top 2,583 apps in Google Play, we identified 5,527 security and privacy relevant reviews (SPR). For each app version mentioned in the SPR, we use static code analysis to extract permission-protected features mentioned in the reviews. We successfully mapped SPRs to privacy-related changes in app updates in 60.77% of all cases. Using exploratory data analysis and regression analysis we are able to show that preceding SPR are a significant factor for predicting privacy-related app updates, indicating that user reviews in fact lead to privacy improvements of apps. Our results further show that apps that adopt runtime permissions receive a significantly higher number of SPR, showing that runtime permissions put privacy-jeopardizing actions better into users' minds. Further, we can attribute about half of all privacy-relevant app changes exclusively to third-party library code. This hints at larger problems for app developers to adhere to users' privacy expectations and markets' privacy regulations.
Our results make a call for action to make app behavior more transparent to users in order to leverage their reviews in creating incentives for developers to adhere to security and privacy best practices, while our results call at the same time for better tools to support app developers in this endeavor.


Preferred Citation

Duc Nguyen, Erik Derr, Michael Backes and Sven Bugiel. Short Text, Large Effect: Measuring the Impact of User Reviews on Android App Security and Privacy. In: IEEE Symposium on Security and Privacy (S&P). 2019.

Primary Research Area

  • Empirical and Behavioral Security

Secondary Research Area

  • Secure Connected and Mobile Systems

Name of Conference

IEEE Symposium on Security and Privacy (S&P)

Open Access Type

  • Unknown


@inproceedings{cispa_all_2815,
  title = "Short Text, Large Effect: Measuring the Impact of User Reviews on Android App Security and Privacy",
  author = "Nguyen, Duc Cuong and Derr, Erik and Backes, Michael and Bugiel, Sven",
  booktitle = "{IEEE Symposium on Security and Privacy (S&P)}",
  year = "2019",
}
