Contributions
Short Papers and Posters
Wed 14 Jun 2023 10:00 - 10:30 at Aurora Hall - Poster

The exponential increase in smartphone usage has fueled the rapid growth of Android applications (apps). Unfortunately, this growth has also resulted in an alarming rise in security vulnerabilities, posing a significant challenge for developers of smartphone apps. In this paper, we conducted a quantitative and qualitative study to analyze security-related issues in open-source Android apps available on GitHub. Our study included a total of 689 security-related commits identified from 111,224 commits distributed over 2,187 apps. We proposed a taxonomy of ten distinct categories of security issues, which we identified using the card-sorting technique. Our findings showed that Permission issues were the most prevalent in our dataset (370, 53.7%), followed by Login issues (160, 23.22%). Issues such as Privacy (5, 0.72%) and Framework (3, 0.43%) were rare in our dataset. Other security issues were related to Encryption, Authentication, Generic Security, Decryption, Network, and Database. Our taxonomy also included 91 sub-categories/sub-themes, with Permission issues having the highest number of sub-categories (37). In their code commits, developers discussed permission sub-categories such as camera permission, WiFi permissions, storage permission, WRITE/READ_PHONE_STATE permission, and location permission, among others. These preliminary findings serve as an initial step towards comprehending the primary security concerns from the perspective of both developers and researchers. Furthermore, our long-term objective is to investigate how developers address these security issues in their apps and determine whether they effectively resolve them. This research could provide valuable insights into improving the security of Android apps and preventing potential security breaches.