The study of a student cafeteria menu app might help bolster the defences of Android apps, which are increasingly seen as an easy target for cyber crooks.
Android malware has been widely regarded as one of the fast-growing threats on the security landscape, as villains target the increasingly popular operating system.
While many security experts have blamed the relative lax security found in Google's Play marketplace for apps, a group of researchers led by Andreas Moller, a computer scientist at the Technical University Munich, in Germany wanted to understand the role users played in allowing Android malware to spread.
To glean their insight, the group designed an Android app which was made available through Google Play. The app, VMI Mensa was targeted at students in Munich, providing them with updates on the menus at university cafeteria in Munich.
They then studied the installation of updates for that app - which had been downloaded over 2,200 times - over a one-year period between July 2011 and July 2012, during which time 21 updates were released.
Most Android phones can update apps automatically, but the option is turned off by default. As a result, the group found more than half of the users of its app did not install an update, even after it had been available for a week.
As Moller and co noted: their results are only for one app, so they should be treated with a degree of care. But studying the behaviour of users also gave them insights that may help improve the security of other apps.
For example, despite having introduced features that made it easy to report bugs in their app, most bug reports came in via the app rating system – where typically users that had experience problems vented their frustrations by marking the app down.
In one case, a user marked down the canteen app in the mistaken belief it didn't provide an English translation.
“Developers cannot rely on users reading instructions,” the researchers warned.
That matters when it comes to security, as without mechanisms to encourage them to update their apps, most will not do so.
“We encourage developers to support users in updating, by built-in update checks within their application and/or forwarding users to the platform market place,” the researchers said.
Their work is being presented at the Research In The Large workshop at the MobileHCI 2012 conference in San Francisco later this month.
13 Sep 2012