{"id":"https://openalex.org/W4315750589","doi":"https://doi.org/10.1109/tse.2023.3236582","title":"Mixed Signals: Analyzing Software Attribution Challenges in the Android Ecosystem","display_name":"Mixed Signals: Analyzing Software Attribution Challenges in the Android Ecosystem","publication_year":2023,"publication_date":"2023-01-12","ids":{"openalex":"https://openalex.org/W4315750589","doi":"https://doi.org/10.1109/tse.2023.3236582"},"language":"en","primary_location":{"id":"doi:10.1109/tse.2023.3236582","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tse.2023.3236582","pdf_url":null,"source":{"id":"https://openalex.org/S8351582","display_name":"IEEE Transactions on Software Engineering","issn_l":"0098-5589","issn":["0098-5589","1939-3520","2326-3881"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320439","host_organization_name":"IEEE Computer Society","host_organization_lineage":["https://openalex.org/P4310320439","https://openalex.org/P4310319808"],"host_organization_lineage_names":["IEEE Computer Society","Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Software Engineering","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://arxiv.org/pdf/2211.13104","any_repository_has_fulltext":null},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5026866315","display_name":"Kaspar Hageman","orcid":"https://orcid.org/0000-0002-4245-9798"},"institutions":[{"id":"https://openalex.org/I204337017","display_name":"Aarhus University","ror":"https://ror.org/01aj84f44","country_code":"DK","type":"education","lineage":["https://openalex.org/I204337017"]}],"countries":["DK"],"is_corresponding":true,"raw_author_name":"Kaspar Hageman","raw_affiliation_strings":["Department of Electrical and Computer Engineering, Aarhus Universitet, Aarhus, Denmark"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Department of Electrical and Computer Engineering, Aarhus Universitet, Aarhus, Denmark","institution_ids":["https://openalex.org/I204337017"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5040431181","display_name":"\u00c1lvaro Feal","orcid":"https://orcid.org/0000-0002-6658-1800"},"institutions":[{"id":"https://openalex.org/I2802499160","display_name":"IMDEA Networks","ror":"https://ror.org/04mm9fg30","country_code":"ES","type":"facility","lineage":["https://openalex.org/I105140100","https://openalex.org/I2802499160"]}],"countries":["ES"],"is_corresponding":false,"raw_author_name":"\u00c1lvaro Feal","raw_affiliation_strings":["IMDEA Networks Institute, Leganés, Madrid, Spain"],"raw_orcid":"https://orcid.org/0000-0002-6658-1800","affiliations":[{"raw_affiliation_string":"IMDEA Networks Institute, Leganés, Madrid, Spain","institution_ids":["https://openalex.org/I2802499160"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5064537557","display_name":"Julien Gamba","orcid":"https://orcid.org/0000-0003-4554-8291"},"institutions":[{"id":"https://openalex.org/I2802499160","display_name":"IMDEA Networks","ror":"https://ror.org/04mm9fg30","country_code":"ES","type":"facility","lineage":["https://openalex.org/I105140100","https://openalex.org/I2802499160"]}],"countries":["ES"],"is_corresponding":false,"raw_author_name":"Julien Gamba","raw_affiliation_strings":["IMDEA Networks Institute, Leganés, Madrid, Spain"],"raw_orcid":"https://orcid.org/0000-0003-4554-8291","affiliations":[{"raw_affiliation_string":"IMDEA Networks Institute, Leganés, Madrid, Spain","institution_ids":["https://openalex.org/I2802499160"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5067900210","display_name":"Aniketh Girish","orcid":"https://orcid.org/0000-0002-2895-125X"},"institutions":[{"id":"https://openalex.org/I2802499160","display_name":"IMDEA Networks","ror":"https://ror.org/04mm9fg30","country_code":"ES","type":"facility","lineage":["https://openalex.org/I105140100","https://openalex.org/I2802499160"]}],"countries":["ES"],"is_corresponding":false,"raw_author_name":"Aniketh Girish","raw_affiliation_strings":["IMDEA Networks Institute, Leganés, Madrid, Spain"],"raw_orcid":"https://orcid.org/0000-0002-2895-125X","affiliations":[{"raw_affiliation_string":"IMDEA Networks Institute, Leganés, Madrid, Spain","institution_ids":["https://openalex.org/I2802499160"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5082318926","display_name":"Jakob Bleier","orcid":"https://orcid.org/0009-0003-5927-7119"},"institutions":[{"id":"https://openalex.org/I145847075","display_name":"TU Wien","ror":"https://ror.org/04d836q62","country_code":"AT","type":"education","lineage":["https://openalex.org/I145847075"]}],"countries":["AT"],"is_corresponding":false,"raw_author_name":"Jakob Bleier","raw_affiliation_strings":["Security and Privacy Research Unit, TU Wien, Vienna, Austria"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Security and Privacy Research Unit, TU Wien, Vienna, Austria","institution_ids":["https://openalex.org/I145847075"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5009694552","display_name":"Martina Lindorfer","orcid":"https://orcid.org/0000-0001-7001-4481"},"institutions":[{"id":"https://openalex.org/I145847075","display_name":"TU Wien","ror":"https://ror.org/04d836q62","country_code":"AT","type":"education","lineage":["https://openalex.org/I145847075"]}],"countries":["AT"],"is_corresponding":false,"raw_author_name":"Martina Lindorfer","raw_affiliation_strings":["Security and Privacy Research Unit, TU Wien, Vienna, Austria"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Security and Privacy Research Unit, TU Wien, Vienna, Austria","institution_ids":["https://openalex.org/I145847075"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5070199150","display_name":"Juan Tapiador","orcid":"https://orcid.org/0000-0002-4573-3967"},"institutions":[{"id":"https://openalex.org/I50357001","display_name":"Universidad Carlos III de Madrid","ror":"https://ror.org/03ths8210","country_code":"ES","type":"education","lineage":["https://openalex.org/I50357001"]}],"countries":["ES"],"is_corresponding":false,"raw_author_name":"Juan Tapiador","raw_affiliation_strings":["Department of Computer Science, Universidad Carlos III de Madrid, Leganés, Madrid, Spain"],"raw_orcid":"https://orcid.org/0000-0002-4573-3967","affiliations":[{"raw_affiliation_string":"Department of Computer Science, Universidad Carlos III de Madrid, Leganés, Madrid, Spain","institution_ids":["https://openalex.org/I50357001"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5016569835","display_name":"Narseo Vallina-Rodr\u00edguez","orcid":"https://orcid.org/0000-0002-5420-6835"},"institutions":[{"id":"https://openalex.org/I2802499160","display_name":"IMDEA Networks","ror":"https://ror.org/04mm9fg30","country_code":"ES","type":"facility","lineage":["https://openalex.org/I105140100","https://openalex.org/I2802499160"]}],"countries":["ES"],"is_corresponding":false,"raw_author_name":"Narseo Vallina-Rodriguez","raw_affiliation_strings":["IMDEA Networks Institute, Leganés, Madrid, Spain"],"raw_orcid":"https://orcid.org/0000-0002-5420-6835","affiliations":[{"raw_affiliation_string":"IMDEA Networks Institute, Leganés, Madrid, Spain","institution_ids":["https://openalex.org/I2802499160"]}]}],"institutions":[],"countries_distinct_count":3,"institutions_distinct_count":8,"corresponding_author_ids":["https://openalex.org/A5026866315"],"corresponding_institution_ids":["https://openalex.org/I204337017"],"apc_list":null,"apc_paid":null,"fwci":1.1514,"has_fulltext":true,"cited_by_count":6,"citation_normalized_percentile":{"value":0.77022594,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":94,"max":96},"biblio":{"volume":"49","issue":"4","first_page":"2964","last_page":"2979"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9868000149726868,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10743","display_name":"Software Testing and Debugging Techniques","score":0.9815999865531921,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8332973718643188},{"id":"https://openalex.org/keywords/android","display_name":"Android (operating system)","score":0.5533273220062256},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.5095096230506897},{"id":"https://openalex.org/keywords/attribution","display_name":"Attribution","score":0.4925418794155121},{"id":"https://openalex.org/keywords/software-engineering","display_name":"Software engineering","score":0.48418477177619934},{"id":"https://openalex.org/keywords/ecosystem","display_name":"Ecosystem","score":0.4183838367462158},{"id":"https://openalex.org/keywords/data-science","display_name":"Data science","score":0.38732975721359253},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.24221402406692505}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8332973718643188},{"id":"https://openalex.org/C557433098","wikidata":"https://www.wikidata.org/wiki/Q94","display_name":"Android (operating system)","level":2,"score":0.5533273220062256},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.5095096230506897},{"id":"https://openalex.org/C143299363","wikidata":"https://www.wikidata.org/wiki/Q900584","display_name":"Attribution","level":2,"score":0.4925418794155121},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.48418477177619934},{"id":"https://openalex.org/C110872660","wikidata":"https://www.wikidata.org/wiki/Q37813","display_name":"Ecosystem","level":2,"score":0.4183838367462158},{"id":"https://openalex.org/C2522767166","wikidata":"https://www.wikidata.org/wiki/Q2374463","display_name":"Data science","level":1,"score":0.38732975721359253},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.24221402406692505},{"id":"https://openalex.org/C86803240","wikidata":"https://www.wikidata.org/wiki/Q420","display_name":"Biology","level":0,"score":0.0},{"id":"https://openalex.org/C77805123","wikidata":"https://www.wikidata.org/wiki/Q161272","display_name":"Social psychology","level":1,"score":0.0},{"id":"https://openalex.org/C18903297","wikidata":"https://www.wikidata.org/wiki/Q7150","display_name":"Ecology","level":1,"score":0.0},{"id":"https://openalex.org/C15744967","wikidata":"https://www.wikidata.org/wiki/Q9418","display_name":"Psychology","level":0,"score":0.0}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1109/tse.2023.3236582","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tse.2023.3236582","pdf_url":null,"source":{"id":"https://openalex.org/S8351582","display_name":"IEEE Transactions on Software Engineering","issn_l":"0098-5589","issn":["0098-5589","1939-3520","2326-3881"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320439","host_organization_name":"IEEE Computer Society","host_organization_lineage":["https://openalex.org/P4310320439","https://openalex.org/P4310319808"],"host_organization_lineage_names":["IEEE Computer Society","Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Software Engineering","raw_type":"journal-article"},{"id":"pmh:oai:pure.atira.dk:publications/33f9bf6c-0ef6-45ce-b24e-df290fbd455e","is_oa":true,"landing_page_url":"https://pure.au.dk/portal/en/publications/33f9bf6c-0ef6-45ce-b24e-df290fbd455e","pdf_url":"https://arxiv.org/pdf/2211.13104","source":null,"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"Hageman, K, Feal, A, Gamba, J, Girish, A, Bleier, J, Lindorfer, M, Tapiador, J & Vallina-Rodriguez, N 2023, 'Mixed Signals : Analyzing Software Attribution Challenges in the Android Ecosystem', IEEE Transactions on Software Engineering, vol. 49, no. 4, pp. 2964-2979. https://doi.org/10.1109/TSE.2023.3236582","raw_type":"info:eu-repo/semantics/publishedVersion"}],"best_oa_location":{"id":"pmh:oai:pure.atira.dk:publications/33f9bf6c-0ef6-45ce-b24e-df290fbd455e","is_oa":true,"landing_page_url":"https://pure.au.dk/portal/en/publications/33f9bf6c-0ef6-45ce-b24e-df290fbd455e","pdf_url":"https://arxiv.org/pdf/2211.13104","source":null,"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"Hageman, K, Feal, A, Gamba, J, Girish, A, Bleier, J, Lindorfer, M, Tapiador, J & Vallina-Rodriguez, N 2023, 'Mixed Signals : Analyzing Software Attribution Challenges in the Android Ecosystem', IEEE Transactions on Software Engineering, vol. 49, no. 4, pp. 2964-2979. https://doi.org/10.1109/TSE.2023.3236582","raw_type":"info:eu-repo/semantics/publishedVersion"},"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G163384878","display_name":null,"funder_award_id":"ICT19-056","funder_id":"https://openalex.org/F4320321003","funder_display_name":"Vienna Science and Technology Fund"},{"id":"https://openalex.org/G62988262","display_name":null,"funder_award_id":"CYNAMON-CM P2018/TCS-4566","funder_id":"https://openalex.org/F4320335322","funder_display_name":"European Regional Development Fund"}],"funders":[{"id":"https://openalex.org/F4320313831","display_name":"Comunidad de Madrid","ror":null},{"id":"https://openalex.org/F4320321003","display_name":"Vienna Science and Technology Fund","ror":"https://ror.org/01f9mc681"},{"id":"https://openalex.org/F4320327593","display_name":"Bundesministerium f\u00fcr Digitalisierung und Wirtschaftsstandort","ror":null},{"id":"https://openalex.org/F4320329167","display_name":"SBA Research","ror":"https://ror.org/05nny6x17"},{"id":"https://openalex.org/F4320335322","display_name":"European Regional Development Fund","ror":"https://ror.org/00k4n6c32"}],"has_content":{"pdf":true,"grobid_xml":false},"content_urls":{"pdf":"https://content.openalex.org/works/W4315750589.pdf"},"referenced_works_count":51,"referenced_works":["https://openalex.org/W34283345","https://openalex.org/W183494281","https://openalex.org/W1976596267","https://openalex.org/W1980874575","https://openalex.org/W1998821658","https://openalex.org/W2008502641","https://openalex.org/W2010395842","https://openalex.org/W2027943416","https://openalex.org/W2088479623","https://openalex.org/W2106510916","https://openalex.org/W2111643688","https://openalex.org/W2141554582","https://openalex.org/W2164539435","https://openalex.org/W2334842536","https://openalex.org/W2551244268","https://openalex.org/W2552873532","https://openalex.org/W2564822508","https://openalex.org/W2605037362","https://openalex.org/W2612622960","https://openalex.org/W2734633251","https://openalex.org/W2766980353","https://openalex.org/W2781198008","https://openalex.org/W2787735108","https://openalex.org/W2792035783","https://openalex.org/W2792151094","https://openalex.org/W2797009188","https://openalex.org/W2886307859","https://openalex.org/W2888672439","https://openalex.org/W2897615540","https://openalex.org/W2914751159","https://openalex.org/W2946880603","https://openalex.org/W2953797486","https://openalex.org/W2963213304","https://openalex.org/W2978651785","https://openalex.org/W3012793501","https://openalex.org/W3091477168","https://openalex.org/W3091580460","https://openalex.org/W3097394933","https://openalex.org/W3100514082","https://openalex.org/W3152941721","https://openalex.org/W3153294612","https://openalex.org/W3154197417","https://openalex.org/W4244201901","https://openalex.org/W6628532452","https://openalex.org/W6643463851","https://openalex.org/W6747772679","https://openalex.org/W6753450854","https://openalex.org/W6761342882","https://openalex.org/W6764197484","https://openalex.org/W6766222326","https://openalex.org/W6796619903"],"related_works":["https://openalex.org/W2035546108","https://openalex.org/W2376361520","https://openalex.org/W2133328864","https://openalex.org/W2093949997","https://openalex.org/W2570200690","https://openalex.org/W2389726244","https://openalex.org/W3030478661","https://openalex.org/W2323536476","https://openalex.org/W2104624653","https://openalex.org/W2128730003"],"abstract_inverted_index":{"The":[0],"ability":[1],"to":[2,28,44,56,95,234,259],"identify":[3,57],"the":[4,39,62,88,97,102,112,118,138,143,209,213,235,247,261,268,276],"author":[5,157,219],"responsible":[6],"for":[7,14,19,123,156,182,218],"a":[8,167],"given":[9],"software":[10,21,58,242],"object":[11],"is":[12,42],"critical":[13],"many":[15],"research":[16,48],"studies":[17],"and":[18,23,53,64,99,116,146,153,175,200,241,255],"enhancing":[20],"transparency":[22],"accountability.":[24],"However,":[25,70],"as":[26],"opposed":[27],"other":[29],"application":[30,72],"markets":[31,94,181],"like":[32],"Apple's":[33],"iOS":[34],"App":[35],"Store,":[36],"attribution":[37,68,158,192,265,287],"in":[38,107,159],"Android":[40,71,160,180],"ecosystem":[41],"known":[43],"be":[45],"hard.":[46],"Prior":[47],"has":[49],"leveraged":[50],"market":[51,109,152,173,198],"metadata":[52,155],"signing":[54,124,216,231],"certificates":[55,122,128,217,232],"authors":[59,74,229],"without":[60],"questioning":[61],"validity":[63,214,262],"accuracy":[65,98],"of":[66,90,101,120,127,142,149,169,215,237,249,263,278],"these":[67],"signals.":[69],"(app)":[73],"can,":[75],"either":[76],"intentionally":[77],"or":[78],"by":[79,93,105,130],"mistake,":[80],"hide":[81],"their":[82,108],"true":[83],"identity":[84],"due":[85,233],"to:":[86],"(1)":[87],"lack":[89,277],"policy":[91],"enforcement":[92],"ensure":[96],"correctness":[100],"information":[103],"disclosed":[104],"developers":[106],"profiles":[110,199],"during":[111],"app":[113,154,238],"release":[114],"process,":[115],"(2)":[117],"use":[119],"self-signed":[121],"apps":[125,176,226],"instead":[126],"issued":[129],"trusted":[131],"CAs.":[132],"In":[133],"this":[134],"paper,":[135],"we":[136,165,223,245,256],"perform":[137],"first":[139],"empirical":[140],"analysis":[141],"availability,":[144],"volatility":[145],"overall":[147],"aptness":[148],"publicly":[150,281],"available":[151,282],"markets.":[161],"To":[162],"that":[163,189,201,225,275],"end,":[164],"analyze":[166],"dataset":[168],"over":[170,183,204,280],"2.5":[171],"million":[172],"entries":[174],"extracted":[177],"from":[178,197,227],"five":[179],"two":[184],"years.":[185],"Our":[186,272],"results":[187,273],"show":[188],"widely":[190],"used":[191],"signals":[193,266,283],"are":[194],"often":[195],"missing":[196],"they":[202],"change":[203],"time.":[205],"We":[206],"also":[207],"invalidate":[208],"general":[210],"belief":[211],"about":[212],"attribution.":[220],"For":[221],"instance,":[222],"find":[224],"different":[228],"share":[230],"proliferation":[236],"building":[239],"frameworks":[240],"factories.":[243],"Finally,":[244],"introduce":[246],"concept":[248],"an":[250],"attribution":[253],"graph":[254],"apply":[257],"it":[258],"evaluate":[260],"existing":[264],"on":[267],"Google":[269],"Play":[270],"Store.":[271],"confirm":[274],"control":[279],"can":[284],"confuse":[285],"automatic":[286],"processes.":[288]},"counts_by_year":[{"year":2025,"cited_by_count":2},{"year":2024,"cited_by_count":2},{"year":2023,"cited_by_count":2}],"updated_date":"2026-03-27T05:58:40.876381","created_date":"2025-10-10T00:00:00"}