Web API Fragility How Robust Is Your Mobile Application?

Tiago Espinha, Andy Zaidman, Gerd Gross

MobileSoft 2015, Firenze, Italy

Dude, are you still on YouTube API v2?

Dude, are you still on YouTube API v2?

Developer decides when Web API provider decides when

v1

v2

What is the damage?

43 Android apps

Proxy server

Mutation operators on response message- Remove node- Add irrelevant node- Malformed response- Empty message response- Change of implicit data type- Data formatting disruption

Mutation operators on response message- Remove node- Add irrelevant node- Malformed response- Empty message response- Change of implicit data type- Data formatting disruption

App behaviour

• Force close• Error message (no silent fail)• Timeout (versus indefinitely loading)• No indication

What happens?Undesirable

• >50% apps fail silently • Most apps fairly robust(30% crash on field removal)

Recommendations• HATEAOS versioning of Web APIs• Better error reporting for users• Built-in validity checks for Web API

response• Design for change when dealing with

Web APIs