See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/335499796

An Observational Study on the State of REST API Uses in Android Mobile

Applications

Conference Paper · May 2019

DOI: 10.1109/MOBILESoft.2019.00020

CITATIONS READS
24 803

6 authors, including:

Manel Abdellatif Rafik Tighilt

École de Technologie Supérieure Université du Québec à Montréal
31 PUBLICATIONS 109 CITATIONS 8 PUBLICATIONS 46 CITATIONS

SEE PROFILE SEE PROFILE

Naouel Moha Yann-Gaël Guéhéneuc

Université du Québec à Montréal Concordia University Montreal
117 PUBLICATIONS 2,629 CITATIONS 342 PUBLICATIONS 9,713 CITATIONS

SEE PROFILE SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Service-Oriented Reengineering of Java EE Web Applications View project

Game of Homes (Serious Game) View project

All content following this page was uploaded by Yann-Gaël Guéhéneuc on 24 February 2021.

The user has requested enhancement of the downloaded file.

 An Observational Study on the State of REST API
Uses in Android Mobile Applications
Abdelkarim Belkhir Manel Abdellatif Rafik Tighilt
Université du Québéc à Montréal Polytechnique Montreal Université du Québéc à Montréal
Montréal, Canada Montreal, Canada Montreal, Canada
belkhir.abdelkarim@courrier.uqam.ca manel.abdellatif@polymtl.ca tighilt.rafik@courrier.uqam.ca
Naouel Moha Yann-Gaël Guéhéneuc Éric Beaudry
Université du Québéc à Montréal Concordia University Université du Québéc à Montréal
Montreal, Canada Montreal, Canada Montreal, Canada
moha.naouel@uqam.ca yann-gael.gueheneuc@concordia.ca beaudry.eric@uqam.ca

Abstract—REST is by far the most commonly-used style for business rules, and business processes of vital information-
designing APIs, especially for mobile platforms. Indeed, REST systems, which are remote services for architectural, efficiency,
APIs are well suited for providing content to apps running on and security reasons.
small devices, like smart-phones and tablets. Several research
works studied REST APIs development practices for mobile apps. REST (Representational State Transfer) APIs (Application
However, little is known about how Android apps use/consume Programming Interfaces) have been a mainstream form of
these APIs in practice through HTTP client libraries. Conse- services for some years now. They have been well suited for
quently, we propose an observational study on the state of the providing content to mobile devices, like smart-phones and
practice of REST APIs use in Android mobile apps. We (1) tablets, because they offer a lightweight and flexible imple-
build a catalogue of Android REST mobile clients practices; (2)
define each of these practices through a number of heuristics mentation for end users and mobile apps developers. Several
based on their potential implementations in Android apps, and research works studied best practices in the implementation
(3) propose an automatic approach to detect these practices. We of REST APIs [1], [2], [3], [4]. However, little is known on
analyze 1,595 REST mobile apps downloaded from the Google how Android apps use/consume these APIs in practice through
Play Store and mine thousands of StackOverflow posts to study dedicated HTTP client libraries.
REST APIs uses in Android apps. We observe that developers
have always used HttpURLConnection class for REST APIs
These libraries were first implemented for mobile apps
implementation in Android apps. However, since the apparition of with “low-level” APIs provided by programming languages
REST third-party libraries such as Okhttp, Retrofit and Google (sockets) or class libraries (HttpURLConnection). They can be
Volley, Android REST clients have been increasingly relying on implemented now using dedicated, third-party libraries, such
the facilities offered by these libraries. Also, we observe that as Google Volley or Retrofit. We ask in this paper how such
developers used to ignore some good practices of REST APIs
uses in Android apps. Such practices are the use of HTTP
dedicated HTTP client libraries are being used in practice by
third-party libraries, caching responses, timeout management, developers. Such knowledge is important for service providers
and error handling. Moreover, we report that only two good because (1) mobile apps run on mobile devices that have many
practices are widely considered by Android developers when constraints in terms of memory, battery, computational power,
implementing their mobile apps. These practices are network and competition for resources, (2) it would help them to offer
connectivity awareness and JSON vs. XML response parsing.
We also find that Retrofit is the most targeted third-party HTTP
more features that ease the Android developers’ work, and (3)
client library by Android developers because of its ease of use and it would help them improve the usability and performance of
provided features. Thus, we conclude that service providers must REST client libraries [5].
strive to make their libraries as simple as possible while mobile- Consequently, we propose an observational study of the
service consumers should consider existing libraries to benefit state of the practice of the use of REST APIs by Android
from their features, such as asynchronous requests, awareness to
apps. We answer the following research questions:
connectivity, timeout management, and cached responses.
• RQ1: What is the state of the practices in the use of
REST APIs by Android apps? We want to observe the
I. I NTRODUCTION
use of practices by developers and their prevalence.
The global market has experienced a tremendous increase • RQ2: What is the state of the implementation of HTTP
in the number of mobile users over the past decades. In 2018, client libraries in Android REST clients? We want to
Google PlayStore boasted close to 2.2 millions of mobile observe the implementations used by developers for
applications (apps) while the Apple AppStore has over 2 REST APIs, which will inform the choice of HTTP client
millions1 . Most of these mobile apps access remote data, libraries.
By answering these research questions, we want to recom-
1 https://www.statista.com/markets/424/topic/538/mobile-internet-apps mend to developers the libraries and practices to adopt based
on their prevalence in implementations and their benefits for proposed SODA-R (Service Oriented Detection for Anti-
developers. patterns in REST) [4], a heuristics-based approach to detect
Therefore, we provide four contributions. We review the lit- (anti)patterns in REST systems. They relied on heuristics
erature extensively and compile a catalogue of seven practices and detection rules for eight REST anti-patterns and five
related to the development of mobile apps using REST APIs. patterns. They applied their tool on a set of 12 widely-
These practices pertain to the use of dedicated, third-party used REST APIs including BestBuy, DropBox, and Facebook.
libraries and help to understand how Android apps use/con- Then, Palma et al. proposed a syntactic and semantic approach
sume REST APIs. Then, we propose a framework, PIRAC, to detect REST linguistic (anti-)patterns, which they define as
that automatically detects occurrences of the practices using poor/good practices in the naming, documentation, and choice
detection rules. Then, we conduct an observational study on of identifiers in REST APIs [7]. Finally, Palma et al. proposed
over 1,595 REST mobile apps out of 9,173 apps downloaded UniDoSA [6], a unified approach that (1) embeds a unified
from the Google PlayStore to report how they use/consume meta-model for the three main service technologies REST,
REST APIs. Finally, we mine 12,478 StackOverflow posts to SCA, and SOAP and (2) detects the presence of anti-patterns
assess the importance of the identified practices from the point in service-based systems.
of view of Android developers. A set of automatic approaches for the detection of REST
The remainder of this paper is as follows. Section II (anti)patterns are proposed in these works. However, they
describes related works. Section III details the design of our specifically evaluated APIs without considering any interaction
study. Section IV reports our observations. Section V answers with clients, in particular mobile clients, as we do here. Other
our research questions based on our observations while Section works proposed similar (anti)patterns detection approaches in
VI describes the threats to validity of our observational study. service applications. They implemented other techniques, such
Finally, Section VII concludes with future work. as bi-level optimization problems [8] or ontologies [9].
In contrast, in this paper, we consider and automatically
II. R ELATED W ORK detect practices related to the development of REST mobile
Several research works have been proposed in the literature clients. We take also into account the interactions among
on bad and good practices in REST APIs. However, few are clients and REST APIs, not on the service side but on the
the works that study how Android apps use/consume REST client one. We study in details the use of REST APIs libraries
APIs. for mobile clients and how Android mobile apps use/consume
In the context of mobile apps, Rodriguez et al. [1] were REST APIs.
the first to study the traffic of HTTP requests from mobile
clients. They evaluated the conformance of some state-of-the- III. S TUDY D ESIGN
art design best practices of REST APIs from the perspective This section presents the design of our study, which aims
of mobile clients. They analyzed these practices on a large to answer our research questions. Answering these questions
data-set of 78 GB of HTTP requests collected from a mobile- led us to conduct an observational study on hundreds of
Internet traffic-monitoring site. However, the best practices Android apps from the Google PlayStore. First, we reviewed
analyzed are common to any kinds of REST APIs and they the literature and developers’ forums to build a catalogue
focused specifically on HTTP requests. of Android REST clients practices. Second, we developed
Oumaziz et al. [5] conducted an empirical study on 500 a tool, PIRAC2 , to detect each of the identified practices.
popular Android apps and 15 popular services to identify Third, we validated the detection precision of PIRAC on 80
best practices when using/consuming REST APIs for Android Android apps collected from the F-Droid repository. Fourth,
mobile clients. They showed that Android clients generally we applied PIRAC on 9,173 mobile apps downloaded from
favour invoking REST APIs by using official dedicated service Google PlayStore to study the state of the practices in Android
libraries instead of invoking services with a generic HTTP clients. Finally, we conducted an observational study on Stack-
client like HttpURLConnection. They also presented which Overflow to assess the importance of the identified practices
good practices service libraries should be implemented fol- and the use of Android HTTP libraries from the developers’
lowing an online survey and manual analyses of the apps. In point of view. We describe here the first three steps and the
this paper, (1) we go more in details to identify how dedicated last one in the next section.
service libraries are used by Android clients. (2) We propose
a tool to automate the detection of these practices in Android A. Step 1: Cataloguing Android REST Mobile Clients Prac-
mobile apps. (3) We empirically analyze more than 9,000 tices
Android mobile clients to study the usage of REST APIs in To answer our first research question, we performed a
Android mobile apps. domain analysis of development practices related to Android
Several works were carried out for the detection of service REST clients by studying their definitions and specifications
anti-patterns [1], [2], [3], [4], [6], [7]. For example, in the in the literature as well as in online resources and articles.
context of REST APIs implementation, Palma et al. evaluated This domain analysis allowed us to identify seven practices
the design of several REST APIs and proposed different
approaches to detect automatically REST (anti)patterns. They 2 http://git.sofa.uqam.ca/mabdellatif/pirac/tree/master
that we classified into two sets: (1) good and bad practices for retry the requests in some chosen time-intervals until
Android REST clients and (2) other practices that are neither successfully, etc.
good nor bad practices.
List of Other Practices for Android REST Clients
1) Synchronous vs. Asynchronous requests: REST APIs
List of Good and Bad Practices for Android REST Clients requests can be synchronous or asynchronous. For syn-
1) 3 Use of third-party HTTP client vs. 7 HttpURL- chronous requests, the code execution will block until
Connection: This practice concerns the use of third- the API call returns. For asynchronous requests, calls to
party libraries to manage REST requests. It is recom- remote APIs are made while the execution continues.
mended that mobile HTTP queries should be encapsu- Android developers should carefully choose whether to
lated in a method proposed by the interface of official invoke REST APIs synchronously or asynchronously
third-party libraries, such as OkHttp, Retrofit, Google based on their needs to increase the responsiveness of
Volley, etc. A Non-encapsulated HTTP Query must be their apps.
manually built by the developer with all the needed pa- B. Step 2: Detection of the Practices
rameters using HttpURLConnection. This process could
We developed a framework, PIRAC, to detect the seven
be long and complicated in some cases and could make
identified practices. As depicted in Figure 1, our framework
the code difficult to maintain.
takes as input Android APKs, their corresponding meta-data,
2) 3 Caching vs. 7 Non caching: Caching is the
and a list of HTTP client libraries, which we use to filter
ability to keep copies of frequently accessed data in
the code to analyze. Our tool uses the SOOT framework
several places along the request–response path. Some
[11] to parse the byte-code of mobile apps and extract all
third-party Android REST libraries offer facilities to
the information needed for our analyses, such as classes
manage response caching, such as removing a single
and methods. PIRAC creates models for Android mobile
cached response, clearing the entire cache, retrieving
apps based on the information extracted by SOOT,and those
the date of a cached response, so that developers can
extracted from the reconstructed manifest file. Then, we apply
accurately decide when an update should be made. It
the detection algorithms for the identified practices to detect
is recommended to cache frequent REST requests to
their uses.
reduce bandwidth usage, network latency, and battery
An Android APK contains the compiled source code of
consumption.
the app as well as that of third-party and Android libraries.
3) 3 Network connectivity aware vs. 7 Unaware
Running our analyses on the entire packaged code would
REST service invocation: This practice pertains to the
(1) produce misleading results and (2) affect the execution
validation of the network connectivity before sending
time of our analyses. Thus, we filter the application code
REST request. It is recommended to check network
to differentiate the code of the app currently under analysis
connectivity (1) to offload heavy REST queries when
from the code belonging to Android SDK and third-party
the device is connected to WiFi, (2) to increase device
libraries. We rely on a list of third-party Android libraries,
battery life, (3) to avoid charges related to limited mobile
which contains 1,353 package names of the most used libraries
data, and (4) to detect network changes and resume
identified by Li et al. [12]. This list has not been updated since
incomplete REST requests.
2016 so we updated it by adding 1,176 package names of the
4) 3 JSON vs. 7 XML: This practice pertains to REST
libraries that we manually collected from Android community
responses parsing by mobile clients. It is recommended
Web sites3 .
to parse REST responses with JSON as it is more
After filtering the app code, we construct models of the
human-readable than XML. Also, JSON is more CPU-
APKs that embed all the required information to apply our
friendly to parse as it is more compact than XML [10].
detection heuristics. Afterwards, we identify classes of interest
5) 3 Timeouts vs. 7 Perpetual requests: This practice
that are related to REST APIs services calls. Finally, we
is related to setting or not timeouts for REST requests.
analyze these classes and identify the practices based on our
There are several types of timeouts: connection timeout,
detection rules.
read timeout, write timeout, etc. If a mobile client fails
In the following, we describe some of the detection rules
to establish a connection to the server within the set
that we use in our framework.
connection timeout, it will consider that the request
a) Android REST clients identification: Identifying auto-
failed. It is recommended to set proper timeouts values
matically Android apps that make REST calls can be a very
to make mobile apps more responsive and user friendly.
complicated task, especially with the use of static analyses
6) 3 Specification vs. 7 Non specification of a behaviour
methods. Indeed, we can only rely on some used practices
for failed requests: The specification of a behaviour
in the apps source code to verify whether a given app is
when REST requests fail is highly recommended to in-
potentially using a REST API. We rely primarily on these
crease usability and responsiveness of the mobile client
rules:
apps. Possible behaviours include to drop the requests
until some change to the network connectivity or to 3 https://android-arsenal.com/
 Detection rules
3rd party libs

Cache

Sync/Async
requests
MANIFEST Error Detected practices
handling

APK Connectivity 3rd party libs

awareness
Construction of Cache
SOURCE APK Source code Timeout
PIRAC model Detection of the
CODE filtration Sync/Async
practices
Json/XML requests
Construction of SOOT
model Error
Exclusion of client libraries Detection algorithms handling
and detection of classes of CLASSES Construction of
LIBRARIES interest PIRAC Connectivity
OF MANIFEST model awareness
BLACKLIST model
INTEREST
Timeout

Json/XML

Figure 1. Detection of REST APIs practices usage in Android apps with PIRAC

1) The use of Android INTERNET permission. Android use of REST API requests. To detect such behaviour, our tool
apps require Internet permission to access the mobile detects the invocations of methods that provide information
network. This information is explicitly defined in the about network connectivity from the ConnectivityManager
Android manifest file. class.
2) The referencing of an HTTP client library. The com- e) JSON vs. XML Response Parsing: The responses from
munication with REST APIs is primarily based on the REST APIs come in multiple formats, mainly JSON and XML.
HTTP protocol. REST apps must use an HTTP library The use of JSON is recommended due to its size relatively
to communicate through this protocol. We rely on a to XML, its readability by developers, and its ease of use.
list of 75 HTTP client libraries collected from a Maven To detect the usage of one of these two data formats, our
repository4 . framework detects the usage of the most common JSON and
When we detect these practices in an app, it is automatically XML libraries as well as their instantiation in a code executing
marked as “Potentially Using a REST API”. For a better an HTTP call.
accuracy of the detection of our targeted practices, we ensured f) Timeout vs. Perpetual REST Requests: Each one of
that the HTTP client library is executing REST calls and that it the studied client libraries provide classes or methods to
is not just referenced for other purposes/uselessly (dead code). configure a timeout for their HTTP requests. To detect a
Indeed, the simple presence of an HTTP client library in the timeout configuration, PIRAC detects invocations of these
APK file does not guarantee that this app uses/consumes REST methods or instantiation of classes with a timeout value in
APIs. Also, some Android apps may reference an HTTP client the constructor.
library to use only some of its classes without executing any g) Specification vs. Non-specification of a Behaviour
REST calls. Upon Failure: When a request fails, regardless of the rea-
b) Use of Third-party HTTP Library vs. HttpURLCon- son, developers should implement custom logic and show an
nection: When it comes to executing HTTP calls, developers adapted message to the end user. To detect this behaviour, in
can rely on the native HttpURLConnection API or choose to the case of HttpURLConnection, we detect the retrieval
use an external HTTP library. Our tool detects the usage of of HTTP status codes after a request. For external libraries,
HttpURLConnection or an external library by analyzing the we detect the usage of specific library error-handling methods
instantiation of objects and calls made with the specific Java (e.g., onFailure() or response.isSuccessful()).
methods of each of the libraries.
h) Synchronous vs. Asynchronous Requests: When using
c) Cached vs. Non-cached Responses: Developers can
third-party libraries, it is simple to perform asynchronous
use the caching capabilities offered by the HTTP client
requests because these libraries offer specific methods with
libraries or develop their own caching strategy. To detect
callbacks. To detect synchronous/asynchronous requests from
response caching, PIRAC detects the use of relevant meth-
third-party libraries, we implemented a detection approach
ods and classes provided by the libraries, which allow such
specific to each kind of libraries. We rely on the detec-
operations. PIRAC detects also the creation and use of caching
tion of third-party REST clients methods dedicated to syn-
folders dedicated to Android apps.
d) Network-connectivity Aware vs. Unaware REST chronous/asynchronous REST requests. The detection of asyn-
Requests: The Android SDK provides a class named chronous requests for Java HttpURLConnection is more
ConnectivityManager, which provides information challenging. When using this library, developers must cus-
about the network connectivity of a device (network type, tomize and hard-code asynchronous requests, most commonly
availability, etc.). Developers can use this class to adapt their using the AsyncTask class, which provides methods with
callbacks. We analyze the bodies of the methods running in the
4 https://mvnrepository.com/open-source/http-clients background to build a method-invocation call graph. Finally,
we search for a REST call in each of these methods.
C. Step 3: Validating Harissa for the Detection of REST
Mobile Clients Practices
For our validation, we analysed 1448 Android apps from
F-Droid repository5 . We applied our tool on this dataset.
We manually validated each of our practices in 80 Android
REST clients chosen randomly from the dataset by checking
the source code of each app. We chose 80 apps to reach a
confidence level of 95%. Table I summarises the detection
precision and recall of each targeted practice. The precision
detection for each targeted practice by our tool is satisfactory
as it varies between 81.91% and 100%. The recall of our tool
is also satisfactory as it varies between 80% and 95.33%. We
reached an average detection precision of 93.70% while we
had an average detection recall of 87.66%. These detection Figure 2. Distribution of Android apps by category
results confirm the reliability of our tool to detect our targeted
practices.
Practices Precision Recall
Use of third-party HTTP Li- 100% 80%
brary vs. HttpURLConnec-
tion
Cache usage 99.38% 92.85%
Connectivity aware clients 95.62% 95.33%
JSON vs. XML 89.05% 88.69%
Timeout setting 90.00% 86.36%
Specification of a behavior at 81.91% 85.39%
Figure 3. Android REST clients LOCs
request failure
Synchronous vs. 100% 85%
asynchronous calls
Average 93.70% 87.66%
Table I
OVERVIEW OF THE DETECTION PRECISION OF OUR TOOL

IV. O BSERVATIONS
A. Dataset
To conduct our observational study, we downloaded ran-
domly 9,173 Android apps from the Google PlayStore. We
used Androzoo6 to collect APKs and meta-data for these
apps. As depicted in Figure 2, the apps belong to varied
categories, such as games, communication, weather, etc. We Figure 4. Evolution of the use of HTTP libraries in time
applied PIRAC on the data-set to extract all REST clients for
a total number of 1,595 Android REST clients. These apps are
also of different sizes, as shown in Figure 3. a) Use vs. Non-use of Third-party Libraries for HTTP
Requests: Based on our previous work [5], the most used An-
Observation 1: We observe that the three main cat- droid libraries to execute HTTP requests are OkHttp, Retrofit,
egories that use the most Android REST clients are Google Volley, and Java HttpURLConnection. We focused
Lifestyle, Business& Finance, and Video& Media. on these libraries and studied their usage evolution in REST
mobile clients. We noticed that Java HttpURLConnection is
the oldestlibrary to execute HTTP requests in REST Android
B. Observations about the Identified Practices
clients. With Figure 4, we noticed that HttpURLConnection is
In this section, we present our observations about the getting less used by developers compared to newer third-party
distribution of good and bad practices of REST APIs in libraries (i.e., OkHttp, Retrofit, and Google Volley).
Android clients. In 2014, OkHttp, Retrofit, and Google Volley have been
5 https://f-droid.org/en/ released to ease and simplify the management of HTTP
6 https://androzoo.uni.lu/ requests by Android clients. We observe that between 2014
 80%

70%

60%

50%

40%

30%

20%

10%

0%
2012 2013 2014 2015 2016 2017 2018
Year

Caching Asynchronous communications

Network connectivity-aware Timeout

Figure 5. Evolution of the practices in time

Figure 7. Distribution of Android HTTP libraries by practices

and 2018, the usage evolution of OkHttp and Retrofit is almost

the same because Retrofit uses the OkHttp library for HTTP response caching has been rapidly increasing during the past
requests. The usage evolution of these two libraries increased five years.
rapidly (60% and 64%, respectively) between 2017 and 2018 As depicted in Figure 8, we observe that Android apps using
compared to Google Volley (37%) and Java HttpURLConnec- third-party libraries tend to consider more frequently the use of
tion (35%). caching (85% of Android apps considering caching are using
third-party libraries).
Observation 2: Recently, Android developers have
been using OkHttp, Retrofit, and Google Volley to Observation 3: Android developers tend to ignore the
manage REST requests because they offer more inter- use of caching to manage REST requests. However,
esting features compared to Java HttpURLConnection. Android apps using third-party libraries tend to con-
For example, implementing asynchronous requests is sider the usage of caching more.
easier when using third-party libraries because devel-
opers do not need to use Android AsyncTasks to
run network operations in a separate thread.

Figure 6. Distribution of Android REST client practices

b) Cached vs. Non-cached Responses: Although caching

helps developers implement highly capable and scalable REST Figure 8. Cache usage by Android REST client library
clients and services by limiting repetitive interactions, REST
Android developers widely ignore the caching capability for c) Network-connectivity Aware vs. Unaware REST re-
their REST requests. Based on Figure 6, we observe that only quests: Based on Figure 6, we observe that 62% of REST
4% of REST Android clients cache REST responses, which Android clients are aware of/check network connectivity be-
forces the apps to retrieve duplicate responses from servers. fore performing REST requests, which is a good practice
This bad practice is known as Ignoring Caching anti-pattern with several advantages. Checking network connectivity first
[4], [13]. Also, based on Figure 5, we observe that the use of lets mobile clients improve battery life by offloading heavy
network requests when the device is connected to WiFi, for f) Specification vs. Non-specification of a Behaviour
example. Also, for most users, mobile data is limited and can Upon Failure: Based on Figures 6 and 10, we observe that
be quite expensive. only 45% of Android REST clients handle HTTP requests
failures when calling REST APIs. We also observe that
Observation 4: The check of network connectivity Android developers do not take full benefit from the error-
before performing REST requests is a good, common handling features provided by third-party libraries as 88%
practice for Android REST clients. of error handling in Android apps are implemented with
HttpURLConnection. The wide use of HttpURLConnection
may hinder the adoption of such a good practice as developers
d) JSON vs. XML Response Parsing: Using JSON to
must implement themselves how to catch the requests failures
communicate via REST APIs is highly recommended in
and specify what should happen in case of failures.
comparison to XML due to its ease of use and of parsing.
Based on Figure 6, we observe that this good practice is widely
adopted by Android developers with 78% of Android REST Observation 7: The specification of a behaviour in
clients using JSON to parse REST APIs responses while only case of request failures is widely ignored by Android
24% use XML. developers as they poorly use third-party HTTP li-
braries that facilitate errors handling.
Observation 5: The good practice of using JSON to
communicate REST APIs responses is widely adopted
by Android developers.

e) Timeout vs. Perpetual REST Requests: Based on Fig-

ure 6, we observe that only 36% of Android REST clients
consider setting timeouts when performing HTTP requests. As
depicted in Figure 9, we also observe that 77% of Android
REST clients that consider timeouts use HttpURLConnection.
This high percentage is due to HttpURLConnection being the
only studied HTTP library that does not specify a default
value for timeouts. When using such a library, developers must
specify a value of timeout.

Observation 6: Although it is recommended to set

proper timeouts values to make the mobile apps more
responsive and user friendly, Android developers tend
to ignore this good practice.
Figure 10. Error-handling usage by Android HTTP client library

g) Synchronous vs. Asynchronous REST Requests: Based

on Figure 6, we observe that synchronous and asynchronous
calls to REST APIs are almost equally used by Android
clients. We also observe that asynchronous communications
increased by almost 40% in the past five years thanks to the
features offered by third-party libraries: Android developers
do not have to manage asynchronous calls by themselves
anymore. However, Android developers still poorly rely on
third-party HTTP libraries to make asynchronous calls as 77%
of asynchronous communications are made with HttpURL-
Connection.

Observation 8: Synchronous and asynchronous calls

to REST APIs are almost equally used by Android
clients. Also, we observe that Android developers are
still relying on third-party HTTP libraries to make
Figure 9. Timeout usage by client library asynchronous calls.
C. Mining Android REST API Usage Practices on Stack
Overflow
We mined thousands of StackOverflow posts to assess the
importance of the identified practices from the developers’
point of view. We executed several search queries related to
our identified practices for Android apps and manually filtered
irrelevant posts. We obtained a total number of 12,478 posts
related to REST API usage practices in Android apps.

Figure 13. Evolution of the questions on StackOverflow about Android HTTP

libraries over the years

Figure 11. Distribution of the questions on StackOverflow about the identified

practices
ask most questions about REST requests, when using Retrofit
(67%). Also, we found that 14% of the questions were about
Google Volley, 12% were about OkHttp, and only 7% were
about HttpURLConnection.
We explain the high interest by Android developers in
Retrofit by the poor documentation of this library in com-
parison to its features and its high performance in comparison
to OkHttp, Google Volley, and HttpURLConnection7 .

Observation 9: Since the apparition of third-party

HTTP libraries, Android developers ask more ques-
tions about them in comparison to HttpURLConnec-
tion.

There is also a concern by Android developers on Stack-

Overflow about asynchronous (30%) vs. synchronous (2%)
HTTP requests to REST APIs because (1) asynchronous
communications with REST APIs have more complicated im-
Figure 12. Distribution of the questions on StackOverflow about Android plementation than synchronous ones and (2) the multiple ways
HTTP libraries provided by HTTP libraries to handle such kind of requests
are confusing to novice developers. Android developers seem
Based on Figure 11, we conclude that the most discussed more interested in managing such calls with third-party HTTP
practice on StackOverflow by Android developers is the use libraries (mainly Retrofit as we can see in Figure 14) as
of third-party HTTP libraries. Android developers seem more they offer more straightforward ways to manage such kind
interested about using third-party HTTP libraries to ease the of requests in comparison to HttpURLConnection.
management of HTTP requests. We report that Android developers do not ask many ques-
As depicted in Figures 12 and 13, we also report the tions about the “connectivity aware" request practice (only
distributions of the questions in StackOverflow per Android 2%), probably because it is very simple to implement.
HTTP library. Based on Figure 13, we report that, since
Also, we observe that Android developers do not ask many
the apparition of Android HTTP dedicated libraries in 2013,
questions about parsing REST APIs responses with JSON. The
the number of questions about HttpURLConnection has been
more problematic parsing format is XML with 25% of the
significantly decreasing. Also, based on Figure 12, we observe
questions about XML parsing and only 9% are about JSON.
that there is a high interest in using Android HTTP client
libraries by Android REST clients developers to implement the
identified practices. Indeed, we found that Android developers 7 https://bit.ly/2ypkEl9
 Observation 10: There is a high interest on Stack- • Connectivity aware REST requests and JSON responses
Overflow in using third-party HTTP libraries for An- parsing are the most evident/trivial practices for Android
droid REST clients. Also, making asynchronous calls, developers as reflected by the low number of questions
caching responses, error handling, and XML parsing about these practices on StackOverflow vs. their high
are the most discussed practices. usage in Android apps.

B. RQ2: What is the state of the implementation of HTTP

client libraries in Android REST clients?
Choosing an efficient mobile HTTP library to communicate
with a REST API can be difficult for developers because
they must handle many aspects, such as making connec-
tions, caching, retrying failed requests, parse responses, handle
errors, etc. Although only 28% of Android REST clients
use third-party HTTP libraries, since the apparition of such
libraries, developers have been using them increasingly. The
evolution of their usage by developers is rapidly growing
(almost 98% of apps released in 2018 are using third-party
libraries). Also, since the apparition of third-party libraries,
Android apps tend to use more and more good practices
Figure 14. Distribution of the questions on StackOverflow about Android when performing REST requests. Such practices are caching
REST client libraries by practice requests, timeout, connectivity awareness, JSON vsẊML re-
sponses parsing, and error handling.
After comparing the state of implementation of HTTP li-
V. A NSWERS TO O UR R ESEARCH Q UESTIONS braries in Android apps and the distribution of questions about
We now answer our research questions using our previous these libraries in StackOverflow, we found that Retrofit is the
observations. most used and discussed third-party HTTP library because of
its ease of use, high performance and its caching features.
A. RQ1: What is the state of the practices in the use of REST Finally, we found that apps using third-party libraries tend
APIs by Android apps? to use more “good” practices: for example, Figure 7 shows
We identified several practices of REST APIs uses in that 85% of the apps with cache are using third-party libraries
Android clients that we classified into two sets: (1) good and and 60% of the apps with JSON responses parsing are also
bad practices for Android REST clients and (2) other practices using third-party libraries. The non-use of HTTP third-party
that are neither good nor bad. libraries may hinder the adoption of good practices, which is
We observed that only two good practices are widely consid- the case for timeouts and error handling.
ered by Android developers when implementing their mobile Thus, we answer that developers should use third-party li-
clients: network connectivity awareness and JSON response braries to benefit from their implementations of good practices
parsing. Moreover, based on our observations, we found that of REST API uses in Android mobile apps.
Android developers widely ignore some good practices of
REST APIs uses in Android apps: the use of HTTP third- VI. T HREATS TO VALIDITY
party libraries, caching responses, setting timeouts, and error In this section, we discuss the threats to validity of our
handling. observational study and the measures that we took to limit
Based on our observations we also found that: them.
• Caching REST responses is the most problematic practice Threats to internal validity. Although we did not carry any
for Android developers. This is reflected by the high statistical tests, we assume that the identified practices are rep-
number of questions about caching REST requests vs. the resentative characteristics of the Android REST clients. There
low percentage of Android apps using cache as shown by may be other characteristics that describe more accurately
Figures 6 and 11). these Android REST API clients. We will study more practices
• Specifying a behavior when requests fail is also very to cover possible other characteristics. We also related the
problematic for Android developers as they widely ignore practices manually thanks to the information provided in
this good practice and ask many questions about it on the literature. Yet, other researchers should perform similar
StackOverflow. analyses to confirm/infirm ours.
• Asynchronous REST request practice seems to be dif- The source code of some of the apps in our data-set is
ficult for developers as reflected by the high number of obfuscated. Even a simple obfuscation affects our detection
questions in this topic vs. the high number of apps relying precision because names of packages, classes, and methods
on asynchronous calls. change. Also, we do not detect custom caching strategies as we
only detect cache-related and asynchronous calls using third- apps developers should consider existing HTTP libraries to
party libraries. Custom caching and synchronisation strategies make use of good practices and get benefit from their features,
are challenging to cover because they vary among apps. More such as asynchronous requests, timeout management, caching
research should be done to cover such custom implementa- responses, and error handling.
tions. Future work includes selecting and–or defining more prac-
Another threat arises from the data gathered from Stack- tices and analyzing their prevalence in Android apps as well
Overflow. Although we used several search queries to collect as other apps for other mobile operating systems, in particular
our data, we may have missed some interesting posts about iOS. Thus, we could further recommend to developers best
REST APIs uses in Android apps. To mitigate this risk, practices when developing apps that use REST APIs. We also
we used a combination and keywords to gather the most want to study source-code transformations that would allow
significant posts on Stack Overflow. Also, we do not consider developers to migrate their apps from one library, in particular
any filtering process for duplicate posts as they are useful for HttpURLConnection, to other libraries, like Retrofit or Google
our study: they show the developers’ interest in using/adopting Volley, to benefit from their features.
a particular REST practice.
R EFERENCES
Threats to external validity concern the generalizability of
our results. Although we presented the largest study on the [1] C. Rodríguez, M. Báez, F. Daniel, F. Casati, J. C. Trabucco, L. Canali,
and G. Percannella, “REST apis: A large-scale analysis of compliance
practices and implementations of Android REST apps, we with principles and best practices,” in 16th International Conference
cannot generalise our results to all mobile apps. Future work Web Engineering, ser. Lecture Notes in Computer Science, vol. 9671.
is necessary to analyze more mobile REST clients, from other Springer, 2016, pp. 21–39.
[2] F. Petrillo, P. Merle, N. Moha, and Y. Guéhéneuc, “Are REST apis
mobile platforms to confirm and—or infirm our observations for cloud computing well-designed? an exploratory study,” in 14th
on their design quality characteristics. Also to generalize our International Conference on Service-Oriented Computing, ser. Lecture
results, we should consider other developers’ forums, such as Notes in Computer Science, vol. 9936. Springer, 2016, pp. 157–170.
[3] H. Brabra, A. Mtibaa, L. Sliman, W. Gaaloul, B. Benatallah, and
GitHub, Quora, or Reddit. F. Gargouri, “Detecting cloud (anti) patterns: Occi perspective,” in
International Conference on Service-Oriented Computing. Springer,
VII. C ONCLUSION AND F UTURE W ORK 2016, pp. 202–218.
[4] F. Palma, J. Dubois, N. Moha, and Y. Guéhéneuc, “Detection of
Several research works studied REST APIs development REST patterns and antipatterns: A heuristics-based approach,” in 12th
practices for mobile apps. However, little is known on how International Conference on Service-Oriented Computing, ser. Lecture
Android mobile apps use/consume REST APIs. Notes in Computer Science, vol. 8831. Springer, 2014, pp. 230–244.
[5] M. A. Oumaziz, A. Belkhir, T. Vacher, E. Beaudry, X. Blanc, J.-R.
We described in this paper an observational study about the Falleri, and N. Moha, “Empirical study on rest apis usage in android
state of the practices of REST APIs uses in Android mobile mobile applications,” in International Conference on Service-Oriented
apps. We provided four contributions: (1) we reviewed the lit- Computing. Springer, 2017, pp. 614–622.
[6] F. Palma, N. Moha, and Y.-G. Guéhéneuc, “Unidosa: The unified
erature extensively and compiled a catalogue of seven practices specification and detection of service antipatterns,” IEEE Transactions
related to the development of apps using REST APIs. These on Software Engineering, 2018.
practices pertained to the use of dedicated, third-party libraries [7] F. Palma, J. Gonzalez-Huerta, N. Moha, Y. Guéhéneuc, and G. Trem-
blay, “Are restful apis well-designed? detection of their linguistic
and helped to understand how Android apps use/consume (anti)patterns,” in 13th International Conference on Service-Oriented
REST APIs, (2) we proposed a framework, PIRAC, to detect Computing, ser. Lecture Notes in Computer Science, vol. 9435.
automatically occurrences of the identified practices using Springer, 2015, pp. 171–187.
[8] H. Wang, M. Kessentini, and A. Ouni, “Bi-level identification of
detection rules, (3) we conducted an observational study on web service defects,” in 14th International Conference on Service-
over 1,595 REST mobile apps out of 9,173 apps downloaded Oriented Computing, ser. Lecture Notes in Computer Science, vol. 9936.
from the Google PlayStore to report how they use/consume Springer, 2016, pp. 352–368.
[9] H. Brabra, A. Mtibaa, L. Sliman, W. Gaaloul, B. Benatallah, and
REST APIs, (4) we mined 12,478 StackOverflow posts to F. Gargouri, “Detecting cloud (anti)patterns: OCCI perspective,” in 14th
assess the importance of the identified practices and the use of International Conference on Service-Oriented Computing, ser. Lecture
Android HTTP libraries from the developers’ point of view. Notes in Computer Science, vol. 9936. Springer, 2016, pp. 202–218.
[10] N. Nurseitov, M. Paulson, R. Reynolds, and C. Izurieta, “Comparison
Based on our observational study, we found that developers of JSON and XML data interchange formats: A case study,” in 22nd
used to ignore some good practices of REST APIs uses in An- International Conference on Computer Applications in Industry and
droid clients. Such practices are the use of HTTP third-party Engineering, 2009, pp. 157–162.
[11] R. Vallée-Rai, P. Co, E. Gagnon, L. Hendren, P. Lam, and V. Sundaresan,
libraries, caching responses, timeout management, and error “Soot: A java bytecode optimization framework,” in CASCON First
handling. We found that only two good practices are widely Decade High Impact Papers. IBM Corp., 2010, pp. 214–224.
considered by Android developers when implementing their [12] L. Li, T. F. Bissyandé, J. Klein, and Y. Le Traon, “An investigation
into the use of common libraries in android apps,” in 2016 IEEE
mobile clients: network connectivity awareness and JSON vs. 23rd International Conference on Software Analysis, Evolution, and
XML responses parsing. We also found that, although only Reengineering (SANER), vol. 1. IEEE, 2016, pp. 403–414.
28% of Android REST clients use third-party HTTP libraries, [13] S. Tilkov, “Rest anti-patterns,” InfoQ Article (July 2008), 2008.
since the apparition of such libraries, developers have been
using them increasingly.
Thus, we concluded that service providers must strive to
make their libraries as simple as possible and that mobile

View publication stats