Recommending Security Requirements for the Development of Android Applications Based on Sensitive APIs

App stores allow anyone to sell his products to millions of potential users. However, limited by the resources and time, some developers often focus on the functionalities of their Apps without well-rounded considering security problems, which are more and more important for a successful product. In this paper, we propose an approach to help developers elicit security requirements by recommending related information gained from existing Apps in the marketplace. Firstly, we construct a feature framework to summarize functionalities of Apps by mining their descriptions with the method proposed in our previous work. Then, the sensitive APIs used in these Apps are extracted from their APK files and mapped with App features. Finally, we establish relationships between permissions and functionalities by taking sensitive APIs as a bridge, and design a recommendation framework to show information according to developers' demands from two aspects: the security requirements for the whole App and the ones for the given functionality. We evaluate our approach with 580 Apps from 5 categories on Google Play. The results confirm the usefulness of our approach, especially it can help new developers without experience initialize the security requirements and give mature developers supplementary information to elicit security requirements completely.