A snapshot of androidvulnerabilities.org is contained in androidvulnerabilities.zip, the live site is at http://androidvulnerabilities.org/ and the full up to date data and source code: https://github.com/ucam-cl-dtg/android-vulnerabilities The LaTeX source of the paper: spsm04-thomas.tex and security_scoring.tex The LaTeX source of the data included in the paper: avostats.tex, countversions.tex, dastats.tex the data was stored in these files using latex_value.py, the current version of which is available from: https://github.com/ucam-cl-dtg/latex_value The python code used to do version scraping: versions.py and the resulting data: version_dates_bouncycastle.csv, version_dates_linux.csv, version_dates_openssl.csv The python code used to analyse the device analyzer data and plot the graphs: contribution_analysis.py, dahelpers.py, iohelpers.py, iso8601.py, manufacturer_model_analysis.py, operator_analysis.py, os-version.py, plot_tools.py, version_security.py, version_tools.py The figures included in the paper along with some additional figures: figures.zip Comparisons between Google Play API data and Device Analyzer: api_gpcomp_diff.csv, api_gpcomp_rdiff.csv, gp_per_api_diff.csv, norm_api_gpcomp.csv First observations of API and OS versions: first_api_versions.csv, first_os_versions.csv Recorded instances of updates: security_updates.csv, updates.csv Significant manufacturers, models and operators: s_manufacturers.csv, s_models.csv, s_operators.csv The Device Analyzer data used is available under contract, details at: https://deviceanalyzer.cl.cam.ac.uk/ Those interested in the Rwanda data should speak to Sherif Akoush: https://www.cl.cam.ac.uk/~sa497/ The FTSE 100 company data is not available for external use.