DOI: 10.1145/2976749.2978333 (research article, CCS conference proceedings)

Reliable Third-Party Library Detection in Android and its Security Applications

Published: 24 October 2016

Abstract

Third-party libraries on Android have been shown to be security and privacy hazards by adding security vulnerabilities to their host apps or by misusing inherited access rights. Correctly attributing improper app behavior either to app or library developer code or isolating library code from their host apps would be highly desirable to mitigate these problems, but is impeded by the absence of a third-party library detection technique that is effective and reliable in spite of obfuscated code. This paper proposes a library detection technique that is resilient against common code obfuscations and that is capable of pinpointing the exact library version used in apps. Libraries are detected with profiles from a comprehensive library database that we generated from the original library SDKs. We apply our technique to the top apps on Google Play and their complete histories to conduct a longitudinal study of library usage and evolution in apps. Our results particularly show that app developers only slowly adopt new library versions, exposing their end-users to large windows of vulnerability. For instance, we discovered that two long-known security vulnerabilities in popular libs are still present in the current top apps. Moreover, we find that misuse of cryptographic APIs in advertising libs, which increases the host apps' attack surface, affects 296 top apps with a cumulative install base of 3.7bn devices according to Play. To the best of our knowledge, our work is the first to quantify the security impact of third-party libs on the Android ecosystem.
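The abstract describes library profiles that survive common obfuscation and still pin down the exact library version. The following is an added example, not code from the paper: it shows one way such profiles can be built, by hashing method signatures with renameable types replaced by a placeholder and aggregating class hashes Merkle-style, then matching an identifier-renamed app against two constructed library versions. The library data, the obfuscated app and the choice of hashing scheme are assumptions for illustration and are not stated on this page.

```python
import hashlib
# Constructed sample library versions (assumed data, not the paper's database):
# version -> {class name: [JVM method descriptors]}
LIB_VERSIONS = {
    "adlib-1.0": {
        "com/ad/Banner": ["load(Landroid/content/Context;)V", "show()V"],
        "com/ad/Tracker": ["send(Ljava/lang/String;Lcom/ad/Banner;)Z"],
    },
    "adlib-1.1": {  # adds Banner.pause(), which tells the versions apart
        "com/ad/Banner": ["load(Landroid/content/Context;)V", "show()V", "pause()V"],
        "com/ad/Tracker": ["send(Ljava/lang/String;Lcom/ad/Banner;)Z"],
    },
}
# Framework types survive identifier renaming; any other class type may be renamed.
FRAMEWORK_PREFIXES = ("Ljava/", "Landroid/")

def fuzzy_descriptor(desc):
    """Drop the method name; replace non-framework class types with LX; so that
    ProGuard-style renaming of classes and methods leaves the result unchanged."""
    sig, out, i = desc[desc.index("("):], [], 0
    while i < len(sig):
        if sig[i] == "L":
            end = sig.index(";", i)
            typ = sig[i:end + 1]
            out.append(typ if typ.startswith(FRAMEWORK_PREFIXES) else "LX;")
            i = end + 1
        else:
            out.append(sig[i]); i += 1
    return "".join(out)

def h(s):
    return hashlib.sha256(s.encode()).hexdigest()

def class_hash(descs):
    # Merkle-style node: hash of the sorted method hashes, so order and names drop out
    return h("|".join(sorted(h(fuzzy_descriptor(d)) for d in descs)))

def profile(classes):
    # Root of the tree: hash of the sorted class hashes (class names ignored)
    return h("|".join(sorted(class_hash(m) for m in classes.values())))

def detect_version(app_classes, lib_versions=LIB_VERSIONS):
    """Return every library version whose profile equals the app code's profile."""
    target = profile(app_classes)
    return [v for v, cl in lib_versions.items() if profile(cl) == target]

# Constructed obfuscated app code: every identifier renamed, structure intact
OBFUSCATED_APP = {
    "a/a": ["a(Landroid/content/Context;)V", "b()V", "c()V"],
    "a/b": ["a(Ljava/lang/String;La/a;)Z"],
}
```

Exact-profile matching as written only fires when the whole library is present; apps that shrink libraries with dead-code removal would need per-class partial matching on top of this.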



Published In

CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, October 2016, 1924 pages. ISBN: 9781450341394. DOI: 10.1145/2976749.

Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags

  1. android
  2. third-party library detection


Acceptance Rates

CCS '16 Paper Acceptance Rate: 137 of 831 submissions, 16%
Overall Acceptance Rate: 1,261 of 6,999 submissions, 18%


Cited By

  • (2025) Deep learning and pre-training technology for encrypted traffic classification: A comprehensive review. Neurocomputing 617 (128444). DOI: 10.1016/j.neucom.2024.128444. Published Feb 2025.
  • (2024) Evaluation Methodologies in Software Protection Research. ACM Computing Surveys. DOI: 10.1145/3702314. Published 2 Nov 2024.
  • (2024) How Does Code Optimization Impact Third-party Library Detection for Android Applications? Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering, pp. 1919-1931. DOI: 10.1145/3691620.3695554. Published 27 Oct 2024.
  • (2024) A Longitudinal Analysis Of Replicas in the Wild Wild Android. Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering, pp. 1821-1833. DOI: 10.1145/3691620.3695546. Published 27 Oct 2024.
  • (2024) Giving without Notifying: Assessing Compliance of Data Transmission in Android Apps. Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering, pp. 1595-1606. DOI: 10.1145/3691620.3695528. Published 27 Oct 2024.
  • (2024) Enhancing Transparency and Accountability of TPLs with PBOM: A Privacy Bill of Materials. Proceedings of the 2024 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses, pp. 1-11. DOI: 10.1145/3689944.3696159. Published 19 Nov 2024.
  • (2024) A Large-Scale Study on the Prevalence and Usage of TEE-based Features on Android. Proceedings of the 19th International Conference on Availability, Reliability and Security, pp. 1-11. DOI: 10.1145/3664476.3664486. Published 30 Jul 2024.
  • (2024) Measuring Compliance Implications of Third-party Libraries' Privacy Label Disclosure Guidelines. Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, pp. 1641-1655. DOI: 10.1145/3658644.3670371. Published 2 Dec 2024.
  • (2024) Whatcha Lookin' At: Investigating Third-Party Web Content in Popular Android Apps. Proceedings of the 2024 ACM Internet Measurement Conference, pp. 114-129. DOI: 10.1145/3646547.3688405. Published 4 Nov 2024.
  • (2024) Keep Me Updated: An Empirical Study on Embedded Javascript Engines in Android Apps. Proceedings of the 21st International Conference on Mining Software Repositories, pp. 361-372. DOI: 10.1145/3643991.3644901. Published 15 Apr 2024.
