DOI: 10.1145/3133956.3134059

Keep me Updated: An Empirical Study of Third-Party Library Updatability on Android

Published: 30 October 2017

Abstract

Third-party libraries in Android apps have repeatedly been shown to be hazards to users' privacy and to amplify their host apps' attack surface. A particularly aggravating factor is that the library versions included in apps are very often outdated.
This paper makes the first contribution towards solving the problem of library outdatedness on Android. First, we conduct a survey with 203 app developers from Google Play to retrieve first-hand information about their usage of libraries and requirements for more effective library updates. With a subsequent study of library providers' semantic versioning practices, we uncover that those providers are likely a contributing factor to the app developers' abstinence from library updates in order to avoid ostensible re-integration efforts and version incompatibilities. Further, we conduct a large-scale library updatability analysis of 1,264,118 apps to show that, based on the library API usage, 85.6% of the libraries could be upgraded by at least one version without modifying the app code, 48.2% even to the latest version. Particularly alarming are our findings that 97.8% out of 16,837 actively used library versions with a known security vulnerability could be easily fixed through a drop-in replacement of the vulnerable library with the fixed version. Based on these results, we conclude with a thorough discussion of solutions and actionable items for different actors in the app ecosystem to effectively remedy this situation.
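As an added illustration, not the paper's own tooling or data, the following computes the drop-in updatability the abstract describes by comparing the library methods an app actually calls with the public API of each library release, and flags releases that drop API without a major version bump, the semantic-versioning practice the abstract points to. All library names, method signatures and version numbers here are constructed.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample: public API of four hypothetical releases of an analytics
# library, and the two library methods a hypothetical app actually invokes.
LIB_API_BY_VERSION: Dict[str, Set[str]] = {
    "1.2.0": {"Tracker.init(Context)", "Tracker.logEvent(String)", "Tracker.flush()"},
    "1.3.0": {"Tracker.init(Context)", "Tracker.logEvent(String)", "Tracker.flush()",
              "Tracker.setUserId(String)"},
    # Minor release that silently removes flush(): a semver violation.
    "1.4.0": {"Tracker.init(Context)", "Tracker.logEvent(String)", "Tracker.setUserId(String)"},
    # Major release that changes the two signatures the app relies on.
    "2.0.0": {"Tracker.init(Context,Config)", "Tracker.logEvent(String,Bundle)",
              "Tracker.setUserId(String)"},
}
APP_USED_API: Set[str] = {"Tracker.init(Context)", "Tracker.logEvent(String)"}

def parse_version(v: str) -> Tuple[int, ...]:
    """'1.10.2' -> (1, 10, 2), so releases compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))

def drop_in_candidates(used_api: Set[str], api_by_version: Dict[str, Set[str]],
                       current: str) -> List[str]:
    """Releases newer than `current` (ascending) whose API still contains every
    library method the app calls, i.e. swappable without touching app code."""
    cur = parse_version(current)
    newer = sorted((v for v in api_by_version if parse_version(v) > cur), key=parse_version)
    return [v for v in newer if used_api <= api_by_version[v]]

def updatability(used_api: Set[str], api_by_version: Dict[str, Set[str]],
                 current: str) -> Dict[str, object]:
    """How far the bundled version could be bumped as a drop-in replacement."""
    latest = max(api_by_version, key=parse_version)
    cands = drop_in_candidates(used_api, api_by_version, current)
    return {
        "upgradable": bool(cands),
        "highest_drop_in": cands[-1] if cands else current,
        "latest": latest,
        "latest_is_drop_in": latest in cands,
        "blocking_in_latest": sorted(used_api - api_by_version[latest]),  # used but gone
    }

def semver_violations(api_by_version: Dict[str, Set[str]]) -> List[Tuple[str, str, List[str]]]:
    """Consecutive releases that drop public API without bumping the major version."""
    versions = sorted(api_by_version, key=parse_version)
    found = []
    for older, newer in zip(versions, versions[1:]):
        removed = sorted(api_by_version[older] - api_by_version[newer])
        if removed and parse_version(older)[0] == parse_version(newer)[0]:
            found.append((older, newer, removed))
    return found
```

With the app pinned at 1.2.0, the check reports 1.4.0 as the highest drop-in release and shows that 2.0.0 is blocked only by the two changed signatures, while the 1.3.0 to 1.4.0 step is flagged as removing API inside a minor release.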



Published In

CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
October 2017
2682 pages
ISBN:9781450349468
DOI:10.1145/3133956

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. android
  2. api
  3. app security
  4. third-party library
  5. updatability

Acceptance Rates

CCS '17 Paper Acceptance Rate 151 of 836 submissions, 18%;
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
