ABSTRACT
Third-party libraries on Android have been shown to be security and privacy hazards, either by adding security vulnerabilities to their host apps or by misusing inherited access rights. Correctly attributing improper app behavior to either app-developer or library-developer code, or isolating library code from its host app, would be highly desirable to mitigate these problems, but is impeded by the absence of a third-party library detection technique that is effective and reliable in the presence of obfuscated code. This paper proposes a library detection technique that is resilient against common code obfuscations and that is capable of pinpointing the exact library version used in an app. Libraries are detected using profiles from a comprehensive library database that we generated from the original library SDKs. We apply our technique to the top apps on Google Play and their complete histories to conduct a longitudinal study of library usage and evolution in apps. Our results in particular show that app developers only slowly adopt new library versions, exposing their end users to large windows of vulnerability. For instance, we discovered that two long-known security vulnerabilities in popular libraries are still present in the current top apps. Moreover, we find that misuse of cryptographic APIs in advertising libraries, which increases the host apps' attack surface, affects 296 top apps with a cumulative install base of 3.7bn devices according to Play. To the best of our knowledge, our work is the first to quantify the security impact of third-party libraries on the Android ecosystem.
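The abstract describes detecting libraries through profiles generated from the original SDKs, with matching that survives common obfuscation and pins the library version. The following is an added illustration written for this page, not the paper's own implementation: it builds identifier-free structural profiles (a Merkle-style hash over packages, classes and normalized method descriptors) so that renaming obfuscation does not change the profile, and it falls back to a per-class similarity score when shrinking has removed unused library classes. The library name "example-sdk", its two versions, the class layouts and the obfuscated app class sets are all constructed sample data; the assumptions are that renaming obfuscators cannot rename framework types (java.*, android.*, ...) and that they preserve the number and types of method parameters.

```python
# Added example (not from the paper): obfuscation-resilient library profiles.
# Assumptions: identifier renaming keeps method signature structure and
# framework types intact; shrinking may drop whole unused classes.
import hashlib
from collections import defaultdict

# Types an obfuscator cannot rename; everything else is abstracted to "L?;".
FRAMEWORK_PREFIXES = ("java/", "javax/", "android/", "androidx/", "dalvik/", "org/json/")


def normalize_type(t):
    """Keep primitives, array depth and framework classes; erase renamable names."""
    dims = 0
    while t.startswith("["):
        dims += 1
        t = t[1:]
    if t.startswith("L") and t.endswith(";") and not t[1:-1].startswith(FRAMEWORK_PREFIXES):
        t = "L?;"
    return "[" * dims + t


def tokenize_descriptor(desc):
    """Split a JVM method descriptor "(params)ret" into type tokens."""
    params, ret = desc[1:].split(")")

    def tok(s):
        out, i = [], 0
        while i < len(s):
            j = i
            while s[j] == "[":
                j += 1
            if s[j] == "L":
                k = s.index(";", j)
                out.append(s[i:k + 1])
                i = k + 1
            else:
                out.append(s[i:j + 1])
                i = j + 1
        return out

    return tok(params), tok(ret)[0]


def normalize_descriptor(desc):
    params, ret = tokenize_descriptor(desc)
    return "(" + "".join(normalize_type(p) for p in params) + ")" + normalize_type(ret)


def h(*parts):
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]


def class_hash(method_descriptors):
    # Sorted so that method order (obfuscator-dependent) does not matter.
    return h("class", *sorted(h("m", normalize_descriptor(d)) for d in method_descriptors))


def package_tree_hashes(classes):
    """classes: {"pkg/path/ClassName": [descriptors]}.
    Returns ({package_path: hash}, set of class hashes). Package hashes are
    computed bottom-up from class hashes and sub-package hashes, so no
    class, method or package *name* influences the result."""
    class_hashes = {cp: class_hash(ms) for cp, ms in classes.items()}
    pkg_classes, pkg_children = defaultdict(list), defaultdict(set)
    for cp, ch in class_hashes.items():
        pkg = cp.rsplit("/", 1)[0]
        pkg_classes[pkg].append(ch)
        parts = pkg.split("/")
        for i in range(1, len(parts)):          # register every ancestor package
            pkg_children["/".join(parts[:i])].add("/".join(parts[:i + 1]))
    result = {}

    def compute(pkg):
        if pkg not in result:
            subs = sorted(compute(c) for c in pkg_children.get(pkg, ()))
            result[pkg] = h("pkg", *sorted(pkg_classes.get(pkg, [])), *subs)
        return result[pkg]

    for p in set(pkg_classes) | set(pkg_children):
        compute(p)
    return result, set(class_hashes.values())


def build_profile(name, version, root_pkg, classes):
    """Profile generated from the original SDK: root-package hash plus class-hash set."""
    pkg_hashes, class_set = package_tree_hashes(classes)
    return {"name": name, "version": version, "root": pkg_hashes[root_pkg], "classes": class_set}


def detect(app_classes, profiles, min_similarity=0.6):
    """Exact match: a library version's root hash equals some app package hash.
    Partial match (shrunk/patched library): fraction of library classes present."""
    pkg_hashes, app_class_set = package_tree_hashes(app_classes)
    app_pkg_hashes = set(pkg_hashes.values())
    hits = []
    for p in profiles:
        if p["root"] in app_pkg_hashes:
            hits.append((p["name"], p["version"], 1.0, "exact"))
            continue
        sim = len(p["classes"] & app_class_set) / len(p["classes"])
        if sim >= min_similarity:
            hits.append((p["name"], p["version"], round(sim, 2), "partial"))
    return sorted(hits, key=lambda x: -x[2])


# Constructed sample library "example-sdk" in two versions (hypothetical).
SDK_V10 = {
    "com/example/sdk/Client": ["(Ljava/lang/String;)V", "(Lcom/example/sdk/Request;)Lcom/example/sdk/Response;"],
    "com/example/sdk/Request": ["(Ljava/lang/String;[B)V"],
    "com/example/sdk/Response": ["()I", "()Ljava/lang/String;"],
    "com/example/sdk/net/Http": ["(Ljava/lang/String;)Ljava/net/HttpURLConnection;"],
}
SDK_V11 = dict(SDK_V10)
SDK_V11["com/example/sdk/Client"] = SDK_V10["com/example/sdk/Client"] + ["(Landroid/content/Context;)V"]
SDK_V11["com/example/sdk/net/Tls"] = ["(Ljavax/net/ssl/SSLSocketFactory;)V"]

PROFILES = [build_profile("example-sdk", "1.0", "com/example/sdk", SDK_V10),
            build_profile("example-sdk", "1.1", "com/example/sdk", SDK_V11)]

# Constructed app classes after renaming obfuscation of v1.1 (all names replaced).
APP_RENAMED = {
    "a/b/a": ["(Ljava/lang/String;)V", "(La/b/b;)La/b/c;", "(Landroid/content/Context;)V"],
    "a/b/b": ["(Ljava/lang/String;[B)V"],
    "a/b/c": ["()I", "()Ljava/lang/String;"],
    "a/b/d/a": ["(Ljava/lang/String;)Ljava/net/HttpURLConnection;"],
    "a/b/d/b": ["(Ljavax/net/ssl/SSLSocketFactory;)V"],
}
# Same app after shrinking removed the unused Tls class: exact match fails,
# but the partial score still prefers v1.1 over v1.0.
APP_SHRUNK = {k: v for k, v in APP_RENAMED.items() if k != "a/b/d/b"}

if __name__ == "__main__":
    print(detect(APP_RENAMED, PROFILES))
    print(detect(APP_SHRUNK, PROFILES))
```

Two caveats carry over to real deployments: string-encryption and control-flow obfuscators leave this structural signal intact, but class-merging, method-inlining or API-hiding obfuscators change method sets and need a more tolerant similarity than the per-class fraction used here, and a version that differs from its predecessor only in method bodies is indistinguishable by signatures alone.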
Reliable Third-Party Library Detection in Android and its Security Applications