Yuan Zhang,Jiarun Dai,Xiaohan Zhang,Sirong Huang,Zhemin Yang,Min Yang,Hao Chen

DOI: https://doi.org/10.1109/SANER.2018.8330204

2018-01-01

Abstract:Third-party libraries are widely used in Android applications to ease development and enhance functionalities. However, the incorporated libraries also bring new security & privacy issues to the host application, and blur the accounting between application code and library code. Under this situation, a precise and reliable library detector is highly desirable. In fact, library code may be customized by developers during integration and dead library code may be eliminated by code obfuscators during application build process. However, existing research on library detection has not gracefully handled these problems, thus facing severe limitations in practice. In this paper, we propose LibPecker, an obfuscation-resilient, highly precise and reliable library detector for Android applications. LibPecker adopts signature matching to give a similarity score between a given library and an application. By fully utilizing the internal class dependencies inside a library, LibPecker generates a strict signature for each class. To tolerate library code customization and elimination as much as possible, LibPecker introduces adaptive class similarity threshold and weighted class similarity score when calculating library similarity. To quantitatively evaluate the precision and the recall of LibPecker, we perform the first such experiment (to the best of our knowledge) with a large number of libraries and applications. Results show that LibPecker significantly outperforms the state-of-the-art tools in both recall and precision (91% and 98.1% respectively).

Xiaoqiong Zhao,Shanping Li,Huan Yu,Ye Wang,Weiwei Qiu

DOI: https://doi.org/10.1587/transinf.2018edp7227

2019-01-01

IEICE Transactions on Information and Systems

Abstract:Background: The applying of third-party libraries is an integral part of many applications. But the libraries choosing is time-onsuming even for experienced developers. The automated recommendation system for libraries recommendation is widely researched to help developers to choose libraries. Aim: from software engineering aspect, our research aims to give developers a reliable recommended list of third-arty libraries at the early phase of software development lifecycle to help them build their development environment faster; and from technical aspect, our research aims to build a generalizable recommendation system framework which combines collaborative filtering and topic modeling techniques, in order to improve the performance of libraries recommendation significantly. Our works on this research: 1) we design a hybrid methodology to combine collaborative filtering and LDA text mining technology; 2) we build a recommendation system framework successfully based on the above hybrid methodology; 3) we make a well-designed experiment to validate the methodology and framework which use the data of 1,013 mobile application projects; 4) we do the evaluation for the result of the experiment. Conclusions: 1) hybrid methodology with collaborative filtering and LDA can improve the performance of libraries recommendation significantly; 2) based on the hybrid methodology, the framework works very well on the libraries recommendation for helping developers' libraries choosing. Further research is necessary to improve the performance of the libraries recommendation including: 1) use more accurate NLP technologies improve the correlation analysis; 2) try other similarity calculation methodology for collaborative filtering to rise the accuracy; 3) on this research, we just bring the time-series approach to the framework and make an experiment as comparative trial, the result shows that the performance improves continuously, so in further research we plan to use time-series data-mining as the basic methodology to update the framework.

Menghao Li,Pei Wang,Wei Wang,Shuai Wang,Dinghao Wu,Jian Liu,Rui Xue,Wei Huo,Wei Zou

DOI: https://doi.org/10.1109/tse.2018.2872958

IF: 7.4

2020-09-01

IEEE Transactions on Software Engineering

Abstract:With the thriving of mobile app markets, third-party libraries are pervasively used in Android applications. The libraries provide functionalities such as advertising, location, and social networking services, making app development much more productive. However, the spread of vulnerable and harmful third-party libraries can also hurt the mobile ecosystem, leading to various security problems. Therefore, third-party library identification has emerged as an important problem, being the basis of many security applications such as repackaging detection, vulnerability identification, and malware analysis. Previously, we proposed a novel approach to identifying third-party Android libraries at a massive scale. Our method uses the internal code dependencies of an app to recognize library candidates and further classify them. With a fine-grained feature hashing strategy, we can better handle code whose package and method names are obfuscated than historical work. We have developed a prototypical tool called LibD and evaluated it with an up-to-date dataset containing 1,427,395 Android apps. Our experiment results show that LibD outperforms existing tools in detecting multi-package third-party libraries with the presence of name-based obfuscation, leading to significantly improved precision without the loss of scalability. In this paper, we extend our early work by investigating the possibility of employing effective and scalable library detection to boost the performance of large-scale app analyses in the real world. We show that the technique of LibD can be used to accelerate whole-app Android vulnerability detection and quickly identify variants of vulnerable third-party libraries. This extension paper sheds light on the practical value of our previous research.

engineering, electrical & electronic,computer science, software engineering

Jingyi Guo,Min Zheng,Yajin Zhou,Haoyu Wang,Lei Wu,Xiapu Luo,Kui Ren

DOI: https://doi.org/10.48550/arXiv.2207.01837

2022-07-05

Cryptography and Security

Abstract:Vetting security impacts introduced by third-party libraries in iOS apps requires a reliable library detection technique. Especially when a new vulnerability (or a privacy-invasive behavior) was discovered in a third-party library, there is a practical need to precisely identify the existence of libraries and their versions for iOS apps. However, few studies have been proposed to tackle this problem, and they all suffer from the code duplication problem in different libraries. In this paper, we focus on third-party library detection in iOS apps. Given an app, we aim to identify the integrated libraries and pinpoint their versions (or the version range).To this end, we first conduct an in-depth study on iOS third-party libraries to demystify the code duplication challenge. By doing so, we have two key observations: 1) even though two libraries can share classes, the shared classes cannot be integrated into an app simultaneously without causing a class name conflict; and 2) code duplication between multiple versions of two libraries can vary. Based on these findings, we propose a novel profile-based similarity comparison approach to perform the detection. Specifically, we build a library database consists of original library binaries with distinct versions. After extracting profiles for each library version and the target app, we conduct a similarity comparison to find the best matches. We implemented this approach in iLibScope. We built a benchmark consists of 5,807 apps with 10,495 library integrations and applied our tool to it. Our evaluation shows that iLibScope achieves a recall exceeds 99% and a precision exceeds 97% for library detection. We also applied iLibScope to detect the presence of well-known vulnerable third-party libraries in real-world iOS mobile apps to show the promising usage of our tool. It successfully identified 405 vulnerable library usage from 4,249 apps.

Zhan Xian,Lingling Fan,Tianming Liu,Sen Chen,Li Li,Haoyu Wang,Yifei Xu,Xiapu Luo,Yang Liu

2020-01-01

Abstract:Third-party libraries (TPLs) have become a significant part of the Android ecosystem. Developers can employ various TPLs with different functionalities to facilitate their app development. Unfortunately, the popularity of TPLs also brings new challenges and even threats. TPLs may carry malicious or vulnerable code and can infect many popular apps to pose threats to mobile users. Besides, the code of third-party libraries could constitute noises in some detection tasks. Thus, researchers have developed various tools to identify TPLs. However, no existing work has studied these TPL detection tools in detail; different tools focus on different applications with performance differences, so little is known about them. To better understand existing TPL detection tools and dissect TPL detection techniques, we conduct an experience paper and attempt to fill the gap by evaluating and comparing all publicly available TPL detection tools based on four criteria: effectiveness, efficiency, code obfuscation-resilience capability, and ease of use. We reveal their advantages and disadvantages based on our empirical study. The result shows that most TPL detection tools can achieve high precision but with low recall. According to our evaluation and survey results, we recommend different tools for different application scenarios. We find that LibRadar is suitable for large-scale in-app TPL detection. LibPecker is ideal for identifying obfuscated TPLs. LibScout can identify specific library versions, which can be leveraged to find vulnerable TPLs, etc. Besides, we enhance these open-sourced tools by fixing their limitations, to improve their detection ability. We also build an extensible framework that integrates all existing available TPL detection tools, providing online service for the research community. We make publicly available the evaluation dataset and enhanced tools. We believe our work provides a clear picture of existing TPL detection techniques and also give a road-map for future directions.

Ziang Ma,Haoyu Wang,Yao Guo,Xiangqun Chen

DOI: https://doi.org/10.1145/2889160.2889178

2016-01-01

Abstract:We present LibRadar, a tool that is able to detect third party libraries used in an Android app accurately and instantly. As third-party libraries are widely used in Android apps, program analysis on Android apps typically needs to detect or remove third-party libraries first in order to function correctly or provide accurate results. However, most previous studies employ a whitelist of package names of known libraries, which is incomplete and unable to deal with obfuscation. In contrast, LibRadar detects libraries based on stable API features that are obfuscation resilient in most cases. After analyzing one million free Android apps from Google Play, we have identified possible libraries and collected their unique features. Based on these features, Lib Radar can detect third-party libraries in a given Android app within seconds, as it only requires simple static analysis and fast comparison. LibRadar is available for public use at http://radar.pkuos.org. The demo video is available at: https://youtu.be/GoMYjYxsZnI

Xian Zhan,Lingling Fan,Tianming Liu,Sen Chen,Li,Haoyu Wang,Yifei Xu,Xiapu Luo,Yang Liu

DOI: https://doi.org/10.1145/3324884.3416582

2020-01-01

Abstract:Third-party libraries (TPLs) have become a significant part of the Android ecosystem. Developers can employ various TPLs with different functionalities to facilitate their app development. Unfortunately, the popularity of TPLs also brings new challenges and even threats. TPLs may carry malicious or vulnerable code, which can infect popular apps to pose threats to mobile users. Besides, the code of third-party libraries could constitute noises in some downstream tasks (e.g., malware and repackaged app detection). Thus, researchers have developed various tools to identify TPLs. However, no existing work has studied these TPL detection tools in detail; different tools focus on different applications with performance differences, but little is known about them. To better understand existing TPL detection tools and dissect TPL detection techniques, we conduct a comprehensive empirical study to fill the gap by evaluating and comparing all publicly available TPL detection tools based on four criteria: effectiveness, efficiency, code obfuscation-resilience capability, and ease of use. We reveal their advantages and disadvantages based on a systematic and thorough empirical study. Furthermore, we also conduct a user study to evaluate the usability of each tool. The results show that LibScout outperforms others regarding effectiveness, LibRadar takes less time than others and is also regarded as the most easy-to-use one, and LibPecker performs the best in defending against code obfuscation techniques. We further summarize the lessons learned from different perspectives, including users, tool implementation, and researchers. Besides, we enhance these open-sourced tools by fixing their limitations to improve their detection ability. We also build an extensible framework that integrates all existing available TPL detection tools, providing online service for the research community. We make publicly available the evaluation dataset and enhanced tools. We believe our work provides a clear picture of existing TPL detection techniques and also give a road-map for future directions.

Hao-Yu WANG,Yao GUO,Zi-Ang MA,Xiang-Qun CHEN

DOI: https://doi.org/10.13328/j.cnki.jos.005221

2017-01-01

Journal of Software

Abstract:Third-Party libraries are widely used in mobile applications such as Android apps.Much research on app analysis or access control needs to detect or classify third-party libraries first in order to provide accurate results.Most previous studies use a whitelist to identify third-party libraries and manually categorize them.However,it is impossible to build a complete whitelist of third-party libraries and classify them because:(1) there are too many of them;and (2) common techniques such as library obfuscation and library masquerading cannot be handled with a whitelist.In this paper,an automated approach is proposed to detect and classify frequently-used third-party libraries in Android apps.A multi-level clustering based method is presented to identify third-party libraries,and a machine learning based technique is applied to classify the libraries.Experiments on more than 130000 apps show that 4916 third-party libraries can be detected without prior knowledge.The classification result of 10-folds cross validation on sampled libraries is 84.28％.With the trained classifier,the proposed approach is able to classify more than 75％ of the 4916 libraries into six categories with an accuracy of 75％.

Qiang He,Bo Li,Feifei Chen,John Grundy,Xin Xia,Yun Yang

DOI: https://doi.org/10.1109/tse.2020.2982154

IF: 7.4

2022-01-01

IEEE Transactions on Software Engineering

Abstract:The rapid growth of mobile apps has significantly promoted the use of third-party libraries in mobile app development. However, mobile app developers are now facing the challenge of finding useful third-party libraries for improving their apps, e.g., to enhance user interfaces, to add social features, etc. An effective approach is to leverage collaborative filtering (CF) to predict useful third-party libraries for developers. We employed Matrix Factorization (MF) approaches - the classic CF-based prediction approaches - to make the predictions based on a total of 31,432 Android apps from Google Play. However, our investigation shows that there is a significant lack of diversity in the prediction results - a small fraction of popular third-party libraries dominate the prediction results while most other libraries are ill-served. The low diversity in the prediction results limits the usefulness of the prediction because it lacks novelty and serendipity which are much appreciated by mobile app developers. In order to increase the diversity in the prediction results, we designed an innovative MF-based approach, namely LibSeek, specifically for predicting useful third-party libraries for mobile apps. It employs an adaptive weighting mechanism to neutralize the bias caused by the popularity of third-party libraries. In addition, it introduces neighborhood information, i.e., information about similar apps and similar third-party libraries, to personalize the predictions for individual apps. The experimental results show that LibSeek can significantly diversify the prediction results, and in the meantime, increase the prediction accuracy.

engineering, electrical & electronic,computer science, software engineering

Xian Zhan,Tianming Liu,Yepang Liu,Yang Liu,Li Li,Haoyu Wang,Xiapu Luo

DOI: https://doi.org/10.1109/tse.2021.3115506

IF: 7.4

2021-01-01

IEEE Transactions on Software Engineering

Abstract:Third-party libraries (TPLs) have become a significant part of the Android ecosystem. Developers can employ various TPLs to facilitate their app development. Unfortunately, the popularity of TPLs also brings new security issues. For example, TPLs may carry malicious or vulnerable code, which can infect popular apps to pose threats to mobile users. Furthermore, TPL detection is essential for downstream tasks, such as vulnerabilities and malware detection. Thus, various tools have been developed to identify TPLs. However, no existing work has studied these TPL detection tools in detail, and different tools focus on different applications and techniques with performance differences. A comprehensive understanding of these tools will help us make better use of them. To this end, we conduct a comprehensive empirical study to fill the gap by evaluating and comparing all publicly available TPL detection tools based on six criteria: accuracy of TPL construction, effectiveness, efficiency, accuracy of version identification, resiliency to code obfuscation, and ease of use. Besides, we enhance these open-source tools by fixing their limitations, to improve their detection ability. Finally, we build an extensible framework that integrates all existing available TPL detection tools, providing an online service for the research community. We release the evaluation dataset and enhanced tools. According to our study, we also present the essential findings and discuss promising implications to the community; e.g., 1) Most existing TPL detection techniques more or less depend on package structure to construct in-app TPL candidates. However, using package structure as the module decoupling feature is error-prone. We hence suggest future researchers using the class dependency to substitute package structure. 2) Extracted features include richer semantic information (e.g., class dependencies) can achieve better resiliency to code obfuscation. 3) Existing tools usually have - low recall; that is because previous tools ignore some features of Android apps and TPLs, such as the compilation mechanism, the new format of TPLs, TPL dependency. Most existing tools cannot effectively find partial import TPLs, obfuscated TPLs, which directly limit their capability. 4) Existing tools are complementary to each other; we can build a better tool via combining the advantages of each tool. We believe our work provides a clear picture of existing TPL detection techniques and also gives a road-map for future research.

engineering, electrical & electronic,computer science, software engineering

Dan Zhang,Ping Luo,W. Tang,Min Zhou

DOI: https://doi.org/10.1145/3324884.3415303

2020-01-01

Abstract:Using open-source libraries can provide rich functions and reduce development cost. However, some critical issues have also been caused such as license conflicts and vulnerability risks. In this paper, we design and implement an open-source libraries detection tool OSLDetector which uses methods of matching features to detect third-party libraries for multi-platform software in binaries. We took a series of methods such as filtering features and novelty building an internal clone forest to cope with the challenge of feature duplication. The tool can also provide the conflict of licenses and identify possible corresponding vulnerabilities, so these potential risks can be resolved and avoided. To evaluate the efficiency of OSLDetector, we collect 5K libraries containing 9K versions and manage their respective license type and existing vulnerabilities. The experimental results with a precision of 96% and recall of 92.3% show that OSLDetector is effective and outperforms similar tools.

Jun Qiu,Xuewu Yang,Huamao Wu,Yajin Zhou,Jinku Li,Jianfeng Ma

DOI: https://doi.org/10.1109/tdsc.2021.3075817

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Android application (or app) developers increasingly integrate third-party libraries to enrich the functionality of their apps. However, current permission model on Android cannot constrain the behaviors of in-app third-party libraries for allowing them to operate with the same permissions as their host app. This brings serious security and privacy concerns to users. In this article, we propose LibCapsule, a user-level solution to confine third-party libraries from potential permission abuses. Compared to previous systems, LibCapsule is able to provide complete confinement of third-party libraries in Android apps, including the static Java code, dynamically loaded code and native code of third-party libraries. We have developed a prototype of LibCapsule, and collected 204 popular third-party libraries as well as 2,021 apps to evaluate it. The evaluation results indicate that LibCapsule is capable of enforcing complete and fine-grained regulation on third-party libraries according to customized security policies with a low performance overhead. To engage the whole community, we will release the dataset of third-party libraries and apps in our evaluation.

Wei Tang,Ping Luo,Jialiang Fu,Dan Zhang

DOI: https://doi.org/10.1109/saner48275.2020.9054845

2020-01-01

Abstract:With the development of the open-source movement, third-party library reuse is commonly practiced in programming. Application developers can reuse the code to save time and development costs. However, there are some hidden risks in misusing third-party libraries such as license violation and security vulnerability. The identification of libraries written in C or C++ is impeded by compilation process which hides most features of code. The same open-source package can be compiled into different binary code by different compilation processes. Therefore, this paper proposes LibDX, a platform-independent and fully-automated system, to detect reused libraries in binary files. With a well-designed feature extractor, LibDX can overcome compilation diversity between binary files. LibDX novelly introduces the logic feature block concept which is applied to deal with the feature duplication challenge in a large-scale feature database. We built a large test data set covering multiple platforms and evaluated LibDX with 9.5K packages including 25.8K C/C++ binary files. Our results show that LibDX achieves a precision of 92% and a recall of 97%, and outperforms state-of-the-art tools. We have validated the performance of the system with closed source commercial applications and found some license violation cases.

Wu Zhou,Yajin Zhou,Michael C. Grace,Xuxian Jiang,Shihong Zou

DOI: https://doi.org/10.1145/2435349.2435377

2013-01-01

Abstract:Mobile applications (or apps) are rapidly growing in number and variety. These apps provide useful features, but also bring certain privacy and security risks. For example, malicious authors may attach destructive payloads to legitimate apps to create so-called "piggybacked" apps and advertise them in various app markets to infect unsuspecting users. To detect them, existing approaches typically employ pair-wise comparison, which unfortunately has limited scalability. In this paper, we present a fast and scalable approach to detect these apps in existing Android markets. Based on the fact that the attached payload is not an integral part of a given app's primary functionality, we propose a module decoupling technique to partition an app's code into primary and non-primary modules. Also, noticing that piggybacked apps share the same primary modules as the original apps, we develop a feature fingerprint technique to extract various semantic features (from primary modules) and convert them into feature vectors. We then construct a metric space and propose a linearithmic search algorithm (with O(n log n) time complexity) to efficiently and scalably detect piggybacked apps. We have implemented a prototype and used it to study 84,767 apps collected from various Android markets in 2011. Our results show that the processing of these apps takes less than nine hours on a single machine. In addition, among these markets, piggybacked apps range from 0.97% to 2.7% (the official Android Market has 1%). Further investigation shows that they are mainly used to steal ad revenue from the original developers and implant malicious payloads (e.g., for remote bot control). These results demonstrate the effectiveness and scalability of our approach.

Wei Tang,Yanlin Wang,Hongyu Zhang,Shi Han,Ping Luo,Dongmei Zhang

DOI: https://doi.org/10.1145/3524842.3528442

2022-01-01

Abstract:Third-party libraries (TPLs) are reused frequently in software applications for reducing development cost. However, they could introduce security risks as well. Many TPL detection methods have been proposed to detect TPL reuse in Android bytecode or in source code. This paper focuses on detecting TPL reuse in binary code, which is a more challenging task. For a detection target in binary form, libraries may be compiled and linked to separate dynamic-link files or built into a fused binary that contains multiple libraries and project-specific code. This could result in fewer available code features and lower the effectiveness of feature engineering. In this paper, we propose a binary TPL reuse detection framework, LibDB, which can effectively and efficiently detect imported TPLs even in stripped and fused binaries. In addition to the basic and coarse-grained features (string literals and exported function names), LibDB utilizes function contents as a new type of feature. It embeds all functions in a binary file to low-dimensional representations with a trained neural network. It further adopts a function call graph-based comparison method to improve the accuracy of the detection. LibDB is able to support version identification of TPLs contained in the detection target, which is not considered by existing detection methods. To evaluate the performance of LibDB, we construct three datasets for binary-based TPL reuse detection. Our experimental results show that LibDB is more accurate and efficient than state-of-the-art tools on the binary TPL detection task and the version identification task. Our datasets and source code used in this work are anonymously available at https://github.com/DeepSoftwareAnalytics/LibDB.

Haoyu Wang,Yao Guo

DOI: https://doi.org/10.1109/ICSE-C.2017.161

2017-01-01

Abstract:Third-party libraries are widely used in mobile apps. Recent studies showed that third-party libraries account for more than 60% of the code in Android apps on average. As a result, program analysis on Android apps typically requires detecting or removing third-party libraries first, because they usually introduce significant noises and affect the analysis results. In this technical briefing, we will introduce the latest research advances related to third-party libraries used in mobile apps. The briefing will be focused on: (1) the importance of third-party libraries, including the current status, types and distribution, based on the analysis results on over 1 million Android apps, (2) how to detect third-party libraries from Android apps, including an overview of existing approaches and their limitations, (3) the implications of third-party libraries in software engineering tasks such as mobile app analysis, as well as case studies from the domain of program analysis and mobile security, (4) future challenges and research directions related to third-party libraries.

Hussein Alrubaye,Mohamed Wiem Mkaouer,Ali Ouni

DOI: https://doi.org/10.48550/arXiv.1906.02591

2019-06-02

Abstract:The migration process between different third-party libraries is hard, complex and error-prone. Typically, during a library migration, developers need to find methods in the new library that are most adequate in replacing the old methods of the retired library. This process is subjective and time-consuming as developers need to fully understand the documentation of both libraries Application Programming Interfaces, and find the right matching between their methods if it exists. In this context, several studies rely on mining existing library migrations to provide developers with by-example approaches for similar scenarios. In this paper, we introduce a novel mining approach that extracts existing instances of library method replacements that are manually performed by developers for a given library migration to automatically generate migration patterns in the method level. Thereafter, our approach combines the mined method-change patterns with method-related lexical similarity to accurately detect mappings between replacing/replaced methods. We conduct a large scale empirical study to evaluate our approach on a benchmark of 57,447 open-source Java projects leading to 9 popular library migrations. Our qualitative results indicate that our approach significantly increases the accuracy of mining method-level mappings by an average accuracy of 12%, as well as increasing the number of discovered method mappings, in comparison with existing state-of-the-art studies. Finally, we provide the community with an open source mining tool along with a dataset of all mined migrations at the method level.

Software Engineering

Mohamed Aymen Saied,Ali Ouni,Houari Sahraoui,Raula Gaikovina Kula,Katsuro Inoue,David Lo

DOI: https://doi.org/10.48550/arXiv.1612.01626

2016-12-06

Software Engineering

Abstract:Modern software systems are increasingly dependent on third-party libraries. It is widely recognized that using mature and well-tested third-party libraries can improve developers' productivity, reduce time-to-market, and produce more reliable software. Today's open-source repositories provide a wide range of libraries that can be freely downloaded and used. However, as software libraries are documented separately but intended to be used together, developers are unlikely to fully take advantage of these reuse opportunities. In this paper, we present a novel approach to automatically identify third-party library usage patterns, i.e., collections of libraries that are commonly used together by developers. Our approach employs hierarchical clustering technique to group together software libraries based on external client usage. To evaluate our approach, we mined a large set of over 6,000 popular libraries from Maven Central Repository and investigated their usage by over 38,000 client systems from the Github repository. Our experiments show that our technique is able to detect the majority (77%) of highly consistent and cohesive library usage patterns across a considerable number of client systems.

Li,Timothee Riom,Tegawende F. Bissyande,Haoyu Wang,Jacques Klein,Le Traon Yves

DOI: https://doi.org/10.1016/j.jss.2019.04.065

IF: 3.5

2019-01-01

Journal of Systems and Software

Abstract:The packaging model of Android apps requires the entire code to be shipped into a single APK file in order to be installed and executed on a device. This model introduces noises to Android app analyses, e.g., detection of repackaged applications, malware classification, as not only the core developer code but also the other assistant code will be visited. Such assistant code is often contributed by common libraries that are used pervasively by all apps. Despite much effort has been put in our community to investigate Android libraries, the momentum of Android research has not yet produced a complete and reliable set of common libraries for supporting thorough analyses of Android apps. In this work, we hence leverage a dataset of about 1.5 million apps from Google Play to identify potential common libraries, including advertisement libraries, and their abstract representations. With several steps of refinements, we finally collect 1113 libraries supporting common functions and 240 libraries for advertisement. For each library, we also collected its various abstract representations that could be leveraged to find new usages, including obfuscated cases. Based on these datasets, we further empirically revisit three popular Android app analyses, namely (1) repackaged app detection, (2) machine learning-based malware detection, and (3) static code analysis, aiming at measuring the impact of common libraries on their analysing performance. Our experimental results demonstrate that common library can indeed impact the performance of Android app analysis approaches. Indeed, common libraries can introduce both false positive and false negative results to repackaged app detection approaches. The existence of common libraries in Android apps may also impact the performance of machine learning-based classifications as well as that of static code analysers. All in all, the aforementioned results suggest that it is essential to harvest a reliable list of common libraries and also important to pay special attention to them when conducting Android-related investigations. (C) 2019 Elsevier Inc. All rights reserved.

Siyuan Li,Yongpan Wang,Chaopeng Dong,Shouguo Yang,Hong Li,Hao Sun,Zhe Lang,Zuxin Chen,Weijie Wang,Hongsong Zhu,Limin Sun

2023-09-12

Abstract:Third-party libraries (TPLs) are extensively utilized by developers to expedite the software development process and incorporate external functionalities. Nevertheless, insecure TPL reuse can lead to significant security risks. Existing methods are employed to determine the presence of TPL code in the target binary. Existing methods, which involve extracting strings or conducting function matching, are employed to determine the presence of TPL code in the target binary. However, these methods often yield unsatisfactory results due to the recurrence of strings and the presence of numerous similar non-homologous functions. Additionally, they struggle to identify specific pieces of reused code in the target binary, complicating the detection of complex reuse relationships and impeding downstream tasks. In this paper, we observe that TPL reuse typically involves not just isolated functions but also areas encompassing several adjacent functions on the Function Call Graph (FCG). We introduce LibAM, a novel Area Matching framework that connects isolated functions into function areas on FCG and detects TPLs by comparing the similarity of these function areas. Furthermore, LibAM is the first approach capable of detecting the exact reuse areas on FCG and offering substantial benefits for downstream tasks. Experimental results demonstrate that LibAM outperforms all existing TPL detection methods and provides interpretable evidence for TPL detection results by identifying exact reuse areas. We also evaluate LibAM's accuracy on large-scale, real-world binaries in IoT firmware and generate a list of potential vulnerabilities for these devices. Last but not least, by analyzing the detection results of IoT firmware, we make several interesting findings, such as different target binaries always tend to reuse the same code area of TPL.

Software Engineering,Cryptography and Security