Xian Zhan,Lingling Fan,Tianming Liu,Sen Chen,Li,Haoyu Wang,Yifei Xu,Xiapu Luo,Yang Liu

DOI: https://doi.org/10.1145/3324884.3416582

2020-01-01

Abstract:Third-party libraries (TPLs) have become a significant part of the Android ecosystem. Developers can employ various TPLs with different functionalities to facilitate their app development. Unfortunately, the popularity of TPLs also brings new challenges and even threats. TPLs may carry malicious or vulnerable code, which can infect popular apps to pose threats to mobile users. Besides, the code of third-party libraries could constitute noises in some downstream tasks (e.g., malware and repackaged app detection). Thus, researchers have developed various tools to identify TPLs. However, no existing work has studied these TPL detection tools in detail; different tools focus on different applications with performance differences, but little is known about them. To better understand existing TPL detection tools and dissect TPL detection techniques, we conduct a comprehensive empirical study to fill the gap by evaluating and comparing all publicly available TPL detection tools based on four criteria: effectiveness, efficiency, code obfuscation-resilience capability, and ease of use. We reveal their advantages and disadvantages based on a systematic and thorough empirical study. Furthermore, we also conduct a user study to evaluate the usability of each tool. The results show that LibScout outperforms others regarding effectiveness, LibRadar takes less time than others and is also regarded as the most easy-to-use one, and LibPecker performs the best in defending against code obfuscation techniques. We further summarize the lessons learned from different perspectives, including users, tool implementation, and researchers. Besides, we enhance these open-sourced tools by fixing their limitations to improve their detection ability. We also build an extensible framework that integrates all existing available TPL detection tools, providing online service for the research community. We make publicly available the evaluation dataset and enhanced tools. We believe our work provides a clear picture of existing TPL detection techniques and also give a road-map for future directions.

Yongzhong He,Binghui Hu,Zhen Han

DOI: https://doi.org/10.1109/icdis.2018.00051

IF: 4.96

2019-01-01

Journal of Information Security and Applications

Abstract:Third-party libraries are widely used in Android apps. As third-party libraries share permissions with the host apps, they are easily over-privileged and leak users' privacy without notice. Combing static third-party library detection tool and dynamic Xposed framework, we propose a fine-grained and dynamic privacy leakage analysis tool to analyze the privacy leakage behaviors of third-party libraries in real time. This paper identifies three types of privacy leakage path inside apps. We evaluate 150 popular apps, collecting 1909 privacy information related call chains. We find the third-party libraries access to privacy information account for the largest proportion, and most of third-party libraries have direct network connections and the correspondent flows are inspected to validate the privacy leakage risk. The results show that the tool can achieve real-time, fine-grained and dynamic privacy behavior analysis of Android apps.

Zhan Xian,Lingling Fan,Tianming Liu,Sen Chen,Li Li,Haoyu Wang,Yifei Xu,Xiapu Luo,Yang Liu

2020-01-01

Abstract:Third-party libraries (TPLs) have become a significant part of the Android ecosystem. Developers can employ various TPLs with different functionalities to facilitate their app development. Unfortunately, the popularity of TPLs also brings new challenges and even threats. TPLs may carry malicious or vulnerable code and can infect many popular apps to pose threats to mobile users. Besides, the code of third-party libraries could constitute noises in some detection tasks. Thus, researchers have developed various tools to identify TPLs. However, no existing work has studied these TPL detection tools in detail; different tools focus on different applications with performance differences, so little is known about them. To better understand existing TPL detection tools and dissect TPL detection techniques, we conduct an experience paper and attempt to fill the gap by evaluating and comparing all publicly available TPL detection tools based on four criteria: effectiveness, efficiency, code obfuscation-resilience capability, and ease of use. We reveal their advantages and disadvantages based on our empirical study. The result shows that most TPL detection tools can achieve high precision but with low recall. According to our evaluation and survey results, we recommend different tools for different application scenarios. We find that LibRadar is suitable for large-scale in-app TPL detection. LibPecker is ideal for identifying obfuscated TPLs. LibScout can identify specific library versions, which can be leveraged to find vulnerable TPLs, etc. Besides, we enhance these open-sourced tools by fixing their limitations, to improve their detection ability. We also build an extensible framework that integrates all existing available TPL detection tools, providing online service for the research community. We make publicly available the evaluation dataset and enhanced tools. We believe our work provides a clear picture of existing TPL detection techniques and also give a road-map for future directions.

Yafei Wu,Cong Sun,Dongrui Zeng,Gang Tan,Siqi Ma,Peicheng Wang

2023-01-01

Abstract:Android apps pervasively use third-party libraries (TPL) to reuse functionalities and improve development efficiency. The insufficient knowledge of the TPL internal exposes the developers and users to severe threats of security vulnerabilities. To mitigate such threats, people have proposed diversified approaches to identifying vulnerable or even malicious TPLs. However, the rich features of different modern obfuscators, including advanced repackaging, dead code removal, and control-flow randomization, have significantly impeded the precise detection of the TPLs. In this work, we propose a general-purpose TPL detection approach, LibScan. We first fingerprint code features to build the potential class correspondence relations between the app and TPL classes. Then, we use the method-opcode similarity and call-chain-opcode similarity to improve the accuracy of detected class correspondences. Moreover, we design early-stop criteria and reuse intermediate results to improve the efficiency of LibScan. In experiments, the evaluation with ground truths demonstrated the effectiveness of LibScan and its detection steps. We also applied LibScan to detect vulnerable TPLs in the top Google Play apps and large-scale wild apps, which shows the efficiency and scalability of our approach, as well as the potential of our approach as an auxiliary tool that helps malware detection.

Hua Cheng,Guang Hu,Jin Liu,Zhiwei Kang,Chao Pan,ZiJun Zhang

DOI: https://doi.org/10.1109/cac57257.2022.10054907

2022-01-01

Abstract:Third-party libraries are widely used in APP development, providing technical solutions for APP rich functions, but some third-party libraries can collect many user privacy information and cause data leakage. According to our survey, about 60% of Android applications use android packing services. Existing tools cannot effectively detect third-party libraries used in packed applications, and their analysis results of third-party library privacy leaks are not comprehensive. To overcome these limitations, we improve the traditional third- party library detection tools so that it can detect third-party libraries used in packed applications. We propose a fine-grained privacy-collecting third-party library detection framework for detecting the privacy leakage of third-party libraries in Android applications by combining Androguard, Frida and improved third-party library detection tools. Our experimental results on 300 mainstream apps show that our framework provides good support for analyzing packed applications, and our approach can detect more third-party libraries and provide a more comprehensive analysis of privacy leaks of third-party libraries than existing tools.

Xian Zhan,Tianming Liu,Yepang Liu,Yang Liu,Li Li,Haoyu Wang,Xiapu Luo

DOI: https://doi.org/10.1109/tse.2021.3115506

IF: 7.4

2021-01-01

IEEE Transactions on Software Engineering

Abstract:Third-party libraries (TPLs) have become a significant part of the Android ecosystem. Developers can employ various TPLs to facilitate their app development. Unfortunately, the popularity of TPLs also brings new security issues. For example, TPLs may carry malicious or vulnerable code, which can infect popular apps to pose threats to mobile users. Furthermore, TPL detection is essential for downstream tasks, such as vulnerabilities and malware detection. Thus, various tools have been developed to identify TPLs. However, no existing work has studied these TPL detection tools in detail, and different tools focus on different applications and techniques with performance differences. A comprehensive understanding of these tools will help us make better use of them. To this end, we conduct a comprehensive empirical study to fill the gap by evaluating and comparing all publicly available TPL detection tools based on six criteria: accuracy of TPL construction, effectiveness, efficiency, accuracy of version identification, resiliency to code obfuscation, and ease of use. Besides, we enhance these open-source tools by fixing their limitations, to improve their detection ability. Finally, we build an extensible framework that integrates all existing available TPL detection tools, providing an online service for the research community. We release the evaluation dataset and enhanced tools. According to our study, we also present the essential findings and discuss promising implications to the community; e.g., 1) Most existing TPL detection techniques more or less depend on package structure to construct in-app TPL candidates. However, using package structure as the module decoupling feature is error-prone. We hence suggest future researchers using the class dependency to substitute package structure. 2) Extracted features include richer semantic information (e.g., class dependencies) can achieve better resiliency to code obfuscation. 3) Existing tools usually have - low recall; that is because previous tools ignore some features of Android apps and TPLs, such as the compilation mechanism, the new format of TPLs, TPL dependency. Most existing tools cannot effectively find partial import TPLs, obfuscated TPLs, which directly limit their capability. 4) Existing tools are complementary to each other; we can build a better tool via combining the advantages of each tool. We believe our work provides a clear picture of existing TPL detection techniques and also gives a road-map for future research.

engineering, electrical & electronic,computer science, software engineering

Jianjun Huang,Bo Xue,Jiasheng Jiang,Wei You,Bin Liang,Jingzheng Wu,Yanjun Wu

DOI: https://doi.org/10.1109/tse.2022.3215628

IF: 7.4

2023-01-01

IEEE Transactions on Software Engineering

Abstract:Third-party library (TPL) detection is important for Android app security analysis nowadays. Unfortunately, the existing techniques often suffer from poor scalability. In some situations, the detection time cost is even unacceptable. Although a few existing methods run relatively fast, they cannot provide enough effectiveness, especially for non-structure-preserving obfuscated apps, e.g., repackaged and flattened. In this paper, we treat TPLs detection as a set inclusion problem to effectively and efficiently analyze obfuscated apps, and develop a scalable two-stage detection approach, Libloom. Specifically, the package and class signatures are encoded into two levels of Bloom filters respectively. At the first stage, the package filters are used to identify a limited number of candidate TPLs via set overlapping measurement to avoid unnecessary class-level set analysis. Subsequently, with the class filters, a similarity score is computed between the query app and each candidate to detect the integrated TPLs, and a novel entropy-based metric is presented to specially handle the repackaged and flattened apps. We have evaluated Libloom on some large-scale benchmarks involving tens of thousands of TPL instances. The experiment results demonstrate that Libloom outperforms state-of-the-art tools in both effectiveness and efficiency. Especially, the proposed two-stage method can run about ten times faster than the straightforward class-level analysis on flattened apps, and without loss of accuracy.

Kaifa Zhao,Xian Zhan,Le Yu,Shiyao Zhou,Hao Zhou,Xiapu Luo,Haoyu Wang,Yepang Liu

2023-09-09

Abstract:The privacy of personal information has received significant attention in mobile software. Although previous researchers have designed some methods to identify the conflict between app behavior and privacy policies, little is known about investigating regulation requirements for third-party libraries (TPLs). The regulators enacted multiple regulations to regulate the usage of personal information for TPLs (e.g., the "California Consumer Privacy Act" requires businesses clearly notify consumers if they share consumers' data with third parties or not). However, it remains challenging to analyze the legality of TPLs due to three reasons: 1) TPLs are mainly published on public repositoriesinstead of app market (e.g., Google play). The public repositories do not perform privacy compliance analysis for each TPL. 2) TPLs only provide independent functions or function sequences. They cannot run independently, which limits the application of performing dynamic analysis. 3) Since not all the functions of TPLs are related to user privacy, we must locate the functions of TPLs that access/process personal information before performing privacy compliance analysis. To overcome the above challenges, in this paper, we propose an automated system named ATPChecker to analyze whether the Android TPLs meet privacy-related regulations or not. Our findings remind developers to be mindful of TPL usage when developing apps or writing privacy policies to avoid violating regulations.

Software Engineering,Cryptography and Security

Menghao Li,Pei Wang,Wei Wang,Shuai Wang,Dinghao Wu,Jian Liu,Rui Xue,Wei Huo,Wei Zou

DOI: https://doi.org/10.1109/tse.2018.2872958

IF: 7.4

2020-09-01

IEEE Transactions on Software Engineering

Abstract:With the thriving of mobile app markets, third-party libraries are pervasively used in Android applications. The libraries provide functionalities such as advertising, location, and social networking services, making app development much more productive. However, the spread of vulnerable and harmful third-party libraries can also hurt the mobile ecosystem, leading to various security problems. Therefore, third-party library identification has emerged as an important problem, being the basis of many security applications such as repackaging detection, vulnerability identification, and malware analysis. Previously, we proposed a novel approach to identifying third-party Android libraries at a massive scale. Our method uses the internal code dependencies of an app to recognize library candidates and further classify them. With a fine-grained feature hashing strategy, we can better handle code whose package and method names are obfuscated than historical work. We have developed a prototypical tool called LibD and evaluated it with an up-to-date dataset containing 1,427,395 Android apps. Our experiment results show that LibD outperforms existing tools in detecting multi-package third-party libraries with the presence of name-based obfuscation, leading to significantly improved precision without the loss of scalability. In this paper, we extend our early work by investigating the possibility of employing effective and scalable library detection to boost the performance of large-scale app analyses in the real world. We show that the technique of LibD can be used to accelerate whole-app Android vulnerability detection and quickly identify variants of vulnerable third-party libraries. This extension paper sheds light on the practical value of our previous research.

engineering, electrical & electronic,computer science, software engineering

Huajun Cui,Guozhu Meng,Yan Zhang,Weiping Wang,Dali Zhu,Ting Su,Xiaodong Zhang,Yuejun Li

DOI: https://doi.org/10.1007/978-3-031-17551-0_35

2022-01-01

Abstract:Network traffic analysis is an appealing approach for the security auditing of mobile apps. Prior research employs various techniques (e.g., Man-in-the-Middle, TCPDUMP) to capture network traffic from apps and further recognize security/privacy risks inside. However, these techniques suffer from limitations such as traffic mixing, proxy evasion, and SSL pinning. Possible solutions are to modify and customize the Android system. However, existing studies are mainly based on Android OS 6/7. Contemporary apps generally cannot work properly on these archaic Android OS, which has become a stumbling block for further traffic analysis research. To address the above problems, we propose a new network traffic analysis framework-TraceDroid. We first leverage the dynamic hooking technique to hook the critical functions for sending network requests, and then save the request data along with code execution traces. Besides, TraceDroid proposes an unsupervised way to identify third-party libraries (TPLs) inside apps for facilitating the liability analysis between apps and TPLs. Utilizing TraceDroid, we conduct a large-scale experiment on 9,771 real-world apps to make an empirical study of the status quo of privacy leakage. Our findings show that TPLs account for 44.45% of privacy leakage in contemporary apps, and files transmitted from user devices contain much more detailed privacy data than network requests. We bring to light the over-data harvest and cross-library data harvest issues in apps. Furthermore, we unveil the relationship between TPLs and their visiting domains that previous research has never discussed.

Xian Zhan,Tianming Liu,Lingling Fan,Li Li,Sen Chen,Xiapu Luo,Yang Liu

DOI: https://doi.org/10.48550/arXiv.2108.03787

2021-08-09

Abstract:Third-party libraries (TPLs) have been widely used in mobile apps, which play an essential part in the entire Android ecosystem. However, TPL is a double-edged sword. On the one hand, it can ease the development of mobile apps. On the other hand, it also brings security risks such as privacy leaks or increased attack surfaces (e.g., by introducing over-privileged permissions) to mobile apps. Although there are already many studies for characterizing third-party libraries, including automated detection, security and privacy analysis of TPLs, TPL attributes analysis, etc., what strikes us odd is that there is no systematic study to summarize those studies' endeavors. To this end, we conduct the first systematic literature review on Android TPL-related research. Following a well-defined systematic literature review protocol, we collected 74 primary research papers closely related to the Android third-party library from 2012 to 2020. After carefully examining these studies, we designed a taxonomy of TPL-related research studies and conducted a systematic study to summarize current solutions, limitations, challenges and possible implications of new research directions related to third-party library analysis. We hope that these contributions can give readers a clear overview of existing TPL-related studies and inspire them to go beyond the current status quo by advancing the discipline with innovative approaches.

Software Engineering

Xian Zhan,Tianming Liu,Lingling Fan,Li,Sen Chen,Xiapu Luo,Yang Liu

DOI: https://doi.org/10.1109/tse.2021.3114381

IF: 7.4

2022-01-01

IEEE Transactions on Software Engineering

Abstract:Third-party libraries (TPLs) have been widely used in mobile apps, which play an essential part in the entire Android ecosystem. However, TPL is a double-edged sword. On the one hand, it can ease the development of mobile apps. On the other hand, it also brings security risks such as privacy leaks or increased attack surfaces (e.g., by introducing over-privileged permissions) to mobile apps. Although there are already many studies for characterizing third-party libraries, including automated detection, security and privacy analysis of TPLs, TPL attributes analysis, etc., what strikes us odd is that there is no systematic study to summarize those studies’ endeavors. To this end, we conduct the first systematic literature review on Android TPL-related research. Following a well-defined systematic literature review protocol, we collected 74 primary research papers closely related to Android third-party library from 2012 to 2020. After carefully examining these studies, we designed a taxonomy of TPL-related research studies and conducted a systematic study to summarize current solutions, limitations, challenges and possible implications of new research directions related to third-party library analysis. We hope that these contributions can give readers a clear overview of existing TPL-related studies and inspire them to go beyond the current status quo by advancing the discipline with innovative approaches.

Menghao Li,Wei Wang,Pei Wang,Shuai Wang,Dinghao Wu,Jian Liu,Rui Xue,Wei Huo

DOI: https://doi.org/10.1109/ICSE.2017.38

2017-01-01

Abstract:With the thriving of the mobile app markets, third-party libraries are pervasively integrated in the Android applications. Third-party libraries provide functionality such as advertisements, location services, and social networking services, making multi-functional app development much more productive. However, the spread of vulnerable or harmful third-party libraries may also hurt the entire mobile ecosystem, leading to various security problems. The Android platform suffers severely from such problems due to the way its ecosystem is constructed and maintained. Therefore, third-party Android library identification has emerged as an important problem which is the basis of many security applications such as repackaging detection and malware analysis. According to our investigation, existing work on Android library detection still requires improvement in many aspects, including accuracy and obfuscation resilience. In response to these limitations, we propose a novel approach to identifying third-party Android libraries. Our method utilizes the internal code dependencies of an Android app to detect and classify library candidates. Different from most previous methods which classify detected library candidates based on similarity comparison, our method is based on feature hashing and can better handle code whose package and method names are obfuscated. Based on this approach, we have developed a prototypical tool called LibD and evaluated it with an update-to-date and large-scale dataset. Our experimental results on 1,427,395 apps show that compared to existing tools, LibD can better handle multi-package third-party libraries in the presence of name-based obfuscation, leading to significantly improved precision without the loss of scalability.

Chengpeng Zhang,Haoyu Wang,Ran Wang,Yao Guo,Guoai Xu

DOI: https://doi.org/10.18293/seke2018-180

2018-01-01

Abstract:Recent research suggested promising approaches that identify potential malware by checking the inconsistence between app description and actual behavior of the app.However, state-of-the-art approaches have ignored the impact of thirdparty libraries (TPLs) when detecting outliers, which could affect the detection results greatly in two folds.On one hand, most Android apps would not list the functionality of TPLs in app description, which could cause false positives, as many apps that use TPLs will be identified as outliers.On the other hand, it is important to separate TPLs from custom code when analyzing the sensitive behaviors, otherwise the malicious behaviors of custom code will be obscured by TPLs.In this paper, we revisit the study of checking app behavior against app description in the context of TPLs.Experiment results on more than 400K Android apps suggest that more than 54% of apps are no longer identified as outliers after filtering TPLs, and we could identify roughly 50% of new outliers.Furthermore, removing the impact of TPLs could help to identify malware and pinpoint the malicious behavior of custom code.Out results shed a light on applying the TPL analysis to enhance a variety of mobile app analysis tasks.

Zifan Xie,Ming Wen,Tinghan Li,Yiding Zhu,Qinsheng Hou,Hai Jin

DOI: https://doi.org/10.1145/3691620.3695554

2024-01-01

Abstract:Android applications (apps) widely use third-party libraries (TPLs) to reuse functionalities and simplify the development process. Unfortunately, these TPLs often suffer from vulnerabilities that attackers can exploit, leading to catastrophic consequences for app users. To mitigate this threat, researchers have developed tools to detect TPL versions in the app. If an app is found using a TPL vulnerable version, these tools will issue warnings. Although these tools claim to resist the effects of code obfuscation, our preliminary study indicates that code optimization is common during the app release process. A lack of consideration for the impact of code optimizations significantly reduces the effectiveness of existing tools. To fill this gap, this work systematically investigates how and to what extent different optimization strategies affect existing tools. Our findings have led to a new tool named LibHunter, designed to against major code optimization strategies (e.g., Inlining and CallSite Optimization) while also resisting code obfuscation and shrinking. Extensive evaluations on a dataset of apps with optimization, obfuscation, and shrinking enabled show LibHunter significantly outperforms existing tools. It achieves F1 value that surpass the best tools by 29.3% and 36.1% at the library and version levels, respectively. We also applied LibHunter to detect vulnerable TPLs in the top Google Play apps, which shows the scalability of our approach, as well as the potential of our approach to facilitate malware detection.

Xian Zhan,Lingling Fan,Sen Chen,Feng We,Tianming Liu,Xiapu Luo,Yang Liu

DOI: https://doi.org/10.1109/icse43902.2021.00150

2021-01-01

Abstract:Third-party libraries (TPLs) as essential parts in the mobile ecosystem have become one of the most significant contributors to the huge success of Android, which facilitate the fast development of Android applications. Detecting TPLs in Android apps is also important for downstream tasks, such as malware and repackaged apps identification. To identify in-app TPLs, we need to solve several challenges, such as TPL dependency, code obfuscation, precise version representation. Unfortunately, existing TPL detection tools have been proved that they have not solved these challenges very well, let alone specify the exact TPL versions. To this end, we propose a system, named ATVHunter, which can pinpoint the precise vulnerable in-app TPL versions and provide detailed information about the vulnerabilities and TPLs. We propose a two-phase detection approach to identify specific TPL versions. Specifically, we extract the Control Flow Graphs as the coarse-grained feature to match potential TPLs in the pre-defined TPL database, and then extract opcode in each basic block of CFG as the fine-grained feature to identify the exact TPL versions. We build a comprehensive TPL database (189,545 unique TPLs with 3,006,676 versions) as the reference database. Meanwhile, to identify the vulnerable in-app TPL versions, we also construct a comprehensive and known vulnerable TPL database containing 1,180 CVEs and 224 security bugs. Experimental results show AtVHunter outperforms state-of-the-art TPL detection tools, achieving 90.55% precision and 88.79% recall with high efficiency, and is also resilient to widely-used obfuscation techniques and scalable for large-scale TPL detection. Furthermore, to investigate the ecosystem of the vulnerable TPLs used by apps, we exploit newtool to conduct a large-scale analysis on 104,446 apps and find that 9,050 apps include vulnerable TPL versions with 53,337 vulnerabilities and 7,480 security bugs, most of which are with high risks and are not recognized by app developers.

Zhushou Tang,Minhui Xue,Guozhu Meng,Chengguo Ying,Yugeng Liu,Jianan He,Haojin Zhu,Yang Liu

DOI: https://doi.org/10.1016/j.cose.2018.07.024

IF: 5.105

2019-01-01

Computers & Security

Abstract:Third-party library (TPL) detection in Android has been a hot topic to security researchers for a long time. A precise yet scalable detection of TPLs in applications can greatly facilitate other security activities such as TPL integrity checking, malware detection, and privacy leakage detection. Since TPLs of specific versions may exhibit their own security issues, the identification of TPL as well as its concrete version, can help assess the security of Android APPs. However in reality, existing approaches of TPL detection suffer from low efficiency for their detection algorithm to impracticable and low accuracy due to insufficient analysis data, inappropriate features, or the disturbance from code obfuscation, shrinkage, and optimization. In this paper, we present an automated approach, named PANGUARD, to detect TPLs from an enormous number of Android APPs. We propose a novel combination of features including both structural and content information for packages in APPs to characterize TPLs. In order to address the difficulties caused by code obfuscation, shrinkage, and optimization, we identify the invariants that are unchanged during mutation, separate TPLs from the primary code in APPs, and use these invariants to determine the contained TPLs as well as their versions. The extensive experiments show that PANGUARD achieves a high accuracy and scalability simultaneously in TPL detection. In order to accommodate to optimized TPL detection, which has not been mentioned by previous work, we adopt set analysis, which speed up the detection as a side effect. PANGUARD is implemented and applied on an industrial edge computing platform, and powers the identification of TPL. Beside fast detection algorithm, the edge computing deployment architecture make the detection scalable to real-time detection on a large volume of emerging APPs. Based on the detection results from millions of Android APPs, we successfully identify over 800 TPLs with 12 versions on average. By investigating the differences amongst these versions, we identify over 10 security issues in TPLs, and shed light on the significance of TPL detection with the caused harmful impacts on the Android ecosystem. (C) 2018 Elsevier Ltd. All rights reserved.

Jian Xu,Qianting Yuan

DOI: https://doi.org/10.1109/tmc.2020.3003336

IF: 6.075

2020-01-01

IEEE Transactions on Mobile Computing

Abstract:Third-party library (TPL) detection plays a very important role in Android malware analysis. The focus of recent works has been shifted to the signature-based approach. However, previous methods have several limitations such as high time complexity and low precision, especially with the presence of similar TPLs and various versions of a TPL. To solve these issues, we propose a rapid, online, and accurate TPL detection approach, named LibRoad, which also follows the line of the signature-based research. To reduce the time cost, our approach integrates an application preprocessing component and a pairwise package matching component. The former divides an application into primary modules and non-primary modules to enable us to focus on analyzing packages in non-primary modules that are the most possibly imported from a TPL. The latter adopts a combination of the package name based matching policy for non-obfuscated packages and the signature-based matching policy for obfuscated packages, where the package name based matching policy has a lower time complexity than the signature based one. Further, to improve performance, our approach integrates a perfectly matched package and TPL determination component, which adopts the package filter mechanism, online TPL detection, and local TPL discovery to identify TPLs with low false positive and false negative. We conduct several groups of experiments on real-world applications and two ground truth bases. Experimental results show that compared to state-of-the-art approaches, LibRoad can achieve a high recall of 99.86 percent and a low false positive rate of 11.48 percent without the loss of efficiency.

Xing Liu,Sencun Zhu,Wei Wang,Jiqiang Liu

DOI: https://doi.org/10.1109/tmc.2019.2903186

IF: 6.075

2020-01-01

IEEE Transactions on Mobile Computing

Abstract:While much effort has been made to detect and measure the privacy leakage caused by the advertising (ad) libraries integrated in mobile applications, analytics libraries, which are also widely used in mobile apps have not been systematically studied for their privacy risks. Different from ad libraries, the main function of analytics libraries is to collect users' in-app actions. Hence, by design analytics libraries are more likely to leak users' private information. In this work, we study what information is collected by the analytics libraries integrated in popular Android apps. We design and implement a framework called "Alde". Given an app, Alde employs both static analysis and dynamic analysis to detect the users' in-app actions collected by analytics libraries. We also study what private information can be leaked by the apps that use the same analytics library. Moreover, we analyze apps' privacy policies to see whether app developers have notified the users that their in-app action data is collected by analytics libraries. Finally, we select eight widely used analytics libraries to study and apply our method to 300 popular apps downloaded from both Chinese app markets and Google play. Our experimental results show that some apps indeed leak users' personal information through analytics libraries even though their genuine purposes of using analytics services are legal. To mitigate such threats, we have developed an app named "ALManager" that leverages the Xposed framework to manage analytics libraries in other apps.

Hao-Yu WANG,Yao GUO,Zi-Ang MA,Xiang-Qun CHEN

DOI: https://doi.org/10.13328/j.cnki.jos.005221

2017-01-01

Journal of Software

Abstract:Third-Party libraries are widely used in mobile applications such as Android apps.Much research on app analysis or access control needs to detect or classify third-party libraries first in order to provide accurate results.Most previous studies use a whitelist to identify third-party libraries and manually categorize them.However,it is impossible to build a complete whitelist of third-party libraries and classify them because:(1) there are too many of them;and (2) common techniques such as library obfuscation and library masquerading cannot be handled with a whitelist.In this paper,an automated approach is proposed to detect and classify frequently-used third-party libraries in Android apps.A multi-level clustering based method is presented to identify third-party libraries,and a machine learning based technique is applied to classify the libraries.Experiments on more than 130000 apps show that 4916 third-party libraries can be detected without prior knowledge.The classification result of 10-folds cross validation on sampled libraries is 84.28％.With the trained classifier,the proposed approach is able to classify more than 75％ of the 4916 libraries into six categories with an accuracy of 75％.