
Up-To-Crash: Evaluating Third-Party Library Updatability on Android

conference contribution
posted on 2023-11-29, 18:10 authored by Jie Huang, Nataniel Pereira Borges Jr., Sven Bugiel, Michael Backes
Buggy and flawed third-party libraries increase their host app's attack surface and put the users' privacy at risk. To avert this risk, libraries have to be kept updated to their newest versions by the app developers that integrate them into their projects. Recent research revealed that the prevalence of outdated third-party libraries in Android apps is indeed a rampant problem, but also suggested that there is a great opportunity for drop-in replacements of outdated libraries, which would not even require cooperation by the app developers to update the libraries. However, all those conclusions are based on static app analysis, which can only provide an abstract view. In this work, we extend the updatability analysis to the runtime of apps. We implement a solution to update third-party libraries with drop-in replacements by their newer versions. To verify the feasibility of this developer-independent update mechanism, we dynamically test 3,000 real-world apps for 3 popular libraries (78 library versions) for runtime failures stemming from incompatible library updates. To investigate the updatability of libraries in depth, exploration-enhanced dynamic testing is adopted to monitor the runtime behaviors of 15 apps before and after library updating. From our test, we find that the previously reported updatability rate is overestimated under real conditions by a factor of 1.57–2.06. Through root cause analysis, we find that the underlying problems prohibiting easy updates are intricate, such as deprecated functions, changed data structures, or entangled dependencies between different libraries and even the host app. We think our results not only put a more realistic light on the library updatability problem in Android, but also provide valuable insights for future solutions that provide automatic library updates or that try to support app developers in better maintaining their external dependencies.

History

Preferred Citation

Jie Huang, Nataniel Pereira Borges Jr., Sven Bugiel and Michael Backes. Up-To-Crash: Evaluating Third-Party Library Updatability on Android. In: IEEE European Symposium on Security and Privacy (EuroS&P). 2019.

Primary Research Area

  • Secure Connected and Mobile Systems

Name of Conference

IEEE European Symposium on Security and Privacy (EuroS&P)

Legacy Posted Date

2019-05-02

Open Access Type

  • Unknown

BibTeX

@inproceedings{cispa_all_2885,
  title     = "Up-To-Crash: Evaluating Third-Party Library Updatability on Android",
  author    = "Huang, Jie and Jr., Nataniel Pereira Borges and Bugiel, Sven and Backes, Michael",
  booktitle = "{IEEE European Symposium on Security and Privacy (EuroS&P)}",
  year      = "2019",
}
