CISPA
Up2Dep: Android Tool Support to Fix Insecure Code Dependencies

conference contribution
posted on 2023-11-29, 18:14 authored by Duc Cuong Nguyen, Erik Derr, Michael Backes, Sven Bugiel
Third-party libraries, especially outdated versions, can introduce and multiply security- and privacy-related issues in Android applications. While prior work has shown the need for tool support that helps developers avoid libraries with security problems, no such solution has yet been brought forward for Android. It is unclear how such a solution would work and which challenges need to be solved in realizing it. In this work, we take a step forward in this direction. We propose Up2Dep, an Android Studio extension that supports Android developers in keeping project dependencies up to date and in avoiding insecure libraries. To evaluate the technical feasibility of Up2Dep, we publicly released it and tested it with Android developers (N=56) in their daily tasks. Up2Dep delivered quick-fixes that mitigated 108 outdated dependencies and 8 outdated dependencies with security problems in 34 real projects. Those developers perceived it as helpful. Our results also highlight technical challenges in realizing such support, for which we provide solutions and new insights. Our results emphasize the urgent need for dedicated tool support to detect and update insecure, outdated third-party libraries in Android apps. We believe that Up2Dep is a valuable step forward in improving the security of the Android ecosystem, and that our results are encouraging for tool support with a tangible impact, since app developers gain an easy means to fix their outdated and insecure dependencies.

History

Preferred Citation

Duc Nguyen, Erik Derr, Michael Backes and Sven Bugiel. Up2Dep: Android Tool Support to Fix Insecure Code Dependencies. In: Annual Computer Security Applications Conference (ACSAC). 2020.

Primary Research Area

  • Secure Connected and Mobile Systems

Name of Conference

Annual Computer Security Applications Conference (ACSAC)

Legacy Posted Date

2020-12-08

Open Access Type

  • Unknown

BibTeX

@inproceedings{cispa_all_3324,
  title     = "Up2Dep: Android Tool Support to Fix Insecure Code Dependencies",
  author    = "Nguyen, Duc Cuong and Derr, Erik and Backes, Michael and Bugiel, Sven",
  booktitle = "{Annual Computer Security Applications Conference (ACSAC)}",
  year      = "2020",
}
