Up-To-Crash: Evaluating Third-Party Library Updatability on Android

Huang, Jie and Pereira Borges Jr., Nataniel and Bugiel, Sven and Backes, Michael
(2019) Up-To-Crash: Evaluating Third-Party Library Updatability on Android.
In: 4th IEEE European Symposium on Security and Privacy.
Conference: EuroS&P IEEE European Symposium on Security and Privacy

[img]
Preview
 Text
up2crash-euros&p-cr.pdf
Download (1MB) | Preview

Abstract

Buggy and flawed third-party libraries increase their host app’s attack surface and put the users’ privacy at risk. To avert this risk, libraries have to be kept updated to their newest versions by the app developers that integrate them into their projects. Recent researches revealed that the prevalence of outdated third-party libraries in Android apps is indeed a rampant problem, but also suggested that there is a great opportunity for drop-in replacements of outdated libraries, which would not even require cooperation by the app developers to update the libraries. However, all those conclusions are based on static app analysis, which can only provide an abstract view. In this work, we extend the updatability analysis to the runtime of apps. We implement a solution to update third-party libraries with drop-in replacements by their newer versions. To verify the feasibility of this developer-independent update mechanism, we dynamically test 3,000 real world apps for 3 popular libraries (78 library versions) for runtime failures stemming from incompatible library updates. To investigate the updatability of libraries in-depth, exploration enhanced dynamic testing is adopted to monitor the runtime behaviors of 15 apps before and after library updating. From our test, we find that the prior reported updatability rate is under real conditions overestimated by a factor of 1.57–2.06. Through root cause analysis, we find that the underlying problems prohibiting easy updates are intricate, such as deprecated functions, changed data structures, or entangled dependencies between different libraries and even the host app. We think our results not only put a more realistic light on the library updatability problem in Android, but also provide valuable insights for future solutions that provide automatic library updates or that try to support the app developers in better maintaining their external dependencies.

Item Type: Conference or Workshop Item (A Paper) (Paper)
Divisions: Michael Backes (InfSec)
Andreas Zeller (Software Engineering, ST)
Sven Bugiel (Trusted Systems Group, TSG)
Conference: EuroS&P IEEE European Symposium on Security and Privacy
Depositing User: Sven Bugiel
Date Deposited: 02 May 2019 09:09
Last Modified: 18 Jul 2019 12:11
Primary Research Area: NRA4: Secure Mobile and Autonomous Systems
URI: https://publications.cispa.saarland/id/eprint/2885

Actions

Actions (login required)

View Item View Item
CISPA is powered by EPrints 3 which is developed by the School of Electronics and Computer Science at the University of Southampton. More information and software credits.