The Impact of Third-party Code on Android App Security

Third-party libraries are an indispensable aspect of modern software development. They ease the developer's job through code re-use but, at the same time, increase the apps' attack surface by adding vulnerable code. On Android, there is an imminent risk of misuse by libraries as they inherit the access rights of their host apps. Correctly attributing improper app behavior either to app or library code or isolating library code from their host apps would be highly desirable to mitigate these problems, but is impeded by the absence of a third-party library detection that is effective in spite of commonly used code obfuscation and minification techniques.

In this talk, I'll present a library detection approach that overcomes these obstacles and that is capable of pinpointing exact library versions in Android applications. Applied to apps from Google Play, we measure the outdatedness of libraries and show that app developers slowly adapt new library versions, exposing their end-users to large windows of vulnerability. We discover that even long-known security vulnerabilities in popular libraries are still present in current apps. A subsequent updatability study reveals that the vast majority of vulnerable versions could be patched automatically. I'll conclude the talk by highlighting potential obstacles in improving this unsatisfactory status-quo.