Automatic Generation of Non-intrusive Updates for Third-Party Libraries in Android Applications

Authors:

Yue Duan, Cornell University; Lian Gao, Jie Hu, and Heng Yin, University of California Riverside

Abstract:

Third-party libraries, which are ubiquitous in Android apps, pose serious security threats to end users because they rarely receive timely updates from app developers, leaving many security vulnerabilities unpatched. This outdatedness is mainly due to the fact that manually updating a library can be non-trivial and time-consuming for app developers, since it usually involves code modifications. In this paper, we propose a technique that automatically generates non-intrusive updates for third-party libraries in Android apps. Given an Android app with an outdated library and a newer version of that library, we automatically update the old library in a way that is guaranteed to be fully backward compatible and to have zero impact on the library's interactions with other components. To understand the potential impact of code changes, we propose a novel Value-sensitive Differential Slicing algorithm that leverages the diffing information between two versions of a library. The new slicing algorithm greatly reduces the over-conservativeness of traditional slicing while still preserving soundness with respect to update generation. We have implemented a prototype called LibBandAid. We further evaluated its efficacy on 9 popular libraries with 173 security commits across 83 different versions and 100 real-world open-source apps. The experimental results show that LibBandAid achieves a high average successful update rate of 80.6% for security vulnerabilities, and an even higher rate of 94.07% when potentially patchable vulnerabilities are also counted.

BibTeX
@inproceedings {242046,
author = {Yue Duan and Lian Gao and Jie Hu and Heng Yin},
title = {Automatic Generation of Non-intrusive Updates for {Third-Party} Libraries in Android Applications},
booktitle = {22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2019)},
year = {2019},
isbn = {978-1-939133-07-6},
address = {Chaoyang District, Beijing},
pages = {277--292},
url = {https://www.usenix.org/conference/raid2019/presentation/duan},
publisher = {USENIX Association},
month = sep
}