Scalable online vetting of Android apps for measuring declared SDK versions and their consistency with API calls

Author

Daoyuan WU
Debin GAO, Singapore Management UniversityFollow
David LO, Singapore Management UniversityFollow

Publication Type

Journal Article

Version

acceptedVersion

Publication Date

1-2021

Abstract

Android has been the most popular smartphone system with multiple platform versions active in the market. To manage the application’s compatibility with one or more platform versions, Android allows apps to declare the supported platform SDK versions in their manifest files. In this paper, we conduct a systematic study of this modern software mechanism. Our objective is to measure the current practice of declared SDK versions (which we term as DSDK versions afterwards) in real apps, and the (in)consistency between DSDK versions and their host apps’ API calls. To successfully analyze a modern dataset of 22,687 popular apps (with an average app size of 25MB), we design a scalable approach that operates on the Android bytecode level and employs a lightweight bytecode search for app analysis. This approach achieves a good performance suitable for online vetting in app markets, requiring only around 5 seconds to process an app on average. Besides shedding light on the characteristics of DSDK in the wild, our study quantitatively measures two side effects of inappropriate DSDK versions: (i) around 35% apps under-set the minimum DSDK versions and could incur runtime crashes, but fortunately, only 11.3% apps could crash on Android 6.0 and above; (ii) around 2% apps, due to under-claiming the targeted DSDK versions, are potentially exploitable by remote code execution, and half of them invoke the vulnerable API via embedded third-party libraries. These results indicate the importance and difficulty of declaring correct DSDK, and our work can help developers fulfill this goal.

Keywords

SDK version, API call, Android fragmentation, App analysis

Discipline

Artificial Intelligence and Robotics | Computer Sciences | Operations Research, Systems Engineering and Industrial Engineering

Research Areas

Cybersecurity; Software and Cyber-Physical Systems

Publication

Empirical Software Engineering

Volume

26

Issue

1

First Page

1

Last Page

32

ISSN

1382-3256

Publisher

Springer Verlag (Germany)

Embargo Period

3-28-2021

Citation

WU, Daoyuan; GAO, Debin; and LO, David. Scalable online vetting of Android apps for measuring declared SDK versions and their consistency with API calls. (2021). Empirical Software Engineering. 26, (1), 1-32.
Available at: https://ink.library.smu.edu.sg/sis_research/5880

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.

Additional URL

https://doi.org/10.1007/s10664-020-09897-6