Publication Type
Conference Proceeding Article
Version
publishedVersion
Publication Date
9-2019
Abstract
Third-Party libraries, which are ubiquitous in Android apps, have exposed great security threats to end users as they rarely get timely updates from the app developers, leaving many security vulnerabilities unpatched. This issue is due to the fact that manually updating libraries can be technically nontrivial and time-consuming for app developers. In this paper, we propose a technique that performs automatic generation of non-intrusive updates for third-party libraries in Android apps. Given an Android app with an outdated library and a newer version of the library, we automatically update the old library in a way that is guaranteed to be fully backward compatible and imposes zero impact to the library’s interactions with other components. To understand the potential impact of code changes, we propose a novel Value-sensitive Differential Slicing algorithm that leverages the diffing information between two versions of a library. The new slicing algorithm greatly reduces the over-conservativeness of the traditional slicing while still preserving the soundness with respect to update generation. We have implemented a prototype called LIBBANDAID. We further evaluated its efficacy on 9 popular libraries with 173 security commits across 83 different versions and 100 real-world open-source apps. The experimental results show that LIBBANDAID can achieve a high average successful updating rate of 80.6% for security vulnerabilities and an even higher rate of 94.07% when further combined with potentially patchable vulnerabilities.
Discipline
Information Security
Publication
Proceedings of the 22nd International Symposium on Research on Attacks, Intrusions and Defenses, Beijing, China, Sep 23-25
ISBN
978193913307-6
Publisher
USENIX Association
City or Country
California, USA
Citation
DUAN, Yue; GAO, Lian; HU, Jie; and YIN, Heng.
Automatic generation of non-intrusive updates for third-party libraries in android applications. (2019). Proceedings of the 22nd International Symposium on Research on Attacks, Intrusions and Defenses, Beijing, China, Sep 23-25.
Available at: https://ink.library.smu.edu.sg/sis_research/8140
Copyright Owner and License
Authors
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.