Publication Type

Conference Proceeding Article

Version

publishedVersion

Publication Date

9-2019

Abstract

Third-party libraries, which are ubiquitous in Android apps, have exposed great security threats to end users as they rarely get timely updates from the app developers, leaving many security vulnerabilities unpatched. This issue is due to the fact that manually updating libraries can be technically non-trivial and time-consuming for app developers. In this paper, we propose a technique that performs automatic generation of non-intrusive updates for third-party libraries in Android apps. Given an Android app with an outdated library and a newer version of the library, we automatically update the old library in a way that is guaranteed to be fully backward compatible and imposes zero impact to the library's interactions with other components. To understand the potential impact of code changes, we propose a novel Value-sensitive Differential Slicing algorithm that leverages the diffing information between two versions of a library. The new slicing algorithm greatly reduces the over-conservativeness of traditional slicing while still preserving the soundness with respect to update generation. We have implemented a prototype called LIBBANDAID. We further evaluated its efficacy on 9 popular libraries with 173 security commits across 83 different versions and 100 real-world open-source apps. The experimental results show that LIBBANDAID can achieve a high average successful updating rate of 80.6% for security vulnerabilities and an even higher rate of 94.07% when further combined with potentially patchable vulnerabilities.

Discipline

Information Security

Publication

Proceedings of the 22nd International Symposium on Research on Attacks, Intrusions and Defenses, Beijing, China, Sep 23-25

ISBN

978193913307-6

Publisher

USENIX Association

City or Country

California, USA

Copyright Owner and License

Authors
