MtdScout : Complementing the identification of insecure methods in Android apps via source-to-bytecode signature generation and tree-based layered search

Author

Zicheng ZHANG
Haoyu MA
Daoyuan WU
Debin GAO, Singapore Management UniversityFollow
Xiao YI
Yufan CHEN
Yan WU
Lingxiao JIANG, Singapore Management UniversityFollow

Publication Type

Conference Proceeding Article

Version

acceptedVersion

Publication Date

7-2024

Abstract

Modern Android apps consist of both host app code and third-party libraries. Traditional static analysis tools conduct taint analysis for API misuses on the entire app code, while third-party library (TPL) detection tools focus solely on library code. Both approaches, however, are prone to some inherent false negatives: taint analysis tools may neglect third-party libraries or face timeouts/errors in whole app-based analysis, and TPL detection tools are not designed for pinpointing specific vulnerable methods. These challenges underscore the need for enhanced identification of insecure methods in Android apps, particularly for app markets addressing open-source security incidents. In this paper, we aim to complement the identification of missed false negatives in both TPL detection and taint analysis by directly identifying clones of insecure methods, regardless of whether they are in the host app code or a shrunk library. We propose MtdScout, a novel crosslayer, method-level clone detection tool for Android apps. MtdScout generates bytecode signatures for flawed source methods using compiler-style interpretation and abstraction, and efficiently matches them with target app bytecode using signature-mapped search trees. Our experiment using ground-truth apps shows that MtdScout achieves the highest accuracy among three tested clone detection tools, with a precision of 92.5% and recall of 87.2%. A large-scale experiment with 23.9K apps from Google Play demonstrates MtdScout's effectiveness in complementing both LibScout and CryptoGuard by identifying numerous false negatives they missed due to app shrinking, method-only cloning, and inherent timeouts and failures in expensive taint analysis. Additionally, our experiment uncovers four security findings that highlight the disparities between MtdScout's methodlevel clone detection and package-level library detection.

Keywords

Clone detection, Android apps, Third-party library detection, TPL detection, Open-source security

Discipline

Information Security

Research Areas

Cybersecurity

Areas of Excellence

Digital transformation

Publication

Proceedings of the 9th IEEE European Symposium on Security and Privacy (EuroS&P 2024) : Vienna Austria, July 8-12

First Page

724

Last Page

740

Identifier

10.1109/EuroSP60621.2024.00045

Publisher

IEEE Computer Society

City or Country

Vienna Austria

Citation

ZHANG, Zicheng; MA, Haoyu; WU, Daoyuan; GAO, Debin; YI, Xiao; CHEN, Yufan; WU, Yan; and JIANG, Lingxiao. MtdScout : Complementing the identification of insecure methods in Android apps via source-to-bytecode signature generation and tree-based layered search. (2024). Proceedings of the 9th IEEE European Symposium on Security and Privacy (EuroS&P 2024) : Vienna Austria, July 8-12. 724-740.
Available at: https://ink.library.smu.edu.sg/sis_research/9688

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.

Comments

PDF provided by faculty

Additional URL

https://doi.ieeecomputersociety.org/10.1109/EuroSP60621.2024.00045