TeamUSEC

Keep me Updated: An Empirical Study of Third-Party Library Updatability on Android

Erik Derr, Sven Bugiel, Sascha Fahl, Yasemin Acar and Michael Backes.
Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, October 30 - November 03, 2017

Abstract

Third-party libraries in Android apps have repeatedly been shown to be hazards to users’ privacy and an amplification of their host apps’ attack surface. A particularly aggravating factor in this situation is that the library versions included in apps are very often outdated.

This paper makes the first contribution towards solving the problem of library outdatedness on Android. First, we conduct a survey with 203 app developers from Google Play to retrieve first-hand information about their usage of libraries and requirements for more effective library updates. With a subsequent study of library providers’ semantic versioning practices, we uncover that those providers are likely a contributing factor to the app developers’ abstinence from library updates in order to avoid ostensible re-integration efforts and version incompatibilities. Further, we conduct a large-scale library updatability analysis of 1,264,118 apps to show that, based on the library API usage, 85.6% of the libraries could be upgraded by at least one version without modifying the app code, 48.2% even to the latest version. Particularly alarming are our findings that 97.8% out of 16,837 actively used library versions with a known security vulnerability could be easily fixed through a drop-in replacement of the vulnerable library with the fixed version.

Based on these results, we conclude with a thorough discussion of solutions and actionable items for different actors in the app ecosystem to effectively remedy this situation.

Reference

@inproceedings{DBLP:conf/ccs/DerrBFA017,
  author    = {Erik Derr and
               Sven Bugiel and
               Sascha Fahl and
               Yasemin Acar and
               Michael Backes},
  bibsource = {dblp computer science bibliography, https://dblp.org},
  biburl    = {https://dblp.org/rec/conf/ccs/DerrBFA017.bib},
  booktitle = {Proceedings of the 2017 ACM SIGSAC Conference on Computer and
               Communications Security, CCS 2017, Dallas, TX, USA, October 30 -
               November 03, 2017},
  doi       = {10.1145/3133956.3134059},
  editor    = {Bhavani M. Thuraisingham and
               David Evans and
               Tal Malkin and
               Dongyan Xu},
  pages     = {2187--2200},
  publisher = {ACM},
  title     = {Keep me Updated: An Empirical Study of Third-Party Library Updatability
               on Android},
  url       = {https://doi.org/10.1145/3133956.3134059},
  year      = {2017}
}