Too Quiet in the Library: A Study of Native Third-Party Libraries in Android
Android applications ("apps") make avid use of third-party native libraries to increase performance and to reuse already implemented functionality. Native code can be directly executed from apps through the Java Native Interface or the Android Native Development Kit. Android developers drop precompiled native libraries into their projects, enabling their use. Unfortunately, developers are often not aware that these libraries (or their dependencies) must be updated. This results in the continuous use of outdated native libraries with unpatched security vulnerabilities years after patches are available. To assess the severity of the use of outdated and vulnerable libraries in the Android ecosystem, we study the prevalence of native libraries in the top applications of the Google Play market over time, correlating the time when native libraries are updated with the availability of security patches. A core difficulty we have to solve for this research is the identification of libraries and versions. Developers often rename or modify libraries but we require precise information about each binary. Our binary similarity metric bin2sim uses diverse features extracted from the libraries to identify and map the required information. Leveraging this bin2sim, we create an approach called LibRARIAN (LibRAry veRsion IdentificAtioN) that can accurately identify native libraries and their versions as found in Android apps with a a 92.53 true-positive rate, no false positives, and a 7.46
READ FULL TEXT