MtdScout : Complementing the identification of insecure methods in Android apps via source-to-bytecode signature generation and tree-based layered search

Modern Android apps consist of both host app code and third-party libraries. Traditional static analysis tools conduct taint analysis for API misuses on the entire app code, while third-party library (TPL) detection tools focus solely on library code. Both approaches, however, are prone to some inhe...

Bibliographic Details
Main Authors: ZHANG, Zicheng, MA, Haoyu, WU, Daoyuan, GAO, Debin, YI, Xiao, CHEN, Yufan, WU, Yan, JIANG, Lingxiao
Format: text
Language: English
Published: Institutional Knowledge at Singapore Management University 2024
Subjects:
Online Access: https://ink.library.smu.edu.sg/sis_research/9688
https://ink.library.smu.edu.sg/context/sis_research/article/10688/viewcontent/eurosp24__1_.pdf
Institution: Singapore Management University
id sg-smu-ink.sis_research-10688
record_format dspace
spelling sg-smu-ink.sis_research-10688 2024-11-28T09:10:08Z 2024-07-01T07:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/9688 info:doi/10.1109/EuroSP60621.2024.00045 https://ink.library.smu.edu.sg/context/sis_research/article/10688/viewcontent/eurosp24__1_.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University
institution Singapore Management University
building SMU Libraries
continent Asia
country Singapore
content_provider SMU Libraries
collection InK@SMU
language English
topic Clone detection
Android apps
Third-party library detection
TPL detection
Open-source security
Information Security
description Modern Android apps consist of both host app code and third-party libraries. Traditional static analysis tools conduct taint analysis for API misuses on the entire app code, while third-party library (TPL) detection tools focus solely on library code. Both approaches, however, are prone to some inherent false negatives: taint analysis tools may neglect third-party libraries or face timeouts/errors in whole app-based analysis, and TPL detection tools are not designed for pinpointing specific vulnerable methods. These challenges underscore the need for enhanced identification of insecure methods in Android apps, particularly for app markets addressing open-source security incidents. In this paper, we aim to complement the identification of missed false negatives in both TPL detection and taint analysis by directly identifying clones of insecure methods, regardless of whether they are in the host app code or a shrunk library. We propose MtdScout, a novel cross-layer, method-level clone detection tool for Android apps. MtdScout generates bytecode signatures for flawed source methods using compiler-style interpretation and abstraction, and efficiently matches them with target app bytecode using signature-mapped search trees. Our experiment using ground-truth apps shows that MtdScout achieves the highest accuracy among three tested clone detection tools, with a precision of 92.5% and recall of 87.2%. A large-scale experiment with 23.9K apps from Google Play demonstrates MtdScout's effectiveness in complementing both LibScout and CryptoGuard by identifying numerous false negatives they missed due to app shrinking, method-only cloning, and inherent timeouts and failures in expensive taint analysis. Additionally, our experiment uncovers four security findings that highlight the disparities between MtdScout's method-level clone detection and package-level library detection.
format text
author ZHANG, Zicheng
MA, Haoyu
WU, Daoyuan
GAO, Debin
YI, Xiao
CHEN, Yufan
WU, Yan
JIANG, Lingxiao
title MtdScout : Complementing the identification of insecure methods in Android apps via source-to-bytecode signature generation and tree-based layered search
publisher Institutional Knowledge at Singapore Management University
publishDate 2024
url https://ink.library.smu.edu.sg/sis_research/9688
https://ink.library.smu.edu.sg/context/sis_research/article/10688/viewcontent/eurosp24__1_.pdf
_version_ 1819113103295512576