Scalable online vetting of Android apps for measuring declared SDK versions and their consistency with API calls

Android has been the most popular smartphone system with multiple platform versions active in the market. To manage the application's compatibility with one or more platform versions, Android allows apps to declare the supported platform SDK versions in their manifest files. In this paper, we conduct a systematic study of this modern software mechanism. Our objective is to measure the current practice of declared SDK versions (which we term DSDK versions hereafter) in real apps, and the (in)consistency between DSDK versions and their host apps' API calls. To successfully analyze a modern dataset of 22,687 popular apps (with an average app size of 25MB), we design a scalable approach that operates on the Android bytecode level and employs a lightweight bytecode search for app analysis. This approach achieves good performance suitable for online vetting in app markets, requiring only around 5 seconds to process an app on average. Besides shedding light on the characteristics of DSDK in the wild, our study quantitatively measures two side effects of inappropriate DSDK versions: (i) around 35% of apps under-set the minimum DSDK versions and could incur runtime crashes, but fortunately, only 11.3% of apps could crash on Android 6.0 and above; (ii) around 2% of apps, due to under-claiming the targeted DSDK versions, are potentially exploitable by remote code execution, and half of them invoke the vulnerable API via embedded third-party libraries. These results indicate the importance and difficulty of declaring correct DSDK, and our work can help developers fulfill this goal.

Bibliographic Details
Main Authors: WU, Daoyuan; GAO, Debin; LO, David
Format: text (application/pdf)
Language: English
Published: Institutional Knowledge at Singapore Management University, 2021
Collection: Research Collection School Of Computing and Information Systems
Date: 2021-01-01
License: http://creativecommons.org/licenses/by-nc-nd/4.0/
Subjects: SDK version; API call; Android fragmentation; App analysis; Artificial Intelligence and Robotics; Computer Sciences; Operations Research, Systems Engineering and Industrial Engineering
Online Access: https://ink.library.smu.edu.sg/sis_research/5880
https://ink.library.smu.edu.sg/context/sis_research/article/6889/viewcontent/Scalable_online_vetting_of_Android_apps.pdf
Institution: Singapore Management University