Automatic generation of non-intrusive updates for third-party libraries in Android applications
| Field | Value |
|---|---|
| Main Authors | |
| Format | text |
| Language | English |
| Published | Institutional Knowledge at Singapore Management University, 2019 |
| Subjects | |
| Online Access | https://ink.library.smu.edu.sg/sis_research/8140 ; https://ink.library.smu.edu.sg/context/sis_research/article/9143/viewcontent/Automatic_Generation_of_Non_intrusive_Updates_for_Third_Party_Libraries_in_Android_Applications.pdf |
| Institution | Singapore Management University |
Summary:

Third-party libraries, which are ubiquitous in Android apps, have exposed great security threats to end users as they rarely get timely updates from the app developers, leaving many security vulnerabilities unpatched. This issue is due to the fact that manually updating libraries can be technically nontrivial and time-consuming for app developers. In this paper, we propose a technique that performs automatic generation of non-intrusive updates for third-party libraries in Android apps. Given an Android app with an outdated library and a newer version of the library, we automatically update the old library in a way that is guaranteed to be fully backward compatible and imposes zero impact to the library's interactions with other components. To understand the potential impact of code changes, we propose a novel Value-sensitive Differential Slicing algorithm that leverages the diffing information between two versions of a library. The new slicing algorithm greatly reduces the over-conservativeness of the traditional slicing while still preserving the soundness with respect to update generation. We have implemented a prototype called LIBBANDAID. We further evaluated its efficacy on 9 popular libraries with 173 security commits across 83 different versions and 100 real-world open-source apps. The experimental results show that LIBBANDAID can achieve a high average successful updating rate of 80.6% for security vulnerabilities and an even higher rate of 94.07% when further combined with potentially patchable vulnerabilities.