Automated third-party library detection for Android applications: are we there yet?

Xian Zhan; Lingling Fan; Tianming Liu; Sen Chen; Li Li; Haoyu Wang; Yifei Xu; Xiapu Luo; Yang Liu

doi:10.1145/3324884.3416582

Automated third-party library detection for Android applications: are we there yet?

Xian Zhan, Lingling Fan, Tianming Liu, Sen Chen, Li Li, Haoyu Wang, Yifei Xu, Xiapu Luo, Yang Liu

Department of Software Systems & Cybersecurity

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

22 Citations (Scopus)

Abstract

Third-party libraries (TPLs) have become a significant part of the Android ecosystem. Developers can employ various TPLs with different functionalities to facilitate their app development. Unfortunately, the popularity of TPLs also brings new challenges and even threats. TPLs may carry malicious or vulnerable code, which can infect popular apps to pose threats to mobile users. Besides, the code of third-party libraries could constitute noises in some downstream tasks (e.g., malware and repackaged app detection). Thus, researchers have developed various tools to identify TPLs. However, no existing work has studied these TPL detection tools in detail; different tools focus on different applications with performance differences, but little is known about them. To better understand existing TPL detection tools and dissect TPL detection techniques, we conduct a comprehensive empirical study to fill the gap by evaluating and comparing all publicly available TPL detection tools based on four criteria: effectiveness, efficiency, code obfuscation-resilience capability, and ease of use. We reveal their advantages and disadvantages based on a systematic and thorough empirical study. Furthermore, we also conduct a user study to evaluate the usability of each tool. The results showthat LibScout outperforms others regarding effectiveness, LibRadar takes less time than others and is also regarded as the most easy-to-use one, and LibPecker performs the best in defending against code obfuscation techniques. We further summarize the lessons learned from different perspectives, including users, tool implementation, and researchers. Besides, we enhance these open-sourced tools by fixing their limitations to improve their detection ability. We also build an extensible framework that integrates all existing available TPL detection tools, providing online service for the research community. We make publicly available the evaluation dataset and enhanced tools. We believe our work provides a clear picture of existing TPL detection techniques and also give a road-map for future directions.

Original language	English
Title of host publication	Proceedings - 2020 35th IEEE/ACM International Conference on Automated Software Engineering, ASE 2020
Editors	Claire Le Goues, David Lo
Place of Publication	New York NY USA
Publisher	IEEE, Institute of Electrical and Electronics Engineers
Pages	919-930
Number of pages	12
ISBN (Electronic)	9781450367684
DOIs	https://doi.org/10.1145/3324884.3416582
Publication status	Published - 2020
Event	Automated Software Engineering Conference 2020 - Virtual, Melbourne, Australia Duration: 21 Sep 2020 → 25 Sep 2020 Conference number: 35th https://dl.acm.org/doi/proceedings/10.1145/3324884 (Proceedings) https://conf.researchr.org/home/ase-2020 (Website) https://dl.acm.org/doi/proceedings/10.1145/3417113 (Proceedings)

Conference

Conference	Automated Software Engineering Conference 2020
Abbreviated title	ASE 2020
Country/Territory	Australia
City	Melbourne
Period	21/09/20 → 25/09/20
Internet address	https://dl.acm.org/doi/proceedings/10.1145/3324884 (Proceedings) https://conf.researchr.org/home/ase-2020 (Website) https://dl.acm.org/doi/proceedings/10.1145/3417113 (Proceedings)

Keywords

Android
Empirical study
Library detection
Third-party library

Access to Document

10.1145/3324884.3416582

Cite this

Zhan, X., Fan, L., Liu, T., Chen, S., Li, L., Wang, H., Xu, Y., Luo, X., & Liu, Y. (2020). Automated third-party library detection for Android applications: are we there yet? In C. Le Goues, & D. Lo (Eds.), Proceedings - 2020 35th IEEE/ACM International Conference on Automated Software Engineering, ASE 2020 (pp. 919-930). IEEE, Institute of Electrical and Electronics Engineers. https://doi.org/10.1145/3324884.3416582

Zhan, Xian ; Fan, Lingling ; Liu, Tianming et al. / Automated third-party library detection for Android applications : are we there yet?. Proceedings - 2020 35th IEEE/ACM International Conference on Automated Software Engineering, ASE 2020. editor / Claire Le Goues ; David Lo. New York NY USA : IEEE, Institute of Electrical and Electronics Engineers, 2020. pp. 919-930

@inproceedings{e171e99ed9d44b1e86ff5cf8824b3e3a,

title = "Automated third-party library detection for Android applications: are we there yet?",

abstract = "Third-party libraries (TPLs) have become a significant part of the Android ecosystem. Developers can employ various TPLs with different functionalities to facilitate their app development. Unfortunately, the popularity of TPLs also brings new challenges and even threats. TPLs may carry malicious or vulnerable code, which can infect popular apps to pose threats to mobile users. Besides, the code of third-party libraries could constitute noises in some downstream tasks (e.g., malware and repackaged app detection). Thus, researchers have developed various tools to identify TPLs. However, no existing work has studied these TPL detection tools in detail; different tools focus on different applications with performance differences, but little is known about them. To better understand existing TPL detection tools and dissect TPL detection techniques, we conduct a comprehensive empirical study to fill the gap by evaluating and comparing all publicly available TPL detection tools based on four criteria: effectiveness, efficiency, code obfuscation-resilience capability, and ease of use. We reveal their advantages and disadvantages based on a systematic and thorough empirical study. Furthermore, we also conduct a user study to evaluate the usability of each tool. The results showthat LibScout outperforms others regarding effectiveness, LibRadar takes less time than others and is also regarded as the most easy-to-use one, and LibPecker performs the best in defending against code obfuscation techniques. We further summarize the lessons learned from different perspectives, including users, tool implementation, and researchers. Besides, we enhance these open-sourced tools by fixing their limitations to improve their detection ability. We also build an extensible framework that integrates all existing available TPL detection tools, providing online service for the research community. We make publicly available the evaluation dataset and enhanced tools. We believe our work provides a clear picture of existing TPL detection techniques and also give a road-map for future directions.",

keywords = "Android, Empirical study, Library detection, Third-party library",

author = "Xian Zhan and Lingling Fan and Tianming Liu and Sen Chen and Li Li and Haoyu Wang and Yifei Xu and Xiapu Luo and Yang Liu",

year = "2020",

doi = "10.1145/3324884.3416582",

language = "English",

pages = "919--930",

editor = "{Le Goues}, {Claire } and David Lo",

booktitle = "Proceedings - 2020 35th IEEE/ACM International Conference on Automated Software Engineering, ASE 2020",

publisher = "IEEE, Institute of Electrical and Electronics Engineers",

address = "United States of America",

note = "Automated Software Engineering Conference 2020, ASE 2020 ; Conference date: 21-09-2020 Through 25-09-2020",

url = "https://dl.acm.org/doi/proceedings/10.1145/3324884, https://conf.researchr.org/home/ase-2020, https://dl.acm.org/doi/proceedings/10.1145/3417113",

}

Zhan, X, Fan, L, Liu, T, Chen, S, Li, L, Wang, H, Xu, Y, Luo, X & Liu, Y 2020, Automated third-party library detection for Android applications: are we there yet? in C Le Goues & D Lo (eds), Proceedings - 2020 35th IEEE/ACM International Conference on Automated Software Engineering, ASE 2020. IEEE, Institute of Electrical and Electronics Engineers, New York NY USA, pp. 919-930, Automated Software Engineering Conference 2020, Melbourne, Victoria, Australia, 21/09/20. https://doi.org/10.1145/3324884.3416582

Automated third-party library detection for Android applications : are we there yet? / Zhan, Xian; Fan, Lingling; Liu, Tianming et al.

Proceedings - 2020 35th IEEE/ACM International Conference on Automated Software Engineering, ASE 2020. ed. / Claire Le Goues; David Lo. New York NY USA : IEEE, Institute of Electrical and Electronics Engineers, 2020. p. 919-930.

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

TY - GEN

T1 - Automated third-party library detection for Android applications

T2 - Automated Software Engineering Conference 2020

AU - Zhan, Xian

AU - Fan, Lingling

AU - Liu, Tianming

AU - Chen, Sen

AU - Li, Li

AU - Wang, Haoyu

AU - Xu, Yifei

AU - Luo, Xiapu

AU - Liu, Yang

N1 - Conference code: 35th

PY - 2020

Y1 - 2020

N2 - Third-party libraries (TPLs) have become a significant part of the Android ecosystem. Developers can employ various TPLs with different functionalities to facilitate their app development. Unfortunately, the popularity of TPLs also brings new challenges and even threats. TPLs may carry malicious or vulnerable code, which can infect popular apps to pose threats to mobile users. Besides, the code of third-party libraries could constitute noises in some downstream tasks (e.g., malware and repackaged app detection). Thus, researchers have developed various tools to identify TPLs. However, no existing work has studied these TPL detection tools in detail; different tools focus on different applications with performance differences, but little is known about them. To better understand existing TPL detection tools and dissect TPL detection techniques, we conduct a comprehensive empirical study to fill the gap by evaluating and comparing all publicly available TPL detection tools based on four criteria: effectiveness, efficiency, code obfuscation-resilience capability, and ease of use. We reveal their advantages and disadvantages based on a systematic and thorough empirical study. Furthermore, we also conduct a user study to evaluate the usability of each tool. The results showthat LibScout outperforms others regarding effectiveness, LibRadar takes less time than others and is also regarded as the most easy-to-use one, and LibPecker performs the best in defending against code obfuscation techniques. We further summarize the lessons learned from different perspectives, including users, tool implementation, and researchers. Besides, we enhance these open-sourced tools by fixing their limitations to improve their detection ability. We also build an extensible framework that integrates all existing available TPL detection tools, providing online service for the research community. We make publicly available the evaluation dataset and enhanced tools. We believe our work provides a clear picture of existing TPL detection techniques and also give a road-map for future directions.

AB - Third-party libraries (TPLs) have become a significant part of the Android ecosystem. Developers can employ various TPLs with different functionalities to facilitate their app development. Unfortunately, the popularity of TPLs also brings new challenges and even threats. TPLs may carry malicious or vulnerable code, which can infect popular apps to pose threats to mobile users. Besides, the code of third-party libraries could constitute noises in some downstream tasks (e.g., malware and repackaged app detection). Thus, researchers have developed various tools to identify TPLs. However, no existing work has studied these TPL detection tools in detail; different tools focus on different applications with performance differences, but little is known about them. To better understand existing TPL detection tools and dissect TPL detection techniques, we conduct a comprehensive empirical study to fill the gap by evaluating and comparing all publicly available TPL detection tools based on four criteria: effectiveness, efficiency, code obfuscation-resilience capability, and ease of use. We reveal their advantages and disadvantages based on a systematic and thorough empirical study. Furthermore, we also conduct a user study to evaluate the usability of each tool. The results showthat LibScout outperforms others regarding effectiveness, LibRadar takes less time than others and is also regarded as the most easy-to-use one, and LibPecker performs the best in defending against code obfuscation techniques. We further summarize the lessons learned from different perspectives, including users, tool implementation, and researchers. Besides, we enhance these open-sourced tools by fixing their limitations to improve their detection ability. We also build an extensible framework that integrates all existing available TPL detection tools, providing online service for the research community. We make publicly available the evaluation dataset and enhanced tools. We believe our work provides a clear picture of existing TPL detection techniques and also give a road-map for future directions.

KW - Android

KW - Empirical study

KW - Library detection

KW - Third-party library

UR - http://www.scopus.com/inward/record.url?scp=85099211873&partnerID=8YFLogxK

U2 - 10.1145/3324884.3416582

DO - 10.1145/3324884.3416582

M3 - Conference Paper

AN - SCOPUS:85099211873

SP - 919

EP - 930

BT - Proceedings - 2020 35th IEEE/ACM International Conference on Automated Software Engineering, ASE 2020

A2 - Le Goues, Claire

A2 - Lo, David

PB - IEEE, Institute of Electrical and Electronics Engineers

CY - New York NY USA

Y2 - 21 September 2020 through 25 September 2020

ER -

Zhan X, Fan L, Liu T, Chen S, Li L, Wang H et al. Automated third-party library detection for Android applications: are we there yet? In Le Goues C, Lo D, editors, Proceedings - 2020 35th IEEE/ACM International Conference on Automated Software Engineering, ASE 2020. New York NY USA: IEEE, Institute of Electrical and Electronics Engineers. 2020. p. 919-930 https://doi.org/10.1145/3324884.3416582

Automated third-party library detection for Android applications: are we there yet?

Abstract

Conference

Keywords

Access to Document

Other files and links

ValDefFixApp: Values-oriented Defect Fixing for Mobile Software Applications

Enabling Compatible and Secure Mobile Apps via Automated Program Repair

Cite this

Automated third-party library detection for Android applications: are we there yet?

Abstract

Conference

Keywords

Access to Document

Other files and links

Projects

ValDefFixApp: Values-oriented Defect Fixing for Mobile Software Applications

Enabling Compatible and Secure Mobile Apps via Automated Program Repair

Cite this