Automated third-party library detection for Android applications: are we there yet?

Xian Zhan, Lingling Fan, Tianming Liu, Sen Chen, Li Li, Haoyu Wang, Yifei Xu, Xiapu Luo, Yang Liu

Research output: Chapter in Book/Report/Conference proceedingConference PaperResearchpeer-review

44 Citations (Scopus)

Abstract

Third-party libraries (TPLs) have become a significant part of the Android ecosystem. Developers can employ various TPLs with different functionalities to facilitate their app development. Unfortunately, the popularity of TPLs also brings new challenges and even threats. TPLs may carry malicious or vulnerable code, which can infect popular apps to pose threats to mobile users. Besides, the code of third-party libraries could constitute noises in some downstream tasks (e.g., malware and repackaged app detection). Thus, researchers have developed various tools to identify TPLs. However, no existing work has studied these TPL detection tools in detail; different tools focus on different applications with performance differences, but little is known about them. To better understand existing TPL detection tools and dissect TPL detection techniques, we conduct a comprehensive empirical study to fill the gap by evaluating and comparing all publicly available TPL detection tools based on four criteria: effectiveness, efficiency, code obfuscation-resilience capability, and ease of use. We reveal their advantages and disadvantages based on a systematic and thorough empirical study. Furthermore, we also conduct a user study to evaluate the usability of each tool. The results showthat LibScout outperforms others regarding effectiveness, LibRadar takes less time than others and is also regarded as the most easy-to-use one, and LibPecker performs the best in defending against code obfuscation techniques. We further summarize the lessons learned from different perspectives, including users, tool implementation, and researchers. Besides, we enhance these open-sourced tools by fixing their limitations to improve their detection ability. We also build an extensible framework that integrates all existing available TPL detection tools, providing online service for the research community. We make publicly available the evaluation dataset and enhanced tools. We believe our work provides a clear picture of existing TPL detection techniques and also give a road-map for future directions.

Original languageEnglish
Title of host publicationProceedings - 2020 35th IEEE/ACM International Conference on Automated Software Engineering, ASE 2020
EditorsClaire Le Goues, David Lo
Place of PublicationNew York NY USA
PublisherIEEE, Institute of Electrical and Electronics Engineers
Pages919-930
Number of pages12
ISBN (Electronic)9781450367684
DOIs
Publication statusPublished - 2020
EventAutomated Software Engineering Conference 2020 - Virtual, Melbourne, Australia
Duration: 21 Sept 202025 Sept 2020
Conference number: 35th
https://dl.acm.org/doi/proceedings/10.1145/3324884 (Proceedings)
https://conf.researchr.org/home/ase-2020 (Website)
https://dl.acm.org/doi/proceedings/10.1145/3417113 (Proceedings)

Conference

ConferenceAutomated Software Engineering Conference 2020
Abbreviated titleASE 2020
Country/TerritoryAustralia
CityMelbourne
Period21/09/2025/09/20
Internet address

Keywords

  • Android
  • Empirical study
  • Library detection
  • Third-party library

Cite this