The Impact of Third-party Code on Android App Security

Thursday, January 18, 2018 - 2:00 pm2:30 pm

Erik Derr, PhD Student, CISPA, Saarland University


Third-party libraries are an indispensable aspect of modern software development. They ease the developer's job through code re-use but, at the same time, increase the apps' attack surface by adding vulnerable code. On Android, there is an imminent risk of misuse by libraries as they inherit the access rights of their host apps. Correctly attributing improper app behavior either to app or library code or isolating library code from their host apps would be highly desirable to mitigate these problems, but is impeded by the absence of a third-party library detection that is effective in spite of commonly used code obfuscation and minification techniques.

In this talk, I'll present a library detection approach that overcomes these obstacles and that is capable of pinpointing exact library versions in Android applications. Applied to apps from Google Play, we measure the outdatedness of libraries and show that app developers slowly adapt new library versions, exposing their end-users to large windows of vulnerability. We discover that even long-known security vulnerabilities in popular libraries are still present in current apps. A subsequent updatability study reveals that the vast majority of vulnerable versions could be patched automatically. I'll conclude the talk by highlighting potential obstacles in improving this unsatisfactory status-quo.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {208133,
author = {Erik Derr},
title = {The Impact of Third-party Code on Android App Security},
booktitle = {Enigma 2018 (Enigma 2018)},
year = {2018},
address = {Santa Clara, CA},
url = {},
publisher = {{USENIX} Association},