Automatic Generation of Non-intrusive Updates for Third-Party Libraries in Android Applications

Third-Party libraries, which are ubiquitous in Android apps, have exposed great security threats to end users as they rarely get timely updates from the app developers, leaving many security vulnerabilities unpatched. This outdatedness is mainly due to the fact that manually updating libraries can be non-trivial and time-consuming for app developers since it usually involves code modifications. In this paper, we propose a technique that performs automatic generation of non-intrusive updates for third-party libraries in Android apps. Given an Android app with an outdated library and a newer version of the library, we automatically update the old library in a way that is guaranteed to be fully backward compatible and impose zero impact to the library's interactions with other components. To understand the potential impact of code changes, we propose a novel Value-sensitive Differential Slicing algorithm that leverages the diffing information between two versions of a library. The new slicing algorithm greatly reduces the over-conservativeness of the traditional slicing while still preserving the soundness with respect to updates generation. We have implemented a prototype called LibBandAid. We further evaluated its efficacy on 9 popular libraries with 173 security commits across 83 different versions and 100 real-world open-source apps. The experimental results show that LibBandAid can achieve a high average successful updating rate of 80.6% for security vulnerabilities and an even higher rate of 94.07% when further combined with potentially patchable vulnerabilities.