In the mobile smartphone market, the Android system remains dominant. For example, Statista reports 86% of global smartphone shipments are for Android OS systems in 2022 and that number is expected to increase into at least 2023. In just 2021, Statista further reported almost 15 billion mobile devices being operated worldwide. With such an overwhelming majority of those devices being Android devices, Android apps are also ubiquitous and pervasive.

Besides this ubiquity, the nature of Android apps has evolved immensely such that they have become highly reliant on native code. Studies dating back 10 years demonstrate that only between around 4%-6% of Android apps at that time used native code. However, our recent study has shown that among the top 200 free apps on Google Play, the official Android market, 145 of them (72.50%) contain native libraries. Android apps include these third-party native libraries to increase performance and to reuse functionality. Native code is directly executed from apps through the Java Native Interface or the Android Native Development Kit. Android developers add precompiled native libraries to their projects, enabling their use. Unfortunately, developers often struggle or simply neglect to update these libraries in a timely manner. This results in the continuous use of outdated native libraries with unpatched security vulnerabilities years after patches became available.

To further understand such phenomena, we study the security updates in native libraries in the most popular 200 free apps on Google Play from Sept. 2013 to May 2020. A core difficulty we face in this study is the identification of libraries and their versions. Developers often rename or modify libraries, making their identification challenging. We created an approach called LibRARIAN (LibRAry veRsion IdentificAtioN) that accurately identifies native libraries and their versions as found in Android apps based on our novel similarity metric bin2sim. LibRARIAN leverages different features extracted from libraries based on their metadata and identifying strings in read-only sections. We discovered 53/200 popular apps (26.5%) with vulnerable versions with known CVEs between Sept. 2013 and May 2020, with 14 of those apps remaining vulnerable. We find that app developers took, on average, 528.71 days to apply security patches, while library developers release a security patch after 54.59 days - a 10 times slower rate of update.

After presenting this work, I will elaborate on steps my research group and other research groups have taken toward analyzing native code in more depth, the challenges that exist, and possible paths forward.