Write a Blog >>
ICSE 2021
Mon 17 May - Sat 5 June 2021

Android apps include third-party native libraries to increase performance and to reuse functionality. Native code is directly executed from apps through the Java Native Interface or the Android Native Development Kit. Android developers add precompiled native libraries to their projects, enabling their use. Unfortunately, developers often struggle or simply neglect to update these libraries in a timely manner. This results in the continuous use of outdated native libraries with unpatched security vulnerabilities years after patches became available.

To further understand such phenomena, we study the security updates in native libraries in the most popular 200 free apps on Google Play from Sept. 2013 to May 2020. A core difficulty we face in this study is the identification of libraries and their versions. Developers often rename or modify libraries, making their identification challenging. We create an approach called LibRARIAN (LibRAry veRsion IdentificAtioN) that accurately identifies native libraries and their versions as found in Android apps based on our novel similarity metric bin2sim. LibRARIAN leverages different features extracted from libraries based on their metadata and identifying strings in read-only sections.

We discovered 53/200 popular apps (26.5%) with vulnerable versions with known CVEs between Sept. 2013 and May 2020, with 14 of those apps remaining vulnerable. We find that app developers took, on average, 528.71±40.20 days to apply security patches, while library developers release a security patch after 54.59 ± 8.12 days—a 10 times slower rate of update.

Conference Day
Thu 27 May

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change

20:50 - 21:50
3.6.1. Security Vulnerabilities: Different DomainsTechnical Track at Blended Sessions Room 1 +12h
Chair(s): Davide FucciBlekinge Institute of Technology
20:50
20m
Paper
Containing Malicious Package Updates in npm with a Lightweight Permission SystemTechnical Track
Technical Track
Gabriel FerreiraCarnegie Mellon University, Limin JiaCarnegie Mellon University, Joshua SunshineCarnegie Mellon University, Christian KästnerCarnegie Mellon University
Pre-print Media Attached
21:10
20m
Paper
Too Quiet in the Library: An Empirical Study of Security Updates in Android Apps’ Native CodeArtifact ReusableTechnical TrackArtifact Available
Technical Track
Sumaya AlmaneeUniversity of California, Irvine, Arda ÜnalUniversity of California, Irvine, Mathias PayerEPFL, Joshua GarciaUniversity of California, Irvine
Link to publication DOI Pre-print Media Attached
21:30
20m
Paper
If It’s Not Secure, It Should Not Compile: Preventing DOM-Based XSS in Large-Scale Web Development with API HardeningTechnical Track
Technical Track
Pre-print Media Attached

Conference Day
Fri 28 May

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change