ATVHunter: Reliable Version Detection of Third-Party Libraries for Vulnerability Identification in Android AppsACM SIGSOFT Distinguished PaperTechnical Track
Thu 27 May 2021 00:00 - 00:20 at Blended Sessions Room 1 - 2.1.1. Vulnerabilities in Android #1
Third-party libraries (TPLs) as essential parts in the mobile ecosystem have become one of the significant contributors to the huge success of Android, which facilitate the fast development of Android applications. However, TPLs may include various vulnerabilities, which may be used by millions of apps, leading to serious security threats to app users. Unfortunately, previous research presented a few case studies with limited vulnerable TPL information and could not reflect the entire landscape of the risks from vulnerable TPLs. Besides, most existing TPL detection tools do not specify the exact TPL versions, thus they cannot be directly used to detect vulnerable in-app TPL versions.
To this end, we propose an approach, named ATVHunter, which can pinpoint the vulnerable TPL versions (TPL-V) used by the apps and provide detailed information about the vulnerabilities and TPLs.We propose a two-phase detection approach to identify specific TPLversions. Specifically, we extract the Control-Flow Graphs (CFGs) as the coarse-grained feature to match potential TPLs in the TPLdatabase, and then extract opcode in each basic block of CFG as the fine-grained feature to identify the exact TPL versions. We build a comprehensive TPL database (189,545 unique TPLs with 3,006,676versions) as the reference database. Meanwhile, to identify the specific vulnerable in-app TPL versions, we also construct a comprehensive and complete vulnerable TPL database containing 1,180 CVEs and 224 security bugs from industrial partners. Experimental results show ATVHunter outperforms state-of-the-art TPL detection tools, achieving 90.55% precision and 88.79% recall, and is also resilient to widely-used obfuscation techniques and scalable for large-scale TPL detection. Furthermore, to investigate the ecosystem of the vulnerable TPLs used by apps, we exploit ATVHunter to conduct a large-scale analysis on 104,446 apps and find 9,050 apps including vulnerable TPL versions with 53,337 vulnerabilities and 7,480 security bugs, most of which are with high risks and are not recognized by app developers.
Wed 26 MayDisplayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change
11:20 - 12:20 | 2.1.1. Vulnerabilities in Android #1Technical Track at Blended Sessions Room 1 +12h Chair(s): Alessandra Gorla IMDEA Software Institute | ||
11:20 20mPaper | Fine with ``1234''? An Analysis of SMS One-Time Password Randomness in Android AppsTechnical Track Technical Track Siqi Ma the University of Queensland, Juanru Li Shanghai Jiao Tong University, hyoungshick kim Sungkyunkwan University, Elisa Bertino Purdue University, Surya Nepal Data61, CSIRO, Diet Ostry Data61, CSIRO, Cong Sun Xidian University Pre-print Media Attached | ||
11:40 20mPaper | App's Auto-Login Function Security Testing via Android OS-Level VirtualizationTechnical Track Technical Track Wenna Song Wuhan University, Jiang Ming University of Texas at Arlington, Lin Jiang XDJA, Han Yan Wuhan University, Yi Xiang Wuhan University, Yuan Chen Wuhan University, Jianming Fu Wuhan University, Guojun Peng Wuhan University Pre-print Media Attached | ||
12:00 20mPaper | ATVHunter: Reliable Version Detection of Third-Party Libraries for Vulnerability Identification in Android AppsACM SIGSOFT Distinguished PaperTechnical Track Technical Track Xian Zhan The Hong Kong Polytechnic University, Lingling Fan Nankai University, Sen Chen Tianjin University, Feng Wu Nanyang Technological University, Tianming Liu Monash Univerisity, Xiapu Luo The Hong Kong Polytechnic University, Yang Liu Nanyang Technological University Pre-print Media Attached | ||