ATVHunter: Reliable Version Detection of Third-Party Libraries for Vulnerability Identification in Android Apps
ACM SIGSOFT Distinguished PaperTechnical Track
Third-party libraries (TPLs) as essential parts in the mobile ecosystem have become one of the significant contributors to the huge success of Android, which facilitate the fast development of Android applications. However, TPLs may include various vulnerabilities, which may be used by millions of apps, leading to serious security threats to app users. Unfortunately, previous research presented a few case studies with limited vulnerable TPL information and could not reflect the entire landscape of the risks from vulnerable TPLs. Besides, most existing TPL detection tools do not specify the exact TPL versions, thus they cannot be directly used to detect vulnerable in-app TPL versions.
To this end, we propose an approach, named ATVHunter, which can pinpoint the vulnerable TPL versions (TPL-V) used by the apps and provide detailed information about the vulnerabilities and TPLs.We propose a two-phase detection approach to identify specific TPLversions. Specifically, we extract the Control-Flow Graphs (CFGs) as the coarse-grained feature to match potential TPLs in the TPLdatabase, and then extract opcode in each basic block of CFG as the fine-grained feature to identify the exact TPL versions. We build a comprehensive TPL database (189,545 unique TPLs with 3,006,676versions) as the reference database. Meanwhile, to identify the specific vulnerable in-app TPL versions, we also construct a comprehensive and complete vulnerable TPL database containing 1,180 CVEs and 224 security bugs from industrial partners. Experimental results show ATVHunter outperforms state-of-the-art TPL detection tools, achieving 90.55% precision and 88.79% recall, and is also resilient to widely-used obfuscation techniques and scalable for large-scale TPL detection. Furthermore, to investigate the ecosystem of the vulnerable TPLs used by apps, we exploit ATVHunter to conduct a large-scale analysis on 104,446 apps and find 9,050 apps including vulnerable TPL versions with 53,337 vulnerabilities and 7,480 security bugs, most of which are with high risks and are not recognized by app developers.