A Study on the Vulnerabilities of Mobile Apps Associated with Software Modules

This paper reports a large-scale study of how mobile application (app) vulnerabilities are associated with software libraries. We analyze both free and paid apps; including paid apps lets us examine how differences in app development and maintenance affect the vulnerabilities associated with libraries. We analyzed 30k free and paid apps collected from the official Android marketplace. Our analyses revealed that approximately 70% of the vulnerabilities in free apps and 50% of those in paid apps stem from software libraries, particularly third-party libraries. Somewhat paradoxically, more expensive and more popular paid apps tend to have more vulnerabilities. This is because such apps tend to offer more functionality, i.e., more code and more libraries, which increases the probability of vulnerabilities. Based on our findings, we provide suggestions to stakeholders in mobile app distribution ecosystems.
