Measuring the Declared SDK Versions and Their Consistency with API Calls in Android Apps

Android has been the most popular smartphone system, with multiple platform versions (e.g., KITKAT and Lollipop) active in the market. To manage the application’s compatibility with one or more platform versions, Android allows apps to declare the supported platform SDK versions in their manifest files. In this paper, we make a first effort to study this modern software mechanism. Our objective is to measure the current practice of the declared SDK versions (which we term as DSDK versions afterwards) in real apps, and the consistency between the DSDK versions and their app API calls. To this end, we perform a three-dimensional analysis. First, we parse Android documents to obtain a mapping between each API and their corresponding platform versions. We then analyze the DSDK-API consistency for over 24K apps, among which we pre-exclude 1.3K apps that provide different app binaries for different Android versions through Google Play analysis. Besides shedding light on the current DSDK practice, our study quantitatively measures the two side effects of inappropriate DSDK versions: (i) around 1.8K apps have API calls that do not exist in some declared SDK versions, which causes runtime crash bugs on those platform versions; (ii) over 400 apps, due to claiming the outdated targeted DSDK versions, are potentially exploitable by remote code execution. These results indicate the importance and difficulty of declaring correct DSDK, and our work can help developers fulfill this goal.

[1]  Marco Tulio Valente,et al.  Do Developers Deprecate APIs with Replacement Messages? A Large-Scale Analysis on Java Systems , 2016, 2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER).

[2]  Gabriele Bavota,et al.  API change and fault proneness: a threat to the success of Android apps , 2013, ESEC/FSE 2013.

[3]  Yepang Liu,et al.  Taming Android fragmentation: Characterizing and detecting compatibility issues for Android apps , 2016, 2016 31st IEEE/ACM International Conference on Automated Software Engineering (ASE).

[4]  Daoyuan Wu,et al.  Analyzing Android Browser Apps for file: // Vulnerabilities , 2014, ISC.

[5]  Adam Doupé,et al.  Target Fragmentation in Android Apps , 2016, 2016 IEEE Security and Privacy Workshops (SPW).

[6]  Xiapu Luo,et al.  A Sink-driven Approach to Detecting Exposed Component Vulnerabilities in Android Apps , 2014, ArXiv.

[7]  Jacques Klein,et al.  Accessing Inaccessible Android APIs: An Empirical Study , 2016, 2016 IEEE International Conference on Software Maintenance and Evolution (ICSME).

[8]  Daoyuan Wu,et al.  Indirect File Leaks in Mobile Applications , 2015, ArXiv.

[9]  Miryung Kim,et al.  An Empirical Study of API Stability and Adoption in the Android Ecosystem , 2013, 2013 IEEE International Conference on Software Maintenance.

[10]  Debin Gao,et al.  MopEye: Monitoring Per-app Network Performance with Zero Measurement Traffic , 2016, ArXiv.