The Impact of Third-party Code

on Android App Security

Erik Derr

Third-party Code – A Double-edged Sword

Eases software development

Code re-use

Faster development, less costs

Increases apps‘ attack surface

Code from different origins

Trust closed-source components

Risk Estimation

2,000,000,000 components with known

vulnerabilities are downloaded / year

Outdated libs have a 3x higher

probability to include vulnerabilities

OWASP Top 10 Security Risks (since 2013)

“Using components with known vulnerabilities”

Quantify Security Impact

Measure the status quo of outdated libs in the software ecosystem

Identify apps that use lib versions with known vulnerabilities

Attribute new vulnerabilities to the correct component (library / app code)

Requires a reliable detection of libraries in app binaries

Detection Challenges on Android

Compiled App Obfuscated App

Developer View

Explicit declaration

Libraries / versions known

Monolithic bytecode

Same Origin

Identifier renaming

Dead code elimination

public void myTest(int, int, String) {code code codecode code codeif (..) {

code code codecode code code

} elsecode = doSomething(data);

}

private int doSomething(String) {while (true) {

obfuscatedCallobfuscatedCallif (..) {

return data;}

}return otherData;

}

CFG

CFG

??

Static (Byte)Code Analysis Data Structures (CFG, CG, ..)

Imprecision

Scalability

Common Analysis Approach

Code Structure Detection

Root

com

facebook

widget

internalandroid

model

google

ads

searchadsmediation

util

admob

customeventdeexample

myapp

activity

widget

utilanimator

…

…

}

public class myClass {

public class someClass {{..}

}

package com.google.ads.util;

public void myTest(int, int, String) {}

private int doSomething(String) {}

package com.facebook.widget;

public class anotherActivity {{..}

}

package de.example.myapp.activity;

Code Structure Detection

Root

com

facebook

google

ads

searchadsmediation

util

admob

customeventdeexample

myapp

activity

widget

utilanimator

…

…

}

public class myClass {

public class someClass {{..}

}

package com.google.ads.util;

public void myTest(int, int, String) {}

private int doSomething(String) {}

package com.facebook.widget;

public class anotherActivity {{..}

}

package de.example.myapp.activity;

a

bc

d

Profiling Apps & Libraries

Merkle Tree

Parent hash generated

from child hashes

Efficient integrity checks

for large data structures

Sort hashes for

deterministic build order

Method Hash

Class Hash

Package Hash

Library/App Hash

Package Hash

Class Hash Class Hash

Method Hash Method Hash

Match

Build

Method Hashing

signature com.myClass.do(android.content.Context, int, com.Foo) com.Session

descriptor (android.content.Context, int, com.Foo) com.Session

fuzzy descriptor (android.content.Context, int, X) X

Idea: Replace anything that is prone to identifier renaming

Side-effect: Error introduced at method layer to defeat obfuscation

But, error decreases when building the entire tree

Profile Matching

Class Hash

Package Hash Package Hash

Class Hash Class Hash

App Tree Library Version Tree

Full Match

Profile Matching

Class Hash

Package Hash Package Hash

Class Hash Class Hash

App Tree Library Version Tree

Partial Match

90% of original library code

Measuring Library Outdatedness

0 20 40 60 80 100 120 140

3.0.x3.5.x3.6.x3.7.x3.8.x

3.14.x3.15.x3.16.x3.17.x3.18.x3.19.x3.20.x3.21.x3.22.x3.23.x4.0.x4.1.x4.2.x4.3.x4.4.x4.5.x4.6.x4.7.x4.8.x4.9.x

4.10.x4.11.x4.12.x4.13.x4.14.x

# Apps including Facebook SDK

Account Hijacking Vulnerability (version 3.15)

Vulnerability Lifetime

Released apps with vulnerable Facebook SDK (before / after release of patched SDK)

Packages with patched / removed Facebook

SDK

Packages with vulnerable Facebook SDK (released after patched SDK)

Released apps with patched / removed Facebook SDK

Call for Action

Additional Platform Support

(dependency manager)Library Developer

simplify updates

Market Operator

adopt state-of-the-art analyses

Android Ecosystem Need for Development Tools

Takeaways

Third-party libraries are a double-edged sword

Consider potential security risks

Reliable library detection

Quantify security impact of third-party code

Raise awareness

No silver bullet

Requires combined effort to improve

status quo more sustainably

LibScout is Open-Source!

https://github.com/reddr/LibScout

Growing library DB (>230 libs, >4,500 versions)

Detected more than 20k apps with vulnerable libs