Research article. DOI: 10.1145/3605762.3624428

JSLibD: Reliable and Heuristic Detection of Third-party Libraries in Miniapps

Published: 26 November 2023

Abstract

Miniapps have become an indispensable part of people's lives. Meanwhile, the use of third-party libraries greatly streamlines, expedites, and enhances miniapp development. However, ensuring the security of these third-party libraries is a challenge, as they may harbor security vulnerabilities such as plaintext transmission. In this paper, we propose JSLibD, an automated extraction method for third-party libraries in miniapps. Unlike conventional extraction methods, which rely heavily on prior knowledge, JSLibD introduces a heuristic prediction approach comprising two integral components: a whitelist matching method that matches known libraries, and a heuristic prediction method that extracts unknown libraries using function call relationships. The results demonstrate that JSLibD can efficiently match known libraries and accurately predict unknown libraries, achieving an impressive precision rate of 85.9% and a high recall rate of 97.2%.
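To make the two-stage idea in the abstract concrete, the following added sketch (not JSLibD's own code; the bundle, whitelist, entry-point set and the "connected component of unmatched functions" heuristic are all assumptions) first matches function bodies against a whitelist by fingerprint, then groups the remaining functions by who calls whom and reports each group as a predicted unknown library.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample bundle {function name: JS source}; not from any real miniapp.
MINIAPP_FUNCS = {
    "md5": "function md5(s) { return digest(s); }",
    "digest": "function digest(s) { return rotl(s); }",
    "rotl": "function rotl(x) { return x << 1; }",
    "httpGet": "function httpGet(u) { return send('GET', u); }",
    "send": "function send(m, u) { return wx.request({method: m, url: u}); }",
    "onLoad": "function onLoad() { md5('a'); httpGet('http://example.test'); }",
}
# Assumed heuristic: page lifecycle handlers are app code, never library code.
ENTRY_POINTS = {"onLoad", "onShow", "onReady", "onHide", "onUnload"}

def fingerprint(body):
    """SHA-256 of the whitespace-stripped body; whitelist entries are built the same way."""
    return hashlib.sha256(re.sub(r"\s+", "", body).encode()).hexdigest()

# Constructed whitelist: fingerprint of a known library function -> library name.
WHITELIST = {fingerprint(MINIAPP_FUNCS[n]): "crypto-lib" for n in ("md5", "digest", "rotl")}

def detect(funcs, whitelist, entry_points=ENTRY_POINTS):
    """Return (known, predicted): whitelist hits per function, plus groups of
    unmatched non-entry functions linked by calls, each a predicted library."""
    known, unmatched = {}, set()
    for name, body in funcs.items():
        lib = whitelist.get(fingerprint(body))
        if lib:
            known[name] = lib
        else:
            unmatched.add(name)
    cand = unmatched - entry_points          # stage 2 only sees unmatched code
    adj = defaultdict(set)
    if cand:
        pat = re.compile(r"\b(" + "|".join(map(re.escape, cand)) + r")\s*\(")
        for caller in cand:                  # undirected call edges among candidates
            for callee in pat.findall(funcs[caller]):
                if callee != caller:
                    adj[caller].add(callee)
                    adj[callee].add(caller)
    seen, predicted = set(), []
    for start in sorted(cand):               # connected components, size >= 2
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            n = stack.pop()
            if n not in comp:
                comp.add(n)
                stack.extend(adj[n] - comp)
        seen |= comp
        if len(comp) >= 2:
            predicted.append(tuple(sorted(comp)))
    return known, predicted
```

On the sample bundle the crypto functions are resolved by the whitelist, while `httpGet` and `send` are grouped into one predicted unknown library; the entry point `onLoad` is excluded from both.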


Published in: SaTS '23: Proceedings of the 2023 ACM Workshop on Secure and Trustworthy Superapps, November 2023, 70 pages. ISBN: 9798400702587. DOI: 10.1145/3605762.

Publisher: Association for Computing Machinery, New York, NY, United States

Author tags: miniapp, mobile security, third-party library

Conference: CCS '23
