Publication

Too Quiet in the Library: An Empirical Study of Security Updates in Android Apps' Native Code

Mathias Josef Payer
2021
Conference paper
Abstract

Android apps include third-party native libraries to increase performance and to reuse functionality. Native code is directly executed from apps through the Java Native Interface or the Android Native Development Kit. Android developers add precompiled native libraries to their projects, enabling their use. Unfortunately, developers often struggle or simply neglect to update these libraries in a timely manner. This results in the continuous use of outdated native libraries with unpatched security vulnerabilities years after patches became available. To further understand this phenomenon, we study the security updates in native libraries in the 200 most popular free apps on Google Play from Sept. 2013 to May 2020. A core difficulty we face in this study is the identification of libraries and their versions. Developers often rename or modify libraries, making their identification challenging. We create an approach called LibRARIAN (LibRAry veRsion IdentificAtioN) that accurately identifies native libraries and their versions as found in Android apps based on our novel similarity metric bin²sim. LibRARIAN leverages different features extracted from libraries based on their metadata and identifying strings in read-only sections. We discovered 53/200 popular apps (26.5%) with vulnerable versions with known CVEs between Sept. 2013 and May 2020, with 14 of those apps remaining vulnerable. We find that app developers took, on average, 528.71 ± 40.20 days to apply security patches, while library developers release a security patch after 54.59 ± 8.12 days: a roughly 10 times slower rate of update.
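The abstract describes the core of the identification problem: a bundled `.so` may be renamed or lightly modified, so its file name cannot be trusted, but the strings that the library itself carries in read-only sections (error messages, API symbol names, version banners) largely survive. The following is an added example, not the paper's LibRARIAN tool or its bin²sim metric: it parses a little-endian ELF64 file's section headers, keeps only loaded, non-writable PROGBITS sections such as `.rodata`, extracts the printable strings from them, and scores the result against a set of per-version fingerprints with plain Jaccard similarity. The library names, versions and strings are constructed for the example (the libraries are fictional), and the `build_elf` helper exists only so the sample input can be generated offline; a real pipeline would read the `.so` files unpacked from an APK.

```python
"""Identify a native library and its version from strings in the read-only
sections of an ELF shared object, in the spirit of LibRARIAN.
Example code added to this page, not the paper's tool: the metric is plain
Jaccard over string sets (not bin^2sim) and every library name, version and
string below is constructed."""
import re
import struct

EHDR = "<16sHHIQQQIHHHHHH"  # ELF64 file header, little-endian
SHDR = "<IIQQQQIIQQ"        # ELF64 section header
SHT_PROGBITS, SHT_STRTAB = 1, 3
SHF_WRITE, SHF_ALLOC = 0x1, 0x2


def readonly_sections(blob):
    """Return {name: bytes} for loaded, non-writable PROGBITS sections (.rodata etc.)."""
    if blob[:4] != b"\x7fELF" or blob[4] != 2 or blob[5] != 1:
        raise ValueError("example handles little-endian ELF64 only")
    hdr = struct.unpack_from(EHDR, blob, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    shdrs = [struct.unpack_from(SHDR, blob, shoff + i * shentsize) for i in range(shnum)]
    strtab_off = shdrs[shstrndx][4]  # sh_offset of .shstrtab

    def sec_name(idx):
        return blob[strtab_off + idx:blob.index(b"\0", strtab_off + idx)].decode()

    out = {}
    for sh_name, sh_type, flags, _addr, off, size, *_ in shdrs:
        if sh_type == SHT_PROGBITS and flags & SHF_ALLOC and not flags & SHF_WRITE:
            out[sec_name(sh_name)] = blob[off:off + size]
    return out


def identifying_strings(blob, min_len=4):
    """Printable runs from read-only sections; these survive renaming of the .so file."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return {m.group().decode() for data in readonly_sections(blob).values()
            for m in pattern.finditer(data)}


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0


# Constructed fingerprints: strings one would extract from known-good builds of
# each version. The libraries are fictional; no real project's data is used.
FINGERPRINTS = {
    "libimgcodec 2.1.0": {"libimgcodec 2.1.0", "imgcodec_decode_frame", "imgcodec_set_quality",
                          "Invalid chunk length", "Unsupported color space"},
    "libimgcodec 2.2.3": {"libimgcodec 2.2.3", "imgcodec_decode_frame", "imgcodec_set_quality",
                          "imgcodec_decode_animated", "Invalid chunk length",
                          "Unsupported color space", "Frame index out of range"},
    "libaudiofx 1.4.0": {"libaudiofx 1.4.0", "audiofx_apply_reverb", "Sample rate not supported"},
}


def identify(blob, fingerprints=FINGERPRINTS, threshold=0.3):
    """Best-scoring (name, similarity); name is None when nothing clears the threshold."""
    found = identifying_strings(blob)
    best, score = max(((n, jaccard(found, fp)) for n, fp in fingerprints.items()),
                      key=lambda t: t[1])
    return (best if score >= threshold else None), score


def build_elf(sections):
    """Minimal ELF64 shared object from (name, flags, data) triples; only used here
    to construct the sample input offline."""
    shstrtab, name_off = b"\0", {}
    for name, _, _ in sections:
        name_off[name] = len(shstrtab)
        shstrtab += name.encode() + b"\0"
    name_off[".shstrtab"] = len(shstrtab)
    shstrtab += b".shstrtab\0"
    body, off = b"", struct.calcsize(EHDR)
    shdrs = [struct.pack(SHDR, *([0] * 10))]  # mandatory null section header
    for name, flags, data in sections:
        shdrs.append(struct.pack(SHDR, name_off[name], SHT_PROGBITS, flags, 0, off, len(data), 0, 0, 1, 0))
        body += data
        off += len(data)
    shdrs.append(struct.pack(SHDR, name_off[".shstrtab"], SHT_STRTAB, 0, 0, off, len(shstrtab), 0, 0, 1, 0))
    body += shstrtab
    off += len(shstrtab)
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9  # ELF64, little-endian, version 1
    ehdr = struct.pack(EHDR, ident, 3, 0xB7, 1, 0, 0, off, 0, 64, 56, 0, 64, len(shdrs), len(shdrs) - 1)
    return ehdr + body + b"".join(shdrs)


# Constructed sample: a renamed, modified libimgcodec 2.2.3 build. The developer
# stripped the version banner and added an app-specific string; a misleading
# version string sits in the writable .data section and must be ignored.
RODATA = b"\0".join(s.encode() for s in [
    "imgcodec_decode_frame", "imgcodec_set_quality", "imgcodec_decode_animated",
    "Invalid chunk length", "Unsupported color space", "Frame index out of range",
    "com.example.app native bridge"]) + b"\0"
DATA = b"libimgcodec 9.9.9\0"
SAMPLE_SO = build_elf([(".rodata", SHF_ALLOC, RODATA), (".data", SHF_ALLOC | SHF_WRITE, DATA)])

if __name__ == "__main__":
    print(sorted(readonly_sections(SAMPLE_SO)))  # ['.rodata']
    print(identify(SAMPLE_SO))                   # ('libimgcodec 2.2.3', 0.75)
```

The sample still resolves to 2.2.3 even though its version banner is gone, because the extra API symbol and error message present only in 2.2.3 outweigh the shared strings; the decoy in `.data` never enters the comparison because writable sections are filtered out at the section-header level. In practice the fingerprint set has to be built per library version from builds you compile or obtain yourself, and the threshold tuned so that a heavily stripped or obfuscated binary is reported as unidentified rather than mis-versioned.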

Related concepts (40)
Google Play
Google Play is a suite of applications created by Google on 6 March 2012 by merging the Android Market (launched 22 October 2008), Google Movies, Google eBookstore and Google Music services. It comprises the Play Store, the official app store for devices running Android and Chrome OS; Play Movies & TV, a film and TV-series rental store; Play Books, an online store for books and magazines; and Play Games, a save, achievement and challenge service for mobile games available on the Play Store.
Android
Android is a mobile operating system based on the Linux kernel and developed by engineers sponsored by Google. After Google acquired the start-up of the same name in 2005, the system was first unveiled in 2007 for smartphones and touch tablets, before spreading to connected objects and computers such as televisions (Android TV), cars (Android Auto), Chromebooks (Chrome OS, which runs Android applications) and smartwatches (Wear OS).
Android software development
Android software development is the process by which applications are created for devices running the Android operating system. Google states that "Android apps can be written using Kotlin, Java, and C++ languages" using the Android software development kit (SDK), while using other languages is also possible. All non-Java virtual machine (JVM) languages, such as Go, JavaScript, C, C++ or assembly, need the help of JVM language code, that may be supplied by tools, likely with restricted API support.
Related publications (32)

Simulation Of New Methods Using Applications Which Exfiltrate Data From Android Phones

Maria-Alexandra Paun

Nowadays mobile phones have become indispensable, as they have been endowed with many of the capabilities that a user was able to achieve previously with the help of PCs only. Among the functions that mobile phones perform we identify audio and video calls ...
POLYTECHNIC UNIV BUCHAREST, 2022

PMT: Power Measurement Toolkit

Stefano Corda

Efficient use of energy is essential for today's supercomputing systems, as energy cost is generally a major component of their operational cost. Research into "green computing" is needed to reduce the environmental impact of running these systems. As such ...
IEEE COMPUTER SOC, 2022

Just-in-time performance without warm-up

Denys Shabalin

Scala has been developed as a language that deeply integrates with the Java ecosystem. It offers seamless interoperability with existing Java libraries. Since the Scala compiler targets Java bytecode, Scala programs have access to high-performance runtimes ...
EPFL, 2020
