November 7, 2018
Erik Derr
Code-reuse is a double-edged sword. The ease in development often comes at the (hidden) cost of bugs or even security and privacy issues. In this talk, I’ll present two common types of code-reuse — third-party libraries and application generators.
Third-party libraries on Android have been shown to be security and privacy hazards by adding security vulnerabilities to their host apps or by misusing inherited access rights to steal personal data. A particularly aggravating factor is that apps frequently include outdated library versions. Correctly attributing improper app behavior to either app or library developer code would be highly desirable to mitigate these problems. To this end, we propose a library detection technique that is resilient against common code obfuscations and that is capable of pinpointing the exact library version used in apps. Applying this approach to apps from Google Play, we measure the outdatedness of libraries and particularly show that app developers slowly adopt new versions. Even long-known security vulnerabilities in popular libraries are still present in current apps.
The second part of the talk focuses on online application generators (OAGs) that automate app development, distribution, and maintenance. These tools significantly lower the level of technical skill that is required for app development, which makes them particularly appealing to citizen developers, i.e., developers with little or no software engineering background. We first show how to fingerprint generated apps to link them back to their generator. We thereby quantify their market penetration and discover that at least 11.1% of Google Play apps were created using OAGs. Reversing the app binaries, we find that the services’ app generation model is based on boilerplate code that is prone to reconfiguration attacks and includes well-known security issues. Given their market share, OAGs thus have a significant amplification factor for those vulnerabilities, notably harming the health of the overall mobile app ecosystem.