Security Analysis of the Third-Party SDKs in the Android Ecosystem
Fund Project:

National Natural Science Foundation of China (91546203, 61173068, 61573212); Key Research and Development Program of Shandong Province (2015GGX101046); Shandong Provincial Natural Science Foundation (ZR2014FM020)

    Abstract:

    To shorten application development time, many Android developers include third-party SDKs in their apps. Third-party SDKs are toolkits developed by third-party service companies such as advertising platforms, data providers, social networks, and map service providers. These third-party SDKs have become an important part of the Android ecosystem. If an SDK contains security vulnerabilities, every app that includes it becomes vulnerable, which severely affects the security of the Android ecosystem. To address this issue, this work selects 129 popular third-party SDKs on the market and comprehensively analyzes their security. To improve the accuracy of the analysis, the demo apps of the third-party SDKs are taken as the analysis objects, and effective Android app analysis methods (such as static taint tracking, dynamic taint tracking, and dynamic binary instrumentation) and analysis tools (such as FlowDroid and DroidBox) are employed. The results show that more than 60% of the collected third-party SDKs contain various vulnerabilities (e.g., misuse of HTTP, misuse of SSL/TLS, abuse of sensitive permissions, identification, vulnerabilities introduced by a local server, information leakage through logging, and mistakes by application developers), which threaten the related applications and the users of those applications.

Get Citation

Ma Kai (马凯), Guo Shanqing (郭山清). Security Analysis of the Third-Party SDKs in the Android Ecosystem. Journal of Software (软件学报), 2018, 29(5):1379-1391

History
  • Received: July 01, 2017
  • Revised: August 29, 2017
  • Adopted: November 21, 2017
  • Online: January 09, 2018