Android apps include third-party native libraries to increase performance and to reuse existing functionality. Native code is executed directly from apps through the Java Native Interface (JNI), with the libraries built using the Android Native Development Kit (NDK). Android developers add precompiled native libraries to their projects, making them available to the app. Unfortunately, developers often struggle, or simply neglect, to update these libraries in a timely manner. The result is the continued use of outdated native libraries with unpatched security vulnerabilities, years after patches became available. To better understand this phenomenon, we study the security updates of native libraries in the 200 most popular free apps on Google Play from Sept. 2013 to May 2020. A core difficulty in this study is identifying the libraries and their versions: developers often rename or modify libraries, which makes identification challenging. We create an approach called LibRARIAN (LibRAry veRsion IdentificAtioN) that accurately identifies native libraries and their versions as found in Android apps, based on our novel similarity metric bin2sim. LibRARIAN leverages features extracted from the libraries' metadata and from identifying strings in their read-only sections. We discovered that 53 of the 200 popular apps (26.5%) shipped vulnerable library versions with known CVEs at some point between Sept. 2013 and May 2020, with 14 of those apps still vulnerable. We find that app developers took, on average, 528.71 days to apply security patches, whereas library developers released a security patch after 54.59 days on average, so apps pick up fixes roughly 10 times more slowly than libraries ship them.
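To make the identification problem concrete, here is an added Python sketch. It is not the paper's LibRARIAN code or its bin2sim metric (whose exact features and weighting this abstract does not give); it only shows the general idea the abstract describes: extract the printable strings from a library's read-only section, compare that set against reference fingerprints of known library versions with a similarity score, and ignore the file name entirely, so a renamed or lightly modified library is still matched. The reference string sets, the sample sections, the version-weighted Jaccard score, the 0.4 acceptance threshold and the weight of 3 for version-bearing strings are all assumptions constructed for this example.

```python
"""Toy native-library version identification from read-only strings.

Added illustration only: this is NOT the paper's LibRARIAN tool or its bin2sim
metric. It shows the general idea of fingerprinting a library by the
identifying strings in its read-only data and ranking candidate versions by a
set-similarity score, independent of the .so file name.
"""
import re
from typing import Dict, List, Set, Tuple

# Runs of >= 4 printable ASCII bytes, roughly what `strings` reports for .rodata.
_PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
# Something shaped like a version number: 1.0.2g, 1.6.37, 2.9 ...
_VERSION = re.compile(r"\d+\.\d+(?:\.\d+)?[a-z]?")


def extract_strings(section: bytes) -> Set[str]:
    """Return the set of printable strings found in a read-only section."""
    return {m.group().decode("ascii") for m in _PRINTABLE.finditer(section)}


def version_strings(strings: Set[str]) -> Set[str]:
    """Subset of strings that embed a version-number-like token."""
    return {s for s in strings if _VERSION.search(s)}


def weighted_jaccard(a: Set[str], b: Set[str], version_weight: float = 3.0) -> float:
    """Jaccard similarity over string sets, up-weighting version-bearing strings.

    Two builds of the same library share almost all of their strings, so a plain
    Jaccard would score adjacent releases nearly identically; weighting the
    version banner (an assumed heuristic) keeps them apart.
    """
    def weight(s: str) -> float:
        return version_weight if _VERSION.search(s) else 1.0

    union = a | b
    if not union:
        return 1.0
    return sum(weight(s) for s in a & b) / sum(weight(s) for s in union)


def _rodata(strings: List[str]) -> bytes:
    """Pack strings NUL-terminated, the way they sit in an ELF .rodata section."""
    return b"".join(s.encode("ascii") + b"\x00" for s in strings)


# Constructed reference fingerprints (hypothetical string sets, not the real
# contents of OpenSSL or libpng builds). A real index would be built from the
# vendors' released .so files.
REFERENCE: Dict[Tuple[str, str], Set[str]] = {
    ("libcrypto", "1.0.2g"): extract_strings(_rodata([
        "OpenSSL 1.0.2g  1 Mar 2016", "EVP_DecryptFinal_ex", "bn_mul_mont",
        "ERR_load_crypto_strings", "ssl3_get_record", "RAND_add",
    ])),
    ("libcrypto", "1.1.0h"): extract_strings(_rodata([
        "OpenSSL 1.1.0h  27 Mar 2018", "EVP_DecryptFinal_ex", "bn_mul_mont",
        "OPENSSL_init_crypto", "ssl3_get_record", "RAND_add",
    ])),
    ("libpng", "1.6.37"): extract_strings(_rodata([
        "libpng version 1.6.37", "png_read_info", "png_set_expand", "png_handle_IHDR",
    ])),
}


def identify(section: bytes, index=REFERENCE,
             min_score: float = 0.4) -> List[Tuple[str, str, float]]:
    """Rank (library, version, score) candidates for a read-only section.

    Candidates below min_score are dropped, so an unrecognised library yields an
    empty list instead of a confident-looking wrong answer.
    """
    strings = extract_strings(section)
    ranked = sorted(
        ((lib, ver, weighted_jaccard(strings, fp)) for (lib, ver), fp in index.items()),
        key=lambda t: t[2], reverse=True,
    )
    return [r for r in ranked if r[2] >= min_score]


# Constructed sample: an app ships the 1.0.2g build renamed to libfoo.so, with
# one library string missing (modified build) and its own JNI symbols added.
SAMPLE_RODATA = _rodata([
    "OpenSSL 1.0.2g  1 Mar 2016", "EVP_DecryptFinal_ex", "bn_mul_mont",
    "ERR_load_crypto_strings", "RAND_add",
    "Java_com_example_app_NativeBridge_init", "libfoo.so",
])
# Constructed sample of an app-only library with no reference counterpart.
UNKNOWN_RODATA = _rodata(["Java_com_example_app_NativeBridge_init", "libbar.so"])


if __name__ == "__main__":
    for lib, ver, score in identify(SAMPLE_RODATA):
        print(f"{lib} {ver}  score={score:.2f}")
    print("unknown library:", identify(UNKNOWN_RODATA))
```

On the constructed sample the renamed, slightly stripped 1.0.2g build scores 0.7 against its true version and only about 0.21 against the neighbouring 1.1.0h build, while the app-only library matches nothing and is reported as unknown rather than forced onto the nearest reference. In practice the reference index is the hard part: it has to cover every vendor release, and string-only matching can be defeated by stripped or obfuscated builds, which is why the paper combines string evidence with library metadata.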