Overview
Explore the impact of third-party code on Android app security in this 19-minute conference talk from USENIX Enigma 2018. Delve into the challenges of detecting third-party libraries in Android applications, especially when faced with code obfuscation and minification techniques. Learn about a novel library detection approach that can pinpoint exact library versions, and discover the implications of outdated libraries on app vulnerability. Examine the slow adoption of new library versions by app developers and the persistence of known security vulnerabilities in popular libraries. Investigate the potential for automatic patching of vulnerable versions and consider the obstacles to improving the current security landscape in Android app development. Gain valuable insights into the double-edged nature of third-party libraries, balancing code reuse benefits against increased attack surface risks.
Syllabus
Intro
Third-party Code - A Double-edged Sword
Risk Estimation
Quantify Security Impact
Detection Challenges on Android
Common Analysis Approach
Code Structure Detection
Profiling Apps & Libraries
Method Hashing
Profile Matching
Measuring Library Outdatedness
Vulnerability Lifetime
Call for Action
Takeaways
Taught by
USENIX Enigma Conference