
Automatic Generation Of Non-Intrusive Updates For Third-Party Libraries In Android Applications

Proceedings of the 22nd International Symposium on Research in Attacks, Intrusions and Defenses (2019)

Abstract
Third-party libraries, which are ubiquitous in Android apps, have exposed great security threats to end users as they rarely get timely updates from the app developers, leaving many security vulnerabilities unpatched. This issue is due to the fact that manually updating libraries can be technically nontrivial and time-consuming for app developers. In this paper, we propose a technique that performs automatic generation of non-intrusive updates for third-party libraries in Android apps. Given an Android app with an outdated library and a newer version of the library, we automatically update the old library in a way that is guaranteed to be fully backward compatible and imposes zero impact on the library's interactions with other components. To understand the potential impact of code changes, we propose a novel Value-sensitive Differential Slicing algorithm that leverages the diffing information between two versions of a library. The new slicing algorithm greatly reduces the over-conservativeness of the traditional slicing while still preserving the soundness with respect to update generation. We have implemented a prototype called LIBBANDAID. We further evaluated its efficacy on 9 popular libraries with 173 security commits across 83 different versions and 100 real-world open-source apps. The experimental results show that LIBBANDAID can achieve a high average successful updating rate of 80.6% for security vulnerabilities and an even higher rate of 94.07% when further combined with potentially patchable vulnerabilities.
Keywords
android applications, libraries, non-intrusive, third-party