
Erik Derr - Escaping the Dependency Hell on Android

droidcon Berlin

July 10, 2018

Transcript

  1. Third-party Code – A Double-edged Sword
     Eases software development
     • Code re-use
     • Faster development, lower cost
     Increases the apps' attack surface
     • Code from different origins
     • Trust in closed-source components
       – Updated "Unwanted Software Policy" (due to GDPR)
  2. Risk Estimation
     • 2,000,000,000 components with known vulnerabilities are downloaded per year
     • Outdated libs have a 3x higher probability of including vulnerabilities
     • OWASP Top 10 Security Risks (since 2013): "Using components with known vulnerabilities"
  3. Quantify Security Impact
     • Measure the status quo of outdated libs in the software ecosystem
     • Identify apps that use lib versions with known vulnerabilities/privacy issues
     • Attribute new issues to the correct component (library / app code)
     Requires a reliable detection of libraries in app binaries
  4. Detection Challenges on Android
     Developer view:  • explicit declaration  • libraries / versions known
     Compiled app:    • monolithic bytecode   • same origin
     Obfuscated app:  • identifier renaming   • dead code elimination
  5. Code Structure Detection
     Figure: package tree of an app binary (Root → com → facebook, google → ads → searchads, mediation, util, admob → customevent; Root → de → example → myapp → activity, widget, util, animator), annotated with declarations from the packages com.google.ads.util, com.facebook.widget and de.example.myapp.activity (classes myClass, someClass, anotherActivity; methods public void myTest(int, int, String) and private int doSomething(String)); subtrees labeled a, b, c, d.
  6. Profiling Apps & Libraries
     Merkle tree
     • Parent hash generated from child hashes
     • Efficient integrity checks for large data structures
     • Sort hashes for deterministic build order
     Figure: hash layers, bottom-up: Method Hash → Class Hash → Package Hash → Library/App Hash; a tree is built per library version and per app, then the trees are matched.
  7. Method Hashing
     signature:        com.myClass.do(android.content.Context, int, com.Foo) com.Session
     descriptor:       (android.content.Context, int, com.Foo) com.Session
     fuzzy descriptor: (android.content.Context, int, X) X
     Idea: replace anything that is prone to identifier renaming (method name and non-framework types)
     Side effect: the fuzzy descriptor introduces an error at the method layer in order to defeat obfuscation
     But the error decreases when building the entire tree, since higher layers combine many method hashes
  8. Profile Matching
     Figure: app tree (package hashes → class hashes) next to a library version tree; full match (every hash of the library version is found in the app tree).
  9. Profile Matching
     Figure: app tree next to a library version tree; partial match (90% of the original library code found in the app).
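How the profiles of slides 6 to 9 can be built and compared, as an added Python example that is not code from the talk or from LibScout. The type prefixes treated as rename-proof, the package/class layout and the sample library and app builds are constructed for this illustration; hash algorithm and layout of the tree are assumptions, only the idea (fuzzy descriptor at the method layer, sorted child hashes at every layer above) comes from the slides.

```python
import hashlib
import re
from typing import Dict, Iterable, List

# Identifier classes that ProGuard-style obfuscation does not rename: primitives and
# framework types. Everything else is app/library code and may be renamed.
# Assumption for this example: these prefixes cover the stable namespace.
PRIMITIVES = {"void", "boolean", "byte", "char", "short", "int", "long", "float", "double"}
STABLE_PREFIXES = ("java.", "javax.", "android.")

def fuzzy_type(t: str) -> str:
    """Keep stable types verbatim; replace renameable ones with the placeholder X (array brackets kept)."""
    base = t.rstrip("[]")
    suffix = t[len(base):]
    if base in PRIMITIVES or base.startswith(STABLE_PREFIXES):
        return base + suffix
    return "X" + suffix

DESCRIPTOR = re.compile(r"\((.*)\)\s*(\S+)")

def fuzzy_descriptor(descriptor: str) -> str:
    """'(android.content.Context, int, com.Foo) com.Session' -> '(android.content.Context, int, X) X'."""
    m = DESCRIPTOR.fullmatch(descriptor.strip())
    if m is None:
        raise ValueError(f"not a method descriptor: {descriptor!r}")
    params = [p.strip() for p in m.group(1).split(",") if p.strip()]
    return "(" + ", ".join(fuzzy_type(p) for p in params) + ") " + fuzzy_type(m.group(2))

def _sha(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()

def _combine(child_hashes: Iterable[str]) -> str:
    """Parent hash over the *sorted* child hashes, so declaration order cannot change the result."""
    return _sha("\n".join(sorted(child_hashes)))

def build_profile(code: Dict[str, Dict[str, List[str]]]) -> dict:
    """Profile from {package: {class: [method descriptor, ...]}}. Method, class and package
    names never enter a hash; only fuzzy descriptors do, so renaming leaves the tree unchanged."""
    class_hashes, package_hashes = {}, {}
    for pkg, classes in code.items():
        for cls, methods in classes.items():
            class_hashes[(pkg, cls)] = _combine(_sha(fuzzy_descriptor(d)) for d in methods)
        package_hashes[pkg] = _combine(class_hashes[(pkg, c)] for c in classes)
    return {"classes": class_hashes, "packages": package_hashes, "root": _combine(package_hashes.values())}

def match_profile(app: dict, lib: dict) -> dict:
    """Full match: every package hash of the library version occurs in the app tree.
    class_coverage is the fraction of library class hashes found (the partial-match score)."""
    app_packages = set(app["packages"].values())
    app_classes = set(app["classes"].values())
    lib_classes = list(lib["classes"].values())
    found = sum(1 for h in lib_classes if h in app_classes)
    return {"full": all(h in app_packages for h in lib["packages"].values()),
            "class_coverage": found / len(lib_classes)}

# Constructed sample input (not real SDK code): one library version and two builds of an app using it.
LIB_V1 = {"com.example.sdk": {
    "Session": ["(android.content.Context, int, com.example.sdk.Foo) com.example.sdk.Session",
                "(java.lang.String) void"],
    "Foo":     ["() int", "(com.example.sdk.Foo[]) boolean"],
    "Util":    ["(long, long) long"],
}}
APP_PLAIN = {**LIB_V1, "de.example.myapp": {"MainActivity": ["(android.os.Bundle) void"]}}
# The same app after ProGuard: packages, classes and library types renamed, unused Util removed.
APP_OBFUSCATED = {
    "a": {"b": ["(android.content.Context, int, a.c) a.b", "(java.lang.String) void"],
          "c": ["() int", "(a.c[]) boolean"]},
    "d": {"e": ["(android.os.Bundle) void"]},
}

def demo() -> dict:
    lib = build_profile(LIB_V1)
    return {"plain": match_profile(build_profile(APP_PLAIN), lib),
            "obfuscated": match_profile(build_profile(APP_OBFUSCATED), lib)}

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:11s} full={result['full']} class coverage={result['class_coverage']:.0%}")
```

The obfuscated build still yields the same class hashes for Session and Foo as the original library, because only fuzzy descriptors are hashed; dead-code elimination of Util drops the package hash to a partial match of two out of three classes, which is the situation slide 9 shows.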
  10. Measuring Facebook SDK Outdatedness
      Chart: number of apps including the Facebook SDK, per SDK version (3.0.x, 3.5.x to 3.8.x, 3.14.x to 3.23.x, 4.0.x to 4.14.x; y-axis 0 to 140 apps); the Account Hijacking Vulnerability (version 3.15) is marked.
  11. Vulnerability Lifetime
      Chart series: released apps with vulnerable Facebook SDK (before / after release of the patched SDK); packages with vulnerable Facebook SDK (released after the patched SDK); packages with patched / removed Facebook SDK; released apps with patched / removed Facebook SDK.
  12. Recap – Library Outdatedness
      Steadily increasing number of used libraries
      • 13+ libraries/app or 70+% of code
      Steadily increasing outdated code
      • >70% of included libs are (severely) outdated
      • 324 days, on average, to adopt new versions (if at all)
      Why do app developers not update their code dependencies?
  13. Ask App Developers
      Survey with >200 developers from Google Play
      • Developing apps as primary job: yes (34%), no (66%)
      • Coding experience: ~12 yrs (general), ~4 yrs (Android)
      • # apps worked on: ~13
      28 questions grouped into three categories
      C1. Common workflow
      C2. App/library update motivation + frequency
      C3. Reasons for library outdatedness
  14. C1: Common Workflow
      Chart: "Where do you search for libraries?" (answers: Internet, GitHub, StackOverflow; scale 0 to 90)
      Chart: "Criteria to choose libraries" (answers: Functionality, Open Source, Documentation, Security, .. 5 more criteria ..; scale 0 to 90)
  15. C2: Update Motivation + Frequency
      Chart: "Reasons to update app" (answers: New Functionality, Bug Fixing, Library Updates; scale 0 to 100)
      Chart: "Reasons to update apps' libraries" (answers: Bug Fixing, Security Fixing, New Functionality; scale 0 to 100)
  16. C3: Reasons for Outdated Libraries
      • Self-reported reasons for not updating (chart, scale 0 to 60): Library was still working, Prevent incompatibilities, Unaware of updates, Too much effort
      • Expected vs actual update effort
        – Expected: which information drives app developers' expectations
        – Actual: based on library API changes and API usage by the app
  17. Expected Update Effort
      • Assessment of expected effort based on aux info
        – Changelogs are read sporadically or not at all (86%)
        – Update docs are missing or rarely read
      • Library version string as simple compatibility indicator
      Semantic Versioning – a three-number versioning scheme MAJOR.MINOR.PATCH
        – MAJOR: breaking API changes
        – MINOR: backwards-compatible changes
        – PATCH: code-only changes
  19. Adherence to Semantic Versioning
      • Check API compatibility of adjacent lib versions
      Problem: no specification, incomplete/missing API documentation
      Solution: programmatically determine the documented public lib interface
      • Public lib interface ≠ set of all public API methods
        – Filter code in /internal/ subpackages
        – Eliminate obfuscated public classes (following ProGuard's renaming rules)
        – Filter synthetic classes + methods
  20. Library Release Analysis
      • Analyzed 89 libraries with >10 versions each (1,971 versions in total)
      • Expected vs actual changes (chart: number of releases per change type, Major / Minor / Patch, expected change next to actual change; y-axis 0 to 1200)
      • Lib developers' misclassification by type:
        expected patch, actual major: 15%
        expected minor, actual major: 24%
  21. Predict Library Updatability
      • Library API compatibility – scan the library history to generate a mapping of public APIs to supported versions
      • API usage of apps – scan bytecode for API invocations of the identified library
      Example on the slide (library version detected in the app: 3.23.1):
        invoked APIs: com.fb.AppLinkData.getRef(), com.fb.AccessToken.getExpires(), com.fb.AccessToken.getDeclinedPermissions(), com.fb.AccessToken.getUserId(), com.fb.AppEventsLogger.deactivateApp(..), […]
        supported-version lists shown: [3.5, 3.5.1, 3.5.2, 3.6]; […, 3.22, 3.23, 3.23.1, 4.0, 4.0.1, …]; […, 3.22, 3.23, 3.23.1]; [4.0, 4.0.1, 4.1.0, …]; […, 3.22, 3.23, 3.23.1]
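The pipeline of slides 19 to 21 end to end (public-interface filtering, expected vs actual change of adjacent releases, API-to-version mapping, updatability of an app), as an added Python example. It is not code from the talk, from LibScout or from Up2Dep; the library history, the `com.example.sdk` signatures and the app's API usage are constructed for the example and do not describe the real Facebook SDK, and the filter rules (package segment `internal`, one- or two-letter class names as ProGuard output, `$` as the marker of synthetic members) are this example's assumptions.

```python
import re
from typing import Dict, List, Set, Tuple

Version = Tuple[int, int, int]

def parse_version(v: str) -> Version:
    """'3.23.1' -> (3, 23, 1); missing components default to 0."""
    parts = (v.split(".") + ["0", "0"])[:3]
    return int(parts[0]), int(parts[1]), int(parts[2])

def expected_change(old: str, new: str) -> str:
    """The change the version string announces under MAJOR.MINOR.PATCH."""
    o, n = parse_version(old), parse_version(new)
    if n[0] != o[0]:
        return "major"
    if n[1] != o[1]:
        return "minor"
    return "patch"

# ProGuard's default renaming yields short lower-case class names (a, b, ..., aa, ab, ...).
# Assumption for this example: a one- or two-letter class name means the class was obfuscated.
OBFUSCATED_CLASS = re.compile(r"^[a-z]{1,2}$")

def is_public_api(sig: str) -> bool:
    """Public lib interface != every public member: drop /internal/ packages, obfuscated classes,
    and synthetic members (assumption: '$' in a class or method name marks compiler-generated code)."""
    name, _, _params = sig.partition("(")
    qualified_class, _, method = name.rpartition(".")
    parts = qualified_class.split(".")
    if "internal" in parts[:-1]:
        return False
    if OBFUSCATED_CLASS.match(parts[-1]) or "$" in parts[-1] or "$" in method:
        return False
    return True

def public_interface(members: Set[str]) -> Set[str]:
    return {m for m in members if is_public_api(m)}

def actual_change(old_api: Set[str], new_api: Set[str]) -> str:
    """What the code did: a removed public API is breaking (major); additions only are minor; else patch."""
    if old_api - new_api:
        return "major"
    if new_api - old_api:
        return "minor"
    return "patch"

def release_analysis(history: Dict[str, Set[str]]) -> List[Tuple[str, str, str, str]]:
    """(old, new, expected, actual) per pair of adjacent versions; expected != actual is a misclassification."""
    versions = sorted(history, key=parse_version)
    return [(o, n, expected_change(o, n),
             actual_change(public_interface(history[o]), public_interface(history[n])))
            for o, n in zip(versions, versions[1:])]

def api_versions(history: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Public API signature -> versions that export it (the mapping generated from the library history)."""
    mapping: Dict[str, List[str]] = {}
    for v in sorted(history, key=parse_version):
        for sig in public_interface(history[v]):
            mapping.setdefault(sig, []).append(v)
    return mapping

def updatability(history: Dict[str, Set[str]], used: Set[str], current: str) -> Tuple[str, Dict[str, List[str]]]:
    """Highest newer version that still exports every API the app invokes, plus, per newer version,
    the invoked APIs it lacks (their count is the update-effort estimate for an incompatible version)."""
    mapping = api_versions(history)
    newer = [v for v in sorted(history, key=parse_version) if parse_version(v) > parse_version(current)]
    missing = {v: sorted(a for a in used if v not in mapping.get(a, [])) for v in newer}
    compatible = [v for v in newer if not missing[v]]
    return (compatible[-1] if compatible else current), missing

# Constructed library history: signatures and version sets invented for this example, not the real SDK.
GET_EXPIRES = "com.example.sdk.AccessToken.getExpires()"
GET_DECLINED = "com.example.sdk.AccessToken.getDeclinedPermissions()"
GET_USER_ID = "com.example.sdk.AccessToken.getUserId()"
DEACTIVATE = "com.example.sdk.AppEventsLogger.deactivateApp(android.content.Context)"
GET_REF = "com.example.sdk.AppLinkData.getRef()"
INTERNAL_LOG = "com.example.sdk.internal.Utility.log(java.lang.String)"
HISTORY = {
    "3.22.0": {GET_EXPIRES, GET_DECLINED, DEACTIVATE, INTERNAL_LOG},
    "3.23.1": {GET_EXPIRES, GET_DECLINED, DEACTIVATE, INTERNAL_LOG, GET_REF},
    # only non-interface code changed: internal helper dropped, obfuscated and synthetic members added
    "3.23.2": {GET_EXPIRES, GET_DECLINED, DEACTIVATE, GET_REF, "a.b()", "com.example.sdk.AccessToken.access$000()"},
    "4.0.0": {GET_EXPIRES, GET_DECLINED, GET_REF},   # deactivateApp removed: breaking, and announced as major
    "4.1.0": {GET_EXPIRES, GET_REF, GET_USER_ID},    # getDeclinedPermissions removed: breaking, announced as minor
}
APP_USES = {GET_EXPIRES, GET_DECLINED, DEACTIVATE}  # invocations found in the app's bytecode

def demo() -> Tuple[str, Dict[str, List[str]]]:
    return updatability(HISTORY, APP_USES, current="3.22.0")

if __name__ == "__main__":
    for old, new, exp, act in release_analysis(HISTORY):
        flag = "" if exp == act else "  <- misclassified by the library developer"
        print(f"{old} -> {new}: expected {exp}, actual {act}{flag}")
    highest, missing = demo()
    print("highest compatible version:", highest)
    for v, apis in missing.items():
        print(f"  {v}: {len(apis)} invoked API(s) missing")
```

For the constructed history the 4.0.0 to 4.1.0 step is the case slide 20 counts as "expected minor, actual major", and the app on 3.22.0 can move to 3.23.2 without code changes; every 4.x version lacks at least one invoked API, and the length of that list is the effort estimate Up2Dep reports for incompatible versions.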
  22. Library Updatability
      • Scanned 1.26M apps from Google Play, identified >2M lib versions
        – Gson with 99.91% update2Max
        – 8 libraries with 0..20% updatability to the current version
  23. Call for Action
      Android ecosystem, by actor:
      • Platform: additional support (package manager)
      • Library developer: simplify updates
      • Market operator: adopt state-of-the-art analyses
      Need for development tools
  24. Android Studio Extension (Up2Dep)
      Facilitates the recurrent library maintenance task
      • Replaces (simple) lint checks for outdated libraries
      • Leverages library API analysis results
      Unique features
      • Reports for every outdated lib the highest compatible version
      • For incompatible versions, provides an estimate of the update effort
  25. Up2Dep – First Prototype
      Upcoming features
      • Improved updatability prediction with nested dependency info
      • Warn about usage of lib versions with known vulnerabilities
      Feedback appreciated
      • Up2Dep works completely offline; you may share telemetry data with us
      • You can provide feedback via online survey (just ping us)
  26. Takeaways
      Status quo of libraries in apps is worrisome
      • Raising awareness
      • LibScout is open-source: https://github.com/reddr/LibScout
      No silver bullet
      • Requires a combined effort of different actors to improve the status quo more sustainably
      • First steps: Up2Dep IDE extension https://project.cispa.io/up2dep
      erikdrr