Research On Security Of Third-party Libraries On Android

Third-party libraries are widely used in Android application development,to simplify and speed the development,provide some new features,or increase developers' income.While bringing these convenience to developers,third-party libraries are likely to pose some threats.First,third-party libraries enjoy the same permissions as the host application,resulting in that third-party libraries are over-privileged.Thus,third-party libraries may abuse permissions of host application,leading to user privacy leak.Second,third-party libraries and the host application enjoy the same internal file space,and thus all internal files of the host application are exposed to third-party libraries,which means that third-party libraries can steal or tamper these internal files and user's privacy leaks.Besides,the Android file access control is coarse-grained,so that a library assigned the file access permission can access all types of files.To solve these problems,may researchers propose a lot of approaches.However,these approaches rely on modification to Android Framework or application's bytecode,which limits the adoption.To address the two problems introduced by third-party libraries,a development tool is proposed.Android application developers can use this tool to restrict the permissions of third-party libraries and obtain fine-grained file access control at run time,and so user privacy is protected well.Different from existing solutions,our solution doesn't rely on modification to Android framework or root privilege,rewriting application's or libraries' bytecode,and thus can be widely adopted.In conclusion,we have made the following contributions: 1.We design and implement the interception on Android framework methods and system c functions.And we analyze the mapping between dangerous permissions and framework methods(native functions);2.We design and implement a development tool,to isolate each third-party library in a sandbox,ensuring that each library has an independent permission set and an isolated file space.The tool covers Java library and native library,and elimates the need of modifying Android framework,application's/library's bytecode and the root privilege.Moreover,the tool works on some unusual ways,such as,Java reflection and dynamic code loading.3.Android application developers can use the tool to assign different permission sets to each incorporated third-party library.Third-party libraries can only use permissions in the permission set assigned to it;And developers can allocate an isolated file space to each third-party library,enforcing a fine-grained file access control on third-party libraries.4.We systematically evaluate the generality effectiveness and performance overhead introduced by the tool.Results show that the tool can effectively enforce a flexible security policy on any third-party library while introducing an acceptable performance overhead.Meanwhile,we explore some potential attacks and describe how we defeat them.