
Detection And Analysis Of Third-party Libraries In Android Applications

Posted on: 2020-10-02
Degree: Master
Type: Thesis
Country: China
Candidate: X J Yang
Full Text: PDF
GTID: 2428330575498532
Subject: Computer Science and Technology

Abstract/Summary:
To shorten development time, third-party libraries are widely used in Android application development. However, improper use of third-party libraries can introduce vulnerable code and violate open source licenses. Detecting and analyzing third-party libraries in Android applications supports application-market security review of those libraries and supervision of developers' compliance with open source licenses. Because existing reference libraries contain only a small number of third-party libraries, and because each detection must compute similarity against third-party library features across millions of applications, third-party library detection suffers from low accuracy and low efficiency. Few kinds of open source licenses have been analyzed in the literature; only violations of the GPL (General Public License) and AGPL (Affero General Public License) have been detected. To address these problems, we put forward a method for detecting and analyzing third-party libraries in Android applications, build the largest third-party library reference library to date, and perform two-level detection based on a third-party library whitelist and call-relationship subgraph recognition. We also analyze whether an application violates the terms of four open source licenses: GPL, Apache, BSD (Berkeley Software Distribution License) and MIT (Massachusetts Institute of Technology). The main work and contributions are as follows.

(1) As the benchmark for detecting third-party libraries and their licenses, a comprehensive third-party library reference library must be built. We obtain 1530 applications from an Android app market, run the open source third-party library detection tool LibD on them, and generate a list of third-party library names. Based on this list, the open source license file of each third-party library is searched for on open source code hosting websites, and libraries licensed under GPL, Apache, BSD or MIT are added to the reference library. We obtain a total of 709 third-party libraries, significantly more than reported in the literature.

(2) To address the low accuracy and low efficiency of existing third-party library detection tools, we propose a two-level detection method based on a whitelist and call-relationship subgraph recognition. First, a renaming obfuscation rule is defined: if a package name in the Android application matches the rule, the application is judged to have been renamed by an obfuscation tool, and detection based on call-relationship subgraph recognition is used for it; otherwise, whitelist-based detection is used. Call-relationship subgraph recognition keeps, in the function call graph, the operation codes that obfuscation does not change, so it can resist renaming obfuscation when computing the similarity between a candidate library in the Android application and a third-party library.

(3) We propose a method to detect whether Android applications violate four open source licenses: GPL, Apache, BSD and MIT. When a third-party library used by the application is GPL-licensed, we look for the application's source code in open source application stores and on open source hosting websites. When the library is licensed under Apache, BSD or MIT, the license is retrieved and the decompiled application is checked for the corresponding license declaration; if it is absent, this is treated as a violation.

To verify the effectiveness of this method, we use 1096 open source applications as the experimental dataset for third-party library detection. The results show a detection accuracy of 83.89% and a false alarm rate of 15.99%. Compared with existing methods, our approach improves accuracy and reduces the miss rate. We also use 15055 applications from the Anzhi market as the experimental dataset for open source license analysis; the results show that 5378 applications violate open source licenses. Among them, 3118 applications violate one open source license, 2160 applications violate several open source licenses at the same time, and the number of applications violating the Apache license is the largest, totaling 4952.
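The two-level detection in (2), as an added illustration that is not code from the thesis: the renaming rule (single-letter package segments), the opcode-only call-edge signature, the Jaccard similarity and the 0.8 threshold are all assumptions chosen for this example, and the call graphs are constructed toy data.

```python
import re
from typing import Dict, List, Set, Tuple

# Toy call graph: method name -> (opcode sequence, names of called methods).
CallGraph = Dict[str, Tuple[List[str], List[str]]]

# Assumed renaming rule: packages made of single-letter segments, e.g. "a.b.c".
OBFUSCATED_PKG = re.compile(r"^([a-z]\.)+[a-z]$")

def looks_renamed(package_names: List[str]) -> bool:
    """Level-one decision: does any package name match the renaming rule?"""
    return any(OBFUSCATED_PKG.match(p) for p in package_names)

def edge_signature(graph: CallGraph) -> Set[Tuple[str, str]]:
    """Call edges as (caller opcodes, callee opcodes). Only opcodes are kept,
    so class/method renaming leaves the signature unchanged."""
    sig = set()
    for opcodes, callees in graph.values():
        for callee in callees:
            if callee in graph:
                sig.add((" ".join(opcodes), " ".join(graph[callee][0])))
    return sig

def similarity(candidate: CallGraph, reference: CallGraph) -> float:
    """Jaccard similarity of the renaming-invariant edge signatures."""
    a, b = edge_signature(candidate), edge_signature(reference)
    return len(a & b) / len(a | b) if a or b else 0.0

def detect(package_names, candidate, reference, whitelist, threshold=0.8):
    """Two-level detection: whitelist lookup for apps that are not renamed,
    call-graph subgraph similarity otherwise. Returns (level, library_found)."""
    if not looks_renamed(package_names):
        return "whitelist", any(p in whitelist for p in package_names)
    return "subgraph", similarity(candidate, reference) >= threshold

# Constructed reference library (Dalvik-style opcodes, toy call chain).
REFERENCE: CallGraph = {
    "com.lib.Crypto.init": (["new-instance", "invoke-direct", "return-void"], ["com.lib.Crypto.key"]),
    "com.lib.Crypto.key": (["const/16", "new-array", "return-object"], []),
    "com.lib.Crypto.run": (["invoke-virtual", "move-result", "return"], ["com.lib.Crypto.init"]),
}
# The same library after renaming obfuscation: names differ, opcodes do not.
RENAMED: CallGraph = {
    "a.b.c.a": (["new-instance", "invoke-direct", "return-void"], ["a.b.c.b"]),
    "a.b.c.b": (["const/16", "new-array", "return-object"], []),
    "a.b.c.c": (["invoke-virtual", "move-result", "return"], ["a.b.c.a"]),
}

if __name__ == "__main__":
    print(detect(["a.b.c"], RENAMED, REFERENCE, {"com.lib"}))  # ('subgraph', True)
```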
Keywords/Search Tags: Third-party library, Network motif, Resisting renaming obfuscation, Open source license