Annual Computer Security Applications Conference (ACSAC) 2020


Up2Dep: Android Tool Support to Fix Insecure Code Dependencies

Third-party libraries, especially outdated versions, can introduce and multiply security- and privacy-related issues in Android applications. While prior work has shown that developers need tool support to avoid libraries with security problems, no such solution has yet been brought forward for Android. It is unclear how such a solution would work and which challenges need to be solved in realizing it.

In this work, we take a step forward in this direction. We propose FixDep, an Android Studio extension that supports Android developers in keeping project dependencies up-to-date and in avoiding insecure libraries. To evaluate the technical feasibility of FixDep, we publicly released it and tested it with Android developers (N=56) in their daily tasks. FixDep delivered quick-fixes that mitigated 108 outdated dependencies and 8 outdated dependencies with security problems in 34 real projects, and those developers perceived it as helpful. Our results also highlight technical challenges in realizing such support, for which we provide solutions and new insights.

Our results emphasize the urgent need for designated tool support to detect and update insecure, outdated third-party libraries in Android apps. We believe that FixDep provides a valuable step forward in improving the security of the Android ecosystem, and our encouraging results show that such tool support can have a tangible impact, since app developers gain an easy means to fix their outdated and insecure dependencies.

Duc Cuong Nguyen
CISPA Helmholtz Center for Information Security

Erik Derr
Saarland University

Michael Backes
CISPA Helmholtz Center for Information Security

Sven Bugiel
CISPA Helmholtz Center for Information Security

Paper (ACM DL)

Slides

Video

 


