Abstract
Third-party libraries are reusable resources that are widely employed in Android Apps. While third-party libraries provide a variety of functions, they bring serious security and privacy problems. Third-party libraries and their host Apps run in the same process and share the same permissions. Whether the third-party libraries comply with privacy policies is outside the control of App developers. In this work, we identify four types of privacy leakage paths inside Apps with case studies. Based on the Xposed framework, we propose a fine-grained, dynamic privacy-leakage analysis tool that analyzes the privacy leakage behaviors of third-party libraries in real time. Our tool first identifies the third-party libraries inside Apps, then extracts the call chains of the privacy source and sink functions during the execution of Apps, and finally evaluates the privacy-leak risks of the third-party libraries according to the privacy leakage paths. We evaluate our tool over 150 popular Apps, collecting 1909 privacy-data-related call chains. We find that many third-party libraries access private information. Moreover, they set up direct network connections to remote servers, which suggests that third-party libraries pose a great privacy risk. The experimental results show that our tool can achieve real-time, fine-grained and dynamic privacy leakage analysis on Android Apps.