Abstract

Third-party libraries (TPLs) are a significant component of mobile apps. They provide various functionalities, and developers employ them to facilitate app development. TPL detection is a fundamental task in security research, as it can impact other security studies. TPL detection can assist malware detection, privacy leakage detection, and similar tasks, because if a TPL carries malicious code, all apps that integrate the TPL can be considered risky. However, in some studies, such as app traffic fingerprinting, TPLs can also act as noise: TPL traffic and app traffic are mixed during app runtime, making it difficult to fingerprint the app traffic accurately. Unfortunately, all existing TPL detection studies work with prior knowledge of TPLs, as they need a whitelist or training on known TPLs. However, new TPLs keep emerging, and it is not feasible for existing works to identify them, especially those that have network behaviors, as they may transfer inappropriate content over the network. To this end, we propose LibHunter, an approach to identify TPLs without prior knowledge. LibHunter inspects the HTTP(S) traffic, logs the corresponding code execution traces, extracts features from the collected data, and performs a clustering algorithm to obtain TPLs. We apply LibHunter to 3000 apps. Results demonstrate that LibHunter can identify 79 TPLs, and about 60% of them are not detected by all existing works. We perform an analysis to show how important these TPLs are; we also present the visiting graph of these TPLs. Our findings show the research community that existing tools are not accurate when encountering contemporary apps.
