Libspector : Context-Aware Large-Scale Network Traffic Analysis of Android Applications

Abstract

Android applications (apps) are a combination of code written by the developers as well as third-party libraries that carry out most commonly used functionalities such as advertisement and payments. Running apps in a monitoring environment allows researchers to measure how much network traffic is exchanged between an app and remote endpoints. However, current systems currently do not have the ability to reliably distinguish traffic that is generated by different libraries. This is important, because while mobile users are paying for data traffic without distinctions, some of this traffic is useful (e.g., data for core app functionalities), whereas the rest of the traffic can be considered a nuisance (e.g., excessive advertisements). In this paper, we present Libspector, a system that precisely attributes network traffic coming from an Android app to the library that generated it. To this end, we instrument the Android Framework to inspect the network connections initiated by apps, provide fine-grained information on the libraries in use, and calculate method coverage information while performing dynamic analysis. We then perform a measurement on 25,000 popular Android apps and investigate the relation between different categories of apps with the use of specific libraries. We analyze the method coverage of our dynamic analysis method, and further characterize the endpoint connections established by the Android apps. Our results indicate that advertisement libraries account for over a quarter of the total data transmission. We further observe that there is no strict 1-to-1 correlation between the similar categories of network endpoints and libraries which initiated the data transfer.