English

Version-level Third-Party Library Detection in Android Applications via Class Structural Similarity

Cryptography and Security 2025-06-19 v2 Software Engineering

Abstract

Android applications (apps) integrate reusable and well-tested third-party libraries (TPLs) to enhance functionality and shorten development cycles. However, recent research reveals that TPLs have become the largest attack surface for Android apps, where the use of insecure TPLs can compromise both developer and user interests. To mitigate such threats, researchers have proposed various tools to detect TPLs used by apps, supporting further security analyses such as vulnerable TPLs identification. Although existing tools achieve notable library-level TPL detection performance in the presence of obfuscation, they struggle with version-level TPL detection due to a lack of sensitivity to differences between versions. This limitation results in a high version-level false positive rate, significantly increasing the manual workload for security analysts. To resolve this issue, we propose SAD, a TPL detection tool with high version-level detection performance. SAD generates a candidate app class list for each TPL class based on the feature of nodes in class dependency graphs (CDGs). It then identifies the unique corresponding app class for each TPL class by performing class matching based on the similarity of their class summaries. Finally, SAD identifies TPL versions by evaluating the structural similarity of the sub-graph formed by matched classes within the CDGs of the TPL and the app. Extensive evaluation on three datasets demonstrates the effectiveness of SAD and its components. SAD achieves F1 scores of 97.64% and 84.82% for library-level and version-level detection on obfuscated apps, respectively, surpassing existing state-of-the-art tools. The version-level false positives reported by the best tool is 1.61 times that of SAD. We further evaluate the degree to which TPLs identified by detection tools correspond to actual TPL classes.

Keywords

Cite

@article{arxiv.2504.13547,
  title  = {Version-level Third-Party Library Detection in Android Applications via Class Structural Similarity},
  author = {Bolin Zhou and Jingzheng Wu and Xiang Ling and Tianyue Luo and Jingkun Zhang},
  journal= {arXiv preprint arXiv:2504.13547},
  year   = {2025}
}

Comments

This paper has been accepted by the International Conference on Evaluation and Assessment in Software Engineering (EASE) 2025

R2 v1 2026-06-28T23:03:03.353Z