Identifying Android Library Dependencies in the Presence of Code Obfuscation and Minimization

The rapid growth of the Android app market motivates the need for tools and techniques to analyze and improve Android apps. A basic capability in this context is to identify the libraries present in a given Android app, including their exact version. The problem of identifying library dependencies is made difficult by two common build-time transformations, namely code minimization and obfuscation. Minimization typically incorporates only the library fragments an app actually uses (dropping the rest), while obfuscation renames symbols globally across the app.

In this paper, we tackle both of these challenges via a unified approach, which abstracts app and library classes into summaries of their interactions with system libraries. The summarization technique is resistant to obfuscation, and is amenable to efficient similarity detection (matching). We lift the class-wise matches into a set of library dependencies by encoding this problem as a global constraint/optimization system across all app classes and available libraries.

We have implemented our approach as the MOBSCANNER system. We report on the evaluation of MOBSCANNER against 20 Android apps along with a randomly chosen database of over 10K library versions belonging to 1K unique libraries. MOBSCANNER is able to pinpoint the exact library versions present across the apps, with recall of 98% without obfuscation/minimization and 85% with it.
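The pipeline sketched in the abstract (obfuscation-resistant class summaries, class-wise similarity matching, and a global lift of class matches to library versions) can be illustrated on a toy scale. The following is an added example written for this page, not MOBSCANNER's own code; the library names, versions, class names and call lists are all constructed, and the brute-force search over version choices is a stand-in for the paper's constraint/optimization formulation. The one assumption it relies on is that shrinkers and obfuscators such as ProGuard can rename an app's own classes and methods but not the platform classes (java.*, android.*) those methods call, so a class's multiset of platform calls survives renaming.

```python
"""Added illustration, not MOBSCANNER's code: obfuscation-resistant class
summaries, class-wise matching, and a global lift to library versions,
run on constructed sample data."""
from collections import Counter
from itertools import product

# Assumption: obfuscators rename app/library symbols but not the platform
# classes they call, so a class's multiset of platform calls is stable.
# All library names, versions and call lists below are constructed.
LIBRARY_DB = {
    ("netlib", "1.0"): {
        "netlib/Client": ["java/net/URL.openConnection",
                          "java/net/HttpURLConnection.getInputStream",
                          "java/io/InputStream.read"],
        "netlib/Cache": ["java/io/File.<init>", "java/io/FileOutputStream.write",
                         "java/io/File.length"],
        "netlib/Log": ["android/util/Log.d"],
    },
    ("netlib", "1.1"): {  # differs from 1.0 only by one extra call in Client
        "netlib/Client": ["java/net/URL.openConnection",
                          "java/net/HttpURLConnection.getInputStream",
                          "java/io/InputStream.read",
                          "java/net/HttpURLConnection.setRequestProperty"],
        "netlib/Cache": ["java/io/File.<init>", "java/io/FileOutputStream.write",
                         "java/io/File.length"],
        "netlib/Log": ["android/util/Log.d"],
    },
    ("jsonlib", "3.2"): {
        "jsonlib/Parser": ["java/lang/String.charAt", "java/lang/StringBuilder.append",
                           "java/lang/Integer.parseInt"],
        "jsonlib/Writer": ["java/lang/StringBuilder.append", "java/io/Writer.write"],
    },
}

# Constructed app after obfuscation + minimization: library classes renamed
# to a/a, a/b, b/a; netlib/Log and jsonlib/Writer dropped as unused.
APP_CLASSES = {
    "a/a": ["java/net/URL.openConnection", "java/net/HttpURLConnection.getInputStream",
            "java/io/InputStream.read", "java/net/HttpURLConnection.setRequestProperty"],
    "a/b": ["java/io/File.<init>", "java/io/FileOutputStream.write", "java/io/File.length"],
    "b/a": ["java/lang/String.charAt", "java/lang/StringBuilder.append",
            "java/lang/Integer.parseInt"],
    "com/example/MainActivity": ["android/app/Activity.onCreate",
                                 "android/app/Activity.setContentView"],
}

THRESHOLD = 0.5    # minimum similarity for a class-wise match
LIB_PENALTY = 0.2  # a library must explain more than this to be reported


def summarize(calls):
    """Class summary: multiset of platform API calls, independent of names."""
    return Counter(calls)


def similarity(a, b):
    """Weighted Jaccard similarity of two summaries, in [0, 1]."""
    union = sum((a | b).values())
    return sum((a & b).values()) / union if union else 0.0


def summarize_db(db):
    """Summarize every class of every library version in the database."""
    return {key: {cls: summarize(calls) for cls, calls in classes.items()}
            for key, classes in db.items()}


def match_classes(app, db_summaries, threshold=THRESHOLD):
    """Class-wise step: best (similarity, (lib, ver), class) per app class."""
    matches = {}
    for name, calls in app.items():
        s = summarize(calls)
        cands = [(similarity(s, ls), key, cls)
                 for key, classes in db_summaries.items()
                 for cls, ls in classes.items()]
        best = max(cands, default=(0.0, None, None))
        matches[name] = best if best[0] >= threshold else None
    return matches


def lift(app, db, threshold=THRESHOLD, penalty=LIB_PENALTY):
    """Global step: pick at most one version per library maximizing the
    summed similarity of explained app classes minus a per-library penalty.
    Brute force over version choices (stand-in for a real optimizer)."""
    dbs = summarize_db(db)
    libs = sorted({lib for lib, _ in db})
    options = [[None] + sorted(v for l, v in db if l == lib) for lib in libs]
    app_summaries = {n: summarize(c) for n, c in app.items()}
    best_score, best_choice = float("-inf"), {}
    for choice in product(*options):
        chosen = {l: v for l, v in zip(libs, choice) if v is not None}
        score = -penalty * len(chosen)
        for s in app_summaries.values():
            sim = max((similarity(s, ls) for lib, ver in chosen.items()
                       for ls in dbs[(lib, ver)].values()), default=0.0)
            if sim >= threshold:   # unexplained classes (app's own code) add nothing
                score += sim
        if score > best_score:
            best_score, best_choice = score, chosen
    return best_choice


if __name__ == "__main__":
    print(lift(APP_CLASSES, LIBRARY_DB))  # {'jsonlib': '3.2', 'netlib': '1.1'}
```

Two points the toy makes visible. The renamed class `a/a` is matched to `netlib/Client` of version 1.1 with similarity 1.0 and to the 1.0 variant with only 0.75, so a single extra platform call is enough to separate versions; and the dropped classes (`netlib/Log`, `jsonlib/Writer`) do not hurt, because the lift only rewards explained app classes rather than requiring every library class to be present. The threshold rather than exact equality is what tolerates minimization that removes unused methods inside a retained class, which shrinks its summary; that same effect is the reason recall is lower on minimized apps than on untouched ones.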

By: Salman A. Baset, Shih-Wei Li, Philippe Suter, Omer Tripp

Published in: IBM Research Report RC25649, 2016

rc25649.pdf

Questions about this service can be mailed to reports@us.ibm.com.