DOI: 10.1145/3611643.3616344
Research article

LibKit: Detecting Third-Party Libraries in iOS Apps

Published: 30 November 2023

Abstract

We present LibKit, the first approach and tool for detecting the name and version of third-party libraries (TPLs) present in iOS apps. LibKit automatically builds fingerprints for 86K library versions available through the CocoaPods dependency manager and matches them on the decrypted app executables to identify the TPLs (name and version) an iOS app uses. LibKit supports apps written in Swift and Objective-C, detects statically and dynamically linked libraries, and addresses challenges such as partially included libraries and different compiler versions and configurations producing variants of the same library version. On a ground truth of 95 open-source apps, LibKit identifies libraries with a precision of 0.911 and a recall of 0.839. LibKit also significantly outperforms the state-of-the-art CRiOS tool for identifying TPL boundaries. When applied to 1,500 apps from the iTunes Store, LibKit detects 47,015 library versions, identifying popular apps that contain old library versions.

Supplementary Material

Video (fse23main-p1142-p-video.mp4)
"We present LibKit, the first approach and tool for detecting the name and version of third-party libraries (TPLs) present in iOS apps. LibKit automatically builds fingerprints for 86K library versions available through the CocoaPods dependency manager and matches them on the decrypted app executables to identify the TPLs (name and version) an iOS app uses. LibKit supports apps written in Swift and Objective-C, detects statically and dynamically linked libraries, and addresses challenges such as partially included libraries and different compiler versions and configurations producing variants of the same library version. On a ground truth of 95 open-source apps LibKit identifies libraries with a precision of 91.1% and a recall of 83.9%. Moreover, the library identification and library version identification results positively compare with the best-performing Android tools. LibKit also significantly outperforms the state-of-the-art CRiOS tool for identifying TPL boundaries. When applied on 1,500 apps from the iTunes Store, it detects 47,015 library versions, identifying popular apps that contain old library versions."


Published In

ESEC/FSE 2023: Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering
November 2023
2215 pages
ISBN:9798400703270
DOI:10.1145/3611643

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. iOS
  2. mobile apps
  3. third-party libraries

Qualifiers

  • Research-article

Conference

ESEC/FSE '23

Acceptance Rates

Overall Acceptance Rate 112 of 543 submissions, 21%

Article Metrics

  • Total Citations: 0
  • Total Downloads: 151
  • Downloads (last 12 months): 88
  • Downloads (last 6 weeks): 6

Reflects downloads up to 19 Feb 2025
