LibDetector: Version Identification of Libraries in Android Applications

In the Android ecosystem today, code is often reused by developers in the form of software libraries. This practice not only saves time, but also reduces the complexity of software development. However, like all other software, software libraries are prone to bugs, design flaws, and security vulnerabilities. They too undergo incremental updates to not only add/change features, but also to address their flaws. Unfortunately, the knowledge gap between consumers and maintainers of software libraries presents a barrier to the timely adoption of important library updates. Therefore we present LibDetector, a tool for identifying the specific version of Java libraries used in Android applications. Using LibDetector, we perform a large empirical analysis of the current trends of library use in the Android ecosystem. We find that a huge proportion of applications currently available on the Google Play Store use outdated libraries. We also explore the potential effects of this lax updating practice. In 2 of the 17 libraries we studied, apps that contain outdated versions of the library had a significantly different average rating than apps that contain more recent versions of the library. Finally, we find in a case study that a vulnerable version of a library is a realistic threat to the security of apps consuming that version of the library