Scalable Online Vetting of Android Apps for Measuring Declared SDK Versions and Their Consistency with API Calls
Daoyuan Wu, Debin Gao, David Lo

TL;DR
This paper presents a scalable, bytecode-level approach to analyze Android apps for declared SDK versions and their consistency with API calls, revealing significant issues with under-declaration that impact app stability and security.
Contribution
It introduces a fast, online vetting method for large app datasets to assess DSDK declaration accuracy and its implications, which was not previously feasible at this scale.
Findings
35% of apps under-report DSDK, risking runtime crashes
11.3% of apps could crash on Android 6.0+ due to under-declaration
2% of apps are potentially exploitable via under-claimed DSDKs
Abstract
Android has been the most popular smartphone system with multiple platform versions active in the market. To manage the application's compatibility with one or more platform versions, Android allows apps to declare the supported platform SDK versions in their manifest files. In this paper, we conduct a systematic study of this modern software mechanism. Our objective is to measure the current practice of declared SDK versions (which we term as DSDK versions afterwards) in real apps, and the (in)consistency between DSDK versions and their host apps' API calls. To successfully analyze a modern dataset of 22,687 popular apps (with an average app size of 25MB), we design a scalable approach that operates on the Android bytecode level and employs a lightweight bytecode search for app analysis. This approach achieves a good performance suitable for online vetting in app markets, requiring…
Taxonomy
Topics: Advanced Malware Detection Techniques · Software Testing and Debugging Techniques · Software Engineering Research
