Up-To-Crash: Evaluating Third-Party Library Updatability on Android

Huang, Jie; Borges, Nataniel P.; Bugiel, Sven; Backes, Michael

doi:10.1109/eurosp.2019.00012

Cited by 18 publications

(12 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A user of a library can fix all vulnerabilities by accessing and modifying the code base of dependencies, but developers tend to avoid it [7]. Equally, 'simply updating' ain't so simple [8]. ment tools such as Apache Ivy 5 and Apache Maven 6 :…”

Section: Terminologymentioning

confidence: 99%

“…• A dependency is direct if it is directly invoked from the dependent library instance. • A dependency tree 8 is a representation of a software library instance and its dependencies where each node is a library instance and edges connect dependent library instances to their direct dependencies. • A transitive dependency is connected to the root library instance of a dependency tree through a path with more than one edge.…”

Section: Terminologymentioning

confidence: 99%

See 1 more Smart Citation

Vuln4Real: A Methodology for Counting Actually Vulnerable Dependencies

Pashchenko

Plate²,

Ponta³

et al. 2022

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

Vulnerable dependencies are a known problem in today's free open-source software ecosystems because FOSS libraries are highly interconnected, and developers do not always update their dependencies. Our paper proposes Vuln4Real, the methodology for counting actually vulnerable dependencies, that addresses the over-inflation problem of academic and industrial approaches for reporting vulnerable dependencies in FOSS software, and therefore, caters to the needs of industrial practice for correct allocation of development and audit resources. To understand the industrial impact of a more precise methodology, we considered the 500 most popular FOSS Java libraries used by SAP in its own software. Our analysis included 25767 distinct library instances in Maven. We found that the proposed methodology has visible impacts on both ecosystem view and the individual library developer view of the situation of software dependencies: Vuln4Real significantly reduces the number of false alerts for deployed code (dependencies wrongly flagged as vulnerable), provides meaningful insights on the exposure to third-parties (and hence vulnerabilities) of a library, and automatically predicts when dependency maintenance starts lagging, so it may not receive updates for arising issues.

show abstract

Section: Terminologymentioning

confidence: 99%

Section: Terminologymentioning

confidence: 99%

Vuln4Real: A Methodology for Counting Actually Vulnerable Dependencies

Pashchenko

Plate²,

Ponta³

et al. 2022

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

show abstract

“…Developers are wary of updating their dependencies if they work as intended. A follow up quantitative study [20] found that the most likely reason that stops developers from updating dependencies are breaking changes due to deprecated functions, changed data structures, or entangled dependencies between different libraries and even the host app. Limited insights are provided on the developers' motivations for performing an update of each kind (functionality or security).…”

Section: Dependency Management and Mitigation Of Dependency Issuesmentioning

confidence: 99%

“…On the Android ecosystem, mobile app developers do not consider security as a top-priority task [11]. A later study by the same group [20] explained the reason behind it as a major clash with functionality: the 'easy' updates would actually break around 50% of dependent projects.…”

mentioning

confidence: 99%

A Qualitative Study of Dependency Management and Its Security Implications

Pashchenko

Massacci

2020

Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Several large scale studies on the Maven, NPM, and Android ecosystems point out that many developers do not often update their vulnerable software libraries thus exposing the user of their code to security risks. The purpose of this study is to qualitatively investigate the choices and the interplay of functional and security concerns on the developers' overall decision-making strategies for selecting, managing, and updating software dependencies. We run 25 semi-structured interviews with developers of both large and small-medium enterprises located in nine countries. All interviews were transcribed, coded, and analyzed according to applied thematic analysis. They highlight the trade-offs that developers are facing and that security researchers must understand to provide an effective support to mitigate vulnerabilities (for example bundling security fixes with functional changes might hinder adoption due to lack of resources to fix functional breaking changes). We further distill our observations to actionable implications on what algorithms and automated tools should achieve to effectively support (semi-)automatic dependency management.

show abstract

“…While during our evaluation, we did not consider transitive dependencies, we also have seen that the problems of transitive dependency with regards to library updatability is a corner case, e.g., only 2 instances of the false positives. Also existing research [28] on the updatability of third-party libraries shows that only 1.7% of the library API could be affected by this problem (referred to as entangled dependencies). Still we see a potential threat to the security of Android apps due to transitive dependencies.…”

Section: Transitive Dependencies and App Securitymentioning

confidence: 99%