Measuring the declared SDK versions and their consistency with API calls in android apps

Daoyuan WU; Ximing LIU; Jiayun XU; David Lo; Debin GAO

doi:10.1007/978-3-319-60033-8_58

Measuring the declared SDK versions and their consistency with API calls in android apps

Daoyuan WU^*, Ximing LIU, Jiayun XU, David Lo, Debin GAO

^*Corresponding author for this work

Research output: Book Chapters | Papers in Conference Proceedings › Conference paper (refereed) › Research › peer-review

16 Citations (Scopus)

Abstract

Android has been the most popular smartphone system, with multiple platform versions (e.g., KITKAT and Lollipop) active in the market. To manage the application’s compatibility with one or more platform versions, Android allows apps to declare the supported platform SDK versions in their manifest files. In this paper, we make a first effort to study this modern software mechanism. Our objective is to measure the current practice of the declared SDK versions (which we term as DSDK versions afterwards) in real apps, and the consistency between the DSDK versions and their app API calls. To this end, we perform a three-dimensional analysis. First, we parse Android documents to obtain a mapping between each API and their corresponding platform versions. We then analyze the DSDK-API consistency for over 24K apps, among which we pre-exclude 1.3K apps that provide different app binaries for different Android versions through Google Play analysis. Besides shedding light on the current DSDK practice, our study quantitatively measures the two side effects of inappropriate DSDK versions: (i) around 1.8K apps have API calls that do not exist in some declared SDK versions, which causes runtime crash bugs on those platform versions; (ii) over 400 apps, due to claiming the outdated targeted DSDK versions, are potentially exploitable by remote code execution. These results indicate the importance and difficulty of declaring correct DSDK, and our work can help developers fulfill this goal.

Original language	English
Title of host publication	Wireless Algorithms, Systems, and Applications: 12th International Conference, WASA 2017, Guilin, China, June 19-21, 2017, Proceedings
Editors	Liran MA, Abdallah KHREISHAH, Yan ZHANG, Mingyuan YAN
Publisher	Springer, Cham
Pages	678-690
Number of pages	13
ISBN (Electronic)	9783319600338
ISBN (Print)	9783319600321
DOIs	https://doi.org/10.1007/978-3-319-60033-8_58
Publication status	Published - 9 Jun 2017
Externally published	Yes
Event	12th International Conference on Wireless Algorithms, Systems, and Applications - Guilin, China Duration: 19 Jun 2017 → 21 Jun 2017

Publication series

Name	Lecture Notes in Computer Science
Volume	10251
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	12th International Conference on Wireless Algorithms, Systems, and Applications
Abbreviated title	WASA 2017
Country/Territory	China
City	Guilin
Period	19/06/17 → 21/06/17

Bibliographical note

Publisher Copyright:
© Springer International Publishing AG 2017.

Keywords

Android app security
Android bug detection

Access to Document

10.1007/978-3-319-60033-8_58

Cite this

WU, D., LIU, X., XU, J., Lo, D., & GAO, D. (2017). Measuring the declared SDK versions and their consistency with API calls in android apps. In L. MA, A. KHREISHAH, Y. ZHANG, & M. YAN (Eds.), Wireless Algorithms, Systems, and Applications: 12th International Conference, WASA 2017, Guilin, China, June 19-21, 2017, Proceedings (pp. 678-690). (Lecture Notes in Computer Science; Vol. 10251). Springer, Cham. https://doi.org/10.1007/978-3-319-60033-8_58

WU, Daoyuan ; LIU, Ximing ; XU, Jiayun et al. / Measuring the declared SDK versions and their consistency with API calls in android apps. Wireless Algorithms, Systems, and Applications: 12th International Conference, WASA 2017, Guilin, China, June 19-21, 2017, Proceedings. editor / Liran MA ; Abdallah KHREISHAH ; Yan ZHANG ; Mingyuan YAN. Springer, Cham, 2017. pp. 678-690 (Lecture Notes in Computer Science).

@inproceedings{7dcd8ff027914b2394f5aa2f0ec50b1a,

title = "Measuring the declared SDK versions and their consistency with API calls in android apps",

abstract = "Android has been the most popular smartphone system, with multiple platform versions (e.g., KITKAT and Lollipop) active in the market. To manage the application{\textquoteright}s compatibility with one or more platform versions, Android allows apps to declare the supported platform SDK versions in their manifest files. In this paper, we make a first effort to study this modern software mechanism. Our objective is to measure the current practice of the declared SDK versions (which we term as DSDK versions afterwards) in real apps, and the consistency between the DSDK versions and their app API calls. To this end, we perform a three-dimensional analysis. First, we parse Android documents to obtain a mapping between each API and their corresponding platform versions. We then analyze the DSDK-API consistency for over 24K apps, among which we pre-exclude 1.3K apps that provide different app binaries for different Android versions through Google Play analysis. Besides shedding light on the current DSDK practice, our study quantitatively measures the two side effects of inappropriate DSDK versions: (i) around 1.8K apps have API calls that do not exist in some declared SDK versions, which causes runtime crash bugs on those platform versions; (ii) over 400 apps, due to claiming the outdated targeted DSDK versions, are potentially exploitable by remote code execution. These results indicate the importance and difficulty of declaring correct DSDK, and our work can help developers fulfill this goal.",

keywords = "Android app security, Android bug detection",

author = "Daoyuan WU and Ximing LIU and Jiayun XU and David Lo and Debin GAO",

note = "Publisher Copyright: {\textcopyright} Springer International Publishing AG 2017.; 12th International Conference on Wireless Algorithms, Systems, and Applications, WASA 2017 ; Conference date: 19-06-2017 Through 21-06-2017",

year = "2017",

month = jun,

day = "9",

doi = "10.1007/978-3-319-60033-8\_58",

language = "English",

isbn = "9783319600321",

series = "Lecture Notes in Computer Science",

publisher = "Springer, Cham",

pages = "678--690",

editor = "Liran MA and Abdallah KHREISHAH and Yan ZHANG and Mingyuan YAN",

booktitle = "Wireless Algorithms, Systems, and Applications: 12th International Conference, WASA 2017, Guilin, China, June 19-21, 2017, Proceedings",

}

WU, D, LIU, X, XU, J, Lo, D & GAO, D 2017, Measuring the declared SDK versions and their consistency with API calls in android apps. in L MA, A KHREISHAH, Y ZHANG & M YAN (eds), Wireless Algorithms, Systems, and Applications: 12th International Conference, WASA 2017, Guilin, China, June 19-21, 2017, Proceedings. Lecture Notes in Computer Science, vol. 10251, Springer, Cham, pp. 678-690, 12th International Conference on Wireless Algorithms, Systems, and Applications, Guilin, China, 19/06/17. https://doi.org/10.1007/978-3-319-60033-8_58

Measuring the declared SDK versions and their consistency with API calls in android apps. / WU, Daoyuan; LIU, Ximing; XU, Jiayun et al.
Wireless Algorithms, Systems, and Applications: 12th International Conference, WASA 2017, Guilin, China, June 19-21, 2017, Proceedings. ed. / Liran MA; Abdallah KHREISHAH; Yan ZHANG; Mingyuan YAN. Springer, Cham, 2017. p. 678-690 (Lecture Notes in Computer Science; Vol. 10251).

Research output: Book Chapters | Papers in Conference Proceedings › Conference paper (refereed) › Research › peer-review

TY - GEN

T1 - Measuring the declared SDK versions and their consistency with API calls in android apps

AU - WU, Daoyuan

AU - LIU, Ximing

AU - XU, Jiayun

AU - Lo, David

AU - GAO, Debin

N1 - Publisher Copyright: © Springer International Publishing AG 2017.

PY - 2017/6/9

Y1 - 2017/6/9

N2 - Android has been the most popular smartphone system, with multiple platform versions (e.g., KITKAT and Lollipop) active in the market. To manage the application’s compatibility with one or more platform versions, Android allows apps to declare the supported platform SDK versions in their manifest files. In this paper, we make a first effort to study this modern software mechanism. Our objective is to measure the current practice of the declared SDK versions (which we term as DSDK versions afterwards) in real apps, and the consistency between the DSDK versions and their app API calls. To this end, we perform a three-dimensional analysis. First, we parse Android documents to obtain a mapping between each API and their corresponding platform versions. We then analyze the DSDK-API consistency for over 24K apps, among which we pre-exclude 1.3K apps that provide different app binaries for different Android versions through Google Play analysis. Besides shedding light on the current DSDK practice, our study quantitatively measures the two side effects of inappropriate DSDK versions: (i) around 1.8K apps have API calls that do not exist in some declared SDK versions, which causes runtime crash bugs on those platform versions; (ii) over 400 apps, due to claiming the outdated targeted DSDK versions, are potentially exploitable by remote code execution. These results indicate the importance and difficulty of declaring correct DSDK, and our work can help developers fulfill this goal.

AB - Android has been the most popular smartphone system, with multiple platform versions (e.g., KITKAT and Lollipop) active in the market. To manage the application’s compatibility with one or more platform versions, Android allows apps to declare the supported platform SDK versions in their manifest files. In this paper, we make a first effort to study this modern software mechanism. Our objective is to measure the current practice of the declared SDK versions (which we term as DSDK versions afterwards) in real apps, and the consistency between the DSDK versions and their app API calls. To this end, we perform a three-dimensional analysis. First, we parse Android documents to obtain a mapping between each API and their corresponding platform versions. We then analyze the DSDK-API consistency for over 24K apps, among which we pre-exclude 1.3K apps that provide different app binaries for different Android versions through Google Play analysis. Besides shedding light on the current DSDK practice, our study quantitatively measures the two side effects of inappropriate DSDK versions: (i) around 1.8K apps have API calls that do not exist in some declared SDK versions, which causes runtime crash bugs on those platform versions; (ii) over 400 apps, due to claiming the outdated targeted DSDK versions, are potentially exploitable by remote code execution. These results indicate the importance and difficulty of declaring correct DSDK, and our work can help developers fulfill this goal.

KW - Android app security

KW - Android bug detection

UR - https://www.scopus.com/pages/publications/85026371964

U2 - 10.1007/978-3-319-60033-8_58

DO - 10.1007/978-3-319-60033-8_58

M3 - Conference paper (refereed)

AN - SCOPUS:85026371964

SN - 9783319600321

T3 - Lecture Notes in Computer Science

SP - 678

EP - 690

BT - Wireless Algorithms, Systems, and Applications: 12th International Conference, WASA 2017, Guilin, China, June 19-21, 2017, Proceedings

A2 - MA, Liran

A2 - KHREISHAH, Abdallah

A2 - ZHANG, Yan

A2 - YAN, Mingyuan

PB - Springer, Cham

T2 - 12th International Conference on Wireless Algorithms, Systems, and Applications

Y2 - 19 June 2017 through 21 June 2017

ER -

WU D, LIU X, XU J, Lo D, GAO D. Measuring the declared SDK versions and their consistency with API calls in android apps. In MA L, KHREISHAH A, ZHANG Y, YAN M, editors, Wireless Algorithms, Systems, and Applications: 12th International Conference, WASA 2017, Guilin, China, June 19-21, 2017, Proceedings. Springer, Cham. 2017. p. 678-690. (Lecture Notes in Computer Science). Epub 2017 May 27. doi: 10.1007/978-3-319-60033-8_58

Measuring the declared SDK versions and their consistency with API calls in android apps

Abstract

Publication series

Conference

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Cite this