Preventing Library Spoofing on Android

Abstract

Dynamic loading of libraries is a widely used technique in Android applications. But including and executing external library code does not only have benefits, it can have severe detrimental security implications for the application and the user. In this paper we explain the mechanisms of loading external library code into an Android application and discuss resulting security implications. Since an attacker can easily impersonate libraries if the application does not perform the necessary verification, loading such code can introduce severe security problems. As a remedy, we present how external code can be verified and since currently available application often do not perform such verification, we introduce a novel way to enforce this verification. A prototype of this system has been published as open-source which can be easily integrated into existing apps and libraries.