The hidden complexities of Android TPL detection: An empirical analysis of techniques, challenges, and effectiveness

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2025-10-01 DOI:10.1016/j.cose.2025.104672

Lige Zhan , Jiang Ming , Jianming Fu , Guojun Peng , Letian Sha , Lili Lan

{"title":"The hidden complexities of Android TPL detection: An empirical analysis of techniques, challenges, and effectiveness","authors":"Lige Zhan , Jiang Ming , Jianming Fu , Guojun Peng , Letian Sha , Lili Lan","doi":"10.1016/j.cose.2025.104672","DOIUrl":null,"url":null,"abstract":"<div><div>Third-party libraries (TPLs) play a crucial role in Android application (app) development and have become an indispensable part of the Android ecosystem. However, TPLs also introduce potential security risks, as they may propagate 1-day vulnerabilities or even malicious code into apps. Moreover, certain downstream tasks, such as app clone detection, license violation identification and patch presence test, require accurate TPL detection as a prerequisite. Consequently, TPL detection has gained increasing importance over the past decade in improving maintainability and enhancing security within the software supply chain. To ensure robustness against external factors and precise vulnerability identification, modern library detection tools, in addition to recognizing TPL variety, must be resilient to code obfuscation and optimization, and must also be capable of accurately identifying library versions. Although recent studies have reported progress in addressing these issues, none have conducted a comprehensive evaluation to determine whether the proposed methods effectively overcome these challenges. Furthermore, critical aspects such as tool performance on real-world apps, as well as the generalizability of existing approaches, are frequently overlooked in current research.</div><div>To gain deeper insights into TPL detection research, we conducted a comprehensive empirical analysis of state-of-the-art approaches in this domain. This study begins by summarizing the common technologies used at each stage of the TPL detection process, followed by an analysis of the prevalence of code obfuscation and optimization in real-world apps to identify key external factors that hinder effective library detection. Next, we evaluate the performance of cutting-edge tools on multiple ground-truth datasets to validate our findings. Specifically, we systematically analyze the methodologies employed by these tools, assessing their capabilities in TPL variety detection, version identification, resilience to common obfuscation and optimization techniques, and the underlying causes of their failures. Finally, we assessed the generalizability of these tools by comparing their performance across diverse datasets and validating them with real-world data. Our findings confirm that obfuscation and optimization are indeed prevalent in real-world scenarios. However, the code transformations introduced by these techniques often exceed the scope of scenarios considered in prior TPL detection studies. We also observe that even the most advanced detection features struggle to accurately differentiate between library versions. In addition to errors caused by obfuscation and optimization, overly simplistic library features can further contribute to false positives. Moreover, while most tools perform well on their own curated datasets and show reduced performance on external datasets, their effectiveness in real-world scenarios does not exhibit a substantial disparity. Overall, this paper presents a comprehensive analysis and evaluation of current TPL detection techniques, providing a solid foundation for future research in this area.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"159 ","pages":"Article 104672"},"PeriodicalIF":5.4000,"publicationDate":"2025-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S016740482500361X","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Third-party libraries (TPLs) play a crucial role in Android application (app) development and have become an indispensable part of the Android ecosystem. However, TPLs also introduce potential security risks, as they may propagate 1-day vulnerabilities or even malicious code into apps. Moreover, certain downstream tasks, such as app clone detection, license violation identification and patch presence test, require accurate TPL detection as a prerequisite. Consequently, TPL detection has gained increasing importance over the past decade in improving maintainability and enhancing security within the software supply chain. To ensure robustness against external factors and precise vulnerability identification, modern library detection tools, in addition to recognizing TPL variety, must be resilient to code obfuscation and optimization, and must also be capable of accurately identifying library versions. Although recent studies have reported progress in addressing these issues, none have conducted a comprehensive evaluation to determine whether the proposed methods effectively overcome these challenges. Furthermore, critical aspects such as tool performance on real-world apps, as well as the generalizability of existing approaches, are frequently overlooked in current research.

To gain deeper insights into TPL detection research, we conducted a comprehensive empirical analysis of state-of-the-art approaches in this domain. This study begins by summarizing the common technologies used at each stage of the TPL detection process, followed by an analysis of the prevalence of code obfuscation and optimization in real-world apps to identify key external factors that hinder effective library detection. Next, we evaluate the performance of cutting-edge tools on multiple ground-truth datasets to validate our findings. Specifically, we systematically analyze the methodologies employed by these tools, assessing their capabilities in TPL variety detection, version identification, resilience to common obfuscation and optimization techniques, and the underlying causes of their failures. Finally, we assessed the generalizability of these tools by comparing their performance across diverse datasets and validating them with real-world data. Our findings confirm that obfuscation and optimization are indeed prevalent in real-world scenarios. However, the code transformations introduced by these techniques often exceed the scope of scenarios considered in prior TPL detection studies. We also observe that even the most advanced detection features struggle to accurately differentiate between library versions. In addition to errors caused by obfuscation and optimization, overly simplistic library features can further contribute to false positives. Moreover, while most tools perform well on their own curated datasets and show reduced performance on external datasets, their effectiveness in real-world scenarios does not exhibit a substantial disparity. Overall, this paper presents a comprehensive analysis and evaluation of current TPL detection techniques, providing a solid foundation for future research in this area.

查看原文本刊更多论文

Android TPL检测的隐藏复杂性：技术、挑战和有效性的实证分析

第三方库（tpl）在Android应用程序（app）开发中起着至关重要的作用，已经成为Android生态系统中不可或缺的一部分。然而，tpl也带来了潜在的安全风险，因为它们可能会将1天漏洞甚至恶意代码传播到应用程序中。此外，某些下游任务，如应用克隆检测、license违规识别和补丁存在测试，需要准确的TPL检测作为先决条件。因此，在过去十年中，TPL检测在提高软件供应链中的可维护性和增强安全性方面变得越来越重要。为了确保对外部因素的健壮性和精确的漏洞识别，现代库检测工具除了识别TPL的多样性外，还必须能够适应代码混淆和优化，并且还必须能够准确识别库版本。尽管最近的研究报告了在解决这些问题方面取得的进展，但没有一项研究进行了全面的评估，以确定拟议的方法是否有效地克服了这些挑战。此外，在当前的研究中，诸如工具在实际应用程序上的性能以及现有方法的普遍性等关键方面经常被忽视。为了更深入地了解TPL检测研究，我们对该领域最先进的方法进行了全面的实证分析。本研究首先总结了TPL检测过程中每个阶段使用的常用技术，然后分析了实际应用程序中代码混淆和优化的流行情况，以确定阻碍有效库检测的关键外部因素。接下来，我们在多个真实数据集上评估尖端工具的性能，以验证我们的发现。具体来说，我们系统地分析了这些工具所使用的方法，评估了它们在TPL品种检测、版本识别、对常见混淆和优化技术的弹性方面的能力，以及它们失败的潜在原因。最后，我们通过比较这些工具在不同数据集上的性能，并用实际数据验证它们，评估了这些工具的通用性。我们的研究结果证实，混淆和优化在现实场景中确实很普遍。然而，这些技术引入的代码转换通常超出了先前TPL检测研究中考虑的场景范围。我们还观察到，即使是最先进的检测功能也难以准确区分库版本。除了混淆和优化导致的错误之外，过于简单的库特性还会进一步导致误报。此外，虽然大多数工具在它们自己的数据集上表现良好，而在外部数据集上表现较差，但它们在现实场景中的有效性并没有表现出实质性的差异。总体而言，本文对目前的TPL检测技术进行了全面的分析和评价，为该领域的进一步研究奠定了坚实的基础。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.