SURVEY OF VULNERABILITY ASSESSMENT OF TRANSITIVE
LIBRARY DEPENDENCIES ON ANDROID APPLICATION SECURITY
BY
JOANNA
ABSTRACT
Security risks are rising dramatically, posing a significant challenge to mobile platforms,
particularly Android. Attacks have become more frequent in recent years, and each one more
damaging to the system. While there has been a lot of research in previous years on Android
security detection and mitigation, many obstacles and gaps remain in the field. The third-party
libraries that an Android application uses can have dependencies of their own, and those
dependencies may in turn have further dependencies, forming a chain of transitive
dependencies. Serious security issues are associated with transitive library dependencies,
which are the indirect dependencies introduced by direct dependencies. This study presents a
thorough vulnerability assessment framework for transitive library dependencies in Android
applications. Effective assessment and management of transitive library dependencies is
crucial for ensuring the security of Android applications. Important steps to reduce the risks
associated with transitive library dependencies include conducting vulnerability assessments,
monitoring for known vulnerabilities and updating dependencies.
1. INTRODUCTION
This survey discusses the paper "ATVHunter: Reliable Version Detection of Third-Party
Libraries for Vulnerability Identification in Android Applications" [1] as the major paper on
which the research is based. It also discusses the other papers that contributed to the study
and their role. The survey analyses existing research in order to identify gaps that this study
will fill in assessing the impact of vulnerabilities in transitive library dependencies on
Android application security.
2. LITERATURE REVIEW
The paper by [1] reviews existing TPL detection techniques, such as clustering-based
methods, identifies their limitations and introduces ATVHunter as a novel tool for detecting
vulnerable TPLs in Android apps. The study emphasises the importance of identifying the
exact version of a TPL, since whether a known vulnerability applies depends on the version,
and it rates the severity of vulnerabilities using CVSS v3.0 metrics, grouping them into the
low, medium, high and critical levels. On the CVSS v3.0 qualitative scale a base score of 7.0
to 8.9 is High and 9.0 to 10.0 is Critical, so vulnerabilities scoring 7.0 or above are treated as
high or critical. This classification helps in identifying the most severe vulnerabilities, which
may involve risks such as remote code execution, sensitive data leakage and SSRF attacks. By
using CVSS v3.0 metrics the paper communicates the seriousness of vulnerabilities clearly,
giving readers an understanding of the potential threats posed by vulnerable TPLs. This adds
to the literature on TPL security assessment and risk mitigation in Android apps.
The paper [1] also evaluates the effectiveness of ATVHunter in detecting vulnerable TPLs
and highlights its impact on improving app quality and security, which adds to the literature
on evaluating security tools and their practical implications. In conclusion, the paper enriches
the literature on Android TPL security by introducing an innovative tool, providing insights
into vulnerability identification and offering practical recommendations for app developers.
It builds upon existing techniques, addresses their limitations and contributes to the
advancement of research in Android app security and vulnerability detection.
A library's security issues may go unnoticed by developers if it is included only as a
transitive dependency of another dependency. Such a situation is described in [2] for npm, the
package manager of the Node.js JavaScript runtime, where transitive dependencies can
effectively conceal security issues from developers [2]. Because third-party libraries are used
so widely and in turn have dependencies of their own, controlling these risks is difficult:
updating can cause compatibility problems, developers are often unaware of what they
transitively depend on, and migrating away from a dependency can cost more effort than it is
worth. For instance, installing a package with npm requires Node.js to be present, and a single
npm install pulls in the package's own dependencies, which then pull in theirs; this is how
transitive dependencies arise.
To visualise both direct and transitive dependencies of Node.js projects and to offer an
interactive graph that exposes vulnerability information, [5] presented a web-based
application named V-Achilles. It obtains a user's npm-based repositories through a GitHub
connection, examines their dependencies and creates a dependency graph visualisation. In
addition, the programme delivers vulnerability information, suggests dependency updates and
generates a vulnerability report. The importance of understanding and controlling the security
risks associated with transitive dependencies is shown by the tool's discovery of
vulnerabilities in [x%] of the top ten most starred GitHub repositories during testing [5]. The
disproportionate impact of transitive vulnerabilities, libraries that keep holding onto
vulnerable dependencies, fresh releases that still include vulnerable dependencies and patch
releases that only appear after vulnerability disclosure are some examples of these security
hazards [6]. These dangers show how security flaws spread through transitive dependencies,
affecting many software components and complicating vulnerability management.
In the context of Android development, transitive dependencies are those introduced by the
libraries or modules that your app directly depends on. A library you include in your Android
project may itself require other libraries, and for your project those are transitive
dependencies. For instance, if your app includes Library A and Library A depends on Library
B, then Library B is a transitive dependency of your app. Managing transitive dependencies is
critical to making sure your programme has everything it needs to run; it entails identifying
and resolving any conflicts or problems that result from the transitive dependencies
introduced by your Android project's libraries, including cases where two libraries pull in
different versions of the same artifact and the build tool has to pick one. The difficulties that
transitive dependencies pose in Android applications are covered in [7]. It states that a large
number of unpredictable transitive dependencies cause problems for developers when it
comes to managing dependencies. Because handling transitive dependencies is so difficult,
developers avoid updates, which [7] identifies as a severe strain on managing and updating
dependencies. According to the study, developers should consider high-level metrics that
show a library's maturity, safety and the smallness of its transitive dependency footprint. This
shows that libraries with few transitive dependencies are preferred by developers who are
worried about the effects of such dependencies.
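As an added illustration of the Library A / Library B chain described above (example code written for this survey, not taken from any of the cited papers or tools), the following Python script parses the text report of Gradle's `dependencies` task, which is how an Android build exposes its resolved dependency tree, and reports every root-to-node path that ends in an artifact with a known advisory, rated on the CVSS v3.0 qualitative scale. The tree and the advisory list are constructed for the example: the androidx coordinates are real artifacts, but every `com.example.*` coordinate, version and score is hypothetical. Two details matter in practice: Gradle prints `declared -> resolved` when conflict resolution picks a different version, and only the resolved version ships in the APK, so that is the one to check; and version comparison must be numeric, because `"1.9" > "1.10.0"` as strings.

```python
"""Walk a Gradle dependency report to find every path to an artifact with a
known advisory, using the *resolved* version (what actually ships in the APK)
and rating each hit on the CVSS v3.0 qualitative scale."""
import re

# Constructed sample of `./gradlew :app:dependencies --configuration releaseRuntimeClasspath`.
# androidx artifacts are real; every com.example.* coordinate and version is made up.
SAMPLE_TREE = r"""
releaseRuntimeClasspath - Runtime classpath of compilation 'release'.
+--- androidx.appcompat:appcompat:1.6.1
|    +--- androidx.core:core:1.9.0
|    \--- androidx.fragment:fragment:1.3.6
+--- com.example.net:netlib:3.0.2
+--- com.example.analytics:tracker:2.4.0
|    +--- com.example.net:netlib:2.1.0 -> 3.0.2
|    +--- com.example.util:textkit:1.9
|    \--- com.example.crypto:oldcipher:0.7
\--- com.example.legacy:legacy-sdk:1.0
     +--- com.example.util:textkit:1.8 -> 1.9
     \--- com.example.crypto:oldcipher:0.7 (*)
"""

# Hypothetical advisories: (group:name, first fixed version, CVSS v3.0 base score).
ADVISORIES = [
    ("com.example.util:textkit", "1.10.0", 9.8),
    ("com.example.net:netlib", "3.0.0", 7.5),
    ("com.example.crypto:oldcipher", "1.0", 5.3),
    ("com.example.legacy:legacy-sdk", "1.1", 4.0),
]

# One tree line: indent made of "|    " / "     " blocks, a +--- or \--- connector,
# "group:name[:declared]", an optional "-> resolved" and an optional (*)/(c)/(n) flag.
_LINE = re.compile(r"^((?:\|    |     )*)[+\\]--- (\S+)(?: -> (\S+))?(?: \(([*cn])\))?\s*$")


def version_key(version, width=4):
    """Numeric tuple for comparison; '1.9' < '1.10.0' must hold, which string order breaks."""
    parts = []
    for piece in version.split(".")[:width]:
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts + [0] * (width - len(parts)))


def cvss_rating(score):
    """CVSS v3.0 qualitative severity rating scale."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def parse_gradle_tree(text):
    """Return one record per tree node with its depth, resolved version and root-to-node path."""
    nodes, stack = [], []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # configuration header, blank lines, "(*) - ..." legend
        indent, coords, arrow, flag = m.groups()
        if flag == "n":
            continue  # not resolved for this configuration, nothing ships
        depth = len(indent) // 5
        group, name, *rest = coords.split(":")
        declared = rest[0] if rest else None  # absent when a BOM/platform supplies it
        resolved = arrow or declared
        artifact = f"{group}:{name}"
        stack[depth:] = [f"{artifact}:{resolved}"]
        nodes.append({"artifact": artifact, "declared": declared, "resolved": resolved,
                      "depth": depth, "path": list(stack)})
    return nodes


def find_vulnerable(tree_text, advisories):
    """Every path whose resolved version is below the advisory's fix version."""
    fixes = {art: (fixed, score) for art, fixed, score in advisories}
    hits = []
    for node in parse_gradle_tree(tree_text):
        if node["artifact"] not in fixes or node["resolved"] is None:
            continue
        fixed, score = fixes[node["artifact"]]
        if version_key(node["resolved"]) < version_key(fixed):
            hits.append({"artifact": node["artifact"], "resolved": node["resolved"],
                         "fixed": fixed, "rating": cvss_rating(score),
                         "transitive": node["depth"] > 0, "path": " => ".join(node["path"])})
    return hits


if __name__ == "__main__":
    for h in find_vulnerable(SAMPLE_TREE, ADVISORIES):
        kind = "transitive" if h["transitive"] else "direct"
        print(f'{h["rating"]:8} {kind:10} {h["artifact"]}:{h["resolved"]} '
              f'(fixed in {h["fixed"]}) via {h["path"]}')
```

On a real project, run `./gradlew :app:dependencies --configuration releaseRuntimeClasspath > deps.txt` and pass the file contents to `find_vulnerable`. In the sample, `netlib` is declared at 2.1.0 by `tracker` but resolved to 3.0.2, so it is not reported, whereas `textkit` is reachable through two different libraries and is reported once per path, which is exactly the information a developer needs to decide which direct dependency to upgrade or override.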
2.1 RELATED WORK
The objective of the study by [2] was to assess the technical feasibility of helping developers
keep the dependencies of their projects up to date. The researchers used tools such as
LibScout and CogniCrypt to evaluate library version history and to find insecure uses of
cryptographic APIs, and on that basis they developed Up2Dep, an Android Studio plugin. The
findings in [2] showed that Up2Dep provided helpful assistance and supported developers in
upgrading the dependencies of their projects. The analysis made clear how urgently insecure,
out-of-date third-party libraries in Android apps need to be detected and updated with tool
support.
The research in [4] makes use of the Vuln4Real methodology, which builds on the most
recent approaches for assessing software dependencies. It comprises a number of stages,
including grouping dependencies according to the software project they belong to (so that a
project's own artifacts are not counted as third-party risk), filtering out dependencies that are
only needed for development, and determining whether a particular dependency is dead
(halted). With a tool that uses Apache Maven's functionality to extract library dependencies
and applies the Vuln4Real post-processing steps, the methodology is applied to the 500 most
popular FOSS Maven-based libraries from SAP.
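The three post-processing stages just listed, carried out over a constructed Maven-style dependency list (example code written for this survey, not the Vuln4Real authors' tool or data): each dependency is bucketed as the project's own artifact, development-only, halted or ordinary third-party, and only the last bucket is reported as actionable. The project name, every coordinate, date and advisory flag are made up; treating Maven `test` scope as "development-only", the 365-day no-release threshold for "halted" and the bucket order are this example's assumptions, not figures from [4].

```python
"""Vuln4Real-style post-processing of a resolved Maven dependency list:
separate the project's own artifacts, drop development-only (test-scope)
dependencies and flag halted dependencies before counting what is vulnerable."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Dep:
    group: str
    artifact: str
    version: str
    scope: str          # Maven scope: compile, runtime, provided or test
    direct: bool        # declared in the project's pom, or pulled in transitively
    last_release: date  # newest release of this artifact in the repository
    vulnerable: bool    # a known advisory affects this version


PROJECT_GROUP = "com.example.shop"  # hypothetical analysed project
TODAY = date(2024, 3, 1)            # fixed reference date so the example is deterministic
HALTED_AFTER_DAYS = 365             # assumption: no release for a year means the library is halted

# Constructed dependency list; every coordinate, date and advisory flag is made up.
SAMPLE_DEPS = [
    Dep("com.example.shop", "shop-core", "2.1.0", "compile", True, date(2024, 2, 10), True),
    Dep("org.example.json", "jsonlib", "1.4.2", "compile", True, date(2024, 1, 20), True),
    Dep("org.example.http", "httpcore", "3.9.0", "compile", False, date(2023, 12, 5), True),
    Dep("org.example.log", "logfacade", "1.7.36", "compile", False, date(2023, 11, 1), False),
    Dep("org.example.legacy", "oldxml", "1.1", "compile", False, date(2015, 6, 30), True),
    Dep("org.example.test", "testkit", "4.13", "test", True, date(2021, 2, 13), True),
    Dep("org.example.mock", "mockkit", "2.0", "test", False, date(2023, 9, 9), False),
]


def coordinate(dep):
    return f"{dep.group}:{dep.artifact}:{dep.version}"


def classify(dep, project_group=PROJECT_GROUP, today=TODAY, halted_after=HALTED_AFTER_DAYS):
    """Bucket a dependency the way the three post-processing stages do, in order:
    own artifact -> development-only -> halted -> ordinary third-party."""
    if dep.group == project_group:
        return "own"            # same project: fixed by the same team, not third-party risk
    if dep.scope == "test":
        return "dev-only"       # never on the runtime classpath of the shipped artifact
    if (today - dep.last_release).days > halted_after:
        return "halted"         # 'update to the fixed version' is not an available remedy
    return "third-party"


def vuln4real_report(deps, **kwargs):
    """Compare a naive vulnerable-dependency count with the per-bucket view."""
    report = {"naive_vulnerable": 0, "own": 0, "dev_only": 0, "halted": 0, "actionable": []}
    for dep in deps:
        if not dep.vulnerable:
            continue
        report["naive_vulnerable"] += 1
        bucket = classify(dep, **kwargs)
        if bucket == "third-party":
            report["actionable"].append((coordinate(dep), "direct" if dep.direct else "transitive"))
        else:
            report[bucket.replace("-", "_")] += 1
    return report


if __name__ == "__main__":
    r = vuln4real_report(SAMPLE_DEPS)
    print(f"naive count: {r['naive_vulnerable']}  own: {r['own']}  "
          f"dev-only: {r['dev_only']}  halted: {r['halted']}")
    for coord, kind in r["actionable"]:
        print(f"actionable {kind:10} {coord}")
```

On the sample the naive scanner would report five vulnerable dependencies; after post-processing only two remain actionable (one direct, one transitive), one is the project's own artifact, one is test-only and one is halted. The halted dependency is not silently dropped: it is counted separately because "update" is not a remedy for it and a replacement has to be found instead.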
The study also addresses threats to construct and internal validity and evaluates the approach
with a tool developed by the authors. It concludes that the Vuln4Real methodology has
discernible effects on how the ecosystem, and individual library developers, view the state of
their software dependencies. It anticipates when dependency maintenance starts to lag, offers
useful information on a library's exposure through third parties and substantially lowers the
number of false alarms for deployed code. The study also emphasises how critical it is to take
transitive dependencies, and the security threats they pose, into account when analysing and
detecting vulnerabilities. Additionally, it suggests that any improvement in the precision of
the list of vulnerabilities will give better results for some libraries, and it plans to
complement the work with a qualitative study on the reasons why known vulnerabilities
persist. Separately, the conclusion of [1] highlights the effectiveness of ATVHunter in
detecting vulnerable TPLs, its potential for improving app quality and the need for continued
research to cover emerging TPLs and maintain the tool's database.
A study by [3] evaluated open-source dependencies in 450 GitHub projects across various
programming languages through an empirical analysis with the Veracode SCA tool, with an
observation period from November 2017 to October 2018. The study concentrated on finding
prevalent vulnerability categories, vulnerable libraries and the amount of work needed to fix
dependency problems. It also looked into the connection between commit properties and
vulnerabilities. Important findings included the longevity of vulnerable dependency problems,
which took an average of 4 to 5 months to resolve, and that the number and quality of
contributors, the level of project activity and the project's size had no discernible effect on
the number of vulnerabilities in open-source dependencies. The study also raised the question
of whether risk from vulnerable dependencies can be lessened by adding more personnel to a
project.
Methodologically, the study ran software composition analysis with the Veracode SCA tool
over the 450 GitHub projects, written in widely used programming languages, for the
observation period of 1 November 2017 to 31 October 2018. Common vulnerability types and
vulnerable libraries were identified by examining the commits made to the projects during
this time. Along with the relationship between commit attributes and vulnerabilities, the
analysis also covered how long it takes to fix dependency vulnerabilities. Findings were
supported by statistical tests such as the Wilcoxon signed-rank test.
The study's conclusion is that more research is required to determine whether increasing a
project's workforce can effectively reduce the risk arising from vulnerable dependencies.
Library users, developers and security researchers would benefit from this analysis, since it
sheds light on the frequency of enduring vulnerabilities and out-of-date dependencies, as well
as on how staffing decisions affect the management of risky dependencies. The study may
also aid in pinpointing research avenues that have a greater chance of yielding positive results
for a variety of software applications.
2.2 RESEARCH GAP
The research gap identified in this survey lies in the need for continued research to address
newly emerging transitive library dependencies and to keep the detection database
maintained. This gap indicates the necessity for ongoing investigation and development to
keep pace with evolving vulnerabilities and ensure the security of Android applications.
Additionally, the importance of proactive dependency management and regular updates as
essential measures for enhancing software security highlights the need for further research on
assessing the impact of vulnerabilities in transitive library dependencies on Android
application security.
3. CONCLUSION
This survey paper summarised the literature with a focus on the transitive dependencies found
in Android applications, the vulnerabilities found in transitive library dependencies, the
security risks connected to transitive dependencies, and the identification and investigation of
vulnerabilities in transitive library dependencies. The literature review brought to light the
gaps in our understanding of how problems in transitive library dependencies affect the
security of Android applications. By filling these gaps, further study can provide security
guidelines, best practices and tools that will enhance the general security of Android
applications.
REFERENCES
[1] X. Zhan, L. Fan, S. Chen, F. Wu, T. Liu, X. Luo and Y. Liu, "ATVHunter: Reliable version
detection of third-party libraries for vulnerability identification in Android applications," in
2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE), May 2021,
pp. 1695–1707.
[2] D. C. Nguyen, E. Derr, M. Backes and S. Bugiel, "Up2Dep: Android tool support to fix
insecure code dependencies," in Annual Computer Security Applications Conference
(ACSAC), Dec. 2020, doi: 10.1145/3427228.3427658. Available:
https://doi.org/10.1145/3427228.3427658
[3] G. A. A. Prana et al., "Out of sight, out of mind? How vulnerable dependencies affect
open-source projects," Empirical Software Engineering, vol. 26, no. 4, Apr. 2021, doi:
10.1007/s10664-021-09959-3. Available: https://doi.org/10.1007/s10664-021-09959-3
[4] I. Pashchenko, H. Plate, S. E. Ponta, A. Sabetta and F. Massacci, "Vuln4Real: A
methodology for counting actually vulnerable dependencies," IEEE Transactions on Software
Engineering, vol. 48, no. 5, pp. 1592–1609, May 2022, doi: 10.1109/TSE.2020.3025443.
[5] C. Ragkhitwetsagul et al., "V-Achilles: An interactive visualization of transitive security
vulnerabilities," in ASE '22: Proceedings of the 37th IEEE/ACM International Conference on
Automated Software Engineering, Oct. 2022, pp. 1–4, doi: 10.1145/3551349.3559526.
Available: https://doi.org/10.1145/3551349.3559526
[6] J. Düsing and B. Hermann, "Analyzing the direct and transitive impact of vulnerabilities
onto different artifact repositories," Digital Threats, vol. 3, no. 4, pp. 1–25, Feb. 2022, doi:
10.1145/3472811. Available: https://doi.org/10.1145/3472811
[7] I. Pashchenko, D.-L. Vu and F. Massacci, "A qualitative study of dependency management
and its security implications," in ACM CCS 2020, 2020. Available:
https://www.researchgate.net/publication/343403374
[8] M. Yesilyurt and Y. Yalman, "Security threats on mobile devices and their effects:
Estimations for the future," International Journal of Security and Its Applications, vol. 10,
no. 2, pp. 13–26, Feb. 2016, doi: 10.14257/ijsia.2016.10.2.02. Available:
https://doi.org/10.14257/ijsia.2016.10.2.02
[9] M. Jimenez, "Profiling Android vulnerabilities," CORE, Aug. 2016. Available:
https://core.ac.uk/display/42924334