A First look at Android Apps’ third-party resources loading

Hina Qayyum; Muhammad Salman; Duc Linh Giang Nguyen; I Wayan Budi Sentana; Muhammad Ikram; Gareth Tyson; Mohamed Ali Kaafar

doi:10.1007/978-3-031-23020-2_11

A First look at Android Apps’ third-party resources loading

Hina Qayyum, Muhammad Salman, Duc Linh Giang Nguyen, I Wayan Budi Sentana, Muhammad Ikram^*, Gareth Tyson, Mohamed Ali Kaafar

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference proceeding contribution › peer-review

2 Citations (Scopus)

Abstract

Like websites, mobile apps import a range of external resources from various third-party domains. In succession, the third-party domains can further load resources hosted on other domains. For each mobile app, this creates a dependency chain underpinned by a form of implicit trust between the app and transitively connected third-parties. Hence, a such implicit trust may leave apps’ developers unaware of what resources are loaded within their apps. In this work, we perform a large-scale study of dependency chains in 7,048 free Android mobile apps. We characterize the third-party resources used by apps and explore the presence of potentially malicious resources loaded via implicit trust. We find that around 94% of apps (with a number of installs greater than 500K) load resources from implicitly trusted parties. We find several different types of resources, most notably JavaScript codes, which may open the way to a range of exploits. These JavaScript codes are implicitly loaded by 92.3% of Android apps. Using VirusTotal, we classify 1.18% of third-party resources as suspicious. Our observations raise concerns for how apps are currently developed, and suggest that more rigorous vetting of in-app third-party resource loading is required.

Original language	English
Title of host publication	Network and System Security
Subtitle of host publication	16th International Conference, NSS 2022, Denarau Island, Fiji, December 9–12, 2022. Proceedings
Editors	Xingliang Yuan, Guangdong Bai, Cristina Alcaraz, Suryadipta Majumdar
Place of Publication	Cham
Publisher	Springer, Springer Nature
Pages	193-213
Number of pages	21
ISBN (Electronic)	9783031230202
ISBN (Print)	9783031230196
DOIs	https://doi.org/10.1007/978-3-031-23020-2_11
Publication status	Published - 2022
Event	16th International Conference on Network and System Security, NSS 2022 - Denarau Island, Fiji Duration: 9 Dec 2022 → 12 Dec 2022

Publication series

Name	Lecture Notes in Computer Science
Volume	13787
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	16th International Conference on Network and System Security, NSS 2022
Country/Territory	Fiji
City	Denarau Island
Period	9/12/22 → 12/12/22

Access to Document

10.1007/978-3-031-23020-2_11

Cite this

Qayyum, H., Salman, M., Nguyen, D. L. G., Sentana, I. W. B., Ikram, M., Tyson, G., & Kaafar, M. A. (2022). A First look at Android Apps’ third-party resources loading. In X. Yuan, G. Bai, C. Alcaraz, & S. Majumdar (Eds.), Network and System Security: 16th International Conference, NSS 2022, Denarau Island, Fiji, December 9–12, 2022. Proceedings (pp. 193-213). (Lecture Notes in Computer Science; Vol. 13787). Springer, Springer Nature. https://doi.org/10.1007/978-3-031-23020-2_11

Qayyum, Hina ; Salman, Muhammad ; Nguyen, Duc Linh Giang et al. / A First look at Android Apps’ third-party resources loading. Network and System Security: 16th International Conference, NSS 2022, Denarau Island, Fiji, December 9–12, 2022. Proceedings. editor / Xingliang Yuan ; Guangdong Bai ; Cristina Alcaraz ; Suryadipta Majumdar. Cham : Springer, Springer Nature, 2022. pp. 193-213 (Lecture Notes in Computer Science).

@inproceedings{3efbe60a034a4865affbe82953f2f261,

title = "A First look at Android Apps{\textquoteright} third-party resources loading",

abstract = "Like websites, mobile apps import a range of external resources from various third-party domains. In succession, the third-party domains can further load resources hosted on other domains. For each mobile app, this creates a dependency chain underpinned by a form of implicit trust between the app and transitively connected third-parties. Hence, a such implicit trust may leave apps{\textquoteright} developers unaware of what resources are loaded within their apps. In this work, we perform a large-scale study of dependency chains in 7,048 free Android mobile apps. We characterize the third-party resources used by apps and explore the presence of potentially malicious resources loaded via implicit trust. We find that around 94% of apps (with a number of installs greater than 500K) load resources from implicitly trusted parties. We find several different types of resources, most notably JavaScript codes, which may open the way to a range of exploits. These JavaScript codes are implicitly loaded by 92.3% of Android apps. Using VirusTotal, we classify 1.18% of third-party resources as suspicious. Our observations raise concerns for how apps are currently developed, and suggest that more rigorous vetting of in-app third-party resource loading is required.",

author = "Hina Qayyum and Muhammad Salman and Nguyen, {Duc Linh Giang} and Sentana, {I Wayan Budi} and Muhammad Ikram and Gareth Tyson and Kaafar, {Mohamed Ali}",

year = "2022",

doi = "10.1007/978-3-031-23020-2_11",

language = "English",

isbn = "9783031230196",

series = "Lecture Notes in Computer Science",

publisher = "Springer, Springer Nature",

pages = "193--213",

editor = "Xingliang Yuan and Guangdong Bai and Cristina Alcaraz and Suryadipta Majumdar",

booktitle = "Network and System Security",

address = "United States",

note = "16th International Conference on Network and System Security, NSS 2022 ; Conference date: 09-12-2022 Through 12-12-2022",

}

Qayyum, H, Salman, M, Nguyen, DLG, Sentana, IWB, Ikram, M, Tyson, G & Kaafar, MA 2022, A First look at Android Apps’ third-party resources loading. in X Yuan, G Bai, C Alcaraz & S Majumdar (eds), Network and System Security: 16th International Conference, NSS 2022, Denarau Island, Fiji, December 9–12, 2022. Proceedings. Lecture Notes in Computer Science, vol. 13787, Springer, Springer Nature, Cham, pp. 193-213, 16th International Conference on Network and System Security, NSS 2022, Denarau Island, Fiji, 9/12/22. https://doi.org/10.1007/978-3-031-23020-2_11

A First look at Android Apps’ third-party resources loading. / Qayyum, Hina; Salman, Muhammad; Nguyen, Duc Linh Giang et al.
Network and System Security: 16th International Conference, NSS 2022, Denarau Island, Fiji, December 9–12, 2022. Proceedings. ed. / Xingliang Yuan; Guangdong Bai; Cristina Alcaraz; Suryadipta Majumdar. Cham: Springer, Springer Nature, 2022. p. 193-213 (Lecture Notes in Computer Science; Vol. 13787).

Research output: Chapter in Book/Report/Conference proceeding › Conference proceeding contribution › peer-review

TY - GEN

T1 - A First look at Android Apps’ third-party resources loading

AU - Qayyum, Hina

AU - Salman, Muhammad

AU - Nguyen, Duc Linh Giang

AU - Sentana, I Wayan Budi

AU - Ikram, Muhammad

AU - Tyson, Gareth

AU - Kaafar, Mohamed Ali

PY - 2022

Y1 - 2022

N2 - Like websites, mobile apps import a range of external resources from various third-party domains. In succession, the third-party domains can further load resources hosted on other domains. For each mobile app, this creates a dependency chain underpinned by a form of implicit trust between the app and transitively connected third-parties. Hence, a such implicit trust may leave apps’ developers unaware of what resources are loaded within their apps. In this work, we perform a large-scale study of dependency chains in 7,048 free Android mobile apps. We characterize the third-party resources used by apps and explore the presence of potentially malicious resources loaded via implicit trust. We find that around 94% of apps (with a number of installs greater than 500K) load resources from implicitly trusted parties. We find several different types of resources, most notably JavaScript codes, which may open the way to a range of exploits. These JavaScript codes are implicitly loaded by 92.3% of Android apps. Using VirusTotal, we classify 1.18% of third-party resources as suspicious. Our observations raise concerns for how apps are currently developed, and suggest that more rigorous vetting of in-app third-party resource loading is required.

AB - Like websites, mobile apps import a range of external resources from various third-party domains. In succession, the third-party domains can further load resources hosted on other domains. For each mobile app, this creates a dependency chain underpinned by a form of implicit trust between the app and transitively connected third-parties. Hence, a such implicit trust may leave apps’ developers unaware of what resources are loaded within their apps. In this work, we perform a large-scale study of dependency chains in 7,048 free Android mobile apps. We characterize the third-party resources used by apps and explore the presence of potentially malicious resources loaded via implicit trust. We find that around 94% of apps (with a number of installs greater than 500K) load resources from implicitly trusted parties. We find several different types of resources, most notably JavaScript codes, which may open the way to a range of exploits. These JavaScript codes are implicitly loaded by 92.3% of Android apps. Using VirusTotal, we classify 1.18% of third-party resources as suspicious. Our observations raise concerns for how apps are currently developed, and suggest that more rigorous vetting of in-app third-party resource loading is required.

UR - http://www.scopus.com/inward/record.url?scp=85145019532&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-23020-2_11

DO - 10.1007/978-3-031-23020-2_11

M3 - Conference proceeding contribution

AN - SCOPUS:85145019532

SN - 9783031230196

T3 - Lecture Notes in Computer Science

SP - 193

EP - 213

BT - Network and System Security

A2 - Yuan, Xingliang

A2 - Bai, Guangdong

A2 - Alcaraz, Cristina

A2 - Majumdar, Suryadipta

PB - Springer, Springer Nature

CY - Cham

T2 - 16th International Conference on Network and System Security, NSS 2022

Y2 - 9 December 2022 through 12 December 2022

ER -

Qayyum H, Salman M, Nguyen DLG, Sentana IWB, Ikram M, Tyson G et al. A First look at Android Apps’ third-party resources loading. In Yuan X, Bai G, Alcaraz C, Majumdar S, editors, Network and System Security: 16th International Conference, NSS 2022, Denarau Island, Fiji, December 9–12, 2022. Proceedings. Cham: Springer, Springer Nature. 2022. p. 193-213. (Lecture Notes in Computer Science). doi: 10.1007/978-3-031-23020-2_11