We are pleased to announce that Dr Daniel Luo, Associate Professor of COMP, together with his PhD student, Xian Zhan, and other researchers recently received the ACM SIGSOFT Distinguished Paper Award at the 43rd ACM/IEEE International Conference on Software Engineering (ICSE 2021) with the paper titled “ATVHunter: Reliable Version Detection of Third-Party Libraries for Vulnerability Identification in Android Applications”.
Since third-party libraries (TPLs) are widely used in mobile apps, accurate detection of TPLs in Android apps is essential to many security and software maintenance tasks, such as repackaged app identification and vulnerability discovery. Unfortunately, identifying TPLs accurately is non-trivial because of challenges such as TPL dependencies, code obfuscation, and the large number of versions of each library. In this paper, the research team proposed and developed a novel system named ATVHunter, which can pinpoint the precise vulnerable in-app TPL versions and provide detailed information about the vulnerabilities and the TPLs. Extensive experimental results showed that ATVHunter outperforms state-of-the-art TPL detection tools in both accuracy and efficiency.
To investigate the ecosystem of vulnerable TPLs used by apps, the research team constructed a comprehensive vulnerable TPL dataset and used ATVHunter to conduct a large-scale analysis of apps from the Google Play store. ATVHunter found 9,050 apps containing vulnerable TPL versions, with 53,337 vulnerabilities and 7,480 security bugs, most of which are high-risk and had not been recognised by the app developers. This result uncovered severe security issues in mobile apps and is important to mobile app developers, users and security researchers.
The IEEE/ACM International Conference on Software Engineering (ICSE) is the premier software engineering conference. Since 1975, ICSE has provided a forum where researchers, practitioners, and educators gather together to present and discuss the most recent innovations, trends, experiences and issues in the field of software engineering.