An In-Depth Analysis of Android's Java Class Library: its Evolution and Security Impact

Android is an operating system widely deployed especially on devices such as smartphones. In this paper, we study the evolution of OpenJDK Java Class Library (JCL) versions used as the basis of the Dalvik Virtual Machine (DVM) and the Android Runtime (ART). We also identify vulnerabilities impacting...

Full description

Saved in:
Bibliographic Details
Published in2023 IEEE Secure Development Conference (SecDev) pp. 133 - 144
Main Authors Riom, Timothee, Bartel, Alexandre
Format Conference Proceeding
LanguageEnglish
Published IEEE 18.10.2023
Subjects
Android
external dependency
Java
managing code complexity
OpenJDK
Security
Simi- larity Analysis
Similarity Analysis
Vulnerabilities
vulnerability management
Online AccessGet full text

Cover

More Information
Summary:Android is an operating system widely deployed especially on devices such as smartphones. In this paper, we study the evolution of OpenJDK Java Class Library (JCL) versions used as the basis of the Dalvik Virtual Machine (DVM) and the Android Runtime (ART). We also identify vulnerabilities impacting OpenJDK JCL versions and analyze their impact on Android. Our results indicate that the complexity of the Android JCL code imported from OpenJDK increases because: (1) there is an increase in the number of classes imported from OpenJDK, (2) there is an increase in the fragmentation of the JCL code in Android as code is increasingly imported from multiple OpenJDK versions at the same time, and (3) there is an increase in the distance between the JCL code in Android and OpenJDK as, for instance, Android developer introduce customizations to the imported code. We also observe that most OpenJDK vulnerabilities (80%) are not impacting Android because the vulnerable classes are not imported in Android. Nevertheless, Android does import vulnerable code and little is done to patch this vulnerable code which is only "patched" when a newer version of the vulnerable code is imported. This means that the code can stay vulnerable in Android for years. Most of the vulnerabilities impacting Android (77%) have a security impact on the availability of the system. By developing a proof-of-concept, we show that OpenJDK vulnerabilities imported in Android do have a security impact. We suggest to seriously take into account public information available about OpenJDK vulnerabilities to increase the security of the Android development pipeline.
ISBN:9798350331332
9798350331325
DOI:10.1109/SecDev56634.2023.00028