A First Look at Android Apps’ Third-Party Resources Loading
Published in | Network and System Security pp. 193 - 213 |
---|---|
Main Authors | , , , , , , |
Format | Book Chapter |
Language | English |
Published | Cham: Springer Nature Switzerland |
Series | Lecture Notes in Computer Science |
Summary: | Like websites, mobile apps import a range of external resources from various third-party domains. In succession, the third-party domains can further load resources hosted on other domains. For each mobile app, this creates a dependency chain underpinned by a form of implicit trust between the app and transitively connected third-parties. Hence, such implicit trust may leave apps’ developers unaware of what resources are loaded within their apps. In this work, we perform a large-scale study of dependency chains in 7,048 free Android mobile apps. We characterize the third-party resources used by apps and explore the presence of potentially malicious resources loaded via implicit trust. We find that around 94% of apps (with a number of installs greater than 500K) load resources from implicitly trusted parties. We find several different types of resources, most notably JavaScript codes, which may open the way to a range of exploits. These JavaScript codes are implicitly loaded by 92.3% of Android apps. Using VirusTotal, we classify 1.18% of third-party resources as suspicious. Our observations raise concerns for how apps are currently developed, and suggest that more rigorous vetting of in-app third-party resource loading is required. |
---|---|
ISBN: | 9783031230196 3031230191 |
ISSN: | 0302-9743 1611-3349 |
DOI: | 10.1007/978-3-031-23020-2_11 |