Abstract: Like websites, mobile apps import a range of external resources from various third-party domains. In turn, those third-party domains can load further resources hosted on other domains. For each mobile app, this creates a dependency chain underpinned by a form of implicit trust between the app and the third parties it is transitively connected to. Such implicit trust can leave app developers unaware of what resources are actually loaded within their apps. In this work, we perform a large-scale study of dependency chains in 7,048 free Android mobile apps. We characterize the third-party resources used by apps and explore the presence of potentially malicious resources loaded via implicit trust. We find that around 94% of apps (with more than 500K installs) load resources from implicitly trusted parties. We find several different types of resources, most notably JavaScript code, which may open the way to a range of exploits; such JavaScript code is implicitly loaded by 92.3% of Android apps. Using VirusTotal, we classify 1.18% of third-party resources as suspicious. Our observations raise concerns about how apps are currently developed, and suggest that more rigorous vetting of in-app third-party resource loading is required.
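To make the notion of "implicit trust" concrete, the following is an added example (it is not the paper's tooling and is not derived from it). It assumes a hypothetical per-app resource-load log where each record is (app package, referrer URL or None, loaded URL): a None referrer means the app itself issued the request (explicit trust), while any domain reached only through another third-party domain is implicitly trusted. The log below is constructed sample data, not a real capture.

```python
"""Derive explicitly vs implicitly trusted domains from an app's load log.

Added example, not from the paper. The log format (package, referrer, url)
is an assumption chosen for illustration.
"""
from collections import defaultdict, deque
from urllib.parse import urlparse

# Constructed sample log (not real data). A referrer of None means the app's
# own code requested the resource; otherwise the resource was pulled in by
# the referring third-party resource.
SAMPLE_LOG = [
    ("com.example.app", None, "https://ads.example-net.com/sdk.js"),
    ("com.example.app", "https://ads.example-net.com/sdk.js", "https://cdn.tracker.example/track.js"),
    ("com.example.app", "https://cdn.tracker.example/track.js", "https://img.tracker.example/pixel.gif"),
    ("com.example.app", None, "https://api.example.com/config.json"),
    ("com.other.app", None, "https://cdn.tracker.example/track.js"),
]


def domain(url):
    """Host part of a URL, lower-cased by urlparse; '' if absent."""
    return urlparse(url).hostname or ""


def build_graph(log, app):
    """Split one app's records into explicit domains, a referrer->loaded
    domain graph, and a url->domain map of every loaded resource."""
    explicit = set()
    edges = defaultdict(set)
    resources = {}
    for pkg, referrer, url in log:
        if pkg != app:
            continue
        d = domain(url)
        resources[url] = d
        if referrer is None:
            explicit.add(d)
        else:
            edges[domain(referrer)].add(d)
    return explicit, edges, resources


def analyze(log, app):
    """Return explicit/implicit domain sets, implicitly loaded JavaScript
    URLs, and each domain's chain depth (0 = requested by the app itself,
    n = loaded through n intermediary third parties). Cycles are safe
    because a domain is assigned a depth only once. A domain the app also
    requests directly stays explicit even if it is reachable via a chain."""
    explicit, edges, resources = build_graph(log, app)
    depth = {d: 0 for d in explicit}
    queue = deque(explicit)
    while queue:
        d = queue.popleft()
        for nxt in edges.get(d, ()):
            if nxt not in depth:
                depth[nxt] = depth[d] + 1
                queue.append(nxt)
    implicit = {d for d, n in depth.items() if n > 0}
    implicit_js = {
        url for url, d in resources.items()
        if d in implicit and urlparse(url).path.lower().endswith(".js")
    }
    return {
        "explicit": explicit,
        "implicit": implicit,
        "implicit_js": implicit_js,
        "depth": depth,
    }


if __name__ == "__main__":
    for app in ("com.example.app", "com.other.app"):
        result = analyze(SAMPLE_LOG, app)
        print(app)
        print("  explicit:   ", sorted(result["explicit"]))
        print("  implicit:   ", sorted(result["implicit"]))
        print("  implicit JS:", sorted(result["implicit_js"]))
        print("  depth:      ", result["depth"])
```

The depth value is the length of the dependency chain behind each domain; domains at depth 1 or more are exactly the "implicitly trusted parties" the abstract refers to, and the implicitly loaded `.js` URLs are the ones a reviewer would want to submit to a scanner such as VirusTotal first.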