{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,10]],"date-time":"2026-04-10T16:37:49Z","timestamp":1775839069829,"version":"3.50.1"},"reference-count":42,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2024,8,29]],"date-time":"2024-08-29T00:00:00Z","timestamp":1724889600000},"content-version":"vor","delay-in-days":241,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc\/4.0\/"}],"funder":[{"DOI":"10.13039\/100014810","name":"Fondazione di Sardegna","doi-asserted-by":"publisher","id":[{"id":"10.13039\/100014810","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2024,1,2]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>Android is the most used operating system (OS) worldwide for mobile devices, with hundreds of thousands of apps downloaded daily. Although these apps are primarily written in Java and Kotlin, advanced functionalities such as graphics or cryptography are provided through native C\/C++ libraries. These libraries can be affected by common vulnerabilities in C\/C++ code (e.g. memory errors such as buffer overflow), through which attackers can read\/modify data or execute arbitrary code. The detection and assessment of vulnerabilities in Android native code have only been recently explored by previous research work. In this paper, we propose a fast risk-based approach that provides a risk score related to the native part of an Android application. In this way, before an app is released, the developer can check whether the app may contain vulnerabilities in the native code and, whether present, patch them to publish a more secure application. To this end, we first use fast regular expressions to detect library versions and possible vulnerable functions. Then, we apply scores extracted from a vulnerability database to the analyzed application, thus obtaining a risk score representative of the whole app. We demonstrate the validity of our approach by performing a large-scale analysis on more than 100\u2009000 applications (but only 40% contained native code) and 15 popular libraries carrying known vulnerabilities. The attained results show that many applications contain well-known vulnerabilities that miscreants can potentially exploit, posing serious concerns about the security of the whole Android applications landscape.<\/jats:p>","DOI":"10.1093\/cybsec\/tyae015","type":"journal-article","created":{"date-parts":[[2024,8,29]],"date-time":"2024-08-29T12:16:27Z","timestamp":1724933787000},"source":"Crossref","is-referenced-by-count":5,"title":["A risk estimation study of native code vulnerabilities in Android applications"],"prefix":"10.1093","volume":"10","author":[{"ORCID":"https:\/\/orcid.org\/0009-0002-8269-9777","authenticated-orcid":false,"given":"Silvia Lucia","family":"Sanna","sequence":"first","affiliation":[{"name":"Department of Electrical and Electronic Engineering, University of Cagliari , 09123 Piazza d\u2019Armi ,","place":["Italy"]}]},{"ORCID":"https:\/\/orcid.org\/0009-0009-0092-9067","authenticated-orcid":false,"given":"Diego","family":"Soi","sequence":"additional","affiliation":[{"name":"Department of Electrical and Electronic Engineering, University of Cagliari , 09123 Piazza d\u2019Armi ,","place":["Italy"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2640-4663","authenticated-orcid":false,"given":"Davide","family":"Maiorca","sequence":"additional","affiliation":[{"name":"Department of Electrical and Electronic Engineering, University of Cagliari , 09123 Piazza d\u2019Armi ,","place":["Italy"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5300-226X","authenticated-orcid":false,"given":"Giorgio","family":"Fumera","sequence":"additional","affiliation":[{"name":"Department of Electrical and Electronic Engineering, University of Cagliari , 09123 Piazza d\u2019Armi ,","place":["Italy"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5759-3017","authenticated-orcid":false,"given":"Giorgio","family":"Giacinto","sequence":"additional","affiliation":[{"name":"Department of Electrical and Electronic Engineering, University of Cagliari , 09123 Piazza d\u2019Armi ,","place":["Italy"]}]}],"member":"286","published-online":{"date-parts":[[2024,8,29]]},"reference":[{"key":"2024121909142765900_bib1","article-title":"Mobile operating system Market Share Worldwide","author":"StatCounter-GlobalStats"},{"key":"2024121909142765900_bib2","doi-asserted-by":"crossref","first-page":"1347","DOI":"10.1109\/ICSE43902.2021.00122","article-title":"Too quiet in the library: an empirical study of security updates in Android apps\u2019 native code","volume-title":"2021 IEEE\/ACM 43rd International Conference on Software Engineering (ICSE)","author":"Almanee","year":"2021"},{"key":"2024121909142765900_bib3","doi-asserted-by":"crossref","first-page":"701","DOI":"10.1007\/978-3-031-17143-7_34","article-title":"Reach me if you can: on native vulnerability reachability in Android apps","volume-title":"Computer Security\u2014ESORICS 2022","author":"Borzacchiello","year":"2022"},{"key":"2024121909142765900_bib4","article-title":"Software Bill of Materials"},{"key":"2024121909142765900_bib5","article-title":"Secure Software Development Framework"},{"key":"2024121909142765900_bib6","article-title":"Android Operating System"},{"key":"2024121909142765900_bib7","article-title":"Android Platform Architecture"},{"key":"2024121909142765900_bib8","article-title":"Android Platform Architecture"},{"key":"2024121909142765900_bib9","article-title":"Android NDK"},{"key":"2024121909142765900_bib10","article-title":"Common Vulnerability and Exposure (CVE)"},{"key":"2024121909142765900_bib11","article-title":"Common Vulnerability Scoring System (CVSS)"},{"key":"2024121909142765900_bib12","article-title":"Mitre CVE"},{"key":"2024121909142765900_bib13","article-title":"CVE Details"},{"key":"2024121909142765900_bib14","article-title":"National Vulnerability Database from NIST"},{"key":"2024121909142765900_bib15","article-title":"ISO\/IEC 27005:2008 Information technology \u2014 Security techniques \u2014 Information security risk management"},{"key":"2024121909142765900_bib16","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/2630069","article-title":"Comparing vulnerability severity and exploits using case-control studies","volume":"17","author":"Allodi","year":"2014","journal-title":"ACM Trans Inf Syst Secur"},{"key":"2024121909142765900_bib17","doi-asserted-by":"crossref","first-page":"37","DOI":"10.1109\/EDCC.2016.34","article-title":"Software metrics and security vulnerabilities: dataset and exploratory study","author":"Alves","year":"2016","journal-title":"2016 12th European Dependable Computing Conference (EDCC)"},{"key":"2024121909142765900_bib18","doi-asserted-by":"crossref","first-page":"216","DOI":"10.1109\/ISSRE.2017.11","article-title":"Software metrics as indicators of security vulnerabilities","volume-title":"2017 IEEE 28th International Symposium on Software Reliability Engineering (ISSRE)","author":"Medeiros","year":"2017"},{"key":"2024121909142765900_bib19","first-page":"1165","article-title":"MVP: detecting vulnerabilities using patch-enhanced vulnerability signatures","volume-title":"29th USENIX Security Symposium (USENIX Security 20)","author":"Xiao","year":"2020"},{"key":"2024121909142765900_bib20","doi-asserted-by":"crossref","first-page":"60","DOI":"10.1109\/ICSE.2019.00024","article-title":"LEOPARD: identifying vulnerable code for vulnerability assessment through program metrics","volume-title":"2019 IEEE\/ACM 41st International Conference on Software Engineering (ICSE)","author":"Du","year":"2019"},{"key":"2024121909142765900_bib21","first-page":"1","article-title":"The dark side of native code on android","volume-title":"TechRxiv","author":"Ruggia","year":"2022"},{"key":"2024121909142765900_bib22","doi-asserted-by":"crossref","first-page":"15","DOI":"10.1145\/2516760.2516765","article-title":"Native code execution control for attack mitigation on android","volume-title":"Proceedings of the Third ACM Workshop on Security and Privacy in Smartphones and Mobile Devices. SPSM \u201913","author":"Fedler","year":"2013"},{"key":"2024121909142765900_bib23","article-title":"Mobile security framework (MobSF)"},{"key":"2024121909142765900_bib24","article-title":"Quick Android Review Kit (Qark)"},{"key":"2024121909142765900_bib25","doi-asserted-by":"crossref","first-page":"101448","DOI":"10.1016\/j.softx.2023.101448","article-title":"SEBASTiAn: a static and extensible black-box application security testing tool for iOS and Android applications","volume":"23","author":"Pagano","year":"2023","journal-title":"SoftwareX"},{"key":"2024121909142765900_bib26","article-title":"Android greybox fuzzing with AFL++ Frida mode"},{"key":"2024121909142765900_bib27","article-title":"android-afl"},{"key":"2024121909142765900_bib28","article-title":"Fuzzing with libfuzzer"},{"key":"2024121909142765900_bib29","first-page":"307","article-title":"FANS: fuzzing android native system services via automated interface analysis","volume-title":"29th USENIX Security Symposium (USENIX Security 20)","author":"Liu","year":"2020"},{"key":"2024121909142765900_bib30","doi-asserted-by":"crossref","first-page":"217","DOI":"10.1109\/CNS56114.2022.9947240","article-title":"A Study on the Testing of Android Security Patches","volume-title":"2022 IEEE Conference on Communications and Network Security (CNS)","author":"Brant","year":"2022"},{"key":"2024121909142765900_bib31","first-page":"653","article-title":"LibRadar: fast and accurate detection of third-party libraries in Android apps","volume-title":"2016 IEEE\/ACM 38th International Conference on Software Engineering Companion (ICSE-C)","author":"Ma","year":"2016"},{"key":"2024121909142765900_bib32","doi-asserted-by":"crossref","first-page":"335","DOI":"10.1109\/ICSE.2017.38","article-title":"LibD: scalable and precise third-party library detection in Android markets","volume-title":"2017 IEEE\/ACM 39th International Conference on Software Engineering (ICSE)","author":"Li","year":"2017"},{"key":"2024121909142765900_bib33","doi-asserted-by":"crossref","DOI":"10.14722\/ndss.2016.23384","article-title":"Going native: using a large-scale analysis of android apps to create a practical native-code sandboxing policy","volume-title":"Network and Distributed System Security Symposium","author":"Afonso","year":"2016"},{"key":"2024121909142765900_bib34","first-page":"165","volume-title":"NativeGuard: protecting android applications from third-party native libraries. WiSec \u201914","author":"Sun","year":"2014"},{"key":"2024121909142765900_bib35","first-page":"19","article-title":"Hybrid user-level sandboxing of third-party Android apps. ASIA CCS \u201915","author":"Zhou","year":"2015"},{"key":"2024121909142765900_bib36","doi-asserted-by":"crossref","first-page":"814","DOI":"10.1109\/TIFS.2018.2866347","article-title":"NDroid: toward tracking information flows across multiple Android contexts","volume":"14","author":"Xue","year":"2019","journal-title":"IEEE T Inf Foren Sec"},{"key":"2024121909142765900_bib37","first-page":"18","article-title":"DroidNative: semantic-based detection of Android native code malware","volume":"abs\/1602.04693","author":"Alam","year":"2016","journal-title":"CoRR"},{"key":"2024121909142765900_bib38","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1109\/ISSNIP.2014.6827639","article-title":"AdDetect: automated detection of android ad libraries using semantic analysis","volume-title":"2014 IEEE Ninth International Conference on Intelligent Sensors, Sensor Networks and Information Processing (ISSNIP)","author":"Narayanan","year":"2014"},{"key":"2024121909142765900_bib39","doi-asserted-by":"crossref","first-page":"82","DOI":"10.1109\/MSEC.2023.3237100","article-title":"Software bills of materials are required. are we there yet?","volume":"21","author":"Zahan","year":"2023","journal-title":"IEEE Secur Priv"},{"key":"2024121909142765900_bib40","article-title":"EXECUTIVE ORDER 14028, IMPROVING THE NATION\u2019S CYBERSECURITY","author":"NIST"},{"key":"2024121909142765900_bib41","article-title":"Pwntools"},{"key":"2024121909142765900_bib42","article-title":"Librarian GitHub Repository"}],"container-title":["Journal of Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/10\/1\/tyae015\/61182365\/tyae015.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/10\/1\/tyae015\/61182365\/tyae015.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,12,19]],"date-time":"2024-12-19T09:14:48Z","timestamp":1734599688000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyae015\/7744932"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024]]},"references-count":42,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2024,1,2]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyae015","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"value":"2057-2085","type":"print"},{"value":"2057-2093","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2024]]},"published":{"date-parts":[[2024]]},"article-number":"tyae015"}}