Like websites, mobile apps import a range of external resources from various third-party domains. In turn, those third-party domains can load further resources hosted on yet other domains. For each mobile app, this creates a dependency chain underpinned by a form of implicit trust between the app and the third parties it reaches only transitively. Such implicit trust can leave app developers unaware of which resources are actually loaded within their apps.
In this work, we perform a large-scale study of dependency chains in 7,048 free Android mobile apps. We characterize the third-party resources used by apps, and explore the presence of potentially malicious resources loaded via implicit trust.
We find that around 99% of apps with at most 500K installs have dependency chains, compared to 98% of apps with at least 100K installs. We find many different types of resources, most notably JavaScript code, which may open the way to a range of exploits; this JavaScript is implicitly loaded by 92.3% of the Android apps. Using VirusTotal, we classify 1.18% of third-party resources as suspicious. Our observations raise concerns about how apps are currently developed, and suggest that more rigorous vetting of in-app third-party resource loading is required.
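The dependency-chain construction described above, as an added example that is not the paper's code: from a captured request log (URL plus Referer header, as a traffic proxy would record it), it builds the graph of which domain caused which third-party load, walks the chains from the app's own backend, and separates domains the app references directly from those it trusts only implicitly through another third party. The log, the domain names, the resource-type mapping and the suspicious-domain list are all constructed stand-ins (the paper's verdicts come from VirusTotal); treating a request with no Referer as issued by the app itself is an assumption.

```python
"""Reconstruct an app's third-party dependency chains from a request log.

Added example, not the paper's tooling. Each record is (requested URL, Referer).
The app's own backend is the root; a third party reached only via another third
party is an *implicitly trusted* dependency in the sense of the abstract above.
"""
from collections import defaultdict, deque
from urllib.parse import urlparse

ROOT = "<app>"  # synthetic node standing for the app itself

# Constructed traffic for a hypothetical app whose backend is api.example-app.com.
SAMPLE_LOG = [
    ("https://api.example-app.com/v1/config", ""),                                  # app -> own backend
    ("https://cdn.ads-net.example/sdk.js", "https://api.example-app.com/v1/config"),  # direct third party
    ("https://tracker.analytics.example/collect", "https://api.example-app.com/v1/config"),
    ("https://static.ads-net.example/creative.png", "https://cdn.ads-net.example/sdk.js"),
    ("https://js.fourth-party.example/lib.js", "https://cdn.ads-net.example/sdk.js"),
    ("https://deep.fifth-party.example/loader.js", "https://js.fourth-party.example/lib.js"),
    # Referer domain never appears as a request: chain cannot be tied back to the app.
    ("https://pixel.unknown-origin.example/p.gif", "https://portal.not-captured.example/page"),
]
FIRST_PARTY = {"api.example-app.com"}
# Constructed stand-in for VirusTotal verdicts, for illustration only.
SUSPICIOUS = {"deep.fifth-party.example"}


def domain_of(url):
    """Host of a URL; no eTLD+1 collapsing (an assumption of this example)."""
    return urlparse(url).hostname if url else None


def resource_type(url):
    """Coarse resource class from the path suffix (constructed mapping, not the paper's taxonomy)."""
    path = urlparse(url).path.lower()
    for suffix, kind in ((".js", "javascript"), (".css", "stylesheet"), (".html", "html"),
                         (".png", "image"), (".jpg", "image"), (".gif", "image")):
        if path.endswith(suffix):
            return kind
    return "other"


def build_graph(log, first_party):
    """Edges parent_domain -> {child_domain}. No Referer, or a first-party Referer,
    means the app itself issued the request (parent ROOT)."""
    graph = defaultdict(set)
    for url, referer in log:
        child = domain_of(url)
        if child is None or child in first_party:
            continue  # first-party traffic is not a dependency
        parent = domain_of(referer)
        if parent is None or parent in first_party:
            parent = ROOT
        graph[parent].add(child)
    return graph


def dependency_chains(graph):
    """BFS from ROOT: domain -> list of domains from the first third party down to it.
    The visited check also terminates on referer cycles (A loads B, B loads A)."""
    chains = {}
    queue = deque([(ROOT, [])])
    while queue:
        node, chain = queue.popleft()
        for child in sorted(graph.get(node, ())):
            if child in chains:
                continue  # already reached by a chain at least as short
            chains[child] = chain + [child]
            queue.append((child, chains[child]))
    return chains


def implicit_loads(chains):
    """Domains the app never references itself: they only appear at depth >= 2."""
    return {d for d, c in chains.items() if len(c) >= 2}


def orphans(graph, chains):
    """Third parties whose Referer chain does not lead back to the app (truncated capture)."""
    return {child for kids in graph.values() for child in kids} - set(chains)


def analyze(log, first_party, suspicious=frozenset()):
    """Per-resource report plus chain statistics for one app."""
    graph = build_graph(log, first_party)
    chains = dependency_chains(graph)
    implicit = implicit_loads(chains)
    resources = [
        {"domain": domain_of(url), "type": resource_type(url), "depth": len(chains[domain_of(url)]),
         "chain": " -> ".join(chains[domain_of(url)]),
         "implicit": domain_of(url) in implicit, "suspicious": domain_of(url) in suspicious}
        for url, _ in log if domain_of(url) in chains
    ]
    return {"chains": chains, "implicit": implicit, "orphans": orphans(graph, chains),
            "max_depth": max((len(c) for c in chains.values()), default=0),
            "resources": resources}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, FIRST_PARTY, SUSPICIOUS)
    for r in result["resources"]:
        print(f"{r['depth']}  {r['type']:10s} implicit={r['implicit']!s:5s} "
              f"suspicious={r['suspicious']!s:5s} {r['chain']}")
    print("orphans:", sorted(result["orphans"]), "max depth:", result["max_depth"])
```

The check a developer would want is the `implicit` flag: every domain it marks is one the app's code never names, so it cannot be found by reading the source or the manifest, only by observing the traffic. Orphans are reported separately rather than silently attached to the app, because a chain that cannot be tied back to the root is a gap in the capture, not evidence of a direct load.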
Our paper is under submission.
A sample of the dataset and the scripts used in this paper are hosted on Google Drive.
Contact (Mobapptrust): mobapptrust [at] gmail.com
This will be updated upon acceptance of our paper.