LibGuard: Protecting Sensitive Data In Android Third-Party Libraries From XLDH Attacks

Mobile app vendors/developers extensively integrate third-party libraries into mobile applications. While they enrich the functions of apps, third-party libraries also bring in security risks. It has been widely studied that malicious third-party libraries could collect users' sensitive data from the host apps and the app backend servers. Recent research has reported a new attack vector - malicious libraries strategically target other vendors' library(SDKs) integrated in the same host app to harvest private user data. In this paper, we found two new dimensions of cross library data harvesting(XLDH) attack with serious privacy impacts that start from two new attack surfaces - accessing sensitive fields and accessing sensitive storage. However, the mitigation scheme, significantly, has not been yet studied. To prevent the leaks of sensitive data due to XLDH activities, we first proposed a mitigation scheme - LibGuard, which has been proven to be effective without affecting user's experience on real-world apps.