Automated Third-party Library Detection for Android Applications: Are We There Yet?

We attempt to demystify current third-party library detection techniques by conducting a thorough comparison. We evaluate five state-of-the-art third-party library detection tools based on four aspects: scalability, effectiveness, code obfuscation-resilience capability, and ease of use.

Paper supplement

The obfuscation-resilience capabilities of each TPL detection tool, as stated in their original literature, are summarized in Table.

We can observe that all of these tools claim to be resilient to identifier renaming and string encryption and are not resilient to some sophisticated obfuscation strategies, e.g., classes.dex file encryption.

We will reveal their capability from their actual implementation and provide insight based on our evaluation in this section.


An example of the shortcomings of using package hierarchy structure as the feature for splitting TPLs

shows a real example where a popular ad library is included in an app with sha256 prefix "42A5BC".

When LibID profiles some TPLs, it can encounter errors such as the following:

1 error; aborting

[ERROR] 2020-01-15 12:24:36,141 - LibID [_profile_libs:130] - Conversion failed

[INFO] 2020-01-15 12:24:36,141 - LibID [_profile_libs:121] - Converting AndroidAsync_1.0.8.jar to AndroidAsync_1.0.8.dex ...


UNEXPECTED TOP-LEVEL EXCEPTION:

java.util.zip.ZipException: error in opening zip file

at java.util.zip.ZipFile.open(Native Method)

at java.util.zip.ZipFile.<init>(ZipFile.java:225)

at java.util.zip.ZipFile.<init>(ZipFile.java:155)

at java.util.zip.ZipFile.<init>(ZipFile.java:169)

at com.android.dx.cf.direct.ClassPathOpener.processArchive(ClassPathOpener.java:206)

at com.android.dx.cf.direct.ClassPathOpener.processOne(ClassPathOpener.java:131)

at com.android.dx.cf.direct.ClassPathOpener.process(ClassPathOpener.java:109)

at com.android.dx.command.dexer.Main.processOne(Main.java:418)

at com.android.dx.command.dexer.Main.processAllFiles(Main.java:329)

at com.android.dx.command.dexer.Main.run(Main.java:206)

at com.android.dx.command.dexer.Main.main(Main.java:174)

at com.android.dx.command.Main.main(Main.java:95)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.lang.reflect.Method.invoke(Method.java:498)

at com.googlecode.dex2jar.tools.Jar2Dex.doCommandLine(Jar2Dex.java:99)

at com.googlecode.dex2jar.tools.BaseCmd.doMain(BaseCmd.java:290)

at com.googlecode.dex2jar.tools.Jar2Dex.main(Jar2Dex.java:32)

1 error; aborting

[ERROR] 2020-01-15 12:24:36,628 - LibID [_profile_libs:130] - Conversion failed

[INFO] 2020-01-15 12:24:36,629 - LibID [_profile_libs:121] - Converting AndroidAsync_1.3.6.jar to AndroidAsync_1.3.6.dex ...
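
The `java.util.zip.ZipException: error in opening zip file` in the trace above means the input `.jar` could not be opened as a ZIP archive, so the conversion to `.dex` aborts. The following is an added example, not code from LibID or from the paper's artifacts: a pre-flight check that classifies library JARs before they are handed to a profiling step. The function names (`classify_jar`, `triage`, `make_jar`) and all sample archives are assumptions constructed for illustration.

```python
import io
import zipfile
import zlib
from pathlib import Path


def classify_jar(data: bytes) -> str:
    """Return 'ok', 'not-zip', 'corrupt' or 'no-classes' (no bytecode to profile)."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):       # no end-of-central-directory record
        return "not-zip"
    try:
        with zipfile.ZipFile(buf) as zf:
            if zf.testzip() is not None:  # reads every entry, checks its CRC-32
                return "corrupt"
            names = zf.namelist()
    except (zipfile.BadZipFile, zlib.error, EOFError):
        return "corrupt"
    return "ok" if any(n.endswith(".class") for n in names) else "no-classes"


def triage(lib_dir: str) -> dict:
    """Classify every *.jar in lib_dir; keys are file names."""
    return {p.name: classify_jar(p.read_bytes())
            for p in sorted(Path(lib_dir).glob("*.jar"))}


def make_jar(entries: dict) -> bytes:
    """Build a stored (uncompressed) archive in memory for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples (not files from the paper's dataset).
GOOD = make_jar({"com/example/Foo.class": b"\xca\xfe\xba\xbe" + b"\0" * 64})
SAMPLES = {
    "good.jar": GOOD,
    "error_page.jar": b"<html><body>404 Not Found</body></html>",  # failed download
    "truncated.jar": GOOD[: len(GOOD) // 2],                       # interrupted download
    "bad_crc.jar": GOOD.replace(b"\xca\xfe\xba\xbe", b"\xca\xfe\xba\xbf", 1),
    "sources_only.jar": make_jar({"com/example/Foo.java": b"class Foo {}"}),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:18} {classify_jar(data)}")
```

Running `triage()` over the library directory before profiling separates unreadable inputs from genuine tool failures, so a failed conversion is not counted against a detection tool when the archive itself was the problem.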