Computer Science ›› 2026, Vol. 53 ›› Issue (1): 285-297.doi: 10.11896/jsjkx.250500023

• Information Security •

Survey on Security of Android SDKs

XU Teng1, LIU Luyao2, JIANG Haoyu1, LUO Chang1, LI Heng1, YUAN Wei1   

  1 School of Electronic Information and Communication, Huazhong University of Science and Technology, Wuhan 430074, China;
  2 Wuhan Marine Communication Research Institute, Wuhan 430070, China
  • Received:2025-05-09 Revised:2025-09-15 Published:2026-01-08
  • About author: XU Teng, born in 1994, Ph.D candidate. His main research interests include malware detection and machine learning.
    LI Heng, born in 1995, Ph.D, is a member of CCF (No.X8790M). His main research interests include malware detection and adversarial sample attack and defense.

Abstract: An Android SDK is a software toolkit used in Android application development. Because a single SDK can be integrated into many applications, its security impact propagates along the software supply chain, exposing the whole Android ecosystem to SDK-borne threats. In recent years a series of SDK-related security issues, such as cross-library harvesting of private data by SDKs and the mismediation of merged or overlaid SDK resources, have attracted wide attention in both industry and academia. However, a comprehensive review of Android SDK security is still lacking. This paper systematically organizes existing work along two key dimensions: the security of the component code inside Android SDKs, and the security of runtime data interaction. For the former, it compiles findings on both the system SDK and third-party SDKs. For the latter, it summarizes studies on SDK self-violations and on external intrusions into SDKs. In addition, the paper analyzes recent advances in Android SDK security research, introduces performance metrics for horizontal comparison, and traces the development and evolution of the field. Finally, it outlines future research directions, including the combination of this field with emerging technologies such as current large language models.

Key words: Android SDK, Security analysis, Code security, Data interaction security

CLC Number: TP311.5
[1]KUMAR N.Android Usage Statistics(2025)-Global Market Share[EB/OL].[2025-09-10].https://www.demandsage.com/android-statistics/.
[2]iJiami.HOT! iJiami Releases the National Mobile Application SDK Market Share Analysis Report[EB/OL].[2019-06-06].https://www.ijiami.cn/new
[3]iJiami.SDK Security Monitoring Report:How Should We Strengthen Prevention?[EB/OL].[2023-03-29].https://www.ijiami.cn/newsInfo?id=1336.
[4]MA J.Research on the Detection of Security Vulnerabilities in External SDKs of the Android System[J].Information Technology and Network Security,2019,38(8):6-12.
[5]XIA X W,QIAN C,LIU B,et al.Android Security Overview:A Systematic Survey[C]//Proceedings of the 2nd IEEE International Conference on Computer and Communications(ICCC),IEEE,2016.
[6]SARKAR A,GOYAL A,HICKS D,et al.Android Application Development:A Brief Overview of Android Platforms and Evolution of Security Systems[C]//Proceedings of the 2019 Third International conference on I-SMAC(IoT in Social,Mobile,Analytics and Cloud).2019.
[7]QIU J,YANG X W,WU H M,et al.LibCapsule:Complete Confinement of Third-Party Libraries in Android Applications[J].IEEE Transactions on Dependable and Secure Computing,2022,19(5):2873-2889.
[8]WANG J C,XIAO Y,WANG X Q,et al.Understanding Malicious Cross-library Data Harvesting on Android[C]//Proceedings of the 30th USENIX Security Symposium.2021.
[9]WANG X Q,ZHANG Y F,WANG X F,et al.Union under Duress:Understanding Hazards of Duplicate Resource Mismediation in Android Software Supply Chain[C]//Proceedings of the 32nd USENIX Security Symposium.2023.
[10]MA K,GUO S Q.Security analysis of third-party SDKs in the Android ecosystem[J].Journal of Software,2018,29(5):1379-1391.
[11]FANG Z R,HAN W L,LI Y J.Permission based Android security:Issues and countermeasures[J].Computers & Security,2014,43:205-218.
[12]FAHL S,HARBACH M,MUDERS T,et al.Why eve and mallory love android:an analysis of android SSL(in)security[C]//Proceedings of the 2012 ACM Conference on Computer and Communications Security.2012:50-61.
[13]ZHANG J,LI R X,TANG J W,et al.Detection of collusion behaviors in Android third-party libraries[J].Computer Science,2019,46(5):83-91.
[14]DUAN R,BIJLANI A,XU M,et al.Identifying Open-Source License Violation and 1-day Security Risk at Large Scale[C]//Proceedings of the 24th ACM-SIGSAC Conference on Computer and Communications Security.2017.
[15]ANDOW B,MAHMUD S Y,WANG W Y,et al.PolicyLint:Investigating Internal Privacy Policy Contradictions on Google Play[C]//Proceedings of the 28th USENIX Security Symposium.2019.
[16]LU H R,LIU Y C,LIAO X J,et al.Towards Privacy-Preserving Social-Media SDKs on Android[C]//Proceedings of the 33rd USENIX Security Symposium.2024.
[17]GOOGLE.SDK tools guides[EB/OL].[2025-05-06].https://developer.android.com/tools.
[18]MA K.Research on Privacy Leakage and Security of Third-party SDKs in the Android Ecosystem[D].Jinan:Shandong University,2018.
[19]GAO P.Research on Detection Techniques for Android Third-party Libraries[D].Wuhan:Wuhan University of Science and Technology,2023.
[20]SUZANNA,SASMOKO,GAOL F L,et al.Augmented Reality SDK Overview for General Application Use[J].International Journal of Advanced Computer Science and Applications,2023,14(11):54-60.
[21]MAHMUD S Y,ENGLISH K V,THORN S,et al.Analysis of Payment Service Provider SDKs in Android[C]//Proceedings of the 38th Annual Computer Security Applications Conference.2022.
[22]CABAÑAS J G,CUEVAS A,CUEVAS R,et al.Unveiling and Quantifying Facebook Exploitation of Sensitive Personal Data for Advertising Purposes[C]//Proceedings of the 27th USENIX Security Symposium.2018.
[23]ZHANG Y.MVC Algorithm Design of Smart Mobile Marketing Micro-Classroom System based on Android SDK Technology[C]//Proceedings of the 2022 International Conference on Sustainable Computing and Data Communication Systems.2022.
[24]ZHAN X,LIU T M,FAN L L,et al.Research on Third-Party Libraries in Android Apps:A Taxonomy and Systematic Literature Review[J].IEEE Transactions on Software Engineering,2022,48(10):4181-4213.
[25]WANG Y,WEN M,LIU Z W,et al.Do the Dependency Conflicts in My Project Matter?[C]//Proceedings of the 26th ACM Joint Meeting on European Software Engineering Conference(ESEC)/Symposium on the Foundations of Software Engineering(FSE).2018.
[26]ZHAN X,FAN L L,CHEN S,et al.ATVHUNTER:Reliable Version Detection of Third-Party Libraries for Vulnerability Identification in Android Applications[C]//Proceedings of the 43rd IEEE/ACM International Conference on Software Engineering-Software Engineering in Practice(ICSE-SEIP)/43rd ACM/IEEE International Conference on Software Engineering-New Ideas and Emerging Results.2021.
[27]KHANDELWAL R,NAYAK A,CHUNG P,et al.The Overview of Privacy Labels and their Compatibility with Privacy Policies[J].arXiv:2303.08213,2023.
[28]WIKIPEDIA.Terms of service[EB/OL].[2025-06-25].https://en.wikipedia.org/wiki/Terms_of_service.
[29]KHANDELWAL R,NAYAK A,CHUNG P,et al.Unpacking Privacy Labels:A Measurement and Developer Perspective on Google’s Data Safety Section[C]//Proceedings of the 33rd USENIX Security Symposium.2024.
[30]GDPR.General Data Protection Regulation[EB/OL].[2016-04-27].https://gdpr-info.eu/.
[31]CCPA.California Consumer Privacy Act of 2018[EB/OL].https://www.oag.ca.gov.
[32]ANDOW B,MAHMUD S Y,WHITAKER J,et al.Actions Speak Louder than Words:Entity-Sensitive Privacy Policy and Data Flow Analysis with POLICHECK[C]//Proceedings of the 29th USENIX Security Symposium.2020.
[33]GUARDIAN T.Revealed:50 million Facebook profiles harvested for Cambridge Analytica in major data breach[EB/OL].https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election.
[34]MAHMUD T,CHE M R,YANG G W,et al.Android Compatibility Issue Detection Using API Differences[C]//Proceedings of the 28th IEEE International Conference on Software Analysis,Evolution and Reengineering.2021.
[35]HUASONG MENG M,YAN C,HAO Y,et al.A Large-Scale Privacy Assessment of Android Third-Party SDKs[J].arXiv:2409.10411,2024.
[36]CHEN S,ZHANG Y,FAN L,et al.AUSERA:Automated Security Vulnerability Detection for Android Apps[C]//Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering.2023.
[37]DIAO W R,LIU X Y,LI Z,et al.No Pardon for the Interruption:New Inference Attacks on Android Through Interrupt Timing Analysis[C]//Proceedings of the IEEE Symposium on Security and Privacy.2016.
[38]ZHANG Y F,HU Z J,WANG X Q,et al.Navigating the Privacy Compliance Maze:Understanding Risks with Privacy-Configurable Mobile SDKs[C]//Proceedings of the 33rd USENIX Security Symposium.2024.
[39]LIU B,LIU B,JIN H,et al.Efficient Privilege De-Escalation for Ad Libraries in Mobile Apps[C]//Proceedings of the 13th Annual International Conference on Mobile Systems,Applications,and Services.2015:89-103.
[40]INAYOSHI H,KAKEI S,SAITO S,et al.Detection of Inconsistencies between Guidance Pages and Actual Data Collection of Third-party SDKs in Android Apps[C]//Proceedings of the IEEE/ACM 11th International Conference on Mobile Software Engineering and Systems.2024.
[41]DING X H,ZHANG L L,ZHAO K,et al.A privacy leakage detection method combining static and dynamic features[J].Journal of Computer Science and Technology,2023,50(10):327-335.
[42]LI R Y.Research on Vulnerability Detection Technology of Android Third-party SDKs Based on Machine Learning[D].Beijing:Beijing University of Posts and Telecommunications,2019.
[43]YUAN J F,LI H X,YOU W,et al.Location of Third-Party Library Functions in Obfuscated Applications[J].Journal of Computer Science and Technology,2023,50(7):293-301.
[44]DERR E,BUGIEL S,FAHL S,et al.Keep me Updated:An Empirical Study of Third-Party Library Updatability on Android[C]//Proceedings of the 24th ACM-SIGSAC Conference on Computer and Communications Security.2017.
[45]ROVO89.Xposed[EB/OL].http://xposed.cc.
[46]CAI Y B.Static and dynamic analysis of the security of third-party SDKs in the Android ecosystem[J].Microcomputer Applications,2021,37(6):55-57.
[47]YANG S,CHEN S,FAN L L,et al.Compatibility Issue Detection for Android Apps Based on Path-Sensitive Semantic Analysis[C]//Proceedings of the 45th IEEE/ACM International Conference on Software Engineering.2023.
[48]RODRIGUEZ D,CALANDRINO J A,DEL ALAMO J M,et al.Privacy Settings of Third-Party Libraries in Android Apps:A Study of Facebook SDKs[EB/OL].https://plaintextresponse.com/static/papers/pets2025-rodriguez.pdf.
[49]LI L,BISSYANDÉ T F,WANG H Y,et al.CiD:Automating the Detection of API-Related Compatibility Issues in Android Apps[C]//Proceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis.2018.
[50]HUANG H X,WEI L L,LIU Y P,et al.Understanding and Detecting Callback Compatibility Issues for Android Applications[C]//Proceedings of the 33rd IEEE/ACM International Conference on Automated Software Engineering.2018.
[51]MAHMUD T,CHE M,YANG G.Detecting Android API Compatibility Issues With API Differences[J].IEEE Transactions on Software Engineering,2023,49(7):3857-3871.
[52]GIRISH A,REARDON J,TAPIADOR J,et al.Your Signal,Their Data:An Empirical Privacy Analysis of Wireless-scanning SDKs in Android[J].arXiv:2503.15238,2025.
[53]LIANG J,LIU W,HAN W L,et al.Analysis of code security issues in the Android cloud backup module[J].Journal of Network and Information Security,2017,3(1):68-78.
[54]MA Z,WANG H Y,GUO Y,et al.LibRadar:Fast and Accurate Detection of Third-party Libraries in Android Apps[C]//Proceedings of the 38th IEEE/ACM International Conference on Software Engineering Companion.2016.
[55]LI M H,WANG W,WANG P,et al.LibD:Scalable and Precise Third-party Library Detection in Android Markets[C]//Proceedings of the 39th IEEE/ACM International Conference on Software Engineering.2017.
[56]WANG Y,WU H W,ZHANG H L,et al.ORLIS:Obfuscation-Resilient Library Detection for Android[C]//Proceedings of the 5th ACM/IEEE International Conference on Mobile Software Engineering and Systems.2018.
[57]ZHAN X,LIU T M,LIU Y P,et al.A Systematic Assessment on Android Third-Party Library Detection Tools[J].IEEE Transactions on Software Engineering,2022,48(11):4249-4273.
[58]CHEN K,LIU P,ZHANG Y J.Achieving Accuracy and Scalability Simultaneously in Detecting Application Clones on Android Markets[C]//Proceedings of the 36th International Conference on Software Engineering.2014.
[59]HE Y Z,HU B H,HAN Z,et al.Dynamic Privacy Leakage Analysis of Android Third-party Libraries[C]//Proceedings of the 1st International Conference on Data Intelligence and Security.2018.
[60]MENG M H,YAN C,ZHANG Q,et al.Assessing Privacy Compliance of Android Third-Party SDKs[J].arXiv:2409.10411,2024.
[61]HEUSER S,NADKARNI A,ENCK W,et al.ASM:A Programmable Interface for Extending Android Security[C]//Proceedings of the 23rd USENIX Security Symposium.2014.
[62]BACKES M,BUGIEL S,DERR E,et al.Reliable Third-Party Library Detection in Android and its Security Applications[C]//Proceedings of the 23rd ACM Conference on Computer and Communications Security.2016.
[63]BASET S A,LI S W,SUTER P,et al.Identifying Android Library Dependencies in the Presence of Code Obfuscation and Minimization[C]//Proceedings of the IEEE/ACM 39th International Conference on Software Engineering Companion.IEEE,2017.
[64]GRACE M C,ZHOU W,JIANG X,et al.Unsafe exposure analysis of mobile in-app advertisements[C]//Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks.2012:101-112.
[65]CABAÑAS J G,CUEVAS A,CUEVAS R,et al.FDVT:Data Valuation Tool for Facebook Users[C]//Proceedings of the ACM SIGCHI Conference on Human Factors in Computing Systems.2017.
[66]JIN G Z,LIU Z,WAGMAN L.The GDPR and SDK Usage In Android Mobile Apps[EB/OL].https://www.nber.org/system/files/working_papers/w33099/w33099.pdf.
[67]BALASH D G,ALI M M,KODWANI M,et al.Poster:Longitudinal Measurement of the Adoption Dynamics in Apple’s Privacy Label Ecosystem[C]//Proceedings of the 30th ACM SIGSAC Conference on Computer and Communications Security.2023.
[68]REYES I,WIJESEKERA P,REARDON J,et al.“Won't Somebody Think of the Children?” Examining COPPA Compliance at Scale[C]//Proceedings of the 18th Privacy Enhancing Technologies Symposium.2018.
[69]DU X L,YANG Z M,LIN J P,et al.Withdrawing is believing? Detecting Inconsistencies between Withdrawal Choices and Third-party Data Collections in Mobile Apps[C]//Proceedings of the 45th IEEE Symposium on Security and Privacy.2024.
[70]LU D B,CUI H L,ZHANG W,et al.An application security reinforcement scheme based on Intent filtering[J].Information Network Security,2017(11):67-73.
[71]TANG W,LUO P,FU J L,et al.LibDX:A Cross-Platform and Accurate System to Detect Third-Party Libraries in Binary Code[C]//Proceedings of the 27th IEEE International Conference on Software Analysis,Evolution,and Reengineering.2020.
[72]YANG Y,WANG X,ZHAO C L,et al.Survey on automated testing of Android graphical user interfaces[J].Journal of Computer Science and Technology,2022,49(S2):756-765.
[73]GUO J,FU X,LI L,et al.Characterizing Installation- and Run-Time Compatibility Issues in Android Benign Apps and Malware[EB/OL].https://dl.acm.org/doi/pdf/10.1145/3725810.
[74]GARDNER J,FENG Y Y,REIMAN K,et al.Helping Mobile Application Developers Create Accurate Privacy Labels[C]//Proceedings of the 7th IEEE European Symposium on Security and Privacy.2022.
[75]LI T S,REIMAN K,AGARWAL Y,et al.Understanding Challenges for Developers to Create Accurate Privacy Nutrition Labels[C]//Proceedings of the CHI Conference on Human Factors in Computing Systems.2022.