
Shelving it rather than Ditching it: Dynamically Debloating DEX and Native Methods of Android Applications without APK Modification

Zicheng Zhang, Jiakun Liu, Ferdian Thung, Haoyu Ma, Rui Li, Yan Naing Tun, Wei Minn, Lwin Khin Shar, Shahar Maoz, Eran Toch, David Lo, Joshua Wong, Debin Gao

TL;DR

3DNDroid tackles the problem of bloated Android apps that carry unused features and vulnerabilities by providing dynamic, runtime debloating of both DEX and native methods without altering APKs. It uses a management app to generate a per-app debloating schema and a runtime extension that enforces debloating by intercepting DEX invocations and zero-filling native methods, ensuring compatibility with Android's security model. Evaluations on 55 real-world apps show effective debloating of hundreds of methods, substantial reductions in ROP gadgets, mitigations for several CVEs, and meaningful CPU savings, demonstrating practical security and performance benefits. The approach preserves app integrity, enables recovery by schema updates, and offers avenues for integration with eBPF-based implementations for broader adoption.

Abstract

Today's Android developers tend to include numerous features to accommodate diverse user requirements, which inevitably leads to bloated apps. Yet more often than not, only a fraction of these features are frequently used, so a bloated app costs dearly in potential vulnerabilities, an expanded attack surface, and additional resource consumption. Especially in the event of a severe security incident, users need to block vulnerable functionality immediately. Existing works have proposed various code debloating approaches for identifying and removing features of executable components. However, they typically involve static modification of files (and, for Android apps, repackaging of APKs), which is inconvenient for users and, worse, undermines Android's security model by breaking public key verification and code integrity checks. This paper introduces 3DNDroid, a Dynamic Debloating approach targeting both DEX and Native methods in AnDroid apps. Using an unprivileged management app in tandem with a customized Android OS, 3DNDroid dynamically reduces unnecessary code loading during app execution based on a pre-generated debloating schema derived from static or dynamic analyses. It intercepts invocations of debloated bytecode methods to prevent their interpretation, compilation, and execution, while zero-filling the memory of debloated native methods during code loading. Evaluation demonstrates 3DNDroid's ability to debloat 187 DEX methods and 30 native methods across 55 real-world apps, removing over 10K Return-Oriented Programming (ROP) gadgets. Case studies confirm its effectiveness in mitigating vulnerabilities, and performance assessments highlight its resource-saving advantages over non-debloated apps.
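The two enforcement points the abstract describes (refusing to run a schema-listed DEX method at invocation time, and zero-filling a schema-listed native method at load time with a return instruction at its entry, as Figure 2 illustrates) can be modelled in a few dozen lines. The model below is an added example written for this page, not code from the paper or from 3DNDroid; the schema layout, the method and symbol names, the toy "native image" and the choice of the AArch64 `RET` encoding as the inserted return instruction are all assumptions. What it shows is the "shelving" property: the method table and the library layout are left intact, so an updated schema restores a method without any reinstall or APK change.

```python
"""Constructed model of schema-driven "shelving" debloating: a per-app schema
names the DEX and native methods to debloat; the runtime refuses to run listed
DEX methods and zero-fills listed native methods at load time, without touching
the app package.  Names, schema format and byte encodings are assumptions."""
from dataclasses import dataclass

# Assumed return instruction written at the entry of a zero-filled native
# method: AArch64 RET (0xD65F03C0) as little-endian bytes.
RET_INSN = bytes.fromhex("c0035fd6")


class DebloatedMethodError(RuntimeError):
    """Raised when an invocation reaches a method the schema has shelved."""


@dataclass(frozen=True)
class Schema:
    dex: frozenset = frozenset()      # fully qualified DEX method names
    native: frozenset = frozenset()   # exported native symbol names


@dataclass
class NativeImage:
    code: bytes
    symbols: dict                     # symbol -> (offset, length)


def load_native(image: NativeImage, schema: Schema) -> bytearray:
    """Model of load-time handling of a native library: the in-memory copy of
    every schema-listed method is zero-filled and its entry overwritten with a
    return instruction.  Offsets and total size are unchanged, so relocations
    and callers keep working; the file on disk is never modified."""
    mem = bytearray(image.code)
    for sym, (off, length) in image.symbols.items():
        if sym in schema.native:
            mem[off:off + length] = bytes(length)       # zero-fill the body
            mem[off:off + len(RET_INSN)] = RET_INSN     # caller returns at once
    return mem


class DexRuntime:
    """Toy interpreter: methods are Python callables keyed by name; every call
    goes through invoke(), which is where the schema check is enforced."""

    def __init__(self, methods: dict, schema: Schema):
        self.methods = methods        # left intact: shelved, not ditched
        self.schema = schema
        self.executed = []            # trace of methods actually run

    def update_schema(self, schema: Schema) -> None:
        self.schema = schema          # recovery needs no reinstall

    def invoke(self, name: str, *args):
        if name in self.schema.dex:
            raise DebloatedMethodError(name)   # never interpreted or compiled
        self.executed.append(name)
        return self.methods[name](self, *args)


# --- constructed sample app (not a real package) -----------------------------
def m_start(rt, payload):
    try:
        return rt.invoke("com/example/Analytics;->upload", payload)
    except DebloatedMethodError:
        return "upload-skipped"        # app keeps working without the feature


def m_upload(rt, payload):
    return f"uploaded:{payload}"


SAMPLE_METHODS = {
    "com/example/Main;->start": m_start,
    "com/example/Analytics;->upload": m_upload,
}

# Toy native library: two 16-byte functions, the second one to be shelved.
SAMPLE_IMAGE = NativeImage(
    code=bytes(range(1, 33)),
    symbols={"Java_com_example_Codec_decode": (0, 16),
             "Java_com_example_Legacy_decode": (16, 16)},
)

SAMPLE_SCHEMA = Schema(dex=frozenset({"com/example/Analytics;->upload"}),
                       native=frozenset({"Java_com_example_Legacy_decode"}))


def run_demo(schema: Schema = SAMPLE_SCHEMA):
    """Run the sample app under a schema; returns (result, trace, native memory)."""
    rt = DexRuntime(SAMPLE_METHODS, schema)
    result = rt.invoke("com/example/Main;->start", "evt")
    mem = load_native(SAMPLE_IMAGE, schema)
    return result, rt.executed, mem


if __name__ == "__main__":
    res, trace, mem = run_demo()
    print(res, trace)                 # upload-skipped ['com/example/Main;->start']
    print(mem[16:32].hex())           # c0035fd6 followed by zeros
    # Recovery: an empty schema re-enables everything without reinstalling.
    print(run_demo(Schema())[0])      # uploaded:evt
```

The interception happens before the shelved method's body is ever reached, which is why the paper can say the method is neither interpreted nor compiled; on the native side, keeping each symbol's offset and size is what preserves code-integrity and relocation assumptions while still removing the bytes that would otherwise supply ROP gadgets.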

Paper Structure (25 sections, 6 figures, 1 table)

Figures (6)

  • Figure 1: The overall workflow of 3DNDroid.
  • Figure 2: An example of zero-filling the debloated native method and inserting return instruction.
  • Figure 3: The counts of various statistics for each app, encompassing the number of methods in the debloated schema, the number of invoked methods covered by the schema, the methods debloated by 3DNDroid, and the methods of which native code does not exist in the corresponding odex file.
  • Figure 4: The number of ROP gadgets found in various sizes of DEX methods compiled in native code. The bottom-left portion of the intersection of the two dashed lines contains 90% of the methods.
  • Figure 5: The statistics of ROP gadgets found in debloated DEX methods post-compilation.
  • ...and 1 more figure