You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
PFE: SBOM Extraction & CVE Detection from Compiled Android APKs
Goal
Build a tool that analyzes compiled Android APKs (potentially obfuscated), extracts a Software Bill of Materials (SBOM) — i.e., identifies third-party libraries and their exact versions — and maps them to known CVEs for vulnerability assessment.
Research Baseline
Core Problem
Third-party libraries (TPLs) make up >60% of Android app code [Wang+]. They're statically linked into DEX bytecode during compilation, losing version metadata and file boundaries. Obfuscation (ProGuard, R8, DashO, Allatori) further complicates identification via renaming, inlining, control-flow flattening, and dead-code removal.
Key Papers (2016–2026)
Paper
Year
Venue
Approach
Key Result
LibScout [Backes+]
2016
CCS
Merkle tree + fuzzy descriptors
100% renaming resilient; version-level F1 12.7% under R8