Erik Derr edited this page Aug 17, 2018 · 1 revision

LibScout Documentation

JSON output format specification

The JSON output is divided into the sections "appInfo", "lib_matches" and "lib_packageOnlyMatches", followed by a few app statistics (stats_* properties). Compare with the example below.

Section "appInfo"

Besides the apk file name, this section mainly summarizes information parsed from the app's AndroidManifest.xml, such as the package name, the set of declared permissions, the sharedUserId, the versionCode and the min/target SDK version.

Section "lib_matches"

Contains all libraries that have been detected in the app using the profiles, including the library name (libName), version (libVersion) and the matched root package name (libRootPackage). isOriginalPackageName is false if the matched root package differs from the library's original package name, i.e. the package has been renamed/obfuscated in the app.

The similarity score simScore is computed from the fraction of the original library classes that have been detected in the app, with 1.0 indicating a full match.
Note: By default, LibScout reports only matches with a simScore >= .7, i.e. at least 70% of the original lib classes need to be present in the app package. This prevents a large number of false positives for apps that contain only a small number of a library's classes. The threshold can be changed via the constant de.infsec.tpl.profile.ProfileMatch.MIN_PARTIAL_MATCHING_SCORE.
If the same library appears multiple times with different versions, this indicates that these versions differ in code instructions only (no API changes), so LibScout cannot tell them apart. The app includes one of these versions (code-change detection is currently not supported by LibScout).

includesSecurityVulnerability/-Fix indicate whether the identified library version includes a known security vulnerability or a fix (see Detecting vulnerable library versions).

If LibScout has been run with the -u switch (perform library usage analysis), usedLibMethods holds the list of API methods of the detected library that are invoked by the application code (or by other libraries). An empty list despite usage analysis means that no API invocations have been found and the library is likely not in use, i.e. dead code. There might be cases in which the library is still in use, e.g. if APIs are called via reflection or the library can be used without explicit invocations.

Section "lib_packageOnlyMatches"

This section lists all libraries (with their original package name) for which LibScout has matched the package name but has not found sufficient evidence/classes, i.e. their simScore was below the configured threshold.

stats_* properties

These include the number of packages/classes of the entire application and the processing time in milliseconds.

{
    "appInfo": {
        "appName": "com.example.WhatsInTheFoto",
        "fileName": "com.example.whatsinthefoto-1.apk",
        "packagename": "com.example.whatsinthefoto",
        "permissions": [
            "android.permission.ACCESS_NETWORK_STATE",
            "android.permission.INTERNET",
            "com.android.vending.BILLING"
        ],  
        "sharedUserId": "", 
        "versionCode": 13, 
        "versionMinSDK": 8,
        "versionTargetSDK": 17
    },  
    "lib_matches": [
        {
            "includesSecurityVulnerability": false,
            "includesSecurityVulnerabilityFix": false,
            "isOriginalPackageName": true,
            "libName": "Google Admob",
            "libRootPackage": "com.google.ads",
            "libVersion": "6.2.1",
            "simScore": 1.0,
            "usedLibMethods": []
        },  
        {
            "includesSecurityVulnerability": false,
            "includesSecurityVulnerabilityFix": false,
            "isOriginalPackageName": false,
            "libName": "Gson",
            "libRootPackage": "com.google.mygson",
            "libVersion": "2.2",
            "simScore": 1.0,
            "usedLibMethods": [
                "com.google.gson.Gson.()V",
                "com.google.gson.Gson.fromJson(Ljava/lang/String;Ljava/lang/Class;)Ljava/lang/Object;",
                "com.google.gson.Gson.toJson(Ljava/lang/Object;)Ljava/lang/String;",
                ...
            ]
        }
    ],
    "lib_packageOnlyMatches": {
        "Android support v7 appcompat": "android.support.v7",
        "Flurry": "com.flurry.android"
    },  
    "stats_classCount": 2225,
    "stats_packageCount": 118,
    "stats_processingTime": 14333
}
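As an added example (not code from LibScout or from this page), the following Python script reads a report in the layout documented above and performs the triage a reviewer would otherwise do by hand: it re-applies a similarity threshold to lib_matches, lists versions flagged as vulnerable without a fix, renamed root packages, libraries reported with several indistinguishable versions, dead-code candidates (only meaningful when -u was used) and the package-only matches, and it decodes usedLibMethods entries from JVM descriptor form into readable Java signatures. The embedded report is constructed for this example: the "Hypothetical Lib" entry and its vulnerability flag are fictitious, and reading an entry with an empty method name such as com.google.gson.Gson.()V as the constructor is an assumption based on the sample output above.

```python
import json
from collections import defaultdict

# Constructed sample report in the documented LibScout layout. Values are made
# up for this example ("Hypothetical Lib" is fictitious) and are not scan results.
SAMPLE_REPORT = """
{
  "appInfo": {"appName": "com.example.WhatsInTheFoto",
              "fileName": "com.example.whatsinthefoto-1.apk",
              "packagename": "com.example.whatsinthefoto",
              "permissions": ["android.permission.INTERNET"],
              "sharedUserId": "", "versionCode": 13,
              "versionMinSDK": 8, "versionTargetSDK": 17},
  "lib_matches": [
    {"includesSecurityVulnerability": false, "includesSecurityVulnerabilityFix": false,
     "isOriginalPackageName": true, "libName": "Google Admob",
     "libRootPackage": "com.google.ads", "libVersion": "6.2.1",
     "simScore": 1.0, "usedLibMethods": []},
    {"includesSecurityVulnerability": false, "includesSecurityVulnerabilityFix": false,
     "isOriginalPackageName": false, "libName": "Gson",
     "libRootPackage": "com.google.mygson", "libVersion": "2.2",
     "simScore": 1.0, "usedLibMethods": ["com.google.gson.Gson.()V",
       "com.google.gson.Gson.fromJson(Ljava/lang/String;Ljava/lang/Class;)Ljava/lang/Object;"]},
    {"includesSecurityVulnerability": false, "includesSecurityVulnerabilityFix": false,
     "isOriginalPackageName": false, "libName": "Gson",
     "libRootPackage": "com.google.mygson", "libVersion": "2.2.1",
     "simScore": 1.0, "usedLibMethods": ["com.google.gson.Gson.()V"]},
    {"includesSecurityVulnerability": true, "includesSecurityVulnerabilityFix": false,
     "isOriginalPackageName": true, "libName": "Hypothetical Lib",
     "libRootPackage": "com.example.hypo", "libVersion": "1.0",
     "simScore": 0.75, "usedLibMethods": ["com.example.hypo.Net.open([BI)Z"]}
  ],
  "lib_packageOnlyMatches": {"Flurry": "com.flurry.android"},
  "stats_classCount": 2225, "stats_packageCount": 118, "stats_processingTime": 14333
}
"""

PRIMITIVES = {"V": "void", "Z": "boolean", "B": "byte", "C": "char", "S": "short",
              "I": "int", "J": "long", "F": "float", "D": "double"}


def load_report(text):
    return json.loads(text)


def parse_descriptor(desc):
    """Turn a JVM descriptor sequence such as 'Ljava/lang/String;I[B' into Java type names."""
    types, i = [], 0
    while i < len(desc):
        dims = 0
        while desc[i] == "[":          # array dimensions precede the element type
            dims, i = dims + 1, i + 1
        if desc[i] == "L":             # object type: L<slash/separated/name>;
            end = desc.index(";", i)
            name, i = desc[i + 1:end].replace("/", "."), end + 1
        else:                          # single-letter primitive
            name, i = PRIMITIVES[desc[i]], i + 1
        types.append(name + "[]" * dims)
    return types


def parse_method(sig):
    """Split a usedLibMethods entry into (class, method, [arg types], return type).
    An empty method name (e.g. 'com.google.gson.Gson.()V') is treated as the
    constructor; that reading is an assumption based on the sample output."""
    qualified, _, rest = sig.partition("(")
    cls, _, method = qualified.rpartition(".")
    args, _, ret = rest.partition(")")
    return cls, method or "<init>", parse_descriptor(args), parse_descriptor(ret)[0]


def triage(report, usage_analysis_ran, min_score=0.7):
    """Summarise a LibScout report the way a reviewer would read it."""
    matches = [m for m in report["lib_matches"] if m["simScore"] >= min_score]
    versions = defaultdict(set)
    for m in matches:
        versions[m["libName"]].add(m["libVersion"])
    return {
        # Versions with a known vulnerability and no fix: the first thing to act on.
        "vulnerable": sorted((m["libName"], m["libVersion"]) for m in matches
                             if m["includesSecurityVulnerability"]
                             and not m["includesSecurityVulnerabilityFix"]),
        # Root package differs from the library's original one: repackaged or obfuscated.
        "renamed": sorted({(m["libName"], m["libRootPackage"]) for m in matches
                           if not m["isOriginalPackageName"]}),
        # Same library, several versions: indistinguishable by class structure alone.
        "ambiguous_versions": {n: sorted(v) for n, v in versions.items() if len(v) > 1},
        # Only meaningful after -u; reflective use would still show up as an empty list.
        "dead_code_candidates": sorted({m["libName"] for m in matches
                                        if not m["usedLibMethods"]}) if usage_analysis_ran else [],
        # Below-threshold matches: package name seen, too few classes to confirm.
        "unconfirmed": dict(report["lib_packageOnlyMatches"]),
    }


if __name__ == "__main__":
    print(json.dumps(triage(load_report(SAMPLE_REPORT), usage_analysis_ran=True), indent=2))
    print(parse_method("com.google.gson.Gson.fromJson(Ljava/lang/String;Ljava/lang/Class;)Ljava/lang/Object;"))
```

Raising min_score above LibScout's default is a cheap way to tighten a noisy report after the fact without re-running the scan, while the dead-code list should be read together with the reflection caveat above before a library is removed from an app.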