What's in a Package? Getting Visibility Into Dependencies Using Security-Sensitive API Calls

Date: 2024-08-05
Citations: 0
Influential: 0
AI Summary
Developers lack effective means to assess third-party dependencies' access to sensitive resources, posing significant security risks. Method: We propose an ecosystem-wide security-sensitive API identification framework. It constructs the first cross-package-family inventory of security-sensitive APIs, combines static call-graph analysis (implemented for Java) with functional similarity-based grouping of packages, and reveals substantial behavioral discrepancies in security practices among functionally equivalent packages. Its practical utility is validated through an empirical survey involving 110 developers. Contributions/Results: (1) The first systematic, scalable, ecosystem-level methodology for identifying security-sensitive APIs; (2) Empirical evidence that over 50% of developers would integrate this approach into dependency selection decisions; (3) A foundational theoretical and practical basis for embedding such analysis into automated dependency management tools.

๐Ÿ“ Abstract
Knowing what sensitive resources a dependency could potentially access would help developers assess the risk of a dependency before selection. One way to get an understanding of the potential sensitive resource usage by a dependency is using security-sensitive APIs, i.e., the APIs that provide access to security-sensitive resources in a system, e.g., the filesystem or network resources. However, the lack of tools or research providing visibility into potential sensitive resource usage of dependencies makes it hard for developers to use this as a factor in their dependency selection process. The goal of this study is to aid developers in assessing the security risks of their dependencies by identifying security-sensitive APIs in packages through call graph analysis. In this study, we present a novel methodology to construct a security-sensitive API list for an ecosystem to better understand and assess packages before selecting them as a dependency. We implement the methodology in Java. We then compare the prevalence of security-sensitive APIs in functionally similar package groups to understand how different functionally similar packages could be in terms of security-sensitive APIs. We also conducted a developer survey (with 110 respondents) to understand developers' perceptions towards using security-sensitive API information in the dependency selection process. More than half of the developers would use security-sensitive API information in the dependency selection process if available. Finally, we advocate for incorporating security-sensitive API information into dependency management tools for easier access to the developers in the dependency selection process.
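The core step the abstract describes is reachability: a package's public API is security-sensitive if, somewhere down its call graph, it reaches a method that touches the filesystem, the network, or another sensitive resource, and functionally similar packages can then be compared by how many of their APIs do so. The following is an added example written for this page, not code from the paper or its authors. It assumes the call graph has already been extracted (the dictionaries below are constructed by hand, with made-up package names cfg_a and cfg_b, and the six-entry sink list is an illustrative stand-in for the paper's ecosystem-wide inventory); the walk over the graph, the per-package inventory and the comparison are the parts it demonstrates.

```python
from collections import deque

# Constructed stand-in for the paper's ecosystem-wide security-sensitive API
# list: fully-qualified JDK methods mapped to the resource they expose.
# (Assumption: the real inventory is far larger; these six are illustrative.)
SENSITIVE_SINKS = {
    "java.io.FileInputStream.<init>": "filesystem",
    "java.io.FileOutputStream.<init>": "filesystem",
    "java.net.Socket.<init>": "network",
    "java.net.URL.openConnection": "network",
    "java.lang.Runtime.exec": "process",
    "java.lang.System.getenv": "environment",
}


def reachable_sinks(call_graph, entry):
    """Categories of sensitive resource transitively reachable from `entry`.

    `call_graph` maps a method name to the methods it calls. A breadth-first
    walk with a visited set keeps recursion and mutual calls from looping.
    """
    seen = {entry}
    queue = deque([entry])
    categories = set()
    while queue:
        node = queue.popleft()
        if node in SENSITIVE_SINKS:
            categories.add(SENSITIVE_SINKS[node])
            continue  # a JDK sink is a leaf: no need to descend into it
        for callee in call_graph.get(node, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return categories


def sensitive_api_inventory(call_graph, public_apis):
    """Map each public API of a package to the sensitive categories it can reach."""
    return {api: reachable_sinks(call_graph, api) for api in public_apis}


def prevalence(inventory):
    """Return (share of public APIs reaching a sink, union of categories reached)."""
    hits = [cats for cats in inventory.values() if cats]
    share = len(hits) / len(inventory) if inventory else 0.0
    touched = set().union(*hits) if hits else set()
    return share, touched


def compare_packages(inv_a, inv_b):
    """Categories one functionally similar package touches and the other doesn't."""
    _, touched_a = prevalence(inv_a)
    _, touched_b = prevalence(inv_b)
    return {"only_in_a": touched_a - touched_b, "only_in_b": touched_b - touched_a}


# Constructed call graphs for two hypothetical config-loading packages
# (cfg_a and cfg_b are made-up names; a real pipeline would extract these
# edges from bytecode with a static call-graph builder, which is omitted here).
PKG_A_GRAPH = {
    "cfg_a.Loader.load": ["cfg_a.Loader.parse"],
    "cfg_a.Loader.parse": [],
    "cfg_a.Loader.loadFile": ["cfg_a.Loader.parse", "java.io.FileInputStream.<init>"],
    "cfg_a.Loader.fetch": ["cfg_a.Http.get"],
    "cfg_a.Http.get": ["java.net.URL.openConnection", "cfg_a.Loader.fetch"],  # cycle
}
PKG_A_PUBLIC = ["cfg_a.Loader.load", "cfg_a.Loader.loadFile", "cfg_a.Loader.fetch"]

PKG_B_GRAPH = {
    "cfg_b.Config.parse": ["cfg_b.Config.tokenize"],
    "cfg_b.Config.tokenize": [],
    "cfg_b.Config.fromFile": ["java.io.FileInputStream.<init>", "cfg_b.Config.parse"],
    "cfg_b.Config.expand": ["java.lang.System.getenv"],
}
PKG_B_PUBLIC = ["cfg_b.Config.parse", "cfg_b.Config.fromFile", "cfg_b.Config.expand"]

if __name__ == "__main__":
    inv_a = sensitive_api_inventory(PKG_A_GRAPH, PKG_A_PUBLIC)
    inv_b = sensitive_api_inventory(PKG_B_GRAPH, PKG_B_PUBLIC)
    for name, inv in (("cfg_a", inv_a), ("cfg_b", inv_b)):
        share, touched = prevalence(inv)
        print(f"{name}: {share:.0%} of public APIs reach sinks; categories {sorted(touched)}")
    print("differences:", compare_packages(inv_a, inv_b))
```

Both constructed packages have the same share of sensitive public APIs (two of three), yet the comparison shows they differ in kind: one reaches the network, the other reads environment variables. That is the sort of discrepancy between functionally similar packages the abstract refers to, and the reason a per-category inventory is more useful to a developer choosing a dependency than a single count.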
Problem

Research questions and friction points this paper is trying to address.

Assessing security risks of dependencies using sensitive APIs.
Lack of tools for visibility into dependency resource usage.
Incorporating security-sensitive API data into dependency management tools.
Innovation

Methods, ideas, or system contributions that make the work stand out.

Uses security-sensitive API call graph analysis
Implements methodology in Java for API identification
Advocates integrating API data into dependency tools