Version-level Third-Party Library Detection in Android Applications via Class Structural Similarity

📅 2025-04-18
📈 Citations: 0
Influential: 0
🤖 AI Summary
Existing third-party library (TPL) version identification techniques for Android applications suffer from high false-positive rates under obfuscation and fail to distinguish fine-grained version differences. Method: This paper proposes a fine-grained TPL version identification approach based on Class Dependency Graphs (CDGs), the first to model version-specific features using class structural similarity. It introduces a two-stage mechanism comprising class signature matching and subgraph structural comparison. Contribution/Results: Evaluated on obfuscated apps, the method achieves an 84.82% F1-score for version-level detection—significantly outperforming state-of-the-art tools—while reducing version-level false positives by 38%. Library-level detection attains a 97.64% F1-score. The approach enables precise vulnerability localization and security governance, establishing a novel paradigm for TPL version identification in obfuscated Android environments.

📝 Abstract
Android applications (apps) integrate reusable and well-tested third-party libraries (TPLs) to enhance functionality and shorten development cycles. However, recent research reveals that TPLs have become the largest attack surface for Android apps, where the use of insecure TPLs can compromise both developer and user interests. To mitigate such threats, researchers have proposed various tools to detect the TPLs used by apps, supporting further security analyses such as vulnerable TPL identification. Although existing tools achieve notable library-level TPL detection performance in the presence of obfuscation, they struggle with version-level TPL detection due to a lack of sensitivity to differences between versions. This limitation results in a high version-level false positive rate, significantly increasing the manual workload for security analysts. To resolve this issue, we propose SAD, a TPL detection tool with high version-level detection performance. SAD generates a candidate app class list for each TPL class based on the features of nodes in class dependency graphs (CDGs). It then identifies the unique corresponding app class for each TPL class by performing class matching based on the similarity of their class summaries. Finally, SAD identifies TPL versions by evaluating the structural similarity of the sub-graph formed by matched classes within the CDGs of the TPL and the app. Extensive evaluation on three datasets demonstrates the effectiveness of SAD and its components. SAD achieves F1 scores of 97.64% and 84.82% for library-level and version-level detection on obfuscated apps, respectively, surpassing existing state-of-the-art tools. The version-level false positives reported by the best existing tool are 1.61 times those of SAD. We further evaluate the degree to which the TPLs identified by detection tools correspond to actual TPL classes.
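The three-stage pipeline sketched in the abstract, as an added illustrative reconstruction that is not SAD's own code: CDGs are plain adjacency dicts, the node feature is (fan-in, fan-out), the class summary is a constructed (methods, fields, string constants) count tuple, and the sub-graph score is the share of library dependency edges reproduced among the matched app classes. The two library versions and the obfuscated app below are constructed so that v2 differs from v1 by one added class.

```python
from typing import Dict, Set, Tuple
CDG = Dict[str, Set[str]]                   # class -> classes it depends on
Summary = Dict[str, Tuple[int, int, int]]   # class -> (methods, fields, string consts)

def node_feature(cdg: CDG, cls: str) -> Tuple[int, int]:
    """Name-independent CDG node feature: (fan-in, fan-out); survives renaming."""
    fan_in = sum(1 for deps in cdg.values() if cls in deps)
    return fan_in, len(cdg[cls])

def summary_similarity(a: Tuple[int, ...], b: Tuple[int, ...]) -> float:
    """1.0 for identical class summaries, decaying with the total count difference."""
    return 1.0 / (1.0 + sum(abs(x - y) for x, y in zip(a, b)))

def match_classes(lib: CDG, lib_sum: Summary, app: CDG, app_sum: Summary) -> Dict[str, str]:
    """Stage 1: app candidates sharing the node feature. Stage 2: pick the unique
    best candidate by summary similarity; each app class is consumed once."""
    mapping: Dict[str, str] = {}
    for lc in lib:
        cands = [ac for ac in app if ac not in mapping.values()
                 and node_feature(app, ac) == node_feature(lib, lc)]
        if cands:
            mapping[lc] = max(cands, key=lambda ac: summary_similarity(lib_sum[lc], app_sum[ac]))
    return mapping

def structural_similarity(lib: CDG, app: CDG, mapping: Dict[str, str]) -> float:
    """Stage 3: fraction of library dependency edges reproduced between the
    matched app classes. Unmatched library classes lose their edges, so a
    version with an extra (or missing) class scores lower than the true one."""
    edges = [(s, d) for s, deps in lib.items() for d in deps]
    kept = sum(1 for s, d in edges
               if s in mapping and d in mapping and mapping[d] in app[mapping[s]])
    return kept / len(edges) if edges else 0.0

def detect_version(versions: Dict[str, Tuple[CDG, Summary]], app: CDG, app_sum: Summary) -> Dict[str, float]:
    """Score every candidate library version against the app; the highest score wins."""
    return {v: structural_similarity(lib, app, match_classes(lib, ls, app, app_sum))
            for v, (lib, ls) in versions.items()}

# Constructed library CDGs and summaries: v2 adds class E, which D now depends on.
LIB_V1: CDG = {"A": {"B", "C"}, "B": {"D"}, "C": {"D"}, "D": set()}
LIB_V1_SUM: Summary = {"A": (3, 1, 2), "B": (2, 0, 1), "C": (2, 1, 0), "D": (4, 2, 3)}
LIB_V2: CDG = {**LIB_V1, "D": {"E"}, "E": set()}
LIB_V2_SUM: Summary = {**LIB_V1_SUM, "D": (5, 2, 3), "E": (1, 0, 1)}
# Constructed app built on v2, with class names rewritten by an obfuscator.
APP: CDG = {"a": {"b", "c"}, "b": {"d"}, "c": {"d"}, "d": {"e"}, "e": set()}
APP_SUM: Summary = {"a": (3, 1, 2), "b": (2, 0, 1), "c": (2, 1, 0), "d": (5, 2, 3), "e": (1, 0, 1)}
VERSIONS = {"v1": (LIB_V1, LIB_V1_SUM), "v2": (LIB_V2, LIB_V2_SUM)}

if __name__ == "__main__":
    print(detect_version(VERSIONS, APP, APP_SUM))  # {'v1': 0.5, 'v2': 1.0}
```

Because v1's class D has no outgoing dependency while the app's renamed `d` does, stage 1 finds no candidate for it and the two edges into D are lost, which is what separates the versions here.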
Problem

Research questions and friction points this paper is trying to address.

Detecting third-party library versions in Android apps
Reducing version-level false positives in TPL detection
Improving security analysis via accurate TPL version identification
Innovation

Methods, ideas, or system contributions that make the work stand out.

Uses class dependency graphs for TPL detection
Matches classes via structural similarity summaries
Detects TPL versions via sub-graph similarity
Authors

Bolin Zhou
Institute of Software, Chinese Academy of Sciences; University of Chinese Academy of Sciences

Jingzheng Wu
Institute of Software, Chinese Academy of Sciences; Key Laboratory of System Software (Chinese Academy of Sciences); State Key Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences

Xiang Ling
Institute of Software, Chinese Academy of Sciences

Tianyue Luo
Institute of Software, Chinese Academy of Sciences

Jingkun Zhang
Institute of Software, Chinese Academy of Sciences

Fields: Computer Science, System Security, Software Security, AI Security