Graph-aided directed testing of Android applications for checking runtime privacy behaviours
While automated testing of mobile applications is very useful for checking run-time behaviours and specifications, its capability in discovering issues in apps is often limited in practice due to long testing time. A common practice is to randomly and exhaustively explore the whole app test space, w...
Saved in:
| Main Authors: | , , , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2016
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/3440 https://ink.library.smu.edu.sg/context/sis_research/article/4441/viewcontent/icse16ast_directedapptest__1_.pdf |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| id |
sg-smu-ink.sis_research-4441 |
|---|---|
| record_format |
dspace |
| spelling |
sg-smu-ink.sis_research-44412020-03-26T09:07:52Z Graph-aided directed testing of Android applications for checking runtime privacy behaviours CHAN, Joseph Joo Keng JIANG, Lingxiao TAN, Kiat Wee BALAN, Rajesh Krishna While automated testing of mobile applications is very useful for checking run-time behaviours and specifications, its capability in discovering issues in apps is often limited in practice due to long testing time. A common practice is to randomly and exhaustively explore the whole app test space, which takes a lot of time and resource to achieve good coverage and reach targeted parts of the apps. In this paper, we present MAMBA, a directed testing system for checking privacy in Android apps. MAMBA performs path searches of user events in control-flow graphs of callbacks generated from static analysis of app bytecode. Based on the paths found, it builds test cases comprised of user events that can trigger the executions of the apps and quickly direct the apps' activity transitions from the starting activity towards target activities of interest, revealing potential accesses to privacy-sensitive data in the apps. MAMBA's backend testing engine then simulates the executions of the apps following the generated test cases to check actual run-time behavior of the apps that may leak users' private data. We evaluated MAMBA against another automated testing approach that exhaustively searches for target activities in 24 apps, and found that our graph-aided directed testing achieves the same coverage of target activities 6.1 times faster on average, including the time required for bytecode analysis and test case generation. By instrumenting privacy access/leak detectors during testing, we were able to verify from test logs that almost half of target activities accessed user privacy data, and 26.7% of target activities leaked privacy data to the network. 2016-05-01T07:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/3440 info:doi/10.1145/2896921.2896930 https://ink.library.smu.edu.sg/context/sis_research/article/4441/viewcontent/icse16ast_directedapptest__1_.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Automated Mobile Application Testing Mobile Privacy Information Security Software Engineering |
| institution |
Singapore Management University |
| building |
SMU Libraries |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
SMU Libraries |
| collection |
InK@SMU |
| language |
English |
| topic |
Automated Mobile Application Testing Mobile Privacy Information Security Software Engineering |
| spellingShingle |
Automated Mobile Application Testing Mobile Privacy Information Security Software Engineering CHAN, Joseph Joo Keng JIANG, Lingxiao TAN, Kiat Wee BALAN, Rajesh Krishna Graph-aided directed testing of Android applications for checking runtime privacy behaviours |
| description |
While automated testing of mobile applications is very useful for checking run-time behaviours and specifications, its capability in discovering issues in apps is often limited in practice due to long testing time. A common practice is to randomly and exhaustively explore the whole app test space, which takes a lot of time and resource to achieve good coverage and reach targeted parts of the apps. In this paper, we present MAMBA, a directed testing system for checking privacy in Android apps. MAMBA performs path searches of user events in control-flow graphs of callbacks generated from static analysis of app bytecode. Based on the paths found, it builds test cases comprised of user events that can trigger the executions of the apps and quickly direct the apps' activity transitions from the starting activity towards target activities of interest, revealing potential accesses to privacy-sensitive data in the apps. MAMBA's backend testing engine then simulates the executions of the apps following the generated test cases to check actual run-time behavior of the apps that may leak users' private data. We evaluated MAMBA against another automated testing approach that exhaustively searches for target activities in 24 apps, and found that our graph-aided directed testing achieves the same coverage of target activities 6.1 times faster on average, including the time required for bytecode analysis and test case generation. By instrumenting privacy access/leak detectors during testing, we were able to verify from test logs that almost half of target activities accessed user privacy data, and 26.7% of target activities leaked privacy data to the network. |
| format |
text |
| author |
CHAN, Joseph Joo Keng JIANG, Lingxiao TAN, Kiat Wee BALAN, Rajesh Krishna |
| author_facet |
CHAN, Joseph Joo Keng JIANG, Lingxiao TAN, Kiat Wee BALAN, Rajesh Krishna |
| author_sort |
CHAN, Joseph Joo Keng |
| title |
Graph-aided directed testing of Android applications for checking runtime privacy behaviours |
| title_short |
Graph-aided directed testing of Android applications for checking runtime privacy behaviours |
| title_full |
Graph-aided directed testing of Android applications for checking runtime privacy behaviours |
| title_fullStr |
Graph-aided directed testing of Android applications for checking runtime privacy behaviours |
| title_full_unstemmed |
Graph-aided directed testing of Android applications for checking runtime privacy behaviours |
| title_sort |
graph-aided directed testing of android applications for checking runtime privacy behaviours |
| publisher |
Institutional Knowledge at Singapore Management University |
| publishDate |
2016 |
| url |
https://ink.library.smu.edu.sg/sis_research/3440 https://ink.library.smu.edu.sg/context/sis_research/article/4441/viewcontent/icse16ast_directedapptest__1_.pdf |
| _version_ |
1770573203365691392 |