References of "Li, Li"
     in
Bookmark and Share    
Full Text
Peer Reviewed
See detailA critical review on the evaluation of automated program repair systems
Kui, Liu; Li, Li; Koyuncu, Anil UL et al

in Journal of Systems and Software (2021)

Detailed reference viewed: 68 (4 UL)
Full Text
Peer Reviewed
See detailBorrowing your enemy's arrows: the case of code reuse in android via direct inter-app code invocation
Gao, Jun UL; li, li; Kong, Pingfan UL et al

in ESEC/FSE 2020: Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (2020, November)

{The Android ecosystem offers different facilities to enable communication among app components and across apps to ensure that rich services can be composed through functionality reuse. At the heart of ... [more ▼]

{The Android ecosystem offers different facilities to enable communication among app components and across apps to ensure that rich services can be composed through functionality reuse. At the heart of this system is the Inter-component communication (ICC) scheme, which has been largely studied in the literature. Less known in the community is another powerful mechanism that allows for direct inter-app code invocation which opens up for different reuse scenarios, both legitimate or malicious. This paper exposes the general workflow for this mechanism, which beyond ICCs, enables app developers to access and invoke functionalities (either entire Java classes, methods or object fields) implemented in other apps using official Android APIs. We experimentally showcase how this reuse mechanism can be leveraged to â plagiarize" supposedly-protected functionalities. Typically, we were able to leverage this mechanism to bypass security guards that a popular video broadcaster has placed for preventing access to its video database from outside its provided app. We further contribute with a static analysis toolkit, named DICIDer, for detecting direct inter-app code invocations in apps. An empirical analysis of the usage prevalence of this reuse mechanism is then conducted. Finally, we discuss the usage contexts as well as the implications of this studied reuse mechanism [less ▲]

Detailed reference viewed: 36 (5 UL)
Full Text
Peer Reviewed
See detailKnowledgezooclient: Constructing knowledge graph for android
Li, Li; Gao, Jun UL; Kong, Pingfan UL et al

in The 3rd International Workshop on Advances in Mobile App Analysis (2020, September)

In this work, we describe the design and implementation of a reusable tool named KnowledgeZooClient targeting the construction, as a crowd-sourced effort, of a knowledge graph for Android apps ... [more ▼]

In this work, we describe the design and implementation of a reusable tool named KnowledgeZooClient targeting the construction, as a crowd-sourced effort, of a knowledge graph for Android apps. KnowledgeZooClient is made up of two modules: (1) the Metadata Extraction Module (MEM), which aims at extracting metadata from Android apps and (2) the Metadata Integration Module (MIM) for importing and integrating extracted metadata into a graph database. The usefulness of KnowledgeZooClient is demonstrated via an exclusive knowledge graph called KnowledgeZoo, which contains information on over 500,000 apps already and still keeps growing. Interested users can already benefit from KnowledgeZoo by writing advanced search queries so as to collect targeted app samples. [less ▲]

Detailed reference viewed: 24 (4 UL)
Full Text
Peer Reviewed
See detailMadDroid: Characterizing and Detecting Devious Ad Contents for Android Apps
Liu, Tianming; Wang, Haoyu; Li, Li et al

in Proceedings of The Web Conference 2020 (2020, April)

Advertisement drives the economy of the mobile app ecosystem. As a key component in the mobile ad business model, mobile ad content has been overlooked by the research community, which poses a number of ... [more ▼]

Advertisement drives the economy of the mobile app ecosystem. As a key component in the mobile ad business model, mobile ad content has been overlooked by the research community, which poses a number of threats, e.g., propagating malware and undesirable contents. To understand the practice of these devious ad behaviors, we perform a large-scale study on the app contents harvested through automated app testing. In this work, we first provide a comprehensive categorization of devious ad contents, including five kinds of behaviors belonging to two categories: ad loading content and ad clicking content. Then, we propose MadDroid, a framework for automated detection of devious ad contents. MadDroid leverages an automated app testing framework with a sophisticated ad view exploration strategy for effectively collecting ad-related network traffic and subsequently extracting ad contents. We then integrate dedicated approaches into the framework to identify devious ad contents. We have applied MadDroid to 40,000 Android apps and found that roughly 6% of apps deliver devious ad contents, e.g., distributing malicious apps that cannot be downloaded via traditional app markets. Experiment results indicate that devious ad contents are prevalent, suggesting that our community should invest more effort into the detection and mitigation of devious ads towards building a trustworthy mobile advertising ecosystem. [less ▲]

Detailed reference viewed: 83 (0 UL)
Full Text
Peer Reviewed
See detailCDA: Characterising Deprecated Android APIs
li, li; Gao, Jun UL; Bissyande, Tegawendé François D Assise UL et al

in Empirical Software Engineering (2020), 24(118), 1-41

Because of functionality evolution, or security and performance-related changes, some APIs eventually become unnecessary in a software system and thus need to be cleaned to ensure proper maintainability ... [more ▼]

Because of functionality evolution, or security and performance-related changes, some APIs eventually become unnecessary in a software system and thus need to be cleaned to ensure proper maintainability. Those APIs are typically marked first as deprecated APIs and, as recommended, follow through a deprecated-replace-remove cycle, giving an opportunity to client application developers to smoothly adapt their code in next updates. Such a mechanism is adopted in the Android framework development where thousands of reusable APIs are made available to Android app developers. In this work, we present a research-based prototype tool called CDA and apply it to different revisions (i.e., releases or tags) of the Android framework code for characterising deprecated APIs. Based on the data mined by CDA, we then perform an empirical study on API deprecation in the Android ecosystem and the associated challenges for maintaining quality apps. In particular, we investigate the prevalence of deprecated APIs, their annotations and documentation, their removal and consequences, their replacement messages, developer reactions to API deprecation, as well as the evolution of the usage of deprecated APIs. Experimental results reveal several findings that further provide promising insights related to deprecated Android APIs. Notably, by mining the source code of the Android framework base, we have identified three bugs related to deprecated APIs. These bugs have been quickly assigned and positively appreciated by the framework maintainers, who claim that these issues will be updated in future releases. [less ▲]

Detailed reference viewed: 43 (2 UL)
Full Text
Peer Reviewed
See detailUnderstanding the Evolution of Android App Vulnerabilities
Gao, Jun UL; li, li; Bissyande, Tegawendé François D Assise UL et al

in IEEE Transactions on Reliability (2020)

The Android ecosystem today is a growing universe of a few billion devices, hundreds of millions of users and millions of applications targeting a wide range of activities where sensitive information is ... [more ▼]

The Android ecosystem today is a growing universe of a few billion devices, hundreds of millions of users and millions of applications targeting a wide range of activities where sensitive information is collected and processed. Security of communication and privacy of data are thus of utmost importance in application development. Yet, regularly, there are reports of successful attacks targeting Android users. While some of those attacks exploit vulnerabilities in the Android OS, others directly concern application-level code written by a large pool of developers with varying experience. Recently, a number of studies have investigated this phenomenon, focusing however only on a specific vulnerability type appearing in apps, and based on only a snapshot of the situation at a given time. Thus, the community is still lacking comprehensive studies exploring how vulnerabilities have evolved over time, and how they evolve in a single app across developer updates. Our work fills this gap by leveraging a data stream of 5 million app packages to re-construct versioned lineages of Android apps and finally obtained 28;564 app lineages (i.e., successive releases of the same Android apps) with more than 10 app versions each, corresponding to a total of 465;037 apks. Based on these app lineages, we apply state-of- the-art vulnerability-finding tools and investigate systematically the reports produced by each tool. In particular, we study which types of vulnerabilities are found, how they are introduced in the app code, where they are located, and whether they foreshadow malware. We provide insights based on the quantitative data as reported by the tools, but we further discuss the potential false positives. Our findings and study artifacts constitute a tangible knowledge to the community. It could be leveraged by developers to focus verification tasks, and by researchers to drive vulnerability discovery and repair research efforts. [less ▲]

Detailed reference viewed: 159 (17 UL)
Full Text
Peer Reviewed
See detailEvaluating Representation Learning of Code Changes for Predicting Patch Correctness in Program Repair
Tian, Haoye UL; Liu, Kui UL; Kaboreé, Abdoul Kader et al

in Tian, Haoye (Ed.) 35th IEEE/ACM International Conference on Automated Software Engineering, September 21-25, 2020, Melbourne, Australia (2020)

A large body of the literature of automated program repair develops approaches where patches are generated to be validated against an oracle (e.g., a test suite). Because such an oracle can be imperfect ... [more ▼]

A large body of the literature of automated program repair develops approaches where patches are generated to be validated against an oracle (e.g., a test suite). Because such an oracle can be imperfect, the generated patches, although validated by the oracle, may actually be incorrect. While the state of the art explore research directions that require dynamic information or rely on manually-crafted heuristics, we study the benefit of learning code representations to learn deep features that may encode the properties of patch correctness. Our work mainly investigates different representation learning approaches for code changes to derive embeddings that are amenable to similarity computations. We report on findings based on embeddings produced by pre-trained and re-trained neural networks. Experimental results demonstrate the potential of embeddings to empower learning algorithms in reasoning about patch correctness: a machine learning predictor with BERT transformer-based embeddings... [less ▲]

Detailed reference viewed: 40 (4 UL)
Full Text
Peer Reviewed
See detailRevisiting the impact of common libraries for android-related investigations
Li, Li; Riom, Timothée UL; Bissyande, Tegawendé François D Assise UL et al

in Journal of Systems and Software (2019), 154

Detailed reference viewed: 51 (1 UL)
Full Text
Peer Reviewed
See detailMining Android Crash Fixes in the Absence of Issue- and Change-Tracking Systems
Kong, Pingfan UL; li, li; Gao, Jun et al

Scientific Conference (2019, July 15)

Android apps are prone to crash. This often arises from the misuse of Android framework APIs, making it harder to debug since official Android documentation does not discuss thoroughly potential ... [more ▼]

Android apps are prone to crash. This often arises from the misuse of Android framework APIs, making it harder to debug since official Android documentation does not discuss thoroughly potential exceptions.Recently, the program repair community has also started to investigate the possibility to fix crashes automatically. Current results, however, apply to limited example cases. In both scenarios of repair, the main issue is the need for more example data to drive the fix processes due to the high cost in time and effort needed to collect and identify fix examples. We propose in this work a scalable approach, CraftDroid, to mine crash fixes by leveraging a set of 28 thousand carefully reconstructed app lineages from app markets, without the need for the app source code or issue reports. We developed a replicative testing approach that locates fixes among app versions which output different runtime logs with the exact same test inputs. Overall, we have mined 104 relevant crash fixes, further abstracted 17 fine-grained fix templates that are demonstrated to be effective for patching crashed apks. Finally, we release ReCBench, a benchmark consisting of 200 crashed apks and the crash replication scripts, which the community can explore for evaluating generated crash-inducing bug patches. [less ▲]

Detailed reference viewed: 80 (6 UL)
Full Text
Peer Reviewed
See detailOn Identifying and Explaining Similarities in Android Apps
Li, Li; Bissyande, Tegawendé François D Assise UL; Wang, Haoyu et al

in Journal of Computer Science and Technology (2019), 34(2), 437-455

Detailed reference viewed: 38 (1 UL)
Full Text
Peer Reviewed
See detailRebooting Research on Detecting Repackaged Android Apps: Literature Review and Benchmark
Li, Li; Bissyande, Tegawendé François D Assise UL; Klein, Jacques UL

in IEEE Transactions on Software Engineering (2019)

Detailed reference viewed: 56 (2 UL)
Full Text
Peer Reviewed
See detailShould You Consider Adware as Malware in Your Study?
Gao, Jun UL; Li, Li; Kong, Pingfan UL et al

in 26th edition of the IEEE International Conference on Software Analysis, Evolution and Reengineering (2019, February 24)

Empirical validations of research approaches eventually require a curated ground truth. In studies related to Android malware, such a ground truth is built by leveraging Anti-Virus (AV) scanning reports ... [more ▼]

Empirical validations of research approaches eventually require a curated ground truth. In studies related to Android malware, such a ground truth is built by leveraging Anti-Virus (AV) scanning reports which are often provided free through online services such as VirusTotal. Unfortunately, these reports do not offer precise information for appropriately and uniquely assigning classes to samples in app datasets: AV engines indeed do not have a consensus on specifying information in labels. Furthermore, labels often mix information related to families, types, etc. In particular, the notion of “adware” is currently blurry when it comes to maliciousness. There is thus a need to thoroughly investigate cases where adware samples can actually be associated with malware (e.g., because they are tagged as adware but could be considered as malware as well). In this work, we present a large-scale analytical study of Android adware samples to quantify to what extent “adware should be considered as malware”. Our analysis is based on the Androzoo repository of 5 million apps with associated AV labels and leverages a state-of-the-art label harmonization tool to infer the malicious type of apps before confronting it against the ad families that each adware app is associated with. We found that all adware families include samples that are actually known to implement specific malicious behavior types. Up to 50% of samples in an ad family could be flagged as malicious. Overall the study demonstrates that adware is not necessarily benign. [less ▲]

Detailed reference viewed: 185 (16 UL)
Full Text
Peer Reviewed
See detailNegative Results on Mining Crypto-API Usage Rules in Android Apps
Gao, Jun UL; Kong, Pingfan UL; Li, Li et al

in Proceedings of the 16th International Conference on Mining Software Repositories (2019)

Android app developers recurrently use crypto-APIs to provide data security to app users. Unfortunately, misuse of APIs only creates an illusion of security and even exposes apps to systematic attacks. It ... [more ▼]

Android app developers recurrently use crypto-APIs to provide data security to app users. Unfortunately, misuse of APIs only creates an illusion of security and even exposes apps to systematic attacks. It is thus necessary to provide developers with a statically-enforceable list of specifications of crypto-API usage rules. On the one hand, such rules cannot be manually written as the process does not scale to all available APIs. On the other hand, a classical mining approach based on common usage patterns is not relevant in Android, given that a large share of usages include mistakes. In this work, building on the assumption that “developers update API usage instances to fix misuses”, we propose to mine a large dataset of updates within about 40 000 real-world app lineages to infer API usage rules. Eventually, our investigations yield negative results on our assumption that API usage updates tend to correct misuses. Actually, it appears that updates that fix misuses may be unintentional: the same misuses patterns are quickly re-introduced by subsequent updates. [less ▲]

Detailed reference viewed: 64 (8 UL)
Full Text
Peer Reviewed
See detailFraudDroid: Automated Ad Fraud Detection for Android Apps
Dong, Feng; Wang, Haoyu; Li, Li et al

in ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE 2018) (2018, November)

Detailed reference viewed: 180 (5 UL)
Full Text
Peer Reviewed
See detailMoonlightBox: Mining Android API Histories for Uncovering Release-time Inconsistencies
Li, Li; Bissyande, Tegawendé François D Assise UL; Klein, Jacques UL

in 29th IEEE International Symposium on Software Reliability Engineering (ISSRE) (2018, October)

Detailed reference viewed: 137 (4 UL)
Full Text
Peer Reviewed
See detailAutomated Testing of Android Apps: A Systematic Literature Review
Kong, Pingfan UL; Li, Li; Gao, Jun UL et al

in IEEE Transactions on Reliability (2018)

Automated testing of Android apps is essential for app users, app developers and market maintainer communities alike. Given the widespread adoption of Android and the specificities of its development ... [more ▼]

Automated testing of Android apps is essential for app users, app developers and market maintainer communities alike. Given the widespread adoption of Android and the specificities of its development model, the literature has proposed various testing approaches for ensuring that not only functional requirements but also non-functional requirements are satisfied. In this paper, we aim at providing a clear overview of the state-of-the-art works around the topic of Android app testing, in an attempt to highlight the main trends, pinpoint the main methodologies applied and enumerate the challenges faced by the Android testing approaches as well as the directions where the community effort is still needed. To this end, we conduct a Systematic Literature Review (SLR) during which we eventually identified 103 relevant research papers published in leading conferences and journals until 2016. Our thorough examination of the relevant literature has led to several findings and highlighted the challenges that Android testing researchers should strive to address in the future. After that, we further propose a few concrete research directions where testing approaches are needed to solve recurrent issues in app updates, continuous increases of app sizes, as well as the Android ecosystem fragmentation. [less ▲]

Detailed reference viewed: 207 (31 UL)
Full Text
Peer Reviewed
See detailA Closer Look at Real-World Patches
Liu, Kui UL; Kim, Dongsun UL; Koyuncu, Anil UL et al

in 34th IEEE International Conference on Software Maintenance and Evolution (ICSME) (2018, September)

Bug fixing is a time-consuming and tedious task. To reduce the manual efforts in bug fixing, researchers have presented automated approaches to software repair. Unfortunately, recent studies have shown ... [more ▼]

Bug fixing is a time-consuming and tedious task. To reduce the manual efforts in bug fixing, researchers have presented automated approaches to software repair. Unfortunately, recent studies have shown that the state-of-the-art techniques in automated repair tend to generate patches only for a small number of bugs even with quality issues (e.g., incorrect behavior and nonsensical changes). To improve automated program repair (APR) techniques, the community should deepen its knowledge on repair actions from real-world patches since most of the techniques rely on patches written by human developers. Previous investigations on real-world patches are limited to statement level that is not sufficiently fine-grained to build this knowledge. In this work, we contribute to building this knowledge via a systematic and fine-grained study of 16,450 bug fix commits from seven Java open-source projects. We find that there are opportunities for APR techniques to improve their effectiveness by looking at code elements that have not yet been investigated. We also discuss nine insights into tuning automated repair tools. For example, a small number of statement and expression types are recurrently impacted by real-world patches, and expression-level granularity could reduce search space of finding fix ingredients, where previous studies never explored. [less ▲]

Detailed reference viewed: 183 (24 UL)
Full Text
Peer Reviewed
See detailCiD: Automating the Detection of API-related Compatibility Issues in Android Apps
Li, Li; Bissyande, Tegawendé François D Assise UL; Wang, Haoyu et al

in International Symposium on Software Testing and Analysis (ISSTA) (2018, July)

Detailed reference viewed: 166 (3 UL)
Full Text
Peer Reviewed
See detailFaCoY - A Code-to-Code Search Engine
Kim, Kisub UL; Kim, Dongsun UL; Bissyande, Tegawendé François D Assise UL et al

in International Conference on Software Engineering (ICSE 2018) (2018, May 27)

Code search is an unavoidable activity in software development. Various approaches and techniques have been explored in the literature to support code search tasks. Most of these approaches focus on ... [more ▼]

Code search is an unavoidable activity in software development. Various approaches and techniques have been explored in the literature to support code search tasks. Most of these approaches focus on serving user queries provided as natural language free-form input. However, there exists a wide range of use-case scenarios where a code-to-code approach would be most beneficial. For example, research directions in code transplantation, code diversity, patch recommendation can leverage a code-to-code search engine to find essential ingredients for their techniques. In this paper, we propose FaCoY, a novel approach for statically finding code fragments which may be semantically similar to user input code. FaCoY implements a query alternation strategy: instead of directly matching code query tokens with code in the search space, FaCoY first attempts to identify other tokens which may also be relevant in implementing the functional behavior of the input code. With various experiments, we show that (1) FaCoY is more effective than online code-to-code search engines; (2) FaCoY can detect more semantic code clones (i.e., Type-4) in BigCloneBench than the state-of-theart; (3) FaCoY, while static, can detect code fragments which are indeed similar with respect to runtime execution behavior; and (4) FaCoY can be useful in code/patch recommendation. [less ▲]

Detailed reference viewed: 182 (19 UL)
Full Text
Peer Reviewed
See detailCharacterising Deprecated Android APIs
Li, Li; Gao, Jun UL; Bissyande, Tegawendé François D Assise UL et al

in 15th International Conference on Mining Software Repositories (MSR 2018) (2018, May)

Detailed reference viewed: 155 (9 UL)