Towards Black Box Testing of Android Apps

Zhauniarovich, Yury; Philippov, Anton; GADYATSKAYA, Olga; Crispo, Bruno; Massacci, Fabio

doi:10.1109/ARES.2015.70

Request a copy

Paper published in a book (Scientific congresses, symposiums and conference proceedings)

Towards Black Box Testing of Android Apps

Zhauniarovich, Yury; Philippov, Anton; GADYATSKAYA, Olga et al.

2015 • In Proc. of Software Assurance Workshop at the 10th International Conference on Availability, Reliability and Security (ARES)

Peer reviewed

Permalink
https://hdl.handle.net/10993/23816

DOI
10.1109/ARES.2015.70

Files (1)Send to Details Statistics Bibliography Similar publications

Files

Full Text

bboxtesting.pdf

Author preprint (339.09 kB)

Request a copy

All documents in ORBilu are protected by a user license.

Send to

RIS BibTex APA Chicago Permalink X Linkedin

Details

Keywords :

Android; testing; code coverage

Abstract :

[en] Many state-of-art mobile application testing frameworks (e.g., Dynodroid, EvoDroid) enjoy Emma or other code coverage libraries to measure the coverage achieved. The underlying assumption for these frameworks is availability of the app source code. Yet, application markets and security researchers face the need to test third-party mobile applications in the absence of the source code. There exists a number of frameworks both for manual and automated test generation that address this challenge. However, these frameworks often do not provide any statistics on the code coverage achieved, or provide coarse-grained ones like a number of activities or methods covered. At the same time, given two test reports generated by different frameworks, there is no way to understand which one achieved better coverage if the reported metrics were different (or no coverage results were provided). To address these issues we designed a framework called BBOXTESTER that is able to generate code coverage reports and produce uniform coverage metrics in testing without the source code. Security researchers can automatically execute applications exploiting current stateof- art tools, and use the results of our framework to assess if the security-critical code was covered by the tests. In this paper we report on design and implementation of BBOXTESTER and assess its efficiency and effectiveness.

Research center :

SnT - Interdisciplinary Centre for Security, Reliability and Trust

Disciplines :

Computer science

Author, co-author :

Zhauniarovich, Yury

Philippov, Anton

GADYATSKAYA, Olga ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

Crispo, Bruno

Massacci, Fabio

External co-authors :

yes

Language :

English

Title :

Towards Black Box Testing of Android Apps

Publication date :

August 2015

Event name :

Software Assurance Workshop at the 10th International Conference of Availability, Reliability and Security (ARES), 2015

Event date :

24-08-2015 to 27-08-2015

Audience :

International

Main work title :

Proc. of Software Assurance Workshop at the 10th International Conference on Availability, Reliability and Security (ARES)

Publisher :

IEEE

Peer reviewed :

Peer reviewed

Commentary :

501--510

Available on ORBilu :

since 22 January 2016

Statistics

Number of views

82 (1 by Unilu)

Number of downloads

0 (0 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

OpenAlex citations

Bibliography

A. Machiry, R. Tahiliani, and M. Naik, "Dynodroid: An input Generation System for Android Apps, " in Proceedings of ESEC/FSE'2013.
R. Mahmood, N. Mirzaei, and S. Malek, "EvoDroid: Segmented Evolutionary Testing of Android Apps, " in Proceedings of FSE'2014, 2014.
EMMA: A free Java code coverage tool. http://emma. sourceforge. net/.
Google Play Launch Checklist. http://developer. android. com/distribute/tools/launch-checklist. html.
App Store Publishing Guidelines. https: //developer. apple. com/library/ios/documentation/IDEs/Conceptual/AppDistributionGuide/SubmittingYourApp/SubmittingYourApp. html.
J. Voas, S. Quirolgico, C. Michael, and K. Scarfone, "Technical Considerations for Vetting 3rd Party Mobile Applications (Draft), " NIST, NIST Special Publication 800-163 (Draft), 2014.
Robotium. https: //code. google. com/p/robotium/.
Espresso at android-test-kit. https: //code. google. com/p/android-test-kit/wiki/Espresso.
UI/Application Exerciser Monkey. http://developer. android. com/tools/help/monkey. html.
S. Hao, B. Liu, S. Nath, W. Halfond, and R. Govindan, "PUMA: Programmable UI-Automation for Large Scale Dynamic Analysis of Mobile Apps, " in Proceedings of Mobisys'2014, 2014.
R. Bhoraskar, S. Han, J. Jeon, T. Azim, S. Chen, J. Jung, S. Nath, R. Wang, and D. Wetherall, "Brahmastra: Driving Apps to Test the Security of Third-Party Components, " in Proceedings of Usenix Security' 2014, 2014.
T. Azim and I. Neamtiu, "Targeted and Depth-first Exploration for Systematic Testing of Android Apps, " in Proceedings of OOPSLA'2013, 2013, pp. 641-660.
L. Inozemtseva and R. Holmes, "Coverage is not Strongly Correlated with Test Suite Effectiveness, " in Proceedings of ICSE'2014, 2014, pp. 435-444.
A. Gianazza, F. Maggi, A. Fattori, L. Cavallaro, and S. Zanero, "PuppetDroid: A User-Centric UI Exerciser for Automatic Dynamic Analysis of Similar Android Applications, " arXiv: 1402. 4826, 2014.
Y. Zhauniarovich, M. Ahmad, O. Gadyatskaya, B. Crispo, and F. Massacci, "StaDynA: Addressing the Problem of Dynamic Code Updates in the Security Analysis of Android Applications, " in Proceedings of CODASPY '15, 2015.
A. Reina, A. Fattori, and L. Cavallaro, "A System Call-Centric Analysis and Stimulation Technique to Automatically Reconstruct Android Malware Behaviors, " in Proceedings of EuroSys'2013, 2013.
B. Davis, B. Sanders, A. Khodaverdian, and H. Chen, "I-ARM-Droid: A Rewriting Framework for In-App Reference Monitors for Android Applications, " in IEEE Mobile Security Technologies (MoST), 2012.
R. Mahmood, N. Esfahani, T. Kacem, N. Mirzaei, S. Malek, and A. Stavrou, "A Whitebox Approach for Automated Security Testing of Android Applications on the Cloud, " in Proceedings of AST'2012.
L. Ravindranath, S. Nath, J. Padhye, and H. Balakrishnan, "Automatic and Scalable Fault Detection for Mobile Applications, " in Proceedings of MobiSys'2014, 2014.
G. Hu, X. Yuan, Y. Tang, and J. Yang, "Efficiently, Effectively Detecting Mobile App Bugs with AppDoctor, " in Proceedings of EuroSys'2014.
D. Amalfitano, N. Amatucci, A. Fasolino, U. Gentile, G. Mele, R. Nardone, V. Vittorini, and S. Marrone, "Improving Code Coverage in Android Apps Testing by Exploiting Patterns and Automated Test Case Generation, " in Proceedings of WISE'2014, 2014.
C. Jensen, M. Prasad, and A. Moller, "Automated Testing with Targeted Event Sequence Generation, " in Proceedings of ISSTA'2013, 2013.
Y. Zhauniarovich, O. Gadyatskaya, and B. Crispo, "Demo: Enabling trusted stores for Android, " in Proc. of CCS. ACM, 2013, pp. 1345-1348.
Y. Zhauniarovich, O. Gadyatskaya, B. Crispo, F. L. Spina, and E. Moser, "FSquaDRA: Fast detection of repackaged applications, " in Proc. of DBSec, ser. LNCS, vol. 8566. Springer, 2014, pp. 130-145.
Tools Help: Platform tools. https: //developer. android. com/tools/help/index. html.
ApkTool: A tool for reverse engineering Android apk files. https: //code. google. com/p/android-apktool/.
Dex2Jar: Tools to work with android. dex and java. class files. https: //code. google. com/p/dex2jar/.
Zipalign. https: //developer. android. com/tools/help/zipalign. html.
Android Debug Bridge. http://developer. android. com/tools/help/adb. html.
JaCoCo Java Code Coverage Library. http://www. eclemma. org/jacoco/.
D. Octeau, S. Jha, and P. McDaniel, "Retargeting Android Applications to Java Bytecode, " in Proceedings of FSE'2012, 2012, pp. 6: 1-6: 11.
Android API Reference: Instrumentation. http://developer. android. com/reference/android/app/Instrumentation. html.
W. Choi, G. NEcula, and K. Sen, "Guided GUI Testing of Android Apps with Minimal Restart and Approximate Learning, " in Proceedings of OOPSLA'2013, 2013.
Intents and Intent Filters. http://developer. android. com/guide/components/intents-filters. html.
A. Bartel, J. Klein, M. Monperrus, K. Allix, and Y. Le Traon, "Improving Privacy on Android Smartphones through In-vivo Bytecode Instrumentation, " arXiv preprint arXiv: 1208. 4536, 2012.
A. Apvrille. (2013, December) Sophisticated DEX obfuscation or Proguard configuration issue? http://bit. ly/1vosShb.
E. Lafortune. (2014, November) The upcoming Jack & Jill compilers in Android. https: //www. saikoa. com/blog/the upcoming jack and jill compilers in android.
A. Avancini and M. Ceccato, "Security Testing of the Communication among Android Applications, " in Proceedings of AST'2013, 2013.
S. Anand, M. Naik, M. J. Harrold, and H. Yang, "Automated Concolic Testing of Smartphone Apps, " in Proceedings of FSE'2012, 2012.
N. Mirzaei, S. Malek, C. Pasareanu, N. Esfahani, and R. Mahmood, "Testing Android Apps Through Symbolic Execution, " ACM SIGSOFT Software Engineering Notes, vol. 37, no. 6, 2012.
J. Jeon and J. S. Foster, "Troyd: Integration Testing for Android, " University of Maryland, Tech. Rep. CS-TR-5013, 2012.
C.-J. Liang, N. Lane, N. Brouwers, L. Zhang, B. Karlsson, H. Liu, Y. Liu, J. Tang, X. Shan, R. Chandra, and F. Zhao, "Caiipa: Automated Large-scale Mobil App Testing through Contextual Fuzzing, " in Proceedings of MobiCom'2014, 2014, pp. 519-530.
H. Ye, S. Cheng, L. Zhang, and F. Jiang, "DroidFuzzer: Fuzzing the Android Apps with Intent-Filter Tag, " in Proceedings of MoMM'2013.
W. Yang, M. Prasad, and T. Xie, "A Grey-Box Approach for Automated GUI-Model Generation of Mobile Applications, " in Proceedings of FASE'2013, 2013.
P. Maiya, A. Kanade, and R. Majumdar, "Race Detection for Android Applications, " in Proceedings of PLDI'2014, 2014.
V. Rastogi, Y. Chen, and W. Enck, "AppsPlayground: Automatic Security Analysis of Smartphone Applications, " in Proceedings of CODASPY'2013, 2013.
B. Liu, S. Nath, R. Govindan, and J. Liu, "DECAF: Detecting and Characterizing Ad Fraud in Mobile Apps, " in Proceedings of Usenix NSDI'2014, 2014.
C. Zheng, S. Zhu, S. Dai, G. Gu, X. Gong, X. Han, and W. Zou, "SmartDroid: an Automatic System for Revealing UI-based Trigger Conditions in Android Applications, " in Proceedings of SPSM'2012.
C. Hu and I. Neamtiu, "Automating GUI Testing for Android Applications, " in Proceedings of AST'2011, 2011.
A. Fuchs, A. Chaudhuri, and J. S. Foster, "SCanDroid: Automated Security Certification of Android, " University of Maryland, Tech. Rep. CS-TR-4991, 2009.