Many state-of-the-art mobile application testing frameworks (e.g., Dynodroid, EvoDroid) use Emma or other code coverage libraries to measure the coverage achieved. The underlying assumption of these frameworks is the availability of the app source code. Yet application markets and security researchers face the need to test third-party mobile applications in the absence of the source code. A number of frameworks for both manual and automated test generation address this challenge. However, these frameworks often do not provide any statistics on the code coverage achieved, or provide only coarse-grained ones, such as the number of activities or methods covered. At the same time, given two test reports generated by different frameworks, there is no way to tell which one achieved better coverage if the reported metrics differ (or no coverage results were provided at all). To address these issues we designed a framework called BBOXTESTER that is able to generate code coverage reports and produce uniform coverage metrics when testing without the source code. Security researchers can automatically execute applications using current state-of-the-art tools, and use the results of our framework to assess whether the security-critical code was covered by the tests. In this paper we report on the design and implementation of BBOXTESTER and assess its efficiency and effectiveness.
Research centre:
SnT - Interdisciplinary Centre for Security, Reliability and Trust
Disciplines:
Computer science
Author, co-author:
Zhauniarovich, Yury
Philippov, Anton
Gadyatskaya, Olga ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Crispo, Bruno
Massacci, Fabio
External co-authors:
yes
Document language:
English
Title:
Towards Black Box Testing of Android Apps
Publication date:
August 2015
Event name:
Software Assurance Workshop at the 10th International Conference on Availability, Reliability and Security (ARES), 2015
Event date:
24-08-2015 to 27-08-2015
Event scope:
International
Title of the main work:
Proc. of Software Assurance Workshop at the 10th International Conference on Availability, Reliability and Security (ARES)