As Android has become the de-facto development platform for mobile apps, developers rely heavily on its Software Development Kit (SDK) to build their apps quickly. The SDK exposes a set of APIs that developers may find limited compared with what system apps can do, or with what framework developers are preparing in order to harness the capabilities of new-generation devices. Developers may therefore reach ahead for these normally "inaccessible" APIs to build unique, API-based functionality into their apps.
The Android programming model is unique of its kind. Inaccessible APIs that are nonetheless used by developers are yet another specificity of Android development, and they are worth investigating to understand what they are, how they evolve over time, and who uses them. To that end, in this work we empirically investigate 17 important releases of the Android framework source code base, and we find that inaccessible APIs are commonly implemented in the framework and are neither forward nor backward compatible. Moreover, only a small set of inaccessible APIs eventually becomes publicly accessible, while most are removed during the evolution of the framework, putting apps that have leveraged them at risk. Finally, we show that inaccessible APIs are indeed accessed by third-party apps, and that the official Google Play store has tolerated the proliferation of apps leveraging inaccessible API methods.
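As an added example, not code from the paper: the pattern the abstract describes, an app calling a framework method that the public SDK does not expose, written in Java for Android. The method cannot be referenced directly because it is absent from android.jar, so the app resolves it by name through reflection. android.os.SystemProperties is used as the illustration because it is a well-known class hidden from the SDK; that choice is this editor's, not the paper's, and the guarded fallbacks reflect the abstract's finding that such APIs carry no forward or backward compatibility guarantee.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;

/**
 * Added example (not from the paper): reading a system property through the
 * hidden android.os.SystemProperties class. The class is not part of the
 * public SDK, so a direct call would not compile; the app has to look the
 * method up at runtime, which is exactly why such code is fragile.
 */
public final class HiddenApiAccess {

    private HiddenApiAccess() {}

    /**
     * Returns the value of {@code key}, or {@code fallback} when the hidden API
     * is missing, renamed or refused on the running platform. Every reflective
     * step is guarded because hidden APIs carry no compatibility contract.
     */
    public static String getSystemProperty(String key, String fallback) {
        try {
            // Resolved by string at runtime: invisible to the compiler and to
            // any reviewer who only reads declared imports.
            Class<?> cls = Class.forName("android.os.SystemProperties");
            Method get = cls.getMethod("get", String.class, String.class);
            Object value = get.invoke(null, key, fallback); // static method, null receiver
            return value instanceof String ? (String) value : fallback;
        } catch (ClassNotFoundException | NoSuchMethodException e) {
            // Removed or renamed in this framework release: the
            // "neither forward nor backward compatible" case from the abstract.
            return fallback;
        } catch (IllegalAccessException | InvocationTargetException e) {
            // Present but refused, or it threw internally: degrade instead of crashing.
            return fallback;
        } catch (RuntimeException e) {
            // Platforms that block reflective access to non-SDK members may
            // signal it with an unchecked exception; treat it as unavailable.
            return fallback;
        }
    }
}
```

Because the target is resolved by name, a static reviewer sees only a `Class.forName` string literal followed by `getMethod` and `invoke`; that triple, with a literal naming a class outside the documented SDK, is the signal to search for when auditing an APK for inaccessible API use. Later platform releases also restrict reflective access to non-SDK interfaces, which is one more reason the catch-all branch exists rather than letting the app crash.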
Research centre:
SnT
Disciplines:
Computer science
Author, co-author:
LI, Li ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
LE TRAON, Yves ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
KLEIN, Jacques ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > Computer Science and Communications Research Unit (CSC)
External co-authors:
no
Document language:
English
Title:
Accessing Inaccessible Android APIs: An Empirical Study
Publication date:
October 2016
Event name:
The 32nd International Conference on Software Maintenance and Evolution (ICSME)
Event date:
from 02-10-2016 to 10-10-2016
Event scope:
International
Title of the main work:
The 32nd International Conference on Software Maintenance and Evolution (ICSME)
Pagination:
12
Peer reviewed:
Peer reviewed
FNR project:
FNR10449467 - Automatic Bug Fix Recommendation: Improving Software Repair And Reducing Time-to-fix Delays In Software Development Projects, 2015 (01/02/2016-31/01/2019) - Tegawendé François D'assise Bissyandé
Research project title:
AndroMap C13/IS/5921289 and Recommend C15/IS/10449467