Don't Trust Me, Test Me: 100% Code Coverage for a 3rd-party Android App

[en] The incompleteness of 3rd-party app testing is an accepted fact in Software Engineering. This issue makes it impossible to verify the app functionality and to confirm its safety to the end-user. To solve this problem, enterprises developed strict policies. A company, willing to use modern apps, may perform an expensive security analysis, rely on trust or forbid the app. These strategies may lead companies to high direct and indirect spending with no guarantee of safety. In this work, we present a novel approach, called Dynamic Binary Shrinking, that allows a user to review app functionality and leave only tested code. The shrunk app produces 100% instruction coverage on observed behaviors and in this way guarantees the absence of unexplored, and therefore, potentially malicious code. On our running examples, we demonstrate that apps use less than 20% of the codebase. We developed an approach and the ACVCut tool to shrink Android apps towards the executed code. Repository — http://github.com/pilgun/acvcut.

Disciplines :

Computer science

Author, co-author :

PILGUN, Aleksandr ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > PI Mauw

External co-authors :

Language :

English

Title :

Don't Trust Me, Test Me: 100% Code Coverage for a 3rd-party Android App

Publication date :

2020

Event name :

2020 27th Asia-Pacific Software Engineering Conference (APSEC)

Event place :

Singapore, Singapore

Event date :

01-12-2020 to 04-12-2020

Audience :

International

Main work title :

2020 27th Asia-Pacific Software Engineering Conference (APSEC)

Author, co-author :

PILGUN, Aleksandr

Pages :

375-384

Peer reviewed :

Peer reviewed

Focus Area :

Security, Reliability and Trust

FnR Project :

FNR11289380 - Systematically Exploring Semantic App Models For Android, 2016 (15/11/2016-14/11/2020) - Aleksandr Pilgun

Name of the research project :

FNR11289380 > Aleksandr Pilgun > > Systematically Exploring Semantic App Models for Android > 15/11/2016 > 14/11/2020 > 2016

Available on ORBilu :

since 18 October 2020

Statistics

Number of views

289 (26 by Unilu)

Number of downloads

360 (10 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

OpenAlex citations

publications

supporting

mentioning

contrasting

Smart Citations

Citing PublicationsSupportingMentioningContrasting

View Citations

See how this article has been cited at scite.ai

scite shows how a scientific paper has been cited by providing the context of the citation, a classification describing whether it supports, mentions, or contrasts the cited claim, and a label indicating in which section the citation was made.

Bibliography

A. Pilgun, " [GitHub] pilgun/acvcut: ACVCut v1. 0, Zenodo, " Sep 2020. [Online]. Available: https://doi. org/10. 5281/zenodo. 4060422
Google. (2020) Google play protect. [Online]. Available: https://www. android. com/play-protect/
K. Tam, A. Feizollah, N. B. Anuar, R. Salleh, and L. Cavallaro, "The evolution of android malware and android analysis techniques, " ACM Computing Surveys (CSUR), vol. 49, no. 4, pp. 1-41, 2017.
Y. Fratantonio, A. Bianchi, W. Robertson, E. Kirda, C. Kruegel, and G. Vigna, "Triggerscope: Towards detecting logic bombs in android applications, " in 2016 IEEE symposium on security and privacy (SP). IEEE, 2016, pp. 377-396.
Google. (2020) Mobile device management system for android enterprise. [Online]. Available: https://www. android. com/enterprise/management/
M. Linares-Vásquez, G. Bavota, and C. Escobar-Velásquez, "An empirical study on android-related vulnerabilities, " in 2017 IEEE/ACM 14th International Conference on Mining Software Repositories (MSR). IEEE, 2017, pp. 2-13.
S. Dashevskyi, Y. Zhauniarovich, O. Gadyatskaya, A. Pilgun, and H. Ouhssain, "Dissecting android cryptocurrency miners, " in Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy, 2020, pp. 191-202.
L. Li, T. F. Bissyandé, M. Papadakis, S. Rasthofer, A. Bartel, D. Octeau, J. Klein, and L. Traon, "Static analysis of android apps: A systematic literature review, " Information and Software Technology, vol. 88, pp. 67-95, 2017.
P. Kong, L. Li, J. Gao, K. Liu, T. F. Bissyandé, and J. Klein, "Automated testing of android apps: A systematic literature review, " IEEE Transactions on Reliability, vol. 68, no. 1, pp. 45-66, 2018.
K. Jamrozik and A. Zeller, "Droidmate: a robust and extensible test generator for android, " in Proceedings of the International Conference on Mobile Software Engineering and Systems, 2016, pp. 293-294.
L. Bao, T.-D. B. Le, and D. Lo, "Mining sandboxes: Are we there yet?" in 2018 IEEE 25th International Conference on Software Analysis, Evolution and Reengineering (SANER). IEEE, 2018, pp. 445-455.
T.-D. B. Le, L. Bao, D. Lo, D. Gao, and L. Li, "Towards mining comprehensive android sandboxes, " in 2018 23rd International conference on engineering of complex computer systems (ICECCS). IEEE, 2018, pp. 51-60.
Y. Zhauniarovich and O. Gadyatskaya, "Small changes, big changes: An updated view on the android permission system, " in Research in Attacks, Intrusions, and Defenses, F. Monrose, M. Dacier, G. Blanc, and J. Garcia-Alfaro, Eds. Cham: Springer International Publishing, 2016, pp. 346-367.
A. Bartel, J. Klein, Y. Le Traon, and M. Monperrus, "Automatically securing permission-based software by reducing the attack surface: An application to android, " in 2012 Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering. IEEE, 2012, pp. 274-277.
K. Jamrozik, P. von Styp-Rekowsky, and A. Zeller, "Mining sandboxes, " in Proceedings of the 38th International Conference on Software Engineering, 2016, pp. 37-48.
Y. Jiang, C. Zhang, D. Wu, and P. Liu, "Feature-based software customization: Preliminary analysis, formalization, and methods, " in 2016 IEEE 17th International Symposium on High Assurance Systems Engineering (HASE). IEEE, 2016, pp. 122-131.
Y. Jiang, D. Wu, and P. Liu, "Jred: Program customization and bloatware mitigation based on static analysis, " in 2016 IEEE 40th Annual Computer Software and Applications Conference (COMPSAC), vol. 1, 2016, pp. 12-21.
Y. Jiang, Q. Bao, S. Wang, X. Liu, and D. Wu, "Reddroid: Android application redundancy customization based on static analysis, " in 2018 IEEE 29th International Symposium on Software Reliability Engineering (ISSRE). IEEE, 2018, pp. 189-199.
K. Heo, W. Lee, P. Pashakhanloo, and M. Naik, "Effective program debloating via reinforcement learning, " in Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, ser. CCS '18. New York, NY, USA: Association for Computing Machinery, 2018, p. 380-394. [Online]. Available: https://doi. org/10. 1145/3243734. 3243838
I. Agadakos, D. Jin, D. Williams-King, V. P. Kemerlis, and G. Portokalidis, "Nibbler: Debloating binary shared libraries, " in Proceedings of the 35th Annual Computer Security Applications Conference, ser. ACSAC '19. New York, NY, USA: Association for Computing Machinery, 2019, p. 70-83. [Online]. Available: https://doi. org/10. 1145/3359789. 3359823
B. A. Azad, P. Laperdrix, and N. Nikiforakis, "Less is more: quantifying the security benefits of debloating web applications, " in 28th {USENIX} Security Symposium ({USENIX} Security 19), 2019, pp. 1697-1714.
C. Qian, H. Hu, M. Alharthi, P. H. Chung, T. Kim, and W. Lee, "{RAZOR}: A framework for post-deployment software debloating, " in 28th {USENIX} Security Symposium ({USENIX} Security 19), 2019, pp. 1733-1750.
L. Onwuzurike, M. Almeida, E. Mariconti, J. Blackburn, G. Stringhini, and E. De Cristofaro, "A family of droids-android malware detection via behavioral modeling: Static vs dynamic analysis, " in 2018 16th Annual Conference on Privacy, Security and Trust (PST). IEEE, 2018, pp. 1-10.
R. Vallée-Rai, P. Co, E. Gagnon, L. Hendren, P. Lam, and V. Sundaresan, "Soot: A java bytecode optimization framework, " in CASCON First Decade High Impact Papers, ser. CASCON '10. USA: IBM Corp., 2010, pp. 214-224. [Online]. Available: https://doi. org/10. 1145/1925805. 1925818
Google. (2018) smali. [Online]. Available: https://android. googlesource. com/platform/external/smali/
N. P. Borges Jr, J. Hotzkow, and A. Zeller, "Droidmate-2: a platform for android test generation, " in Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, 2018, pp. 916-919.
Y. Li, Z. Yang, Y. Guo, and X. Chen, "Droidbot: a lightweight ui-guided test input generator for android, " in 2017 IEEE/ACM 39th International Conference on Software Engineering Companion (ICSE-C), May 2017, pp. 23-26.
Google. (2020) UI/Application Exerciser Monkey. [Online]. Available: https://developer. android. com/studio/test/monkey
J. Rabe. (2016) Timebomb: Stops app usage after a period of time has passed starting from app build date. [Online]. Available: https://github. com/kibotu/TimeBomb
GuardSquare. (2020) Proguard manual. [Online]. Available: https://www. guardsquare. com/en/proguard/manual/introduction
Google. (2020) Shrink, obfuscate, and optimize your app. [Online]. Available: https://developer. android. com/studio/build/shrink-code
A. Pilgun, O. Gadyatskaya, S. Dashevskyi, Y. Zhauniarovich, and A. Kushniarou, "An effective android code coverage tool, " in Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, 2018, pp. 2189-2191.
A. Pilgun, O. Gadyatskaya, Y. Zhauniarovich, S. Dashevskyi, A. Kushniarou, and S. Mauw, "Fine-grained code coverage measurement in automated black-box android testing, " ACM Transactions on Software Engineering and Methodology (TOSEM), vol. 29, no. 4, pp. 1-35, 2020.
I. Google. (2020) WebView: A View that displays web pages. [Online]. Available: https://developer. android. com/reference/android/webkit/WebView
T. O. Foundation. (2020) Mobile security testing guide. android antireversing defenses. [Online]. Available: https://mobile-security. gitbook. io/mobile-security-testing-guide/android-testing-guide/0x05j-testing-resiliency-against-reverse-engineering
Google. (2019) UI Automator. [Online]. Available: https://developer. android. com/training/testing/ui-automator
K. Cooper and L. Torczon, Engineering a compiler. Elsevier, 2011.
M. D. Brown and S. Pande, "Carve: Practical security-focused software debloating using simple feature set mappings, " in Proceedings of the 3rd ACM Workshop on Forming an Ecosystem Around Software Transformation, 2019, pp. 1-7.
J. Landsborough, S. Harding, and S. Fugate, "Removing the kitchen sink from software, " in Proceedings of the Companion Publication of the 2015 Annual Conference on Genetic and Evolutionary Computation, 2015, pp. 833-838.