Publication Type
Conference Proceeding Article
Version
acceptedVersion
Publication Date
5-2016
Abstract
While automated testing of mobile applications is very useful for checking run-time behaviours and specifications, its capability in discovering issues in apps is often limited in practice by long testing time. A common practice is to randomly and exhaustively explore the whole app test space, which takes a great deal of time and resources to achieve good coverage and to reach targeted parts of the apps. In this paper, we present MAMBA, a directed testing system for checking privacy in Android apps. MAMBA performs path searches over user events in control-flow graphs of callbacks generated from static analysis of app bytecode. Based on the paths found, it builds test cases comprised of user events that trigger the execution of the apps and quickly direct the apps' activity transitions from the starting activity towards target activities of interest, revealing potential accesses to privacy-sensitive data in the apps. MAMBA's backend testing engine then simulates the execution of the apps following the generated test cases to check actual run-time behaviour that may leak users' private data. We evaluated MAMBA against another automated testing approach that exhaustively searches for target activities in 24 apps, and found that our graph-aided directed testing achieves the same coverage of target activities 6.1 times faster on average, including the time required for bytecode analysis and test case generation. By instrumenting privacy access/leak detectors during testing, we were able to verify from test logs that almost half of the target activities accessed user privacy data, and 26.7% of the target activities leaked privacy data to the network.
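The following is an added illustration of the directed-versus-exhaustive idea described in the abstract; it is not code from MAMBA or the paper. The activity transition graph, the event labels, and the set of target activities are all constructed here as assumptions: in the real system the graph comes from static analysis of callbacks in the app bytecode, and targets are activities whose callbacks reach privacy-sensitive APIs. The example derives the shortest user-event sequence to each target by breadth-first search, replays it as a simulated backend engine would, and counts how many events a depth-first crawler that visits every activity (backtracking by restart-and-replay) would have to fire before it happens upon the same targets.

```python
"""Graph-aided directed testing vs. exhaustive crawling of an activity graph.

Added example (not the paper's code). The graph below is constructed for the
example; nodes are Android activities, edges are labelled with the user event
(callback) that triggers the transition.
"""
from collections import deque

# Constructed sample callback graph for a hypothetical app (assumption).
TRANSITIONS = {
    "MainActivity": [("click:btn_login", "LoginActivity"),
                     ("click:btn_about", "AboutActivity"),
                     ("click:btn_settings", "SettingsActivity")],
    "LoginActivity": [("click:btn_submit", "ProfileActivity"),
                      ("back", "MainActivity")],
    "AboutActivity": [("back", "MainActivity")],
    "SettingsActivity": [("click:btn_location", "LocationActivity"),
                         ("click:btn_contacts", "ContactsActivity"),
                         ("back", "MainActivity")],
    "ProfileActivity": [("click:btn_share", "ShareActivity"),
                        ("back", "LoginActivity")],
    "LocationActivity": [("back", "SettingsActivity")],
    "ContactsActivity": [("back", "SettingsActivity")],
    "ShareActivity": [("back", "ProfileActivity")],
}

# Assumed targets: activities whose callbacks reach privacy-sensitive APIs
# (location, contacts, network send of user data).
TARGETS = {"LocationActivity", "ContactsActivity", "ShareActivity"}


def directed_test_cases(graph, start, targets):
    """BFS from `start`; returns {target: [events]} with the shortest user-event
    sequence that drives the app to each reachable target (unreachable ones are
    simply absent, so the caller can report them)."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for event, nxt in graph.get(cur, []):
            if nxt not in parent:
                parent[nxt] = (cur, event)
                queue.append(nxt)
    cases = {}
    for target in targets:
        if target not in parent:
            continue
        events, node = [], target
        while parent[node] is not None:
            prev, event = parent[node]
            events.append(event)
            node = prev
        cases[target] = events[::-1]
    return cases


def directed_event_count(graph, start, targets):
    """Total events fired to reach every reachable target, one test case each."""
    return sum(len(ev) for ev in directed_test_cases(graph, start, targets).values())


def replay(graph, start, events):
    """Simulate the backend engine: fire each event from the current activity and
    follow the matching callback edge. Returns the activity reached, or None if
    some event has no callback there (the test case is stale for this build)."""
    cur = start
    for event in events:
        nxt = dict(graph.get(cur, [])).get(event)
        if nxt is None:
            return None
        cur = nxt
    return cur


def exhaustive_crawl_events(graph, start, targets):
    """Depth-first crawl in declaration order that visits each activity once.
    Returning to a parent after finishing a branch is modelled as an app restart
    plus replay of the parent's event prefix (how many crawlers backtrack).
    Returns the number of events fired before every target has been reached."""
    fired = 0
    visited = {start}
    found = set()

    def dfs(activity, path):
        nonlocal fired
        for event, nxt in graph.get(activity, []):
            if nxt in visited:
                continue
            visited.add(nxt)
            fired += 1                     # fire the event, arrive at nxt
            if nxt in targets:
                found.add(nxt)
                if targets <= found:
                    return True
            if dfs(nxt, path + [event]):
                return True
            fired += len(path)             # restart app, replay prefix to `activity`
        return False

    dfs(start, [])
    return fired


if __name__ == "__main__":
    cases = directed_test_cases(TRANSITIONS, "MainActivity", TARGETS)
    for target, events in sorted(cases.items()):
        landed = replay(TRANSITIONS, "MainActivity", events)
        print(f"{target}: {' -> '.join(events)}  (replay reached {landed})")
    print("directed events :", directed_event_count(TRANSITIONS, "MainActivity", TARGETS))
    print("exhaustive events:", exhaustive_crawl_events(TRANSITIONS, "MainActivity", TARGETS))
```

On this constructed graph the directed test cases fire 7 events in total (2 + 2 + 3), while the exhaustive crawler fires 11 before it has stumbled on all three targets; the gap grows with the number of activities that are irrelevant to privacy, which is the effect the paper's 6.1x figure measures on real apps. The `replay` check matters in practice because a statically derived event path can fail at run time (a guard on the callback, a dialog, a login wall), and a test case that never reaches its target must be reported as such rather than counted as "no leak".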
Keywords
Automated Mobile Application Testing, Mobile Privacy
Discipline
Information Security | Software Engineering
Research Areas
Software and Cyber-Physical Systems
Publication
AST 2016: Proceedings of the 11th International Workshop on Automation of Software Test, Austin, Texas, 14-15 May
First Page
57
Last Page
63
ISBN
9781450341516
Identifier
10.1145/2896921.2896930
Publisher
ACM
City or Country
New York
Citation
CHAN, Joseph Joo Keng; JIANG, Lingxiao; TAN, Kiat Wee; and BALAN, Rajesh Krishna.
Graph-aided directed testing of Android applications for checking runtime privacy behaviours. (2016). AST 2016: Proceedings of the 11th International Workshop on Automation of Software Test, Austin, Texas, 14-15 May. 57-63.
Available at: https://ink.library.smu.edu.sg/sis_research/3440
Copyright Owner and License
Authors
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
https://doi.org/10.1145/2896921.2896930