Conference Proceeding Article
While automated testing of mobile applications is very useful for checking run-time behaviours and specifications, its capability in discovering issues in apps is often limited in practice due to long testing time. A common practice is to randomly and exhaustively explore the whole app test space, which takes a lot of time and resource to achieve good coverage and reach targeted parts of the apps. In this paper, we present MAMBA, a directed testing system for checking privacy in Android apps. MAMBA performs path searches of user events in control-flow graphs of callbacks generated from static analysis of app bytecode. Based on the paths found, it builds test cases comprised of user events that can trigger the executions of the apps and quickly direct the apps' activity transitions from the starting activity towards target activities of interest, revealing potential accesses to privacy-sensitive data in the apps. MAMBA's backend testing engine then simulates the executions of the apps following the generated test cases to check actual run-time behavior of the apps that may leak users' private data. We evaluated MAMBA against another automated testing approach that exhaustively searches for target activities in 24 apps, and found that our graph-aided directed testing achieves the same coverage of target activities 6.1 times faster on average, including the time required for bytecode analysis and test case generation. By instrumenting privacy access/leak detectors during testing, we were able to verify from test logs that almost half of target activities accessed user privacy data, and 26.7% of target activities leaked privacy data to the network.
Automated Mobile Application Testing, Mobile Privacy
Graphics and Human Computer Interfaces | Information Security | Software Engineering
Software and Cyber-Physical Systems
AST 2016: Proceedings of the 11th International Workshop on Automation of Software Test, Austin, Texas, 14-15 May
City or Country
CHAN, Joseph Joo Keng; JIANG, Lingxiao; TAN, Kiat Wee; and BALAN, Rajesh Krishna.
Graph-aided directed testing of Android applications for checking runtime privacy behaviours. (2016). AST 2016: Proceedings of the 11th International Workshop on Automation of Software Test, Austin, Texas, 14-15 May. 57-63. Research Collection School Of Information Systems.
Available at: http://ink.library.smu.edu.sg/sis_research/3440
Creative Commons License
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License.