research-article

Automated, Dynamic Android App Vulnerability and Privacy Leak Analysis: Design Considerations, Required Components and Available Tools

Authors:

Jens HeiderAuthors Info & Claims

EICC '21: Proceedings of the 2021 European Interdisciplinary Cybersecurity Conference

Pages 1 - 6

https://doi.org/10.1145/3487405.3487652

Published: 22 November 2021 Publication History

Abstract

Smartphones apps aid humans in plenty of situations. There exists an app for everything. However, without the user’s awareness, some apps contain vulnerabilities or leak private data. Static and dynamic app analysis are ways to find these software properties. Especially setting up a dynamic analysis environment is not a trivial task. Several peculiarities of Android have to be considered, existing tools for different aspects have to be evaluated, selected and setup to work together. Existing literature is often outdated and only covers tools for one aspect but doesn’t combine them together in a big picture. This paper presents a generic design for an automated dynamic app analysis environment and highlights the required components as well as functionality to reveal security and privacy issues. Available tools are listed, realizing different aspects of the proposed environment design. Tool features are evaluated and tool usability for an automated large scale dynamic app analysis is compared. This document should serve as a reference to all who need to implement dynamic analysis on Android (or some aspects) and require an overview of available and usable solutions.

References

[1]

Christoffer Quist Adamsen, Gianluca Mezzetti, and Anders Møller. 2015. Systematic Execution of Android Test Suites in Adverse Conditions(ISSTA).

[2]

D. Amalfitano, N. Amatucci, A. R. Fasolino, 2015. AGRippin: A Novel Search Based Testing Technique for Android Applications(DeMobile).

[3]

D. Amalfitano, A. R. Fasolino, P. Tramontana, 2015. MobiGUITAR: Automated Model-Based Testing of Mobile Apps. IEEE Software (2015).

[4]

D. Amalfitano, A. R. Fasolino, P. Tramontana, S. De Carmine, and A. M. Memon. 2012. Using GUI ripping for automated testing of Android applications(ASE).

[5]

Saswat Anand, Mayur Naik, Mary Jean Harrold, and Hongseok Yang. 2012. Automated Concolic Testing of Smartphone Apps(FSE).

[6]

Tanzirul Azim and Iulian Neamtiu. 2013. Targeted and Depth-First Exploration for Systematic Testing of Android Apps. SIGPLAN (2013).

[7]

M. Backes, S. Bugiel, C. Hammer, O. Schranz, and P. Von Styp-Rekowsky. 2015. Boxify: Full-Fledged App Sandboxing for Stock Android(USENIX Security).

[8]

M. Backes, S. Bugiel, O. Schranz, P. von Styp-Rekowsky, and S. Weisgerber. 2017. ARTist: The Android runtime instrumentation and security toolkit(EuroS&P).

[9]

A. Bianchi, Y. Fratantonio, C. Kruegel, 2015. NJAS: Sandboxing Unmodified Applications in Non-Rooted Devices Running Stock Android(CCS/SPSM).

Digital Library

[10]

Nataniel P. Borges Jr.2017. Data Flow Oriented UI Testing: Exploiting Data Flows and UI Elements to Test Android Applications(ISSTA).

[11]

Yuzhong Cao, Guoquan Wu, Wei Chen, and Jun Wei. 2018. CrawlDroid: Effective Model-Based GUI Testing of Android Apps(Internetware).

[12]

P. Carter, C. Mulliner, M. Lindorfer, 2017. CuriousDroid: Automated User Interface Interaction for Android Application Analysis Sandboxes(FC).

[13]

J. Chen, G. Han, S. Guo, and W. Diao. 2018. FragDroid: Automated User Interface Interaction with Activity and Fragment Analysis in Android Applications(DSN).

[14]

Wontae Choi, George Necula, and Koushik Sen. 2013. Guided GUI Testing of Android Apps with Minimal Restart and Approximate Learning(OOPSLA).

[15]

Valerio Costamagna and Cong Zheng. 2016. ARTDroid: A Virtual-Method Hooking Framework on Android ART Runtime(IMPS@ESSoS).

[16]

B. Davis and H. Chen. 2013. RetroSkeleton: Retrofitting Android Apps(MobiSys).

[17]

M. Diamantaris, E. P. Papadopoulos, E. P. Markatos, 2019. REAPER: Real-Time App Analysis for Augmenting the Android Permission System(CODASPY).

Digital Library

[18]

T. Eder, M. Rodler, D. Vymazal, and M. Zeilinger. 2013. ANANAS - A Framework for Analyzing Android Applications(ARES).

[19]

W. Enck, P. Gilbert, 2010. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones(USENIX OSDI).

[20]

Shuai Hao, Ding Li, William G.J. Halfond, and Ramesh Govindan. 2013. SIF: A Selective Instrumentation Framework for Mobile Applications(MobiSys).

Digital Library

[21]

Shuai Hao, Bin Liu, Suman Nath, 2014. PUMA: Programmable UI-Automation for Large-Scale Dynamic Analysis of Mobile Apps(MobiSys).

Digital Library

[22]

L. V. Haoyin. 2017. Automatic android application GUI testing—A random walk approach(WiSPNET).

[23]

Gang Hu, Xinhao Yuan, Yang Tang, and Junfeng Yang. 2014. Efficiently, Effectively Detecting Mobile App Bugs with AppDoctor(EuroSys).

[24]

J. C. J. Keng, L. Jiang, T. K. Wee, and R. K. Balan. 2016. Graph-Aided Directed Testing of Android Applications for Checking Runtime Privacy Behaviours(AST).

[25]

Y. Koroglu, A. Sen, O. Muslu, Y. Mete, C. Ulker, T. Tanriverdi, and Y. Donmez. 2018. QBE: QLearning-Based Exploration of Android Applications(ICST).

[26]

Wing Lam, Zhengkai Wu, Dengfeng Li, 2017. Record and Replay for Android: Are We There yet in Industrial Cases?(ESEC/FSE).

[27]

M. Linares-Vásquez, M. White, C. Bernal-Cárdenas, 2015. Mining Android App Usages for Generating Actionable GUI-Based Execution Scenarios(MSR).

[28]

M. Linares-Vásquez, K. Moran, 2017. Continuous, Evolutionary and Large-Scale: A New Perspective for Automated Mobile App Testing(ICSME).

[29]

C. Luo, J. Goncalves, E. Velloso, 2020. A Survey of Context Simulation for Testing Mobile Context-Aware Applications. ACM Comput. Surv. (2020).

[30]

Aravind Machiry, Rohan Tahiliani, and Mayur Naik. 2013. Dynodroid: An Input Generation System for Android Apps(ESEC/FSE).

[31]

Riyadh Mahmood, Nariman Mirzaei, and Sam Malek. 2014. EvoDroid: Segmented Evolutionary Testing of Android Apps(FSE).

[32]

Ke Mao, Mark Harman, and Yue Jia. 2016. Sapienz: Multi-Objective Automated Testing for Android Applications(ISSTA).

[33]

N. Mirzaei, H. Bagheri, R. Mahmood, and S. Malek. 2015. SIG-Droid: Automated system input generation for Android applications(ISSRE).

[34]

K. Moran, M. Linares-Vásquez, C. Bernal-Cárdenas, 2016. Automatically Discovering, Reporting and Reproducing Android Application Crashes(ICST).

[35]

Sebastian Neuner, Victor van der Veen, Martina Lindorfer, Markus Huber, Georg Merzdovnik, Martin Mulazzani, and Edgar R. Weippl. 2014. Enter Sandbox: Android Sandbox Comparison. CoRR (2014).

[36]

Zhenyu Ning and Fengwei Zhang. 2017. Ninja: Towards Transparent Tracing and Debugging on ARM(USENIX Security).

[37]

Vaibhav Rastogi, Yan Chen, and William Enck. 2013. AppsPlayground: Automatic Security Analysis of Smartphone Applications(CODASPY).

[38]

Shauvik Roy Choudhary, Alessandra Gorla, and Alessandro Orso. 2015. Automated Test Input Generation for Android: Are We There Yet?(ASE).

[39]

Raimondas Sasnauskas and John Regehr. 2014. Intent Fuzzer: Crafting Intents of Death(WODA+PERTEA).

[40]

M. Spreitzenbarth, F. Freiling, F. Echtler, 2013. Mobile-Sandbox: Having a Deeper Look into Android Applications(SAC).

[41]

Ting Su, Guozhu Meng, Yuting Chen, 2017. Guided, Stochastic Model-Based GUI Testing of Android Apps(ESEC/FSE).

[42]

Kimberly Tam, Salahuddin Khan, Aristide Fattori, and Lorenzo Cavallaro. 2015. CopperDroid: Automatic Reconstruction of Android Malware Behaviors(NDSS).

[43]

Xiaoxiao Tang, Yan Lin, Daoyuan Wu, and Debin Gao. 2018. Towards Dynamically Monitoring Android Applications on Non-Rooted Devices in the Wild(WiSec).

[44]

Nikolaos Totosis and Constantinos Patsakis. 2018. Android Hooking Revisited.

[45]

P. Tramontana, D. Amalfitano, 2019. Automated functional testing of mobile applications: a systematic mapping study. Software Quality Journal(2019).

[46]

Heila van der Merwe, Brink van der Merwe, and Willem Visser. 2012. Verifying Android Applications Using Java PathFinder. SIGSOFT Softw. Eng. Notes(2012).

[47]

V. van der Veen. 2013. Dynamic Analysis of Android Malware. Ph.D. Dissertation.

[48]

Rubin Xu, Hassen Saïdi, and Ross Anderson. 2012. Aurasium: Practical Policy Enforcement for Android Applications(USENIX Security).

[49]

Lei Xue, Yajin Zhou, Ting Chen, Xiapu Luo, and Guofei Gu. 2017. Malton: Towards on-Device Non-Invasive Mobile Malware Analysis for ART(USENIX Security).

[50]

J. Yan, T. Wu, J. Yan, and J. Zhang. 2017. Widget-Sensitive and Back-Stack-Aware GUI Exploration for Testing Android Apps(QRS).

[51]

Lok Kwong Yan and Heng Yin. 2012. DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis(USENIX Security).

[52]

Wei Yang, Mukul R. Prasad, and Tao Xie. 2013. A Grey-Box Approach for Automated GUI-Model Generation of Mobile Applications(FASE).

[53]

Hui Ye, Shaoyin Cheng, Lanbo Zhang, and Fan Jiang. 2013. DroidFuzzer: Fuzzing the Android Apps with Intent-Filter Tag(MoMM).

[54]

Yuanchun Li, Ziyue Yang, Yao Guo, and Xiangqun Chen. 2017. DroidBot: a lightweight UI-Guided test input generator for android(ICSE-C).

[55]

R. N. Zaeem, M. R. Prasad, and S. Khurshid. 2014. Automated Generation of Oracles for Testing User-Interaction Features of Mobile Apps(ICST).

[56]

Yuan Zhang, Min Yang, Bingquan Xu, 2013. Vetting Undesirable Behaviors in Android Apps with Permission Use Analysis(CCS).

[57]

Y. Zhauniarovich, M. Ahmad, O. Gadyatskaya, 2015. StaDynA: Addressing the Problem of Dynamic Code Updates in the Security Analysis of Android Applications. CODASPY ’15.

[58]

C. Zheng, S. Zhu, S. Dai, 2012. SmartDroid: An Automatic System for Revealing UI-Based Trigger Conditions in Android Applications(SPSM).

[59]

Yajin Zhou, Kunal Patel, Lei Wu, Zhi Wang, and Xuxian Jiang. 2015. Hybrid User-Level Sandboxing of Third-Party Android Apps(ASIA CCS).

Cited By

Ling YHao YWang YWang KBai GDong J(2024)Essential or Excessive? MINDAEXT: Measuring Data Minimization Practices among Browser Extensions2024 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)10.1109/SANER60148.2024.00104(964-975)Online publication date: 12-Mar-2024
https://doi.org/10.1109/SANER60148.2024.00104
Tu TZhang HGong BDu DWen Q(2024)Intelligent analysis of android application privacy policy and permission consistencyArtificial Intelligence Review10.1007/s10462-024-10798-z57:7Online publication date: 13-Jun-2024
https://doi.org/10.1007/s10462-024-10798-z
Heid KHeider J(2022)Context Correlation for Automated Dynamic Android App Analysis to Improve Impact Rating of Privacy and Security FlawsRisks and Security of Internet and Systems10.1007/978-3-031-31108-6_1(1-17)Online publication date: 7-Dec-2022
https://dl.acm.org/doi/10.1007/978-3-031-31108-6_1

Index Terms

Automated, Dynamic Android App Vulnerability and Privacy Leak Analysis: Design Considerations, Required Components and Available Tools

Index terms have been assigned to the content through auto-classification.

Recommendations

Learn Android App Development
A Comprehensive Study of Privacy Leakage Vulnerability in Android App Logs
ASE '24: Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering

Android is the most popular mobile operating system, which attracts countless users. However, Android app logs, which record Android runtime information, are often overlooked in privacy leakage vulnerability research. Existing studies on privacy leakage ...
Inter-app communication between Android apps developed in app-inventor and Android studio
MOBILESoft '16: Proceedings of the International Conference on Mobile Software Engineering and Systems

Communications between mobile apps are an important aspect of mobile platforms. Android is specifically designed with inter-app communication in mind and depends on this to provide different platform specific functionalities. Android Apps can either be ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Other conferences

EICC '21: Proceedings of the 2021 European Interdisciplinary Cybersecurity Conference

November 2021

97 pages

ISBN:9781450390491

DOI:10.1145/3487405

Copyright © 2021 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 22 November 2021

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Qualifiers

Research-article
Research
Refereed limited

Funding Sources

German Federal Ministry of Education and Research

Conference

EICC '21

EICC '21: European Interdisciplinary Cybersecurity Conference

November 10 - 11, 2021

Virtual Event, Romania

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

3
Total Citations
View Citations
298
Total Downloads

Downloads (Last 12 months)77
Downloads (Last 6 weeks)4

Reflects downloads up to 20 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Ling YHao YWang YWang KBai GDong J(2024)Essential or Excessive? MINDAEXT: Measuring Data Minimization Practices among Browser Extensions2024 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)10.1109/SANER60148.2024.00104(964-975)Online publication date: 12-Mar-2024
https://doi.org/10.1109/SANER60148.2024.00104
Tu TZhang HGong BDu DWen Q(2024)Intelligent analysis of android application privacy policy and permission consistencyArtificial Intelligence Review10.1007/s10462-024-10798-z57:7Online publication date: 13-Jun-2024
https://doi.org/10.1007/s10462-024-10798-z
Heid KHeider J(2022)Context Correlation for Automated Dynamic Android App Analysis to Improve Impact Rating of Privacy and Security FlawsRisks and Security of Internet and Systems10.1007/978-3-031-31108-6_1(1-17)Online publication date: 7-Dec-2022
https://dl.acm.org/doi/10.1007/978-3-031-31108-6_1

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

HTML Format

View this article in HTML Format.

Media

Figures

Other

Tables

View Table of Contents