Nothing Special   »   [go: up one dir, main page]

skip to main content
10.1145/3487405.3487652acmotherconferencesArticle/Chapter ViewAbstractPublication PageseiccConference Proceedingsconference-collections
research-article

Automated, Dynamic Android App Vulnerability and Privacy Leak Analysis: Design Considerations, Required Components and Available Tools

Published: 22 November 2021 Publication History

Abstract

Smartphones apps aid humans in plenty of situations. There exists an app for everything. However, without the user’s awareness, some apps contain vulnerabilities or leak private data. Static and dynamic app analysis are ways to find these software properties. Especially setting up a dynamic analysis environment is not a trivial task. Several peculiarities of Android have to be considered, existing tools for different aspects have to be evaluated, selected and setup to work together. Existing literature is often outdated and only covers tools for one aspect but doesn’t combine them together in a big picture. This paper presents a generic design for an automated dynamic app analysis environment and highlights the required components as well as functionality to reveal security and privacy issues. Available tools are listed, realizing different aspects of the proposed environment design. Tool features are evaluated and tool usability for an automated large scale dynamic app analysis is compared. This document should serve as a reference to all who need to implement dynamic analysis on Android (or some aspects) and require an overview of available and usable solutions.

References

[1]
Christoffer Quist Adamsen, Gianluca Mezzetti, and Anders Møller. 2015. Systematic Execution of Android Test Suites in Adverse Conditions(ISSTA).
[2]
D. Amalfitano, N. Amatucci, A. R. Fasolino, 2015. AGRippin: A Novel Search Based Testing Technique for Android Applications(DeMobile).
[3]
D. Amalfitano, A. R. Fasolino, P. Tramontana, 2015. MobiGUITAR: Automated Model-Based Testing of Mobile Apps. IEEE Software (2015).
[4]
D. Amalfitano, A. R. Fasolino, P. Tramontana, S. De Carmine, and A. M. Memon. 2012. Using GUI ripping for automated testing of Android applications(ASE).
[5]
Saswat Anand, Mayur Naik, Mary Jean Harrold, and Hongseok Yang. 2012. Automated Concolic Testing of Smartphone Apps(FSE).
[6]
Tanzirul Azim and Iulian Neamtiu. 2013. Targeted and Depth-First Exploration for Systematic Testing of Android Apps. SIGPLAN (2013).
[7]
M. Backes, S. Bugiel, C. Hammer, O. Schranz, and P. Von Styp-Rekowsky. 2015. Boxify: Full-Fledged App Sandboxing for Stock Android(USENIX Security).
[8]
M. Backes, S. Bugiel, O. Schranz, P. von Styp-Rekowsky, and S. Weisgerber. 2017. ARTist: The Android runtime instrumentation and security toolkit(EuroS&P).
[9]
A. Bianchi, Y. Fratantonio, C. Kruegel, 2015. NJAS: Sandboxing Unmodified Applications in Non-Rooted Devices Running Stock Android(CCS/SPSM).
[10]
Nataniel P. Borges Jr.2017. Data Flow Oriented UI Testing: Exploiting Data Flows and UI Elements to Test Android Applications(ISSTA).
[11]
Yuzhong Cao, Guoquan Wu, Wei Chen, and Jun Wei. 2018. CrawlDroid: Effective Model-Based GUI Testing of Android Apps(Internetware).
[12]
P. Carter, C. Mulliner, M. Lindorfer, 2017. CuriousDroid: Automated User Interface Interaction for Android Application Analysis Sandboxes(FC).
[13]
J. Chen, G. Han, S. Guo, and W. Diao. 2018. FragDroid: Automated User Interface Interaction with Activity and Fragment Analysis in Android Applications(DSN).
[14]
Wontae Choi, George Necula, and Koushik Sen. 2013. Guided GUI Testing of Android Apps with Minimal Restart and Approximate Learning(OOPSLA).
[15]
Valerio Costamagna and Cong Zheng. 2016. ARTDroid: A Virtual-Method Hooking Framework on Android ART Runtime(IMPS@ESSoS).
[16]
B. Davis and H. Chen. 2013. RetroSkeleton: Retrofitting Android Apps(MobiSys).
[17]
M. Diamantaris, E. P. Papadopoulos, E. P. Markatos, 2019. REAPER: Real-Time App Analysis for Augmenting the Android Permission System(CODASPY).
[18]
T. Eder, M. Rodler, D. Vymazal, and M. Zeilinger. 2013. ANANAS - A Framework for Analyzing Android Applications(ARES).
[19]
W. Enck, P. Gilbert, 2010. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones(USENIX OSDI).
[20]
Shuai Hao, Ding Li, William G.J. Halfond, and Ramesh Govindan. 2013. SIF: A Selective Instrumentation Framework for Mobile Applications(MobiSys).
[21]
Shuai Hao, Bin Liu, Suman Nath, 2014. PUMA: Programmable UI-Automation for Large-Scale Dynamic Analysis of Mobile Apps(MobiSys).
[22]
L. V. Haoyin. 2017. Automatic android application GUI testing—A random walk approach(WiSPNET).
[23]
Gang Hu, Xinhao Yuan, Yang Tang, and Junfeng Yang. 2014. Efficiently, Effectively Detecting Mobile App Bugs with AppDoctor(EuroSys).
[24]
J. C. J. Keng, L. Jiang, T. K. Wee, and R. K. Balan. 2016. Graph-Aided Directed Testing of Android Applications for Checking Runtime Privacy Behaviours(AST).
[25]
Y. Koroglu, A. Sen, O. Muslu, Y. Mete, C. Ulker, T. Tanriverdi, and Y. Donmez. 2018. QBE: QLearning-Based Exploration of Android Applications(ICST).
[26]
Wing Lam, Zhengkai Wu, Dengfeng Li, 2017. Record and Replay for Android: Are We There yet in Industrial Cases?(ESEC/FSE).
[27]
M. Linares-Vásquez, M. White, C. Bernal-Cárdenas, 2015. Mining Android App Usages for Generating Actionable GUI-Based Execution Scenarios(MSR).
[28]
M. Linares-Vásquez, K. Moran, 2017. Continuous, Evolutionary and Large-Scale: A New Perspective for Automated Mobile App Testing(ICSME).
[29]
C. Luo, J. Goncalves, E. Velloso, 2020. A Survey of Context Simulation for Testing Mobile Context-Aware Applications. ACM Comput. Surv. (2020).
[30]
Aravind Machiry, Rohan Tahiliani, and Mayur Naik. 2013. Dynodroid: An Input Generation System for Android Apps(ESEC/FSE).
[31]
Riyadh Mahmood, Nariman Mirzaei, and Sam Malek. 2014. EvoDroid: Segmented Evolutionary Testing of Android Apps(FSE).
[32]
Ke Mao, Mark Harman, and Yue Jia. 2016. Sapienz: Multi-Objective Automated Testing for Android Applications(ISSTA).
[33]
N. Mirzaei, H. Bagheri, R. Mahmood, and S. Malek. 2015. SIG-Droid: Automated system input generation for Android applications(ISSRE).
[34]
K. Moran, M. Linares-Vásquez, C. Bernal-Cárdenas, 2016. Automatically Discovering, Reporting and Reproducing Android Application Crashes(ICST).
[35]
Sebastian Neuner, Victor van der Veen, Martina Lindorfer, Markus Huber, Georg Merzdovnik, Martin Mulazzani, and Edgar R. Weippl. 2014. Enter Sandbox: Android Sandbox Comparison. CoRR (2014).
[36]
Zhenyu Ning and Fengwei Zhang. 2017. Ninja: Towards Transparent Tracing and Debugging on ARM(USENIX Security).
[37]
Vaibhav Rastogi, Yan Chen, and William Enck. 2013. AppsPlayground: Automatic Security Analysis of Smartphone Applications(CODASPY).
[38]
Shauvik Roy Choudhary, Alessandra Gorla, and Alessandro Orso. 2015. Automated Test Input Generation for Android: Are We There Yet?(ASE).
[39]
Raimondas Sasnauskas and John Regehr. 2014. Intent Fuzzer: Crafting Intents of Death(WODA+PERTEA).
[40]
M. Spreitzenbarth, F. Freiling, F. Echtler, 2013. Mobile-Sandbox: Having a Deeper Look into Android Applications(SAC).
[41]
Ting Su, Guozhu Meng, Yuting Chen, 2017. Guided, Stochastic Model-Based GUI Testing of Android Apps(ESEC/FSE).
[42]
Kimberly Tam, Salahuddin Khan, Aristide Fattori, and Lorenzo Cavallaro. 2015. CopperDroid: Automatic Reconstruction of Android Malware Behaviors(NDSS).
[43]
Xiaoxiao Tang, Yan Lin, Daoyuan Wu, and Debin Gao. 2018. Towards Dynamically Monitoring Android Applications on Non-Rooted Devices in the Wild(WiSec).
[44]
Nikolaos Totosis and Constantinos Patsakis. 2018. Android Hooking Revisited.
[45]
P. Tramontana, D. Amalfitano, 2019. Automated functional testing of mobile applications: a systematic mapping study. Software Quality Journal(2019).
[46]
Heila van der Merwe, Brink van der Merwe, and Willem Visser. 2012. Verifying Android Applications Using Java PathFinder. SIGSOFT Softw. Eng. Notes(2012).
[47]
V. van der Veen. 2013. Dynamic Analysis of Android Malware. Ph.D. Dissertation.
[48]
Rubin Xu, Hassen Saïdi, and Ross Anderson. 2012. Aurasium: Practical Policy Enforcement for Android Applications(USENIX Security).
[49]
Lei Xue, Yajin Zhou, Ting Chen, Xiapu Luo, and Guofei Gu. 2017. Malton: Towards on-Device Non-Invasive Mobile Malware Analysis for ART(USENIX Security).
[50]
J. Yan, T. Wu, J. Yan, and J. Zhang. 2017. Widget-Sensitive and Back-Stack-Aware GUI Exploration for Testing Android Apps(QRS).
[51]
Lok Kwong Yan and Heng Yin. 2012. DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis(USENIX Security).
[52]
Wei Yang, Mukul R. Prasad, and Tao Xie. 2013. A Grey-Box Approach for Automated GUI-Model Generation of Mobile Applications(FASE).
[53]
Hui Ye, Shaoyin Cheng, Lanbo Zhang, and Fan Jiang. 2013. DroidFuzzer: Fuzzing the Android Apps with Intent-Filter Tag(MoMM).
[54]
Yuanchun Li, Ziyue Yang, Yao Guo, and Xiangqun Chen. 2017. DroidBot: a lightweight UI-Guided test input generator for android(ICSE-C).
[55]
R. N. Zaeem, M. R. Prasad, and S. Khurshid. 2014. Automated Generation of Oracles for Testing User-Interaction Features of Mobile Apps(ICST).
[56]
Yuan Zhang, Min Yang, Bingquan Xu, 2013. Vetting Undesirable Behaviors in Android Apps with Permission Use Analysis(CCS).
[57]
Y. Zhauniarovich, M. Ahmad, O. Gadyatskaya, 2015. StaDynA: Addressing the Problem of Dynamic Code Updates in the Security Analysis of Android Applications. CODASPY ’15.
[58]
C. Zheng, S. Zhu, S. Dai, 2012. SmartDroid: An Automatic System for Revealing UI-Based Trigger Conditions in Android Applications(SPSM).
[59]
Yajin Zhou, Kunal Patel, Lei Wu, Zhi Wang, and Xuxian Jiang. 2015. Hybrid User-Level Sandboxing of Third-Party Android Apps(ASIA CCS).

Cited By

View all
  • (2024)Essential or Excessive? MINDAEXT: Measuring Data Minimization Practices among Browser Extensions2024 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)10.1109/SANER60148.2024.00104(964-975)Online publication date: 12-Mar-2024
  • (2024)Intelligent analysis of android application privacy policy and permission consistencyArtificial Intelligence Review10.1007/s10462-024-10798-z57:7Online publication date: 13-Jun-2024
  • (2022)Context Correlation for Automated Dynamic Android App Analysis to Improve Impact Rating of Privacy and Security FlawsRisks and Security of Internet and Systems10.1007/978-3-031-31108-6_1(1-17)Online publication date: 7-Dec-2022

Index Terms

  1. Automated, Dynamic Android App Vulnerability and Privacy Leak Analysis: Design Considerations, Required Components and Available Tools
        Index terms have been assigned to the content through auto-classification.

        Recommendations

        Comments

        Please enable JavaScript to view thecomments powered by Disqus.

        Information & Contributors

        Information

        Published In

        cover image ACM Other conferences
        EICC '21: Proceedings of the 2021 European Interdisciplinary Cybersecurity Conference
        November 2021
        97 pages
        ISBN:9781450390491
        DOI:10.1145/3487405
        Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        Published: 22 November 2021

        Permissions

        Request permissions for this article.

        Check for updates

        Qualifiers

        • Research-article
        • Research
        • Refereed limited

        Funding Sources

        • German Federal Ministry of Education and Research

        Conference

        EICC '21
        EICC '21: European Interdisciplinary Cybersecurity Conference
        November 10 - 11, 2021
        Virtual Event, Romania

        Contributors

        Other Metrics

        Bibliometrics & Citations

        Bibliometrics

        Article Metrics

        • Downloads (Last 12 months)77
        • Downloads (Last 6 weeks)4
        Reflects downloads up to 24 Nov 2024

        Other Metrics

        Citations

        Cited By

        View all
        • (2024)Essential or Excessive? MINDAEXT: Measuring Data Minimization Practices among Browser Extensions2024 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)10.1109/SANER60148.2024.00104(964-975)Online publication date: 12-Mar-2024
        • (2024)Intelligent analysis of android application privacy policy and permission consistencyArtificial Intelligence Review10.1007/s10462-024-10798-z57:7Online publication date: 13-Jun-2024
        • (2022)Context Correlation for Automated Dynamic Android App Analysis to Improve Impact Rating of Privacy and Security FlawsRisks and Security of Internet and Systems10.1007/978-3-031-31108-6_1(1-17)Online publication date: 7-Dec-2022

        View Options

        Login options

        View options

        PDF

        View or Download as a PDF file.

        PDF

        eReader

        View online with eReader.

        eReader

        HTML Format

        View this article in HTML Format.

        HTML Format

        Media

        Figures

        Other

        Tables

        Share

        Share

        Share this Publication link

        Share on social media