Aladdin: Automating Release of Deep-Link APIs on Android

Compared to the Web, where each web page has a global URL for external access, a specific 'page' inside a mobile app cannot be easily accessed unless the user performs several steps from the landing page of the app. Recently, the 'deep link' has emerged as a promising solution and has been advocated by major service providers to enable targeting and opening a specific page of an app externally with an accessible uniform resource identifier. In this paper, we present a large-scale empirical study, covering over 25,000 Android apps, to investigate how deep links are really adopted. To our surprise, we find that deep links have quite low coverage, e.g., more than 70% and 90% of the apps do not have deep links on app stores Wandoujia and Google Play, respectively. One underlying reason is the mandatory and non-trivial manual effort required of app developers to provide APIs for deep links. We then propose the Aladdin approach along with its supporting tool to help developers practically automate the release of deep-link APIs to access locations inside their apps. Aladdin includes a novel cooperative framework that synthesizes static analysis and dynamic analysis while minimally engaging developers' inputs and configurations, without requiring any coding efforts or additional deployment efforts. We evaluate Aladdin with 579 popular apps and demonstrate its effectiveness and performance.
