A Systematical Study on Application Performance Management Libraries for Apps

Automatically detecting performance issues in apps can significantly improve app quality and positively influence user satisfaction. Application Performance Management (APM) libraries are used to locate apps' performance bottlenecks, monitor their behavior at runtime, and identify potential security risks. Although app developers have been using APM tools to capture these potential performance issues, most of them do not fully understand the internals of these tools or their effect on the apps. To fill this gap, in this paper we conduct the first systematic study on APMs for apps by scrutinizing 25 widely used APMs for Android apps, and we develop a framework named APMHunter for exploring the usage of APMs in Android apps. Using APMHunter, we conduct a large-scale empirical study on 500,000 Android apps to explore the usage patterns of APMs and discover potential misuses of APMs. We obtain two major findings: 1) some APMs still employ deprecated permissions and approaches, which makes them fail to perform as expected; 2) inappropriate use of APMs can cause privacy leaks. Thus, our study suggests that both APM vendors and developers should design and use APMs scrupulously.
