TextExerciser: Feedback-driven Text Input Exercising for Android Applications

Dynamic analysis of Android apps is often used together with an exerciser to increase its code coverage. One big obstacle in designing such Android app exercisers comes from the existence of text-based inputs, which are often constrained by the nature of the input field, such as the length and character restrictions.In this paper, we propose TextExerciser, an iterative, feedback-driven text input exerciser, which generates text inputs for Android apps. Our key insight is that Android apps often provide feedback, called hints, for malformed inputs so that our system can utilize such hints to improve the input generation.We implemented a prototype of TextExerciser and evaluated it by comparing TextExerciser with state-of-the-art exercisers, such as The Monkey and DroidBot. Our evaluation shows that TextExerciser can achieve significantly higher code coverage and trigger more sensitive behaviors than these tools. We also combine TextExerciser with dynamic analysis tools and show they are able to detect more privacy leaks and vulnerabilities with TextExerciser than with existing exercisers. Particularly, existing tools, under the help of TextExerciser, find several new vulnerabilities, such as one user credential leak in a popular social app with more than 10,000,000 downloads.

[1]  Zhiqiang Lin,et al.  AUTHSCOPE: Towards Automatic Discovery of Vulnerable Authorizations in Online Services , 2017, CCS.

[2]  Yajin Zhou,et al.  Malton: Towards On-Device Non-Invasive Mobile Malware Analysis for ART , 2017, USENIX Security Symposium.

[3]  Zhiqiang Lin,et al.  IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing , 2018, NDSS.

[4]  William K. Robertson,et al.  CuriousDroid: Automated User Interface Interaction for Android Application Analysis Sandboxes , 2016, Financial Cryptography.

[5]  Yue Jia,et al.  Sapienz: multi-objective automated testing for Android applications , 2016, ISSTA.

[6]  Yuexiang Yang,et al.  Crafting Intents to Detect ICC Vulnerabilities of Android Apps , 2016, 2016 12th International Conference on Computational Intelligence and Security (CIS).

[7]  Lipo Wang,et al.  Mobolic: An automated approach to exercising mobile application GUIs using symbiosis of online testing technique and customated input generation , 2018, Softw. Pract. Exp..

[8]  Christopher Krügel,et al.  Obfuscation-Resilient Privacy Leak Detection for Mobile Apps Through Differential Analysis , 2017, NDSS.

[9]  William Enck,et al.  AppsPlayground: automatic security analysis of smartphone applications , 2013, CODASPY.

[10]  Xiaofeng Wang,et al.  UIPicker: User-Input Privacy Identification in Mobile Applications , 2015, USENIX Security Symposium.

[11]  Christopher Krügel,et al.  Enemy of the State: A State-Aware Black-Box Web Vulnerability Scanner , 2012, USENIX Security Symposium.

[12]  Aristide Fattori,et al.  CopperDroid: Automatic Reconstruction of Android Malware Behaviors , 2015, NDSS.

[13]  Nitesh V. Chawla,et al.  SMOTE: Synthetic Minority Over-sampling Technique , 2002, J. Artif. Intell. Res..

[14]  Narseo Vallina-Rodriguez,et al.  Bug Fixes, Improvements,... and Privacy Leaks , 2018 .

[15]  Arnaud Legout,et al.  ReCon: Revealing and Controlling PII Leaks in Mobile Network Traffic , 2015, MobiSys.

[16]  Hee Beng Kuan Tan,et al.  Achieving High Code Coverage in Android UI Testing via Automated Widget Exercising , 2016, 2016 23rd Asia-Pacific Software Engineering Conference (APSEC).

[17]  Junfeng Yang,et al.  Efficiently, effectively detecting mobile app bugs with AppDoctor , 2014, EuroSys '14.

[18]  Latifur Khan,et al.  SMV-Hunter: Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in Android Apps , 2014, NDSS.

[19]  Hongseok Yang,et al.  Automated concolic testing of smartphone apps , 2012, SIGSOFT FSE.

[20]  Iulian Neamtiu,et al.  Targeted and depth-first exploration for systematic testing of android apps , 2013, OOPSLA.

[21]  John C. S. Lui,et al.  DroidTrace: A ptrace based Android dynamic analysis system with forward execution capability , 2014, 2014 International Wireless Communications and Mobile Computing Conference (IWCMC).

[22]  Ross J. Anderson,et al.  Aurasium: Practical Policy Enforcement for Android Applications , 2012, USENIX Security Symposium.

[23]  Kang G. Shin,et al.  Understanding and defending the binder attack surface in Android , 2016, ACSAC.

[24]  Suman Nath,et al.  Brahmastra: Driving Apps to Test the Security of Third-Party Components , 2014, USENIX Security Symposium.

[25]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[26]  Yuanchun Li,et al.  DroidBot: A Lightweight UI-Guided Test Input Generator for Android , 2017, 2017 IEEE/ACM 39th International Conference on Software Engineering Companion (ICSE-C).

[27]  Xiangyu Zhang,et al.  SUPOR: Precise and Scalable Sensitive User Input Detection for Android Apps , 2015, USENIX Security Symposium.

[28]  Guofei Gu,et al.  SmartDroid: an automatic system for revealing UI-based trigger conditions in android applications , 2012, SPSM '12.

[29]  John Regehr,et al.  Intent fuzzer: crafting intents of death , 2014, WODA+PERTEA 2014.

[30]  Michael Backes,et al.  ARTist: The Android Runtime Instrumentation and Security Toolkit , 2016, 2017 IEEE European Symposium on Security and Privacy (EuroS&P).

[31]  Marco Vieira,et al.  Using web security scanners to detect vulnerabilities in web services , 2009, 2009 IEEE/IFIP International Conference on Dependable Systems & Networks.

[32]  Xiangyu Zhang,et al.  Automatic Text Input Generation for Mobile Testing , 2017, 2017 IEEE/ACM 39th International Conference on Software Engineering (ICSE).

[33]  Ranveer Chandra,et al.  Caiipa: automated large-scale mobile app testing through contextual fuzzing , 2014, MobiCom.

[34]  Yuan Zhang,et al.  Vetting undesirable behaviors in android apps with permission use analysis , 2013, CCS.

[35]  David Lie,et al.  IntelliDroid: A Targeted Input Generator for the Dynamic Analysis of Android Malware , 2016, NDSS.

[36]  Mayur Naik,et al.  Dynodroid: an input generation system for Android apps , 2013, ESEC/FSE 2013.

[37]  Joxan Jaffar,et al.  S3: A Symbolic String Solver for Vulnerability Detection in Web Applications , 2014, CCS.

[38]  Jong Kyoung Kim,et al.  Speech recognition , 1983, 1983 IEEE International Solid-State Circuits Conference. Digest of Technical Papers.

[39]  Tao Xie,et al.  An Empirical Study of Android Test Generation Tools in Industrial Cases , 2018, 2018 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE).

[40]  Yang Liu,et al.  Guided, stochastic model-based GUI testing of Android apps , 2017, ESEC/SIGSOFT FSE.

[41]  Dengfeng Li,et al.  UiRef: analysis of sensitive user inputs in Android applications , 2017, WISEC.

[42]  Hui Ye,et al.  DroidFuzzer: Fuzzing the Android Apps with Intent-Filter Tag , 2013, MoMM '13.

[43]  John C. S. Lui,et al.  TaintART: A Practical Multi-level Information-Flow Tracking System for Android RunTime , 2016, CCS.

[44]  Yafang Xue,et al.  Optical Character Recognition , 2022 .