Who You Gonna Call? Analyzing Web Requests in Android Applications

Relying on ubiquitous Internet connectivity, applications on mobile devices frequently perform web requests during their execution. They fetch data for users to interact with, invoke remote functionalities, or send user-generated content or meta-data. These requests collectively reveal common practices of mobile application development, like what external services are used and how, and they point to possible negative effects like security and privacy violations, or impacts on battery life. In this paper, we assess different ways to analyze what web requests Android applications make. We start by presenting dynamic data collected from running 20 randomly selected Android applications and observing their network activity. Next, we present a static analysis tool, Stringoid, that analyzes string concatenations in Android applications to estimate constructed URL strings. Using Stringoid, we extract URLs from 30,000 Android applications, and compare the performance with a simpler constant extraction analysis. Finally, we present a discussion of the advantages and limitations of dynamic and static analyses when extracting URLs, as we compare the data extracted by Stringoid from the same 20 applications with the dynamically collected data.
