Systematic Mutation-Based Evaluation of the Soundness of Security-Focused Android Static Analysis Techniques

Published: 09 February 2021

Abstract

Mobile application security has been a major area of focus for security research over the course of the last decade. Numerous application analysis tools have been proposed in response to malicious, curious, or vulnerable apps. However, existing tools, and specifically static analysis tools, trade soundness of the analysis for precision and performance and are hence soundy. Unfortunately, the specific unsound choices or flaws in the design of these tools are often not known or well documented, leading to misplaced confidence among researchers, developers, and users. This article describes the Mutation-Based Soundness Evaluation (μSE) framework, which systematically evaluates Android static analysis tools to discover, document, and fix flaws by leveraging the well-founded practice of mutation analysis. We implemented μSE and applied it to a set of prominent Android static analysis tools that detect private data leaks in apps. In a study conducted previously, we used μSE to discover 13 previously undocumented flaws in FlowDroid, one of the most prominent data leak detectors for Android apps. Moreover, we discovered that flaws also propagated to other tools that build upon the design or implementation of FlowDroid or its components. This article substantially extends our μSE framework and offers a new in-depth analysis of two more major tools in our 2020 study; we find 12 new, undocumented flaws and demonstrate that all 25 flaws are found in more than one tool, regardless of any inheritance relation among the tools. Our results motivate the need for systematic discovery and documentation of unsound choices in soundy tools and demonstrate the opportunities in leveraging mutation testing to achieve this goal.
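The evaluation loop the abstract describes, as an added illustrative example that is not μSE's code: a constructed toy app model, two mutation operators that inject a private-data leak (one inline, one through a field read in a callback), and a deliberately incomplete taint analyzer that models only the onCreate/onResume entry points (a constructed simplification standing in for an unsound choice). Mutants whose injected leak the analyzer fails to report are the uncaught mutants that point to an undocumented flaw.

```python
from typing import Dict, List, Tuple

# Constructed app model: a method name maps to a list of statements.
#   ("assign", dst, src)  copies src (or the literal "SOURCE") into dst
#   ("call", method)      invokes another method of the app
#   ("sink", var)         sends var out of the app (a leak if var is tainted)
Stmt = Tuple[str, ...]
App = Dict[str, List[Stmt]]

# The toy analyzer's model of the lifecycle (constructed): it knows these
# entry points only, so code reached solely through other callbacks is unseen.
MODELLED_ENTRY_POINTS = ("onCreate", "onResume")


def toy_taint_analysis(app: App) -> bool:
    """Return True if a SOURCE-to-sink flow is reported.
    Taint is tracked through locals and fields across all methods reachable
    from the modelled entry points, to a fixed point."""
    reachable, stack = set(), [m for m in MODELLED_ENTRY_POINTS if m in app]
    while stack:
        m = stack.pop()
        if m in reachable:
            continue
        reachable.add(m)
        stack.extend(st[1] for st in app[m] if st[0] == "call" and st[1] in app)
    tainted, leak, changed = set(), False, True
    while changed:
        changed = False
        for m in sorted(reachable):
            for st in app[m]:
                if st[0] == "assign" and st[1] not in tainted and \
                        (st[2] == "SOURCE" or st[2] in tainted):
                    tainted.add(st[1])
                    changed = True
                elif st[0] == "sink" and st[1] in tainted:
                    leak = True
    return leak


def mutate_inline(app: App, method: str) -> App:
    """Mutation operator 1: append `x = SOURCE; sink(x)` to `method`."""
    mutant = {k: list(v) for k, v in app.items()}
    mutant[method] += [("assign", "mut_x", "SOURCE"), ("sink", "mut_x")]
    return mutant


def mutate_via_callback(app: App, callback: str) -> App:
    """Mutation operator 2: store SOURCE in a field during onCreate and
    leak that field from `callback`, exercising the tool's lifecycle model."""
    mutant = {k: list(v) for k, v in app.items()}
    mutant["onCreate"] += [("assign", "this.mut_f", "SOURCE")]
    mutant[callback] = mutant.get(callback, []) + [("sink", "this.mut_f")]
    return mutant


def evaluate(app: App, analyzer) -> List[str]:
    """Generate mutants, run the analyzer on each, and return the names of
    the uncaught mutants (injected leaks the analyzer did not report)."""
    # The unmutated app must be clean, otherwise a "detected" mutant could
    # just be the analyzer reporting a pre-existing flow.
    assert not analyzer(app), "baseline app must contain no leak"
    mutants = [(f"inline@{m}", mutate_inline(app, m)) for m in app]
    for cb in ("onResume", "onLocationChanged"):
        mutants.append((f"callback@{cb}", mutate_via_callback(app, cb)))
    return [name for name, mutant in mutants if not analyzer(mutant)]


# Constructed baseline app: onLocationChanged is a callback the toy analyzer
# does not model, so leaks placed there are never analyzed.
BASE_APP: App = {
    "onCreate": [("assign", "x", "1"), ("call", "helper")],
    "helper": [("assign", "y", "x")],
    "onResume": [("assign", "z", "2")],
    "onLocationChanged": [("assign", "loc", "3")],
}

if __name__ == "__main__":
    for name in evaluate(BASE_APP, toy_taint_analysis):
        print("uncaught mutant, candidate flaw:", name)
```

Each uncaught mutant names the injection site, which is the starting point for documenting the unsound choice (here, an unmodelled callback) and for reproducing it against the real tool.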

  110. Yajin Zhou and Xuxian Jiang. 2012. Dissecting Android malware: Characterization and evolution. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland).Google ScholarGoogle ScholarDigital LibraryDigital Library
  111. Yajin Zhou, Zhi Wang, Wu Zhou, and Xuxian Jiang. 2012. Hey, you, get off of my market: Detecting malicious apps in official and alternative Android markets. In Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS’12).Google ScholarGoogle Scholar
  112. Yajin Zhou, Xinwen Zhang, Xuxian Jiang, and Vincent W. Freeh. 2011. Taming information-stealing smartphone applications (on Android). In Proceedings of the International Conference on Trust and Trustworthy Computing (TRUST’11).Google ScholarGoogle ScholarDigital LibraryDigital Library

    Published in

      ACM Transactions on Privacy and Security, Volume 24, Issue 3, August 2021, 286 pages
      ISSN: 2471-2566
      EISSN: 2471-2574
      DOI: 10.1145/3450360

      Copyright © 2021 ACM

      Publisher: Association for Computing Machinery, New York, NY, United States

      Publication History

      • Published: 9 February 2021
      • Accepted: 1 November 2020
      • Revised: 1 September 2020
      • Received: 1 February 2020

      Qualifiers

      • research-article
      • Research
      • Refereed
