Abstract
Mobile application security has been a major area of focus for security research over the course of the last decade. Numerous application analysis tools have been proposed in response to malicious, curious, or vulnerable apps. However, existing tools, and specifically, static analysis tools, trade soundness of the analysis for precision and performance and are hence soundy. Unfortunately, the specific unsound choices or flaws in the design of these tools is often not known or well documented, leading to misplaced confidence among researchers, developers, and users. This article describes the Mutation-Based Soundness Evaluation (μSE) framework, which systematically evaluates Android static analysis tools to discover, document, and fix flaws, by leveraging the well-founded practice of mutation analysis. We implemented μSE and applied it to a set of prominent Android static analysis tools that detect private data leaks in apps. In a study conducted previously, we used μSE to discover 13 previously undocumented flaws in FlowDroid, one of the most prominent data leak detectors for Android apps. Moreover, we discovered that flaws also propagated to other tools that build upon the design or implementation of FlowDroid or its components. This article substantially extends our μSE framework and offers a new in-depth analysis of two more major tools in our 2020 study; we find 12 new, undocumented flaws and demonstrate that all 25 flaws are found in more than one tool, regardless of any inheritance-relation among the tools. Our results motivate the need for systematic discovery and documentation of unsound choices in soundy tools and demonstrate the opportunities in leveraging mutation testing in achieving this goal.
- Yousra Aafer, Nan Zhang, Zhongwen Zhang, Xiao Zhang, Kai Chen, XiaoFeng Wang, Xiaoyong Zhou, Wenliang Du, and Michael Grace. 2015. Hare hunting in the wild Android: A study on the threat of hanging attribute references. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS’15). ACM, New York, NY, 1248--1259. DOI:https://doi.org/10.1145/2810103.2813648Google Scholar
Digital Library
- Yasemin Acar, Michael Backes, Sven Bugiel, Sascha Fahl, Patrick McDaniel, and Matthew Smith. 2016. SoK: Lessons learned from Android security research for appified software platforms. In Proceedings of the 37th IEEE Symposium on Security and Privacy (SP’16).Google Scholar
Cross Ref
- Android Developers. [n.d.]. Fragments. Retrieved July 7, 2019 from https://developer.android.com/guide/components/fragments.html.Google Scholar
- Dennis Appelt, Cu Duy Nguyen, Lionel C. Briand, and Nadia Alshahwan. 2014. Automated testing for SQL injection vulnerabilities: An input mutation approach. In International Symposium on Software Testing and Analysis, (ISSTA’14). 259--269.Google Scholar
Digital Library
- Daniel Arp, Michael Spreitzenbarth, Malte Hübner, Hugo Gascon, and Konrad Rieck. 2014. DREBIN: Effective and explainable detection of Android malware in your pocket. In Proceedings of the ISOC Network and Distributed Systems Symposium (NDSS’14).Google Scholar
Cross Ref
- Steven Arzt, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves le Traon, Damien Octeau, and Patrick McDaniel. 2014. FlowDroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’14).Google Scholar
Digital Library
- Kathy Wain Yee Au, Yi Fan Zhou, Zhen Huang, and David Lie. 2012. PScout: Analyzing the Android permission specification. In Proceedings of the 2012 ACM Conference on Computer and Communications Security. 217--228.Google Scholar
Digital Library
- Vitalii Avdiienko, Konstantin Kuznetsov, Alessandra Gorla, Andreas Zeller, Steven Arzt, Siegfried Rasthofer, and Eric Bodden. 2015. Mining apps for abnormal usage of sensitive data. In Proceedings of the 37th International Conference on Software Engineering—Volume 1. 426--436.Google Scholar
Digital Library
- Michael Backes, Sven Bugiel, Christian Hammer, Oliver Schranz, and Philipp von Styp-Rekowsky. 2015. Boxify: Full-fledged app sandboxing for stock Android. In Proceedings of the 24th USENIX Security Symposium (USENIX Security’15).Google Scholar
- Michael Backes, Sebastian Gerling, Christian Hammer, Matteo Maffei, and Philipp von Styp-Rekowsky. 2013. AppGuard: Enforcing user requirements on Android apps. In Proceedings of the International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’13).Google Scholar
Digital Library
- Richard Bonett, Kaushal Kafle, Kevin Moran, Adwait Nadkarni, and Denys Poshyvanyk. 2018. Discovering flaws in security-focused static analysis tools for android using systematic mutation. In Proceedings of the 27th USENIX Security Symposium (USENIX Security’18). USENIX Association, 1263--1280. https://www.usenix.org/conference/usenixsecurity18/presentation/bonett.Google Scholar
- Sven Bugiel, Lucas Davi, Alexandra Dmitrienko, Thomas Fischer, Ahmad-Reza Sadeghi, and Bhargava Shastry. 2012. Toward taming privilege-escalation attacks on Android. In Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS’12).Google Scholar
- Sven Bugiel, Lucas Davi, Alexandra Dmitrienko, Stephan Heuser, Ahmad-Reza Sadeghi, and Bhargava Shastry. 2011. Practical and lightweight domain isolation on Android. In Proceedings of the ACM Workshop on Security and Privacy in Mobile Devices (SPSM’11).Google Scholar
Digital Library
- S. Calzavara, I. Grishchenko, and M. Maffei. 2016. HornDroid: Practical and sound static analysis of Android applications by SMT solving. In Proceedings of the 2016 IEEE European Symposium on Security and Privacy (EuroS P’16). 47--62.Google Scholar
- Yinzhi Cao, Yanick Fratantonio, Antonio Bianchi, Manuel Egele, Christopher Kruegel, Giovanni Vigna, and Yan Chen. 2015. EdgeMiner: Automatically detecting implicit control flow transitions through the Android framework. In Proceedings of the ISOC Network and Distributed Systems Symposium (NDSS’15).Google Scholar
Cross Ref
- Erika Chin, Adrienne Porter Felt, Kate Greenwood, and David Wagner. 2011. Analyzing inter-application communication in Android. In Proceedings of the 9th Annual International Conference on Mobile Systems, Applications, and Services (MobiSys’11).Google Scholar
Digital Library
- Mauro Conti, Vu Thien Nga Nguyen, and Bruno Crispo. 2010. CRePE: Context-related policy enforcement for Android. In Proceedings of the 13th Information Security Conference (ISC’10).Google Scholar
Digital Library
- Benjamin Davis, Ben Sanders, Armen Khodaverdian, and Hao Chen. 2012. I-ARM-Droid: A rewriting framework for in-app reference monitors for Android applications.Google Scholar
- R. A. DeMillo, R. J. Lipton, and F. G. Sayward. 1978. Hints on test data selection: Help for the practicing programmer. Computer 11, 4 (April 1978), 34--41.Google Scholar
Digital Library
- Lin Deng, N. Mirzaei, P. Ammann, and J. Offutt. 2015. Towards mutation analysis of Android apps. In IEEE 8th International Conference on Software Testing, Verification and Validation Workshops (ICSTW’15). 1--10.Google Scholar
- Anna Derezińska and Konrad Hałas. 2014. Analysis of Mutation Operators for the Python Language. Springer International Publishing, Cham, 155--164.Google Scholar
- Android Developers. 2019. Android Developer Documentation—Broadcasts. Retrieved July 7, 2019 from https://developer.android.com/guide/components/broadcasts.html.Google Scholar
- Android Developers. 2019. Android Developer Documentation—Intents and Intent Filters. Retrieved July 7, 2019 from https://developer.android.com/guide/components/intents-filters.html.Google Scholar
- Android Developers. 2019. Android Developer Documentation—The Activity Lifecycle. Retrieved July 7, 2019 from https://developer.android.com/guide/components/activities/activity-lifecycle.html.Google Scholar
- Daniel Di Nardo, Fabrizio Pastore, and Lionel C. Briand. 2015. Generating complex and faulty test data through model-based mutation analysis. In Proceedings of the 8th IEEE International Conference on Software Testing, Verification and Validation, (ICST’15). 1--10.Google Scholar
- Michael Dietz, Shashi Shekhar, Yuliy Pisetsky, Anhei Shu, and Dan S. Wallach. 2011. Quire: Lightweight provenance for smart phone operating systems. In Proceedings of the USENIX Security Symposium.Google Scholar
Digital Library
- Brendan Dolan-Gavitt, Patrick Hulin, Engin Kirda, Tim Leek, Andrea Mambretti, Wil Robertson, Frederick Ulrich, and Ryan Whelan. 2016. Lava: Large-scale automated vulnerability addition. In Proceedings of the 37th IEEE Symposium on Security and Privacy (S8P’16).Google Scholar
Cross Ref
- DroidBench [n.d.]. DroidBench 2.0. Retrieved June 27, 2020 from https://github.com/secure-software-engineering/DroidBench.Google Scholar
- The Economist. 2015. Planet of the Phones. Retrieved July 7, 2019 from http://www.economist.com/news/leaders/21645180-smartphone-ubiquitous-addictive-and-transformative-planet-phones.Google Scholar
- Manuel Egele, David Brumley, Yanick Fratantonio, and Christopher Kruegel. 2013. An empirical study of cryptographic misuse in Android applications. In Proceedings of the 2013 ACM SIGSAC Conference on Computer 8 Communications Security (CCS’13). ACM Press, 73--84. DOI:https://doi.org/10.1145/2508859.2516693Google Scholar
Digital Library
- Manuel Egele, Christopher Kruegel, Engin Kirda, and Giovanni Vigna. 2011. PiOS: Detecting privacy leaks in iOS applications. In Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS’11).Google Scholar
- William Enck, Peter Gilbert, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth. 2010. TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones. In Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation (OSDI’10).Google Scholar
Digital Library
- William Enck, Machigar Ongtang, and Patrick McDaniel. 2009. On lightweight mobile phone application certification. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS’09).Google Scholar
Digital Library
- Sascha Fahl, Marian Harbach, Thomas Muders, Lars Baumgärtner, Bernd Freisleben, and Matthew Smith. 2012. Why Eve and Mallory love Android: An analysis of Android SSL (in)security. In Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS’12). ACM, New York, NY, 50--61. DOI:https://doi.org/10.1145/2382196.2382205Google Scholar
Digital Library
- Sascha Fahl, Marian Harbach, Henning Perl, Markus Koetter, and Matthew Smith. 2013. Rethinking SSL development in an Appified world. In Proceedings of the 2013 ACM SIGSAC Conference on Computer 8 Communications Security (CCS’13). ACM, New York, NY, 49--60. DOI:https://doi.org/10.1145/2508859.2516655Google Scholar
Digital Library
- Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn Song, and David Wagner. 2011. Android permissions demystified. In Proceedings of the ACM Conference on Computer and Communications Security (CCS’11).Google Scholar
Digital Library
- Adrienne Porter Felt, Helen J. Wang, Alexander Moshchuk, Steven Hanna, and Erika Chin. 2011. Permission re-delegation: Attacks and defenses. In Proceedings of the USENIX Security Symposium.Google Scholar
Digital Library
- Xinming Ou Fengguo Wei, Sankardas Roy and Robby. 2014. Amandroid: A precise and general inter-component data flow analysis framework for security vetting of Android apps. In Proceedings of the ACM Conference on Computer and Communications Security (CCS’14).Google Scholar
- The Apache Software Foundation. 2019. Apache Ant Build System. Retrieved July 7, 2019 from http://ant.apache.org.Google Scholar
- Elli Fragkaki, Lujo Bauer, Limin Jia, and David Swasey. 2012. Modeling and enhancing Android’s permission system. In Computer Security —ESORICS 2012, Sara Foresti, Moti Yung, and Fabio Martinelli (Eds.). Springer, Berlin, 1--18.Google Scholar
Cross Ref
- Jason Franklin, Sagar Chaki, Anupam Datta, and Arvind Seshadri. 2010. Scalable parametric verification of secure systems: How to verify reference monitors without worrying about data structure size. In IEEE Symposium on Security and Privacy (SP’10). 365--379.Google Scholar
Digital Library
- Clint Gibler, Jon Crussell, Jeremy Erickson, and Hao Chen. 2012. AndroidLeaks: Automatically detecting potential privacy leaks in Android applications on a large scale. In Proceedings of the International Conference on Trust and Trustworthy Computing (TRUST’12).Google Scholar
Digital Library
- Michael Grace, Yajin Zhou, Qiang Zhang, Shihong Zou, and Xuxian Jiang. 2012. RiskRanker: Scalable and accurate zero-day Android malware detection. In Proceedings of the International Conference on Mobile Systems, Applications and Services (MobiSys’12).Google Scholar
Digital Library
- R. G. Hamlet. 1977. Testing programs with the aid of a compiler. IEEE Trans. Software Eng. 3, 4 (July 1977), 279--290.Google Scholar
- Stephan Heuser, Adwait Nadkarni, William Enck, and Ahmad-Reza Sadeghi. 2014. ASM: A programmable interface for extending Android security. In Proceedings of the USENIX Security Symposium.Google Scholar
- Tsung-Hsuan Ho, Daniel Dean, Xiaohui Gu, and William Enck. 2014. PREC: Practical root exploit containment for Android devices. In Proceedings of the 4th ACM Conference on Data and Application Security and Privacy (CODASPY’14).Google Scholar
Digital Library
- S. Holavanalli, D. Manuel, V. Nanjundaswamy, B. Rosenberg, F. Shen, S. Y. Ko, and L. Ziarek. 2013. Flow permissions for Android. In Proceedings of the 2013 28th IEEE/ACM International Conference on Automated Software Engineering (ASE’13). 652--657. DOI:https://doi.org/10.1109/ASE.2013.6693128Google Scholar
Digital Library
- iccbench [n.d.]. ICC-Bench. Retrieved June 27, 2020 from https://github.com/fgwei/ICC-Bench.Google Scholar
- Gradle Inc. 2019. Gradle Build System. Retrieved July 7, 2019 from https://gradle.org.Google Scholar
- Reyhaneh Jabbarvand and Sam Malek. 2017. Droid: An energy-aware mutation testing framework for Android. In Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering (ESEC/FSE’17). ACM, New York, NY, 208--219. DOI:https://doi.org/10.1145/3106237.3106244Google Scholar
Digital Library
- Konrad Jamrozik, Philipp von Styp-Rekowsky, and Andreas Zeller. 2016. Mining sandboxes. In Proceedings of the IEEE/ACM 38th International Conference on Software Engineering (ICSE’16). 37--48.Google Scholar
Digital Library
- Jinseong Jeon, Kristopher K. Micinski, Jeffrey A. Vaughan, Ari Fogel, Nikhilesh Reddy, Jeffrey S. Foster, and Todd Millstein. 2012. Dr. Android and Mr. Hide: Fine-grained permissions in Android applications. In Proceedings of the ACM Workshop on Security and Privacy in Mobile Devices (SPSM’12).Google Scholar
Digital Library
- Limin Jia, Jassim Aljuraidan, Elli Fragkaki, Lujo Bauer, Michael Stroucken, Kazuhide Fukushima, Shinsaku Kiyomoto, and Yutaka Miyake. 2013. Run-time enforcement of information-flow properties on Android (extended abstract). In Proceedings of the European Symposium on Research in Computer Security (ESORICS’13).Google Scholar
Cross Ref
- Jaeyeon Jung, Anmol Sheth, Ben Greenstein, David Wetherall, Gabriel Maganis, and Tadayoshi Kohno. 2008. Privacy Oracle: A system for finding application leaks with black box differential testing. In Proceedings of the 15th ACM Conference on Computer and Communications Security. ACM New York, NY, 279--288.Google Scholar
Digital Library
- William Klieber, Lori Flynn, Amar Bhosale, Limin Jia, and Lujo Bauer. 2014. Android taint flow analysis for app sets. In Proceedings of the 3rd ACM SIGPLAN International Workshop on the State of the Art in Java Program Analysis. 1--6.Google Scholar
Digital Library
- Stefan Krüger, Sarah Nadi, Michael Reif, Karim Ali, Mira Mezini, Eric Bodden, Florian Göpfert, Felix Günther, Christian Weinert, Daniel Demmler, and Ram Kamath. 2017. CogniCrypt: Supporting developers in using cryptography. In Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE’17). IEEE Press, Piscataway, NJ, 931--936.Google Scholar
Digital Library
- Youn Kyu Lee, Jae young Bang, Gholamreza Safi, Arman Shahbazian, Yixue Zhao, and Nenad Medvidovic. 2017. A SEALANT for inter-app security holes in Android. In Proceedings of the 39th International Conference on Software Engineering. 312--323.Google Scholar
Digital Library
- Li Li, Alexandre Bartel, Tegawendé F. Bissyandé, Jacques Klein, Yves Le Traon, Steven Arzt, Siegfried Rasthofer, Eric Bodden, Damien Octeau, and Patrick McDaniel. 2015. IccTA: Detecting inter-component privacy leaks in Android apps. In Proceedings of the 37th International Conference on Software Engineering—Volume 1. 280--291.Google Scholar
Cross Ref
- L. Li, A. Bartel, J. Klein, and Y. L. Traon. 2014. Automatically exploiting potential component leaks in Android applications. In Proceedings of the 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications. 388--397. DOI:https://doi.org/10.1109/TrustCom.2014.50Google Scholar
- Li Li, Alexandre Bartel, Jacques Klein, Yves Le Traon, Steven Arzt, Siegfried Rasthofer, Eric Bodden, Damien Octeau, and Patrick McDaniel. 2014. I know what leaked in your pocket: Uncovering privacy leaks on Android apps with static taint analysis. In CoRR.Google Scholar
- M. Lillack, C. Kastner, and E. Bodden. 2017. Tracking load-time configuration options. IEEE Transactions on Software Engineering PP, 99 (2017), 1--1. DOI:https://doi.org/10.1109/TSE.2017.2756048Google Scholar
- F-Droid Limited. 2019. F-Droid—Free and Open Source Android App Repository. Retrieved August 10, 2019 from https://f-droid.org/en/.Google Scholar
- Mario Linares-Vásquez, Gabriele Bavota, Michele Tufano, Kevin Moran, Massimiliano Di Penta, Christopher Vendome, Carlos Bernal-Cárdenas, and Denys Poshyvanyk. 2017. Enabling mutation testing for Android apps. In Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering (ESEC/FSE’17). ACM, New York, NY, 233--244. DOI:https://doi.org/10.1145/3106237.3106275Google Scholar
Digital Library
- Martina Lindorfer, Matthias Neugschwandtner, Lukas Weichselbaum, Yanick Fratantonio, Victor Van Der Veen, and Christian Platzer. 2014. Andrubis—-1,000,000 apps later: A view on current Android malware behaviors. In Proceedings of the 3rd International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS’14).Google Scholar
Digital Library
- Bin Liu, Bin Liu, Hongxia Jin, and Ramesh Govindan. 2015. Efficient privilege de-escalation for ad libraries in mobile apps. In Proceedings of the 13th Annual International Conference on Mobile Systems, Applications, and Services (MobiSys’15). ACM, New York, NY, 89--103. DOI:https://doi.org/10.1145/2742647.2742668Google Scholar
Digital Library
- Benjamin Livshits, Manu Sridharan, Yannis Smaragdakis, Ondřej Lhoták, J. Nelson Amaral, Bor-Yuh Evan Chang, Samuel Z. Guyer, Uday P. Khedker, Anders Møller, and Dimitrios Vardoulakis. 2015. In defense of soundiness: A manifesto. Communications of the ACM 58, 2 (Jan. 2015).Google Scholar
Digital Library
- Long Lu, Zhichun Li, Zhenyu Wu, Wenke Lee, and Guofei Jiang. 2012. CHEX: Statically vetting Android apps for component hijacking vulnerabilities. In Proceedings of the ACM Conference on Computer and Communications Security (CCS’12). 229--240.Google Scholar
Digital Library
- Yu-Seung Ma, Yong Rae Kwon, and Jeff Offutt. 2002. Inter-class mutation operators for Java. In Proceedings of the 13th International Symposium on Software Reliability Engineering (ISSRE’02). 352--366.Google Scholar
- Ke Mao, Mark Harman, and Yue Jia. 2016. Sapienz: Multi-objective automated testing for Android applications. In Proceedings of the 25th International Symposium on Software Testing and Analysis (ISSTA’16). ACM, New York, NY, 94--105.Google Scholar
Digital Library
- K. Moran, M. Linares-Vasquez, C. Bernal-Cardenas, C. Vendome, and D. Poshyvanyk. 2017. CrashScope: A practical tool for automated testing of Android applications. In Proceedings of the 2017 IEEE/ACM 39th International Conference on Software Engineering Companion (ICSE-C’17). 15--18. DOI:https://doi.org/10.1109/ICSE-C.2017.16Google Scholar
Digital Library
- Kevin Moran, Mario Linares Vásquez, Carlos Bernal-Cárdenas, Christopher Vendome, and Denys Poshyvanyk. 2016. Automatically discovering, reporting and reproducing Android application crashes. In Proceedings of the 2016 IEEE International Conference on Software Testing, Verification and Validation, (ICST’16). 33--44.Google Scholar
Cross Ref
- Andrew C. Myers. 1999. JFlow: Practical mostly-static information flow control. In Proceedings of the ACM Symposium on Principles of Programming Langauges (POPL’99).Google Scholar
Digital Library
- Andrew C. Myers and Barbara Liskov. 2000. Protecting privacy using the decentralized label model. ACM Transactions on Software Engineering and Methodology 9, 4 (October 2000), 410--442.Google Scholar
Digital Library
- Adwait Nadkarni, Benjamin Andow, William Enck, and Somesh Jha. 2016. Practical DIFC enforcement on Android. In Proceedings of the 25th USENIX Security Symposium.Google Scholar
Digital Library
- Adwait Nadkarni and William Enck. 2013. Preventing accidental data disclosure in modern operating systems. In Proceedings of the ACM Conference on Computer and Communications Security (CCS’13).Google Scholar
Digital Library
- Yuhong Nan, Min Yang, Zhemin Yang, Shunfan Zhou, Guofei Gu, and XiaoFeng Wang. 2015. UIPicker: User-input privacy identification in mobile applications. In USENIX Security Symposium. 993--1008.Google Scholar
- Mohammad Nauman, Sohail Khan, and Xinwen Zhang. 2010. Apex: Extending Android permission model and enforcement with user-defined runtime constraints. In Proceedings of the ACM Symposium on Information, Computer and Communications Security (ASIACCS’10).Google Scholar
Digital Library
- D. Octeau, S. Jha, and P. McDaniel. 2012. Retargeting Android applications to Java bytecode. In Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering.Google Scholar
- Damien Octeau, Daniel Luchaup, Matthew Dering, Somesh Jha, and Patrick McDaniel. 2015. Composite constant propagation: Application to Android inter-component communication analysis. In Proceedings of the 37th International Conference on Software Engineering—Volume 1 (ICSE’15). IEEE Press, Piscataway, NJ, 77--88. http://dl.acm.org/citation.cfm?id=2818754.2818767.Google Scholar
Cross Ref
- Damien Octeau, Patrick McDaniel, Somesh Jha, Alexandre Bartel, Eric Bodden, Jacques Klein, and Yves Le Traon. 2013. Effective inter-component communication mapping in Android: An essential step towards holistic security analysis. In Proceedings of the 22nd USENIX Security Symposium (USENIX Security’13). USENIX, 543--558. https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/octeau.Google Scholar
Digital Library
- A. Jefferson Offutt and Roland H. Untch. 2001. Mutation 2000: Uniting the Orthogonal. Springer US, Boston, MA, 34--44. DOI:https://doi.org/10.1007/978-1-4757-5939-6_7Google Scholar
- R. A. P. Oliveira, E. Alégroth, Z. Gao, and A. Memon. 2015. Definition and evaluation of mutation operators for GUI-level mutation analysis. In Proceedings of the International Conference on Software Testing, Verification, and Validation—Workshops, (ICSTW’15). 1--10.Google Scholar
- Machigar Ongtang, Stephen McLaughlin, William Enck, and Patrick McDaniel. 2009. Semantically rich application-centric security in Android. In Proceedings of the 25th Annual Computer Security Applications Conference (ACSAC’09). 340--349.Google Scholar
Digital Library
- Felix Pauck, Eric Bodden, and Heike Wehrheim. 2018. Do Android taint analysis tools keep their promises? In Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE’18). ACM, New York, NY, 331--341. DOI:https://doi.org/10.1145/3236024.3236029Google Scholar
Digital Library
- Paul Pearce, Adrienne Porter Felt, Gabriel Nunez, and David Wagner. 2012. AdDroid: Privilege separation for applications and advertisers in Android. In Proceedings of the ACM Symposium on Information, Computer and Communications Security (ASIACCS’12).Google Scholar
Digital Library
- Upsorn Praphamontripong, Jeff Offutt, Lin Deng, and Jingjing Gu. 2016. An experimental evaluation of web mutation operators. In Proceedings of the International Conference on Software Testing, Verification, and Validation (ICSTW’16). 102--111.Google Scholar
Cross Ref
- Lina Qiu, Yingying Wang, and Julia Rubin. 2018. Analyzing the analyzers: FlowDroid/IccTA, AmanDroid, and DroidSafe. In Proceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA’18). ACM Press, Amsterdam, Netherlands, 176--186. DOI:https://doi.org/10.1145/3213846.3213873Google Scholar
Digital Library
- Sazzadur Rahaman, Ya Xiao, Sharmin Afrose, Fahad Shaon, Ke Tian, Miles Frantz, Murat Kantarcioglu, and Danfeng (Daphne) Yao. 2019. CryptoGuard: High precision detection of cryptographic vulnerabilities in massive-sized Java projects. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS’19). ACM Press, London, United Kingdom, 2455--2472. DOI:https://doi.org/10.1145/3319535.3345659Google Scholar
Digital Library
- S. Rasthofer, S. Arzt, E. Lovat, and E. Bodden. 2014. DroidForce: Enforcing complex, data-centric, system-wide policies in Android. In Proceedings of the 2014 9th International Conference on Availability, Reliability and Security. 40--49. DOI:https://doi.org/10.1109/ARES.2014.13Google Scholar
Digital Library
- Vaibhav Rastogi, Yan Chen, and William Enck. 2013. AppsPlayground: Automatic large-scale dynamic analysis of Android applications. In Proceedings of the ACM Conference on Data and Application Security and Privacy (CODASPY’13).Google Scholar
- Bradley Reaves, Jasmine Bowers, Sigmund Albert Gorski III, Olabode Anise, Rahul Bobhate, Raymond Cho, Hiranava Das, Sharique Hussain, Hamza Karachiwala, Nolen Scaife, Byron Wright, Kevin Butler, William Enck, and Patrick Traynor. 2016. * droid: Assessment and evaluation of Android application analysis tools. ACM Computing Surveys (CSUR) 49, 3 (2016), 55.Google Scholar
Digital Library
- Raimondas Sasnauskas and John Regehr. 2014. Intent fuzzer: Crafting intents of death. In Proceedings of the 2014 Joint International Workshop on Dynamic Analysis (WODA’14) and Software and System Performance Testing, Debugging, and Analytics (PERTEA) (WODA+PERTEA’14). ACM, New York, NY, 1--5. DOI:https://doi.org/10.1145/2632168.2632169Google Scholar
Digital Library
- Shashi Shekhar, Michael Dietz, and Dan S. Wallach. 2012. AdSplit: Separating smartphone advertising from applications. In Proceedings of the USENIX Security Symposium.Google Scholar
Digital Library
- Feng Shen, Namita Vishnubhotla, Chirag Todarka, Mohit Arora, Babu Dhandapani, Steven Y. Ko, and Lukasz Ziarek. 2014. Information flows as a permission mechanism. In Proceedings of the IEEE/ACM International Conference on Automated Software Engineering (ASE’14).Google Scholar
Digital Library
- Rocky Slavin, Xiaoyin Wang, Mitra Bokaei Hosseini, James Hester, Ram Krishnan, Jaspreet Bhatia, Travis D. Breaux, and Jianwei Niu. 2016. Toward a framework for detecting privacy policy violations in Android application code. In Proceedings of the 38th International Conference on Software Engineering (ICSE’16). ACM, New York, NY, 25--36. DOI:https://doi.org/10.1145/2884781.2884855Google Scholar
Digital Library
- Stephen Smalley and Robert Craig. 2013. Security enhanced (SE) Android: Bringing flexible MAC to Android. In Proceedings of the ISOC Network and Distributed Systems Symposium (NDSS’13).Google Scholar
- David Sounthiraraj, Justin Sahs, Garret Greenwood, Zhiqiang Lin, and Latifur Khan. 2014. SMV-Hunter: Large scale, automated detection of Ssl/Tls man-in-the-middle vulnerabilities in Android apps. In Proceedings of the 21st Annual Network and Distributed System Security Symposium (NDSS’14).Google Scholar
Cross Ref
- Steven Artz. [n.d.]. FlowDroid 2.0. Retrieved July 7, 2019 from https://github.com/secure-software-engineering/soot-infoflow/releases.Google Scholar
- stream101. [n.d.]. Possible to Integrate Fragment Lifecycle? Retrieved July 7, 2019 from https://github.com/secure-software-engineering/soot-infoflow-android/issues/52.Google Scholar
- SE Developers. 2019. SE Sources and Data.Retrieved July 7, 2019 from https://muse-security-evaluation.github.io.Google Scholar
- Raja Vallée-Rai, Phong Co, Etienne Gagnon, Laurie Hendren, Patrick Lam, and Vijay Sundaresan. 1999. Soot—A Java bytecode optimization framework. In Proceedings of the 1999 Conference of the Centre for Advanced Studies on Collaborative Research. IBM Press, 13.Google Scholar
Digital Library
- Amit Vasudevan, Sagar Chaki, Limin Jia, Jonathan McCune, James Newsome, and Anupam Datta. 2013. Design, implementation and verification of an extensible and modular hypervisor framework. In IEEE Symposium on Security and Privacy (SP’13). 430--444.Google Scholar
Digital Library
- Veracode. 2020. Veracode’s 10th State of Software Security Report Finds Organizations Reduce Rising ‘Security Debt’ via Devsecops, Special Sprints. Retrieved July 7, 2019 from https://www.veracode.com/veracodes-10th-state-software-security-report-finds-organizations-reduce-rising-security-debt.Google Scholar
- Timothy Vidas, Nicolas Cristin, and Lorrie Faith Cranor. 2011. Curbing Android permission creep. In Proceedings of the Workshop on Web 2.0 Security and Privacy (W2SP’11).Google Scholar
- Rubin Xu, Hassen Saidi, and Ross Anderson. 2012. Aurasium: Practical policy enforcement for Android applications. In Proceedings of the USENIX Security Symposium.Google Scholar
Digital Library
- Yuanzhong Xu and Emmett Witchel. 2015. Maxoid: Transparently confining mobile applications with custom views of state. In Proceedings of the 10th European Conference on Computer Systems. 26.Google Scholar
Digital Library
- Jean Yang, Kuat Yessenov, and Armando Solar-Lezama. 2012. A language for automatically enforcing privacy policies. In Proceedings of the 39th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages.Google Scholar
Digital Library
- W. Yang, X. Xiao, B. Andow, S. Li, T. Xie, and W. Enck. 2015. AppContext: Differentiating malicious and benign mobile app behaviors using context. In Proceedings of the 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, Vol. 1. 303--313. DOI:https://doi.org/10.1109/ICSE.2015.50Google Scholar
Cross Ref
- Chixiang Zhou and Phyllis G. Frankl. 2009. Mutation testing for Java database applications. In Proceedings of the 2nd International Conference on Software Testing Verification and Validation, (ICST’09). 396--405.Google Scholar
- Yajin Zhou and Xuxian Jiang. 2012. Dissecting Android malware: Characterization and evolution. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland).Google Scholar
Digital Library
- Yajin Zhou, Zhi Wang, Wu Zhou, and Xuxian Jiang. 2012. Hey, you, get off of my market: Detecting malicious apps in official and alternative Android markets. In Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS’12).Google Scholar
- Yajin Zhou, Xinwen Zhang, Xuxian Jiang, and Vincent W. Freeh. 2011. Taming information-stealing smartphone applications (on Android). In Proceedings of the International Conference on Trust and Trustworthy Computing (TRUST’11).Google Scholar
Digital Library
Index Terms
Systematic Mutation-Based Evaluation of the Soundness of Security-Focused Android Static Analysis Techniques
Recommendations
Discovering flaws in security-focused static analysis tools for android using systematic mutation
SEC'18: Proceedings of the 27th USENIX Conference on Security SymposiumMobile application security has been one of the major areas of security research in the last decade. Numerous application analysis tools have been proposed in response to malicious, curious, or vulnerable apps. However, existing tools, and specifically, ...
Android Security via Static Program Analysis
Ph.D. Forum '17: Proceedings of the 2017 Workshop on MobiSys 2017 Ph.D. ForumAndroid is a popular platform designed for mobile devices. It consists of a customized Linux kernel, middleware, and a few core applications such as the Phone application. The middleware, commonly referred to as the Android framework, provides libraries ...
Android Malware Static Analysis Techniques
CISR '15: Proceedings of the 10th Annual Cyber and Information Security Research ConferenceDuring 2014, Business Insider announced that there are over a billion users of Android worldwide. Government officials are also trending towards acquiring Android mobile devices. Google's application architecture is already ubiquitous and will keep ...






Comments