7 research outputs found

    APSET, an Android aPplication SEcurity Testing tool for detecting intent-based vulnerabilities.

    The Android messaging system, called intent, is a mechanism that ties components together to build applications for smartphones. Intents are kinds of messages composed of actions and data, sent by one component to another component to perform several operations, e.g., launching a user interface. The intent mechanism offers a lot of flexibility for developing Android applications, but it might also be used as an entry point for security attacks. Attacks can easily be sent with intents to components, which can indirectly forward the attacks to other components, and so on. In this context, this paper proposes APSET, a tool for Android aPplication SEcurity Testing, which aims at detecting intent-based vulnerabilities. It takes as inputs Android applications and intent-based vulnerabilities formally expressed with models called vulnerability patterns. Then, and this is the originality of our approach, class diagrams and partial specifications are automatically generated from applications with algorithms reflecting some knowledge of the Android documentation. These partial specifications avoid false positives and refine the test result with special verdicts notifying that a component is not compliant with its specification. Furthermore, we propose a test case execution framework which supports the receipt of any exception, the detection of application crashes, and provides a final XML test report detailing the test case verdicts. The vulnerability detection effectiveness of APSET is evaluated with experiments on randomly chosen Android applications from the Android Market.

    Problems and Solutions in Mobile Application Testing

    In recent years the number of scientific papers published on the topic of mobile application testing has significantly increased. However, few researchers test their assumptions and solutions in industry. This thesis aims to provide an overview of what the current scientific literature considers to be the problems and potential solutions in mobile application testing, and to compare it with the opinions of industry professionals. First, a literature review is performed to extract the list of problems and potential solutions, after which representatives of six Estonian companies involved in mobile application testing are interviewed to verify whether the problems and solutions identified in the literature are also relevant for industry. The interviews reveal that, while companies rate the importance of each problem very differently, there are nevertheless some key problems that are considered vital both in research and in industry. However, the solutions proposed in the scientific literature are often too theoretical, general or outdated to be of much interest to industry professionals.

    A Survey and Evaluation of Android-Based Malware Evasion Techniques and Detection Frameworks

    Android platform security is an active area of research in which malware detection techniques continuously evolve to identify novel malware and to improve the timely and accurate detection of existing malware. Adversaries, in turn, constantly employ innovative techniques to avoid or delay detection. Past studies have shown that malware detection systems are susceptible to evasion attacks, in which adversaries successfully bypass existing security defenses and deliver malware to the target system without being detected. Building evasion-resistant detection systems remains an open research problem. This paper presents a detailed taxonomy and evaluation of Android-based malware evasion techniques deployed to circumvent malware detection. The study characterizes such evasion techniques into two broad categories, polymorphism and metamorphism, and analyses the techniques used to detect stealthy malware based on the malware's unique characteristics. Furthermore, the article presents a qualitative and systematic comparison of evasion detection frameworks and their detection methodologies for Android-based malware. Finally, the survey discusses open questions and potential future directions for continued research in mobile malware detection.

    Automated Testing of Android Apps: A Systematic Literature Review

    Automated testing of Android apps is essential for app users, app developers and market maintainer communities alike. Given the widespread adoption of Android and the specificities of its development model, the literature has proposed various testing approaches for ensuring that not only functional requirements but also non-functional requirements are satisfied. In this paper, we aim to provide a clear overview of the state-of-the-art work on Android app testing, in order to highlight the main trends, pinpoint the main methodologies applied, and enumerate the challenges faced by Android testing approaches as well as the directions where community effort is still needed. To this end, we conduct a Systematic Literature Review (SLR) in which we identified 103 relevant research papers published in leading conferences and journals up to 2016. Our thorough examination of the relevant literature has led to several findings and highlighted the challenges that Android testing researchers should strive to address in the future. Building on these, we propose a few concrete research directions where testing approaches are needed to solve recurrent issues in app updates, continuous increases in app sizes, and the fragmentation of the Android ecosystem.

    Automating Test Case Generation for Android Applications using Model-based Testing

    Testing of mobile applications (apps) has its quirks, as numerous events must be tested. Mobile app testing, being an evolving domain, carries certain challenges that should be accounted for in the overall testing process. Since smartphone apps are moderate in size, we consider that model-based testing (MBT) using state machines and statecharts could be a promising option for ensuring maximum coverage and completeness of test cases. Using a model-based testing approach, we can automate the tedious phase of test case generation, which not only saves time in the overall testing process but also minimizes defects and ensures maximum test case coverage and completeness. In this paper, we explore and model the most critical modules of a mobile app for generating test cases, to ascertain the efficiency and impact of using model-based testing. Test cases for the targeted model of the application under test were generated and executed on a real device. The experimental results indicate that our framework reduced the time required to execute all the generated test cases by 50%. The experimental setup and results are reported herein.

    Development of an application that scans for vulnerabilities on Android mobile devices to mitigate security problems

    The research project "Development of an application that scans for vulnerabilities on Android mobile devices to mitigate security problems", carried out in the city of Riobamba, mainly benefits software developers in practising secure programming on Android. This research applies the scientific method, following several stages to obtain valid knowledge, which ensured the reliability of the research and its results. The indicators considered in the variables were compared, and descriptive and inferential statistics were applied to test the hypothesis. The tools used were the NetBeans and Eclipse Juno integrated development environments, the Java JDK (Java Development Kit) and the Android SDK (Software Development Kit). A test case generator and an execution framework were developed that detect vulnerabilities in the scanned applications, and the Guide to Best Practices for Secure Programming on Android was written. Prototypes I (without the guide's recommendations) and II (with the guide's recommendations) of 3 applications were implemented and their results compared; they obtained ratings of 28 and 34 points respectively on Likert scales. It is concluded that the developed application (APSEBI) scans for intent-based vulnerabilities and that, through the guide produced, the security of Android applications improves by 21.4%. Software developers are advised to keep updating the test case generator with new vulnerability patterns, and likewise to keep the guide up to date.