Overcoming Language Dichotomies: Toward Effective Program Comprehension for Mobile App Development
Mobile devices and platforms have become an established target for modern
software developers due to performant hardware and a large and growing user
base numbering in the billions. Despite their popularity, the software
development process for mobile apps comes with a set of unique, domain-specific
challenges rooted in program comprehension. Many of these challenges stem from
developer difficulties in reasoning about different representations of a
program, a phenomenon we define as a "language dichotomy". In this paper, we
reflect upon the various language dichotomies that contribute to open problems
in program comprehension and development for mobile apps. Furthermore, to help
guide the research community towards effective solutions for these problems, we
provide a roadmap of directions for future work.
Comment: Invited Keynote Paper for the 26th IEEE/ACM International Conference on Program Comprehension (ICPC'18
MiniScope: Automated UI Exploration and Privacy Inconsistency Detection of MiniApps via Two-phase Iterative Hybrid Analysis
The advent of MiniApps, operating within larger SuperApps, has revolutionized
user experiences by offering a wide range of services without the need for
individual app downloads. However, this convenience has raised significant
privacy concerns, as these MiniApps often require access to sensitive data,
potentially leading to privacy violations. Our research addresses the critical
gaps in the analysis of MiniApps' privacy practices, especially focusing on
WeChat MiniApps in the Android ecosystem. Despite existing privacy regulations
and platform guidelines, there is a lack of effective mechanisms to safeguard
user privacy fully. We introduce MiniScope, a novel two-phase hybrid analysis
approach, specifically designed for the MiniApp environment. This approach
overcomes the limitations of existing static analysis techniques by
incorporating dynamic UI exploration for complete code coverage and accurate
privacy practice identification. Our methodology includes modeling UI
transition states, resolving cross-package callback control flows, and
automated iterative UI exploration. This allows for a comprehensive
understanding of MiniApps' privacy practices, addressing the unique challenges
of sub-package loading and event-driven callbacks. Our empirical evaluation of
over 120K MiniApps using MiniScope demonstrates its effectiveness in
identifying privacy inconsistencies. The results reveal significant issues,
with 5.7% of MiniApps over-collecting private data and 33.4% overclaiming data
collection. These findings emphasize the urgent need for more precise privacy
monitoring systems and highlight the responsibility of SuperApp operators to
enforce stricter privacy measures.
An analysis of android malware classification services
The increasing number of Android malware samples has forced antivirus (AV) companies to rely on automated classification techniques to determine the family and class of suspicious samples. The research community relies heavily on such labels to carry out prevalence studies of the threat ecosystem and to build datasets that are used to validate and benchmark novel detection and classification methods. In this work, we carry out an extensive study of the Android malware ecosystem by surveying white papers and reports from 6 key players in the industry, as well as 81 papers from 8 top security conferences, to understand how malware datasets are used by both. We then explore the limitations associated with the use of available malware classification services, namely VirusTotal (VT) engines, for determining the family of an Android sample. Using a dataset of 2.47M Android malware samples, we find that the detection coverage of VT's AVs is generally very low, that the percentage of samples flagged by any 2 AV engines does not go beyond 52%, and that the overlap in family labels between any pair of AV engines is at best 29%. We rely on clustering to determine the extent to which different AV engine pairs agree upon which samples belong to the same family (regardless of the actual family name) and find that there are discrepancies that can introduce noise in automatic label unification schemes. We also observe the usage of generic labels and inconsistencies within the labels of top AV engines, suggesting that their efforts are directed towards accurate detection rather than classification. Our results contribute to a better understanding of the limitations of using Android malware family labels as supplied by common AV engines.
This work has been supported by the "Ramon y Cajal" Fellowship RYC-2020-029401
Stack Overflow: A Code Laundering Platform?
Developers use Question and Answer (Q&A) websites to exchange knowledge and
expertise. Stack Overflow is a popular Q&A website where developers discuss
coding problems and share code examples. Although all Stack Overflow posts are
free to access, code examples on Stack Overflow are governed by the Creative
Commons Attribution-ShareAlike 3.0 Unported license that developers should obey
when reusing code from Stack Overflow or posting code to Stack Overflow. In
this paper, we conduct a case study with 399 Android apps, to investigate
whether developers respect license terms when reusing code from Stack Overflow
posts (and the other way around). We found 232 code snippets in 62 Android apps
from our dataset that were potentially reused from Stack Overflow, and 1,226
Stack Overflow posts containing code examples that are clones of code released
in 68 Android apps, suggesting that developers may have copied the code of
these apps to answer Stack Overflow questions. We investigated the licenses of
these pieces of code and observed 1,279 cases of potential license violations
(related to code posting to Stack Overflow or code reuse from Stack Overflow).
This paper aims to raise the awareness of the software engineering community
about potential unethical code reuse activities taking place on Q&A websites
like Stack Overflow.
Comment: In proceedings of the 24th IEEE International Conference on Software Analysis, Evolution, and Reengineering (SANER
Explainable AI for Android Malware Detection: Towards Understanding Why the Models Perform So Well?
Machine learning (ML)-based Android malware detection has been one of the
most popular research topics in the mobile security community. An increasing
number of research studies have demonstrated that machine learning is an
effective and promising approach for malware detection, and some works have
even claimed that their proposed models could achieve 99% detection accuracy,
leaving little room for further improvement. However, numerous prior studies
have suggested that unrealistic experimental designs bring substantial biases,
resulting in over-optimistic performance in malware detection. Unlike previous
research that examined the detection performance of ML classifiers to locate
the causes, this study employs Explainable AI (XAI) approaches to explore what
ML-based models learned during the training process, inspecting and
interpreting why ML-based malware classifiers perform so well under unrealistic
experimental settings. We discover that temporal sample inconsistency in the
training dataset brings over-optimistic classification performance (up to 99%
F1 score and accuracy). Importantly, our results indicate that ML models
classify malware based on temporal differences between malware and benign,
rather than the actual malicious behaviors. Our evaluation also confirms the
fact that unrealistic experimental designs lead to not only unrealistic
detection performance but also poor reliability, posing a significant obstacle
to real-world applications. These findings suggest that XAI approaches should
be used to help practitioners/researchers better understand how AI/ML models
(i.e., malware detection) work -- not just focusing on accuracy improvement.
Comment: Accepted by the 33rd IEEE International Symposium on Software Reliability Engineering (ISSRE 2022
A Study of Learning Environment for Initiating Flutter App Development Using Docker
The Flutter framework with the Dart programming language allows developers to effortlessly build applications for both web and mobile from a single codebase. It enables efficient compilation to native code for mobile apps and optimized JavaScript for web browsers. Since utilizing a wide range of widgets in Flutter ensures consistent experiences for users on various devices, it becomes valuable in programming education by providing a unified environment for learning app development while reducing the need for platform-specific knowledge. However, the setup of the Flutter environment is challenging for novice students due to its multiple steps, such as installing dependencies and configuring environments. To support independent learning for these students, it is essential to simplify the setup by providing user-friendly instructions and automated tools. In this paper, we present a Docker-based environment for Flutter app development across Windows, Linux, and Mac through Visual Studio Code, ensuring a unified learning experience. This paper aims to simplify complex configurations and address the obstacles encountered by students when initiating Flutter projects. For the evaluation, we prepared three simple Flutter projects along with the setup environment in a Docker container. Then, we asked 24 Master's students at Okayama University, Japan, to install the environment and modify the source code in the projects independently by following the given instructions. The results show that all the students successfully completed the assignments, which confirms the efficiency and validity of our proposal.
IoTSan: Fortifying the Safety of IoT Systems
Today's IoT systems include event-driven smart applications (apps) that
interact with sensors and actuators. A problem specific to IoT systems is that
buggy apps, unforeseen bad app interactions, or device/communication failures,
can cause unsafe and dangerous physical states. Detecting flaws that lead to
such states requires a holistic view of installed apps, component devices,
their configurations, and more importantly, how they interact. In this paper,
we design IoTSan, a novel practical system that uses model checking as a
building block to reveal "interaction-level" flaws by identifying events that
can lead the system to unsafe states. In building IoTSan, we design novel
techniques tailored to IoT systems, to alleviate the state explosion associated
with model checking. IoTSan also automatically translates IoT apps into a
format amenable to model checking. Finally, to understand the root cause of a
detected vulnerability, we design an attribution mechanism to identify
problematic and potentially malicious apps. We evaluate IoTSan on the Samsung
SmartThings platform. From 76 manually configured systems, IoTSan detects 147
vulnerabilities. We also evaluate IoTSan with malicious SmartThings apps from a
previous effort. IoTSan detects the potential safety violations and also
effectively attributes these apps as malicious.
Comment: Proc. of the 14th ACM CoNEXT, 201