
    Understanding the Evolution of Android App Vulnerabilities

    The Android ecosystem today is a growing universe of a few billion devices, hundreds of millions of users and millions of applications targeting a wide range of activities in which sensitive information is collected and processed. Security of communication and privacy of data are thus of utmost importance in application development. Yet, regularly, there are reports of successful attacks targeting Android users. While some of those attacks exploit vulnerabilities in the Android OS, others directly concern application-level code written by a large pool of developers with varying experience. Recently, a number of studies have investigated this phenomenon, focusing however only on a specific vulnerability type appearing in apps, and based on only a snapshot of the situation at a given time. Thus, the community still lacks comprehensive studies exploring how vulnerabilities have evolved over time, and how they evolve in a single app across developer updates. Our work fills this gap by leveraging a data stream of 5 million app packages to reconstruct versioned lineages of Android apps; we finally obtained 28,564 app lineages (i.e., successive releases of the same Android apps) with more than 10 app versions each, corresponding to a total of 465,037 APKs. Based on these app lineages, we apply state-of-the-art vulnerability-finding tools and systematically investigate the reports produced by each tool. In particular, we study which types of vulnerabilities are found, how they are introduced in the app code, where they are located, and whether they foreshadow malware. We provide insights based on the quantitative data as reported by the tools, but we further discuss the potential false positives. Our findings and study artifacts constitute tangible knowledge for the community. They could be leveraged by developers to focus verification tasks, and by researchers to drive vulnerability discovery and repair research efforts.

    Supporting Evolution and Maintenance of Android Apps

    Mobile developers and testers face a number of emerging challenges. These include rapid platform evolution and API instability; issues in bug reporting and reproduction involving complex multitouch gestures; platform fragmentation; the impact of reviews and ratings on the success of their apps; management of crowd-sourced requirements; continuous pressure from the market for frequent releases; lack of effective and usable testing tools; and limited computational resources on handheld devices. Traditional and contemporary methods in software evolution and maintenance were not designed for these types of challenges; therefore, a set of studies and a new toolbox of techniques for mobile development are required to analyze current challenges and propose new solutions. This dissertation presents a set of empirical studies, as well as solutions for some of the key challenges when evolving and maintaining Android apps. In particular, we analyzed key challenges experienced by practitioners and open issues in the mobile development community such as (i) Android API instability, (ii) performance optimizations, (iii) automatic GUI testing, and (iv) energy consumption. When carrying out the studies, we relied on qualitative and quantitative analyses to understand the phenomena on a large scale by considering evidence extracted from software repositories and the opinions of open-source mobile developers. From the empirical studies, we identified that dynamic analysis is a relevant method for several evolution and maintenance tasks, in particular because of the need for practitioners to execute/validate the apps on a diverse set of platforms (i.e., device and OS) and under pressure for continuous delivery. Therefore, we designed and implemented an extensible infrastructure that enables large-scale automatic execution of Android apps to support different evolution and maintenance tasks (e.g., testing and energy optimization).
    In addition to the infrastructure, we present a taxonomy of issues, individual solutions to those issues, and guidelines to enable large-scale execution of Android apps. Finally, we devised novel approaches aimed at supporting testing and energy optimization of mobile apps (two key challenges in the evolution and maintenance of Android apps). First, we propose a novel hybrid approach for automatic GUI-based testing of apps that is able to generate (un)natural test sequences by mining real application usages and learning statistical models that represent the GUI interactions. In addition, we propose a multi-objective approach for optimizing the energy consumption of GUIs in Android apps that is able to generate visually appealing color compositions while reducing energy consumption and keeping the design concept close to the original.

    Understanding and Tooling Framework API Evolution

    RÉSUMÉ: Application frameworks are used intensively in modern software development and are accessed through their Application Programming Interface (API), which defines a set of functionalities that client programs can use to accomplish tasks. Application frameworks keep evolving over their lifetimes to satisfy demand for new features or to patch security vulnerabilities. Framework evolution can cause API changes to which client programs must adapt. Upgrading to new versions of frameworks takes time and can even interrupt service. Helping developers update their programs is of great interest to academic and industrial researchers. In this thesis, we carry out an exploratory study of the reality of API evolution and usage in the Maven central repository and in two large frameworks with large ecosystems: Apache and Eclipse. We find that APIs change in about 10% of frameworks and affect 50% of client programs. Classes and methods going missing and disappearing from frameworks happens more often than other changes, and these classes and methods affect client programs more often than other API changes. We also show that about 80% of API usages in client programs can be reduced by refactoring. Building on this finding, we conduct an experiment to verify the effectiveness of the API change rules generated by existing approaches, which recommend replacements for APIs that disappeared during framework evolution.
    We confirm that API change rules help developers find replacements for missing APIs more precisely, in particular for frameworks that are difficult to understand. Finally, we study the effectiveness of the features used to build API change rules and of different ways of combining several features. We argue and show that approaches based on multi-objective optimization can detect API change rules more precisely and can take new features into account more easily than previous approaches.

    ABSTRACT: Frameworks are widely used in modern software development and are accessed through their Application Programming Interfaces (APIs), which specify sets of functionalities that client programs can use to accomplish their tasks. Frameworks keep evolving during their lifespan to cope with new requirements, to patch security vulnerabilities, etc. Framework evolution may lead to API changes to which client programs must adapt. Upgrading to new releases of frameworks is time-consuming and can even interrupt services. Helping developers upgrade frameworks draws great interest from both academic and industrial researchers. In this dissertation, we first present an exploratory study to investigate the reality of API changes and usages in the Maven repository and two framework ecosystems: Apache and Eclipse. We find that API changes in about 10% of frameworks affect about 50% of client programs. Missing classes and missing methods happen more often in frameworks and affect client programs more often than other API changes. About 80% of API usages in client programs can be reduced by refactoring. Based on these findings, we conduct an empirical study to verify the usefulness of API change rules automatically built by previous approaches, which recommend replacements for APIs missing due to framework evolution.
    We show that API change rules do help developers find the replacements of missing APIs more accurately, especially for frameworks that are difficult to understand. We describe another empirical study to evaluate the effectiveness of features used to build API change rules and of different ways of combining multiple features. We argue and show that multi-objective-optimization-based approaches can detect more correct change rules and are easier to extend with new features than previous approaches.

    Exploring the effects of temporal evolution in open source software projects

    This study addresses the governance and coordination challenges faced in open source software (OSS) development projects, a modern development approach that has seen rapid adoption in recent years. Unlike traditional software development, OSS projects involve a geographically dispersed base of volunteers working on the code openly, usually without formal hierarchies or contracts. As a result, OSS projects can face scalability issues, such as developers freely abandoning projects or disputes leading to project forking. The study of OSS governance and its underlying mechanisms has seen recent interest. Some of this research has proposed that social dynamics and community structures may change as a result of evolution and growth. This study is therefore an attempt to understand how different types of OSS projects evolve over time. The goal of this study is to identify evolutionary patterns in the community's approach regarding the trade-off between innovation and sustainability. The research question to be answered is as follows: What evolutionary patterns can be identified with regard to the community and its approach to innovation and sustainability of open source software development projects? To answer this question, quantitative research has been carried out based on the data of over 1,500 open source software projects created by Google, Microsoft, or Apache. This data has been retrieved through the GraphQL API of GitHub, the world’s largest open source development platform. With the help of Python scripts, this data has been analyzed to identify certain phenomena (patterns) in the evolution of OSS projects. Based on the academic literature, a framework is developed to categorize OSS projects, emphasizing the trade-off between innovation and sustainability. The results indicate that after the first project release, attention towards smaller features increases. Innovation and sustainability levels are, however, not affected.
    Over time, projects with high innovation levels tend to transition towards a more defensive approach. Simultaneously, projects with initially low sustainability levels show improvement and reach sustainable levels after the first year. Notably, the size of the community is a key predictor of new contributor inflow, while having more pull request reviewers proves effective in both contributor retention and innovation. Interestingly, contributors tend to remain engaged for longer periods when involved in non-profit sponsored projects compared to for-profit sponsored projects. Moreover, a change in platform ownership does not significantly impact other organizations within the platform. Lastly, the study reveals that early contributors show longer retention, whereas the inflow of new contributors gradually decreases as OSS projects age. These are the identified evolutionary patterns in open source software projects; they show that while there are inherent differences between such projects, they commonly go through the same or similar events. The degree of change depends on organizational and project characteristics. As this research focuses solely on sponsored open source projects, further research could examine community-founded projects and compare them with the results of this study. Additionally, investigating the relationship between contributor turnover, innovation, and project sustainability would be valuable.

    Advancing computational biophysics with Virtual Reality

    Computational models are powerful tools for exploring the properties of complex biological systems. In computational neuroscience, enabling easy computational exploration and visualization of these models is crucial to the progress of the field. In recent years, 3D visualization systems and virtual reality hardware have become more accessible, which opens a window of opportunity for visualization services. The main current problem of 3D visualization concerns usability (that is, navigation and selection). In this dissertation, we hypothesize that replacing 3D with VR will (1) overcome the usability problems mentioned and, eventually, (2) increase users' effectiveness with respect to questions from the field of study (neuroscience). To evaluate the results of the work developed in this dissertation, a two-part experiment will be carried out in which a group of individuals must perform a set of predetermined tasks and rate their experience using 3D in the first part and VR in the second. Besides the self-assessment of the experience, data such as completion time and task correctness will also be used to quantify the effectiveness of the visualization method. Given the experiment mentioned, a prototype of a (web-based) application with virtual reality visualization is to be developed. The 3D visualization will be provided by a web-based open-source framework called Geppetto. Each of the decisions made in developing the prototype will be properly analyzed in this document, as will the scientific literature that serves as its basis where necessary. Besides the study of virtual reality itself, standard methods for the visualization of (neuro)scientific information will also be analyzed.
    The proposed solution will seek to constitute a solid and sufficiently generic base of work to be applied not only in the context of neuroscience, but also in various other contexts where the visualization of models through virtual reality could be successful.

    Computational models are powerful tools for exploring the properties of complex biological systems. In computational neuroscience, allowing easy computational exploration and visualization of these models is crucial for the progress of the field. In recent years, Virtual Reality hardware and visualization systems have become more affordable, and this opens a window of opportunity for visualization services. The current major problem of 3D visualization concerns usability (i.e., navigation and selection). During this dissertation, we will hypothesize that the replacement of 3D with VR will (1) overcome the usability issues mentioned and eventually (2) boost user effectiveness regarding field of study (neuroscience) concerns. In order to evaluate the results of the work developed under this dissertation, a two-part experiment will be carried out where a group of individuals must perform a set of predetermined tasks and evaluate their experience using 3D in the first part and VR in the last part. Besides the self-evaluation of the experience, data such as completion time and task correctness will also be used to quantify the effectiveness of the visualization method. Given the aforementioned experiment, a prototype of a (web-based) application with Virtual Reality visualization shall be developed. The 3D visualization will be provided by a web-based open-source framework called Geppetto. Each of the decisions made in the development of the prototype will be properly analyzed in this document, as well as the scientific literature that will serve as a basis when necessary.
    Besides the study of Virtual Reality itself, standard methods with respect to the visualization of (neuro)scientific information will also be analyzed. The proposed solution will seek to constitute a solid and sufficiently generic work base to be applied, not only in the scope of neuroscience, but also in several other contexts where visualization through VR might be successful.

    Android Application Security Scanning Process

    This chapter presents the security scanning process for Android applications. The aim is to guide researchers and developers through the core phases/steps required to analyze Android applications, check their trustworthiness, and protect Android users and their devices from falling victim to different malware attacks. The scanning process is comprehensive, explaining the main phases and how they are conducted, including (a) the download of the apps themselves; (b) Android application package (APK) reverse engineering; (c) app feature extraction, considering both static and dynamic analysis; (d) dataset creation and/or utilization; and (e) data analysis and data mining that result in detection systems, classification systems, and ranking systems. Furthermore, this chapter highlights the app features, evaluation metrics, mechanisms and tools, and datasets that are frequently used during the app security scanning process.

    Accessing Inaccessible Android APIs: An Empirical Study

    As Android becomes the de facto choice of development platform for mobile apps, developers extensively leverage its accompanying Software Development Kit to quickly build their apps. This SDK comes with a set of APIs which developers may find limited in comparison to what system apps can do or what framework developers are preparing to harness the capabilities of new-generation devices. Thus, developers may attempt to explore in advance the normally “inaccessible” APIs for building unique API-based functionality in their app. The Android programming model is unique in its kind. Inaccessible APIs, which are nevertheless used by developers, constitute yet another specificity of Android development, and they are worth investigating to understand what they are, how they evolve over time, and who uses them. To that end, in this work, we empirically investigate 17 important releases of the Android framework source code base, and we find that inaccessible APIs are commonly implemented in the Android framework, and that they are neither forward nor backward compatible. Moreover, a small set of inaccessible APIs can eventually become publicly accessible, while most of them are removed during the evolution, creating risks for apps that have relied on inaccessible APIs. Finally, we show that inaccessible APIs are indeed accessed by third-party apps, and that the official Google Play store has tolerated the proliferation of apps leveraging inaccessible API methods.