Measuring the declared SDK versions and their consistency with API calls in android apps

Android has been the most popular smartphone system, with multiple platform versions (e.g., KITKAT and Lollipop) active in the market. To manage the application's compatibility with one or more platform versions, Android allows apps to declare the supported platform SDK versions in their manifest files. In this paper, we make a first effort to study this modern software mechanism. Our objective is to measure the current practice of the declared SDK versions (which we term as DSDK versions afterwards) in real apps, and the consistency between the DSDK versions and their app API calls. To this end, we perform a three-dimensional analysis. First, we parse Android documents to obtain a mapping between each API and their corresponding platform versions. We then analyze the DSDK-API consistency for over 24K apps, among which we pre-exclude 1.3K apps that provide different app binaries for different Android versions through Google Play analysis. Besides shedding light on the current DSDK practice, our study quantitatively measures the two side effects of inappropriate DSDK versions: (i) around 1.8K apps have API calls that do not exist in some declared SDK versions, which causes runtime crash bugs on those platform versions; (ii) over 400 apps, due to claiming the outdated targeted DSDK versions, are potentially exploitable by remote code execution. These results indicate the importance and difficulty of declaring correct DSDK, and our work can help developers fulfill this goal.Comment: This paper has been accepted by WASA 2017 (http://wasa-conference.org/WASA2017/). It is originally a course project paper done by the first three authors in April 201

GAINDroid: General Automated Incompatibility Notifier for Android Applications

With the ever-increasing popularity of mobile devices over the last decade, mobile apps and the frameworks upon which they are built frequently change. This rapid evolution leads to a confusing jumble of devices and applications utilizing differing features even within the same framework. For Android apps and devices, representing over 80% of the market share, mismatches between the version of the Android operating system installed on a device and the version of the app installed, can lead to several run-time crashes, providing a poor user experience. This thesis presents GAINDroid, an analysis approach, backed with a classloader based program analyzer, that automatically detects three types of mismatches to which an app may be vulnerable across versions of the Android API it supports. Unlike all prior techniques that focus on identifying a particular problem, such as callback APIs issues, GAINDroid has the potential to greatly increase the scope of the analysis by automatically and effectively analyzing various sources of incompatibilities that may lead an app to crash at run-time. We applied GAINDroid to 3,590 real-world apps and compared the results of our analysis against state-of-the-art tools. The experimental results demonstrate its ability to outperform the existing analysis techniques in terms of both the number and type of mismatches correctly identified as well as run-time performance of the analysis. Adviser: Hamid Bagher

Measuring and Characterizing (mis)compliance of the Android permission system

Within the Android mobile operating system, Android permissions act as a system of safeguards designed to restrict access to potentially sensitive data and privileged components. Multiple research studies indicate flaws and limitations of the Android permission system, prompting Google to implement a more regulated and fine-grained permission model. In spite of its newly-introduced complexity, misgranted permissions continue to present a significant risk to users. We present research on theoretical and practical misuse of permissions using our methodology that leverages unified permissions and call mappings. To guide the automated evaluation of permission use and compliance in Android apps, we develop PChecker, a tool that reports permissions requested by and granted to Android devices. We evaluate four versions of the Android Open Source Project code (major versions 10--13) and shed light on the prevalence of discrepancies between the official Android guidelines for permissions and their implementation in the Android platform source code. We use PChecker to analyze the permission use of 3,681 Android apps showing the common prevalence and occasional severity of non-compliance in real-world scenarios

A Memory Usage Comparison Between Jitana and Soot

There are several factors that make analyzing Android apps to address dependability and security concerns challenging. These factors include (i) resource efficiency as analysts need to be able to analyze large code-bases to look for issues that can exist in the application code and underlying platform code; (ii) scalability as today’s cybercriminals deploy attacks that may involve many participating apps; and (iii) in many cases, security analysts often rely on dynamic or hybrid analysis techniques to detect and identify the sources of issues. The underlying principle governing the design of existing program analysis engines is the main cause that prevents them from satisfying these factors. Existing designs operate like compilers, so they only analyze one app at a time using a close-world process that leads to poor efficiency and scalability. Recently, Tsutana et al. introduced Jitana, a Virtual Class-Loader (VCL) based approach to construct program analyses based on the open-world concept. This approach is able to continuously load and analyze code. As such, this approach establishes a new way to make analysis efforts proportional to the code size and provides an infrastructure to construct complex, efficient, and scalable static, dynamic, and hybrid analysis procedures to address emerging dependability and security needs. In this thesis, we attempt to quantify the performance benefit of Jitana through the lens of memory usage. Memory is a very important system-level resource that if not expended efficiently, can result in long execution time and premature termination of a program. Existing program analysis frameworks are notorious for consuming a large amount of memory during an attempt to analyze a large software project. As such, we design an experiment to compare the memory usage between Jitana and Soot, a widely used program analysis and optimization framework for Java. Our evaluation consists of using 18 Android apps, with sizes ranging from 0.02 MB to 80.4 MB. Our empirical evaluations reveal that Jitana requires up to 81% less memory than Soot to analyze an app. At the same time, it can also analyze more components including those belonging to the application and those belonging to the Android framework. Adviser: Witawas Srisa-a

Towards Principled Dynamic Analysis on Android

The vast amount of information and services accessible through mobile handsets running the Android operating system has led to the tight integration of such devices into our daily routines. However, their capability to capture and operate upon user data provides an unprecedented insight into our private lives that needs to be properly protected, which demands for comprehensive analysis and thorough testing. While dynamic analysis has been applied to these problems in the past, the corresponding literature consists of scattered work that often specializes on sub-problems and keeps on re-inventing the wheel, thus lacking a structured approach. To overcome this unsatisfactory situation, this dissertation introduces two major systems that advance the state-of-the-art of dynamically analyzing the Android platform. First, we introduce a novel, fine-grained and non-intrusive compiler-based instrumentation framework that allows for precise and high-performance modification of Android apps and system components. Second, we present a unifying dynamic analysis platform with a special focus on Android’s middleware in order to overcome the common challenges we identified from related work. Together, these two systems allow for a more principled approach for dynamic analysis on Android that enables comparability and composability of both existing and future work.Die enorme Menge an Informationen und Diensten, die durch mobile Endgeräte mit dem Android Betriebssystem zugänglich gemacht werden, hat zu einer verstärkten Einbindung dieser Geräte in unseren Alltag geführt. Gleichzeitig erlauben die dabei verarbeiteten Benutzerdaten einen beispiellosen Einblick in unser Privatleben. Diese Informationen müssen adäquat geschützt werden, was umfassender Analysen und gründlicher Prüfung bedarf. Dynamische Analysetechniken, die in der Vergangenheit hier bereits angewandt wurden, fokussieren sich oftmals auf Teilprobleme und reimplementieren regelmäßig bereits existierende Komponenten statt einen strukturierten Ansatz zu verfolgen. Zur Überwindung dieser unbefriedigenden Situation stellt diese Dissertation zwei Systeme vor, die den Stand der Technik dynamischer Analyse der Android Plattform erweitern. Zunächst präsentieren wir ein compilerbasiertes, feingranulares und nur geringfügig eingreifendes Instrumentierungsframework für präzises und performantes Modifizieren von Android Apps und Systemkomponenten. Anschließend führen wir eine auf die Android Middleware spezialisierte Plattform zur Vereinheitlichung von dynamischer Analyse ein, um die aus existierenden Arbeiten extrahierten, gemeinsamen Herausforderungen in diesem Gebiet zu überwinden. Zusammen erlauben diese beiden Systeme einen prinzipienorientierten Ansatz zur dynamischen Analyse, welcher den Vergleich und die Zusammenführung existierender und zukünftiger Arbeiten ermöglicht

Determinants of quality, latency, and amount of Stack Overflow answers about recent Android APIs.

Stack Overflow is a popular crowdsourced question and answer website for programming-related issues. It is an invaluable resource for software developers; on average, questions posted there get answered in minutes to an hour. Questions about well established topics, e.g., the coercion operator in C++, or the difference between canonical and class names in Java, get asked often in one form or another, and answered very quickly. On the other hand, questions on previously unseen or niche topics take a while to get a good answer. This is particularly the case with questions about current updates to or the introduction of new application programming interfaces (APIs). In a hyper-competitive online market, getting good answers to current programming questions sooner could increase the chances of an app getting released and used. So, can developers anyhow, e.g., hasten the speed to good answers to questions about new APIs? Here, we empirically study Stack Overflow questions pertaining to new Android APIs and their associated answers. We contrast the interest in these questions, their answer quality, and timeliness of their answers to questions about old APIs. We find that Stack Overflow answerers in general prioritize with respect to currentness: questions about new APIs do get more answers, but good quality answers take longer. We also find that incentives in terms of question bounties, if used appropriately, can significantly shorten the time and increase answer quality. Interestingly, no operationalization of bounty amount shows significance in our models. In practice, our findings confirm the value of bounties in enhancing expert participation. In addition, they show that the Stack Overflow style of crowdsourcing, for all its glory in providing answers about established programming knowledge, is less effective with new API questions

GreenSource: repository tailored for green software analysis

Dissertação de mestrado in Computer ScienceBoth energy consumption analysis and energy-aware development have gained the attention of both developers and researchers over the past years. The interest is more notorious due to the proliferation of mobile devices, where energy is a key concern. There is a gap identified in terms of tools and information to detect and identify anomalous energy consumption in Android applications. A large part of the existing tools are based on external hardware (costly solutions in terms of setup-time), through predictive models (requiring previous hardware calibration) or static code analysis methods. We could not identify so far a tool capable of monitor all relevant system resources and components that an application uses and appoint its energy consumption, while being easily integrated with the application and/or with its development environment. Due to the lack of a tool capable of gathering all this information, a natural consequence is the lack of information about the energy consumption of applications and factors that can influence it. This dissertation aims to carry out a study on the energy consumption of applications and mobile devices in the Android platform, having developed in this scope the GreenSource infrastructure, a repository containing the source code, representative metadata and metrics relatively to a large number of applications (and respective execution in physical devices). In order to gather the results, an auxiliary tool has been developed to automatize the process of testing and collect the respective results for each one of the applications. This tool is a software-based solution, allowing to obtain results in terms of consumption through executions made directly on a physical device running the Android platform. The developed framework, the AnaDroid, has the capability to perform static and dynamic analysis of an application, being able to monitor power consumption and usage of resources for each application through tests execution. This is done following a whitebox testing approach, in order to test applications at source code level. It invokes calls to the TrepnLib library at strategic locations of the application code (through instrumentation techniques) to gain control over relevant portions of the source code, like methods and unit tests. In this way the programmer can have results about the use, state and consumption of resources such as energy, CPU, GPU, memory, sensor usage and complexity of developed test cases. The information gathered through the use of the AnaDroid over a large set of applications was stored in GreenSource backend. With the collected results, we expect to be able to characterize and classify applications, as well the tests developed for it. It is intended that this will be made publicly available and serve as a reference for future works and studies.Quer a análise do consumo de energia, quer o desenvolvimento de aplicações com consciência neste sentido têm vindo a cativar a atenção de desenvolvedores e investigadores nos últimos anos. O interesse é mais notório devido à proliferação de dispositivos móveis, onde a energia é uma preocupação fundamental mas ainda pouco explorada. Como tal, existem lacunas identificadas em termos de ferramentas e informações para detectar e identificar o consumo anómalo de energia em aplicações Android. Grande parte das ferramentas existentes são baseadas em hardware externo (soluções dispendiosas em termos de tempo de setup), através de modelos preditivos (que exigem calibração prévia) ou métodos de análise estática de código. Não conseguimos identificar até ao momento uma ferramenta capaz de monitorizar de forma precisa todos os recursos e componentes relevantes do sistema usados por uma aplicação, bem como de determinar o seu consumo energético. Esta lacuna tem como consequência natural a falta de informação sobre o consumo de energia de aplicações e fatores que podem influenciá-lo. Esta dissertação tem como objetivo realizar um estudo sobre o consumo de energia na plataforma Android, tendo sido desenvolvido neste âmbito a infraestrutura GreenSource. Esta contém um repositório que engloba o código fonte, resultados e métricas relativas a um grande número de aplicações. A fim de obter resultados ilustrativos para um grande número de aplicações, foi desenvolvida uma ferramenta para automatizar o processo de teste e reunir os respectivos resultados. A ferramenta desenvolvida é baseada em software, permitindo obter resultados em termos de consumo através de execuções realizadas diretamente num dispositivo físico Android. Esta framework, denominada AnaDroid, possui a capacidade de analizar aplicações de forma estática e dinâmica, bem como de monitorizar o consumo e uso de recursos durante a sua execução. Para este efeito, são efetuadas invocações a uma biblioteca denominada TrepnLib, em locais estratégicos do código da aplicação para obter controlo sobre partes relevantes deste. Desta forma obtém-se resultados sobre o uso, estado e consumo de recursos, tais como consumo energético, CPU, GPU, memória, sensores. As informações reunidas através da execução do AnaDroid foram armazenadas na base de dados do GreenSource. Com todos os resultados coletados, pretende-se caracterizar e classificar energeticamente aplicações e testes desenvolvidos para estas. Pretende-se disponibilizar abertamente estes resultados, para que possam servir como referencia para futuros trabalhos, análises e estudos