Problems and Solutions in Mobile Application Testing

Mobiilirakenduste testimise alaste teadusartiklite arv on viimastel aastatel visalt suurenenud. Samas testivad vähesed mobiilirakendustega tegelevad teadlased oma oletusi ja lahendusi firmades. Selle lõputöö eesmärgiks on pakkuda ülevaade teaduskirjanduses mainitud mobiilirakenduste testimisega seotud probleemidest ja potentsiaalsetest lahendustest ning kõrvutada seda alal igapäevaselt tegutsevate professionaalide arvamusega. Kõigepealt viiakse selle töö käigus läbi teaduskirjanduse uuring probleemide ja potentsiaalsete lahenduste väljaselgitamiseks, misjärel intervjueeritakse kuue mobiilirakenduste testimisega tegeleva firma esindajaid, et välja selgitada, kas kirjelduses esile toodud probleemid on olulised ka tööstuses. Intervjuude tulemusena selgus, et kuigi firmad hindavad probleemide tähtsust väga erinevalt, on siiski olemas mõned võtmeprobleemid, mida peetakse oluliseks nii teaduses kui ka tööstuses. Samas on teaduskirjanduses pakutud lahendused tihti liiga teoreetilised, üldised või vananenud, et firmade esindajatele huvi pakkuda.In recent years the amount of scientific papers published on the topic of mobile applications has significantly increased. However, few researchers test their assumptions and solutions in industry. This thesis aims to provide an overview of what current scientific literature considers problems and potential solutions in mobile application testing, and compare it to opinions of industry professionals. A literature review is performed to extract the list of problems and potential solutions, after which representatives of six Estonian companies involved in the field are interviewed to verify whether the problems and solutions proposed in the literature are relevant for industry. The study reveals that while the relevance of each problem is highly variable from one company to another, there are some key problems that are generally considered vital both by research and industry. However, the solution concepts proposed by scientific literature are often too theoretical, general or outdated to be of much interest to industry professionals

Investigating Android permissions and intents for malware detection

Today’s smart phones are used for wider range of activities. This extended range of functionalities has also seen the infiltration of new security threats. Android has been the favorite target of cyber criminals. The malicious parties are using highly stealthy techniques to perform the targeted operations, which are hard to detect by the conventional signature and behaviour based approaches. Additionally, the limited resources of mobile device are inadequate to perform the extensive malware detection tasks. Impulsively emerging Android malware merit a robust and effective malware detection solution. In this thesis, we present the PIndroid ― a novel Permissions and Intents based framework for identifying Android malware apps. To the best of author’s knowledge, PIndroid is the first solution that uses a combination of permissions and intents supplemented with ensemble methods for malware detection. It overcomes the drawbacks of some of the existing malware detection methods. Our goal is to provide mobile users with an effective malware detection and prevention solution keeping in view the limited resources of mobile devices and versatility of malware behavior. Our detection engine classifies the apps against certain distinguishing combinations of permissions and intents. We conducted a comparative study of different machine learning algorithms against several performance measures to demonstrate their relative advantages. The proposed approach, when applied to 1,745 real world applications, provides more than 99% accuracy (which is best reported to date). Empirical results suggest that the proposed framework is effective in detection of malware apps including the obfuscated ones. In this thesis, we also present AndroPIn—an Android based malware detection algorithm using Permissions and Intents. It is designed with the methodology proposed in PInDroid. AndroPIn overcomes the limitation of stealthy techniques used by malware by exploiting the usage pattern of permissions and intents. These features, which play a major role in sharing user data and device resources cannot be obfuscated or altered. These vital features are well suited for resource constrained smartphones. Experimental evaluation on a corpus of real-world malware and benign apps demonstrate that the proposed algorithm can effectively detect malicious apps and is resilient to common obfuscations methods. Besides PInDroid and AndroPIn, this thesis consists of three additional studies, which supplement the proposed methodology. First study investigates if there is any correlation between permissions and intents which can be exploited to detect malware apps. For this, the statistical significance test is applied to investigate the correlation between permissions and intents. We found statistical evidence of a strong correlation between permissions and intents which could be exploited to detect malware applications. The second study is conducted to investigate if the performance of classifiers can further be improved with ensemble learning methods. We applied different ensemble methods such as bagging, boosting and stacking. The experiments with ensemble methods yielded much improved results. The third study is related to investigating if the permissions and intents based system can be used to detect the ever challenging colluding apps. Application collusion is an emerging threat to Android based devices. We discuss the current state of research on app collusion and open challenges to the detection of colluding apps. We compare existing approaches and present an integrated approach that can be used to detect the malicious app collusion

Improvements of and Extensions to FSMWeb: Testing Mobile Apps

A mobile application is a software program that runs on mobile device. In 2017, 178.1 billion mobile apps downloaded and the number is expected to grow to 258.2 billion app downloads in 2022 [19]. The number of app downloads poses a challenge for mobile application testers to find the right approach to test apps. This dissertation extends the FSMWeb approach for testing web applications [50] to test mobile applications (FSMApp). During the process of analyzing FSMWeb how it could be extended to test Mobile Apps, a number of shortcomings were detected which we improved upon. We discuss these first. We present an approach to generate black-box tests to test fail-safe behavior for web applications. We apply the approach to a large commercial web application. The approach uses a functional (behavioral) model to generate tests. It then determines at which states in the execution of behavioral test failures can occur and what mitigation requirements need to be tested. Mitigation requirements are used to build mitigation models for each failure type. From those mitigation models failure mitigation tests are generated. Next, this dissertation provides an approach for selective black-box model-based fail-safe regression testing for web applications. It classifies existing tests and test requirements as reusable, retestable, and obsolete. Removing reusable test requirements reduces test requirements between 49% to 65% in the case study. The approach also uses partial regeneration for new tests wherever possible. Third, we present the new FSMApp approach to test mobile applications and compare the approach with several other approaches [88, 37]. A number of case studies explore applicability, scalability, effectiveness, and efficiency of FSMApp with other approaches. Future work makes suggestion on how to improve test generation and execution efficiency with FSMApp

Security Testing of the Communication among Android Applications

An important reason behind the popularity of smartphones and tablets is the huge amount of available applications to download, to expand functionalities of the devices with brand new features. In fact, official stores provide a plethora of applications developed by third parties, for entertainment and business, most of which for free. However, confidential data (e.g., phone contacts, global GPS position, banking data and emails) could be disclosed by vulnerable applications. Sensitive applications should carefully validate exchanged data to avoid security problems. In this paper, we propose a novel testing approach to test communication among applications on mobile devices. We present a test case generation strategy and a testing adequacy criterion for Android applications. Our approach has been assessed on three widely used Android applications