1st International Workshop on Advances in Mobile App Analysis (A-Mobile 2018), September 4, 2018, Montpellier, France
Message from the Chairs
Welcome to the 1st International Workshop on Advances in Mobile App Analysis (A-Mobile), held on 4 September 2018, co-located with the 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE 2018), in Montpellier, France. The main objective of this workshop is to bring together researchers and practitioners in the field of mobile app analysis to present and discuss emerging advanced techniques.
Configurations in Android Testing: They Matter
Emily Kowalczyk, Myra B. Cohen, and Atif M. Memon
(University of Maryland, USA; University of Nebraska-Lincoln, USA)
Android has rocketed to the top of the mobile market thanks in large part to its open source model. Vendors use Android for their devices for free, and companies make customizations to suit their needs. This has resulted in a myriad of configurations that are extant in the user space today. In this paper, we show that differences in configurations, if ignored, can lead to differences in test outputs and code coverage. Consequently, researchers who develop new testing techniques and evaluate them on only one or two configurations are missing a necessary dimension in their experiments and developers who ignore this may release buggy software. In a large study on 18 apps across 88 configurations, we show that only one of the 18 apps studied showed no variation at all. The rest showed variation in either, or both, code coverage and test results. 15% of the 2,000 plus test cases across all of the apps vary, and some of the variation is subtle, i.e. not just a test crash. Our results suggest that configurations in Android testing do matter and that developers need to test using configuration-aware techniques.
@InProceedings{A-Mobile18p1,
author = {Emily Kowalczyk and Myra B. Cohen and Atif M. Memon},
title = {Configurations in Android Testing: They Matter},
booktitle = {Proc.\ A-Mobile},
publisher = {ACM},
pages = {1--6},
doi = {10.1145/3243218.3243219},
year = {2018},
}
SPEjs: A Symbolic Partial Evaluator for JavaScript
Sümeyye Süslü and Christoph Csallner
(University of Texas at Arlington, USA)
Partial evaluation is widely performed statically, to perform a source to source transformation on a source program that yields a specialized source program. A key observation is that current partial evaluation schemes perform fast but relatively shallow static analyses. In this paper we propose to deepen the reach of such partial evaluation schemes by selectively adding local symbolic execution. Concretely, we describe the SPEjs symbolic partial evaluator for JavaScript that is built on Babel and the SMT solver Z3. To gauge the promise of this approach we compared SPEjs with Facebook's state-of-the-art partial evaluator Prepack. Our results on a set of micro benchmarks and Prepack's test suite indicate that, within Prepack's runtime budget, SPEjs was able to simplify additional expressions and therefore remove dead code branches that Prepack failed to remove, yielding smaller residual programs.
@InProceedings{A-Mobile18p7,
author = {Sümeyye Süslü and Christoph Csallner},
title = {SPEjs: A Symbolic Partial Evaluator for JavaScript},
booktitle = {Proc.\ A-Mobile},
publisher = {ACM},
pages = {7--12},
doi = {10.1145/3243218.3243220},
year = {2018},
}
Exploring the Effects of Ad Schemes on the Performance Cost of Mobile Phones
Cuiyun Gao, Jichuan Zeng, Federica Sarro, Michael R. Lyu, and Irwin King
(Chinese University of Hong Kong, China; University College London, UK)
Advertising is an important revenue source for mobile app development, especially for free apps. However, ads also carry costs to users. Displaying ads can interfere with user experience, and lead to less user retention and reduced earnings ultimately. Although there are recent studies devoted to directly mitigating ad costs, for example, by reducing the battery or memory consumed, comprehensive analysis on ad embedded schemes (e.g., ad sizes and ad providers) has rarely been conducted. In this paper, we focus on analyzing three types of performance cost, i.e., cost of memory/CPU, traffic, and battery. We explore 12 ad schemes used in 104 popular Android apps and compare their performance consumption. We show that the performance costs of the ad schemes we analyzed are significantly different. We also summarize the ad schemes that would generate low resource cost to users. Our summary is endorsed by 37 experienced app developers we surveyed.
@InProceedings{A-Mobile18p13,
author = {Cuiyun Gao and Jichuan Zeng and Federica Sarro and Michael R. Lyu and Irwin King},
title = {Exploring the Effects of Ad Schemes on the Performance Cost of Mobile Phones},
booktitle = {Proc.\ A-Mobile},
publisher = {ACM},
pages = {13--18},
doi = {10.1145/3243218.3243221},
year = {2018},
}
Poking the Bear: Lessons Learned from Probing Three Android Malware Datasets
Aleieldin Salem and Alexander Pretschner
(TU Munich, Germany)
To counter the continuous threat posed by Android malware, we attempted to devise a novel method based on active learning. Nonetheless, evaluating our active learning based method on three different Android malware datasets resulted in performance discrepancies. In an attempt to explain such inconsistencies, we postulated research questions and designed corresponding experiments to answer them. The results of our experiments unveiled the reasons behind the struggles of our method and, more importantly, revealed some limitations with the current Android malware detection methods that, we fear, can be leveraged by malware authors to evade detection. In this paper, we share with the research community our research questions, experiments, and findings to instigate researchers to devise methods to tackle such limitations.
@InProceedings{A-Mobile18p19,
author = {Aleieldin Salem and Alexander Pretschner},
title = {Poking the Bear: Lessons Learned from Probing Three Android Malware Datasets},
booktitle = {Proc.\ A-Mobile},
publisher = {ACM},
pages = {19--24},
doi = {10.1145/3243218.3243222},
year = {2018},
}
Repackman: A Tool for Automatic Repackaging of Android Apps
Aleieldin Salem, F. Franziska Paulus, and Alexander Pretschner
(TU Munich, Germany)
Repackaging is a technique adopted by attackers to generate fake, malicious versions of legitimate Android apps, which undermines users’ trust in the Android ecosystem. Unfortunately, the process of releasing and evaluating anti-repackaging techniques is hindered by the difficulty of acquiring repackaged versions of legitimate apps that employ those techniques on demand. In this paper, we present Repackman, a tool to automatically repackage Android apps with arbitrary payloads. We evaluate the feasibility and reliability of the tool and furnish it upon request for the research community to generate repackaged apps on demand for research purposes.
@InProceedings{A-Mobile18p25,
author = {Aleieldin Salem and F. Franziska Paulus and Alexander Pretschner},
title = {Repackman: A Tool for Automatic Repackaging of Android Apps},
booktitle = {Proc.\ A-Mobile},
publisher = {ACM},
pages = {25--28},
doi = {10.1145/3243218.3243224},
year = {2018},
}
AppSeer: Discovering Flawed Interactions among Android Components
Vincenzo Chiaramida, Francesco Pinci, Ugo Buy, and Rigel Gjomemo
(University of Illinois at Chicago, USA)
We identify several reliability issues arising from interactions between components of system-defined Android apps and components of third-party apps. These issues are generally caused by incorrect assumptions that system apps make about the behavior of third-party apps, resulting in significant vulnerabilities in system apps. For instance, it is possible for a third-party app to make many system applications crash, including the Phone app used to make and receive phone calls, the Settings app used to configure a mobile device, and several other apps that expose a so-called started service. Our findings indicate that additional automated tools for integration testing and static analysis of Android apps are in order. Here we discuss AppSeer, a toolset that automatically detects vulnerabilities of system apps and third-party apps. Preliminary precision and recall results for AppSeer are quite encouraging.
@InProceedings{A-Mobile18p29,
author = {Vincenzo Chiaramida and Francesco Pinci and Ugo Buy and Rigel Gjomemo},
title = {AppSeer: Discovering Flawed Interactions among Android Components},
booktitle = {Proc.\ A-Mobile},
publisher = {ACM},
pages = {29--34},
doi = {10.1145/3243218.3243225},
year = {2018},
}