A GUI-based Metamorphic Testing Technique for Detecting Authentication Vulnerabilities in Android Mobile Apps

IF 3.7 2区计算机科学 Q1 COMPUTER SCIENCE, SOFTWARE ENGINEERING

Journal of Systems and Software Pub Date : 2025-02-07 DOI:10.1016/j.jss.2025.112364

Domenico Amalfitano , Misael Júnior , Anna Rita Fasolino , Marcio Delamaro

{"title":"A GUI-based Metamorphic Testing Technique for Detecting Authentication Vulnerabilities in Android Mobile Apps","authors":"Domenico Amalfitano , Misael Júnior , Anna Rita Fasolino , Marcio Delamaro","doi":"10.1016/j.jss.2025.112364","DOIUrl":null,"url":null,"abstract":"<div><h3>Context:</h3><div>The increasing use of mobile apps in daily life involves managing and sharing sensitive user information.</div></div><div><h3>Problem:</h3><div>New vulnerabilities are frequently reported in bug tracking systems, highlighting the need for effective security testing processes for these applications.</div></div><div><h3>Proposal:</h3><div>This study introduces a GUI-based Metamorphic Testing technique designed to detect five common real-world vulnerabilities related to username and password authentication methods in Android applications, as identified by OWASP.</div></div><div><h3>Methods:</h3><div>We developed five Metamorphic Relationships to test for these vulnerabilities and implemented a Metamorphic Vulnerability Testing Environment to automate the technique. This environment facilitates the generation of <em>Source test case</em> and the automatic creation and execution of <em>Follow-up test case</em>.</div></div><div><h3>Results:</h3><div>The technique was applied to 163 real-world Android applications, uncovering 159 vulnerabilities. Out of these, 108 apps exhibited at least one vulnerability. The vulnerabilities were validated through expert analysis conducted by three security professionals, who confirmed the issues by interacting directly with the app’s graphical user interfaces (GUIs). Additionally, to assess the practical relevance of our approach, we engaged with 37 companies whose applications were identified as vulnerable. Nine companies confirmed the vulnerabilities, and 26 updated their apps to address the reported issues. Our findings also indicate a weak inverse correlation between user-perceived quality and vulnerabilities; even highly rated apps can harbor significant security flaws.</div></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":"224 ","pages":"Article 112364"},"PeriodicalIF":3.7000,"publicationDate":"2025-02-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Systems and Software","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0164121225000329","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, SOFTWARE ENGINEERING","Score":null,"Total":0}

引用次数: 0

Abstract

Context:

The increasing use of mobile apps in daily life involves managing and sharing sensitive user information.

Problem:

New vulnerabilities are frequently reported in bug tracking systems, highlighting the need for effective security testing processes for these applications.

Proposal:

This study introduces a GUI-based Metamorphic Testing technique designed to detect five common real-world vulnerabilities related to username and password authentication methods in Android applications, as identified by OWASP.

Methods:

We developed five Metamorphic Relationships to test for these vulnerabilities and implemented a Metamorphic Vulnerability Testing Environment to automate the technique. This environment facilitates the generation of Source test case and the automatic creation and execution of Follow-up test case.

Results:

The technique was applied to 163 real-world Android applications, uncovering 159 vulnerabilities. Out of these, 108 apps exhibited at least one vulnerability. The vulnerabilities were validated through expert analysis conducted by three security professionals, who confirmed the issues by interacting directly with the app’s graphical user interfaces (GUIs). Additionally, to assess the practical relevance of our approach, we engaged with 37 companies whose applications were identified as vulnerable. Nine companies confirmed the vulnerabilities, and 26 updated their apps to address the reported issues. Our findings also indicate a weak inverse correlation between user-perceived quality and vulnerabilities; even highly rated apps can harbor significant security flaws.

查看原文本刊更多论文

基于gui的Android移动应用认证漏洞检测变形测试技术

背景：在日常生活中越来越多地使用移动应用程序涉及管理和共享敏感的用户信息。问题：在bug跟踪系统中经常报告新的漏洞，突出表明需要对这些应用程序进行有效的安全测试过程。提案：本研究介绍了一种基于gui的Metamorphic Testing技术，旨在检测Android应用中用户名和密码认证方法相关的五个常见现实世界漏洞，这些漏洞由OWASP识别。方法：我们开发了五个变形关系来测试这些漏洞，并实现了一个变形漏洞测试环境来自动化该技术。这种环境有利于源测试用例的生成以及后续测试用例的自动创建和执行。结果：该技术被应用于163个真实Android应用程序，发现159个漏洞。其中，108个应用程序至少存在一个漏洞。这些漏洞是由三名安全专家进行的专家分析验证的，他们通过直接与应用程序的图形用户界面（gui）交互来确认问题。此外，为了评估我们方法的实际相关性，我们与37家应用程序被确定为易受攻击的公司进行了合作。9家公司确认存在漏洞，26家公司更新了他们的应用程序来解决报告的问题。我们的研究结果还表明，用户感知质量与漏洞之间存在微弱的负相关关系；即使是评价很高的应用程序也可能存在严重的安全漏洞。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Journal of Systems and Software 工程技术-计算机：理论方法

CiteScore

8.60

自引率

5.70%

发文量

193

审稿时长

16 weeks

期刊介绍： The Journal of Systems and Software publishes papers covering all aspects of software engineering and related hardware-software-systems issues. All articles should include a validation of the idea presented, e.g. through case studies, experiments, or systematic comparisons with other approaches already in practice. Topics of interest include, but are not limited to: •Methods and tools for, and empirical studies on, software requirements, design, architecture, verification and validation, maintenance and evolution •Agile, model-driven, service-oriented, open source and global software development •Approaches for mobile, multiprocessing, real-time, distributed, cloud-based, dependable and virtualized systems •Human factors and management concerns of software development •Data management and big data issues of software systems •Metrics and evaluation, data mining of software development resources •Business and economic aspects of software development processes The journal welcomes state-of-the-art surveys and reports of practical experience for all of these topics.