TextExerciser: Feedback-driven Text Input Exercising for Android Applications

2020 IEEE Symposium on Security and Privacy (SP) Pub Date : 2020-05-01 DOI:10.1109/SP40000.2020.00071

Yuyu He, Lei Zhang, Zhemin Yang, Yinzhi Cao, Keke Lian, Shuai Li, Wei Yang, Zhibo Zhang, Min Yang, Yuan Zhang, Haixin Duan

{"title":"TextExerciser: Feedback-driven Text Input Exercising for Android Applications","authors":"Yuyu He, Lei Zhang, Zhemin Yang, Yinzhi Cao, Keke Lian, Shuai Li, Wei Yang, Zhibo Zhang, Min Yang, Yuan Zhang, Haixin Duan","doi":"10.1109/SP40000.2020.00071","DOIUrl":null,"url":null,"abstract":"Dynamic analysis of Android apps is often used together with an exerciser to increase its code coverage. One big obstacle in designing such Android app exercisers comes from the existence of text-based inputs, which are often constrained by the nature of the input field, such as the length and character restrictions.In this paper, we propose TextExerciser, an iterative, feedback-driven text input exerciser, which generates text inputs for Android apps. Our key insight is that Android apps often provide feedback, called hints, for malformed inputs so that our system can utilize such hints to improve the input generation.We implemented a prototype of TextExerciser and evaluated it by comparing TextExerciser with state-of-the-art exercisers, such as The Monkey and DroidBot. Our evaluation shows that TextExerciser can achieve significantly higher code coverage and trigger more sensitive behaviors than these tools. We also combine TextExerciser with dynamic analysis tools and show they are able to detect more privacy leaks and vulnerabilities with TextExerciser than with existing exercisers. Particularly, existing tools, under the help of TextExerciser, find several new vulnerabilities, such as one user credential leak in a popular social app with more than 10,000,000 downloads.","PeriodicalId":6849,"journal":{"name":"2020 IEEE Symposium on Security and Privacy (SP)","volume":"15 1","pages":"1071-1087"},"PeriodicalIF":0.0000,"publicationDate":"2020-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"18","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2020 IEEE Symposium on Security and Privacy (SP)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP40000.2020.00071","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 18

Abstract

Dynamic analysis of Android apps is often used together with an exerciser to increase its code coverage. One big obstacle in designing such Android app exercisers comes from the existence of text-based inputs, which are often constrained by the nature of the input field, such as the length and character restrictions.In this paper, we propose TextExerciser, an iterative, feedback-driven text input exerciser, which generates text inputs for Android apps. Our key insight is that Android apps often provide feedback, called hints, for malformed inputs so that our system can utilize such hints to improve the input generation.We implemented a prototype of TextExerciser and evaluated it by comparing TextExerciser with state-of-the-art exercisers, such as The Monkey and DroidBot. Our evaluation shows that TextExerciser can achieve significantly higher code coverage and trigger more sensitive behaviors than these tools. We also combine TextExerciser with dynamic analysis tools and show they are able to detect more privacy leaks and vulnerabilities with TextExerciser than with existing exercisers. Particularly, existing tools, under the help of TextExerciser, find several new vulnerabilities, such as one user credential leak in a popular social app with more than 10,000,000 downloads.

查看原文本刊更多论文

TextExerciser: Android应用程序的反馈驱动文本输入练习

Android应用程序的动态分析通常与练习器一起使用，以增加其代码覆盖率。设计此类Android应用程序的一大障碍来自于基于文本的输入，这通常受到输入字段的性质的限制，例如长度和字符限制。在本文中，我们提出了TextExerciser，这是一个迭代的，反馈驱动的文本输入练习器，它为Android应用程序生成文本输入。我们的关键见解是，Android应用程序经常提供反馈，称为提示，对于畸形的输入，所以我们的系统可以利用这些提示来改进输入生成。我们实现了TextExerciser的原型，并通过将TextExerciser与最先进的锻炼器(如The Monkey和DroidBot)进行比较来评估它。我们的评估表明，与这些工具相比，TextExerciser可以实现更高的代码覆盖率，并触发更敏感的行为。我们还将TextExerciser与动态分析工具结合起来，并表明与现有的练习者相比，TextExerciser能够检测到更多的隐私泄露和漏洞。特别是，现有的工具，在TextExerciser的帮助下，发现了几个新的漏洞，比如在一个下载量超过1000万的流行社交应用程序中，一个用户凭证泄露。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2020 IEEE Symposium on Security and Privacy (SP)

自引率

0.00%

发文量