{"title":"Vulnerability Propagation in Package Managers Used in iOS Development","authors":"Kristiina Rahkema, Dietmar Pfahl","doi":"10.1109/MOBILSoft59058.2023.00015","DOIUrl":"https://doi.org/10.1109/MOBILSoft59058.2023.00015","url":null,"abstract":"Although using third-party libraries is common practice when writing software, vulnerabilities may be found even in well-known libraries. Detected vulnerabilities are often fixed quickly in the library code. The easiest way to include these fixes in a dependent software application, is to update the used library version. Package managers provide automated solutions for updating library dependencies, which make this process relatively easy. However, library dependencies can have dependencies to other libraries resulting in a dependency network with several levels of indirections. Assessing vulnerability risks induced by dependency networks is a non-trivial task for software developers. The library dependency network in the Swift ecosystem encompasses libraries from CocoaPods, Carthage and Swift Package Manager. These three package managers are used while developing, for example, iOS or Mac OS applications in Swift or Objective-C. We analysed how vulnerabilities propagate in the library dependency network of the Swift ecosystem, how vulnerable dependencies could be fixed via dependency upgrades, and if third party vulnerability analysis could be made more precise given public information on these vulnerabilities. We found that only 5.9% of connected libraries had a direct or transitive dependency to a vulnerable library. Although we found that most libraries with publicly reported vulnerabilities are written in C, the highest impact of publicly reported vulnerabilities originated from libraries written in native iOS languages, i.e., Objective-C and Swift. We found that around 30% of vulnerable dependencies could have been fixed via upgrading the library dependency. In case of critical vulnerabilities and latest library versions, over 70% of vulnerable dependencies would have been fixed via a dependency upgrade. Lastly, we checked whether the analysis of vulnerable dependency use could be refined using publicly available information on the code location (method or class) of a reported vulnerability. We found that such information is not available most of the time.","PeriodicalId":311618,"journal":{"name":"2023 IEEE/ACM 10th International Conference on Mobile Software Engineering and Systems (MOBILESoft)","volume":"28 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2023-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124579365","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"FirmwareDroid: Towards Automated Static Analysis of Pre-Installed Android Apps","authors":"Thomas Sutter, B. Tellenbach","doi":"10.1109/MOBILSoft59058.2023.00009","DOIUrl":"https://doi.org/10.1109/MOBILSoft59058.2023.00009","url":null,"abstract":"Supply chain attacks are an evolving threat to the IoT and mobile landscape. Recent malware findings have shown that even sizeable mobile phone vendors cannot defend their operating systems fully against pre-installed malware. Detecting and mitigating malware and software vulnerabilities on Android firmware is a challenging task requiring expertise in Android internals, such as customised firmware formats. Moreover, as users cannot choose what software is pre-installed on their devices, there is a fundamental lack of transparency and control. To make Android firmware analysis more accessible and regain some transparency, we present FirmwareDroid, a novel open-source security framework for Android firmware analysis that automates the extraction and analysis of pre-installed software. FirmwareDroid streamlines the process of software extraction from Android firmware for static security and privacy assessments. With FirmwareDroid, we lay the groundwork for researchers to automate the security assessment of Android firmware at scale, and we demonstrated the capabilities of FirmwareDroid by analysing 5,728 Android firmware samples from various vendors. We analysed 75,141 unique pre-installed Android applications to study how common advertising tracker libraries (a piece of software that collects user usage data) are used and which permissions pre-installed Android apps inherit. We conclude that 20.53% of all apps in our dataset include advertising trackers and that 88.14% of all used permissions are signature-based.","PeriodicalId":311618,"journal":{"name":"2023 IEEE/ACM 10th International Conference on Mobile Software Engineering and Systems (MOBILESoft)","volume":"25 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2023-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133930180","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Understanding the Impact of Fingerprinting in Android Hybrid Apps","authors":"A. Tiwari, Jyoti Prakash, Alimerdan Rahimov, Christian Hammer","doi":"10.1109/MOBILSoft59058.2023.00011","DOIUrl":"https://doi.org/10.1109/MOBILSoft59058.2023.00011","url":null,"abstract":"Numerous studies demonstrate that browser fingerprinting is detrimental to users’ security and privacy. However, little is known about the effects of browser fingerprinting on Android hybrid apps – where a stripped-down Chromium browser is integrated into an app. These apps expand the attack surface by permitting two-way communication between native apps and the web. This paper studies the impact of browser fingerprinting on these embedded browsers. To this end, we instrument the Android framework to record and extract information leveraged for fingerprinting. We study over 60,000 apps, including the most popular apps from the Google play store. We exemplify security flaws and severe information leaks in popular apps like Instagram. Our study reveals that fingerprints in hybrid apps potentially contain account-specific and device-specific information that identifies users across multiple devices uniquely. Besides, our results show that the hybrid app browser does not always adhere to standard browser-specific privacy policies.","PeriodicalId":311618,"journal":{"name":"2023 IEEE/ACM 10th International Conference on Mobile Software Engineering and Systems (MOBILESoft)","volume":"84 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2023-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128618137","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Sensitive and Personal Data: What Exactly Are You Talking About?","authors":"Maria Kober, Jordan Samhi, Steven Arzt, Tegawendé F. Bissyandé, Jacques Klein","doi":"10.1109/MOBILSoft59058.2023.00016","DOIUrl":"https://doi.org/10.1109/MOBILSoft59058.2023.00016","url":null,"abstract":"Mobile devices are pervasively used for a variety of tasks, including the processing of sensitive data in mobile apps. While in most cases access to this data is legitimate, malware often targets sensitive data and even benign apps collect more data than necessary for their task. Therefore, researchers have proposed several frameworks to detect and track the use of sensitive data in apps, so as to disclose and prevent unauthorized access and data leakage. Unfortunately, a review of the literature reveals a lack of consensus on what sensitive data is in the context of technical frameworks like Android. Authors either provide an intuitive definition or an ad-hoc definition, derive their definition from the Android permission model, or rely on previous research papers which do or do not give a definition of sensitive data. In this paper, we provide an overview of existing definitions of sensitive data in literature and legal frameworks. We further provide a sound definition of sensitive data derived from the definition of personal data of several legal frameworks. To help the scientific community further advance in this field, we publicly provide a list of sensitive sources from the Android framework, thus starting a community project leading to a complete list of sensitive API methods across different frameworks and programming languages.","PeriodicalId":311618,"journal":{"name":"2023 IEEE/ACM 10th International Conference on Mobile Software Engineering and Systems (MOBILESoft)","volume":"108 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2023-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130553301","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Native vs Web Apps: Comparing the Energy Consumption and Performance of Android Apps and their Web Counterparts","authors":"Ruben Horn, Abdellah Lahnaoui, Edgardo Reinoso, Sicheng Peng, Vadim Isakov, Tanjina Islam, I. Malavolta","doi":"10.1109/MOBILSoft59058.2023.00013","DOIUrl":"https://doi.org/10.1109/MOBILSoft59058.2023.00013","url":null,"abstract":"Context. Many Internet content platforms, such as Spotify and YouTube, provide their services via both native and Web apps. Even though those apps provide similar features to the end user, using their native version or Web counterpart might lead to different levels of energy consumption and performance. Goal. The goal of this study is to empirically assess the energy consumption and performance of native and Web apps in the context of Internet content platforms on Android. Method. We select 10 Internet content platforms across 5 categories. Then, we measure them based on the energy consumption, network traffic volume, CPU load, memory load, and frame time of their native and Web versions; then, we statistically analyze the collected measures and report our results. Results. We confirm that native apps consume significantly less energy than their Web counterparts, with large effect size. Web apps use more CPU and memory, with statistically significant difference and large effect size. Therefore, we conclude that native apps tend to require fewer hardware resources than their corresponding Web versions. The network traffic volume exhibits statistically significant difference in favour of native apps, with small effect size. Our results do not allow us to draw any conclusion in terms of frame time. Conclusions. Based on our results, we advise users to access Internet contents using native apps over Web apps, when possible. Also, the results of this study motivate further research on the optimization of the usage of runtime resources of mobile Web apps and Android browsers.","PeriodicalId":311618,"journal":{"name":"2023 IEEE/ACM 10th International Conference on Mobile Software Engineering and Systems (MOBILESoft)","volume":"52 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2023-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123134180","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Reducing the Impact of Breaking Changes to Web Service Clients During Web API Evolution","authors":"Paul Schmiedmayer, Andreas Bauer, B. Brügge","doi":"10.1109/MOBILSoft59058.2023.00008","DOIUrl":"https://doi.org/10.1109/MOBILSoft59058.2023.00008","url":null,"abstract":"Web services are self-contained distributed services enabled by web service application programming interfaces (APIs) using numerous protocol and middleware types. Web service API evolution encompasses changes to a web API made during the lifetime of a web service. Web clients, such as mobile applications, must continuously and manually adapt to breaking changes in the web API offered by web services. This paper presents an automated process for the adaptation based on web service API type-independent evolution patterns. These patterns enable the classification and resolution of web API changes in the context of continuously changing web API standards, protocols, and middleware types. Migration guides enable the generation of stable client libraries that replace the traditionally performed manual client-specific migrations. The process is instantiated using Apodini Migrators, generating Swift-based client libraries for web clients. We demonstrate how migration guides can be automatically generated using OpenAPI specifications or based on web services developed using the Apodini framework. We build two Migrators using a resource-based and a remote procedure call-based web API type. We validated the applicability of these Migrators to 13 web service version increments featuring a total of 3896 changes. The process correctly identified 86.1% of the changes, including 1132 breaking changes. The breaking changes included 424 unsolvable changes that required manual migration guide improvements by the web service developers at predefined extension points.","PeriodicalId":311618,"journal":{"name":"2023 IEEE/ACM 10th International Conference on Mobile Software Engineering and Systems (MOBILESoft)","volume":"50 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2023-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130017655","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Analysis of Library Dependency Networks of Package Managers Used in iOS Development","authors":"Kristiina Rahkema, Dietmar Pfahl, R. Ramler","doi":"10.1109/MOBILSoft59058.2023.00010","DOIUrl":"https://doi.org/10.1109/MOBILSoft59058.2023.00010","url":null,"abstract":"Reusing existing solutions in the form of third-party libraries is common practice when writing software. Package managers are used to manage dependencies to third-party libraries by automating the process of installing and updating the libraries. Library dependencies themselves can have dependencies to other libraries creating a dependency network with several levels of indirections. The library dependency network in the Swift ecosystem encompasses libraries from CocoaPods, Carthage and Swift Package Manager (PM). These package managers are used when developing, for example, iOS or Mac OS applications in Swift and Objective-C. We provide the first analysis of the library dependency network evolution in the Swift ecosystem. Although CocoaPods is the package manager with the biggest set of libraries, the difference to other package managers is not as big as expected. The youngest package manager and official package manager for Swift, Swift PM, is becoming more and more popular, resulting in a gradual slow-down of the growth of the other two package managers. When analyzing direct and transitive dependencies, we found that the mean total number of dependencies is lower in the Swift ecosystem compared to many other ecosystems. Still, the total number of dependencies shows a clear growing trend over the last five years.","PeriodicalId":311618,"journal":{"name":"2023 IEEE/ACM 10th International Conference on Mobile Software Engineering and Systems (MOBILESoft)","volume":"84 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2023-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131238681","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"On Security and Energy Efficiency in Android Smartphones","authors":"João Ferreira, Bernardo Santos, Wellington Oliveira, Nuno Antunes, Bruno Cabral, J. P. Fernandes","doi":"10.1109/MOBILSoft59058.2023.00018","DOIUrl":"https://doi.org/10.1109/MOBILSoft59058.2023.00018","url":null,"abstract":"Smartphones are so immersed in our everyday lives that it is hard to imagine our routines without them. For most of us, they have already replaced alarm clocks, calculators, organizers, maps, and countless other things. As such, running out of battery charge means losing all of these functionalities, not just the inability to communicate using calls or messages, which can already be critical. The widespread usage of mobile devices is accompanied by a growing number of cybercriminals exploring scams for (illicit) benefits. Indeed, the more data flowing through mobile devices and apps, the greater the possibility of exploring threats and attacks. Users are then concerned about unintended access to critical data such as sensitive stored information, bank accounts, passwords, social media accounts, or private files. Although documented strategies exist to mitigate security risks, implementing the corresponding security mechanisms may impose an overhead on energy consumption, which in practice, affects the device’s battery charge. In this paper, we analyse the impact of security mechanisms on energy consumption in the context of Android mobile devices. We investigate the energy consumption of operations such as copying files and logging in with and without encrypting the credentials. Our results quantify the energy overhead of certain security mechanisms and confirm that there is a statistically significant increase in energy consumption when security standards, e.g., data encryption, are adopted. This work highlights the need for understanding the trade-offs between energy consumption and security in mobile devices and serves as a reference for mobile application developers to consider energy efficiency when implementing security measures.","PeriodicalId":311618,"journal":{"name":"2023 IEEE/ACM 10th International Conference on Mobile Software Engineering and Systems (MOBILESoft)","volume":"42 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2023-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132181414","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Ebserver: Automating Resource-Usage Data Collection of Android Applications","authors":"Wellington Oliveira, Bernardo Moraes, F. C. Filho, J. P. Fernandes","doi":"10.1109/MOBILSoft59058.2023.00014","DOIUrl":"https://doi.org/10.1109/MOBILSoft59058.2023.00014","url":null,"abstract":"Mobile applications are a typical component of people’s routines. Because of that, there is fierce competition for mobile users’ attention, creating pressure for mobile developers to optimize their applications in a number of ways, such as making them faster, reducing their energy consumption, or their memory usage. To understand their application resource usage, developers need to execute their app, collect data from that execution and analyze how it behaves. Researchers must also go through this process when evaluating optimizations and techniques to reduce resource usage. This error-prone experimentation process can take hours of repetitive work if done manually. In this paper, we present EBSERVER, a general-purpose measurement automation tool to collect Android device data during application executions. EBSERVER is simple to configure and extend, requiring very little instrumentation code to use. It enables users to collect execution metrics on a per-process basis from an application execution automatically. Examples of such metrics include energy consumption, CPU usage, execution time, and memory usage. EBSERVER makes it possible for applications to run multiple times in an automated manner, eliminates the need to predict the time that applications or benchmarks will run in an experiment, and is compatible with contemporary Android UI testing tools. EBSERVER has been employed in multiple experiments, including experiments that do not have involvement of its authors.","PeriodicalId":311618,"journal":{"name":"2023 IEEE/ACM 10th International Conference on Mobile Software Engineering and Systems (MOBILESoft)","volume":"4 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2023-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134410278","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Issue-Labeler: an ALBERT-based Jira Plugin for Issue Classification","authors":"Waleed Alhindi, Abdulrahman Aleid, Ilyes Jenhani, Mohamed Wiem Mkaouer","doi":"10.1109/mobilsoft59058.2023.00012","DOIUrl":"https://doi.org/10.1109/mobilsoft59058.2023.00012","url":null,"abstract":"Issue labels are key drivers in software maintenance as they dictate the prioritization, organization, and ultimately the resolution of encountered issues. Consequently, mislabeling issues result in inefficient prioritization, which compromises the resolution process of these issues. Thus, to increase the accuracy and effectiveness of issue labeling in software maintenance, this paper proposes \"Issue-Labeler\": an automated issue labeler plugin for Jira, which utilizes a deep neural language model to predict an issue’s type based on its title and description. Specifically, the plugin would classify an issue into three types: BUG, IMPROVEMENT, and NEW FEATURE. The issue-labeler plugin was implemented by fine-tuning Google’s pre-trained ALBERT language model, using 35,889 labeled issue reports extracted from 77 projects. The plugin showed an average F1-score of 0.75, 0.58, and 0.67, respectively, for the BUG, IMPROVEMENT, and NEW FEATURE issues. The plugin will provide developers with a tool that recommends issue labels to, in turn, optimize the process of tagging and resolving these issues. Video of tool setup and runtime is available: https://voutu.be/mi2FwaXNrR4. Tool Webpage: https://issue-labeler.github.io/issue-labeler-site/. Replication package: https://github.com/issue-labeler/.","PeriodicalId":311618,"journal":{"name":"2023 IEEE/ACM 10th International Conference on Mobile Software Engineering and Systems (MOBILESoft)","volume":"199 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2023-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116411114","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}