An automated testing approach for inter-application security in Android

Recently, Google Android has occupied a major market share of mobile phone systems as a result of its openness for developers and richness for users. By the distribution channels of the Android market, both development and use of Android applications soar. However, the low development threshold of applications leads to weak security awareness of developers. Moreover, Android applications lack strict security standards, resulting that security crisis has become increasingly prominent. For now, an application's biggest security threat falls on its messaging mechanism between components. Once permission’s verification is neglected, it is easy to be exploited by attackers, causing immeasurable loss. We analyze the security mechanism of Android inter-application components, and accordingly construct the security rules. Specifically, a compositional approach including static and dynamic automated testing techniques is proposed to detect the security vulnerabilities caused by messaging between components. In our approach, the static part obtains rough results and some parameter information. After that, the dynamic part automatically generates attack cases for verifying these results. This approach can be used not only to discover potential weaknesses within inter-application components but also to automatically simulate attack behaviors. Thereby, the detection results’ effectiveness can be verified.