
A Comprehensive Evaluation of Android ICC Resolution Techniques

Published: 05 January 2023

Abstract

Inter-component communication (ICC) is a widely used mechanism in mobile apps that enables message-based control-flow transfer and data passing between Android components. Effective ICC resolution requires precisely identifying entry points, analyzing the data values of ICC fields, modeling the related framework APIs, etc. Because of the many control-flow- and data-flow-related characteristics involved, and the lack of oracles for real-world apps, comprehensively evaluating ICC resolution techniques is challenging.
To fill this gap, we collect multiple-type benchmark suites with 4,104 apps, covering hand-made, open-source, and commercial ones. Considering their differences, various evaluation metrics, e.g., number-count, graph-structure, and reliable-oracle-based metrics, are adopted on demand. As no oracle is available for real-world apps, we design a dynamic analysis approach that extracts the real ICC links triggered during GUI exploration. By auditing the code implementations, we carefully check the extracted ICCs and confirm 1,680 of them to form a reliable oracle set, in which each ICC is labeled with 25 code-characteristic tags. The evaluation performed on six state-of-the-art ICC resolution tools shows that 1) the completeness of static ICC resolution results on real-world apps is not satisfactory, as up to 38%-85% of ICCs are missed by the tools; 2) many wrongly reported ICCs are sent from or received by only a few components, and the graph-structure information can help identify them; 3) the efficiency of fundamental tools, such as ICC resolution ones, should be optimized in both engineering and research aspects. By investigating both the missed and the wrongly reported ICCs, we discuss the strengths of the different tools for users and summarize eight common FN/FP patterns in ICC resolution for tool developers.


Published In

ASE '22: Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering
October 2022, 2006 pages
ISBN: 9781450394758
DOI: 10.1145/3551349
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Android
  2. Inter-Component Communication
  3. Transition Graph

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Funding Sources

  • National Natural Science Foundation of China
  • Key Research Program of Frontier Sciences, Chinese Academy of Sciences
  • Guangdong Basic and Applied Basic Research Fund
  • National Natural Science Foundation of China
  • Guangdong Provincial Key Laboratory

Conference

ASE '22

Acceptance Rates

Overall Acceptance Rate 82 of 337 submissions, 24%
