一种自动化的Android应用定向行为测试方法

doi:10.7523/j.issn.2095-6134.2018.03.016

中国科学院大学学报 ›› 2018, Vol. 35 ›› Issue (3): 409-416.DOI: 10.7523/j.issn.2095-6134.2018.03.016

一种自动化的Android应用定向行为测试方法

叶延玲^1,2, 傅晓彤¹, 张玉清², 乐洪舟²

1 西安电子科技大学网络与信息安全学院, 西安 710071;
2 中国科学院大学国家计算机网络入侵防范中心, 北京 101408

收稿日期:2017-01-13 修回日期:2017-04-21 发布日期:2018-05-15
通讯作者: 叶延玲
基金资助:
国家重点研发计划（2016YFB0800700）、国家自然科学基金（61572460，61272481）、国家发展和改革委员会国家信息安全专项（（2012）1424）和信息安全国家重点实验室开放基金（2017-ZD-01）资助

An automated and directed testing technique for target behavior of Android application

YE Yanling^1,2, FU Xiaotong¹, ZHANG Yuqing², YUE Hongzhou²

1 School of Cyber Engineering, Xidian University, Xi'an 710071, China;
2 National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences, Beijing 101408, China

Received:2017-01-13 Revised:2017-04-21 Published:2018-05-15

摘要/Abstract

摘要： Android应用特定行为的定向测试通常被用来测试应用是否存在隐私泄漏、远程控制等恶意行为。为解决已有定向测试方法存在的失败率高和耗时多等问题，提出一种以目标API调用代表程序特定行为的自动化测试方法。首先，用静态分析得出到达目标API调用位置的路径；然后在动态测试过程中，排除无关组件和控件，使应用沿路径自动运行至目标API调用的位置，触发特定行为。实验证明，本方法完成Android应用定向行为测试的效率较高。

关键词: Android, 定向测试, 目标API, 静态分析, 动态测试

Abstract: Directed testing of specific behaviors for Android applications is usually used to detect privacy leak, remote control, or other malicious behaviors. In order to solve the problems of the high failure-rate and large time-consuming of the present approaches, an automated testing method that uses target API invocation to represent the application's behavior is proposed. First, the method gets the invocation paths to the target API by using static analysis. Then dynamic testing is adopted to exclude extraneous components and GUI elements, and the application is driven to automatically run along the specific paths to reach the target API invocations and the specific behavior is triggered. Experimental results show that the method achieves a high efficiency.

Key words: Android, directed test, target API, static analysis, dynamic testing

中图分类号:

TP393

叶延玲, 傅晓彤, 张玉清, 乐洪舟. 一种自动化的Android应用定向行为测试方法[J]. 中国科学院大学学报, 2018, 35(3): 409-416.

YE Yanling, FU Xiaotong, ZHANG Yuqing, YUE Hongzhou. An automated and directed testing technique for target behavior of Android application[J]. , 2018, 35(3): 409-416.

参考文献

[1] 吴敬征,武延军,武志飞,等. 基于有向信息流的Android隐私泄露类恶意应用检测方法[J]. 中国科学院大学学报, 2015, 32(6):807-815.
[2] Wong M Y, Lie D. IntelliDroid:a targeted input generator for the dynamic analysis of Android malware[C]//Proceedings of the Annual Symposium on Network and Distributed System Security (NDSS), 2016:21-24.
[3] Bhoraskar R, Han S, Jeon J, et al. Brahmastra:driving apps to test the security of third-party components[C]//The Usenix Security Symposium, 2014:1021-1036.
[4] Zheng C, Zhu S, Dai S, et al. Smartdroid:an automatic system for revealing ui-based trigger conditions in android Applications[C]//Proceedings of the Second ACM Workshop on Security and Privacy in Smartphones and Mobile Devices. ACM, 2012:93-104.
[5] Android Developers. UI/Application exerciser monkey[EB/OL]. (2016-09-20)[2017-01-12]. https://developer.android.com/studio/test/monkey.html.
[6] Hao S, Liu B, Nath S, et al. PUMA:programmable UI-automation for large-scale dynamic analysis of mobile Apps[C]//Proceedings of the 12th Annual International Conference on Mobile Systems, Applications, and Services. ACM, 2014:204-217.
[7] Android Developers. Monkeyrunner[EB/OL]. (2016-09-20)[2017-01-12]. https://developer.android.com/studio/test/monkeyrunner/index.html.
[8] Google Code. Robotium[EB/OL]. (2017-01-11)[2017-01-12]. https://robotium.com/.
[9] Android Developers. Uiautomator[EB/OL]. (2016-05-14)[2017-01-12]. http://developer.android.com/tools/help/uiautomator/.
[10] Azim T, Neamtiu I. Targeted and depth-first exploration for systematic testing of android Apps[J]//ACM SIGPLAN Notices, 2013, 48(10):641-660.
[11] Rastogi V, Chen Y, Enck W. AppsPlayground:automatic security analysis of smartphone applications[C]//Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy. ACM, 2013:209-220.
[12] Mao K, Harman M, Jia Y. Sapienz:multi-objective automated testing for android applications[C]//Proceedings of the 25th International Symposium on Software Testing and Analysis. ACM, 2016:94-105.
[13] Memon A, Banerjee I, Nagarajan A. GUI ripping:reverse engineering of graphical user interfaces for testing[C]//Reverse Engineering, 2003. Wcre 2003. Proceedings. Working Conference on. IEEE, 2003:260-269.
[14] Dutia S N, Oh T H, Oh Y H. Developing automated input generator for android mobile device to evaluate malware behavior[C]//Proceedings of the 4th Annual ACM Conference on Research in Information Technology. ACM, 2015:43.
[15] Amalfitano D, Fasolino A R, Tramontana P. A gui crawling-based technique for android mobile application testing[C]//2011 IEEE Fourth International Conference on Software Testing, Verification and Validation Workshops (ICSTW). IEEE, 2011:252-261.
[16] 赵耀宗, 程绍银, 蒋凡. Android应用程序GUI遍历的自动化方法[J]. 计算机系统应用, 2015, 24(9):219-224.
[17] Ma X, Wang N, Xie P, et al. An automated testing platform for mobile applications[C]//2016 IEEE International Conference on Software Quality, Reliability and Security Companion (QRS-C). IEEE, 2016:159-162.
[18] Wen H L, Lin C H, Hsieh T H, et al. PATS:a parallel GUI testing framework for android applications[C]//Computer Software and Applications Conference (COMPSAC), 2015 IEEE 39th Annual. IEEE, 2015, 2:210-215.
[19] Amalfitano D, Fasolino A R, Tramontana P, et al. MobiGUITAR:automated model-based testing of mobile apps[J]. IEEE Software, 2015, 32(5):53-59.
[20] Machiry A, Tahiliani R, Naik M. Dynodroid:an input generation system for android apps[C]//Proceedings of the 20139th Joint Meeting on Foundations of Software Engineering. ACM, 2013:224-234.
[21] Bartel A, Klein J,Le Traon Y, et al. Dexpler:converting android dalvik bytecode to jimple for static analysis with soot[C]//Proceedings of the ACM SIGPLAN International Workshop on State of the Art in Java Program analysis. ACM, 2012:27-38.
[22] Arzt S, Rasthofer S, Fritz C, et al. Flowdroid:precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps[J]. ACM SIGPLAN Notices, 2014, 49(6):259-269.
[23] 孔德光, 郑烇, 帅建梅, 等. 基于污点分析的源代码脆弱性检测技术[J]. 小型微型计算机系统, 2009, 30(1):78-82.
[24] Reps T, Horwitz S, Sagiv M. Precise interprocedural dataflow analysis via graph reachability[C]//Proceedings of the 22nd ACM SIGPLAN-SIGACT symposium on Principles of programming languages. ACM, 1995:49-61.
[25] Android Developers. Android debug bridge[EB/OL]. (2017-01-11)[2017-01-12]. https://developer.android.com/studio/command-line/adb.html?hl=zh-cn.
[26] Android Developers. Requesting permissions.[EB/OL]. (2016-12-21)[2017-01-12]. https://developer.android.com/guide/topics/permissions/requesting.html.

一种自动化的Android应用定向行为测试方法

An automated and directed testing technique for target behavior of Android application

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 9

编辑推荐

Metrics

本文评价

访问统计

联系我们

[1]	吴敬征, 武延军, 武志飞, 杨牧天, 罗天悦, 王永吉. 基于有向信息流的Android隐私泄露类恶意应用检测方法[J]. 中国科学院大学学报, 2015, 32(6): 807-815.
[2]	吴敬征, 武延军, 罗天悦, 武志飞, 杨牧天, 王永吉. 一种基于权限控制机制的Android系统隐蔽信道限制方法[J]. 中国科学院大学学报, 2015, 32(5): 667-675.
[3]	王学强, 雷灵光, 王跃武. 一种易部署的Android APP动态行为监控方法[J]. 中国科学院大学学报, 2015, 32(5): 689-694.
[4]	张明庆, 张灿, 陈德元, 张克楠. 一种基于Android系统的短信息移动分级安全方法[J]. 中国科学院大学学报, 2015, 32(2): 281-287.
[5]	方喆君, 刘奇旭, 张玉清. Android应用软件功能泄露漏洞挖掘工具的设计与实现[J]. 中国科学院大学学报, 2015, 32(1): 127-135.
[6]	王凯, 刘奇旭, 张玉清. 基于Fuzzing的Android应用通信过程漏洞挖掘技术[J]. 中国科学院大学学报, 2014, 31(6): 827-835.
[7]	李昭, 王跃武, 雷灵光, 张中文. 基于动态密钥的Android短信加密方案[J]. 中国科学院大学学报, 2013, 30(2): 272-277.
[8]	王嘉捷, 蒋凡, 张涛. 一种多重循环程序内存访问越界检测方法[J]. 中国科学院大学学报, 2010, 27(1): 117-126.
[9]	王祥根, 司端锋, 冯登国, 苏璞睿. 一种基于自修改代码技术的软件保护方法[J]. 中国科学院大学学报, 2009, 26(5): 688-694.