research-article

Controlling Interactions with Libraries in Android Apps Through Runtime Enforcement

Authors:
Oliviero Riganelli

University of Milano - Bicocca, Milan, MI, Italy

University of Milano - Bicocca, Milan, MI, Italy

0000-0003-2120-2894
View Profile

,
Daniela Micucci

University of Milano - Bicocca, Milan, MI, Italy

University of Milano - Bicocca, Milan, MI, Italy
View Profile

,
Leonardo Mariani

University of Milano - Bicocca, Milan, MI, Italy

University of Milano - Bicocca, Milan, MI, Italy
View Profile

ACM Transactions on Autonomous and Adaptive Systems Volume 14 Issue 2Article No.: 8pp 1–29https://doi.org/10.1145/3368087

Published:06 December 2019Publication History

ACM Transactions on Autonomous and Adaptive Systems

Abstract

Android applications are executed on smartphones equipped with a variety of resources that must be properly accessed and controlled, otherwise the correctness of the executions and the stability of the entire environment might be negatively affected. For example, apps must properly acquire, use, and release microphones, cameras, and other multimedia devices, otherwise the behavior of the apps that use the same resources might be compromised.

Unfortunately, several apps do not use resources correctly, for instance, due to faults and inaccurate design decisions. By interacting with these apps, users may experience unexpected behaviors, which in turn may cause instability and sporadic failures, especially when resources are accessed.

In this article, we present an approach that lets users protect their environment from the apps that use resources improperly by enforcing the correct usage protocol. This is achieved by using software enforcers that can observe executions and change them when necessary. For instance, enforcers can detect that a resource has been acquired but not released and automatically perform the release operation, thus giving the possibility to use that same resource to the other apps.

The main idea is that software libraries, in particular, the ones controlling access to resources, can be augmented with enforcers that can be activated and deactivated on demand by users to protect their environment from unwanted app behaviors. We call the software libraries augmented with one or more enforcers proactive libraries, because the activation of the enforcer decorates the library with proactive behaviors that can guarantee the correctness of the execution despite the invocation of the operations implemented by the library. For example, enforcers can detect that a resource has not been released on time and proactively release it.

Our experimental results with 27 possible misuses of resources in real Android apps reveal that proactive libraries are able to effectively correct library misuses with negligible runtime overheads.

References

D. Amalfitano, A. R. Fasolino, P. Tramontana, and N. Amatucci. 2013. Considering context events in event-based testing of mobile applications. In Proceedings of the International Conference on Software Testing, Verification and Validation Workshops (ICSTW’13).Google Scholar
S. Amani, S. Nadi, H. A. Nguyen, T. N. Nguyen, and M. Mezini. 2016. MUBench: A benchmark for API-misuse detectors. In Proceedings of the International Conference on Mining Software Repositories (MSR’16).Google Scholar
Android. 2019. The Activity Lifecycle. Retrieved from https://developer.android.com/guide/components/activities/activity-lifecycle.html.Google Scholar
Android. 2019. Android API. Retrieved from https://developer.android.com/guide/index.html.Google Scholar
Android. 2019. Android Studio. Retrieved from https://developer.android.com/studio/index.html.Google Scholar
M. T. Azim, I. Neamtiu, and L. M. Marvel. 2014. Towards self-healing smartphone software via automated patching. In Proceedings of the International Conference on Automated Software Engineering (ASE’14).Google Scholar
A. Banerjee, L. Kee Chong, S. Chattopadhyay, and A. Roychoudhury. 2014. Detecting energy bugs and hotspots in mobile apps. In Proceedings of the ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE’14).Google Scholar
H. Chang, L. Mariani, and M. Pezzè. 2009. In-field healing of integration problems with COTS components. In Proceedings of the International Conference on Software Engineering (ICSE’09).Google Scholar
H. Chang, L. Mariani, and M. Pezzè. 2013. Exception handlers for healing component-based systems. ACM Trans. Software Eng. Methodol. 22, 4 (2013), 30:1--30:40.Google ScholarDigital Library
O. Cornejo, D. Briola, D. Micucci, and L. Mariani. 2017. In the field monitoring of software applications. In Proceedings of the International Conference on Software Engineering (ICSE’17).Google Scholar
Y. Dai, Y. Xiang, and G. Zhang. 2009. Self-healing and hybrid diagnosis in cloud computing. In Proceedings of the International Conference on Cloud Computing (CloudCom’09).Google Scholar
G. Denaro, M. Pezzè, and D. Tosi. 2013. Test-and-adapt: An approach for improving service interchangeability. ACM Trans. Software Eng. Methodol. 22, 4 (2013), 28:1--28:43.Google ScholarDigital Library
D. Dig, S. Negara, V. Mohindra, and R. Johnson. 2008. ReBA: Refactoring-aware binary adaptation of evolving libraries. In Proceedings of the International Conference on Software Engineering (ICSE’08).Google Scholar
M. Egele, D. Brumley, Y. Fratantonio, and C. Kruegel. 2013. An empirical study of cryptographic misuse in Android applications. In Proceedings of the ACM SIGSAC Conference on Computer 8 Communications Security (CCS’13).Google Scholar
S. Elmalaki, L. Wanner, and M. Srivastava. 2015. CAreDroid: Adaptation framework for Android context-aware applications. In Proceedings of the Annual International Conference on Mobile Computing and Networking (MobiCom’15).Google Scholar
Y. Falcone, S. Currea, and M. Jaber. 2012. Runtime verification and enforcement for Android applications with RV-Droid. In Proceedings of the International Conference on Runtime Verification (RV’12).Google Scholar
Eclipse Foundation. 2019. Acceleo. Retrieved from https://www.eclipse.org/acceleo/.Google Scholar
Eclipse Foundation. 2019. Eclipse. Retrieved from http://www.eclipse.org/.Google Scholar
Eclipse Foundation. 2019. Eclipse Modeling Framework. Retrieved from https://www.eclipse.org/modeling/emf/.Google Scholar
Eclipse Foundation. 2019. Graphical Modeling Project. Retrieved from http://www.eclipse.org/modeling/gmp/.Google Scholar
JS Foundation. 2019. Retrieved from Appium. http://appium.io.Google Scholar
L. Gazzola, D. Micucci, and L. Mariani. 2019. Automatic software repair: A survey. IEEE Trans. Software Eng. 45, 1 (2019), 34--67.Google ScholarDigital Library
M. E. Joorabchi, A. Mesbah, and P. Kruchten. 2013. Real challenges in mobile app development. In Proceedings of the International Symposium on Empirical Software Engineering and Measurement (ESEM’13).Google Scholar
S. Kelly and J.-P. Tolvanen. 2008. Domain-Specific Modeling: Enabling Full Code Generation. Wiley.Google ScholarDigital Library
H. Khalid, M. Nagappan, E. Shihab, and A. E. Hassan. 2014. Prioritizing the devices to test your app on: A case study of android game apps. In Proceedings of the Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE’14).Google Scholar
G. Kiczales, J. Lamping, A. Mendhekar, C. Maeda, C. Lopes, J. Loingtier, and J. Irwin. 1997. Aspect-oriented programming. In Proceedings of the European Conference on Object-Oriented Programming (ECOOP’97).Google Scholar
D. Kong, L. Cen, and H. Jin. 2015. AUTOREB: Automatically understanding the review-to-behavior fidelity in Android applications. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS’15).Google Scholar
D. Li and W. G. J. Halfond. 2014. An investigation into energy-saving programming practices for Android smartphone app development. In Proceedings of the International Workshop on Green and Sustainable Software (GREENS’14).Google ScholarDigital Library
L. Li, T. F. Bissyandé, D. Octeau, and J. Klein. 2016. DroidRA: Taming reflection to support whole-program analysis of Android Apps. In Proceedings of the International Symposium on Software Testing and Analysis (ISSTA’16).Google Scholar
Z. Li and Y. Zhou. 2005. PR-Miner: Automatically extracting implicit programming rules and detecting violations in large software code. In Proceedings of the European Software Engineering Conference held jointly with the ACM SIGSOFT International Symposium on Foundations of Software Engineering (ESEC/FSE’05).Google Scholar
J. Ligatti, L. Bauer, and D. Walker. 2005. Edit automata: Enforcement mechanisms for run-time security policies. Int. J. Info. Secur. 4, 1 (2005), 2--16.Google Scholar
M. Linares-Vásquez, G. Bavota, C. Bernal-Cárdenas, M. Di Penta, R. Oliveto, and D. Poshyvanyk. 2013. API change and fault proneness: A threat to the success of android apps. In Proceedings of the Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE’13).Google Scholar
M. Linares-Vásquez, G. Bavota, C. Bernal-Cárdenas, M. Di Penta, R. Oliveto, and D. Poshyvanyk. 2013. API change and fault proneness: A threat to the success of Android apps. In Proceedings of the Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE’13).Google Scholar
J. Liu, T. Wu, J. Yan, and J. Zhang. 2016. Fixing resource leaks in Android apps with light-weight static analysis and low-overhead instrumentation. In Proceedings of the International Symposium on Software Reliability Engineering (ISSRE’16).Google Scholar
J. P. Magalhães and L. M. Silva. 2015. SHÕWA: A self-healing framework for web-based applications. ACM Trans. Auton. Adapt. Syst. 10, 1 (2015), 4:1--4:28.Google ScholarDigital Library
F. Mancinelli and P. Inverardi. 2006. A resource model for adaptable applications. In Proceedings of the International Workshop on Self-adaptation and Self-managing Systems (SEAMS’06).Google Scholar
L. Mariani, F. Pastore, and M. Pezzè. 2011. Dynamic analysis for diagnosing integration faults. IEEE Trans. Software Eng. 37, 4 (2011), 486--508.Google ScholarDigital Library
T. McDonnell, B. Ray, and M. Kim. 2013. An empirical study of API stability and adoption in the android ecosystem. In Proceedings of the International Conference on Software Maintenance (ICSM’13).Google Scholar
H. Muccini, A. Di Francesco, and P. Esposito. 2012. Software testing of mobile applications: Challenges and future research directions. In Proceedings of the International Workshop on Automation of Software Test (AST’12).Google Scholar
C. Mulliner, J. Oberheide, W. Robertson, and E. Kirda. 2013. PatchDroid: Scalable third-party security patches for Android devices. In Proceedings of the Annual Computer Security Applications Conference (ACSAC’13).Google Scholar
R. Neisse, G. Steri, D. Geneiatakis, and I. N. Fovino. 2016. A privacy enforcing framework for android applications. Comput. Secur. 62 (2016), 257--277.Google ScholarCross Ref
OMG. 2012. Object Constraint Language. Retrieved from https://modeling-languages.com/ocl-tutorial/.Google Scholar
O. Riganelli, D. Micucci, and L. Mariani. 2016. Healing data loss problems in Android apps. In Proceedings of the International Workshop on Software Faults (IWSF’16), co-located with the International Symposium on Software Reliability Engineering (ISSRE’16).Google Scholar
O. Riganelli, D. Micucci, and L. Mariani. 2017. Policy enforcement with proactive libraries. In Proceedings of the International Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS’17).Google Scholar
O. Riganelli, D. Micucci, and L. Mariani. 2018. Increasing the reusability of enforcers with lifecycle events. In Proceedings of the International Symposium on Leveraging Applications of Formal Methods, Verification and Validation (ISOLA’18).Google Scholar
O. Riganelli, D. Micucci, and L. Mariani. 2019. From source code to test cases: A comprehensive benchmark for resource leak detection in android apps. Software: Pract. Exper. 49, 3 (2019), 540--548.Google Scholar
O. Riganelli, D. Micucci, L. Mariani, and Y. Falcone. 2017. Verifying policy enforcers. In Proceedings of the International Conference on Runtime Verification (RV’17).Google Scholar
O. Riganelli, M. Mobilio, D. Micucci, and L. Mariani. 2019. A benchmark of data loss bugs for android apps. In Proceedings of the International Conference on Mining Software Repositories (MSR’19).Google Scholar
R. Rouvoy, M. Beauvois, L. Lozano, J. Lorenzo, and F. Eliassen. 2008. MUSIC: An autonomous platform supporting self-adaptive mobile applications. In Proceedings of the Workshop on Mobile Middleware: Embracing the Personal Communication Device (MobMid’08).Google Scholar
Ronny Seiger, Steffen Huber, and Thomas Schlegel. 2018. Toward an execution system for self-healing workflows in cyber-physical systems. Software Syst. Model. 17, 2 (2018), 551--572.Google Scholar
Z. Shan, T. Azim, and I. Neamtiu. 2016. Finding resume and restart errors in Android applications. In Proceedings of the ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA’16).Google Scholar
T. Stahl and M. Voelter. 2006. Model-Driven Software Development: Technology, Engineering, Management. John Wiley 8 Sons.Google Scholar
A. Wasylkowski and A. Zeller. 2009. Mining temporal specifications from object usage. In Proceedings of the IEEE/ACM International Conference on Automated Software Engineering (ASE’09).Google Scholar
L. Wei, Y. Liu, and S.-C. Cheung. 2016. Taming Android fragmentation: Characterizing and detecting compatibility issues for Android Apps. In Proceedings of the IEEE/ACM International Conference on Automated Software Engineering (ASE’16).Google ScholarDigital Library
T. Wu, J. Liu, Z. Xu, C. Guo, Y. Zhang, J. Yan, and J. Zhang. 2016. Light-weight, inter-procedural and callback-aware resource leak detection for Android apps. IEEE Trans. Software Eng. 42, 11 (2016), 1054--1076.Google ScholarDigital Library
XDA. 2019. Xposed. Retrieved from http://repo.xposed.info/.Google Scholar
M. Zhang and H. Yin. 2014. AppSealer: Automatic generation of vulnerability-specific patches for preventing component hijacking attacks in Android applications. In Proceedings of the Annual Network and Distributed System Security Symposium (NDSS’14).Google Scholar

Index Terms

Controlling Interactions with Libraries in Android Apps Through Runtime Enforcement
1. Computer systems organization
  1. Architectures
    1. Other architectures
      1. Self-organizing autonomic computing
2. Software and its engineering
  1. Software notations and tools
    1. Software libraries and repositories
  2. Software organization and properties
    1. Extra-functional properties
      1. Software fault tolerance

Recommendations

Policy enforcement with proactive libraries
SEAMS '17: Proceedings of the 12th International Symposium on Software Engineering for Adaptive and Self-Managing Systems

Software libraries implement APIs that deliver reusable functionalities. To correctly use these functionalities, software applications must satisfy certain correctness policies, for instance policies about the order some API methods can be invoked and ...
Read More
Proactive libraries: enforcing correct behaviors in Android apps
ICSE '22: Proceedings of the ACM/IEEE 44th International Conference on Software Engineering: Companion Proceedings

The Android framework provides a rich set of APIs that can be exploited by developers to build their apps. However, the rapid evolution of these APIs jointly with the specific characteristics of the lifecycle of the Android components challenge ...
Read More
Inter-app communication between Android apps developed in app-inventor and Android studio
MOBILESoft '16: Proceedings of the International Conference on Mobile Software Engineering and Systems

Communications between mobile apps are an important aspect of mobile platforms. Android is specifically designed with inter-app communication in mind and depends on this to provide different platform specific functionalities. Android Apps can either be ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Published in
ACM Transactions on Autonomous and Adaptive Systems Volume 14, Issue 2
June 2019
137 pages
ISSN:1556-4665
EISSN:1556-4703
DOI:10.1145/3368391
Editor:
Bashar Nuseibeh
The Open University, UK, & Lero, Ireland
Issue’s Table of Contents
Copyright © 2019 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 6 December 2019
- Accepted: 1 September 2019
- Revised: 1 June 2019
- Received: 1 March 2018
Published in taas Volume 14, Issue 2

Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Android
Proactive library
policy enforcement
resource leak
resource usage
runtime enforcement
self-healing
Qualifiers
- research-article
- Research
- Refereed
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 9
  Total Citations
  View Citations
- 196
  Total Downloads
- Downloads (Last 12 months)15
- Downloads (Last 6 weeks)0
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

HTML Format

View this article in HTML Format .

View HTML Format

Controlling Interactions with Libraries in Android Apps Through Runtime Enforcement

ACM Transactions on Autonomous and Adaptive Systems

Abstract

References

Cited By

Index Terms

Recommendations

Policy enforcement with proactive libraries

Proactive libraries: enforcing correct behaviors in Android apps

Inter-app communication between Android apps developed in app-inventor and Android studio