Abstract
Android applications are executed on smartphones equipped with a variety of resources that must be properly accessed and controlled, otherwise the correctness of the executions and the stability of the entire environment might be negatively affected. For example, apps must properly acquire, use, and release microphones, cameras, and other multimedia devices, otherwise the behavior of the apps that use the same resources might be compromised.
Unfortunately, several apps do not use resources correctly, for instance, due to faults and inaccurate design decisions. By interacting with these apps, users may experience unexpected behaviors, which in turn may cause instability and sporadic failures, especially when resources are accessed.
In this article, we present an approach that lets users protect their environment from the apps that use resources improperly by enforcing the correct usage protocol. This is achieved by using software enforcers that can observe executions and change them when necessary. For instance, enforcers can detect that a resource has been acquired but not released and automatically perform the release operation, thus giving the possibility to use that same resource to the other apps.
The main idea is that software libraries, in particular, the ones controlling access to resources, can be augmented with enforcers that can be activated and deactivated on demand by users to protect their environment from unwanted app behaviors. We call the software libraries augmented with one or more enforcers proactive libraries, because the activation of the enforcer decorates the library with proactive behaviors that can guarantee the correctness of the execution despite the invocation of the operations implemented by the library. For example, enforcers can detect that a resource has not been released on time and proactively release it.
Our experimental results with 27 possible misuses of resources in real Android apps reveal that proactive libraries are able to effectively correct library misuses with negligible runtime overheads.
- D. Amalfitano, A. R. Fasolino, P. Tramontana, and N. Amatucci. 2013. Considering context events in event-based testing of mobile applications. In Proceedings of the International Conference on Software Testing, Verification and Validation Workshops (ICSTW’13).Google Scholar
- S. Amani, S. Nadi, H. A. Nguyen, T. N. Nguyen, and M. Mezini. 2016. MUBench: A benchmark for API-misuse detectors. In Proceedings of the International Conference on Mining Software Repositories (MSR’16).Google Scholar
- Android. 2019. The Activity Lifecycle. Retrieved from https://developer.android.com/guide/components/activities/activity-lifecycle.html.Google Scholar
- Android. 2019. Android API. Retrieved from https://developer.android.com/guide/index.html.Google Scholar
- Android. 2019. Android Studio. Retrieved from https://developer.android.com/studio/index.html.Google Scholar
- M. T. Azim, I. Neamtiu, and L. M. Marvel. 2014. Towards self-healing smartphone software via automated patching. In Proceedings of the International Conference on Automated Software Engineering (ASE’14).Google Scholar
- A. Banerjee, L. Kee Chong, S. Chattopadhyay, and A. Roychoudhury. 2014. Detecting energy bugs and hotspots in mobile apps. In Proceedings of the ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE’14).Google Scholar
- H. Chang, L. Mariani, and M. Pezzè. 2009. In-field healing of integration problems with COTS components. In Proceedings of the International Conference on Software Engineering (ICSE’09).Google Scholar
- H. Chang, L. Mariani, and M. Pezzè. 2013. Exception handlers for healing component-based systems. ACM Trans. Software Eng. Methodol. 22, 4 (2013), 30:1--30:40.Google ScholarDigital Library
- O. Cornejo, D. Briola, D. Micucci, and L. Mariani. 2017. In the field monitoring of software applications. In Proceedings of the International Conference on Software Engineering (ICSE’17).Google Scholar
- Y. Dai, Y. Xiang, and G. Zhang. 2009. Self-healing and hybrid diagnosis in cloud computing. In Proceedings of the International Conference on Cloud Computing (CloudCom’09).Google Scholar
- G. Denaro, M. Pezzè, and D. Tosi. 2013. Test-and-adapt: An approach for improving service interchangeability. ACM Trans. Software Eng. Methodol. 22, 4 (2013), 28:1--28:43.Google ScholarDigital Library
- D. Dig, S. Negara, V. Mohindra, and R. Johnson. 2008. ReBA: Refactoring-aware binary adaptation of evolving libraries. In Proceedings of the International Conference on Software Engineering (ICSE’08).Google Scholar
- M. Egele, D. Brumley, Y. Fratantonio, and C. Kruegel. 2013. An empirical study of cryptographic misuse in Android applications. In Proceedings of the ACM SIGSAC Conference on Computer 8 Communications Security (CCS’13).Google Scholar
- S. Elmalaki, L. Wanner, and M. Srivastava. 2015. CAreDroid: Adaptation framework for Android context-aware applications. In Proceedings of the Annual International Conference on Mobile Computing and Networking (MobiCom’15).Google Scholar
- Y. Falcone, S. Currea, and M. Jaber. 2012. Runtime verification and enforcement for Android applications with RV-Droid. In Proceedings of the International Conference on Runtime Verification (RV’12).Google Scholar
- Eclipse Foundation. 2019. Acceleo. Retrieved from https://www.eclipse.org/acceleo/.Google Scholar
- Eclipse Foundation. 2019. Eclipse. Retrieved from http://www.eclipse.org/.Google Scholar
- Eclipse Foundation. 2019. Eclipse Modeling Framework. Retrieved from https://www.eclipse.org/modeling/emf/.Google Scholar
- Eclipse Foundation. 2019. Graphical Modeling Project. Retrieved from http://www.eclipse.org/modeling/gmp/.Google Scholar
- JS Foundation. 2019. Retrieved from Appium. http://appium.io.Google Scholar
- L. Gazzola, D. Micucci, and L. Mariani. 2019. Automatic software repair: A survey. IEEE Trans. Software Eng. 45, 1 (2019), 34--67.Google ScholarDigital Library
- M. E. Joorabchi, A. Mesbah, and P. Kruchten. 2013. Real challenges in mobile app development. In Proceedings of the International Symposium on Empirical Software Engineering and Measurement (ESEM’13).Google Scholar
- S. Kelly and J.-P. Tolvanen. 2008. Domain-Specific Modeling: Enabling Full Code Generation. Wiley.Google ScholarDigital Library
- H. Khalid, M. Nagappan, E. Shihab, and A. E. Hassan. 2014. Prioritizing the devices to test your app on: A case study of android game apps. In Proceedings of the Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE’14).Google Scholar
- G. Kiczales, J. Lamping, A. Mendhekar, C. Maeda, C. Lopes, J. Loingtier, and J. Irwin. 1997. Aspect-oriented programming. In Proceedings of the European Conference on Object-Oriented Programming (ECOOP’97).Google Scholar
- D. Kong, L. Cen, and H. Jin. 2015. AUTOREB: Automatically understanding the review-to-behavior fidelity in Android applications. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS’15).Google Scholar
- D. Li and W. G. J. Halfond. 2014. An investigation into energy-saving programming practices for Android smartphone app development. In Proceedings of the International Workshop on Green and Sustainable Software (GREENS’14).Google ScholarDigital Library
- L. Li, T. F. Bissyandé, D. Octeau, and J. Klein. 2016. DroidRA: Taming reflection to support whole-program analysis of Android Apps. In Proceedings of the International Symposium on Software Testing and Analysis (ISSTA’16).Google Scholar
- Z. Li and Y. Zhou. 2005. PR-Miner: Automatically extracting implicit programming rules and detecting violations in large software code. In Proceedings of the European Software Engineering Conference held jointly with the ACM SIGSOFT International Symposium on Foundations of Software Engineering (ESEC/FSE’05).Google Scholar
- J. Ligatti, L. Bauer, and D. Walker. 2005. Edit automata: Enforcement mechanisms for run-time security policies. Int. J. Info. Secur. 4, 1 (2005), 2--16.Google Scholar
- M. Linares-Vásquez, G. Bavota, C. Bernal-Cárdenas, M. Di Penta, R. Oliveto, and D. Poshyvanyk. 2013. API change and fault proneness: A threat to the success of android apps. In Proceedings of the Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE’13).Google Scholar
- M. Linares-Vásquez, G. Bavota, C. Bernal-Cárdenas, M. Di Penta, R. Oliveto, and D. Poshyvanyk. 2013. API change and fault proneness: A threat to the success of Android apps. In Proceedings of the Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE’13).Google Scholar
- J. Liu, T. Wu, J. Yan, and J. Zhang. 2016. Fixing resource leaks in Android apps with light-weight static analysis and low-overhead instrumentation. In Proceedings of the International Symposium on Software Reliability Engineering (ISSRE’16).Google Scholar
- J. P. Magalhães and L. M. Silva. 2015. SHÕWA: A self-healing framework for web-based applications. ACM Trans. Auton. Adapt. Syst. 10, 1 (2015), 4:1--4:28.Google ScholarDigital Library
- F. Mancinelli and P. Inverardi. 2006. A resource model for adaptable applications. In Proceedings of the International Workshop on Self-adaptation and Self-managing Systems (SEAMS’06).Google Scholar
- L. Mariani, F. Pastore, and M. Pezzè. 2011. Dynamic analysis for diagnosing integration faults. IEEE Trans. Software Eng. 37, 4 (2011), 486--508.Google ScholarDigital Library
- T. McDonnell, B. Ray, and M. Kim. 2013. An empirical study of API stability and adoption in the android ecosystem. In Proceedings of the International Conference on Software Maintenance (ICSM’13).Google Scholar
- H. Muccini, A. Di Francesco, and P. Esposito. 2012. Software testing of mobile applications: Challenges and future research directions. In Proceedings of the International Workshop on Automation of Software Test (AST’12).Google Scholar
- C. Mulliner, J. Oberheide, W. Robertson, and E. Kirda. 2013. PatchDroid: Scalable third-party security patches for Android devices. In Proceedings of the Annual Computer Security Applications Conference (ACSAC’13).Google Scholar
- R. Neisse, G. Steri, D. Geneiatakis, and I. N. Fovino. 2016. A privacy enforcing framework for android applications. Comput. Secur. 62 (2016), 257--277.Google ScholarCross Ref
- OMG. 2012. Object Constraint Language. Retrieved from https://modeling-languages.com/ocl-tutorial/.Google Scholar
- O. Riganelli, D. Micucci, and L. Mariani. 2016. Healing data loss problems in Android apps. In Proceedings of the International Workshop on Software Faults (IWSF’16), co-located with the International Symposium on Software Reliability Engineering (ISSRE’16).Google Scholar
- O. Riganelli, D. Micucci, and L. Mariani. 2017. Policy enforcement with proactive libraries. In Proceedings of the International Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS’17).Google Scholar
- O. Riganelli, D. Micucci, and L. Mariani. 2018. Increasing the reusability of enforcers with lifecycle events. In Proceedings of the International Symposium on Leveraging Applications of Formal Methods, Verification and Validation (ISOLA’18).Google Scholar
- O. Riganelli, D. Micucci, and L. Mariani. 2019. From source code to test cases: A comprehensive benchmark for resource leak detection in android apps. Software: Pract. Exper. 49, 3 (2019), 540--548.Google Scholar
- O. Riganelli, D. Micucci, L. Mariani, and Y. Falcone. 2017. Verifying policy enforcers. In Proceedings of the International Conference on Runtime Verification (RV’17).Google Scholar
- O. Riganelli, M. Mobilio, D. Micucci, and L. Mariani. 2019. A benchmark of data loss bugs for android apps. In Proceedings of the International Conference on Mining Software Repositories (MSR’19).Google Scholar
- R. Rouvoy, M. Beauvois, L. Lozano, J. Lorenzo, and F. Eliassen. 2008. MUSIC: An autonomous platform supporting self-adaptive mobile applications. In Proceedings of the Workshop on Mobile Middleware: Embracing the Personal Communication Device (MobMid’08).Google Scholar
- Ronny Seiger, Steffen Huber, and Thomas Schlegel. 2018. Toward an execution system for self-healing workflows in cyber-physical systems. Software Syst. Model. 17, 2 (2018), 551--572.Google Scholar
- Z. Shan, T. Azim, and I. Neamtiu. 2016. Finding resume and restart errors in Android applications. In Proceedings of the ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA’16).Google Scholar
- T. Stahl and M. Voelter. 2006. Model-Driven Software Development: Technology, Engineering, Management. John Wiley 8 Sons.Google Scholar
- A. Wasylkowski and A. Zeller. 2009. Mining temporal specifications from object usage. In Proceedings of the IEEE/ACM International Conference on Automated Software Engineering (ASE’09).Google Scholar
- L. Wei, Y. Liu, and S.-C. Cheung. 2016. Taming Android fragmentation: Characterizing and detecting compatibility issues for Android Apps. In Proceedings of the IEEE/ACM International Conference on Automated Software Engineering (ASE’16).Google ScholarDigital Library
- T. Wu, J. Liu, Z. Xu, C. Guo, Y. Zhang, J. Yan, and J. Zhang. 2016. Light-weight, inter-procedural and callback-aware resource leak detection for Android apps. IEEE Trans. Software Eng. 42, 11 (2016), 1054--1076.Google ScholarDigital Library
- XDA. 2019. Xposed. Retrieved from http://repo.xposed.info/.Google Scholar
- M. Zhang and H. Yin. 2014. AppSealer: Automatic generation of vulnerability-specific patches for preventing component hijacking attacks in Android applications. In Proceedings of the Annual Network and Distributed System Security Symposium (NDSS’14).Google Scholar
Index Terms
- Controlling Interactions with Libraries in Android Apps Through Runtime Enforcement
Recommendations
Policy enforcement with proactive libraries
SEAMS '17: Proceedings of the 12th International Symposium on Software Engineering for Adaptive and Self-Managing SystemsSoftware libraries implement APIs that deliver reusable functionalities. To correctly use these functionalities, software applications must satisfy certain correctness policies, for instance policies about the order some API methods can be invoked and ...
Proactive libraries: enforcing correct behaviors in Android apps
ICSE '22: Proceedings of the ACM/IEEE 44th International Conference on Software Engineering: Companion ProceedingsThe Android framework provides a rich set of APIs that can be exploited by developers to build their apps. However, the rapid evolution of these APIs jointly with the specific characteristics of the lifecycle of the Android components challenge ...
Inter-app communication between Android apps developed in app-inventor and Android studio
MOBILESoft '16: Proceedings of the International Conference on Mobile Software Engineering and SystemsCommunications between mobile apps are an important aspect of mobile platforms. Android is specifically designed with inter-app communication in mind and depends on this to provide different platform specific functionalities. Android Apps can either be ...
Comments