Accessing Inaccessible Android APIs: An Empirical Study

Li, Li; Bissyandé, Tegawendé F.; Traon, Yves Le; Klein, Jacques

doi:10.1109/icsme.2016.35

Cited by 50 publications

(48 citation statements)

References 36 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Bug fix commits study: Various studies have mined software repositories to analyze commits [66]- [69]. Purushothaman and Perry [70] studied patch-related commits in terms of sizes of bug fix hunks and repair action types to investigate the impact of small source code changes.…”

Section: Related Workmentioning

confidence: 99%

A Closer Look at Real-World Patches

Liu

Kim

Koyuncu

et al. 2018

2018 IEEE International Conference on Software Maintenance and Evolution (ICSME)

Self Cite

View full text Add to dashboard Cite

Bug fixing is a time-consuming and tedious task. To reduce the manual efforts in bug fixing, researchers have presented automated approaches to software repair. Unfortunately, recent studies have shown that the state-of-the-art techniques in automated repair tend to generate patches only for a small number of bugs even with quality issues (e.g., incorrect behavior and nonsensical changes). To improve automated program repair (APR) techniques, the community should deepen its knowledge on repair actions from real-world patches since most of the techniques rely on patches written by human developers. Previous investigations on real-world patches are limited to statement level that is not sufficiently fine-grained to build this knowledge. In this work, we contribute to building this knowledge via a systematic and fine-grained study of 16,450 bug fix commits from seven Java open-source projects. We find that there are opportunities for APR techniques to improve their effectiveness by looking at code elements that have not yet been investigated. We also discuss nine insights into tuning automated repair tools. For example, a small number of statement and expression types are recurrently impacted by real-world patches, and expression-level granularity could reduce search space of finding fix ingredients, where previous studies never explored.

show abstract

Section: Related Workmentioning

confidence: 99%

A Closer Look at Real-World Patches

Liu

Kim

Koyuncu

et al. 2018

2018 IEEE International Conference on Software Maintenance and Evolution (ICSME)

Self Cite

View full text Add to dashboard Cite

show abstract

“…Evolution of Android OS code has also been investigated. McDonnell et al have empirically studied the stability of Android APIs [117] while Li et al focused on the evolution of inaccessible Android APIs [25]. Thanks to the lineage dataset that we have collected, further studies can be performed to check the alignment between OS API evolution and API usage evolution in app code.…”

Section: Related Workmentioning

confidence: 99%

“…In the quasi-totality of apps available in the marketplace, the history of development is a fleeing data stream: at a given time, only a single version of the app is available in the market; when the next updated version is uploaded, the past version is lost. A few works [24], [25], [26] involving evolution studies have proposed to "watch" a small number of apps for a period of time to collect history versions. However, the insight observed by such studies may not be representative of that of the whole Android ecosystem.…”

Section: Introductionmentioning

confidence: 99%

Understanding the Evolution of Android App Vulnerabilities

Gao

Kong

et al. 2021

IEEE Trans. Rel.

Self Cite

View full text Add to dashboard Cite

The Android ecosystem today is a growing universe of a few billion devices, hundreds of millions of users and millions of applications targeting a wide range of activities where sensitive information is collected and processed. Security of communication and privacy of data are thus of utmost importance in application development. Yet, regularly, there are reports of successful attacks targeting Android users. While some of those attacks exploit vulnerabilities in the Android OS, others directly concern application-level code written by a large pool of developers with varying experience. Recently, a number of studies have investigated this phenomenon, focusing however only on a specific vulnerability type appearing in apps, and based on only a snapshot of the situation at a given time. Thus, the community is still lacking comprehensive studies exploring how vulnerabilities have evolved over time, and how they evolve in a single app across developer updates. Our work fills this gap by leveraging a data stream of 5 million app packages to reconstruct versioned lineages of Android apps and finally obtained 28,564 app lineages (i.e., successive releases of the same Android apps) with more than 10 app versions each, corresponding to a total of 465,037 apks. Based on these app lineages, we apply stateof-the-art vulnerability-finding tools and investigate systematically the reports produced by each tool. In particular, we study which types of vulnerabilities are found, how they are introduced in the app code, where they are located, and whether they foreshadow malware. We provide insights based on the quantitative data as reported by the tools, but we further discuss the potential false positives. Our findings and study artifacts constitute a tangible knowledge to the community. It could be leveraged by developers to focus verification tasks, and by researchers to drive vulnerability discovery and repair research efforts.

show abstract

“…Android app evolution analysis is not new. Researchers have presented various studies for understanding the evolution of Android apps [33], [34], [35]. For example, Gao et al [24] have presented an empirical study aiming at understanding the evolution of Android app vulnerabilities.…”

Section: Threats To Validitymentioning

confidence: 99%

Negative Results on Mining Crypto-API Usage Rules in Android Apps

Gao

Kong

et al. 2019

2019 IEEE/ACM 16th International Conference on Mining Software Repositories (MSR)

Self Cite

View full text Add to dashboard Cite

Android app developers recurrently use crypto-APIs to provide data security to app users. Unfortunately, misuse of APIs only creates an illusion of security and even exposes apps to systematic attacks. It is thus necessary to provide developers with a statically-enforceable list of specifications of crypto-API usage rules. On the one hand, such rules cannot be manually written as the process does not scale to all available APIs. On the other hand, a classical mining approach based on common usage patterns is not relevant in Android, given that a large share of usages include mistakes. In this work, building on the assumption that "developers update API usage instances to fix misuses", we propose to mine a large dataset of updates within about 40 000 real-world app lineages to infer API usage rules. Eventually, our investigations yield negative results on our assumption that API usage updates tend to correct misuses. Actually, it appears that updates that fix misuses may be unintentional: the same misuses patterns are quickly re-introduced by subsequent updates.

show abstract

Accessing Inaccessible Android APIs: An Empirical Study

Cited by 50 publications

References 36 publications

A Closer Look at Real-World Patches

A Closer Look at Real-World Patches

Understanding the Evolution of Android App Vulnerabilities

Negative Results on Mining Crypto-API Usage Rules in Android Apps

Contact Info

Product

Resources

About