Testing and Analysis of Mobile Appliations

Surveys

Ali Feizollah, Nor Badrul Anuar, Rosli Salleh, Ainuddin Wahid Abdul Wahab. A review on feature selection in mobile malware detection. Digital Investigation. 2015.

JavaScript Mobile Apps - Security

MSR Nozzle Project on Detection of JavaScript-based Malware
Xing Jin, Tongbo Luo, Derek G. Tsui, and Wenliang Du. Code Injection Attacks on HTML5-based Mobile Apps. See additional information, including attack demonstration, from this web site. A shorter version of this paper appears in Proceedings of the Mobile Security Technologies (MoST) workshop, May 16, 2014. (Bib)
M. Georgiev, S. Jana, V. Shmatikov. Breaking and Fixing Origin-Based Access Control in Hybrid Web/Mobile Application Frameworks. NDSS 2014. [abstract]
Wu, Daoyuan; Chang, Rocky K. C.. Analyzing Android Browser Apps for file:// Vulnerabilities. eprint arXiv:1404.4553, submitted it to ESORICS'14.
Xing Jin, Lusha Wang, Tongbo Luo, and Wenliang Du. Fine-Grained Access Control for HTML5-Based Mobile Applications in Android. A shorter version of this paper is published in Proceedings of the 16th Information Security Conference, Dallas, Texas. November 13-15, 2013.
Erika Chin and David Wagner. Bifocals: Analyzing WebView Vulnerabilities in Android Applications. 14th International Workshop on Information Security Applications (WISA), 2013. - Best paper award
Rui Wang, Luyi Xing, XiaoFeng Wang, Shuo Chen. Unauthorized Origin Crossing on Mobile Platforms: Threats and Mitigation. In Proc. of the 20th ACM Conference on Computer and Communications Security (CCS’13), Berlin, Germany, Nov. 2013.
Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin. Attacks on WebView in the Android System. In Proceedings of the 27th Annual Computer Security Applications Conference (ACSAC), Orlando, Florida, USA. December 5-9, 2011. (Bib)
La Polla, M., Martinelli, F. ; Sgandurra, D. A Survey on Security for Mobile Devices. Communications Surveys & Tutorials, IEEE (Volume:15 , Issue: 1 ), 2013.

JavaScript Mobile Apps - General

Li, Yuesong and Powell, Mark. HTML5, A Serious Contender to Native App Development or Not? Thesis. Kristianstad University, 2013. [PDF]
Kimmo Puputti. Mobile HTML5: Implementing a Responsive Cross-Platform Application. Master Thesis. Aalto University, 2012. [PDF]
Andre Charland and Brian Leroux. 2011. Mobile application development: web vs. native.Commun. ACM 54, 5 (May 2011), 49-53. DOI=10.1145/1941487.1941504 [PDF]
Florian Schinkel, Andreas Schlag, Gunther Sachs, Stephan Haas, and Patrik Schafer. Evaluation of Android Programming Environments. [PDF]

System/Platform Testing

Industrial Application of Concolic Testing Approach: A Case Study on libexif by Using CREST-BV and KLEE. Yunho Kim, Moonzoo Kim, YoungJoo Kim, Yoonkyu Jang. ICSE 2012 Practice Track.
Concolic Testing on Embedded Software- Case Studies on Mobile Platform Programs. Yunho Kim, Moonzoo Kim, Yoonkyu Jang. ESEC/FSE 2011 Practice Track.

App Testing

Automated Concolic Testing of Smartphone Apps. Saswat Anand, Mayur Naik, Hongseok Yang, Mary Jean Harrold. FSE 2012. [Project Web][Project Web][Slides]

Using GUI Ripping for Automated Testing of Android Applications. Domenico Amalfitano, Anna Fasolino, Salvatore De Carmine, Atif Memon, Porfirio Tramontana. ASE 2012.
Finding Errors in Multithreaded GUI Applications. Sai Zhang, Hao Lu, and Michael D. Ernst . ISSTA 2012. [Tool]
Combining Model-Based and Combinatorial Testing for Effective Test Case Generation. Cu Duy Nguyen, Alessandro Marchetto, and Paolo Tonella. ISSTA 2012. [Tool]
A GUI Crawling-based technique for Android Mobile Application Testing. Domenico Amalfitano, Anna Rita Fasolino, Porfirio Tramontana. TESTBEDS 2011. [Slides]
Automating GUI Testing for Android Applications. Cuixiong Hu, Iulian Neamtiu. AST 2011.
Automating Privacy Testing of Smartphone Applications. Peter Gilbert, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung. Duke U. Tech Report. 2011.
Vision: automated security validation of mobile apps at app markets. Peter Gilbert, Byung-Gon Chun, Landon P. Cox, and Jaeyeon Jung. MCS 2011.
Andriod GUITAR
Open Source Andriod Kernel analyzer
Robolectric: Test-Drive Your Android Code

Study of Security Problems

A Study of Android Application Security, William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri. USENIX Security 2011.

Categorized By Input Data Type

ProfileDroid: Multi-layer Profiling of Android Applications. Xuetao Wei, Lorenzo Gomez, Iulian Neamtiu, Michalis Faloutsos. MobiCom 2012.
Malicious Android Applications in the Enterprise: What Do They Do and How Do We Fix It? Xuetao Wei, Lorenzo Gomez, Iulian Neamtiu, Michalis Faloutsos. SDMSM'12.

Android OS

Mockdroid: trading privacy for application functionality on smartphones, A. R. Beresford, A. Rice, N. Skehin, and R. Sohan, HotMobile, 2011

iOS Applications (Binary Code)

PiOS: Detecting Privacy Leaks in iOS Applications, Manuel Egele, Christopher Kruegel, Engin Kirda, Giovanni Vigna. NDSS 201

Android Applications (Decompiled DVM Code)

With User specified properties for analysis
A Study of Android Application Security, William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri. USENIX Security 2011.

Android Applications (DVM Code)

TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones. W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. Mc- Daniel, and A. N. Sheth. OSDI, 2010
- Vision: automated security validation of mobile apps at app markets. Peter Gilbert, Byung-Gon Chun, Landon P. Cox, and Jaeyeon Jung. MCS 2011.
- [TR] Automating Privacy Testing of Smartphone Applications. Peter Gilbert, Byung-Gon Chun, Landon P. Cox, and Jaeyeon Jung. Duke University, Technical Report CS-2011-02 []
- Seeding a Security-Enhancing Infrastructure for Multi-market Application Ecosystems, David Barrera, William Enck, and Paul C. van Oorschot. Technical Report TR-11-06
- Android Permissions Demystified, Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn Song, and David Wagner, CCS 2011
- Analyzing Inter-Application Communication in Android, E Chin, AP Felt, K Greenwood, D Wagner, Mobysis 2011
These Aren't the Droids You're Looking For": Retroffiting Android to Protect Data from Imperious Applications, Peter Hornyack, Seongyeop Han, Jaeyeon Jung, Stuart Schechter, and David Wetherall, no. MSR-TR-2011-71

Android Applications Security (e.g., Permission File)

A methodology for empirical analysis of permission-based security models and its application to android, D. Barrera, H. Kayacik, P. van Oorschot, and A. Somayaji. CCS 2010
New Policy Modeling/Enforcement
Application-Centric Security Policies on Unmodified Android. Nikhilesh Reddy, Jinseong Jeon, Jeffrey A. Vaughan, Todd Millstein, and Jeffrey S. Foster. UCLA Technical Report 110017, July 2011.
On Lightweight Mobile Phone Application Certification. William Enck, Machigar Ongtang, and Patrick McDaniel. CCS 2009.
Semantically Rich Application-Centric Security in Android, Machigar Ongtang, Stephen McLaughlin, William Enck, and Patrick McDaniel. ACSAC 2009.
The Effectiveness of Application Permissions, AP Felt, K Greenwood, D Wagner, USENIX WebApps 2011
A methodology for empirical analysis of permission-based security models and its application to android, D. Barrera, H. Kayacik, P. van Oorschot, and A. Somayaji. CCS 2010

TouchDevelop Script

Transparent Privacy Control via Static Information Flow Analysis, Xusheng Xiao, Nikolai Tillmann, Manuel Fahndrich, Peli de Halleux, and Michal Moskal, no. MSR-TR-2011-93.

Categorized By Output Type

Privacy or Security Leakage

A Study of Android Application Security, William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri. USENIX Security 2011.
TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones. W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. Mc- Daniel, and A. N. Sheth. OSDI, 2010
Vision: automated security validation of mobile apps at app markets. Peter Gilbert, Byung-Gon Chun, Landon P. Cox, and Jaeyeon Jung. MCS 2011.
[TR] Automating Privacy Testing of Smartphone Applications. Peter Gilbert, Byung-Gon Chun, Landon P. Cox, and Jaeyeon Jung. Duke University, Technical Report CS-2011-02
PiOS: Detecting Privacy Leaks in iOS Applications, Manuel Egele, Christopher Kruegel, Engin Kirda, Giovanni Vigna. NDSS 201
Transparent Privacy Control via Static Information Flow Analysis, Xusheng Xiao, Nikolai Tillmann, Manuel Fahndrich, Peli de Halleux, and Michal Moskal, no. MSR-TR-2011-93.
Analyzing Inter-Application Communication in Android, E Chin, AP Felt, K Greenwood, D Wagner, Mobysis 2011

Detecting Changes in Behavior

These Aren't the Droids You're Looking For": Retroffiting Android to Protect Data from Imperious Applications, Peter Hornyack, Seongyeop Han, Jaeyeon Jung, Stuart Schechter, and David Wetherall, no. MSR-TR-2011-71

Overprivileges of Access

Android Permissions Demystified, Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn Song, and David Wagner, CCS 2011

Rule Violation (e.g., Dangerous Permission)

On Lightweight Mobile Phone Application Certification. William Enck, Machigar Ongtang, and Patrick McDaniel. CCS 2009.

Mocked Permission

Mockdroid: trading privacy for application functionality on smartphones, A. R. Beresford, A. Rice, N. Skehin, and R. Sohan, HotMobile, 2011

Visualization

A methodology for empirical analysis of permission-based security models and its application to android, D. Barrera, H. Kayacik, P. van Oorschot, and A. Somayaji. CCS 2010

Categorized By Analysis and Testing Type

Design new Architecture

Seeding a Security-Enhancing Infrastructure for Multi-market Application Ecosystems, David Barrera, William Enck, and Paul C. van Oorschot. Technical Report TR-11-06
These Aren't the Droids You're Looking For": Retroffiting Android to Protect Data from Imperious Applications, Peter Hornyack, Seongyeop Han, Jaeyeon Jung, Stuart Schechter, and David Wetherall, no. MSR-TR-2011-71

Policy Modeling and Enforcement

Application-Centric Security Policies on Unmodified Android. Nikhilesh Reddy, Jinseong Jeon, Jeffrey A. Vaughan, Todd Millstein, and Jeffrey S. Foster. UCLA Technical Report 110017, July 2011.
On Lightweight Mobile Phone Application Certification. William Enck, Machigar Ongtang, and Patrick McDaniel. CCS 2009.
Semantically Rich Application-Centric Security in Android, Machigar Ongtang, Stephen McLaughlin, William Enck, and Patrick McDaniel. ACSAC 2009.
These Aren't the Droids You're Looking For": Retroffiting Android to Protect Data from Imperious Applications, Peter Hornyack, Seongyeop Han, Jaeyeon Jung, Stuart Schechter, and David Wetherall, no. MSR-TR-2011-71

Empirical Analysis or Case Study

A methodology for empirical analysis of permission-based security models and its application to android, D. Barrera, H. Kayacik, P. van Oorschot, and A. Somayaji. CCS 2010
The Effectiveness of Application Permissions, AP Felt, K Greenwood, D Wagner, USENIX WebApps 2011

Test Generation

Vision: automated security validation of mobile apps at app markets. Peter Gilbert, Byung-Gon Chun, Landon P. Cox, and Jaeyeon Jung. MCS 2011.
[TR] Automating Privacy Testing of Smartphone Applications. Peter Gilbert, Byung-Gon Chun, Landon P. Cox, and Jaeyeon Jung. Duke University, Technical Report CS-2011-02

Dynamic Taint Analysis

TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones. W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. Mc- Daniel, and A. N. Sheth. OSDI, 2010

Static Analysis

A Study of Android Application Security, William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri. USENIX Security 2011.
PiOS: Detecting Privacy Leaks in iOS Applications, Manuel Egele, Christopher Kruegel, Engin Kirda, Giovanni Vigna. NDSS 201
Transparent Privacy Control via Static Information Flow Analysis, Xusheng Xiao, Nikolai Tillmann, Manuel Fahndrich, Peli de Halleux, and Michal Moskal, no. MSR-TR-2011-93.
Android Permissions Demystified, Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn Song, and David Wagner, CCS 2011
Analyzing Inter-Application Communication in Android, E Chin, AP Felt, K Greenwood, D Wagner, Mobysis 2011

Mock

Mockdroid: trading privacy for application functionality on smartphones, A. R. Beresford, A. Rice, N. Skehin, and R. Sohan, HotMobile, 2011

Re-engineering

A Study of Android Application Security, William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri. USENIX Security 2011.

Categorized By AnalysisType

Information flow analysis

Transparent Privacy Control via Static Information Flow Analysis, Xusheng Xiao, Nikolai Tillmann, Manuel Fahndrich, Peli de Halleux, and Michal Moskal, no. MSR-TR-2011-93.

API Calls

Android Permissions Demystified, Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn Song, and David Wagner, CCS 2011

Control flow analysis

A Study of Android Application Security, William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri. USENIX Security 2011.
Vision: automated security validation of mobile apps at app markets. Peter Gilbert, Byung-Gon Chun, Landon P. Cox, and Jaeyeon Jung. MCS 2011.
[TR] Automating Privacy Testing of Smartphone Applications. Peter Gilbert, Byung-Gon Chun, Landon P. Cox, and Jaeyeon Jung. Duke University, Technical Report CS-2011-02
PiOS: Detecting Privacy Leaks in iOS Applications, Manuel Egele, Christopher Kruegel, Engin Kirda, Giovanni Vigna. NDSS 201
[Intent Control flow] Analyzing Inter-Application Communication in Android, E Chin, AP Felt, K Greenwood, D Wagner, Mobysis 2011

Data flow analysis

A Study of Android Application Security, William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri. USENIX Security 2011.
TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones. W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. Mc- Daniel, and A. N. Sheth. OSDI, 2010
PiOS: Detecting Privacy Leaks in iOS Applications, Manuel Egele, Christopher Kruegel, Engin Kirda, Giovanni Vigna. NDSS 201

Structural analysis

A Study of Android Application Security, William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri. USENIX Security 2011.

Semantic analysis

A Study of Android Application Security, William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri. USENIX Security 2011.

The papers below are that I did not classify papers below yet

Securing Android-powered mobile devices using SELinux, A Shabtai, Y Fledel, Y Elovici, Security & Privacy 2010
Google Android: A Comprehensive Security Assessment, A Shabtai, Y Fledel, U Kanonov, Y Elovici, Security & Privacy 2010
XManDroid: A New Android Evolution to Mitigate Privilege Escalation Attacks, Sven Bugiel, Lucas Davi, Alexandra Dmitrienko, Thomas Fischer, Ahmad-Reza Sadeghi, TR-2011-04

Privacy Revelations for Web and Mobile Apps, David Wetherall, David Choffnes, Seungyeop Han, Peter Hornyack, Jaeyeon Jung, Stuart Schechter, and Xiao Wang, HotOS 2010
I'm Allowing What? Disclosing the authority applications demand of users as a condition of installation, Jennifer Tam, Robert W. Reeder, and Stuart Schechter, no. MSR-TR-2010-54
Can I Borrow Your Phone? Understanding Concerns When Sharing Mobile Phones, Amy K. Karlson, A.J. Bernheim Brush, and Stuart Schechter, CHI 2009

Functional Testing

Hermes: A Tool for Testing Mobile Device Applications. She, S.; Sivapalan, S.; Warren, I.. ASWEC 2009.

Development

Exploring the Development of Micro-Apps: A Case Study on the BlackBerry and Android Platforms. Mark D. Syer, Bram Adams, Ying Zou and Ahmed E. Hassan. SCAM 2011.