Testing and Analysis of Mobile Appliations

Surveys

• Ali Feizollah, Nor Badrul Anuar, Rosli Salleh, Ainuddin Wahid Abdul Wahab. A review on feature selection in mobile malware detection. Digital Investigation. 2015.

JavaScript Mobile Apps - Security

• MSR Nozzle Project on Detection of JavaScript-based Malware
• Xing Jin, Tongbo Luo, Derek G. Tsui, and Wenliang Du. Code Injection Attacks on HTML5-based Mobile Apps. See additional information, including attack demonstration, from this web site. A shorter version of this paper appears in Proceedings of the Mobile Security Technologies (MoST) workshop, May 16, 2014. (Bib)
• M. Georgiev, S. Jana, V. Shmatikov. Breaking and Fixing Origin-Based Access Control in Hybrid Web/Mobile Application Frameworks. NDSS 2014. [abstract]
• Wu, Daoyuan; Chang, Rocky K. C.. Analyzing Android Browser Apps for file:// Vulnerabilities. eprint arXiv:1404.4553, submitted it to ESORICS'14.
• Xing Jin, Lusha Wang, Tongbo Luo, and Wenliang Du. Fine-Grained Access Control for HTML5-Based Mobile Applications in Android. A shorter version of this paper is published in Proceedings of the 16th Information Security Conference, Dallas, Texas. November 13-15, 2013.
• Erika Chin and David Wagner. Bifocals: Analyzing WebView Vulnerabilities in Android Applications. 14th International Workshop on Information Security Applications (WISA), 2013. - Best paper award
• Rui Wang, Luyi Xing, XiaoFeng Wang, Shuo Chen. Unauthorized Origin Crossing on Mobile Platforms: Threats and Mitigation. In Proc. of the 20th ACM Conference on Computer and Communications Security (CCS’13), Berlin, Germany, Nov. 2013.
• Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin. Attacks on WebView in the Android System. In Proceedings of the 27th Annual Computer Security Applications Conference (ACSAC), Orlando, Florida, USA. December 5-9, 2011. (Bib)
• La Polla, M., Martinelli, F. ; Sgandurra, D. A Survey on Security for Mobile Devices. Communications Surveys & Tutorials, IEEE (Volume:15 , Issue: 1 ), 2013.

JavaScript Mobile Apps - General

• Li, Yuesong and Powell, Mark. HTML5, A Serious Contender to Native App Development or Not? Thesis. Kristianstad University, 2013. [PDF]
• Kimmo Puputti. Mobile HTML5: Implementing a Responsive Cross-Platform Application. Master Thesis. Aalto University, 2012. [PDF]
• Andre Charland and Brian Leroux. 2011. Mobile application development: web vs. native.Commun. ACM 54, 5 (May 2011), 49-53. DOI=10.1145/1941487.1941504 [PDF]
• Florian Schinkel, Andreas Schlag, Gunther Sachs, Stephan Haas, and Patrik Schafer. Evaluation of Android Programming Environments. [PDF]

System/Platform Testing

• Industrial Application of Concolic Testing Approach: A Case Study on libexif by Using CREST-BV and KLEE. Yunho Kim, Moonzoo Kim, YoungJoo Kim, Yoonkyu Jang. ICSE 2012 Practice Track.
• Concolic Testing on Embedded Software- Case Studies on Mobile Platform Programs. Yunho Kim, Moonzoo Kim, Yoonkyu Jang. ESEC/FSE 2011 Practice Track.

App Testing

• Automated Concolic Testing of Smartphone Apps. Saswat Anand, Mayur Naik, Hongseok Yang, Mary Jean Harrold. FSE 2012. [Project Web][Project Web][Slides]
• Using GUI Ripping for Automated Testing of Android Applications. Domenico Amalfitano, Anna Fasolino, Salvatore De Carmine, Atif Memon, Porfirio Tramontana. ASE 2012.
• Finding Errors in Multithreaded GUI Applications. Sai Zhang, Hao Lu, and Michael D. Ernst . ISSTA 2012. [Tool]
• Combining Model-Based and Combinatorial Testing for Effective Test Case Generation. Cu Duy Nguyen, Alessandro Marchetto, and Paolo Tonella. ISSTA 2012. [Tool]
• A GUI Crawling-based technique for Android Mobile Application Testing. Domenico Amalfitano, Anna Rita Fasolino, Porfirio Tramontana. TESTBEDS 2011. [Slides]
• Automating GUI Testing for Android Applications. Cuixiong Hu, Iulian Neamtiu. AST 2011.
• Automating Privacy Testing of Smartphone Applications. Peter Gilbert, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung. Duke U. Tech Report. 2011.
• Vision: automated security validation of mobile apps at app markets. Peter Gilbert, Byung-Gon Chun, Landon P. Cox, and Jaeyeon Jung. MCS 2011.
• Andriod GUITAR
• Open Source Andriod Kernel analyzer
• Robolectric: Test-Drive Your Android Code

• ProfileDroid: Multi-layer Profiling of Android Applications. Xuetao Wei, Lorenzo Gomez, Iulian Neamtiu, Michalis Faloutsos. MobiCom 2012.
• Malicious Android Applications in the Enterprise: What Do They Do and How Do We Fix It? Xuetao Wei, Lorenzo Gomez, Iulian Neamtiu, Michalis Faloutsos. SDMSM'12.

Android OS

• Mockdroid: trading privacy for application functionality on smartphones, A. R. Beresford, A. Rice, N. Skehin, and R. Sohan, HotMobile, 2011

iOS Applications (Binary Code)

• PiOS: Detecting Privacy Leaks in iOS Applications, Manuel Egele, Christopher Kruegel, Engin Kirda, Giovanni Vigna. NDSS 201

Android Applications (Decompiled DVM Code)

• With User specified properties for analysis
• A Study of Android Application Security, William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri. USENIX Security 2011.

Android Applications (DVM Code)

• TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones. W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. Mc- Daniel, and A. N. Sheth. OSDI, 2010
  • Vision: automated security validation of mobile apps at app markets. Peter Gilbert, Byung-Gon Chun, Landon P. Cox, and Jaeyeon Jung. MCS 2011.
  • [TR] Automating Privacy Testing of Smartphone Applications. Peter Gilbert, Byung-Gon Chun, Landon P. Cox, and Jaeyeon Jung. Duke University, Technical Report CS-2011-02 []
  • Seeding a Security-Enhancing Infrastructure for Multi-market Application Ecosystems, David Barrera, William Enck, and Paul C. van Oorschot. Technical Report TR-11-06
  • Android Permissions Demystified, Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn Song, and David Wagner, CCS 2011
  • Analyzing Inter-Application Communication in Android, E Chin, AP Felt, K Greenwood, D Wagner, Mobysis 2011
• These Aren't the Droids You're Looking For": Retroffiting Android to Protect Data from Imperious Applications, Peter Hornyack, Seongyeop Han, Jaeyeon Jung, Stuart Schechter, and David Wetherall, no. MSR-TR-2011-71

Android Applications Security (e.g., Permission File)

• A methodology for empirical analysis of permission-based security models and its application to android, D. Barrera, H. Kayacik, P. van Oorschot, and A. Somayaji. CCS 2010
• New Policy Modeling/Enforcement
• Application-Centric Security Policies on Unmodified Android. Nikhilesh Reddy, Jinseong Jeon, Jeffrey A. Vaughan, Todd Millstein, and Jeffrey S. Foster. UCLA Technical Report 110017, July 2011.
• On Lightweight Mobile Phone Application Certification. William Enck, Machigar Ongtang, and Patrick McDaniel. CCS 2009.
• Semantically Rich Application-Centric Security in Android, Machigar Ongtang, Stephen McLaughlin, William Enck, and Patrick McDaniel. ACSAC 2009.
• The Effectiveness of Application Permissions, AP Felt, K Greenwood, D Wagner, USENIX WebApps 2011
• A methodology for empirical analysis of permission-based security models and its application to android, D. Barrera, H. Kayacik, P. van Oorschot, and A. Somayaji. CCS 2010

TouchDevelop Script

• Transparent Privacy Control via Static Information Flow Analysis, Xusheng Xiao, Nikolai Tillmann, Manuel Fahndrich, Peli de Halleux, and Michal Moskal, no. MSR-TR-2011-93.

Categorized By Output Type

Privacy or Security Leakage

• A Study of Android Application Security, William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri. USENIX Security 2011.
• TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones. W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. Mc- Daniel, and A. N. Sheth. OSDI, 2010
• Vision: automated security validation of mobile apps at app markets. Peter Gilbert, Byung-Gon Chun, Landon P. Cox, and Jaeyeon Jung. MCS 2011.
• [TR] Automating Privacy Testing of Smartphone Applications. Peter Gilbert, Byung-Gon Chun, Landon P. Cox, and Jaeyeon Jung. Duke University, Technical Report CS-2011-02
• PiOS: Detecting Privacy Leaks in iOS Applications, Manuel Egele, Christopher Kruegel, Engin Kirda, Giovanni Vigna. NDSS 201
• Transparent Privacy Control via Static Information Flow Analysis, Xusheng Xiao, Nikolai Tillmann, Manuel Fahndrich, Peli de Halleux, and Michal Moskal, no. MSR-TR-2011-93.
• Analyzing Inter-Application Communication in Android, E Chin, AP Felt, K Greenwood, D Wagner, Mobysis 2011

Detecting Changes in Behavior

• These Aren't the Droids You're Looking For": Retroffiting Android to Protect Data from Imperious Applications, Peter Hornyack, Seongyeop Han, Jaeyeon Jung, Stuart Schechter, and David Wetherall, no. MSR-TR-2011-71

Overprivileges of Access

• Android Permissions Demystified, Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn Song, and David Wagner, CCS 2011

Rule Violation (e.g., Dangerous Permission)

• On Lightweight Mobile Phone Application Certification. William Enck, Machigar Ongtang, and Patrick McDaniel. CCS 2009.

Mocked Permission

• Mockdroid: trading privacy for application functionality on smartphones, A. R. Beresford, A. Rice, N. Skehin, and R. Sohan, HotMobile, 2011

Visualization

• A methodology for empirical analysis of permission-based security models and its application to android, D. Barrera, H. Kayacik, P. van Oorschot, and A. Somayaji. CCS 2010

Categorized By Analysis and Testing Type

Design new Architecture

• Seeding a Security-Enhancing Infrastructure for Multi-market Application Ecosystems, David Barrera, William Enck, and Paul C. van Oorschot. Technical Report TR-11-06
• These Aren't the Droids You're Looking For": Retroffiting Android to Protect Data from Imperious Applications, Peter Hornyack, Seongyeop Han, Jaeyeon Jung, Stuart Schechter, and David Wetherall, no. MSR-TR-2011-71

Policy Modeling and Enforcement

• Application-Centric Security Policies on Unmodified Android. Nikhilesh Reddy, Jinseong Jeon, Jeffrey A. Vaughan, Todd Millstein, and Jeffrey S. Foster. UCLA Technical Report 110017, July 2011.
• On Lightweight Mobile Phone Application Certification. William Enck, Machigar Ongtang, and Patrick McDaniel. CCS 2009.
• Semantically Rich Application-Centric Security in Android, Machigar Ongtang, Stephen McLaughlin, William Enck, and Patrick McDaniel. ACSAC 2009.
• These Aren't the Droids You're Looking For": Retroffiting Android to Protect Data from Imperious Applications, Peter Hornyack, Seongyeop Han, Jaeyeon Jung, Stuart Schechter, and David Wetherall, no. MSR-TR-2011-71

Empirical Analysis or Case Study

• A methodology for empirical analysis of permission-based security models and its application to android, D. Barrera, H. Kayacik, P. van Oorschot, and A. Somayaji. CCS 2010
• The Effectiveness of Application Permissions, AP Felt, K Greenwood, D Wagner, USENIX WebApps 2011

Test Generation

• Vision: automated security validation of mobile apps at app markets. Peter Gilbert, Byung-Gon Chun, Landon P. Cox, and Jaeyeon Jung. MCS 2011.
• [TR] Automating Privacy Testing of Smartphone Applications. Peter Gilbert, Byung-Gon Chun, Landon P. Cox, and Jaeyeon Jung. Duke University, Technical Report CS-2011-02

Dynamic Taint Analysis

• TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones. W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. Mc- Daniel, and A. N. Sheth. OSDI, 2010

Static Analysis

• A Study of Android Application Security, William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri. USENIX Security 2011.
• PiOS: Detecting Privacy Leaks in iOS Applications, Manuel Egele, Christopher Kruegel, Engin Kirda, Giovanni Vigna. NDSS 201
• Transparent Privacy Control via Static Information Flow Analysis, Xusheng Xiao, Nikolai Tillmann, Manuel Fahndrich, Peli de Halleux, and Michal Moskal, no. MSR-TR-2011-93.
• Android Permissions Demystified, Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn Song, and David Wagner, CCS 2011
• Analyzing Inter-Application Communication in Android, E Chin, AP Felt, K Greenwood, D Wagner, Mobysis 2011

Mock

• Mockdroid: trading privacy for application functionality on smartphones, A. R. Beresford, A. Rice, N. Skehin, and R. Sohan, HotMobile, 2011

Re-engineering

• A Study of Android Application Security, William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri. USENIX Security 2011.

Categorized By AnalysisType

Information flow analysis

• Transparent Privacy Control via Static Information Flow Analysis, Xusheng Xiao, Nikolai Tillmann, Manuel Fahndrich, Peli de Halleux, and Michal Moskal, no. MSR-TR-2011-93.

API Calls

• Android Permissions Demystified, Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn Song, and David Wagner, CCS 2011

Control flow analysis

• A Study of Android Application Security, William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri. USENIX Security 2011.
• Vision: automated security validation of mobile apps at app markets. Peter Gilbert, Byung-Gon Chun, Landon P. Cox, and Jaeyeon Jung. MCS 2011.
• [TR] Automating Privacy Testing of Smartphone Applications. Peter Gilbert, Byung-Gon Chun, Landon P. Cox, and Jaeyeon Jung. Duke University, Technical Report CS-2011-02
• PiOS: Detecting Privacy Leaks in iOS Applications, Manuel Egele, Christopher Kruegel, Engin Kirda, Giovanni Vigna. NDSS 201
• [Intent Control flow] Analyzing Inter-Application Communication in Android, E Chin, AP Felt, K Greenwood, D Wagner, Mobysis 2011

Data flow analysis

• A Study of Android Application Security, William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri. USENIX Security 2011.
• TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones. W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. Mc- Daniel, and A. N. Sheth. OSDI, 2010
• PiOS: Detecting Privacy Leaks in iOS Applications, Manuel Egele, Christopher Kruegel, Engin Kirda, Giovanni Vigna. NDSS 201

Structural analysis

• A Study of Android Application Security, William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri. USENIX Security 2011.

Semantic analysis

• A Study of Android Application Security, William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri. USENIX Security 2011.

The papers below are that I did not classify papers below yet

• Securing Android-powered mobile devices using SELinux, A Shabtai, Y Fledel, Y Elovici, Security & Privacy 2010
• Google Android: A Comprehensive Security Assessment, A Shabtai, Y Fledel, U Kanonov, Y Elovici, Security & Privacy 2010
• XManDroid: A New Android Evolution to Mitigate Privilege Escalation Attacks, Sven Bugiel, Lucas Davi, Alexandra Dmitrienko, Thomas Fischer, Ahmad-Reza Sadeghi, TR-2011-04
• Privacy Revelations for Web and Mobile Apps, David Wetherall, David Choffnes, Seungyeop Han, Peter Hornyack, Jaeyeon Jung, Stuart Schechter, and Xiao Wang, HotOS 2010
• I'm Allowing What? Disclosing the authority applications demand of users as a condition of installation, Jennifer Tam, Robert W. Reeder, and Stuart Schechter, no. MSR-TR-2010-54
• Can I Borrow Your Phone? Understanding Concerns When Sharing Mobile Phones, Amy K. Karlson, A.J. Bernheim Brush, and Stuart Schechter, CHI 2009

Functional Testing

• Hermes: A Tool for Testing Mobile Device Applications. She, S.; Sivapalan, S.; Warren, I.. ASWEC 2009.

Development

• Exploring the Development of Micro-Apps: A Case Study on the BlackBerry and Android Platforms. Mark D. Syer, Bram Adams, Ying Zou and Ahmed E. Hassan. SCAM 2011.