MAD-API: Detection, Correction and Explanation of API Misuses in Distributed Android Applications

  • Conference paper
Artificial Intelligence and Mobile Services – AIMS 2018 (AIMS 2018)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 10970)

Abstract

The Android API evolves continuously through API updates, deletions, additions and changes. Unfortunately, we find that distributed Android applications (apps) often fail to keep pace with this evolution. Specifically, the apps usually involve APIs that are out of date, which potentially cause the apps or the Android system to behave abnormally, leak sensitive information or crash. We call this issue, which makes Android phones unreliable, API misuse. To investigate the universality of this issue and detect defective apps in the wild, we propose an automated framework, MAD-API, that consists of a detection method that identifies API misuses in apps and a recommendation method that traces the latest API status and corrects the misuses. We implement MAD-API based on 13 Android versions and evaluate it with the top 10,000 Android apps. According to the evaluation, 93.13% of the evaluated apps suffer from API misuse problems, and the total number of API misuses is 1,241,831. In addition, apps of larger size have more API misuses. Worst of all, some APIs are misused all the time. The results indicate that (1) the API misuse issue widely exists in distributed apps, (2) MAD-API is able to detect API misuses in Android apps effectively, and (3) MAD-API also helps developers trace the defective APIs in their distributed apps conveniently and correct them immediately.

Acknowledgments

This work was partly supported by NSFC No. 61772507, No. 2017YFB0801902 and 2017YFB1002301.

Corresponding author

Correspondence to Yanjun Wu.

Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

About this paper

Cite this paper

Luo, T., Wu, J., Yang, M., Zhao, S., Wu, Y., Wang, Y. (2018). MAD-API: Detection, Correction and Explanation of API Misuses in Distributed Android Applications. In: Aiello, M., Yang, Y., Zou, Y., Zhang, LJ. (eds) Artificial Intelligence and Mobile Services – AIMS 2018. AIMS 2018. Lecture Notes in Computer Science, vol 10970. Springer, Cham. https://doi.org/10.1007/978-3-319-94361-9_10

  • DOI: https://doi.org/10.1007/978-3-319-94361-9_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-94360-2

  • Online ISBN: 978-3-319-94361-9

  • eBook Packages: Computer Science, Computer Science (R0)
