DOI: 10.1145/3386901.3388916
Research article

Vulcan: lessons on reliability of wearables through state-aware fuzzing

Published: 15 June 2020

Abstract

As we look to use Wear OS (formerly known as Android Wear) devices for fitness and health monitoring, it is important to evaluate the reliability of the Wear OS ecosystem. The goal of this paper is to understand the reliability weak spots in the Wear OS ecosystem. We develop Vulcan, a state-aware fuzzing tool that runs without any elevated privileges, to uncover these weak spots by fuzzing Wear OS apps. We evaluate the outcomes due to these weak spots by fuzzing 100 popular apps downloaded from the Google Play Store. The outcomes include causing specific apps to crash, causing the running app to become unresponsive, and causing the device to reboot. We finally propose a proof-of-concept mitigation solution to address the system reboot issue.


Published In

MobiSys '20: Proceedings of the 18th International Conference on Mobile Systems, Applications, and Services
June 2020
496 pages
ISBN:9781450379540
DOI:10.1145/3386901

Publisher

Association for Computing Machinery

New York, NY, United States

Acceptance Rates

Overall Acceptance Rate 274 of 1,679 submissions, 16%
