Checking conformance of applications against GUI policies

Authors:
Zhen Zhang

University of Washington, USA

University of Washington, USA
View Profile

,
Yu Feng

University of California at Santa Barbara, USA

University of California at Santa Barbara, USA
View Profile

,
Michael D. Ernst

University of Washington, USA

University of Washington, USA
View Profile

,
Sebastian Porst

Google, USA

Google, USA
View Profile

,
Isil Dillig

University of Texas at Austin, USA

University of Texas at Austin, USA
View Profile

ESEC/FSE 2021: Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software EngineeringAugust 2021Pages 95–106https://doi.org/10.1145/3468264.3468561

Published:18 August 2021Publication History

ESEC/FSE 2021: Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering

Pages 95–106

ABSTRACT

A good graphical user interface (GUI) is crucial for an application's usability, so vendors and regulatory agencies increasingly place restrictions on how GUI elements should appear to and interact with users. Motivated by this concern, this paper presents a new technique (based on static analysis) for checking conformance between (Android) applications and GUI policies expressed in a formal specification language. In particular, this paper (1) describes a specification language for formalizing GUI policies, (2) proposes a new program abstraction called an _event-driven layout forest_, and (3) describes a static analysis for constructing this abstraction and checking it against a GUI policy. We have implemented the proposed approach in a tool called Venus, and we evaluate it on 2361 Android applications and 17 policies. Our evaluation shows that Venus can uncover malicious applications that perform ad fraud and identify violations of GUI design guidelines and GDPR laws.

References

Alibaba. 2020. Alibaba UC Market Ads Guide. http://aliapp.open.uc.cn/wiki/?p=140 [Online; accessed 13-Mar-2020].Google Scholar
Apple. 2020. iOS Design. https://developer.apple.com/design/tips [Online; accessed 13-Mar-2020].Google Scholar
Daniel Arp, Michael Spreitzenbarth, Malte Hubner, Hugo Gascon, Konrad Rieck, and CERT Siemens. 2014. Drebin: Effective and explainable detection of android malware in your pocket.. In Ndss. 14, 23–26. https://doi.org/10.14722/ndss.2014.23247 Google ScholarCross Ref
Steven Arzt, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, and Patrick McDaniel. 2014. FlowDroid: Precise Context, Flow, Field, Object-Sensitive and Lifecycle-Aware Taint Analysis for Android Apps. In Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’14). Association for Computing Machinery, New York, NY, USA. 259–269. isbn:9781450327848 https://doi.org/10.1145/2594291.2594299 Google ScholarDigital Library
Kai Chen, Peng Wang, Yeonjoon Lee, XiaoFeng Wang, Nan Zhang, Heqing Huang, Wei Zou, and Peng Liu. 2015. Finding Unknown Malice in 10 Seconds: Mass Vetting for New Threats at the Google-Play Scale. In Proceedings of the 24th USENIX Conference on Security Symposium (SEC’15). USENIX Association, USA. 659–674. isbn:9781931971232Google ScholarDigital Library
Kevin Zhijie Chen, Noah M Johnson, Vijay D’Silva, Shuaifu Dai, Kyle MacNamara, Thomas R Magrino, Edward XueJun Wu, Martin Rinard, and Dawn Xiaodong Song. 2013. Contextual policy enforcement in android applications with permission event graphs.. In NDSS. 234.Google Scholar
Patrick Cousot and Radhia Cousot. 1977. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Proceedings of the 4th ACM SIGACT-SIGPLAN symposium on Principles of programming languages. 238–252. https://doi.org/10.1145/512950.512973 Google ScholarDigital Library
Feng Dong, Haoyu Wang, Li Li, Yao Guo, Tegawendé F. Bissyandé, Tianming Liu, Guoai Xu, and Jacques Klein. 2018. FraudDroid: Automated Ad Fraud Detection for Android Apps. In Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE 2018). Association for Computing Machinery, New York, NY, USA. 257–268. isbn:9781450355735 https://doi.org/10.1145/3236024.3236045 Google ScholarDigital Library
EU. 2020. Art. 7 GDPR – Conditions for consent. https://gdpr-info.eu/art-7-gdpr/ [Online; accessed 4-Apr-2020].Google Scholar
EU. 2020. Article 5: Principles relating to processing of personal data. https://www.privacy-regulation.eu/en/article-5-principles-relating-to-processing-of-personal-data-GDPR.htm [Online; accessed 13-Mar-2020].Google Scholar
Yu Feng, Saswat Anand, Isil Dillig, and Alex Aiken. 2014. Apposcopy: Semantics-Based Detection of Android Malware through Static Analysis. In Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE 2014). Association for Computing Machinery, New York, NY, USA. 576–587. isbn:9781450330565 https://doi.org/10.1145/2635868.2635869 Google ScholarDigital Library
Yu Feng, Osbert Bastani, Ruben Martins, Isil Dillig, and Saswat Anand. 2017. Automatically learning android malware signatures from few samples. In Proceedings of the 2017 Annual Network and Distributed System Security Symposium (NDSS)(San Diego, California, USA.Google Scholar
Google. 2018. Android Security & Privacy 2018 Year In Review. https://source.android.com/security/reports/Google_Android_Security_2018_Report_Final.pdf [Online; accessed 13-Mar-2020].Google Scholar
Google. 2020. AdMob policies and restrictions. https://support.google.com/admob/answer/6128543?hl=en&ref_topic=2745287&visit_id=637149126866279343-1579955165&rd=1 [Online; accessed 13-Mar-2020].Google Scholar
Google. 2020. Android Developer - Design. https://developer.android.com/design [Online; accessed 13-Mar-2020].Google Scholar
Google. 2020. Disallowed interstitial implementations. https://support.google.com/admob/answer/6201362?hl=en [Online; accessed 13-Mar-2020].Google Scholar
Google. 2020. Guidelines for programmatic native ads using app code. https://support.google.com/admanager/answer/7031536?hl=en [Online; accessed 4-Apr-2020].Google Scholar
Google. 2020. Material Design. https://material.io/ [Online; accessed 13-Mar-2020].Google Scholar
Google. 2020. Play Store Ads Guide. https://play.google.com/intl/en-GB_ALL/about/monetization-ads/ads/ [Online; accessed 13-Mar-2020].Google Scholar
Google. 2020. Requesting Consent from European Users. https://developers.google.com/admob/android/eu-consent [Online; accessed 13-Mar-2020].Google Scholar
Google. 2020. The type system. https://material.io/design/typography/the-type-system.html [Online; accessed 4-Apr-2020].Google Scholar
Michael I Gordon, Deokhwan Kim, Jeff H Perkins, Limei Gilham, Nguyen Nguyen, and Martin C Rinard. 2015. Information flow analysis of android applications in droidsafe. In NDSS. 15, 110. https://doi.org/10.14722/ndss.2015.23089 Google ScholarCross Ref
Neville Grech and Yannis Smaragdakis. 2017. P/Taint: Unified Points-to and Taint Analysis. Proc. ACM Program. Lang., 1, OOPSLA (2017), Article 102, Oct., 28 pages. https://doi.org/10.1145/3133926 Google ScholarDigital Library
Peter J Huber. 1972. The 1972 wald lecture robust statistics: A review. The Annals of Mathematical Statistics, 43, 4 (1972), 1041–1067.Google ScholarCross Ref
Konstantin Kuznetsov, Vitalii Avdiienko, Alessandra Gorla, and Andreas Zeller. 2018. Analyzing the User Interface of Android Apps. In Proceedings of the 5th International Conference on Mobile Software Engineering and Systems (MOBILESoft ’18). Association for Computing Machinery, New York, NY, USA. 84–87. isbn:9781450357128 https://doi.org/10.1145/3197231.3197232 Google ScholarDigital Library
Sungho Lee, Julian Dolby, and Sukyoung Ryu. 2016. HybriDroid: Static Analysis Framework for Android Hybrid Applications. In Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering (ASE 2016). Association for Computing Machinery, New York, NY, USA. 250–261. isbn:9781450338455 https://doi.org/10.1145/2970276.2970368 Google ScholarDigital Library
Ondřej Lhoták and Laurie Hendren. 2003. Scaling Java points-to analysis using S park. In International Conference on Compiler Construction. 153–169.Google ScholarCross Ref
Li Li, Alexandre Bartel, Tegawendé F Bissyandé, Jacques Klein, Yves Le Traon, Steven Arzt, Siegfried Rasthofer, Eric Bodden, Damien Octeau, and Patrick McDaniel. 2015. Iccta: Detecting inter-component privacy leaks in android apps. In 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering. 1, 280–291. https://doi.org/10.1109/ICSE.2015.48 Google ScholarCross Ref
Chafik Meniar, Florence Opalvens, and Sylvain Hallé. 2017. Runtime Verification of User Interface Guidelines in Mobile Devices. In International Conference on Runtime Verification. 410–415. https://doi.org/10.1007/978-3-319-67531-2_27 Google ScholarCross Ref
Ali Mesbah and Shabnam Mirshokraie. 2012. Automated analysis of CSS rules to support style maintenance. In 2012 34th International Conference on Software Engineering (ICSE). 408–418. https://doi.org/10.1109/ICSE.2012.6227174 Google ScholarCross Ref
Ramon E Moore. 1966. Interval analysis. 4, Prentice-Hall Englewood Cliffs.Google Scholar
Kevin Moran, Boyang Li, Carlos Bernal-Cárdenas, Dan Jelf, and Denys Poshyvanyk. 2018. Automated Reporting of GUI Design Violations for Mobile Apps. In Proceedings of the 40th International Conference on Software Engineering (ICSE ’18). Association for Computing Machinery, New York, NY, USA. 165–175. isbn:9781450356381 https://doi.org/10.1145/3180155.3180246 Google ScholarDigital Library
Tuan Anh Nguyen and Christoph Csallner. 2015. Reverse Engineering Mobile Application User Interfaces with REMAUI. In Proceedings of the 30th IEEE/ACM International Conference on Automated Software Engineering (ASE ’15). IEEE Press, 248–259. isbn:9781509000241 https://doi.org/10.1109/ASE.2015.32 Google ScholarDigital Library
Damien Octeau, Daniel Luchaup, Matthew Dering, Somesh Jha, and Patrick McDaniel. 2015. Composite constant propagation: Application to android inter-component communication analysis. In 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering. 1, 77–88. https://doi.org/10.1109/ICSE.2015.30 Google ScholarCross Ref
Rohan Padhye and Uday P. Khedker. 2013. Interprocedural Data Flow Analysis in Soot Using Value Contexts. In Proceedings of the 2nd ACM SIGPLAN International Workshop on State Of the Art in Java Program Analysis (SOAP ’13). Association for Computing Machinery, New York, NY, USA. 31–36. isbn:9781450322010 https://doi.org/10.1145/2487568.2487569 Google ScholarDigital Library
Pavel Panchekha, Adam Timothy Geller, Shoaib Kamil, Michael Ernst, Zachary Tatlock, and Emina Torlak. 2020. The Cassius Framework. https://cassius.uwplse.org/ [Online; accessed 13-Mar-2020].Google Scholar
Pavel Panchekha and Emina Torlak. 2016. Automated Reasoning for Web Page Layout. In Proceedings of the 2016 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA 2016). Association for Computing Machinery, New York, NY, USA. 181–194. isbn:9781450344449 https://doi.org/10.1145/2983990.2984010 Google ScholarDigital Library
Raghavendra Satish Peri. 2021. 18 Free Mobile Accessibility Testing Tools. https://www.digitala11y.com/free-mobile-accessibility-testing-tools/ [Online; accessed 13-Feb-2021].Google Scholar
PRESTO. 2017. GATOR: Program Analysis Toolkit For \Android\. 12 pages. http://web.cse.ohio-state.edu/presto/software/gator/Google Scholar
Atanas Rountev and Dacong Yan. 2014. Static Reference Analysis for GUI Objects in Android Software. In Proceedings of Annual IEEE/ACM International Symposium on Code Generation and Optimization (CGO ’14). Association for Computing Machinery, New York, NY, USA. 143–153. isbn:9781450326704 https://doi.org/10.1145/2581122.2544159 Google ScholarDigital Library
Soufflé Developers. 2020. Soufflé - Datalog. https://souffle-lang.github.io/datalog [Online; accessed 13-Mar-2020].Google Scholar
Raja Vallée-Rai, Phong Co, Etienne Gagnon, Laurie Hendren, Patrick Lam, and Vijay Sundaresan. 2010. Soot: A Java bytecode optimization framework. In CASCON First Decade High Impact Papers. 214–224.Google ScholarDigital Library
VirusTotal. 2020. VirusTotal. https://www.virustotal.com/ [Online; accessed 13-Mar-2020].Google Scholar
W3C. 2021. Web Accessibility Evaluation Tools List. https://www.w3.org/WAI/ER/tools/ [Online; accessed 13-Feb-2021].Google Scholar
Guangliang Yang and Jeff Huang. 2018. Automated generation of event-oriented exploits in android hybrid apps. In Proc. of the Network and Distributed System Security Symposium (NDSS’18). https://doi.org/10.14722/ndss.2018.23241 Google ScholarCross Ref
Shengqian Yang, Haowei Wu, Hailong Zhang, Yan Wang, Chandrasekar Swaminathan, Dacong Yan, and Atanas Rountev. 2018. Static window transition graphs for Android. Automated Software Engineering, 25, 4 (2018), 833–873. https://doi.org/10.1109/ASE.2015.76 Google ScholarDigital Library
Yifei Zhang, Yulei Sui, and Jingling Xue. 2018. Launch-Mode-Aware Context-Sensitive Activity Transition Analysis. In Proceedings of the 40th International Conference on Software Engineering (ICSE ’18). Association for Computing Machinery, New York, NY, USA. 598–608. isbn:9781450356381 https://doi.org/10.1145/3180155.3180188 Google ScholarDigital Library

Index Terms

Checking conformance of applications against GUI policies
1. Security and privacy
  1. Human and societal aspects of security and privacy
  2. Software and application security
    1. Software security engineering
2. Software and its engineering
  1. Software creation and management
    1. Software verification and validation

Recommendations

FraudDroid: automated ad fraud detection for Android apps
ESEC/FSE 2018: Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering

Although mobile ad frauds have been widespread, state-of-the-art approaches in the literature have mainly focused on detecting the so-called static placement frauds, where only a single UI state is involved and can be identified based on static ...
Read More
How do Mobile Apps Violate the Behavioral Policy of Advertisement Libraries?
HotMobile '18: Proceedings of the 19th International Workshop on Mobile Computing Systems & Applications

Advertisement libraries are used in almost two-thirds of apps in Google Play. To increase economic revenue, some app developers tend to entice mobile users to unexpectedly click ad views during their interaction with the app, resulting in kinds of ad ...
Read More
Insights into layout patterns of mobile user interfaces by an automatic analysis of android apps
EICS '13: Proceedings of the 5th ACM SIGCHI symposium on Engineering interactive computing systems

Mobile phones recently evolved into smartphones that provide a wide range of services. One aspect that differentiates smartphones from their predecessor is the app model. Users can easily install third party applications from central mobile application ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
ESEC/FSE 2021: Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering
August 2021
1690 pages
ISBN:9781450385626
DOI:10.1145/3468264
General Chairs:
Diomidis Spinellis
Athens University of Economics and Business, Greece
,
Georgios Gousios
Facebook, Netherlands / Delft University of Technology, Netherlands
,
Program Chairs:
Marsha Chechik
University of Toronto, Canada
,
Massimiliano Di Penta
University of Sannio, Italy
Copyright © 2021 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 18 August 2021
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Android
ad fraud
mobile app
static analysis
user interface
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate112of543submissions,21%
Upcoming Conference
FSE '24

Sponsor:

sigsoft

32nd ACM International Conference on the Foundations of Software Engineering

July 15 - 19, 2024

Ipojuca (Pernambuco) , Brazil
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 1
  Total Citations
  View Citations
- 284
  Total Downloads
- Downloads (Last 12 months)93
- Downloads (Last 6 weeks)17
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Checking conformance of applications against GUI policies

ESEC/FSE 2021: Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering

ABSTRACT

References

Cited By

Index Terms

Recommendations

FraudDroid: automated ad fraud detection for Android apps

How do Mobile Apps Violate the Behavioral Policy of Advertisement Libraries?

Insights into layout patterns of mobile user interfaces by an automatic analysis of android apps