ABSTRACT
A good graphical user interface (GUI) is crucial for an application's usability, so vendors and regulatory agencies increasingly place restrictions on how GUI elements should appear to and interact with users. Motivated by this concern, this paper presents a new technique (based on static analysis) for checking conformance between (Android) applications and GUI policies expressed in a formal specification language. In particular, this paper (1) describes a specification language for formalizing GUI policies, (2) proposes a new program abstraction called an _event-driven layout forest_, and (3) describes a static analysis for constructing this abstraction and checking it against a GUI policy. We have implemented the proposed approach in a tool called Venus, and we evaluate it on 2361 Android applications and 17 policies. Our evaluation shows that Venus can uncover malicious applications that perform ad fraud and identify violations of GUI design guidelines and GDPR laws.