SlideShare a Scribd company logo

ICSE 2019 - PIVOT: Learning API-Device Correlations to Facilitate Android Compatibility Issue Detection

Lili Wei
Lili Wei

This is the slides for the talk of ICSE 2019 paper "PIVOT: Learning API-Device Correlations to Facilitate Android Compatibility Issue Detection". A link to the paper is available at: http://sccpu2.cse.ust.hk/liliwei/ICSE-main-350-CR.pdf

Mobile
1 of 29
Download to read offline
PIVOT: Learning API-Device Correlations to Facilitate Android Compatibility Issue Detection Lili Wei1 Yepang Liu2 Shing-Chi Cheung1 1Hong Kong University of Science and Technology, Hong Kong, China 2Southern University of Science and Technology, Shenzhen, China May 31st, 2019
Many Device Manufacturers Build Devices Based on Android 2
Android Ecosystem is Heavily Fragmented ➤ Over 24,000 distinct Android device models 3
4 Source: https://vine.co/v/MgWLMmmwUQQ Fragmentation-Induced Compatibility Issues (Compatibility Issues) Compatibility issues are commonly caused by inconsistent behaviour of the same API across different device models [Wei et al. ASE 2016][Wei et al. TSE 2019] An App Can Behave Inconsistently on Different Devices
Identifying Compatibility Issues is Challenging ➤ Limited documentation available for customized systems and devices ➤ App developers mainly identify compatibility issues through testing on different device models 5Source: https://techcrunch.com/2012/06/02/android-qa-testing-quality-assurance/
Identifying Compatibility Issues is Challenging ➤ The search space for compatibility issue testing is combinatorially large 6 Provide remote access to real Android devices 200+ distinct Android device models Amazon Device Farm An Android App [Lu et al. CCS 2012] 50+ entry methods on average The search space is also evolving! 50 × 200 = 10,000 combinations!
!7 “… mostly because of this issue I am focusing more on iOS devices, where fragmentation is minimal.”
Existing Work ➤ Differential Testing [Fazzini et al. ASE 2017][Ki et al. ICSE 2019] ➤ Focus more on test oracle problem but not reducing the search space ➤ Test device prioritization [Khalid et al. FSE 2014][Lu et al. ICSE 2016] ➤ Not effective in reducing the search space since they did not relate device models with compatibility issues ➤ FicFinder [Wei et al. ASE 2016][Wei et al. TSE 2019] ➤ Detect compatibility issues via static analysis ➤ Rely on manually-extracted knowledge of compatibility issues 8 Our goal: Automatically learn knowledge of compatibility issues to facilitate compatibility issue detection
Knowledge of Compatibility Issues Can Be Learned From Mature Apps ➤ Mature Android apps contain code snippets handling compatibility issues ➤ Such code snippets demonstrate common patterns 9 Camera.setRecordingHint Can we automatically extract knowledge of compatibility issues from such issue-handling code snippets? “Nexus 4”
API-Device Correlation & Its Application Scenario ➤ PIVOT: API-DeVice cOrrelaTor ➤ Learn knowledge of compatibility issues from mature Android apps in the form of API-device correlations 10 <Android API, Device Identifier> <Activity.openOptionsMenu(), “LGE”> Identify potential locations of compatibility issues in apps Test on potential issue- triggering devices
Illustrative Example ➤ Apps can crash when pressing options menu hardware button on LG devices 11
Illustrative Example ➤ Apps can crash when pressing options menu hardware button on LG devices 12 A code snippet handling the compatibility issue API Device Identifier ?
Correlating APIs and Device Identifiers 13 Device condition: A conditional statement that uses android.os.Build <Activity.openOptionsMenu(), “LGE”> <Log.i(String, String), “LGE”> <Activity.getCurrentFocus(), “LGE”> Invalid API-device correlations: Irrelevant to compatibility issues
Invalid API-Device Correlations Are Massive ➤ In our evaluation, 97% of our randomly sampled API-device correlations are invalid 14 97% 3% Valid Invalid How to identify valid API-device correlations and filter out such massive noises?
Mining API Preconditions & Learning API-Device Correlations 15 ? Can we apply existing API precondition mining techniques to identify valid API-device correlations? Yes! No! API usages in large app corpora can help Existing API precondition mining techniques cannot be directly applied
Mining API Preconditions & Learning API-Device Correlations 16 No! Existing API precondition mining techniques cannot be directly applied Assume that the APIs are mostly guarded by correct API preconditions across different projects This assumption does not hold for API-device correlations! Compatibility issues are commonly left unhandled in practice due to the large and evolving search space In our evaluation: An existing API precondition mining technique identified ONLY ONE valid API-device correlation among the top 50 in its ranked list
Observation: Similar Assumptions Can Hold Within the Same App ➤ Within the same app ➤ APIs related to the same compatibility issues are often guarded by the same device conditions ➤ APIs irrelevant to compatibility issues can be invoked at other places without device conditions 17 <Activity.openOptionsMenu(), “LGE”> <Log.i(String, String), “LGE”> <Activity.getCurrentFocus, “LGE”> <Log.i(String, String), “LGE”>
In-App Confidence ➤ Confidence for an API-device correlation within an app 18 # callsites of the API that are guarded by the device condition Total # callsites of the API Input Apps In-App Confidence In-App Confidence In-App Confidence In-App Confidence In-App Confidence + + + + In-App Confidence for an API-device correlation
Libraries & Cloned Methods Can Mess Up the Results ➤ Libraries and cloned methods are common among android apps ➤ Invalid API-device correlations can be cloned in different apps ➤ Difficult to distinguish valid and invalid API-device correlations recurring in libraries and cloned methods 19 In a method cloned from VLC (a famous open-source app) ➤ Recurred in cloned methods in many different apps ➤ Is rarely used at other places ➤ High in-app confidence <Activity.openOptionsMenu(), “LGE”> <Log.i(String, String), “LGE”> <Activity.getCurrentFocus, “LGE”><Activity.getCurrentFocus, “LGE”>
Occurrence Diversity ➤ Occurrence Diversity: Quantify the diversity of the occurrences of each API- device correlation ➤ App-level diversity ➤ App identifier ➤ App company ➤ Method-level diversity ➤ Method package name ➤ Control-flow information: Centroid [Chen et al. ICSE’14] ➤ Metric: Shannon-Index ➤ A diversity measurement commonly leveraged in ecology to measure the diversity of species 20
PIVOT - Summary 21 API-device correlation Extractor API-device correlation Prioritizer 1. ———— 2. ———— 3. ———— Input App Corpus In-app confidence ✕ occurrence diversityInter-procedural static analysis Ranked API-device correlations
Experiment Setup ➤ Evaluation subjects ➤ Top apps in each app category on Google Play (collected in 2017 & 2018) ➤ Each app corpus contains millions of classes & methods 22
Evaluation 23 ➤ RQ1 (Effectiveness) Can PIVOT effectively identify valid API-device correlations from large-scale Android app corpora? ➤ Baseline: Adapted from a state-of-the-art API precondition mining technique [Ngyen et al. FSE’ 14] ➤ Rank the API-device correlations based on overall confidence ➤ Evaluation Metric: Precision@N ➤ The percentage of valid correlations among the top N (1, 5, 10. . . ) correlations in each ranked list. ➤ Ground Truth: manually-constructed ground truth ➤ An API-device correlation is considered as a true positive if it either can cause compatibility issues or can be used to fix compatibility issues
RQ1 - Effectiveness 24
RQ1 - Effectiveness ➤ Among the top 50 API-device correlations of the two corpora ➤ 49 distinct valid API-device correlations ➤ 39 of them are not related to any compatibility issues in FicFinder’s empirical study dataset published in 2016 [Wei et al. ASE 2016] 25
Evaluation ➤ RQ2 (Usefulness) Can the API-device correlations learned by PIVOT be applied to facilitate compatibility issue detection? ➤ Case study with FicFinder ➤ Manually encode valid API-device correlations of 5 issues learned by PIVOT to the format of the input of FicFinder ➤ Leverage FicFinder to detect compatibility issues in the latest version of open-source Android apps ➤ Reproduce the detected compatibility issues using online device platforms (Amazon Device Farm, WeTest) ➤ Report the detected issues their original app developers !26
RQ2 - Usefulness ➤ We detected 10 previously-unknown issues in 10 open-source apps ➤ 7 of the issues have been acknowledged ➤ 4 of the issues have been fixed ➤ All of these issues cannot be detected by FicFinder 2016 version !27 Knowledge learned by PIVOT can be leveraged to facilitate compatibility issue detecion Demo Issues
Conclusion ➤ Fragmentation-induced compatibility issues ➤ Big headache for app developers ➤ Difficult to identify: The search space is large and evolving ➤ PIVOT ➤ Effectively identify API-device correlations by learning from code snippets handling compatibility issues in mature Android apps ➤ Identified API-device correlations can be used to detect potential compatibility issues in Android apps ➤ All the valid API-device correlations and their corresponding compatibility issues identified by PIVOT have been released on GitHub 28
Thank you! More interesting details (including limitations and future work) are in our paper! Our paper, tool, and identified issues are available on our project homepage https://ficissuepivot.github.io/Pivot/ Scan Me! 29

Recommended

ASE 2016 Taming Android Fragmentation: Characterizing and Detecting Compatibi...
ASE 2016 Taming Android Fragmentation: Characterizing and Detecting Compatibi...ASE 2016 Taming Android Fragmentation: Characterizing and Detecting Compatibi...
ASE 2016 Taming Android Fragmentation: Characterizing and Detecting Compatibi...Lili Wei
 
Checklist for andriod app testing.
Checklist for andriod app testing.Checklist for andriod app testing.
Checklist for andriod app testing.TestOrigen Software Services Pvt. Ltd.
 
IDENTIFICATION OF PROMOTED ECLIPSE UNSTABLE INTERFACES USING CLONE DETECTION ...
IDENTIFICATION OF PROMOTED ECLIPSE UNSTABLE INTERFACES USING CLONE DETECTION ...IDENTIFICATION OF PROMOTED ECLIPSE UNSTABLE INTERFACES USING CLONE DETECTION ...
IDENTIFICATION OF PROMOTED ECLIPSE UNSTABLE INTERFACES USING CLONE DETECTION ...ijseajournal
 
IDENTIFICATION OF PROMOTED ECLIPSE UNSTABLE INTERFACES USING CLONE DETECTION ...
IDENTIFICATION OF PROMOTED ECLIPSE UNSTABLE INTERFACES USING CLONE DETECTION ...IDENTIFICATION OF PROMOTED ECLIPSE UNSTABLE INTERFACES USING CLONE DETECTION ...
IDENTIFICATION OF PROMOTED ECLIPSE UNSTABLE INTERFACES USING CLONE DETECTION ...ijseajournal
 
Benchpress: Analyzing Android App Vulnerability Benchmark Suites
Benchpress: Analyzing Android App Vulnerability Benchmark SuitesBenchpress: Analyzing Android App Vulnerability Benchmark Suites
Benchpress: Analyzing Android App Vulnerability Benchmark SuitesVenkatesh Prasad Ranganath
 
On the Link Between Mobile App Quality and User Reviews
On the Link Between Mobile App Quality and User ReviewsOn the Link Between Mobile App Quality and User Reviews
On the Link Between Mobile App Quality and User ReviewsSAIL_QU
 
What are the Characteristics of High-rated Apps
What are the Characteristics of High-rated AppsWhat are the Characteristics of High-rated Apps
What are the Characteristics of High-rated AppsSAIL_QU
 
Top 10 mobile app testing interview questions
Top 10 mobile app testing interview questionsTop 10 mobile app testing interview questions
Top 10 mobile app testing interview questionsRock Interview
 

Recommended

ASE 2016 Taming Android Fragmentation: Characterizing and Detecting Compatibi...
ASE 2016 Taming Android Fragmentation: Characterizing and Detecting Compatibi...ASE 2016 Taming Android Fragmentation: Characterizing and Detecting Compatibi...
ASE 2016 Taming Android Fragmentation: Characterizing and Detecting Compatibi...Lili Wei
 
Checklist for andriod app testing.
Checklist for andriod app testing.Checklist for andriod app testing.
Checklist for andriod app testing.TestOrigen Software Services Pvt. Ltd.
 
IDENTIFICATION OF PROMOTED ECLIPSE UNSTABLE INTERFACES USING CLONE DETECTION ...
IDENTIFICATION OF PROMOTED ECLIPSE UNSTABLE INTERFACES USING CLONE DETECTION ...IDENTIFICATION OF PROMOTED ECLIPSE UNSTABLE INTERFACES USING CLONE DETECTION ...
IDENTIFICATION OF PROMOTED ECLIPSE UNSTABLE INTERFACES USING CLONE DETECTION ...ijseajournal
 
IDENTIFICATION OF PROMOTED ECLIPSE UNSTABLE INTERFACES USING CLONE DETECTION ...
IDENTIFICATION OF PROMOTED ECLIPSE UNSTABLE INTERFACES USING CLONE DETECTION ...IDENTIFICATION OF PROMOTED ECLIPSE UNSTABLE INTERFACES USING CLONE DETECTION ...
IDENTIFICATION OF PROMOTED ECLIPSE UNSTABLE INTERFACES USING CLONE DETECTION ...ijseajournal
 
Benchpress: Analyzing Android App Vulnerability Benchmark Suites
Benchpress: Analyzing Android App Vulnerability Benchmark SuitesBenchpress: Analyzing Android App Vulnerability Benchmark Suites
Benchpress: Analyzing Android App Vulnerability Benchmark SuitesVenkatesh Prasad Ranganath
 
On the Link Between Mobile App Quality and User Reviews
On the Link Between Mobile App Quality and User ReviewsOn the Link Between Mobile App Quality and User Reviews
On the Link Between Mobile App Quality and User ReviewsSAIL_QU
 
What are the Characteristics of High-rated Apps
What are the Characteristics of High-rated AppsWhat are the Characteristics of High-rated Apps
What are the Characteristics of High-rated AppsSAIL_QU
 
Top 10 mobile app testing interview questions
Top 10 mobile app testing interview questionsTop 10 mobile app testing interview questions
Top 10 mobile app testing interview questionsRock Interview
 
Analyzing Reviews and Code of Mobile Apps for Better Release Planning
Analyzing Reviews and Code of Mobile Apps for Better Release PlanningAnalyzing Reviews and Code of Mobile Apps for Better Release Planning
Analyzing Reviews and Code of Mobile Apps for Better Release PlanningSebastiano Panichella
 
Are free Android app security analysis tools effective in detecting known vul...
Are free Android app security analysis tools effective in detecting known vul...Are free Android app security analysis tools effective in detecting known vul...
Are free Android app security analysis tools effective in detecting known vul...Venkatesh Prasad Ranganath
 
MDroid+: A Mutation Testing Framework for Android
MDroid+: A Mutation Testing Framework for AndroidMDroid+: A Mutation Testing Framework for Android
MDroid+: A Mutation Testing Framework for AndroidKevin Moran
 
On-Device Bug Reporting for Android Applications
On-Device Bug Reporting for Android ApplicationsOn-Device Bug Reporting for Android Applications
On-Device Bug Reporting for Android ApplicationsKevin Moran
 
100 effective software testing tools that boost your Testing
100 effective software testing tools that boost your Testing100 effective software testing tools that boost your Testing
100 effective software testing tools that boost your TestingBugRaptors
 
Studying online distribution platforms for games through the mining of data f...
Studying online distribution platforms for games through the mining of data f...Studying online distribution platforms for games through the mining of data f...
Studying online distribution platforms for games through the mining of data f...SAIL_QU
 
How do Developers Test Android Applications?
How do Developers Test Android Applications?How do Developers Test Android Applications?
How do Developers Test Android Applications?Kevin Moran
 
Mobile Apps Security Testing -3
Mobile Apps Security Testing -3Mobile Apps Security Testing -3
Mobile Apps Security Testing -3Krisshhna Daasaarii
 
Overcoming Test Automation Obstacles
Overcoming Test Automation ObstaclesOvercoming Test Automation Obstacles
Overcoming Test Automation ObstaclesPerfecto by Perforce
 
Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...
Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...
Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...IOSR Journals
 
Automated Mobile UI Testing Fragility: An Exploratory Assessment Study on And...
Automated Mobile UI Testing Fragility: An Exploratory Assessment Study on And...Automated Mobile UI Testing Fragility: An Exploratory Assessment Study on And...
Automated Mobile UI Testing Fragility: An Exploratory Assessment Study on And...Riccardo Coppola
 
expBSIT (1) (1)
expBSIT (1) (1)expBSIT (1) (1)
expBSIT (1) (1)Tilli Buchanan
 
Agile Mobile Testing Workshop
Agile Mobile Testing WorkshopAgile Mobile Testing Workshop
Agile Mobile Testing WorkshopNaresh Jain
 
Android automation tools
Android automation toolsAndroid automation tools
Android automation toolsSSGMCE SHEGAON
 
Continuous, Evolutionary and Large-Scale: A New Perspective for Automated Mob...
Continuous, Evolutionary and Large-Scale: A New Perspective for Automated Mob...Continuous, Evolutionary and Large-Scale: A New Perspective for Automated Mob...
Continuous, Evolutionary and Large-Scale: A New Perspective for Automated Mob...Kevin Moran
 
Discovering Flaws in Security-Focused Static Analysis Tools for Android using...
Discovering Flaws in Security-Focused Static Analysis Tools for Android using...Discovering Flaws in Security-Focused Static Analysis Tools for Android using...
Discovering Flaws in Security-Focused Static Analysis Tools for Android using...Kevin Moran
 
Regular use of static code analysis in team development
Regular use of static code analysis in team developmentRegular use of static code analysis in team development
Regular use of static code analysis in team developmentPVS-Studio
 
YuryMakedonov_TesTrek2013_AndroidTesting_12u_slides
YuryMakedonov_TesTrek2013_AndroidTesting_12u_slidesYuryMakedonov_TesTrek2013_AndroidTesting_12u_slides
YuryMakedonov_TesTrek2013_AndroidTesting_12u_slidesYury M
 
Introduction to Secure Coding Checker
Introduction to Secure Coding Checker Introduction to Secure Coding Checker
Introduction to Secure Coding Checker Yoshinori Iwano
 
Mobile App Development and Management: Results from a Qualitative Investigation
Mobile App Development and Management: Results from a Qualitative InvestigationMobile App Development and Management: Results from a Qualitative Investigation
Mobile App Development and Management: Results from a Qualitative InvestigationMobileSoft
 
5 Popular Test Automation Tools For React Native Apps.pdf
5 Popular Test Automation Tools For React Native Apps.pdf5 Popular Test Automation Tools For React Native Apps.pdf
5 Popular Test Automation Tools For React Native Apps.pdfflufftailshop
 
Automation Proposal_V1.0
Automation Proposal_V1.0Automation Proposal_V1.0
Automation Proposal_V1.0Dao Nhỏ
 

More Related Content

What's hot

Analyzing Reviews and Code of Mobile Apps for Better Release Planning
Analyzing Reviews and Code of Mobile Apps for Better Release PlanningAnalyzing Reviews and Code of Mobile Apps for Better Release Planning
Analyzing Reviews and Code of Mobile Apps for Better Release PlanningSebastiano Panichella
 
Are free Android app security analysis tools effective in detecting known vul...
Are free Android app security analysis tools effective in detecting known vul...Are free Android app security analysis tools effective in detecting known vul...
Are free Android app security analysis tools effective in detecting known vul...Venkatesh Prasad Ranganath
 
MDroid+: A Mutation Testing Framework for Android
MDroid+: A Mutation Testing Framework for AndroidMDroid+: A Mutation Testing Framework for Android
MDroid+: A Mutation Testing Framework for AndroidKevin Moran
 
On-Device Bug Reporting for Android Applications
On-Device Bug Reporting for Android ApplicationsOn-Device Bug Reporting for Android Applications
On-Device Bug Reporting for Android ApplicationsKevin Moran
 
100 effective software testing tools that boost your Testing
100 effective software testing tools that boost your Testing100 effective software testing tools that boost your Testing
100 effective software testing tools that boost your TestingBugRaptors
 
Studying online distribution platforms for games through the mining of data f...
Studying online distribution platforms for games through the mining of data f...Studying online distribution platforms for games through the mining of data f...
Studying online distribution platforms for games through the mining of data f...SAIL_QU
 
How do Developers Test Android Applications?
How do Developers Test Android Applications?How do Developers Test Android Applications?
How do Developers Test Android Applications?Kevin Moran
 
Overcoming Test Automation Obstacles
Overcoming Test Automation ObstaclesOvercoming Test Automation Obstacles
Overcoming Test Automation ObstaclesPerfecto by Perforce
 
Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...
Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...
Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...IOSR Journals
 
Automated Mobile UI Testing Fragility: An Exploratory Assessment Study on And...
Automated Mobile UI Testing Fragility: An Exploratory Assessment Study on And...Automated Mobile UI Testing Fragility: An Exploratory Assessment Study on And...
Automated Mobile UI Testing Fragility: An Exploratory Assessment Study on And...Riccardo Coppola
 
Agile Mobile Testing Workshop
Agile Mobile Testing WorkshopAgile Mobile Testing Workshop
Agile Mobile Testing WorkshopNaresh Jain
 
Android automation tools
Android automation toolsAndroid automation tools
Android automation toolsSSGMCE SHEGAON
 
Continuous, Evolutionary and Large-Scale: A New Perspective for Automated Mob...
Continuous, Evolutionary and Large-Scale: A New Perspective for Automated Mob...Continuous, Evolutionary and Large-Scale: A New Perspective for Automated Mob...
Continuous, Evolutionary and Large-Scale: A New Perspective for Automated Mob...Kevin Moran
 
Discovering Flaws in Security-Focused Static Analysis Tools for Android using...
Discovering Flaws in Security-Focused Static Analysis Tools for Android using...Discovering Flaws in Security-Focused Static Analysis Tools for Android using...
Discovering Flaws in Security-Focused Static Analysis Tools for Android using...Kevin Moran
 
Regular use of static code analysis in team development
Regular use of static code analysis in team developmentRegular use of static code analysis in team development
Regular use of static code analysis in team developmentPVS-Studio
 
YuryMakedonov_TesTrek2013_AndroidTesting_12u_slides
YuryMakedonov_TesTrek2013_AndroidTesting_12u_slidesYuryMakedonov_TesTrek2013_AndroidTesting_12u_slides
YuryMakedonov_TesTrek2013_AndroidTesting_12u_slidesYury M
 
Introduction to Secure Coding Checker
Introduction to Secure Coding Checker Introduction to Secure Coding Checker
Introduction to Secure Coding Checker Yoshinori Iwano
 
Mobile App Development and Management: Results from a Qualitative Investigation
Mobile App Development and Management: Results from a Qualitative InvestigationMobile App Development and Management: Results from a Qualitative Investigation
Mobile App Development and Management: Results from a Qualitative InvestigationMobileSoft
 

What's hot (20)

Analyzing Reviews and Code of Mobile Apps for Better Release Planning
Analyzing Reviews and Code of Mobile Apps for Better Release PlanningAnalyzing Reviews and Code of Mobile Apps for Better Release Planning
Analyzing Reviews and Code of Mobile Apps for Better Release Planning
 
Are free Android app security analysis tools effective in detecting known vul...
Are free Android app security analysis tools effective in detecting known vul...Are free Android app security analysis tools effective in detecting known vul...
Are free Android app security analysis tools effective in detecting known vul...
 
MDroid+: A Mutation Testing Framework for Android
MDroid+: A Mutation Testing Framework for AndroidMDroid+: A Mutation Testing Framework for Android
MDroid+: A Mutation Testing Framework for Android
 
On-Device Bug Reporting for Android Applications
On-Device Bug Reporting for Android ApplicationsOn-Device Bug Reporting for Android Applications
On-Device Bug Reporting for Android Applications
 
100 effective software testing tools that boost your Testing
100 effective software testing tools that boost your Testing100 effective software testing tools that boost your Testing
100 effective software testing tools that boost your Testing
 
Studying online distribution platforms for games through the mining of data f...
Studying online distribution platforms for games through the mining of data f...Studying online distribution platforms for games through the mining of data f...
Studying online distribution platforms for games through the mining of data f...
 
How do Developers Test Android Applications?
How do Developers Test Android Applications?How do Developers Test Android Applications?
How do Developers Test Android Applications?
 
Mobile Apps Security Testing -3
Mobile Apps Security Testing -3Mobile Apps Security Testing -3
Mobile Apps Security Testing -3
 
Overcoming Test Automation Obstacles
Overcoming Test Automation ObstaclesOvercoming Test Automation Obstacles
Overcoming Test Automation Obstacles
 
Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...
Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...
Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...
 
Automated Mobile UI Testing Fragility: An Exploratory Assessment Study on And...
Automated Mobile UI Testing Fragility: An Exploratory Assessment Study on And...Automated Mobile UI Testing Fragility: An Exploratory Assessment Study on And...
Automated Mobile UI Testing Fragility: An Exploratory Assessment Study on And...
 
expBSIT (1) (1)
expBSIT (1) (1)expBSIT (1) (1)
expBSIT (1) (1)
 
Agile Mobile Testing Workshop
Agile Mobile Testing WorkshopAgile Mobile Testing Workshop
Agile Mobile Testing Workshop
 
Android automation tools
Android automation toolsAndroid automation tools
Android automation tools
 
Continuous, Evolutionary and Large-Scale: A New Perspective for Automated Mob...
Continuous, Evolutionary and Large-Scale: A New Perspective for Automated Mob...Continuous, Evolutionary and Large-Scale: A New Perspective for Automated Mob...
Continuous, Evolutionary and Large-Scale: A New Perspective for Automated Mob...
 
Discovering Flaws in Security-Focused Static Analysis Tools for Android using...
Discovering Flaws in Security-Focused Static Analysis Tools for Android using...Discovering Flaws in Security-Focused Static Analysis Tools for Android using...
Discovering Flaws in Security-Focused Static Analysis Tools for Android using...
 
Regular use of static code analysis in team development
Regular use of static code analysis in team developmentRegular use of static code analysis in team development
Regular use of static code analysis in team development
 
YuryMakedonov_TesTrek2013_AndroidTesting_12u_slides
YuryMakedonov_TesTrek2013_AndroidTesting_12u_slidesYuryMakedonov_TesTrek2013_AndroidTesting_12u_slides
YuryMakedonov_TesTrek2013_AndroidTesting_12u_slides
 
Introduction to Secure Coding Checker
Introduction to Secure Coding Checker Introduction to Secure Coding Checker
Introduction to Secure Coding Checker
 
Mobile App Development and Management: Results from a Qualitative Investigation
Mobile App Development and Management: Results from a Qualitative InvestigationMobile App Development and Management: Results from a Qualitative Investigation
Mobile App Development and Management: Results from a Qualitative Investigation
 

Similar to ICSE 2019 - PIVOT: Learning API-Device Correlations to Facilitate Android Compatibility Issue Detection

5 Popular Test Automation Tools For React Native Apps.pdf
5 Popular Test Automation Tools For React Native Apps.pdf5 Popular Test Automation Tools For React Native Apps.pdf
5 Popular Test Automation Tools For React Native Apps.pdfflufftailshop
 
Automation Proposal_V1.0
Automation Proposal_V1.0Automation Proposal_V1.0
Automation Proposal_V1.0Dao Nhỏ
 
Android Interview Questions And Answers | Android Tutorial | Android Online T...
Android Interview Questions And Answers | Android Tutorial | Android Online T...Android Interview Questions And Answers | Android Tutorial | Android Online T...
Android Interview Questions And Answers | Android Tutorial | Android Online T...Edureka!
 
A hybrid crowd-powered.compressed
A hybrid crowd-powered.compressedA hybrid crowd-powered.compressed
A hybrid crowd-powered.compressedjoseph wanjekeche
 
2.Android App Development_ Types of Automated Unit Tests.pdf
2.Android App Development_ Types of Automated Unit Tests.pdf2.Android App Development_ Types of Automated Unit Tests.pdf
2.Android App Development_ Types of Automated Unit Tests.pdfBelayet Hossain
 
Experitest-Infosys Co-Webinar on Mobile Continuous Integration
Experitest-Infosys Co-Webinar on Mobile Continuous IntegrationExperitest-Infosys Co-Webinar on Mobile Continuous Integration
Experitest-Infosys Co-Webinar on Mobile Continuous IntegrationExperitest
 
COVERT app
COVERT appCOVERT app
COVERT appitba9
 
Software Security Assurance for Devops
Software Security Assurance for DevopsSoftware Security Assurance for Devops
Software Security Assurance for DevopsJerika Phelps
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOpsBlack Duck by Synopsys
 
iOS Test Automation Tools - Top Frameworks.pdf
iOS Test Automation Tools - Top Frameworks.pdfiOS Test Automation Tools - Top Frameworks.pdf
iOS Test Automation Tools - Top Frameworks.pdfAbhay Kumar
 
Android testing
Android testingAndroid testing
Android testingJinaTm
 
Testing Android Application, Droidcon Torino
Testing Android Application, Droidcon TorinoTesting Android Application, Droidcon Torino
Testing Android Application, Droidcon TorinoPietro Alberto Rossi
 
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black DuckSoftware Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black DuckBlack Duck by Synopsys
 
Learnings from Mobile Application Testing
Learnings from Mobile Application TestingLearnings from Mobile Application Testing
Learnings from Mobile Application TestingThoughtworks
 
API Testing Impact on Development Process.pdf
API Testing Impact on Development Process.pdfAPI Testing Impact on Development Process.pdf
API Testing Impact on Development Process.pdffleekitsolutions2
 
Launch High Performing Mobile Apps with Appurify
Launch High Performing Mobile Apps with AppurifyLaunch High Performing Mobile Apps with Appurify
Launch High Performing Mobile Apps with AppurifyManish Lachwani
 
The ultimate guide to mobile app testing with appium
The ultimate guide to mobile app testing with appiumThe ultimate guide to mobile app testing with appium
The ultimate guide to mobile app testing with appiumheadspin2
 

Similar to ICSE 2019 - PIVOT: Learning API-Device Correlations to Facilitate Android Compatibility Issue Detection (20)

5 Popular Test Automation Tools For React Native Apps.pdf
5 Popular Test Automation Tools For React Native Apps.pdf5 Popular Test Automation Tools For React Native Apps.pdf
5 Popular Test Automation Tools For React Native Apps.pdf
 
Automation Proposal_V1.0
Automation Proposal_V1.0Automation Proposal_V1.0
Automation Proposal_V1.0
 
Android Interview Questions And Answers | Android Tutorial | Android Online T...
Android Interview Questions And Answers | Android Tutorial | Android Online T...Android Interview Questions And Answers | Android Tutorial | Android Online T...
Android Interview Questions And Answers | Android Tutorial | Android Online T...
 
A hybrid crowd-powered.compressed
A hybrid crowd-powered.compressedA hybrid crowd-powered.compressed
A hybrid crowd-powered.compressed
 
2.Android App Development_ Types of Automated Unit Tests.pdf
2.Android App Development_ Types of Automated Unit Tests.pdf2.Android App Development_ Types of Automated Unit Tests.pdf
2.Android App Development_ Types of Automated Unit Tests.pdf
 
Test Automation for Mobile Applications
Test Automation for Mobile ApplicationsTest Automation for Mobile Applications
Test Automation for Mobile Applications
 
Experitest-Infosys Co-Webinar on Mobile Continuous Integration
Experitest-Infosys Co-Webinar on Mobile Continuous IntegrationExperitest-Infosys Co-Webinar on Mobile Continuous Integration
Experitest-Infosys Co-Webinar on Mobile Continuous Integration
 
Appium ppt
Appium pptAppium ppt
Appium ppt
 
[Binh nguyen] Mobile Application Automation Testing iOS and Android
[Binh nguyen] Mobile Application Automation Testing iOS and Android [Binh nguyen] Mobile Application Automation Testing iOS and Android
[Binh nguyen] Mobile Application Automation Testing iOS and Android
 
COVERT app
COVERT appCOVERT app
COVERT app
 
Software Security Assurance for Devops
Software Security Assurance for DevopsSoftware Security Assurance for Devops
Software Security Assurance for Devops
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOps
 
iOS Test Automation Tools - Top Frameworks.pdf
iOS Test Automation Tools - Top Frameworks.pdfiOS Test Automation Tools - Top Frameworks.pdf
iOS Test Automation Tools - Top Frameworks.pdf
 
Android testing
Android testingAndroid testing
Android testing
 
Testing Android Application, Droidcon Torino
Testing Android Application, Droidcon TorinoTesting Android Application, Droidcon Torino
Testing Android Application, Droidcon Torino
 
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black DuckSoftware Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
 
Learnings from Mobile Application Testing
Learnings from Mobile Application TestingLearnings from Mobile Application Testing
Learnings from Mobile Application Testing
 
API Testing Impact on Development Process.pdf
API Testing Impact on Development Process.pdfAPI Testing Impact on Development Process.pdf
API Testing Impact on Development Process.pdf
 
Launch High Performing Mobile Apps with Appurify
Launch High Performing Mobile Apps with AppurifyLaunch High Performing Mobile Apps with Appurify
Launch High Performing Mobile Apps with Appurify
 
The ultimate guide to mobile app testing with appium
The ultimate guide to mobile app testing with appiumThe ultimate guide to mobile app testing with appium
The ultimate guide to mobile app testing with appium
 

ICSE 2019 - PIVOT: Learning API-Device Correlations to Facilitate Android Compatibility Issue Detection

  • 1. PIVOT: Learning API-Device Correlations to Facilitate Android Compatibility Issue Detection Lili Wei1 Yepang Liu2 Shing-Chi Cheung1 1Hong Kong University of Science and Technology, Hong Kong, China 2Southern University of Science and Technology, Shenzhen, China May 31st, 2019
  • 2. Many Device Manufacturers Build Devices Based on Android 2
  • 3. Android Ecosystem is Heavily Fragmented ➤ Over 24,000 distinct Android device models 3
  • 4. 4 Source: https://vine.co/v/MgWLMmmwUQQ Fragmentation-Induced Compatibility Issues (Compatibility Issues) Compatibility issues are commonly caused by inconsistent behaviour of the same API across different device models [Wei et al. ASE 2016][Wei et al. TSE 2019] An App Can Behave Inconsistently on Different Devices
  • 5. Identifying Compatibility Issues is Challenging ➤ Limited documentation available for customized systems and devices ➤ App developers mainly identify compatibility issues through testing on different device models 5Source: https://techcrunch.com/2012/06/02/android-qa-testing-quality-assurance/
  • 6. Identifying Compatibility Issues is Challenging ➤ The search space for compatibility issue testing is combinatorially large 6 Provide remote access to real Android devices 200+ distinct Android device models Amazon Device Farm An Android App [Lu et al. CCS 2012] 50+ entry methods on average The search space is also evolving! 50 × 200 = 10,000 combinations!
  • 7. !7 “… mostly because of this issue I am focusing more on iOS devices, where fragmentation is minimal.”
  • 8. Existing Work ➤ Differential Testing [Fazzini et al. ASE 2017][Ki et al. ICSE 2019] ➤ Focus more on test oracle problem but not reducing the search space ➤ Test device prioritization [Khalid et al. FSE 2014][Lu et al. ICSE 2016] ➤ Not effective in reducing the search space since they did not relate device models with compatibility issues ➤ FicFinder [Wei et al. ASE 2016][Wei et al. TSE 2019] ➤ Detect compatibility issues via static analysis ➤ Rely on manually-extracted knowledge of compatibility issues 8 Our goal: Automatically learn knowledge of compatibility issues to facilitate compatibility issue detection
  • 9. Knowledge of Compatibility Issues Can Be Learned From Mature Apps ➤ Mature Android apps contain code snippets handling compatibility issues ➤ Such code snippets demonstrate common patterns 9 Camera.setRecordingHint Can we automatically extract knowledge of compatibility issues from such issue-handling code snippets? “Nexus 4”
  • 10. API-Device Correlation & Its Application Scenario ➤ PIVOT: API-DeVice cOrrelaTor ➤ Learn knowledge of compatibility issues from mature Android apps in the form of API-device correlations 10 <Android API, Device Identifier> <Activity.openOptionsMenu(), “LGE”> Identify potential locations of compatibility issues in apps Test on potential issue- triggering devices
  • 11. Illustrative Example ➤ Apps can crash when pressing options menu hardware button on LG devices 11
  • 12. Illustrative Example ➤ Apps can crash when pressing options menu hardware button on LG devices 12 A code snippet handling the compatibility issue API Device Identifier ?
  • 13. Correlating APIs and Device Identifiers 13 Device condition: A conditional statement that uses android.os.Build <Activity.openOptionsMenu(), “LGE”> <Log.i(String, String), “LGE”> <Activity.getCurrentFocus(), “LGE”> Invalid API-device correlations: Irrelevant to compatibility issues
  • 14. Invalid API-Device Correlations Are Massive ➤ In our evaluation, 97% of our randomly sampled API-device correlations are invalid 14 97% 3% Valid Invalid How to identify valid API-device correlations and filter out such massive noises?
  • 15. Mining API Preconditions & Learning API-Device Correlations 15 ? Can we apply existing API precondition mining techniques to identify valid API-device correlations? Yes! No! API usages in large app corpora can help Existing API precondition mining techniques cannot be directly applied
  • 16. Mining API Preconditions & Learning API-Device Correlations 16 No! Existing API precondition mining techniques cannot be directly applied Assume that the APIs are mostly guarded by correct API preconditions across different projects This assumption does not hold for API-device correlations! Compatibility issues are commonly left unhandled in practice due to the large and evolving search space In our evaluation: An existing API precondition mining technique identified ONLY ONE valid API-device correlation among the top 50 in its ranked list
  • 17. Observation: Similar Assumptions Can Hold Within the Same App ➤ Within the same app ➤ APIs related to the same compatibility issues are often guarded by the same device conditions ➤ APIs irrelevant to compatibility issues can be invoked at other places without device conditions 17 <Activity.openOptionsMenu(), “LGE”> <Log.i(String, String), “LGE”> <Activity.getCurrentFocus, “LGE”> <Log.i(String, String), “LGE”>
  • 18. In-App Confidence ➤ Confidence for an API-device correlation within an app 18 # callsites of the API that are guarded by the device condition Total # callsites of the API Input Apps In-App Confidence In-App Confidence In-App Confidence In-App Confidence In-App Confidence + + + + In-App Confidence for an API-device correlation
  • 19. Libraries & Cloned Methods Can Mess Up the Results ➤ Libraries and cloned methods are common among android apps ➤ Invalid API-device correlations can be cloned in different apps ➤ Difficult to distinguish valid and invalid API-device correlations recurring in libraries and cloned methods 19 In a method cloned from VLC (a famous open-source app) ➤ Recurred in cloned methods in many different apps ➤ Is rarely used at other places ➤ High in-app confidence <Activity.openOptionsMenu(), “LGE”> <Log.i(String, String), “LGE”> <Activity.getCurrentFocus, “LGE”><Activity.getCurrentFocus, “LGE”>
  • 20. Occurrence Diversity ➤ Occurrence Diversity: Quantify the diversity of the occurrences of each API- device correlation ➤ App-level diversity ➤ App identifier ➤ App company ➤ Method-level diversity ➤ Method package name ➤ Control-flow information: Centroid [Chen et al. ICSE’14] ➤ Metric: Shannon-Index ➤ A diversity measurement commonly leveraged in ecology to measure the diversity of species 20
  • 21. PIVOT - Summary 21 API-device correlation Extractor API-device correlation Prioritizer 1. ———— 2. ———— 3. ———— Input App Corpus In-app confidence ✕ occurrence diversityInter-procedural static analysis Ranked API-device correlations
  • 22. Experiment Setup ➤ Evaluation subjects ➤ Top apps in each app category on Google Play (collected in 2017 & 2018) ➤ Each app corpus contains millions of classes & methods 22
  • 23. Evaluation 23 ➤ RQ1 (Effectiveness) Can PIVOT effectively identify valid API-device correlations from large-scale Android app corpora? ➤ Baseline: Adapted from a state-of-the-art API precondition mining technique [Ngyen et al. FSE’ 14] ➤ Rank the API-device correlations based on overall confidence ➤ Evaluation Metric: Precision@N ➤ The percentage of valid correlations among the top N (1, 5, 10. . . ) correlations in each ranked list. ➤ Ground Truth: manually-constructed ground truth ➤ An API-device correlation is considered as a true positive if it either can cause compatibility issues or can be used to fix compatibility issues
  • 25. RQ1 - Effectiveness ➤ Among the top 50 API-device correlations of the two corpora ➤ 49 distinct valid API-device correlations ➤ 39 of them are not related to any compatibility issues in FicFinder’s empirical study dataset published in 2016 [Wei et al. ASE 2016] 25
  • 26. Evaluation ➤ RQ2 (Usefulness) Can the API-device correlations learned by PIVOT be applied to facilitate compatibility issue detection? ➤ Case study with FicFinder ➤ Manually encode valid API-device correlations of 5 issues learned by PIVOT to the format of the input of FicFinder ➤ Leverage FicFinder to detect compatibility issues in the latest version of open-source Android apps ➤ Reproduce the detected compatibility issues using online device platforms (Amazon Device Farm, WeTest) ➤ Report the detected issues their original app developers !26
  • 27. RQ2 - Usefulness ➤ We detected 10 previously-unknown issues in 10 open-source apps ➤ 7 of the issues have been acknowledged ➤ 4 of the issues have been fixed ➤ All of these issues cannot be detected by FicFinder 2016 version !27 Knowledge learned by PIVOT can be leveraged to facilitate compatibility issue detecion Demo Issues
  • 28. Conclusion ➤ Fragmentation-induced compatibility issues ➤ Big headache for app developers ➤ Difficult to identify: The search space is large and evolving ➤ PIVOT ➤ Effectively identify API-device correlations by learning from code snippets handling compatibility issues in mature Android apps ➤ Identified API-device correlations can be used to detect potential compatibility issues in Android apps ➤ All the valid API-device correlations and their corresponding compatibility issues identified by PIVOT have been released on GitHub 28
  • 29. Thank you! More interesting details (including limitations and future work) are in our paper! Our paper, tool, and identified issues are available on our project homepage https://ficissuepivot.github.io/Pivot/ Scan Me! 29