DOI: 10.1145/3238147.3238180
research-article

A tale of two cities: how WebView induces bugs to Android applications

Authors: Jiajun Hu, Lili Wei, Yepang Liu, Shing-Chi Cheung, and Huaxun Huang
Published: 3 September 2018, in ASE '18 (September 3–7, 2018, Montpellier, France)

ABSTRACT

WebView is a widely used Android component that augments a native app with web browser capabilities. It eases the interactions between an app's native code and web code. However, the interaction mechanism of WebView induces new types of bugs in Android apps. Understanding the characteristics and manifestation of these WebView-induced bugs (ωBugs for short) facilitates the correct usage of WebViews in Android apps. This motivates us to conduct the first empirical study on ωBugs, based on those found in popular open-source Android apps. Our study identified the major root causes and consequences of ωBugs and made interesting observations that can be leveraged for detecting and diagnosing ωBugs. Based on the empirical study, we further propose an automated testing technique, ωDroid, to effectively expose ωBugs in Android apps. In our experiments, ωDroid successfully discovered 30 unique and previously unknown ωBugs when applied to 146 open-source Android apps. We reported the 30 ωBugs to the corresponding app developers. Out of these 30 ωBugs, 14 were confirmed and 7 of them were fixed. This shows that ωDroid can effectively detect ωBugs that developers care about.


Published in
        ASE '18: Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering
        September 2018
        955 pages
ISBN: 9781450359375
DOI: 10.1145/3238147

        Copyright © 2018 ACM


        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        • Published: 3 September 2018


        Qualifiers

        • research-article

        Acceptance Rates

Overall Acceptance Rate: 82 of 337 submissions, 24%
