Fuzzing The Andtoid Apps On The Data Input

With the development of the mobile Internet, Android system seizes a dominate market share with its advantages of simplicity in use, open-source in code and facility in customization. The number of apps on Android has increased sharply to over700thousand. However, since app developers are new to Android system, and the individual ability of those developers attracted by the booming Android app market is uneven, most of the apps suffer from low robustness. When users operate their Android devices, they encounter a sudden crash or a freeze on some apps now and then. This will undoubtedly impact the user’s experience and even lead to economic loss if the interrupted process is dealing with important data. So, researching on automated testing on Android apps to improve its robustness becomes a hot topic.Current testing methods on Android apps mainly focus on the motion input on the screen, like click event and slip event, but the data input of an app is neglected. Data input, which is claimed by Android app in its manifest file, is one kind of user input that could be handled in that app. Since data input is often uncontrolled, apps may fail to handle the data and go wrong. So, in this paper, we propose an automated fuzzing test method to test Android apps on the data input.The test targets are the Activities which accept outside data as input. First, the manifest file in the target app is analyzed, and the information about the data input is extract. Then sample data is deconstructed based on the information from the first step and a varying algorithm is applied to generate abnormal data. Finally, the abnormal data is sent to corresponding Activity of the target app and the app is monitored for program crash. The crash information could be used to locate the position of software bugs, and be used to mine the vulnerability in the app.An automated fuzzing test system is implemented based on the method. On one hand, this fuzzing test system can do the test work in a black-box way, which provides a help to the third-party testers. On the other hand, the test cases of the fuzzing test system are the data input of the target apps, so the system can detect those software bugs which other test methods cannot detect. In the end, to prove the effectiveness of the system, we download some popular apps to conduct experiments on the system and the found several bugs.