| According to the report of Internet Data Center(IDC),Android is the ruling OS with a solid 85%market share in the first quarter of 2017.The huge amount of users has prompted the development of Android applications,which is followed by an increasing severe security situation.To detect security vulnerabilities and problems in these applications,scholars and researchers have proposed multiple automated testing methods and tools.Existing work is mostly based on the Activity level as the UI basic unit for automated testing while many developers are turning to Fragment as part of the Activity for efficiency and convenience.Thus,the detection of security problems existing in the design and implementation of Fragment could fail using the original technical framework.Aiming at this,we propose a Fragment-compatible automated test model to enable automated testing of Android Fragment components.The model innovatively designed a transition model of Activity and Fragment and automatically compile UI operation queue information to generate corresponding test cases.In addition,we combine this model with the detection function of the Android sensitive function call.In the experiment,we found that most of the interfaces between Android applications and remote servers are based on web API.But adding new web API in servers for being compatible with more applications would bring security issues to the servers.Therefore,we design and implement a model which can automatically analyze the web API interface in Android applications.Eventually,9 of 48 testing popular applications were detected to existing API abuse,session hijacking and other security problems. |
PDF Full Text Request