
Risk Assessment Technology For Mobile Application Based On Multi-Dimensional Android Feature

Posted on: 2022-08-14 | Degree: Master | Type: Thesis
Country: China | Candidate: A Gong | Full Text: PDF
GTID: 2518306725492874 | Subject: Master of Engineering
Abstract/Summary:
With the widespread use of Android applications in people's daily life, the security and quality assurance of Android applications have become more and more important. In order to evaluate the potential risks of Android applications, Java static code metrics have been introduced to predict application defects. However, the existing technology ignores the specific features of Android applications, and its prediction results give no guidance for modifying defective code, which ultimately makes it impossible to locate and repair the risk vulnerabilities in applications.

This paper proposes a risk assessment technology for mobile applications based on multi-dimensional Android features, which is used to detect the quality and security risks of applications. Among them, quality risk refers to fault tendency, including safety, memory, performance and other risk issues. We summarize the bad practices in Android applications, define 15 Android code smells, and give some suggestions on code refactoring. In order to detect these code smells automatically, we developed a detection tool named DACS. From the dimension of programming criterion, we extract 15 custom code smells and 15 publicly defined code smells. From the four dimensions of size, complexity, duplicate and violation, we extract 21 Java static code metrics. After preprocessing these multi-dimensional features, we combine nine popular machine learning algorithms to build a security risk level prediction model for applications, which helps developers identify high-risk applications. In addition, we select five kinds of code smells and the number of code lines as independent variables, and the number of faults as the response variable. Based on two discrete regression algorithms, we built a fault counting model to study the impact of code smells on application quality.

In order to verify the effectiveness of the DACS tool, we ran it on 20 open-source Android applications and obtained its detection results. At the same time, we inspected these applications manually and analyzed the consistency between the manual results and the results of the tool. We found that the detection results of DACS are consistent with those of manual detection. Therefore, the DACS tool can replace manual detection. In order to evaluate the prediction model, we collected 4575 Android applications from GitHub and conducted three experiments. The results show that (1) Android code smells can improve the risk prediction performance of the model; (2) the prediction model built with the random forest algorithm has the best performance (AUC = 0.97); and (3) Android code smells such as MIM and LIC may easily cause high risk in applications, so developers should pay attention to them. In addition, we constructed the fault counting model on 645 Android applications. Compared with the negative binomial regression model, the counting model constructed with the zero-inflated negative binomial regression algorithm is better (AIC = 517.32, BIC = 522.12). Besides, some code smells such as code lines (ncloc), malicious compression (MU), weak encryption algorithm and code lines (WCA:NCLOC) can significantly lead to the quality risk of applications.
Keywords/Search Tags:Android code smells, Java static code metrics, Android risk, faults