Scalable and Practical App Digging Engine
What is app digging?
App digging refers to the process of capturing and analyzing runtime states of a mobile app. Examples of runtime states include
- Data such as news articles, recipes, deals, etc. that a mobile app shows to its users when it is run (potentially after downloading it from back-end servers). This data is useful for enabling search over app content (in a general search engine or in an app-store search engine), for displaying contextual ads within apps, for verifying whether kids' apps display age-inappropriate content (and thereby violate COPPA regulations), etc.
- How an app displays data to its users: are buttons too small? Is there too much text? This information is useful for various accessibility analyses, such as determining whether an app is suitable for use in a vehicle.
- How an app uses third-party controls; e.g., whether an app uses third-party ad controls in fraudulent ways, or uses Facebook SDKs incorrectly in ways that enable various security attacks.
- What information an app sends to back-end servers. This information is useful for verifying various privacy properties of the app.
- How an app performs when run under various external conditions; e.g., whether an app page fails to load, or whether the app crashes, when the network is too slow.
Many of the tasks mentioned above are becoming increasingly important for app stores (e.g., for checking apps' runtime security and privacy properties, and for capturing and indexing data inside apps for better app search), for app developers (e.g., for checking an app's runtime performance under various conditions), and for third-party SDK providers (e.g., for checking whether developers are using their SDKs correctly).
What is SPADE?
We develop SPADE, a collection of tools for quickly and automatically analyzing the runtime states of a large collection of mobile apps. SPADE uses two key techniques. First, it uses binary instrumentation to automatically insert custom code into an app's binary to capture its runtime state. Second, it executes the instrumented app in a phone/tablet emulator and automatically navigates through the app's pages by emulating user interactions. SPADE employs a number of novel optimizations to increase the coverage (i.e., the fraction of all app pages that are explored) and the speed (i.e., the number of unique app pages explored) of its exploration.
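To make the two metrics above concrete, here is an added example (not SPADE's code, and not from the authors) of the exploration loop an app-digging navigator runs. It replaces the emulator with a constructed in-memory app model (the TOY_APP dictionary, its page ids, templates and control labels are all assumptions made for the example): the navigator starts at the home page, taps every control on each newly reached page, records the runtime content of each page, counts unique pages by hashing UI structure rather than content (so three articles sharing one layout count as one unique structure), and logs any navigation whose target page fails to load. A tap budget stands in for the time limit that bounds exploration speed.

```python
from collections import deque
from dataclasses import dataclass, field
import hashlib


@dataclass(frozen=True)
class Control:
    kind: str    # UI control type, e.g. "button" or "list_item"
    label: str   # visible text of the control
    target: str  # page id the app navigates to when the control is tapped


@dataclass(frozen=True)
class Page:
    page_id: str
    template: str    # layout the page is built from, e.g. "ArticleView"
    content: str     # runtime data the page shows (what app digging captures)
    controls: tuple  # tuple of Control


# Constructed toy app (an assumption for this example): a news reader with a
# home page, three article pages sharing one layout, a settings page, and one
# "Related" link whose target page does not exist and so fails to load.
TOY_APP = {
    "home": Page("home", "HomeView", "Top stories", (
        Control("list_item", "Story 1", "article1"),
        Control("list_item", "Story 2", "article2"),
        Control("list_item", "Story 3", "article3"),
        Control("button", "Settings", "settings"),
    )),
    "article1": Page("article1", "ArticleView", "Markets rally on rate news", (
        Control("button", "Back", "home"),
        Control("button", "Related", "article2"),
    )),
    "article2": Page("article2", "ArticleView", "New recipe trends for spring", (
        Control("button", "Back", "home"),
        Control("button", "Related", "article3"),
    )),
    "article3": Page("article3", "ArticleView", "Local deals this weekend", (
        Control("button", "Back", "home"),
        Control("button", "Related", "broken_page"),  # target page missing
    )),
    "settings": Page("settings", "SettingsView", "Notifications: on", (
        Control("button", "Back", "home"),
    )),
}


def structural_hash(page):
    """Hash the page's layout and its control types, ignoring content, so that
    pages that differ only in the data they show count as one unique page."""
    signature = page.template + "|" + ",".join(c.kind for c in page.controls)
    return hashlib.sha256(signature.encode()).hexdigest()[:16]


@dataclass
class ExplorationResult:
    visited: list = field(default_factory=list)        # page ids, in exploration order
    captured: dict = field(default_factory=dict)       # page id -> runtime content
    unique_structures: set = field(default_factory=set)
    load_failures: list = field(default_factory=list)  # (page, control label, target)
    taps: int = 0

    def coverage(self, app):
        """Fraction of all app pages that the exploration reached."""
        return len(self.visited) / len(app)


def explore(app, start="home", tap_budget=100):
    """Breadth-first exploration: tap every control on every newly reached page,
    stopping when no unexplored page remains or the tap budget is exhausted."""
    result = ExplorationResult()
    seen = {start}
    queue = deque([start])
    while queue and result.taps < tap_budget:
        page = app[queue.popleft()]
        result.visited.append(page.page_id)
        result.captured[page.page_id] = page.content
        result.unique_structures.add(structural_hash(page))
        for ctl in page.controls:
            if result.taps >= tap_budget:
                break
            result.taps += 1
            if ctl.target not in app:
                # Navigation led to a page that failed to load: record it.
                result.load_failures.append((page.page_id, ctl.label, ctl.target))
            elif ctl.target not in seen:
                seen.add(ctl.target)
                queue.append(ctl.target)
    return result


if __name__ == "__main__":
    full = explore(TOY_APP)
    print("coverage:", full.coverage(TOY_APP), "unique structures:",
          len(full.unique_structures), "taps:", full.taps)
    print("load failures:", full.load_failures)
```

With the default budget the run reaches all five pages (coverage 1.0) in 11 taps, reports three unique page structures, and flags the one broken navigation; with a budget of only four taps it explores the home page alone (coverage 0.2), which is the coverage-versus-speed trade-off that SPADE's optimizations target.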
An overview of the project, with scenarios and technical challenges, can be found here.
- SmartAds: contextual ads on mobile apps. See video here.
- AppSearch: search engine over data deep inside apps
- DECAF: Detecting various ad frauds in mobile apps
- VanarSena: Mobile app testing in the cloud
- Yimo: Checking COPPA compliance of kids' apps
- Brahmastra: Checking if apps are including Facebook SDKs correctly
- And many others ...
Contact: Suman Nath
Publications
- Earlence Fernandes, Oriana Riva, and Suman Nath, My OS ought to know me better: In-app behavioural analytics as an OS service, in Workshop on Hot Topics in Operating Systems (HotOS), May 2015.
- Ravi Bhoraskar, Seungyeop Han, Jinseong Jeon, Tanzirul Azim, Shuo Chen, Jaeyeon Jung, Suman Nath, Rui Wang, and David Wetherall, Brahmastra: Driving Apps to Test the Security of Third-Party Components, in USENIX Security Symposium, USENIX, August 2014.
- Shuai Hao, Bin Liu, Suman Nath, William G.J. Halfond, and Ramesh Govindan, PUMA: Programmable UI-Automation for Large Scale Dynamic Analysis of Mobile Apps, in The International Conference on Mobile Systems, Applications, and Services (MobiSys), ACM, June 2014.
- Lenin Ravindranath, Suman Nath, Jitendra Padhye, and Hari Balakrishnan, Automatic and Scalable Fault Detection for Mobile Applications, in The International Conference on Mobile Systems, Applications, and Services (MobiSys), ACM, June 2014.
- Bin Liu, Suman Nath, Ramesh Govindan, and Jie Liu, DECAF: DEtecting and Characterizing Ad Fraud in Mobile Apps, in USENIX Symposium on Networked Systems Design and Implementation (NSDI), USENIX, 2014.
- Felix Xiaozhu Lin, Lenin Ravindranath, Suman Nath, and Jie Liu, SPADE: Scalable App Digging with Binary Instrumentation and Automated Execution, Technical Report MSR-TR-2013-126, January 2013.
- Suman Nath, Felix Xiaozhu Lin, Lenin Ravindranath Sivalingam, and Jitu Padhye, SmartAds: Bringing Contextual Ads to Mobile Apps, in The 11th International Conference on Mobile Systems, Applications, and Services (MobiSys'13), 2013.