Similar literature
Found 20 similar documents; search took 31 ms
1.
Rapidly increasing numbers of applications and users make the development of mobile applications one of the most promising fields in software engineering. Due to short time to market, differing platforms, and fast emerging technologies, mobile application development faces typical challenges where model-driven development (MDD) can help. We present a modeling language and an infrastructure for the MDD of native apps in Android and iOS. Our approach allows a flexible app development on different abstraction levels: compact modeling of standard app elements such as standard data management and increasingly detailed modeling of individual elements to cover, for example, specific behavior. Moreover, a kind of variability modeling is supported such that mobile apps with variants can be developed. We demonstrate our MDD approach with several apps including a conference app, a museum guide with augmented reality functionality, and a SmartPlug.

2.
This paper addresses the problem of detecting plagiarized mobile apps. Plagiarism is the practice of building mobile apps by reusing code from other apps without the consent of the corresponding app developers. Recent studies on third-party app markets have suggested that plagiarized apps are an important vehicle for malware delivery on mobile phones. Malware authors repackage official versions of apps with malicious functionality, and distribute them for free via these third-party app markets. An effective technique to detect app plagiarism can therefore help identify malicious apps. Code plagiarism has long been a problem and a number of code similarity detectors have been developed over the years to detect plagiarism. In this paper we show that obfuscation techniques can be used to easily defeat similarity detectors that rely solely on statically scanning the code of an app. We propose a dynamic technique to detect plagiarized apps that works by observing the interaction of an app with the underlying mobile platform via its API invocations. We propose API birthmarks to characterize unique app behaviors, and develop a robust plagiarism detection tool using API birthmarks.

3.
SSL/TLS validations such as certificate and public key pinning can reinforce the security of encrypted communications between Internet-of-Things devices and remote servers, and ensure the privacy of users. However, such implementations complicate forensic analysis and detection of information disclosure; say, when a mobile app breaches user’s privacy by sending sensitive information to third parties. Therefore, it is crucial to develop the capacity to vet mobile apps augmenting the security of SSL/TLS traffic. In this paper, we propose a technique to bypass the system’s default certificate validation as well as built-in SSL/TLS validations performed in iOS apps. We then demonstrate its utility by analysing 40 popular iOS social networking, electronic payment, banking, and cloud computing apps.

4.
李勇  左志宏 《微机发展》2007,17(4):125-127
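Advances in reverse engineering have, on the one hand, improved software analysis capabilities and, on the other, posed greater challenges to software security. Object-code obfuscation is a powerful means of protecting software and can effectively hinder malicious analysis of it. From the perspective of reverse analysis, this paper introduces the classification of object-code obfuscation techniques, together with the implementation and obfuscation effect of several typical ones.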

5.
How users rate a mobile app via star ratings and user reviews is of utmost importance for the success of an app. Recent studies and surveys show that users rely heavily on star ratings and user reviews that are provided by other users, for deciding which app to download. However, understanding star ratings and user reviews is a complicated matter, since they are influenced by many factors such as the actual quality of the app and how the user perceives such quality relative to their expectations, which are in turn influenced by their prior experiences and expectations relative to other apps on the platform (e.g., iOS versus Android). Nevertheless, star ratings and user reviews provide developers with valuable information for improving the overall impression of their app. In an effort to expand their revenue and reach more users, app developers commonly build cross-platform apps, i.e., apps that are available on multiple platforms. As star ratings and user reviews are of such importance in the mobile app industry, it is essential for developers of cross-platform apps to maintain a consistent level of star ratings and user reviews for their apps across the various platforms on which they are available. In this paper, we investigate whether cross-platform apps achieve a consistent level of star ratings and user reviews. We manually identify 19 cross-platform apps and conduct an empirical study on their star ratings and user reviews. By manually tagging 9,902 1 & 2-star reviews of the studied cross-platform apps, we discover that the distribution of the frequency of complaint types varies across platforms. Finally, we study the negative impact ratio of complaint types and find that for some apps, users have higher expectations on one platform. All our proposed techniques and our methodologies are generic and can be used for any app. 
Our findings show that at least 79% of the studied cross-platform apps do not have consistent star ratings, which suggests that different quality assurance efforts need to be considered by developers for the different platforms that they wish to support.

6.
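With the continuous development of reverse engineering, the interests of the software industry have long been harmed by piracy and malicious behaviour. To find a low-cost, efficient anti-reversing method, obfuscation techniques, originally used by malware to hide its own malicious behaviour, were introduced to raise the bar for reverse engineering. However, most existing obfuscation methods are language-dependent or depend on the target platform, and their effect against reverse engineering is often extremely limited. In view of this, a new compile-time obfuscation implementation based on LLVM is proposed and, combined with the idea of mimic defense, a new software defense strategy is put forward that can effectively defend against a variety of malicious attacks on software.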

7.
The explosive global adoption of mobile applications (i.e., apps) has been fraught with security and privacy issues. App users typically have a poor understanding of information security; worse, they routinely ignore security notifications designed to increase security on apps. By considering both mobile app interface usability and mobile security notification (MSN) design, we investigate how security perceptions of apps are formed and how these perceptions influence users’ intentions to continue using apps. Accordingly, we designed and conducted a set of controlled survey experiments with 317 participants in different MSN interface scenarios by manipulating the types of MSN interfaces (i.e., high vs. low disruption), the context (hedonic vs. utilitarian scenarios), and the degree of MSN intrusiveness (high vs. low intrusiveness). We found that both app interface usability and the design of MSNs significantly impacted users’ perceived security, which, in turn, has a positive influence on users’ intention to continue using the app. In addition, we identified an important conundrum: disruptive MSNs—a common approach to delivering MSNs—irritate users and negatively influence their perceptions of app security. Thus, our results directly challenge current practice. If these results hold, current practice should shift away from MSNs that interrupt task performance.

8.
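With the widespread use of mobile applications (apps), security incidents involving mobile apps occur frequently. Accurately identifying potential security risks among hundreds of millions of mobile apps has become one of the important hard problems in information security. As the number of mobile apps has grown by orders of magnitude, massive amounts of app security data have also been produced. These data make security analytics for mobile apps possible. This paper introduces the current results of mobile app security analytics from five aspects: user interface analysis, repackaged app detection, detection of consistency between app functionality and security behaviour, context-based malicious behaviour detection, and analysis of end users' app management and usage behaviour. Based on these results, future research directions are outlined and the challenges they face are discussed.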

9.
Internet of Things (IoT) products provide over-the-net capabilities such as remote activation, monitoring, and notifications. An associated mobile app is often provided for more convenient usage of these capabilities. The perceived quality of these companion apps can impact the success of the IoT product. We investigate the perceived quality and prominent issues of smart-home IoT mobile companion apps with the aim of deriving insights to: (i) provide guidance to end users interested in adopting IoT products; (ii) inform companion app developers and IoT producers about characteristics frequently criticized by users; (iii) highlight open research directions. We employ a mixed-methods approach, analyzing both quantitative and qualitative data. We assess the perceived quality of companion apps by quantitatively analyzing the star rating and the sentiment of 1,347,799 Android and 48,498 iOS user reviews. We identify the prominent issues that afflict companion apps by performing a qualitative manual analysis of 1,000 sampled reviews. Our analysis shows that users’ judgment has not improved over the years. A variety of functional and non-functional issues persist, such as difficulties in pairing with the device, software flakiness, poor user interfaces, and presence of issues of a socio-technical impact. Our study highlights several aspects of companion apps that require improvement in order to meet user expectations and identifies future directions.

10.
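Audio and video applications are among the most downloaded in app markets. Protocol identification techniques for the traditional Internet are relatively mature, but research on identifying audio/video applications in mobile networks has only begun to receive attention. By identifying such applications, operators can collect users' behavioural habits, such as watching audio/video online, and thus provide differentiated services to users; identification can also serve security auditing of applications. This article mainly studies identification techniques for audio/video protocols on the mobile Internet: application feature values are obtained from analysis of application protocol data and are used to identify protocols. Through development of an identification program and extensive experiments, automatic identification of mobile Internet audio/video protocols is achieved, and the accuracy and efficiency of identification are further improved.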

11.
Modern obfuscation techniques are intended to discourage reverse engineering and malicious tampering of software programs. We study control-flow obfuscation, which works by modifying the control flow of the program to be obfuscated, and observe that it is difficult to evaluate the robustness of these obfuscation techniques. In this paper, we present a framework for quantitative analysis of control-flow obfuscating transformations. Our framework is based upon the control-flow graph of the program, and we show that many existing control-flow obfuscation techniques can be expressed as a sequence of basic transformations on these graphs. We also propose a new measure of the difficulty of reversing these obfuscated programs, and we show that our framework can be used to easily evaluate the space penalty due to the transformations.

12.
Mobile app reviews by users contain a wealth of information on the issues that users are experiencing. For example, a review might contain a feature request, a bug report, and/or a privacy complaint. Developers, users and app store owners (e.g. Apple, Blackberry, Google, Microsoft) can benefit from a better understanding of these issues – developers can better understand users’ concerns, app store owners can spot anomalous apps, and users can compare similar apps to decide which ones to download or purchase. However, user reviews are not labelled, e.g. we do not know which types of issues are raised in a review. Hence, one must sift through potentially thousands of reviews with slang and abbreviations to understand the various types of issues. Moreover, the unstructured and informal nature of reviews complicates the automated labelling of such reviews. In this paper, we study the multi-labelled nature of reviews from 20 mobile apps in the Google Play Store and Apple App Store. We find that up to 30 % of the reviews raise various types of issues in a single review (e.g. a review might contain a feature request and a bug report). We then propose an approach that can automatically assign multiple labels to reviews based on the raised issues with a precision of 66 % and recall of 65 %. Finally, we apply our approach to address three proof-of-concept analytics use case scenarios: (i) we compare competing apps to assist developers and users, (ii) we provide an overview of 601,221 reviews from 12,000 apps in the Google Play Store to assist app store owners and developers and (iii) we detect anomalous apps in the Google Play Store to assist app store owners and users.

13.
Users leverage mobile devices for their daily Internet needs by running various mobile applications (apps) such as social networking, e-mailing, news-reading, and video/audio streaming. Mobile devices have become major targets for malicious apps due to their heavy network activity, and this is a research challenge in the current era. The majority of the research reported in the literature is focused on host-based systems rather than network-based ones, and so is unable to detect malicious activities occurring on mobile devices through the Internet. This paper presents a detection app model for classification of apps. We investigate the accuracy of various machine learning models, in the context of known and unknown apps, benign and normal apps, with or without encrypted message-based app, and operating system version independence of classification. The best resulting machine learning (ML)-based model is embedded into the detection app for efficient and effective detection. We collect a dataset of network activities of 18 different malware families-based apps and 14 genuine apps and use it to develop ML-based detectors. We show that it is possible to detect malicious apps using network traces with traditional ML techniques, and the results revealed an accuracy of 95–99.9 % in detection of apps in different scenarios. The model proposed is proved efficient and suitable for mobile devices. Due to the widespread penetration of Android OS into the market, it has become the main target for attackers. Hence, the proposed system is deployed in an Android environment.

14.
In this paper, we propose a personalized recommendation system for mobile application software (apps) for mobile users, using semantic relations of apps consumed by users. To do that, we define semantic relations between apps consumed by a specific member and his/her social members using Ontology. Based on the relations, we identify the most similar social members from the reasoning process. The reasoning is explored from measuring the common attributes between apps consumed by the target member and his/her social members. The more attributes shared by them, the more similar is their preference for consuming apps. We also develop a prototype of our system using OWL (Ontology Web Language) by defining ontology-based semantic relations among 50 mobile apps. Using the prototype, we showed the feasibility of our algorithm, namely that our recommendation algorithm can be practical in the real field and useful for analyzing the preferences of mobile users.

15.
Voice over Internet Protocol (VoIP) has become increasingly popular among individuals and business organisations, with millions of users communicating using VoIP applications (apps) on their smart mobile devices. Since Android is one of the most popular mobile platforms, this research focuses on Android devices. In this paper we survey the research that examines the security and privacy of mVoIP published in English from January 2009 to January 2014. We also examine the ten most popular free mVoIP apps for Android devices, and analyse the communications to determine whether the voice and text communications using these mVoIP apps are encrypted. The results indicate that most of the apps encrypt text communications, but voice communications may not have been encrypted in Fring, ICQ, Tango, Viber, Vonage, WeChat and Yahoo. The findings described in this paper contribute to an in-depth understanding of the potential privacy risks inherent in the communications using these apps, a previously understudied app category. Six potential research topics are also outlined.

16.
The number of mobile applications (apps) and mobile devices has increased considerably over the past few years. Online app markets, such as the Google Play Store, use a star-rating mechanism to quantify the user-perceived quality of mobile apps. Users may rate apps on a five point (star) scale where a five star-rating is the highest rating. Having considered the importance of a high star-rating to the success of an app, recent studies continue to explore the relationship between the app attributes, such as User Interface (UI) complexity, and the user-perceived quality. However, the user-perceived quality reflects the users’ experience using an app on a particular mobile device. Hence, the user-perceived quality of an app is not solely determined by app attributes. In this paper, we study the relation of both device attributes and app attributes with the user-perceived quality of Android apps from the Google Play Store. We study 20 device attributes, such as the CPU and the display size, and 13 app attributes, such as code size and UI complexity. Our study is based on data from 30 types of Android mobile devices and 280 Android apps. We use linear mixed effect models to identify the device attributes and app attributes with the strongest relationship with the user-perceived quality. We find that the code size has the strongest relationship with the user-perceived quality. However, some device attributes, such as the CPU, have stronger relationships with the user-perceived quality than some app attributes, such as the number of UI inputs and outputs of an app. Our work helps both device manufacturers and app developers. Manufacturers can focus on the attributes that have significant relationships with the user-perceived quality. Moreover, app developers should be careful about the devices for which they make their apps available because the device attributes have a strong relationship with the ratings that users give to apps.

17.
Modern smart mobile devices offer media-rich and context-aware features that are highly useful for electronic-health (e-health) applications. It is therefore not surprising that these devices have gained acceptance as target devices for e-health applications, turning them into m-health (mobile-health) apps. In particular, many e-health application developers have chosen Apple's iOS mobile devices such as iPad, iPhone, or iPod Touch as the target device to provide more convenient and richer user experience, as evidenced by the rapidly increasing number of m-health apps in Apple's App Store. In this paper, the top two hundred of such apps from the App Store were examined from a developer's perspective to provide a focused overview of the status and trends of iOS m-health apps and an analysis of related technology, architecture, and user interface design issues. The top 200 apps were classified into different groups according to their purposes, functions, and user satisfaction. It was shown that although the biggest group of apps was medical information reference apps that were delivered from or related to medical articles, websites, or journals, mobile users disproportionately favored tracking tools. It was clear that m-health apps still had plenty of room to grow to take full advantage of unique mobile platform features and truly fulfill their potential. In particular, introduction of two- or three-dimensional visualization and context-awareness could further enhance m-health apps' usability and utility. This paper aims to serve as a reference point and guide for developers and practitioners interested in using iOS as a platform for m-health applications, particularly from the technical point of view.

18.
With the development of science and technology, the popularity of smart phones has led to exponential growth in the mobile phone application market. How to help users select the applications they prefer has become a hot topic in recommendation algorithms. As traditional recommendation algorithms are based on popularity and downloads, they inadvertently fail to recommend the desirable applications. At the same time, many users tend to pay more attention to the permissions of those applications, for privacy and security reasons. There are few recommendation algorithms which take account of apps’ permissions, functionalities and users’ interests altogether. Some of them only consider permissions while neglecting the users’ interests; others just perform a linear combination of apps’ permissions, functionalities and users’ interests to implement top-N recommendation. In this paper, we devise a recommendation method based on both permissions and functionalities. After demonstrating the correlation of apps’ permissions and users’ interests, we design an app risk score calculating method ARSM based on an app-permission bipartite graph model. Furthermore, we propose a novel matrix factorization algorithm MFPF based on users’ interests, apps’ permissions and functionalities to handle personalized app recommendation. We compare our work with some of the state-of-the-art recommendation algorithms, and the results indicate that our work can improve the recommendation accuracy remarkably.

19.
Experiment with control code obfuscation (total citations: 1; self-citations: 0; citations by others: 1)
Control code obfuscation is intended to prevent malicious reverse engineering of software by masking the program control flow. The idea for further advancing the state of the art was presented in 2000 by WANG C. An obfuscating system for Java based on the ideas of WANG C is implemented and experimented. The experiment results show that obfuscation can be done efficiently with moderate increases in code size, execution times, while making the obfuscated code resilient to a variety of reverse engineering attacks.

20.
陆璇  陈震鹏  刘譞哲  梅宏 《软件学报》2020,31(11):3364-3379
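The app market has become a mainstream model for developing and delivering software applications in the Internet environment. Compared with the traditional model, under the app-market model the delivery cycle of software is shorter, user feedback is faster, and the connection between end users and developers is closer and more direct. To cope with fierce competition and dynamically evolving user requirements, mobile app developers must continually update their apps in rapid iterations, fixing bugs and defects, improving app quality and enhancing user experience. Therefore, how to correctly and comprehensively understand the degree to which users accept software (user acceptance for short) is an important factor to consider in software development under the app-market model. Software analytics, which has emerged in recent years, concerns the concrete application of big-data analysis techniques in the software industry; it mines and analyzes large-scale, diverse data from across the software life cycle and is considered an effective way to help developers extract useful information and make correct decisions. From the perspective of software analytics, this paper first argues for the necessity and feasibility of building a comprehensive user acceptance indicator model for mobile apps, and gives basic user acceptance indicators along three dimensions: user rating data, operation data, and interaction behaviour data. On this basis, using large-scale real-world datasets, in typical user acceptance indicator prediction problems such as target user group prediction, user scale prediction and update effect prediction, it extracts, for the specific indicators, important features from different stages of the mobile app life cycle, verifies the predictability of user acceptance with methods such as collaborative filtering, regression fusion and probabilistic models, and discusses the guidance that the prediction results and features may provide in the mobile app development process.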
