Write a Blog >>
ESEC/FSE 2021
Thu 19 - Sat 28 August 2021 Clowdr Platform
Thu 26 Aug 2021 19:00 - 19:10 - Testing—Mobile Analysis and Testing Chair(s): Fabrizio Pastore
Fri 27 Aug 2021 07:00 - 07:10 - Testing—Mobile Analysis and Testing Chair(s): Wei Yang

Current taint analyses track flow from sources to sinks, and report
the results simply as source $\to$ sink pairs, or flows. This is imprecise and
ineffective in many real-world scenarios; examples include taint
sources that are mutually exclusive, or flows that combine sources
(e.g., IMEI and MAC Address are concatenated, hashed, leaked vs. IMEI
and MAC Address hashed separately and leaked separately). These
shortcomings are particularly acute in the context of Android, where
sensitive identifiers can be combined, processed, and then leaked, in
complicated ways. To address these issues, we introduce a novel,
{\it algebraic-datatype} taint analysis that generates rich yet concise taint
signatures involving AND, XOR, hashing – akin to algebraic, product
and sum, types. We implemented our approach as a static analysis for
Android that derives app leak signatures – an algebraic
representation of how, and where, hardware/software identifiers are
manipulated before being exfiltrated to the network. We perform six
empirical studies of algebraic-datatype taint tracking on 1,000 top apps from
Google Play and their embedded libraries, including: discerning
between ``raw'' and hashed flows which eliminates a source of
imprecision in current analyses; finding apps and libraries that go
against Google Play's guidelines by (ab)using hardware identifiers;
showing that third-party code, rather than app code, is the
predominant source of leaks; exposing potential de-anonymization
practices; and quantifying how apps have become more privacy-friendly
over the past two years.

Thu 26 Aug

Displayed time zone: Athens change

19:00 - 20:00
Testing—Mobile Analysis and TestingResearch Papers +12h
Chair(s): Fabrizio Pastore University of Luxembourg
19:00
10m
Paper
Algebraic-Datatype Taint Tracking, with Applications to Understanding Android Identifier LeaksArtifacts FunctionalArtifacts Available
Research Papers
Sydur Rahaman New Jersey Institute of Technology, Iulian Neamtiu New Jersey Institute of Technology, Xin Yin New Jersey Institute of Technology
DOI
19:10
10m
Paper
Vet: Identifying and Avoiding UI Exploration TarpitsDistinguished Paper Award
Research Papers
Wenyu Wang University of Illinois at Urbana-Champaign, Wei Yang University of Texas at Dallas, Tianyin Xu University of Illinois at Urbana-Champaign, Tao Xie Peking University
Link to publication DOI Media Attached
19:20
10m
Paper
Checking Conformance of Applications against GUI Policies
Research Papers
Zhen Zhang University of Washington, Yu Feng University of California at Santa Barbara, Michael D. Ernst University of Washington, Sebastian Porst Google, Isil Dillig University of Texas at Austin
DOI
19:30
30m
Live Q&A
Q&A (Testing—Mobile Analysis and Testing)
Research Papers

Fri 27 Aug

Displayed time zone: Athens change

07:00 - 08:00
Testing—Mobile Analysis and TestingResearch Papers
Chair(s): Wei Yang University of Texas at Dallas
07:00
10m
Paper
Algebraic-Datatype Taint Tracking, with Applications to Understanding Android Identifier LeaksArtifacts FunctionalArtifacts Available
Research Papers
Sydur Rahaman New Jersey Institute of Technology, Iulian Neamtiu New Jersey Institute of Technology, Xin Yin New Jersey Institute of Technology
DOI
07:10
10m
Paper
Vet: Identifying and Avoiding UI Exploration TarpitsDistinguished Paper Award
Research Papers
Wenyu Wang University of Illinois at Urbana-Champaign, Wei Yang University of Texas at Dallas, Tianyin Xu University of Illinois at Urbana-Champaign, Tao Xie Peking University
Link to publication DOI Media Attached
07:20
10m
Paper
Checking Conformance of Applications against GUI Policies
Research Papers
Zhen Zhang University of Washington, Yu Feng University of California at Santa Barbara, Michael D. Ernst University of Washington, Sebastian Porst Google, Isil Dillig University of Texas at Austin
DOI
07:30
30m
Live Q&A
Q&A (Testing—Mobile Analysis and Testing)
Research Papers