Jiajun Hu, Lili Wei, Yepang Liu, S. Cheung, Huaxun Huang
Published in: 2018 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE), pages 702-713
Publication date: 2018-09-01
DOI: 10.1145/3238147.3238180 (https://doi.org/10.1145/3238147.3238180)
Citation count: 19 (Semanticscholar)
A Tale of Two Cities: How WebView Induces Bugs to Android Applications
WebView is a widely used Android component that augments a native app with web browser capabilities. It eases the interactions between an app's native code and web code. However, the interaction mechanism of WebView induces new types of bugs in Android apps. Understanding the characteristics and manifestation of these WebView-induced bugs ($\omega \text{Bugs}$ for short) facilitates the correct usages of WebViews in Android apps. This motivates us to conduct the first empirical study on $\omega \text{Bugs}$ based on those found in popular open-source Android apps. Our study identified the major root causes and consequences of $\omega \text{Bugs}$ and made interesting observations that can be leveraged for detecting and diagnosing $\omega \text{Bugs}$. Based on the empirical study, we further propose an automated testing technique $\omega \text{Droid}$ to effectively expose $\omega \text{Bugs}$ in Android apps. In our experiments, $\omega \text{Droid}$ successfully discovered 30 unique and previously-unknown $\omega \text{Bugs}$ when applied to 146 open-source Android apps. We reported the 30 $\omega \text{Bugs}$ to the corresponding app developers. Out of these 30 $\omega \text{Bugs}$, 14 were confirmed and 7 of them were fixed. This shows that $\omega \text{Droid}$ can effectively detect $\omega \text{Bugs}$ that are of the developers' concern.