Using Metamorphic Testing to Identify Authentication Vulnerabilities in Android Mobile Applications

Detalhes bibliográficos
Autor(a) principal: Costa Junior, Misael
Data de Publicação: 2024
Tipo de documento: Tese
Idioma: eng
Título da fonte: Biblioteca Digital de Teses e Dissertações da USP
Texto Completo: https://www.teses.usp.br/teses/disponiveis/55/55134/tde-20082024-083506/
Resumo: The widespread use of mobile apps, spanning activities from banking to office tasks, has intensified demands for quality assurance activities. Nevertheless, mobile apps testing faces unique challenges, such as power constraints (i.e., Performance), interface adaptation (i.e., Usability), and user data privacy (i.e., Security) examples of Non-Functional Requirements (NFRs). Security, one of the most critical NFRs, is pivotal for software systems, especially in mobile apps. The existence of security faults (i.e., vulnerabilities) poses a substantial risk, potentially resulting in unauthorized access or malicious attacks. Traditional security testing is often costly and intricate and further hampered by the oracle problem. In response, Metamorphic Testing (MT) has emerged as a strategic approach to address those challenges. Adopting Metamorphic Relationships (MRs) derived from the Application Under Testing (AUT), MT assesses faults in applications. Recent studies have explored MTs effectiveness in uncovering NFR-related faults, including those in performance and security, across domains such as Web systems and mobile apps. This PhD thesis introduces an innovative MT technique targeting six vulnerabilities reported by OWASP in Android mobile apps, which have affected mainly username and password authentication methods. The technique employs five MRs to evaluate the existence of such vulnerabilities, complemented by a Metamorphic Vulnerability Testing Environment automating the testing process. The environment streamlines both generation and execution of source and follow-up test cases. In an extensive experiment with 163 commercial Android applications, the technique identified 159 vulnerabilities, with 108 apps revealing at least one of them. Towards confirming the vulnerabilities identified, 37 companies were contacted for reporting those in their apps, of which nine directly responded to ratifying them, with three even requesting online consultations for addressing the issues. Although not responding to the reports, 26 companies released new versions of their apps, addressing the reported vulnerabilities. The experiments also revealed a surprising finding: contrarily to expectations, the user-perceived quality does not necessarily correlate with the absence of vulnerabilities; indeed, even applications perceived by users as high-quality are not immune to them.
id USP_a87d951122f05594aec6e5dd1db28a0c
oai_identifier_str oai:teses.usp.br:tde-20082024-083506
network_acronym_str USP
network_name_str Biblioteca Digital de Teses e Dissertações da USP
repository_id_str 2721
spelling Using Metamorphic Testing to Identify Authentication Vulnerabilities in Android Mobile ApplicationsUsando o Teste Metamórfico para Identificar Vulnerabilidades de Autenticação em Aplicativos AndroidGUI based testingMetamorphic testingMobile apps testingSecurity testingTeste baseado em GUITeste de aplicativos móveisTeste de segurançaTeste de vulnerabilidadeTeste metamórficoVulnerability testingThe widespread use of mobile apps, spanning activities from banking to office tasks, has intensified demands for quality assurance activities. Nevertheless, mobile apps testing faces unique challenges, such as power constraints (i.e., Performance), interface adaptation (i.e., Usability), and user data privacy (i.e., Security) examples of Non-Functional Requirements (NFRs). Security, one of the most critical NFRs, is pivotal for software systems, especially in mobile apps. The existence of security faults (i.e., vulnerabilities) poses a substantial risk, potentially resulting in unauthorized access or malicious attacks. Traditional security testing is often costly and intricate and further hampered by the oracle problem. In response, Metamorphic Testing (MT) has emerged as a strategic approach to address those challenges. Adopting Metamorphic Relationships (MRs) derived from the Application Under Testing (AUT), MT assesses faults in applications. Recent studies have explored MTs effectiveness in uncovering NFR-related faults, including those in performance and security, across domains such as Web systems and mobile apps. This PhD thesis introduces an innovative MT technique targeting six vulnerabilities reported by OWASP in Android mobile apps, which have affected mainly username and password authentication methods. The technique employs five MRs to evaluate the existence of such vulnerabilities, complemented by a Metamorphic Vulnerability Testing Environment automating the testing process. The environment streamlines both generation and execution of source and follow-up test cases. In an extensive experiment with 163 commercial Android applications, the technique identified 159 vulnerabilities, with 108 apps revealing at least one of them. Towards confirming the vulnerabilities identified, 37 companies were contacted for reporting those in their apps, of which nine directly responded to ratifying them, with three even requesting online consultations for addressing the issues. Although not responding to the reports, 26 companies released new versions of their apps, addressing the reported vulnerabilities. The experiments also revealed a surprising finding: contrarily to expectations, the user-perceived quality does not necessarily correlate with the absence of vulnerabilities; indeed, even applications perceived by users as high-quality are not immune to them.O amplo uso de aplicativos móveis, abrangendo atividades desde operações bancárias até tarefas de escritório, intensificou a demanda por atividades de garantia de qualidade. No entanto, testes de aplicativos móveis apresentam desafios distintos, como restrições de energia (ou seja, Desempenho), adaptação de interface (ou seja, Usabilidade) e privacidade de dados do usuário (ou seja, Segurança) exemplos de Requisitos Não Funcionais (RNFs). Segurança, um dos RNFs mais críticos, é crucial para sistemas de software, especialmente em aplicativos móveis. A existência de falhas de segurança (ou seja, vulnerabilidades) representam um risco substancial, podendo resultar em acesso não autorizado ou ataques maliciosos. Testes de segurança tradicionais são frequentemente dispendiosos e complexos, complicados ainda mais pelo problema do oráculo. Em resposta, o Teste Metamórfico (TM) surgiu como uma abordagem estratégica para enfrentar esses desafios. Utilizando Relacionamentos Metamórficos (RMs) derivados do System Under Testing (SUT), o TM avalia falhas no sistema. Estudos recentes exploraram a eficácia do TM em revelar falhas relacionadas a RNFs, incluindo Desempenho e Segurança, em domínios como sistemas Web e aplicativos móveis. Esta pesquisa de doutorado introduz uma técnica inovadora de TM direcionada a cinco vulnerabilidades relatadas pela OWASP em aplicativos móveis Android, que afetaram principalmente os métodos de autenticação por nome de usuário e senha. A técnica utiliza cinco RMs para avaliar a presença dessas vulnerabilidades, complementada por um Ambiente de Teste de Vulnerabilidade Metamórfica que automatiza o processo de teste. Este ambiente simplifica a geração e execução de casos de teste source de follow-up. Em um experimento abrangente com 163 aplicativos Android comerciais, a técnica proposta identificou 159 vulnerabilidades, sendo que 108 aplicativos revelaram pelo menos uma vulnerabilidade. Dentre os métodos usados para validar as vulnerabilidades encontradas, foram contatadas 37 empresas para relatar os problemas em seus aplicativos. Nove delas responderam diretamente para validar as vulnerabilidades, e três solicitaram consultas online para corrigi-las. Notou-se que, embora 26 empresas não tenham respondido, lançaram uma nova versão do app sem as vulnerabilidades relatadas. Surpreendentemente, descobriu-se que a qualidade percebida pelo usuário não está necessariamente relacionada à ausência de vulnerabilidades. Mesmo aplicativos bem avaliados podem conter falhas de segurança.Biblioteca Digitais de Teses e Dissertações da USPDelamaro, Márcio EduardoCosta Junior, Misael2024-06-14info:eu-repo/semantics/publishedVersioninfo:eu-repo/semantics/doctoralThesisapplication/pdfhttps://www.teses.usp.br/teses/disponiveis/55/55134/tde-20082024-083506/reponame:Biblioteca Digital de Teses e Dissertações da USPinstname:Universidade de São Paulo (USP)instacron:USPLiberar o conteúdo para acesso público.info:eu-repo/semantics/openAccesseng2024-08-20T12:10:02Zoai:teses.usp.br:tde-20082024-083506Biblioteca Digital de Teses e Dissertaçõeshttp://www.teses.usp.br/PUBhttp://www.teses.usp.br/cgi-bin/mtd2br.plvirginia@if.usp.br|| atendimento@aguia.usp.br||virginia@if.usp.bropendoar:27212024-08-20T12:10:02Biblioteca Digital de Teses e Dissertações da USP - Universidade de São Paulo (USP)false
dc.title.none.fl_str_mv Using Metamorphic Testing to Identify Authentication Vulnerabilities in Android Mobile Applications
Usando o Teste Metamórfico para Identificar Vulnerabilidades de Autenticação em Aplicativos Android
title Using Metamorphic Testing to Identify Authentication Vulnerabilities in Android Mobile Applications
spellingShingle Using Metamorphic Testing to Identify Authentication Vulnerabilities in Android Mobile Applications
Costa Junior, Misael
GUI based testing
Metamorphic testing
Mobile apps testing
Security testing
Teste baseado em GUI
Teste de aplicativos móveis
Teste de segurança
Teste de vulnerabilidade
Teste metamórfico
Vulnerability testing
title_short Using Metamorphic Testing to Identify Authentication Vulnerabilities in Android Mobile Applications
title_full Using Metamorphic Testing to Identify Authentication Vulnerabilities in Android Mobile Applications
title_fullStr Using Metamorphic Testing to Identify Authentication Vulnerabilities in Android Mobile Applications
title_full_unstemmed Using Metamorphic Testing to Identify Authentication Vulnerabilities in Android Mobile Applications
title_sort Using Metamorphic Testing to Identify Authentication Vulnerabilities in Android Mobile Applications
author Costa Junior, Misael
author_facet Costa Junior, Misael
author_role author
dc.contributor.none.fl_str_mv Delamaro, Márcio Eduardo
dc.contributor.author.fl_str_mv Costa Junior, Misael
dc.subject.por.fl_str_mv GUI based testing
Metamorphic testing
Mobile apps testing
Security testing
Teste baseado em GUI
Teste de aplicativos móveis
Teste de segurança
Teste de vulnerabilidade
Teste metamórfico
Vulnerability testing
topic GUI based testing
Metamorphic testing
Mobile apps testing
Security testing
Teste baseado em GUI
Teste de aplicativos móveis
Teste de segurança
Teste de vulnerabilidade
Teste metamórfico
Vulnerability testing
description The widespread use of mobile apps, spanning activities from banking to office tasks, has intensified demands for quality assurance activities. Nevertheless, mobile apps testing faces unique challenges, such as power constraints (i.e., Performance), interface adaptation (i.e., Usability), and user data privacy (i.e., Security) examples of Non-Functional Requirements (NFRs). Security, one of the most critical NFRs, is pivotal for software systems, especially in mobile apps. The existence of security faults (i.e., vulnerabilities) poses a substantial risk, potentially resulting in unauthorized access or malicious attacks. Traditional security testing is often costly and intricate and further hampered by the oracle problem. In response, Metamorphic Testing (MT) has emerged as a strategic approach to address those challenges. Adopting Metamorphic Relationships (MRs) derived from the Application Under Testing (AUT), MT assesses faults in applications. Recent studies have explored MTs effectiveness in uncovering NFR-related faults, including those in performance and security, across domains such as Web systems and mobile apps. This PhD thesis introduces an innovative MT technique targeting six vulnerabilities reported by OWASP in Android mobile apps, which have affected mainly username and password authentication methods. The technique employs five MRs to evaluate the existence of such vulnerabilities, complemented by a Metamorphic Vulnerability Testing Environment automating the testing process. The environment streamlines both generation and execution of source and follow-up test cases. In an extensive experiment with 163 commercial Android applications, the technique identified 159 vulnerabilities, with 108 apps revealing at least one of them. Towards confirming the vulnerabilities identified, 37 companies were contacted for reporting those in their apps, of which nine directly responded to ratifying them, with three even requesting online consultations for addressing the issues. Although not responding to the reports, 26 companies released new versions of their apps, addressing the reported vulnerabilities. The experiments also revealed a surprising finding: contrarily to expectations, the user-perceived quality does not necessarily correlate with the absence of vulnerabilities; indeed, even applications perceived by users as high-quality are not immune to them.
publishDate 2024
dc.date.none.fl_str_mv 2024-06-14
dc.type.status.fl_str_mv info:eu-repo/semantics/publishedVersion
dc.type.driver.fl_str_mv info:eu-repo/semantics/doctoralThesis
format doctoralThesis
status_str publishedVersion
dc.identifier.uri.fl_str_mv https://www.teses.usp.br/teses/disponiveis/55/55134/tde-20082024-083506/
url https://www.teses.usp.br/teses/disponiveis/55/55134/tde-20082024-083506/
dc.language.iso.fl_str_mv eng
language eng
dc.relation.none.fl_str_mv
dc.rights.driver.fl_str_mv Liberar o conteúdo para acesso público.
info:eu-repo/semantics/openAccess
rights_invalid_str_mv Liberar o conteúdo para acesso público.
eu_rights_str_mv openAccess
dc.format.none.fl_str_mv application/pdf
dc.coverage.none.fl_str_mv
dc.publisher.none.fl_str_mv Biblioteca Digitais de Teses e Dissertações da USP
publisher.none.fl_str_mv Biblioteca Digitais de Teses e Dissertações da USP
dc.source.none.fl_str_mv
reponame:Biblioteca Digital de Teses e Dissertações da USP
instname:Universidade de São Paulo (USP)
instacron:USP
instname_str Universidade de São Paulo (USP)
instacron_str USP
institution USP
reponame_str Biblioteca Digital de Teses e Dissertações da USP
collection Biblioteca Digital de Teses e Dissertações da USP
repository.name.fl_str_mv Biblioteca Digital de Teses e Dissertações da USP - Universidade de São Paulo (USP)
repository.mail.fl_str_mv virginia@if.usp.br|| atendimento@aguia.usp.br||virginia@if.usp.br
_version_ 1815257180050292736