Using Metamorphic Testing to Identify Authentication Vulnerabilities in Android Mobile Applications
Main author: | Costa Junior, Misael |
---|---|
Publication date: | 2024 |
Document type: | Thesis |
Language: | eng |
Source title: | Biblioteca Digital de Teses e Dissertações da USP |
Full text: | https://www.teses.usp.br/teses/disponiveis/55/55134/tde-20082024-083506/ |
Abstract: | The widespread use of mobile apps, spanning activities from banking to office tasks, has intensified demands for quality assurance activities. Nevertheless, mobile app testing faces unique challenges, such as power constraints (i.e., Performance), interface adaptation (i.e., Usability), and user data privacy (i.e., Security), all examples of Non-Functional Requirements (NFRs). Security, one of the most critical NFRs, is pivotal for software systems, especially mobile apps. The existence of security faults (i.e., vulnerabilities) poses a substantial risk, potentially resulting in unauthorized access or malicious attacks. Traditional security testing is often costly and intricate, and is further hampered by the oracle problem. In response, Metamorphic Testing (MT) has emerged as a strategic approach to address those challenges. Using Metamorphic Relationships (MRs) derived from the Application Under Testing (AUT), MT assesses faults in applications. Recent studies have explored MT's effectiveness in uncovering NFR-related faults, including those in performance and security, across domains such as Web systems and mobile apps. This PhD thesis introduces an innovative MT technique targeting six vulnerabilities reported by OWASP in Android mobile apps, which mainly affect username and password authentication methods. The technique employs five MRs to evaluate the existence of such vulnerabilities, complemented by a Metamorphic Vulnerability Testing Environment that automates the testing process. The environment streamlines both the generation and the execution of source and follow-up test cases. In an extensive experiment with 163 commercial Android applications, the technique identified 159 vulnerabilities, with 108 apps revealing at least one of them. To confirm the identified vulnerabilities, 37 companies were contacted and the findings in their apps reported; nine responded directly and confirmed them, and three even requested online consultations to address the issues. Although they did not respond to the reports, 26 companies released new versions of their apps that addressed the reported vulnerabilities. The experiments also revealed a surprising finding: contrary to expectations, user-perceived quality does not necessarily correlate with the absence of vulnerabilities; indeed, even applications perceived by users as high-quality are not immune to them. |
Field | Value
---|---
id | USP_a87d951122f05594aec6e5dd1db28a0c
oai_identifier_str | oai:teses.usp.br:tde-20082024-083506
network_acronym_str | USP
network_name_str | Biblioteca Digital de Teses e Dissertações da USP
repository_id_str | 2721
spelling (concatenated index field; only its Portuguese abstract is unique, translated here) | The widespread use of mobile apps, covering activities from banking operations to office tasks, has intensified the demand for quality assurance activities. However, testing mobile apps presents distinct challenges, such as energy constraints (i.e., Performance), interface adaptation (i.e., Usability), and user data privacy (i.e., Security), examples of Non-Functional Requirements (NFRs). Security, one of the most critical NFRs, is crucial for software systems, especially in mobile apps. The existence of security faults (i.e., vulnerabilities) represents a substantial risk and may result in unauthorized access or malicious attacks. Traditional security testing is often costly and complex, and is further complicated by the oracle problem. In response, Metamorphic Testing (MT) has emerged as a strategic approach to face these challenges. Using Metamorphic Relationships (MRs) derived from the System Under Testing (SUT), MT evaluates faults in the system. Recent studies have explored the effectiveness of MT in revealing NFR-related faults, including Performance and Security, in domains such as Web systems and mobile apps. This doctoral research introduces an innovative MT technique targeting five vulnerabilities reported by OWASP in Android mobile apps, which have mainly affected username and password authentication methods. The technique uses five MRs to assess the presence of these vulnerabilities, complemented by a Metamorphic Vulnerability Testing Environment that automates the testing process. This environment simplifies the generation and execution of source and follow-up test cases. In a comprehensive experiment with 163 commercial Android apps, the proposed technique identified 159 vulnerabilities, with 108 apps revealing at least one vulnerability. Among the methods used to validate the vulnerabilities found, 37 companies were contacted to report the problems in their apps. Nine of them responded directly to validate the vulnerabilities, and three requested online consultations to fix them. It was noted that, although 26 companies did not respond, they released a new version of their app without the reported vulnerabilities. Surprisingly, it was found that user-perceived quality is not necessarily related to the absence of vulnerabilities. Even well-rated apps may contain security faults.
dc.title.none.fl_str_mv | Using Metamorphic Testing to Identify Authentication Vulnerabilities in Android Mobile Applications / Usando o Teste Metamórfico para Identificar Vulnerabilidades de Autenticação em Aplicativos Android
title | Using Metamorphic Testing to Identify Authentication Vulnerabilities in Android Mobile Applications
spellingShingle | Using Metamorphic Testing to Identify Authentication Vulnerabilities in Android Mobile Applications; Costa Junior, Misael; GUI based testing; Metamorphic testing; Mobile apps testing; Security testing; Teste baseado em GUI; Teste de aplicativos móveis; Teste de segurança; Teste de vulnerabilidade; Teste metamórfico; Vulnerability testing
title_short | Using Metamorphic Testing to Identify Authentication Vulnerabilities in Android Mobile Applications
title_full | Using Metamorphic Testing to Identify Authentication Vulnerabilities in Android Mobile Applications
title_fullStr | Using Metamorphic Testing to Identify Authentication Vulnerabilities in Android Mobile Applications
title_full_unstemmed | Using Metamorphic Testing to Identify Authentication Vulnerabilities in Android Mobile Applications
title_sort | Using Metamorphic Testing to Identify Authentication Vulnerabilities in Android Mobile Applications
author | Costa Junior, Misael
author_facet | Costa Junior, Misael
author_role | author
dc.contributor.none.fl_str_mv | Delamaro, Márcio Eduardo
dc.contributor.author.fl_str_mv | Costa Junior, Misael
dc.subject.por.fl_str_mv | GUI based testing; Metamorphic testing; Mobile apps testing; Security testing; Teste baseado em GUI; Teste de aplicativos móveis; Teste de segurança; Teste de vulnerabilidade; Teste metamórfico; Vulnerability testing
topic | GUI based testing; Metamorphic testing; Mobile apps testing; Security testing; Teste baseado em GUI; Teste de aplicativos móveis; Teste de segurança; Teste de vulnerabilidade; Teste metamórfico; Vulnerability testing
publishDate | 2024
dc.date.none.fl_str_mv | 2024-06-14
dc.type.status.fl_str_mv | info:eu-repo/semantics/publishedVersion
dc.type.driver.fl_str_mv | info:eu-repo/semantics/doctoralThesis
format | doctoralThesis
status_str | publishedVersion
dc.identifier.uri.fl_str_mv | https://www.teses.usp.br/teses/disponiveis/55/55134/tde-20082024-083506/
url | https://www.teses.usp.br/teses/disponiveis/55/55134/tde-20082024-083506/
dc.language.iso.fl_str_mv | eng
language | eng
dc.relation.none.fl_str_mv |
dc.rights.driver.fl_str_mv | Release the content for public access. info:eu-repo/semantics/openAccess
rights_invalid_str_mv | Release the content for public access.
eu_rights_str_mv | openAccess
dc.format.none.fl_str_mv | application/pdf
dc.coverage.none.fl_str_mv |
dc.publisher.none.fl_str_mv | Biblioteca Digital de Teses e Dissertações da USP
publisher.none.fl_str_mv | Biblioteca Digital de Teses e Dissertações da USP
dc.source.none.fl_str_mv | reponame:Biblioteca Digital de Teses e Dissertações da USP; instname:Universidade de São Paulo (USP); instacron:USP
instname_str | Universidade de São Paulo (USP)
instacron_str | USP
institution | USP
reponame_str | Biblioteca Digital de Teses e Dissertações da USP
collection | Biblioteca Digital de Teses e Dissertações da USP
repository.name.fl_str_mv | Biblioteca Digital de Teses e Dissertações da USP - Universidade de São Paulo (USP)
repository.mail.fl_str_mv | virginia@if.usp.br; atendimento@aguia.usp.br
_version_ | 1815257180050292736