Presentation Transcript

1. A Grey-Box Approach for Automated GUI-Model Generation of Mobile Applications

   MukulR. Prasad Fujitsu Labs. Of America USA Tao Xie NC State University USA Wei Yang NC State University USA
2. Growing Popularity of Smartphone Source: IDC
3. Growing Demand for High-Quality Apps Solution? Automated Testing Tools! Source: Compuware
4. Sample App: Simple TippyTipper Used to calculate tip amount for a meal MENU MENU
5. GUI Model for Simple TippyTipper Calculate 2 1 （1） （2） （4） Menu Menu 4 3 About Settings 5b 5a a1 11 10 a2 a2 01 00 a1 5c 5d （3） （3） （5） a1: Toggle exclude tax rate option a2: Toggle round up option
6. Automated Testing with GUI Model Classical model-based testing Generation of system-level test cases Driver synthesis for symbolic execution Recent “crawl-and-compare” testing Cross-platform compatibility testing Regression testing across different versions
7. ORBIT GUI Crawler: Overview GUI Model Automated Program Analysis (Static + Dynamic) Android Apps
8. ORBIT GUI Crawler: Overview ORBIT GUI Model Action inference Action Mapping Android Apps Dynamic Crawler
9. Proposed GUI Model Visual observable state Inspired by the UI-design principles “make places in the app look distinct” by the Android team Hierarchy GUI-component tree of a UI screen Model: a finite-state machine States: visual observable states Transitions: user actions
10. GUI Model for Simple TippyTipper Calculate 2 1 （1） （2） （4） Menu Menu 4 3 About Settings 5b 5a a1 10 11 a2 a2 01 a1 5c 5d 00 （3） （3） （5） a1: Toggle exclude tax rate option. a2: Toggle round up option.
11. Examples of States These two states differ in the state of this widget Two different states of Screen # 5b & 5d （5b） （5d）
12. Action Inference Locate all instances of event handler definitions in the code (sinks) Associate each with the corresponding widget instantiations (sources) TippyTipper.java View btn_delete = findViewById(R.id.btn_delete); Btn_delete.setOnClickListener(newonClickListener() { public void onClick(View v) { removeBillAmount(); FlurryAgent.onEvent(“Delete Button”); } }); Btn_delete.setOnClickListener(newonLongClickListener() { public void onLongClick(View v) { clearBillAmount(); return true; } }); … R.Id.java … Inference: Widget btn_delete with Id = 0x7f0000a supports actions clickand longClick
13. Action Inference Algorithm Algorithm 1. registeredActionDetection Input : A: app source code Output: E: action map 1 begin 2 ActionSet← getAllActions() 3 EntryPoints← getAllEntryPoints() 4 foreachP ∈ EntryPointsdo 5 CG ← makeCallGraph(A, P) 6 foreachX ∈ ActionSetdo 7 L ← getEventRegMethod(X) 8 PNodeSet← getParentNode(CG, L) // Get all L’s callers 9 foreachPNode ∈ PNodeSetdo 10 s ← findCallT o(PNode,L) 11 v ← getCallingObject(s) 12 i← backLocate(v,A) 13 ID ← getParameter(i) 14 E.add(ID,X) 15 end 16 end 17 end 18 end
14. Simple TippyTipper: Actions Found ScreenActionMapping (net.mandaria.tippytipper.activities.TippyTipper, Menu) (net.mandaria.tippytipper.activities.Total, Menu) WidgetActionMapping (R.id.btn_delete, click) (R.id.btn_delete, longclick) (R.id.btn_clear, click) (R.id.btn_clear, longclick)
15. Dynamic Crawling ActivityTippyTipper Activity Setting Activity Total 1-9，DEL, CLEAR Toggle BACK Toggle Calculate Toggle Toggle BACK MENU BACK MENU Toggle Toggle Toggle SETTINGS Toggle
16. Dynamic Crawling: Algorithm Algorithm: forwardCrawlFromState Input : sc: state to crawl from, A: app under test, M: crawled model being generated, E: action map Output: s: current state at end of crawling Algorithm: crawlapp Input : A: app under test, E: action map Output: M: crawled model 1 begin 2 M←∅; s ← getOpeningScreen(A) 3 while s = null do 4 s ← forwardCrawlFromState(s,A,M,E) // forward crawl from s 5 s ← backtrack(s,A) 6 if isInitialState(s) then s ← findNewOpenState(s,M,A) 7 end 8 end 1 begin 2 sx← sc 3 while sx= null do 4 s ← sx 5 if isNewState(s) then 6 initActions(s,E,A) 7 addToModel(s,M) 8 end 9 e ← getNextOpenAction(s) 10 if e = null then sx ← null 11 else 12 sx← execute(s,e,A) 13 updateOpenActions(s,e) 14 addToModel(s,e,sx,M) 15 end 16 end 17 return s 18 end
17. Tool Implementation Action Detector Partial Connected Call Graph WALA Sub-CallGraph Inference Algorithm source code GUI Model Intent Passing Logic Action Mapping Android App deploy FwdCrawl Algorithm Robotium Android Runtime Dynamic Crawler ORBIT
18.  Related Work GUITAR: GUI Ripping for Windows, Java-based GUI (desktop) apps, Memon et al. 2003 A simplified event-flow model of simple tippytipper Our GUI model of simple tippytipper Calculate 2 1 Click 1 Click 3 Click 2 Menu Menu 4 3 Click 4 Click 5 About Settings Click 6 5b 5a Click 7 a1 11 10 a2 a2 Click 8 Click 9 5c 5d a1 01 00 Click 0 Click CLEAR Click DEL a1: Toggle exclude tax rate option a2: Toggle round up option Click Calculate Event and component based model (not suitable for stateful behavior) Black-box & dynamic (not effective for complex events)
19.  Related Work(Cont.) Concolic Testing of Android ApplicationsAnand et al. 2012 Random Testing of Android ApplicationsHu and Neamtiu 2011 AndroidRipper: Stress Testing of Android ApplicationsAmaltano et al. 2012 Crawljax: Crawling of AJAX Web ApplicationsMesbah et al. 2012
20. Research Questions RQ1: Is the proposed GUI crawling algorithm moreefficient than a standard depth-first state-traversal algorithm? RQ2: Are the widget and screen actions inferred by static analysis effectivein enhancing the behavior covered by the generated model? RQ3: Can our tool generate a higher-quality model, moreefficiently, compared to other state-of-the-art techniques?
21. Evaluation Subjects Our evaluation is based on subjects drawn from existing related work Avoid bias by including all subjects used to evaluate Android GUITAR and GUI Ripper in previous work.
22. Efficiency of Crawling Algorithms DFS takes 70% more time to traverse all 9 subjects together
23. Effectiveness of Action Inference Firing non-click actions during crawling increases the coverage by 34% on average.
24. Comparison with Other Tools Our crawler is 32%-75% faster while constructing a 5%-140% more complete model than Android GUITAR and Android GUI Ripper.
25. Conclusion ORBIT GUI Model Action inference Action Mapping Android Apps ORBIT: a grey-box approach for automated GUI-model generation of mobile applications Evaluation shows that ORBIT RQ1: performs moreefficiently than a standard DFS algorithm RQ2: enhances effectively behavior coverage w/ static analysis RQ3: generates a higher-quality model, moreefficiently than existing state-of-the-art techniques Dynamic Crawler
26. Thanks! Acknowledgment: NSF grants CCF-0845272, CCF-0915400, CNF-0958235, CNS-1160603, and an NSA Science of Security LabletGrant.
27. Conclusion ORBIT GUI Model Action inference Action Mapping Android Apps ORBIT: a grey-box approach for automated GUI-model generation of mobile applications Evaluation shows that ORBIT RQ1: performs moreefficiently than a standard DFS algorithm RQ2: enhances effectively behavior coverage w/ static analysis RQ3: generates a higher-quality model, moreefficiently than existing state-of-the-art techniques Dynamic Crawler
28. Future Work Crawling algorithm Incorporate the context of event call to prune the order of the sequence. GUI model Explore the possibility to generate a complete specification or test oracle by using our driver and partial specification. Selection of subjects Inter-application communication of Android application. Manual effort