Dr Xiao Chen

React Native is a widely-used open-source frame-work that facilitates the development of cross-platform mobile apps. The framework enables JavaScript code to interact with native-side code, such as Objective-C/Swift for iOS and Java/Kotlin for Android, via a communication mechanism provided by React Native. However, previous research and tools have overlooked this mechanism, resulting in incomplete analysis of React Native app code. To address this limitation, we have developed REUNIFY, a prototype tool that integrates the JavaScript and native-side code of React Native apps into an intermediate language that can be processed by the Soot static analysis framework. By doing so, REUNIFY enables the generation of a comprehensive model of the app's behavior. Our evaluation indicates that, by leveraging REUNIFY, the Soot-based framework can improve its coverage of static analysis for the 1,007 most popular React Native Android apps, augmenting the number of lines of Jimple code by 70%. Additionally, we observed an average increase of 84% in new nodes reached in the callgraph for these apps, after integrating REUNIFY. When REUNIFY is used for taint flow analysis, an average of two additional privacy leaks were identified. Overall, our results demonstrate that REUNIFY significantly enhances the Soot-based framework's capability to analyze React Native Android apps.

Despite being one of the largest and most popular projects, the official Android framework has only provided test cases for less than 30% of its APIs. Such a poor test case coverage rate has led to many compatibility issues that can cause apps to crash at runtime on specific Android devices, resulting in poor user experiences for both apps and the Android ecosystem. To mitigate this impact, various approaches have been proposed to automatically detect such compatibility issues. Unfortunately, these approaches have only focused on detecting signature-induced compatibility issues (i.e., a certain API does not exist in certain Android versions), leaving other equally important types of compatibility issues unresolved. In this work, we propose a novel prototype tool, JUnitTestGen, to fill this gap by mining existing Android API usage to generate unit test cases. After locating Android API usage in given real-world Android apps, JUnitTestGen performs inter-procedural backward data-flow analysis to generate a minimal executable code snippet (i.e., test case). Experimental results on thousands of real-world Android apps show that JUnitTestGen is effective in generating valid unit test cases for Android APIs. We show that these generated test cases are indeed helpful for pinpointing compatibility issues, including ones involving semantic code changes.

Despite that our community has spent numerous efforts on analyzing mobile apps, there is no study proposed for characterizing the relationship between smartphone and smartwatch apps. To fill this gap, we present to the community a comparative study of smartphone and smartwatch apps, aiming at understanding the status quo of cross-phone/watch apps. Specifically, in this work, we first collect a set of cross-phone/watch app pairs and then experimentally look into them to explore their similarities or dissimilarities from different perspectives. Experimental results show that (1) Approximately, up to 40% of resource files, 30% of code methods are reused between smartphone/watch app pairs, (2) Smartphone apps may require more than twice as many as permissions and adopt more than five times as many as user interactions than their watch counterparts, and (3) Smartwatch apps can be released as either standalone (can be run independently) or companion versions (i.e., have to co-work with their smartphone counterparts), for which the former type of apps tends to require more permissions and reuse more code, involve more user interactions than the latter type. Our findings can help developers and researchers understand the ecosystem of smartwatch apps and further gain insight into migrating smartphone apps for smartwatches.

POI (point-of-interest) recommendation as an important type of location-based services has received increasing attention with the rise of location-based social networks. Although significant efforts have been dedicated to learning and recommending users' next POIs based on their historical mobility traces, there still lacks consideration of the discrepancy of users' check-in time preferences and the inherent relationships between POIs and check-in times. To fill this gap, this paper proposes a novel recommendation method which applies multi-task learning over historical user mobility traces known to be sparse. Specifically, we design a cross-graph neural network to obtain time-aware user modeling and control how much information flows across different semantic spaces, which makes up the inadequate representation of existing user modeling methods. In addition, we design a check-in time prediction task to learn users' activities from a time perspective and learn internal patterns between POIs and their check-in times, aiming to reduce the search space to overcome the data sparsity problem. Comprehensive experiments on two real-world public datasets demonstrate that our proposed method outperforms several representative POI recommendation methods with 8.93% to 20.21 % improvement on Recall@1, 5, 10, and 9.25% to 17.56% improvement on Mean Reciprocal Rank.

While extremely valuable to achieve advanced functions, mobile phone sensors can be abused by attackers to implement malicious activities in Android apps, as experimentally demonstrated by many state-of-the-art studies. There is hence a strong need to regulate the usage of mobile sensors so as to keep them from being exploited by malicious attackers. However, despite the fact that various efforts have been put in achieving this, i.e., detecting privacy leaks in Android apps, we have not yet found approaches to automatically detect sensor leaks in Android apps. To fill the gap, we designed and implemented a novel prototype tool, Seeker, that extends the famous FlowDroid tool to detect sensor-based data leaks in Android apps. Seeker conducts sensor-focused static taint analyses directly on the Android apps' bytecode and reports not only sensor-triggered privacy leaks but also the sensor types involved in the leaks. Experimental results using over 40,000 real-world Android apps show that Seeker is effective in detecting sensor leaks in Android apps, and malicious apps are more interested in leaking sensor data than benign apps.

Voice Assistant (VAs) are increasingly popular for human-computer interaction (HCI) smartphones. To help users automatically conduct various tasks, these tools usually come with high privileges and are able to access sensitive system resources. A comprised VA is a stepping stone for attackers to hack into users' phones. Prior work has experimentally demonstrated that VAs can be a promising attack point for HCI tools. However, the state-of-the-art approaches require ad-hoc mechanisms to activate VAs that are non-trivial to trigger in practice and are usually limited to specific mobile platforms. To mitigate the limitations faced by the state-of-the-art, we propose a novel attack approach, namely Vaspy, which crafts the users' "activation voice" by silently listening to users' phone calls. Once the activation voice is formed, Vaspy can select a suitable occasion to launch an attack. Vaspy embodies a machine learning model that learns suitable attacking times to prevent the attack from being noticed by the user. We implement a proof-of-concept spyware and test it on a range of popular Android phones. The experimental results demonstrate that this approach can silently craft the activation voice of the users and launch attacks. In the wrong hands, a technique like Vaspy can enable automated attacks to HCI tools. By raising awareness, we urge the community and manufacturers to revisit the risks of VAs and subsequently revise the activation logic to be resilient to the style of attacks proposed in this work.

Mobile apps are ubiquitous in our daily lives for supporting different tasks such as reading and chatting. Despite the availability of many GUI testing tools, app testers still struggle with low testing code coverage due to tools frequently getting stuck in loops or overlooking activities with concealed entries. This results in a significant amount of testing time being spent on redundant and repetitive exploration of a few GUI pages. To address this, we utilize Android's deep links, which assist in triggering Android intents to lead users to specific pages and introduce a deep link-enhanced exploration method. This approach, integrated into the testing tool Monkey, gives rise to Delm (Deep Link-enhanced Monkey). Delm oversees the dynamic exploration process, guiding the tool out of meaningless testing loops to unexplored GUI pages. We provide a rigorous activity context mock-up approach for triggering existing Android intents to discover more activities with hidden entrances. We conduct experiments to evaluate Delm's effectiveness on activity context mock-up, activity coverage, method coverage, and crash detection. The findings reveal that Delm can mock up more complex activity contexts and significantly outperform state-of-the-art baselines with 27.2% activity coverage, 21.13% method coverage, and 23.81% crash detection.

It is important to understand the evolution of Android malware as this facilitates the development of defence techniques by proactively capturing malware features. So far, researchers mainly rely on dendrogram or family-tree analysis for malware's evolutionary development. However, our research finds that these techniques cannot support comprehensive malware evolution modelling, which provides a detailed explanation for why Android malware samples evolve in specific ways. This shortcoming is mainly caused by the coarse-grained clustering and analysis of malware samples. For example, because these works do not divide malware samples of a family into variant sets and explore the evolution principles among those sets, they usually fail to capture new variants that have been empowered by the feature 'drifting' in evolution. To address this problem, we propose a fine-grained and in-depth analysis of Android malware. Our experimental work systematically reveals the phylogenetic relationships among the variant sets for a deeper malware evolution analysis. We introduce five metrics: silhouette coefficient, creation date, variant labels, the presentativeness of the variant set formula, and the correctness of the linked edges to evaluate the correctness of our analysis. The results show that our variant clustering achieved a high silhouette value at a small sample distance (0.3), a small standard deviation (three months and 16 days) date based on when the malware samples are lastly modified, a high label consistency (91.4%), a high representativeness (93.1%) of the variant set formula. All the linked variant sets are connected based on our PhyloNet construction rules. We further analyse the coding details of Android malware for each variant set and summarise models of their evolutionary development. In this work, we successfully expose two major models of malware evolution: active evolution and passive evolution. We also disclose four technical explanations on the incentives of the two evolution models (two for each model respectively). These findings are valuable for proactive defence against newly emerged malware samples.