2023 |
Zhou M, Gao X, Wu J, Grundy J, Chen X, Chen C, Li L, 'ModelObfuscator: Obfuscating Model Information to Protect Deployed ML-Based Systems', ISSTA 2023 - Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, Seattle, USA (2023) [E1]
2023 |
Sun X, Chen X, Liu Y, Grundy J, Li L, 'LazyCow: A Lightweight Crowdsourced Testing Tool for Taming Android Fragmentation', ESEC/FSE 2023 - Proceedings of the 31st ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering, San Francisco, CA (2023) [E1]
2023 |
Zhang R, Wu T, Chen X, Wen S, Nepal S, Paris C, Xiang Y, 'Dynalogue: A Transformer-Based Dialogue System with Dynamic Attention', ACM Web Conference 2023 - Proceedings of the World Wide Web Conference, WWW 2023, Austin, Texas (2023) [E1]
2023 |
Liu Y, Chen X, Liu P, Grundy J, Chen C, Li L, 'ReuNify: A Step Towards Whole Program Analysis for React Native Android Apps', Proceedings - 2023 38th IEEE/ACM International Conference on Automated Software Engineering, ASE 2023 (2023)
React Native is a widely-used open-source framework that facilitates the development of cross-platform mobile apps. The framework enables JavaScript code to interact with native-side code, such as Objective-C/Swift for iOS and Java/Kotlin for Android, via a communication mechanism provided by React Native. However, previous research and tools have overlooked this mechanism, resulting in incomplete analysis of React Native app code. To address this limitation, we have developed REUNIFY, a prototype tool that integrates the JavaScript and native-side code of React Native apps into an intermediate language that can be processed by the Soot static analysis framework. By doing so, REUNIFY enables the generation of a comprehensive model of the app's behavior. Our evaluation indicates that, by leveraging REUNIFY, the Soot-based framework can improve its coverage of static analysis for the 1,007 most popular React Native Android apps, augmenting the number of lines of Jimple code by 70%. Additionally, we observed an average increase of 84% in new nodes reached in the callgraph for these apps, after integrating REUNIFY. When REUNIFY is used for taint flow analysis, an average of two additional privacy leaks were identified. Overall, our results demonstrate that REUNIFY significantly enhances the Soot-based framework's capability to analyze React Native Android apps.
2022 |
Li C, Chen X, Sun R, Xue M, Wen S, Ahmed ME, et al., 'Cross-language Android permission specification', ESEC/FSE 2022 - Proceedings of the 30th ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering (2022)
The Android system manages access to sensitive APIs by permission enforcement. An application (app) must declare proper permissions before invoking specific Android APIs. However, there is no official documentation providing the complete list of permission-protected APIs and the corresponding permissions to date. Researchers have spent significant efforts extracting such API protection mapping from the Android API framework, which leverages static code analysis to determine if specific permissions are required before accessing an API. Nevertheless, none of them has attempted to analyze the protection mapping in the native library (i.e., code written in C and C++), an essential component of the Android framework that handles communication with the lower-level hardware, such as cameras and sensors. While the protection mapping can be utilized to detect various security vulnerabilities in Android apps, such as permission over-privilege, imprecise mapping will lead to false results in detecting such security vulnerabilities. To fill this gap, we thereby propose to construct the protection mapping involved in the native libraries of the Android framework to present a complete and accurate specification of Android API protection. We develop a prototype system, named NatiDroid, to facilitate the cross-language static analysis and compare its performance with two state-of-the-practice tools, termed Axplorer and Arcade. We evaluate NatiDroid on more than 11,000 Android apps, including system apps from custom Android ROMs and third-party apps from the Google Play. Our NatiDroid can identify up to 464 new API-permission mappings, in contrast to the worst-case results derived from both Axplorer and Arcade, where approximately 71% apps have at least one false positive in permission over-privilege. We have disclosed all the potential vulnerabilities detected to the stakeholders.
2022 |
Sun X, Chen X, Zhao Y, Liu P, Grundy J, Li L, 'Mining Android API Usage to Generate Unit Test Cases for Pinpointing Compatibility Issues', ACM International Conference Proceeding Series (2022)
Despite being one of the largest and most popular projects, the official Android framework has only provided test cases for less than 30% of its APIs. Such a poor test case coverage rate has led to many compatibility issues that can cause apps to crash at runtime on specific Android devices, resulting in poor user experiences for both apps and the Android ecosystem. To mitigate this impact, various approaches have been proposed to automatically detect such compatibility issues. Unfortunately, these approaches have only focused on detecting signature-induced compatibility issues (i.e., a certain API does not exist in certain Android versions), leaving other equally important types of compatibility issues unresolved. In this work, we propose a novel prototype tool, JUnitTestGen, to fill this gap by mining existing Android API usage to generate unit test cases. After locating Android API usage in given real-world Android apps, JUnitTestGen performs inter-procedural backward data-flow analysis to generate a minimal executable code snippet (i.e., test case). Experimental results on thousands of real-world Android apps show that JUnitTestGen is effective in generating valid unit test cases for Android APIs. We show that these generated test cases are indeed helpful for pinpointing compatibility issues, including ones involving semantic code changes.
2021 |
Chen X, Chen W, Liu K, Chen C, Li L, 'A comparative study of smartphone and smartwatch apps', Proceedings of the ACM Symposium on Applied Computing (2021)
Despite that our community has spent numerous efforts on analyzing mobile apps, there is no study proposed for characterizing the relationship between smartphone and smartwatch apps. To fill this gap, we present to the community a comparative study of smartphone and smartwatch apps, aiming at understanding the status quo of cross-phone/watch apps. Specifically, in this work, we first collect a set of cross-phone/watch app pairs and then experimentally look into them to explore their similarities or dissimilarities from different perspectives. Experimental results show that (1) Approximately, up to 40% of resource files, 30% of code methods are reused between smartphone/watch app pairs, (2) Smartphone apps may require more than twice as many as permissions and adopt more than five times as many as user interactions than their watch counterparts, and (3) Smartwatch apps can be released as either standalone (can be run independently) or companion versions (i.e., have to co-work with their smartphone counterparts), for which the former type of apps tends to require more permissions and reuse more code, involve more user interactions than the latter type. Our findings can help developers and researchers understand the ecosystem of smartwatch apps and further gain insight into migrating smartphone apps for smartwatches.
2021 |
Wang X, Liu X, Li L, Chen X, Liu J, Wu H, 'Time-aware User Modeling with Check-in Time Prediction for Next POI Recommendation', Proceedings - 2021 IEEE International Conference on Web Services, ICWS 2021 (2021)
POI (point-of-interest) recommendation as an important type of location-based services has received increasing attention with the rise of location-based social networks. Although significant efforts have been dedicated to learning and recommending users' next POIs based on their historical mobility traces, there still lacks consideration of the discrepancy of users' check-in time preferences and the inherent relationships between POIs and check-in times. To fill this gap, this paper proposes a novel recommendation method which applies multi-task learning over historical user mobility traces known to be sparse. Specifically, we design a cross-graph neural network to obtain time-aware user modeling and control how much information flows across different semantic spaces, which makes up the inadequate representation of existing user modeling methods. In addition, we design a check-in time prediction task to learn users' activities from a time perspective and learn internal patterns between POIs and their check-in times, aiming to reduce the search space to overcome the data sparsity problem. Comprehensive experiments on two real-world public datasets demonstrate that our proposed method outperforms several representative POI recommendation methods with 8.93% to 20.21% improvement on Recall@1, 5, 10, and 9.25% to 17.56% improvement on Mean Reciprocal Rank.
2021 |
Sun X, Chen X, Liu K, Wen S, Li L, Grundy J, 'Characterizing Sensor Leaks in Android Apps', Proceedings - International Symposium on Software Reliability Engineering, ISSRE (2021)
While extremely valuable to achieve advanced functions, mobile phone sensors can be abused by attackers to implement malicious activities in Android apps, as experimentally demonstrated by many state-of-the-art studies. There is hence a strong need to regulate the usage of mobile sensors so as to keep them from being exploited by malicious attackers. However, despite the fact that various efforts have been put in achieving this, i.e., detecting privacy leaks in Android apps, we have not yet found approaches to automatically detect sensor leaks in Android apps. To fill the gap, we designed and implemented a novel prototype tool, Seeker, that extends the famous FlowDroid tool to detect sensor-based data leaks in Android apps. Seeker conducts sensor-focused static taint analyses directly on the Android apps' bytecode and reports not only sensor-triggered privacy leaks but also the sensor types involved in the leaks. Experimental results using over 40,000 real-world Android apps show that Seeker is effective in detecting sensor leaks in Android apps, and malicious apps are more interested in leaking sensor data than benign apps.
2020 |
Wang X, Liu J, Li L, Chen X, Liu X, Wu H, 'Detecting and Explaining Self-Admitted Technical Debts with Attention-based Neural Networks', 2020 35TH IEEE/ACM INTERNATIONAL CONFERENCE ON AUTOMATED SOFTWARE ENGINEERING (ASE 2020), ELECTR NETWORK (2020)
2020 |
Li Y, Xiao X, Zhu X, Chen X, Wen S, Zhang B, 'SpeedNeuzz: Speed Up Neural Program Approximation with Neighbor Edge Knowledge', 2020 IEEE 19TH INTERNATIONAL CONFERENCE ON TRUST, SECURITY AND PRIVACY IN COMPUTING AND COMMUNICATIONS (TRUSTCOM 2020), PEOPLES R CHINA, Guangzhou (2020)
2015 |
Chen C, Zhang J, Chen X, Xiang Y, Zhou W, '6 million spam tweets: A large ground truth for timely Twitter spam detection', IEEE International Conference on Communications (2015)
Twitter has changed the way of communication and getting news for people's daily life in recent years. Meanwhile, due to the popularity of Twitter, it also becomes a main target for spamming activities. In order to stop spammers, Twitter is using Google SafeBrowsing to detect and block spam links. Despite that blacklists can block malicious URLs embedded in tweets, their lagging time hinders the ability to protect users in real-time. Thus, researchers begin to apply different machine learning algorithms to detect Twitter spam. However, there is no comprehensive evaluation on each algorithms' performance for real-time Twitter spam detection due to the lack of large groundtruth. To carry out a thorough evaluation, we collected a large dataset of over 600 million public tweets. We further labelled around 6.5 million spam tweets and extracted 12 light-weight features, which can be used for online detection. In addition, we have conducted a number of experiments on six machine learning algorithms under various conditions to better understand their effectiveness and weakness for timely Twitter spam detection. We will make our labelled dataset for researchers who are interested in validating or extending our work.
2013 |
Chen X, Zhang J, Xiang Y, Zhou W, 'Traffic Identification in Semi-known Network Environment', 2013 IEEE 16TH INTERNATIONAL CONFERENCE ON COMPUTATIONAL SCIENCE AND ENGINEERING (CSE 2013), AUSTRALIA, Sydney (2013)