Who You Gonna Call? Analyzing Web Requests in Android Applications

Rapoport, Marianna; Suter, Philippe; Wittern, Erik; Lhoták, Ondřej; Dolby, Julian

doi:10.1109/msr.2017.11

Cited by 21 publications

(16 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As dynamic analysis might miss relevant parts of the code, we also implement a module that inspects the bytecode for network activity. This module relies on Stringoid [23], a static analysis tool that takes as input an APK and produces a set of string patterns representing URLs. We use it to extract constructed URL strings from applications, estimating the domains the app connects to.…”

Section: Static Analysis Of Network Trafc With String Analysismentioning

confidence: 99%

What did really change with the new release of the app?

Calciati

Kuznetsov

Bai

et al. 2018

Proceedings of the 15th International Conference on Mining Software Repositories

View full text Add to dashboard Cite

The mobile app market is evolving at a very fast pace. In order to stay in the market and fulfll user's growing demands, developers have to continuously update their apps either to fx issues or to add new features. Users and market managers may have a hard time understanding what really changed in a new release though, and therefore may not make an informative guess of whether updating the app is recommendable, or whether it may pose new security and privacy threats for the user.We propose a ready-to-use framework to analyze the evolution of Android apps. Our framework extracts and visualizes various information -such as how an app uses sensitive data, which third-party libraries it relies on, which URLs it connects to, etc.-and combines it to create a comprehensive report on how the app evolved.Besides, we present the results of an empirical study on 235 applications with at least 50 releases using our framework. Our analysis reveals that Android apps tend to have more leaks of sensitive data over time, and that the majority of API calls relative to dangerous permissions are added to the code in releases posterior to the one where the corresponding permission was requested.

show abstract

Section: Static Analysis Of Network Trafc With String Analysismentioning

confidence: 99%

What did really change with the new release of the app?

Calciati

Kuznetsov

Bai

et al. 2018

Proceedings of the 15th International Conference on Mining Software Repositories

View full text Add to dashboard Cite

show abstract

“…Rapoport et al studied web requests in Android apps [1]. They demonstrated that a large number of web requests are not immediately traceable to source code and need dynamic analysis.…”

Section: Related Workmentioning

confidence: 99%

“…Apps access the internet through web APIs in order to use an increasing number of public web services, or to communicate with private backends. Researchers have recently studied the use of such APIs in mobile apps, and, for instance, found that a large number of web requests are not directly traceable to source code [1], cloud and mail service credentials are hard-coded in the apps [2], many web requests are harmful [3], many web links targeting well-known advertisement networks impose serious risks on users [4], and lax input validation in many web APIs could compromise the security and privacy of millions of users [5].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Web APIs in Android through the Lens of Security

Gadient

Ghafari

Tarnutzer

et al. 2020

2020 IEEE 27th International Conference on Software Analysis, Evolution and Reengineering (SANER)

View full text Add to dashboard Cite

Web communication has become an indispensable characteristic of mobile apps. However, it is not clear what data the apps transmit, to whom, and what consequences such transmissions have.We analyzed the web communications found in mobile apps from the perspective of security. We first manually studied 160 Android apps to identify the commonly-used communication libraries, and to understand how they are used in these apps. We then developed a tool to statically identify web API URLs used in the apps, and restore the JSON data schemas including the type and value of each parameter.We extracted 9 714 distinct web API URLs that were used in 3 376 apps. We found that developers often use the java.net package for network communication, however, third-party libraries like OkHttp are also used in many apps. We discovered that insecure HTTP connections are seven times more prevalent in closed-source than in open-source apps, and that embedded SQL and JavaScript code is used in web communication in more than 500 different apps. This finding is devastating; it leaves billions of users and API service providers vulnerable to attack.

show abstract

“…For example, Oumaziz et al perform static analysis on mobile applications to assess if and to what extent they interact with web APIs [22]. Rapoport et al combine static analysis with a dynamic execution of selected mobile applications, exploring how to best detect consumption of web APIs [23]. Finally, Wittern et al studied how to detect the use of web APIs in JavaScript-based application code mined from GitHub using static analysis [24].…”

Section: Web Api Characteristics and Ecosystemsmentioning

confidence: 99%

Benchmarking Web API Quality

Bermbach

Wittern

2016

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Modern applications increasingly interact with web APIs -reusable components, deployed and operated outside the application, and accessed over the network. Their existence, arguably, spurs application innovations, making it easy to integrate data or functionalities. While previous work has analyzed the ecosystem of web APIs and their design, little is known about web API quality at runtime. This gap is critical, as qualities including availability, latency, or security can severely impact applications and user experience. In this paper, we revisit a 3-month, geo-distributed benchmark of popular web APIs, originally performed in 2015. We repeat this benchmark in 2018 and compare results from these two benchmarks regarding availability and latency. We furthermore introduce new results from assessing web API security measurements, collected both in 2015 and 2018, and results from our attempts to reach out to API providers with the results from our 2015 experiments. Our extensive experiments show that web API qualities vary 1.) based on the geo-distribution of clients, 2.) during our individual experiments, and 3.) between the two experiments. Our findings provide evidence to foster the discussion around web API quality, and can act as a basis for the creation of tools and approaches to mitigate quality issues.Index Terms-Web APIs, Benchmarking, Quality of Service ! 2. We denote an endpoint to be the combination of a resource, identified by a URL, and an HTTP method as proposed in [7].

show abstract

Who You Gonna Call? Analyzing Web Requests in Android Applications

Cited by 21 publications

References 19 publications

What did really change with the new release of the app?

What did really change with the new release of the app?

Web APIs in Android through the Lens of Security

Benchmarking Web API Quality

Contact Info

Product

Resources

About