Abstract
Testing is a crucial stage in the software development process that is used to
uncover bugs and potential security threats. If testing is not conducted
thoroughly, buggy software may exhibit erroneous, malicious and even harmful
behavior.
Unfortunately, in most software systems, testing is either completely neglected
or not thoroughly conducted. One such example is Google's popular mobile
platform, Android OS, where inter-application communication is not properly
tested. This is because of the development overhead and the manual labour
required of developers to set up the testing environment. Consequently, the
lack of Android application testing continues to cause Android users to
experience erroneous behavior and sudden crashes, impacting user experience and
potentially resulting in financial losses. When a caller application attempts
to communicate with a potentially buggy application, the caller application
will suffer functional errors or may even crash. The user will then complain
that the caller application is not providing the promised functionality,
resulting in a devaluation of the application's user rating. Successive
failures will no longer be considered isolated events, potentially crippling
the credibility of the calling application's developer.
In this thesis we present an automated tester for inter-application
communication in Android applications. The approach used for testing is called
Intent based Testing. Android applications are typically divided into multiple
components that communicate via intents: messages passed through Android OS to
coordinate operations between the different components. Intents are also used
for inter-application communication, which makes them relevant for security. In
this work, we designed and built a fully automated tool called IntentFuzzer to
test the stability of inter-application communication of Android applications
using intents. First, it statically analyzes the application to generate
intents. Next, it tests the inter-application communication by fuzzing these
intents, that is, injecting random input values to uncover unwanted behavior.
In this way, we are able to expose several new defects, including potential
security issues, which we discuss briefly in the Evaluation section.
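
The two-step approach described above (static analysis to derive intents, then fuzzing them) as an added example; it is not IntentFuzzer's code. It assumes a decoded AndroidManifest.xml; the manifest, package name and function names are constructed for illustration, and the output is argument lists for Android's `am` command, run through adb against an application under test.

```python
import random
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Constructed sample manifest (decoded XML), not taken from a real application.
MANIFEST = """<manifest package="com.example.notes"
    xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <activity android:name=".ShareActivity">
      <intent-filter><action android:name="android.intent.action.SEND"/></intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true"/>
  </application>
</manifest>"""

def exported_components(manifest_xml):
    """Static step: list components reachable from other applications."""
    root = ET.fromstring(manifest_xml)
    pkg, found = root.get("package"), []
    for kind in ("activity", "service", "receiver"):
        for comp in root.iter(kind):
            filters = comp.findall("intent-filter")
            exported = comp.get(ANDROID + "exported")
            # Assumption: with no explicit flag, an intent filter implies
            # exported (the default before Android 12).
            if exported == "true" or (exported is None and filters):
                actions = [a.get(ANDROID + "name")
                           for f in filters for a in f.findall("action")]
                name = pkg + "/" + comp.get(ANDROID + "name")
                found.append((kind, name, actions or [None]))
    return found

def fuzz_intents(components, rounds, seed):
    """Dynamic step: build `am` argument lists carrying random extras."""
    rng = random.Random(seed)  # seeded so a crashing case can be replayed
    verb = {"activity": "start", "service": "startservice", "receiver": "broadcast"}
    cases = []
    for kind, name, actions in components:
        for _ in range(rounds):
            args = ["adb", "shell", "am", verb[kind], "-n", name]
            action = rng.choice(actions)
            if action:
                args += ["-a", action]
            key = "k%d" % rng.randrange(100)
            if rng.random() < 0.5:  # random-length string extra
                text = "".join(rng.choice("abXY019") for _ in range(rng.randrange(1, 64)))
                args += ["--es", key, text]
            else:                   # boundary-value integer extra
                args += ["--ei", key, str(rng.choice([0, -1, 2**31 - 1, -2**31]))]
            cases.append(args)
    return cases
```

Each returned list can be passed to `subprocess.run` while `adb logcat` is watched for exceptions raised by the receiving component.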