{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,1]],"date-time":"2026-07-01T04:07:47Z","timestamp":1782878867772,"version":"3.54.5"},"reference-count":112,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2021,2,9]],"date-time":"2021-02-09T00:00:00Z","timestamp":1612828800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000001","name":"NSF","doi-asserted-by":"publisher","award":["1815336"],"award-info":[{"award-number":["1815336"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2021,8,31]]},"abstract":"<jats:p>\n            Mobile application security has been a major area of focus for security research over the course of the last decade. Numerous application analysis tools have been proposed in response to malicious, curious, or vulnerable apps. However, existing tools, and specifically, static analysis tools, trade soundness of the analysis for precision and performance and are hence sound\n            <jats:italic>y<\/jats:italic>\n            . Unfortunately, the specific unsound choices or flaws in the design of these tools is often not known or well documented, leading to misplaced confidence among researchers, developers, and users. This article describes the\n            <jats:italic>Mutation-Based Soundness Evaluation<\/jats:italic>\n            (\u03bcSE) framework, which systematically evaluates Android static analysis tools to discover, document, and fix flaws, by leveraging the well-founded practice of mutation analysis. We implemented \u03bcSE and applied it to a set of prominent Android static analysis tools that detect private data leaks in apps. In a study conducted previously, we used \u03bcSE to discover 13 previously undocumented flaws in FlowDroid, one of the most prominent data leak detectors for Android apps. Moreover, we discovered that flaws also propagated to other tools that build upon the design or implementation of FlowDroid or its components. This article substantially extends our \u03bcSE framework and offers a new in-depth analysis of two more major tools in our 2020 study; we find 12 new, undocumented flaws and demonstrate that all 25 flaws are found in more than one tool, regardless of any inheritance-relation among the tools. Our results motivate the need for systematic discovery and documentation of unsound choices in soundy tools and demonstrate the opportunities in leveraging mutation testing in achieving this goal.\n          <\/jats:p>","DOI":"10.1145\/3439802","type":"journal-article","created":{"date-parts":[[2021,2,10]],"date-time":"2021-02-10T14:58:29Z","timestamp":1612969109000},"page":"1-37","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":13,"title":["Systematic Mutation-Based Evaluation of the Soundness of Security-Focused Android Static Analysis Techniques"],"prefix":"10.1145","volume":"24","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-9455-2230","authenticated-orcid":false,"given":"Amit Seal","family":"Ami","sequence":"first","affiliation":[{"name":"Department of Computer Science, William &amp; Mary, Williamsburg, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Kaushal","family":"Kafle","sequence":"additional","affiliation":[{"name":"Department of Computer Science, William &amp; Mary, Williamsburg, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Kevin","family":"Moran","sequence":"additional","affiliation":[{"name":"Department of Computer Science, George Mason University, Fairfax, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Adwait","family":"Nadkarni","sequence":"additional","affiliation":[{"name":"Department of Computer Science, William &amp; Mary, Williamsburg, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Denys","family":"Poshyvanyk","sequence":"additional","affiliation":[{"name":"Department of Computer Science, William &amp; Mary, Williamsburg, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2021,2,9]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813648"},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.33"},{"key":"e_1_2_1_3_1","unstructured":"Android Developers. [n.d.]. Fragments. Retrieved July 7 2019 from https:\/\/developer.android.com\/guide\/components\/fragments.html.  Android Developers. [n.d.]. Fragments. Retrieved July 7 2019 from https:\/\/developer.android.com\/guide\/components\/fragments.html."},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/2610384.2610403"},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23247"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/2594291.2594299"},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382222"},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.5555\/2818754.2818808"},{"key":"e_1_2_1_9_1","volume-title":"Proceedings of the 24th USENIX Security Symposium (USENIX Security\u201915)","author":"Backes Michael","year":"2015","unstructured":"Michael Backes , Sven Bugiel , Christian Hammer , Oliver Schranz , and Philipp von Styp-Rekowsky . 2015 . Boxify: Full-fledged app sandboxing for stock Android . In Proceedings of the 24th USENIX Security Symposium (USENIX Security\u201915) . Michael Backes, Sven Bugiel, Christian Hammer, Oliver Schranz, and Philipp von Styp-Rekowsky. 2015. Boxify: Full-fledged app sandboxing for stock Android. In Proceedings of the 24th USENIX Security Symposium (USENIX Security\u201915)."},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-36742-7_39"},{"key":"e_1_2_1_11_1","volume-title":"Proceedings of the 27th USENIX Security Symposium (USENIX Security\u201918)","author":"Bonett Richard","year":"2018","unstructured":"Richard Bonett , Kaushal Kafle , Kevin Moran , Adwait Nadkarni , and Denys Poshyvanyk . 2018 . Discovering flaws in security-focused static analysis tools for android using systematic mutation . In Proceedings of the 27th USENIX Security Symposium (USENIX Security\u201918) . USENIX Association, 1263--1280. https:\/\/www.usenix.org\/conference\/usenixsecurity18\/presentation\/bonett. Richard Bonett, Kaushal Kafle, Kevin Moran, Adwait Nadkarni, and Denys Poshyvanyk. 2018. Discovering flaws in security-focused static analysis tools for android using systematic mutation. In Proceedings of the 27th USENIX Security Symposium (USENIX Security\u201918). USENIX Association, 1263--1280. https:\/\/www.usenix.org\/conference\/usenixsecurity18\/presentation\/bonett."},{"key":"e_1_2_1_12_1","volume-title":"Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS\u201912)","author":"Bugiel Sven","year":"2012","unstructured":"Sven Bugiel , Lucas Davi , Alexandra Dmitrienko , Thomas Fischer , Ahmad-Reza Sadeghi , and Bhargava Shastry . 2012 . Toward taming privilege-escalation attacks on Android . In Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS\u201912) . Sven Bugiel, Lucas Davi, Alexandra Dmitrienko, Thomas Fischer, Ahmad-Reza Sadeghi, and Bhargava Shastry. 2012. Toward taming privilege-escalation attacks on Android. In Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS\u201912)."},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/2046614.2046624"},{"key":"e_1_2_1_14_1","volume-title":"Proceedings of the 2016 IEEE European Symposium on Security and Privacy (EuroS P\u201916)","author":"Calzavara S.","unstructured":"S. Calzavara , I. Grishchenko , and M. Maffei . 2016. HornDroid: Practical and sound static analysis of Android applications by SMT solving . In Proceedings of the 2016 IEEE European Symposium on Security and Privacy (EuroS P\u201916) . 47--62. S. Calzavara, I. Grishchenko, and M. Maffei. 2016. HornDroid: Practical and sound static analysis of Android applications by SMT solving. In Proceedings of the 2016 IEEE European Symposium on Security and Privacy (EuroS P\u201916). 47--62."},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2015.23140"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/1999995.2000018"},{"key":"e_1_2_1_17_1","volume-title":"Proceedings of the 13th Information Security Conference (ISC\u201910)","author":"Conti Mauro","year":"2010","unstructured":"Mauro Conti , Vu Thien Nga Nguyen , and Bruno Crispo . 2010 . CRePE: Context-related policy enforcement for Android . In Proceedings of the 13th Information Security Conference (ISC\u201910) . Mauro Conti, Vu Thien Nga Nguyen, and Bruno Crispo. 2010. CRePE: Context-related policy enforcement for Android. In Proceedings of the 13th Information Security Conference (ISC\u201910)."},{"key":"e_1_2_1_18_1","unstructured":"Benjamin Davis Ben Sanders Armen Khodaverdian and Hao Chen. 2012. I-ARM-Droid: A rewriting framework for in-app reference monitors for Android applications.  Benjamin Davis Ben Sanders Armen Khodaverdian and Hao Chen. 2012. I-ARM-Droid: A rewriting framework for in-app reference monitors for Android applications."},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1109\/C-M.1978.218136"},{"key":"e_1_2_1_20_1","volume-title":"IEEE 8th International Conference on Software Testing, Verification and Validation Workshops (ICSTW\u201915)","author":"Deng Lin","unstructured":"Lin Deng , N. Mirzaei , P. Ammann , and J. Offutt . 2015. Towards mutation analysis of Android apps . In IEEE 8th International Conference on Software Testing, Verification and Validation Workshops (ICSTW\u201915) . 1--10. Lin Deng, N. Mirzaei, P. Ammann, and J. Offutt. 2015. Towards mutation analysis of Android apps. In IEEE 8th International Conference on Software Testing, Verification and Validation Workshops (ICSTW\u201915). 1--10."},{"key":"e_1_2_1_21_1","volume-title":"Analysis of Mutation Operators for the Python Language","author":"Derezi\u0144ska Anna","unstructured":"Anna Derezi\u0144ska and Konrad Ha\u0142as . 2014. Analysis of Mutation Operators for the Python Language . Springer International Publishing , Cham , 155--164. Anna Derezi\u0144ska and Konrad Ha\u0142as. 2014. Analysis of Mutation Operators for the Python Language. Springer International Publishing, Cham, 155--164."},{"key":"e_1_2_1_22_1","volume-title":"Android Developer Documentation\u2014Broadcasts. Retrieved","author":"Developers Android","year":"2019","unstructured":"Android Developers . 2019. Android Developer Documentation\u2014Broadcasts. Retrieved July 7, 2019 from https:\/\/developer.android.com\/guide\/components\/broadcasts.html. Android Developers. 2019. Android Developer Documentation\u2014Broadcasts. Retrieved July 7, 2019 from https:\/\/developer.android.com\/guide\/components\/broadcasts.html."},{"key":"e_1_2_1_23_1","volume-title":"Android Developer Documentation\u2014Intents and Intent Filters. Retrieved","author":"Developers Android","year":"2019","unstructured":"Android Developers . 2019. Android Developer Documentation\u2014Intents and Intent Filters. Retrieved July 7, 2019 from https:\/\/developer.android.com\/guide\/components\/intents-filters.html. Android Developers. 2019. Android Developer Documentation\u2014Intents and Intent Filters. Retrieved July 7, 2019 from https:\/\/developer.android.com\/guide\/components\/intents-filters.html."},{"key":"e_1_2_1_24_1","volume-title":"Android Developer Documentation\u2014The Activity Lifecycle. Retrieved","author":"Developers Android","year":"2019","unstructured":"Android Developers . 2019. Android Developer Documentation\u2014The Activity Lifecycle. Retrieved July 7, 2019 from https:\/\/developer.android.com\/guide\/components\/activities\/activity-lifecycle.html. Android Developers. 2019. Android Developer Documentation\u2014The Activity Lifecycle. Retrieved July 7, 2019 from https:\/\/developer.android.com\/guide\/components\/activities\/activity-lifecycle.html."},{"key":"e_1_2_1_25_1","volume-title":"Proceedings of the 8th IEEE International Conference on Software Testing, Verification and Validation, (ICST\u201915)","author":"Nardo Daniel Di","unstructured":"Daniel Di Nardo , Fabrizio Pastore , and Lionel C. Briand . 2015. Generating complex and faulty test data through model-based mutation analysis . In Proceedings of the 8th IEEE International Conference on Software Testing, Verification and Validation, (ICST\u201915) . 1--10. Daniel Di Nardo, Fabrizio Pastore, and Lionel C. Briand. 2015. Generating complex and faulty test data through model-based mutation analysis. In Proceedings of the 8th IEEE International Conference on Software Testing, Verification and Validation, (ICST\u201915). 1--10."},{"key":"e_1_2_1_26_1","volume-title":"Proceedings of the USENIX Security Symposium.","author":"Dietz Michael","unstructured":"Michael Dietz , Shashi Shekhar , Yuliy Pisetsky , Anhei Shu , and Dan S. Wallach . 2011. Quire: Lightweight provenance for smart phone operating systems . In Proceedings of the USENIX Security Symposium. Michael Dietz, Shashi Shekhar, Yuliy Pisetsky, Anhei Shu, and Dan S. Wallach. 2011. Quire: Lightweight provenance for smart phone operating systems. In Proceedings of the USENIX Security Symposium."},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.15"},{"key":"e_1_2_1_28_1","unstructured":"DroidBench [n.d.]. DroidBench 2.0. Retrieved June 27 2020 from https:\/\/github.com\/secure-software-engineering\/DroidBench.  DroidBench [n.d.]. DroidBench 2.0. Retrieved June 27 2020 from https:\/\/github.com\/secure-software-engineering\/DroidBench."},{"key":"e_1_2_1_29_1","volume-title":"Planet of the Phones. Retrieved","author":"Economist The","year":"2019","unstructured":"The Economist . 2015. Planet of the Phones. Retrieved July 7, 2019 from http:\/\/www.economist.com\/news\/leaders\/21645180-smartphone-ubiquitous-addictive-and-transformative-planet-phones. The Economist. 2015. Planet of the Phones. Retrieved July 7, 2019 from http:\/\/www.economist.com\/news\/leaders\/21645180-smartphone-ubiquitous-addictive-and-transformative-planet-phones."},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516693"},{"key":"e_1_2_1_31_1","volume-title":"Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS\u201911)","author":"Egele Manuel","year":"2011","unstructured":"Manuel Egele , Christopher Kruegel , Engin Kirda , and Giovanni Vigna . 2011 . PiOS: Detecting privacy leaks in iOS applications . In Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS\u201911) . Manuel Egele, Christopher Kruegel, Engin Kirda, and Giovanni Vigna. 2011. PiOS: Detecting privacy leaks in iOS applications. In Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS\u201911)."},{"key":"e_1_2_1_32_1","volume-title":"Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation (OSDI\u201910)","author":"Enck William","unstructured":"William Enck , Peter Gilbert , Byung-Gon Chun , Landon P. Cox , Jaeyeon Jung , Patrick McDaniel , and Anmol N. Sheth . 2010. TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones . In Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation (OSDI\u201910) . William Enck, Peter Gilbert, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth. 2010. TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones. In Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation (OSDI\u201910)."},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/1653662.1653691"},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382205"},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516655"},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/2046707.2046779"},{"key":"e_1_2_1_37_1","volume-title":"Proceedings of the USENIX Security Symposium.","author":"Felt Adrienne Porter","year":"2011","unstructured":"Adrienne Porter Felt , Helen J. Wang , Alexander Moshchuk , Steven Hanna , and Erika Chin . 2011 . Permission re-delegation: Attacks and defenses . In Proceedings of the USENIX Security Symposium. Adrienne Porter Felt, Helen J. Wang, Alexander Moshchuk, Steven Hanna, and Erika Chin. 2011. Permission re-delegation: Attacks and defenses. In Proceedings of the USENIX Security Symposium."},{"key":"e_1_2_1_38_1","volume-title":"Proceedings of the ACM Conference on Computer and Communications Security (CCS\u201914)","author":"Fengguo Wei Xinming Ou","year":"2014","unstructured":"Xinming Ou Fengguo Wei , Sankardas Roy and Robby. 2014 . Amandroid: A precise and general inter-component data flow analysis framework for security vetting of Android apps . In Proceedings of the ACM Conference on Computer and Communications Security (CCS\u201914) . Xinming Ou Fengguo Wei, Sankardas Roy and Robby. 2014. Amandroid: A precise and general inter-component data flow analysis framework for security vetting of Android apps. In Proceedings of the ACM Conference on Computer and Communications Security (CCS\u201914)."},{"key":"e_1_2_1_39_1","volume-title":"Apache Ant Build System. Retrieved","author":"Software Foundation The Apache","year":"2019","unstructured":"The Apache Software Foundation . 2019. Apache Ant Build System. Retrieved July 7, 2019 from http:\/\/ant.apache.org. The Apache Software Foundation. 2019. Apache Ant Build System. Retrieved July 7, 2019 from http:\/\/ant.apache.org."},{"key":"e_1_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.21236\/ADA579929"},{"key":"e_1_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.29"},{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-30921-2_17"},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/2307636.2307663"},{"key":"e_1_2_1_44_1","first-page":"4","article-title":"Testing programs with the aid of a compiler","volume":"3","author":"Hamlet R. G.","year":"1977","unstructured":"R. G. Hamlet . 1977 . Testing programs with the aid of a compiler . IEEE Trans. Software Eng. 3 , 4 (July 1977), 279--290. R. G. Hamlet. 1977. Testing programs with the aid of a compiler. IEEE Trans. Software Eng. 3, 4 (July 1977), 279--290.","journal-title":"IEEE Trans. Software Eng."},{"key":"e_1_2_1_45_1","volume-title":"Proceedings of the USENIX Security Symposium.","author":"Heuser Stephan","year":"2014","unstructured":"Stephan Heuser , Adwait Nadkarni , William Enck , and Ahmad-Reza Sadeghi . 2014 . ASM: A programmable interface for extending Android security . In Proceedings of the USENIX Security Symposium. Stephan Heuser, Adwait Nadkarni, William Enck, and Ahmad-Reza Sadeghi. 2014. ASM: A programmable interface for extending Android security. In Proceedings of the USENIX Security Symposium."},{"key":"e_1_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1145\/2557547.2557563"},{"key":"e_1_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2013.6693128"},{"key":"e_1_2_1_48_1","unstructured":"iccbench [n.d.]. ICC-Bench. Retrieved June 27 2020 from https:\/\/github.com\/fgwei\/ICC-Bench.  iccbench [n.d.]. ICC-Bench. Retrieved June 27 2020 from https:\/\/github.com\/fgwei\/ICC-Bench."},{"key":"e_1_2_1_49_1","volume-title":"Gradle Build System. Retrieved","author":"Gradle Inc. 2019.","year":"2019","unstructured":"Gradle Inc. 2019. Gradle Build System. Retrieved July 7, 2019 from https:\/\/gradle.org. Gradle Inc. 2019. Gradle Build System. Retrieved July 7, 2019 from https:\/\/gradle.org."},{"key":"e_1_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/3106237.3106244"},{"key":"e_1_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1145\/2884781.2884782"},{"key":"e_1_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/2381934.2381938"},{"key":"e_1_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-40203-6_43"},{"key":"e_1_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455806"},{"key":"e_1_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1145\/2614628.2614633"},{"key":"e_1_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.5555\/3155562.3155681"},{"key":"e_1_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2017.36"},{"key":"e_1_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2015.48"},{"key":"e_1_2_1_59_1","volume-title":"Proceedings of the 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications. 388--397","author":"Li L.","year":"2014","unstructured":"L. Li , A. Bartel , J. Klein , and Y. L. Traon . 2014. Automatically exploiting potential component leaks in Android applications . In Proceedings of the 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications. 388--397 . DOI:https:\/\/doi.org\/10.1109\/TrustCom. 2014 .50 10.1109\/TrustCom.2014.50 L. Li, A. Bartel, J. Klein, and Y. L. Traon. 2014. Automatically exploiting potential component leaks in Android applications. In Proceedings of the 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications. 388--397. DOI:https:\/\/doi.org\/10.1109\/TrustCom.2014.50"},{"key":"e_1_2_1_60_1","volume-title":"Steven Arzt, Siegfried Rasthofer, Eric Bodden, Damien Octeau, and Patrick McDaniel.","author":"Li Li","year":"2014","unstructured":"Li Li , Alexandre Bartel , Jacques Klein , Yves Le Traon , Steven Arzt, Siegfried Rasthofer, Eric Bodden, Damien Octeau, and Patrick McDaniel. 2014 . I know what leaked in your pocket: Uncovering privacy leaks on Android apps with static taint analysis. In CoRR. Li Li, Alexandre Bartel, Jacques Klein, Yves Le Traon, Steven Arzt, Siegfried Rasthofer, Eric Bodden, Damien Octeau, and Patrick McDaniel. 2014. I know what leaked in your pocket: Uncovering privacy leaks on Android apps with static taint analysis. In CoRR."},{"key":"e_1_2_1_61_1","first-page":"1","article-title":"Tracking load-time configuration options","volume":"99","author":"Lillack M.","year":"2017","unstructured":"M. Lillack , C. Kastner , and E. Bodden . 2017 . Tracking load-time configuration options . IEEE Transactions on Software Engineering PP , 99 (2017), 1 -- 1 . DOI:https:\/\/doi.org\/10.1109\/TSE.2017.2756048 10.1109\/TSE.2017.2756048 M. Lillack, C. Kastner, and E. Bodden. 2017. Tracking load-time configuration options. IEEE Transactions on Software Engineering PP, 99 (2017), 1--1. DOI:https:\/\/doi.org\/10.1109\/TSE.2017.2756048","journal-title":"IEEE Transactions on Software Engineering PP"},{"key":"e_1_2_1_62_1","volume-title":"Retrieved","author":"Limited Droid","year":"2019","unstructured":"F- Droid Limited . 2019 . F-Droid\u2014Free and Open Source Android App Repository . Retrieved August 10, 2019 from https:\/\/f-droid.org\/en\/. F-Droid Limited. 2019. F-Droid\u2014Free and Open Source Android App Repository. Retrieved August 10, 2019 from https:\/\/f-droid.org\/en\/."},{"key":"e_1_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.1145\/3106237.3106275"},{"key":"e_1_2_1_64_1","doi-asserted-by":"publisher","DOI":"10.1109\/BADGERS.2014.7"},{"key":"e_1_2_1_65_1","doi-asserted-by":"publisher","DOI":"10.1145\/2742647.2742668"},{"key":"e_1_2_1_66_1","doi-asserted-by":"publisher","DOI":"10.1145\/2644805"},{"key":"e_1_2_1_67_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382223"},{"key":"e_1_2_1_68_1","volume-title":"Proceedings of the 13th International Symposium on Software Reliability Engineering (ISSRE\u201902)","author":"Ma Yu-Seung","year":"2002","unstructured":"Yu-Seung Ma , Yong Rae Kwon , and Jeff Offutt . 2002 . Inter-class mutation operators for Java . In Proceedings of the 13th International Symposium on Software Reliability Engineering (ISSRE\u201902) . 352--366. Yu-Seung Ma, Yong Rae Kwon, and Jeff Offutt. 2002. Inter-class mutation operators for Java. In Proceedings of the 13th International Symposium on Software Reliability Engineering (ISSRE\u201902). 352--366."},{"key":"e_1_2_1_69_1","doi-asserted-by":"publisher","DOI":"10.1145\/2931037.2931054"},{"key":"e_1_2_1_70_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-C.2017.16"},{"key":"e_1_2_1_71_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICST.2016.34"},{"key":"e_1_2_1_72_1","doi-asserted-by":"publisher","DOI":"10.1145\/292540.292561"},{"key":"e_1_2_1_73_1","doi-asserted-by":"publisher","DOI":"10.1145\/363516.363526"},{"key":"e_1_2_1_74_1","doi-asserted-by":"publisher","DOI":"10.5555\/3241094.3241181"},{"key":"e_1_2_1_75_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516677"},{"key":"e_1_2_1_76_1","volume-title":"USENIX Security Symposium. 993--1008","author":"Nan Yuhong","year":"2015","unstructured":"Yuhong Nan , Min Yang , Zhemin Yang , Shunfan Zhou , Guofei Gu , and XiaoFeng Wang . 2015 . UIPicker: User-input privacy identification in mobile applications . In USENIX Security Symposium. 993--1008 . Yuhong Nan, Min Yang, Zhemin Yang, Shunfan Zhou, Guofei Gu, and XiaoFeng Wang. 2015. UIPicker: User-input privacy identification in mobile applications. In USENIX Security Symposium. 993--1008."},{"key":"e_1_2_1_77_1","doi-asserted-by":"publisher","DOI":"10.1145\/1755688.1755732"},{"key":"e_1_2_1_78_1","volume-title":"Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering.","author":"Octeau D.","unstructured":"D. Octeau , S. Jha , and P. McDaniel . 2012. Retargeting Android applications to Java bytecode . In Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering. D. Octeau, S. Jha, and P. McDaniel. 2012. Retargeting Android applications to Java bytecode. In Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering."},{"key":"e_1_2_1_79_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2015.30"},{"key":"e_1_2_1_80_1","volume-title":"Proceedings of the 22nd USENIX Security Symposium (USENIX Security\u201913)","author":"Octeau Damien","year":"2013","unstructured":"Damien Octeau , Patrick McDaniel , Somesh Jha , Alexandre Bartel , Eric Bodden , Jacques Klein , and Yves Le Traon . 2013 . Effective inter-component communication mapping in Android: An essential step towards holistic security analysis . In Proceedings of the 22nd USENIX Security Symposium (USENIX Security\u201913) . USENIX, 543--558. https:\/\/www.usenix.org\/conference\/usenixsecurity13\/technical-sessions\/presentation\/octeau. Damien Octeau, Patrick McDaniel, Somesh Jha, Alexandre Bartel, Eric Bodden, Jacques Klein, and Yves Le Traon. 2013. Effective inter-component communication mapping in Android: An essential step towards holistic security analysis. In Proceedings of the 22nd USENIX Security Symposium (USENIX Security\u201913). USENIX, 543--558. https:\/\/www.usenix.org\/conference\/usenixsecurity13\/technical-sessions\/presentation\/octeau."},{"key":"e_1_2_1_81_1","volume-title":"Untch","author":"Jefferson Offutt A.","year":"2001","unstructured":"A. Jefferson Offutt and Roland H . Untch . 2001 . Mutation 2000: Uniting the Orthogonal. Springer US , Boston, MA, 34--44. DOI:https:\/\/doi.org\/10.1007\/978-1-4757-5939-6_7 10.1007\/978-1-4757-5939-6_7 A. Jefferson Offutt and Roland H. Untch. 2001. Mutation 2000: Uniting the Orthogonal. Springer US, Boston, MA, 34--44. DOI:https:\/\/doi.org\/10.1007\/978-1-4757-5939-6_7"},{"key":"e_1_2_1_82_1","volume-title":"Proceedings of the International Conference on Software Testing, Verification, and Validation\u2014Workshops, (ICSTW\u201915)","author":"Oliveira R. A. P.","unstructured":"R. A. P. Oliveira , E. Al\u00e9groth , Z. Gao , and A. Memon . 2015. Definition and evaluation of mutation operators for GUI-level mutation analysis . In Proceedings of the International Conference on Software Testing, Verification, and Validation\u2014Workshops, (ICSTW\u201915) . 1--10. R. A. P. Oliveira, E. Al\u00e9groth, Z. Gao, and A. Memon. 2015. Definition and evaluation of mutation operators for GUI-level mutation analysis. In Proceedings of the International Conference on Software Testing, Verification, and Validation\u2014Workshops, (ICSTW\u201915). 1--10."},{"key":"e_1_2_1_83_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2009.39"},{"key":"e_1_2_1_84_1","doi-asserted-by":"publisher","DOI":"10.1145\/3236024.3236029"},{"key":"e_1_2_1_85_1","doi-asserted-by":"publisher","DOI":"10.1145\/2414456.2414498"},{"key":"e_1_2_1_86_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSTW.2016.17"},{"key":"e_1_2_1_87_1","doi-asserted-by":"publisher","DOI":"10.1145\/3213846.3213873"},{"key":"e_1_2_1_88_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3345659"},{"key":"e_1_2_1_89_1","doi-asserted-by":"publisher","DOI":"10.1109\/ARES.2014.13"},{"key":"e_1_2_1_90_1","volume-title":"Proceedings of the ACM Conference on Data and Application Security and Privacy (CODASPY\u201913)","author":"Rastogi Vaibhav","year":"2013","unstructured":"Vaibhav Rastogi , Yan Chen , and William Enck . 2013 . AppsPlayground: Automatic large-scale dynamic analysis of Android applications . In Proceedings of the ACM Conference on Data and Application Security and Privacy (CODASPY\u201913) . Vaibhav Rastogi, Yan Chen, and William Enck. 2013. AppsPlayground: Automatic large-scale dynamic analysis of Android applications. In Proceedings of the ACM Conference on Data and Application Security and Privacy (CODASPY\u201913)."},{"key":"e_1_2_1_91_1","doi-asserted-by":"publisher","DOI":"10.1145\/2996358"},{"key":"e_1_2_1_92_1","doi-asserted-by":"publisher","DOI":"10.1145\/2632168.2632169"},{"key":"e_1_2_1_93_1","volume-title":"Proceedings of the USENIX Security Symposium.","author":"Shekhar Shashi","unstructured":"Shashi Shekhar , Michael Dietz , and Dan S. Wallach . 2012. AdSplit: Separating smartphone advertising from applications . In Proceedings of the USENIX Security Symposium. Shashi Shekhar, Michael Dietz, and Dan S. Wallach. 2012. AdSplit: Separating smartphone advertising from applications. In Proceedings of the USENIX Security Symposium."},{"key":"e_1_2_1_94_1","doi-asserted-by":"publisher","DOI":"10.1145\/2642937.2643018"},{"key":"e_1_2_1_95_1","doi-asserted-by":"publisher","DOI":"10.1145\/2884781.2884855"},{"key":"e_1_2_1_96_1","volume-title":"Proceedings of the ISOC Network and Distributed Systems Symposium (NDSS\u201913)","author":"Smalley Stephen","year":"2013","unstructured":"Stephen Smalley and Robert Craig . 2013 . Security enhanced (SE) Android: Bringing flexible MAC to Android . In Proceedings of the ISOC Network and Distributed Systems Symposium (NDSS\u201913) . Stephen Smalley and Robert Craig. 2013. Security enhanced (SE) Android: Bringing flexible MAC to Android. In Proceedings of the ISOC Network and Distributed Systems Symposium (NDSS\u201913)."},{"key":"e_1_2_1_97_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23205"},{"key":"e_1_2_1_98_1","unstructured":"Steven Artz. [n.d.]. FlowDroid 2.0. Retrieved July 7 2019 from https:\/\/github.com\/secure-software-engineering\/soot-infoflow\/releases.  Steven Artz. [n.d.]. FlowDroid 2.0. Retrieved July 7 2019 from https:\/\/github.com\/secure-software-engineering\/soot-infoflow\/releases."},{"key":"e_1_2_1_99_1","volume-title":"Possible to Integrate Fragment Lifecycle? Retrieved","year":"2019","unstructured":"stream101. [n.d.]. Possible to Integrate Fragment Lifecycle? Retrieved July 7, 2019 from https:\/\/github.com\/secure-software-engineering\/soot-infoflow-android\/issues\/52. stream101. [n.d.]. Possible to Integrate Fragment Lifecycle? Retrieved July 7, 2019 from https:\/\/github.com\/secure-software-engineering\/soot-infoflow-android\/issues\/52."},{"key":"e_1_2_1_100_1","volume-title":"SE Sources and Data.Retrieved","author":"Developers SE","year":"2019","unstructured":"SE Developers . 2019. SE Sources and Data.Retrieved July 7, 2019 from https:\/\/muse-security-evaluation.github.io. SE Developers. 2019. SE Sources and Data.Retrieved July 7, 2019 from https:\/\/muse-security-evaluation.github.io."},{"key":"e_1_2_1_101_1","doi-asserted-by":"publisher","DOI":"10.5555\/781995.782008"},{"key":"e_1_2_1_102_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2013.36"},{"key":"e_1_2_1_103_1","volume-title":"Veracode\u2019s 10th State of Software Security Report Finds Organizations Reduce Rising \u2018Security Debt","year":"2019","unstructured":"Veracode. 2020. Veracode\u2019s 10th State of Software Security Report Finds Organizations Reduce Rising \u2018Security Debt \u2019 via Devsecops, Special Sprints . Retrieved July 7, 2019 from https:\/\/www.veracode.com\/veracodes-10th-state-software-security-report-finds-organizations-reduce-rising-security-debt. Veracode. 2020. Veracode\u2019s 10th State of Software Security Report Finds Organizations Reduce Rising \u2018Security Debt\u2019 via Devsecops, Special Sprints. Retrieved July 7, 2019 from https:\/\/www.veracode.com\/veracodes-10th-state-software-security-report-finds-organizations-reduce-rising-security-debt."},{"key":"e_1_2_1_104_1","volume-title":"Proceedings of the Workshop on Web 2.0 Security and Privacy (W2SP\u201911)","author":"Vidas Timothy","year":"2011","unstructured":"Timothy Vidas , Nicolas Cristin , and Lorrie Faith Cranor . 2011 . Curbing Android permission creep . In Proceedings of the Workshop on Web 2.0 Security and Privacy (W2SP\u201911) . Timothy Vidas, Nicolas Cristin, and Lorrie Faith Cranor. 2011. Curbing Android permission creep. In Proceedings of the Workshop on Web 2.0 Security and Privacy (W2SP\u201911)."},{"key":"e_1_2_1_105_1","volume-title":"Proceedings of the USENIX Security Symposium.","author":"Xu Rubin","year":"2012","unstructured":"Rubin Xu , Hassen Saidi , and Ross Anderson . 2012 . Aurasium: Practical policy enforcement for Android applications . In Proceedings of the USENIX Security Symposium. Rubin Xu, Hassen Saidi, and Ross Anderson. 2012. Aurasium: Practical policy enforcement for Android applications. In Proceedings of the USENIX Security Symposium."},{"key":"e_1_2_1_106_1","doi-asserted-by":"publisher","DOI":"10.1145\/2741948.2741966"},{"key":"e_1_2_1_107_1","doi-asserted-by":"publisher","DOI":"10.1145\/2103656.2103669"},{"key":"e_1_2_1_108_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2015.50"},{"key":"e_1_2_1_109_1","volume-title":"Proceedings of the 2nd International Conference on Software Testing Verification and Validation, (ICST\u201909)","author":"Zhou Chixiang","unstructured":"Chixiang Zhou and Phyllis G. Frankl . 2009. Mutation testing for Java database applications . In Proceedings of the 2nd International Conference on Software Testing Verification and Validation, (ICST\u201909) . 396--405. Chixiang Zhou and Phyllis G. Frankl. 2009. Mutation testing for Java database applications. In Proceedings of the 2nd International Conference on Software Testing Verification and Validation, (ICST\u201909). 396--405."},{"key":"e_1_2_1_110_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.16"},{"key":"e_1_2_1_111_1","volume-title":"Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS\u201912)","author":"Zhou Yajin","year":"2012","unstructured":"Yajin Zhou , Zhi Wang , Wu Zhou , and Xuxian Jiang . 2012 . Hey, you, get off of my market: Detecting malicious apps in official and alternative Android markets . In Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS\u201912) . Yajin Zhou, Zhi Wang, Wu Zhou, and Xuxian Jiang. 2012. Hey, you, get off of my market: Detecting malicious apps in official and alternative Android markets. In Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS\u201912)."},{"key":"e_1_2_1_112_1","volume-title":"Proceedings of the International Conference on Trust and Trustworthy Computing (TRUST\u201911)","author":"Zhou Yajin","unstructured":"Yajin Zhou , Xinwen Zhang , Xuxian Jiang , and Vincent W. Freeh . 2011. Taming information-stealing smartphone applications (on Android) . In Proceedings of the International Conference on Trust and Trustworthy Computing (TRUST\u201911) . Yajin Zhou, Xinwen Zhang, Xuxian Jiang, and Vincent W. Freeh. 2011. Taming information-stealing smartphone applications (on Android). In Proceedings of the International Conference on Trust and Trustworthy Computing (TRUST\u201911)."}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3439802","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3439802","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3439802","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T22:01:52Z","timestamp":1750197712000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3439802"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,2,9]]},"references-count":112,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2021,8,31]]}},"alternative-id":["10.1145\/3439802"],"URL":"https:\/\/doi.org\/10.1145\/3439802","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"value":"2471-2566","type":"print"},{"value":"2471-2574","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,2,9]]},"assertion":[{"value":"2020-02-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2020-11-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2021-02-09","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}