Black-box Testing Mobile Applications Using Sequence Covering Arrays
Abstract
Covering arrays have proven to be highly effective in detecting software bugs in what is known as combinatorial testing. A t-way covering array includes all t-way combinations of variable values, up to a specified level of t (usually 2-6 for software testing). In software systems that operate via a series of interactive inputs, e.g. button clicks, a sequence covering array composed of sequences of events can be used. A t-way sequence covering array includes all t-way permutations of events (events are not required to be adjacent). This research examines the effectiveness of using sequence covering arrays to discover software bugs in mobile phone applications. Analysis of the distribution of t-way interactions between events in event sequence bugs provides insight into the practicality and usefulness of this combinatorial testing method. From a developer’s perspective, these methods can contribute to finding this particular class of bugs early in the software development process, saving the developers time and money without sacrificing effectiveness. However, an attacker may also leverage these techniques to discover previously undetected bugs as a means to exploit the system. This method can be particularly useful for attackers in that it is often simple to determine events in interactive software, even in black-box environments where internal knowledge about the source code is absent. Mobile applications running on popular operating systems such as Android and iOS are generally very interactive and therefore susceptible to these types of bugs. This project involved analyzing hundreds of software vulnerabilities in Android software, developing a new research tool for measuring sequence coverage in existing test suites, and using these combinatorial methods on various Android mobile applications.
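The sketch below is an added illustration, not the research tool described in the abstract. It measures the t-way sequence coverage of an existing test suite, using the definition above (a permutation is covered when its events occur in order, not necessarily adjacent), and greedily adds tests until coverage is complete. The event names and the sample suite are constructed, and events are assumed to be distinct with t no larger than the number of events.

```python
from itertools import permutations

def covers(test, perm):
    """True if perm occurs in test in order; the events need not be adjacent."""
    it = iter(test)
    return all(event in it for event in perm)  # 'in' consumes the iterator

def sequence_coverage(tests, events, t):
    """Return (covered, total, missing) over all t-way permutations of events."""
    targets = list(permutations(events, t))
    missing = [p for p in targets if not any(covers(x, p) for x in tests)]
    return len(targets) - len(missing), len(targets), missing

def greedy_extend(tests, events, t):
    """Append full event orderings until every t-way permutation is covered."""
    suite = [list(x) for x in tests]
    missing = sequence_coverage(suite, events, t)[2]
    candidates = list(permutations(events))
    while missing:
        # Pick the ordering that covers the most still-missing permutations.
        best = max(candidates, key=lambda c: sum(covers(c, p) for p in missing))
        suite.append(list(best))
        missing = [p for p in missing if not covers(best, p)]
    return suite

# Constructed sample: four UI events and a two-test suite (a sequence and its
# reverse), which is enough for 2-way coverage but not for 3-way.
EVENTS = ["login", "rotate", "back", "submit"]
SUITE = [
    ["login", "rotate", "back", "submit"],
    ["submit", "back", "rotate", "login"],
]

if __name__ == "__main__":
    for t in (2, 3):
        covered, total, _ = sequence_coverage(SUITE, EVENTS, t)
        print(f"{t}-way sequence coverage: {covered}/{total}")
    full = greedy_extend(SUITE, EVENTS, 3)
    print(f"tests needed for full 3-way coverage (greedy): {len(full)}")
```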
Subject
Combinatorial testing
Black-box testing
Cybersecurity
Computer Security
Software
Software bug analysis
Covering arrays
sequence covering arrays
Android
Mobile Applications
Hacking
Citation
Ratliff, Zachary B (2018). Black-box Testing Mobile Applications Using Sequence Covering Arrays. Undergraduate Research Scholars Program. Available electronically from https://hdl.handle.net/1969.1/166475.