参考文献
[1] Android fragmentation turning devices into a toxic hellstew of vulner- abilities. http://www.zdnet.com/article/android-fragmentation-turning- devices- into- a- toxic- hellstew- of- vulnerabilities/.
[2] Android interface definition language (AIDL). https://developer.android. com/guide/components/aidl.html.
[3] App Manifest. https://developer.android.com/guide/topics/manifest/ manifest- intro.html.
[4] S. Arzt, S. Rasthofer, C. Fritz, E. Bodden, A. Bartel, J. Klein, Y. L. Traon, D. Octeau, and P. McDaniel. FlowDroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps. In PLDI, 2014.
[5] K. W. Y. Au, Y. F. Zhou, Z. Huang, and D. Lie. PScout: analyzing the android permission specification. In CCS, 2012.
[6] T. Avgerinos, S. K. Cha, B. L. T. Hao, and D. Brumley. AEG: automatic exploit generation. In Communications of the ACM, 2014.
[7] D. Brumley, P. Poosankam, D. Song, and J. Zheng. Automatic patch- based exploit generation is possible: Techniques and implications. In USENIX Security, 2008.
[8] C. Cadar, D. Dunbar, and D. R. Engler. KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs. In OSDI, 2008.
[9] C. Cadar and D. Engler. Execution generated test cases: how to make systems code crash itself. Model Checking Software, 2005.
[10] C. Cadar, V. Ganesh, P. M. Pawlowski, D. L. Dill, and D. R. Engler. EXE: automatically generating inputs of death. In CCS, 2006.
[11] C. Cao, N. Gao, P. Liu, and J. Xiang. Towards analyzing the input validation vulnerabilities associated with android system services. In ACSAC, 2015.
[12] Y. Cao, Y. Fratantonio, A. Bianchi, M. Egele, C. Kruegel, G. Vigna, and Y. Chen. EdgeMiner: automatically detecting implicit control flow transitions through the android framework. In NDSS, 2015.
[13] V. Chipounov, V. Kuznetsov, and G. Candea. S2E: a platform for in-vivo multi-path analysis of software systems. In ASPLOS, 2011.
[14] M. Costa, M. Castro, L. Zhou, L. Zhang, and M. Peinado. Bouncer: securing software by blocking bad input. In SOSP, 2007.
[15] CVE-2015-6628.
[16] CVE-2016-2496.
[17] CVE-2016-3750.
[18] CVE-2016-3759
[19] W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth. TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones. In OSDI, 2010.
[20] D. Engler and D. Dunbar. Under-constrained execution: marking automatic code destruction easy and scalable. In ISSTA, 2007.
[21] P. Godefroid, N. Klarlund, and K. Sen. DART: directed automated random testing. In PLDI, 2005.
[22] P. Godefroid, M. Y. Levin, and D. Molnar. Automated whitebox fuzz testing. In NDSS, 2008.
[23] Google. Android Interfaces and Architecture. https://source.android. com/devices/.
[24] GSON. https://sites.google.com/site/gson/Home.
[25] Handler. https://developer.android.com/reference/android/os/Handler. html.
[26] HPROF Parser. https://github.com/eaftan/hprof- parser.
[27] C. S. Jensen, M. R. Prasad, and A. Moller. Automated testing with targeted event sequence generation. In ISSTA, 2013.
[28] S. Khurshid, C. S. Pa ̆sa ̆reanu, and W. Visser. Generalized symbolic execution for model checking and testing. In TACAS, 2003.
[29] B. P. Miller, G. Cooksey, and F. Moore. An empirical study of the robustness of macos applications using random testing. In Proceedings of the International Workshop on Random Testing, 2006.
[30] N. Mirzaei, H. Bagheri, R. Mahmood, and S. Malek. SIG-Droid: automated system input generation for android applications. In ISSRE, 2015.
[31] C. Mulliner and C. Miller. Injecting sms messages into smart phones for security analysis. In WOOT, 2009.
[32] C. S. Pa ̆sa ̆reanu, P. C. Mehlitz, D. H. Bushnell, K. Gundy-Burlet, M. Lowry, S. Person, and M. Pape. Combining unit-level symbolic execution and system-level concrete execution for testing nasa software. In ISSTA, 2008.
[33] C.S.Pa ̆sa ̆reanu,W.Visser,D.Bushnell,J.Geldenhuys,P.Mehlitz,and N. Rungta. Symbolic PathFinder: integrating symbolic execution with model checking for java bytecode analysis. In ASE, 2013.
[34] D. A. Ramos and D. Engler. Under-Constrained Symbolic Execution: correctness checking for real code. In USENIX Security, 2015.
[35] D. A. Ramos and D. R. Engler. Practical, low-effort equivalence verification of real code. In CAV, 2011.
[36] C. Ren, Y. Zhang, H. Xue, T. Wei, and P. Liu. Towards discovering and understanding task hijacking in android. In USENIX Security, 2015.
[37] E. J. Schwartz, T. Avgerinos, and D. Brumley. All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In S&P, 2010.
[38] N. Shafiei and F. van Breugel. Automatic handling of native methods in Java PathFinder. In SPIN Symposium on Model Checking of Software, 2014.
[39] Y. Shao, J. Ott, Q. A. Chen, Z. Qian, and Z. M. Mao. Kratos: discovering inconsistent security policy enforcement in the android framework. In NDSS, 2016.
[40] Stagefright. https://en.wikipedia.org/wiki/Stagefright_(bug).
[41] W. Visser, K. Havelund, G. Brat, S. Park, and F. Lerda. Model checking programs. In ASE, 2003.
[42] WSJ. Google says android has 1.4 billion active users. www.wsj.com/ articles/google- says- android- has- 1- 4- billion- active- users- 1443546856.
