Principles of Mobile Application Development and Analysis (CPEN 524)

Overview

For several years now, mobile devices bypass desktops in sales: just walk into a restaurant, bar or a shopping mall and see how many individuals are holding a mobile device. The number of mobile application developers also bypasses the number of desktop developer worldwide. To better understand the mobile ecosystem, this course will look at topics specific to mobile application development and management, such as mobile application security, privacy, and energy-efficiency. Students will learn fundamentals and specifics of mobile application development and how it differs from the development of desktop applications. Students will also learn fundamentals of program analysis and how to apply analysis techniques for evaluating and vetting mobile applications developed by a third-party, e.g., those submitted to application stores.

This is a graduate research-oriented course. Each student will read, summarize, and present several scientific papers. Students will work in pairs or groups of three to propose, implement, and present an original project that advances the state-of-the-art in mobile application analysis. The course will also focus on polishing the students' research, development, communication, and technical presentation skills.

Office Hours

Thu. 5-6pm, KAIS 4053

Communication

Please enroll for Piazza and use it as the main communication vehicle. All deliverables should also be uploaded to Piazza.

Learning Objectives

By the end of the course, students will learn:

• mobile application development paradigms;
• program analysis paradigms;
• specifics of mobile development, such as mobile application security, privacy and energy-efficiency;
• application of analysis techniques for evaluating third-party mobile applications, e.g., w.r.t. security, privacy, and energy-efficiency;
• efficient technical communication and presentation skills.

Prerequisites

This course does not have formal prerequisites. However, previous programming experience, specifically in Java, C++, Swift, or Objective-C, is highly desired.

Topics and Schedule

Week	Topic	Major Deadlines
W1: Jan. 2	Introduction; mobile application development, Android development principles; mobile security, privacy and energy-efficiency [instructor]
W2: Jan. 9	Software analysis principles: static and dynamic program analysis, symbolic execution, model checking [instructor]	By 2pm on Jan. 7, select papers you would like to present here.
W3: Jan. 16	Privacy Arzt et al., "FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps" http://dl.acm.org/citation.cfm?id=2594299 Enck et al., "TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones" http://static.usenix.org/event/osdi10/tech/full_papers/Enck.pdf	Finalize groups and project topic by the beginning of class. January 14: Last day to withdraw
W4: Jan. 23	Privacy Yang et al., "AppIntent: Analyzing Sensitive Data Transmission in Android for Privacy Leakage Detection" http://dl.acm.org/citation.cfm?id=2516676 Continella et al., "Obfuscation-Resilient Privacy Leak Detection for Mobile Apps Through Differential Analysis" http://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/ndss2017_05A-4_Continella_paper.pdf
W5: Jan. 30	Security Zhou and Jiang, "Dissecting Android Malware: Characterization and Evolution" http://dl.acm.org/citation.cfm?id=2310710 Arp et al., "DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket https://www.sec.cs.tu-bs.de/pubs/2014-ndss.pdf	Project proposal are due by the beginning of class
W6: Feb. 6	Project proposal presentations [students]
W7: Feb. 13	Security Fahl et al., "Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security http://dl.acm.org/citation.cfm?id=2382205 Fratantonio et al., "TriggerScope: Towards Detecting Logic Bombs in Android Applications" https://www.cs.ucsb.edu/~vigna/publications/2016_SP_Triggerscope.pdf Mariconti et al., "MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models https://arxiv.org/pdf/1612.04433.pdf
W8: Feb. 20	Midterm Break - No classes
W9: Feb. 27	Input generation and testing Mao et al., "Sapienz: Multi-objective Automated Testing for Android Applications http://www0.cs.ucl.ac.uk/staff/K.Mao/archive/p_issta16_sapienz.pdf Su et al., "Guided, Stochastic Model-Based GUI Testing of Android Apps https://tingsu.github.io/files/fse17-stoat.pdf
W10: Mar. 6	No class
W11: Mar. 13	Input generation and testing Wong and Lie, "IntelliDroid: A Targeted Input Generator for the Dynamic Analysis of Android Malware http://www.internetsociety.org/sites/default/files/blogs-media/intellidroid-targeted-input-generator-dynamic-analysis-android-malware.pdf Hao et al., "Puma: Programmable UI-Automation for Large-Scale Dynamic Analysis of Mobile Apps https://pdfs.semanticscholar.org/2166/ed56495a8e528f891067a138f63913e9fb00.pdf	First project report is due by the beginning of class
W12: Mar. 20	Energy-efficiency Pathak et al., "Where is the energy spent inside my app? Fine Grained Energy Accounting on Smartphones with Eprof" http://dl.acm.org/citation.cfm?id=2168841 Hao et al., "Estimating Mobile Application Energy Consumption using Program Analysis" http://www-bcf.usc.edu/~halfond/papers/hao13icse.pdf
W13: Mar. 27	Energy-efficiency Banerjee et al., "Detecting Energy Bugs and Hotspots in Mobile Apps" http://dl.acm.org/citation.cfm?id=2635871 Li et al., "Automated Energy Optimization of HTTP Requests for Mobile Applications" http://dl.acm.org/citation.cfm?id=2884867
W14: Apr. 3	Workshop: project presentations and demos [students]
W15: April 10		Final project report is due by April 10

Reading Assignments

For weeks 3-5, 7, and 9-13 students will read the assigned research papers (two or three papers each week). Each student will submit a one-page summary of each paper that describes (a) the main idea of the paper, (b) a critical review that includes paper strengths and weaknesses (beyond those listed in the paper), and (c) suggestions for improvement and follow-up work.

Paper Presentations

Each week, a student will present one of the assigned research papers to the class (two or three students each week). The student should summarize the paper, discuss its strengths and weaknesses, and lead the discussion on the paper. Depending on the number of course participants, each student will present 1-2 papers. Students do not need to submit summaries of the papers they present.

By 2pm PST on January 7, 2019, please indicate which papers you would like to present. Use this form to select up to 6 papers. I will do my best to satisfy everyone's preferences and will give priority to earlier records in case multiple students are interested in the same paper.

Project

The majority of evaluation for the course is based on the course project. The expectation for the project is to generate novel insights relevant to the mobile application ecosystem. That can include novel mobile application development paradigms, novel application analysis techniques, discovery of previously unknown vulnerabilities in mobile applications, collection of statistical data on existing vulnerabilities and their impact on the society, or novel literature reviews. Come to talk to the course instructor if you want some ideas for inspiration!

The project will be performed by groups of 2-3 students. The scope of each group's project should match the number of students involved.

There are five deliverables for the project:

1. Groups are formed by the beginning of class on week 3.
2. Project proposals are due by the beginning of class on week 5.
   • The proposal should be up to 2 pages and should include (a) description of the problem solved in the project, (b) statement of novelty and relation to existing work, (c) proposed technical approach, (d) proposed evaluation, (e) timetable and the planned role of each team member.
   • Each group should set a meeting with the course instructor to discuss the project idea before submitting the proposal.
3. The first project report is due by the beginning of class on week 10.
   • The report should be up to 5 pages and should include (a) description of the problem solved in the project, possibly refined, (b) statement of novelty and relation to existing work, possibly refined, (c) technical approach, (d) results achieved so far and contribution of each team member, (e) plan to completion the planned role of each team member.
4. The final project report is due by the beginning of class on week 15.
   • The report should be up to 10 pages and should include (a) description of the problem solved in the project, (b) explicit statement of contribution and its novelty, (c) relation to existing work, (d) description of the technical approach, (e) evaluation and results, (f) contribution of each team member, (g) lessons learned and future research directions.
5. Demos and presentations will be scheduled in the course workshop that will be held during the weeks 14 or 15.

Grading

This course does not have a final exam. The attendance in lectures is mandatory. The grading is based on four components:

1. Summaries of the assigned research papers – 20%
2. Presentation of 1-2 research papers in class – 20%
3. Project – 55%, specifically:
   1. Project proposal summary and presentation – 5% (only if final report is submitted)
   2. First project report – 10% (only if final report is submitted)
   3. Final demo and presentation – 15%
   4. Final project report – 25%
4. Participation in class discussions – 5%