Bibliographic details

Year of defense: 2024
Main author: Costa Junior, Misael
Advisor: Not informed by the institution
Examination board: Not informed by the institution
Document type: Thesis
Access type: Open access
Language: eng
Defending institution: Biblioteca Digitais de Teses e Dissertações da USP
Graduate program: Not informed by the institution
Department: Not informed by the institution
Country: Not informed by the institution
Keywords in Portuguese:
Access link: https://www.teses.usp.br/teses/disponiveis/55/55134/tde-20082024-083506/

Abstract:
The widespread use of mobile apps, spanning activities from banking to office tasks, has intensified the demand for quality assurance activities. Nevertheless, mobile app testing faces unique challenges, such as power constraints (i.e., Performance), interface adaptation (i.e., Usability), and user data privacy (i.e., Security), which are examples of Non-Functional Requirements (NFRs). Security, one of the most critical NFRs, is pivotal for software systems, especially mobile apps. The existence of security faults (i.e., vulnerabilities) poses a substantial risk, potentially resulting in unauthorized access or malicious attacks. Traditional security testing is often costly and intricate, and it is further hampered by the oracle problem. In response, Metamorphic Testing (MT) has emerged as a strategic approach to address these challenges. Using Metamorphic Relations (MRs) derived from the Application Under Test (AUT), MT assesses faults in applications. Recent studies have explored MT's effectiveness in uncovering NFR-related faults, including those in performance and security, across domains such as Web systems and mobile apps. This PhD thesis introduces an innovative MT technique targeting six vulnerabilities reported by OWASP in Android mobile apps, which mainly affect username and password authentication methods. The technique employs five MRs to evaluate the existence of such vulnerabilities, complemented by a Metamorphic Vulnerability Testing Environment that automates the testing process. The environment streamlines both the generation and the execution of source and follow-up test cases. In an extensive experiment with 163 commercial Android applications, the technique identified 159 vulnerabilities, with 108 apps revealing at least one of them.
To confirm the identified vulnerabilities, 37 companies were contacted and the vulnerabilities in their apps were reported to them; nine responded directly, confirming the findings, and three even requested online consultations to address the issues. Although they did not respond to the reports, 26 companies released new versions of their apps that addressed the reported vulnerabilities. The experiments also revealed a surprising finding: contrary to expectations, user-perceived quality does not necessarily correlate with the absence of vulnerabilities; indeed, even applications perceived by users as high-quality are not immune to them.