When interacting with Android apps, users may not always get what they expect. For instance, when clicking on a button labeled “upload picture”, the app may actually leak the user location while uploading photos to a cloud service. In this paper we present BACKSTAGE, a static analysis framework that binds UI elements to their corresponding callbacks, and further extracts actions, in the form of Android sensitive API calls, that may be triggered by events on such UI elements. We illustrate how the analysis implemented by BACKSTAGE works, and we compare it with similar frameworks.
MOBILESoft ’18: 5th IEEE/ACM International Conference on Mobile Software Engineering and Systems