[NCTS Summit Review] Peking University Guo Yao: The Current Status and Challenges of the Mobile Application Ecosystem


On October 26, 2019, the second NCTS China Cloud Testing Industry Summit, hosted by Testin, was held in Beijing. Under the theme "AI+Future", the summit brought together well-known experts and scholars in the testing field from China and abroad, corporate decision makers, senior technical managers and media practitioners to discuss cloud testing technology and to help testing practitioners understand the latest industry trends and practices.

At the summit, Professor Guo Yao, deputy director of the Department of Computer Science and Technology at Peking University, delivered a keynote entitled "Mobile Application Ecosystem: Current Situation and Challenges". Professor Guo shared Peking University's latest research results on mobile applications and called on academia and the testing community to work together to identify malicious applications as early as possible, through more complete app-market review and better analysis and testing technology, and so improve the domestic mobile application ecosystem.

The following is the transcript of Professor Guo Yao’s speech:

I am very happy to attend the 2nd NCTS China Cloud Testing Industry Summit. I would like to thank Mr. Xu of Testin for inviting me to give the opening speech. Many people have come to the summit this year, and I wish it complete success.

Peking University is also doing some testing work. I am not a testing expert, but I would like to share our research on mobile applications over the past two years. My topic is "Mobile Application Ecosystem: Current Situation and Challenges".

China's mobile application ecosystem is very large: there are hundreds of application markets in the country, and the app economy is worth more than 100 billion US dollars. The ecosystem consists of mobile users, phones, developers, and large numbers of apps and application markets. In China the number of mobile users is huge, and there are many phone models and versions. The number of developers we can count, those who have actually signed apps, exceeds one million, and there are tens of thousands of mobile apps.

The whole market is very complex. Many applications in the domestic market have problems, and users often do not know which one to choose. At the same time, although many domestic application markets claim to review apps very strictly, the quality of many apps is in fact unsatisfactory. This is where testing colleagues can help developers make better applications and help users understand how to use them.

At Peking University we have done mobile application analysis and testing over the past two years: we built a large-scale mobile application analysis platform, tried to understand the problems the mobile application ecosystem faces, and used automated app testing to detect malicious app behavior. The platform crawled more than 20 application markets and nearly 10 million APKs, including different versions of the same apps. From the bottom up, we have a preprocessing layer, including unpacking (shell removal) and decompilation. On top of it we built static and dynamic analysis, including automated testing, mainly for the security and privacy analysis of third-party libraries, analysis of malicious advertising, and detection of malicious applications.

Now I would like to briefly share Peking University's recent research results.

China's mobile application ecosystem is very complex. Abroad, Google Play alone is basically enough. We compared a lot of data: we downloaded 2 million mobile applications from Google Play, and a slightly smaller but comparable number from the domestic markets. Some simple analysis of this data gives some very interesting findings. For example, application ratings run from 5 points (best) to 1 point (very bad), with 3 in the middle. We plotted a cumulative distribution (CDF); the blue line in the middle is Google Play. In the domestic application markets, apart from Google Play, 70% to 80% of application ratings are zero. The markets below are from 2.5 points down, and many ratings cluster in the middle. Such ratings are not useful as a reference and are not a regular rating distribution.

At the same time, many versions of applications that users download from application markets are not the latest. On Google Play, about 95% of applications are the latest version. Domestic application updates are not very timely: only 50% of applications are the latest version, and half are older than what is on the market. This shows that there are still many problems in our application markets.

In addition, because of Chinese localization and cracking, there are still many fake or counterfeit applications on the market. For example, the fake application rate on Google Play is 0.03%, which is very low, while the average rate in the domestic markets is about 0.6%, a 20-fold difference. We once found 30 CCB applications that all looked the same, which is very troublesome for users. Next are cloned applications, which can be made into your own with slight modifications; the rightmost column has a relatively high rate across the whole market, including Google Play, where it is 10%. Another thing users care about a lot is over-privilege: how many applications request too many permissions? This ratio is relatively high. About 65% of applications on Google Play request too many permissions, and in the domestic markets it is even higher, about 80%. Many applications request more than 8 or 9 permissions that the code never actually needs.

Everyone is concerned about whether malicious apps get into the markets and onto our phones. VirusTotal integrates about 60 detection engines. We used VirusTotal to analyze all these mobile apps and found that the proportion of malicious apps in the domestic markets is more than ten times that of Google Play, so we need testing and analysis colleagues to discover these problems as early as possible. There is another interesting result. We wanted to see whether these app markets would find these malicious apps and remove them. After 8 months we scanned these malicious apps again and found that 84% of the malicious apps on Google Play had been removed, while some domestic markets had not removed any of them; they were all still there.

The work so far focused on mobile applications in the domestic markets. Next I will introduce work on mobile application developers. Because we do testing, we care a lot about the developer ecosystem. For example, we found nearly 1 million developers in total. This is the cumulative distribution of application downloads per developer. Very few developers have more than 10K downloads, about 10%; above 1 million it is even fewer. Only 1% of developers have a cumulative download volume above 3 million. This is Google Play, which means that 1% of developers account for 80% of the application market.

About half of these mobile developers only publish on Google Play, and the other half publish on other, domestic markets. For example, based on signatures, the overlap between the Huawei market and Google Play is only 1%. Basically, different developers publish in these markets.

We recently ran an experiment on application signatures. All Android applications must be signed. Google Play provides three versions of signatures, which we call V1, V2 and V3. V1 has many vulnerabilities, and V2 fixes them. We did an analysis nearly two years after V2 was released and found that 93.7% of applications in the domestic markets used only V1 signatures, which means that if they are installed on systems before Android 7.0, they can be attacked. At the same time, some applications with more than 1 billion downloads have compatibility problems and cannot be installed on some phone versions. Some applications are signed with public keys, which means anyone can modify them. In fact this is a very easy problem to find, yet from development to testing, all the way to release in the application market, no one discovered it, and these apps still have nearly 100 million downloads.

In the first part I mainly talked about problems. To solve these problems we can also use testing, machine learning and deep learning technologies to test better, and we have done some work ourselves. For dynamic testing, people at first used Monkey to click randomly. Later we developed a tool called DroidBot, which clicks the corresponding UI elements according to UI state transitions, which is better than random clicking. Recently we brought in deep learning: based on historical data of users' click sequences, we learn where users prefer to click, so that the automated testing tool clicks like a person and gets better results.

With these dynamic analysis tools we also found other problems, for example ad fraud. Many ads trick you into clicking: when you go for the exit button, the ad pops up just as you are about to click. That is ad fraud. We use automated testing tools to find this behavior, and there is a lot of malicious ad fraud in the domestic markets. We also studied malicious push notifications, which include downloading apps, especially malicious ones, and ads, both of which are not allowed. In reality many apps have these problems and violate the app markets' policies, which shows that review efforts are still not enough.

In addition, there are many malicious dating apps. When you search nearby, many beautiful women want to chat with you; when you are about to chat they ask you to pay, and after you pay they ignore you. We used dynamic analysis tools to find hundreds of them and confirmed them manually. Our students even paid to register and found that they really were malicious apps. This market is very large, with a monthly turnover of millions of US dollars, and there are many such malicious apps in the markets.

My report today roughly analyzed the domestic mobile application ecosystem and showed that the application markets are still very complex. I hope that academia and the testing experts present here can work together to adopt better review functions to filter out malicious applications that should not exist, and to use better analysis and testing technology to identify applications with malicious behavior as early as possible, before they enter the market. We are also doing work on the user and device side, including fine-grained access control, to help users better understand what applications do and to control access to their privacy.

I hope everyone here will join hands to improve the domestic mobile application ecosystem. That is all for my sharing. Thank you!
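The signature-scheme finding in the talk (93.7% of domestic-market apps carrying only a V1 JAR signature) is something a tester can check for in bulk before an app reaches a market. The script below is an added example, not code from the talk or from Peking University's platform: it reads an APK as a ZIP, looks for V1 signature files under META-INF/, and parses the APK Signing Block that apksigner places immediately before the ZIP central directory to see whether V2 (block ID 0x7109871a) or V3 (block ID 0xf05368c0) signatures are present. The sample APK it builds for itself is a constructed placeholder (dummy META-INF files and empty signature payloads), not a valid signed app, and the `classify` labels are this example's own naming.

```python
"""Report which APK signature schemes an APK carries: V1 (JAR signature files)
and/or V2/V3 (APK Signing Block).  Added example; detects presence of the
schemes, it does not cryptographically verify them."""
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"   # trails the signing block
EOCD_SIGNATURE = b"PK\x05\x06"              # ZIP End Of Central Directory
SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3"}  # Android block IDs


def find_eocd(data: bytes) -> int:
    """Offset of the EOCD record (scanned backwards over the max comment span)."""
    pos = data.rfind(EOCD_SIGNATURE, max(0, len(data) - 22 - 0xFFFF))
    if pos < 0:
        raise ValueError("not a ZIP/APK: no EOCD record")
    return pos


def central_directory_offset(data: bytes) -> int:
    """The 32-bit central-directory offset lives 16 bytes into the EOCD."""
    return struct.unpack_from("<I", data, find_eocd(data) + 16)[0]


def signing_block_ids(data: bytes) -> list:
    """IDs of the ID-value pairs in the APK Signing Block, [] if there is none.
    Layout: u64 size | pairs (u64 len, u32 id, value) | u64 size | 16-byte magic,
    with the block ending exactly where the central directory starts."""
    cd_off = central_directory_offset(data)
    if cd_off < 32 or data[cd_off - 16:cd_off] != APK_SIG_BLOCK_MAGIC:
        return []
    size = struct.unpack_from("<Q", data, cd_off - 24)[0]
    start = cd_off - size - 8
    if start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree (corrupt)")
    ids, pos, end = [], start + 8, cd_off - 24
    while pos < end:
        pair_len = struct.unpack_from("<Q", data, pos)[0]   # len(id + value)
        ids.append(struct.unpack_from("<I", data, pos + 8)[0])
        pos += 8 + pair_len
    return ids


def has_v1_signature(data: bytes) -> bool:
    """V1 = MANIFEST.MF plus a PKCS#7 signature file (.RSA/.DSA/.EC) in META-INF/."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    sig_files = [n for n in names
                 if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))]
    return bool(sig_files) and "META-INF/MANIFEST.MF" in names


def detect_schemes(data: bytes) -> set:
    schemes = {"v1"} if has_v1_signature(data) else set()
    schemes.update(SCHEME_IDS[i] for i in signing_block_ids(data) if i in SCHEME_IDS)
    return schemes


def classify(data: bytes) -> str:
    """Labels used by this example: 'unsigned', 'v1-only', or e.g. 'v1+v2+v3'."""
    schemes = detect_schemes(data)
    if not schemes:
        return "unsigned"
    if schemes == {"v1"}:
        return "v1-only"
    return "+".join(sorted(schemes))


def build_sample_apk(block_ids=()) -> bytes:
    """Constructed sample: a minimal ZIP with placeholder V1 signature files and,
    optionally, an APK Signing Block (empty 32-byte values) spliced in before the
    central directory the way apksigner does.  Not a validly signed APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("classes.dex", b"dex\n035\0placeholder")
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82placeholder PKCS#7")
    data = buf.getvalue()
    if not block_ids:
        return data
    pairs = b"".join(struct.pack("<QI", 4 + 32, bid) + b"\0" * 32 for bid in block_ids)
    size = len(pairs) + 8 + 16                      # excludes the leading size field
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    eocd = find_eocd(data)
    cd_off = struct.unpack_from("<I", data, eocd + 16)[0]
    patched_eocd = data[eocd:eocd + 16] + struct.pack("<I", cd_off + len(block)) + data[eocd + 20:]
    return data[:cd_off] + block + data[cd_off:eocd] + patched_eocd


if __name__ == "__main__":
    for label, ids in (("v1 only", ()), ("v1+v2", (0x7109871A,)),
                       ("v1+v2+v3", (0x7109871A, 0xF05368C0))):
        print(f"{label:10s} -> {classify(build_sample_apk(ids))}")
```

Running it over a directory of APKs (`classify(open(path, "rb").read())`) gives the V1-only ratio directly; the script flags scheme presence only, so an APK that passes this check still needs `apksigner verify --verbose --print-certs` to confirm the signatures actually validate and to see which certificate signed it.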
