A3S3 conceptual overviewAbstract
Android devices and related applications are increasingly prevalent in our daily routines. Furthermore, these technologies are being used for more than just connecting people around the world. Indeed, Android devices are more and more connected to external sensors or used as sensors, directly gathering data from their environment, which brings them closer to Cyber Physical Systems (CPS). When used for specific purposes such as health, Android devices and related applications can be life-critical (insulin pumps, heart monitoring, etc.), requiring guarantees specific to the application domain. Interestingly, when considering the technical security in domains related to operational technologies, we can see that many standards are available while not directly intended for Android applications. Other regulatory texts can also be valuable to drive an audit process, although they need more effort to reach technically testable requirements from the legal requirements they define. In particular, Android applications are developed using various device permissions (i.e., resource access), external libraries, etc. In this paper, we present A3S3 a tool to link requirements from industry standards and regulatory texts to Android features to drive a security audit. Following research in the cyber-security community, we suggest an approach based on static code analysis of Android applications to retrieve good and bad signals, denoting potential violations, related to non-functional requirements.
Guillaume Nguyen
PhD Student
Xavier Devroey
Professor of Software Engineering
My research goal is to to ease software testing by exploring new paths to achieve a high level of automation for test case design, generation, selection, and prioritization. My main research interests include search-based and model-based software testing, test suite augmentation, DevOps, and variability-intensive systems.