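@comment{
  Source: ScienceDirect BibTeX export for Journal of Systems and Software
  article 112364 (2025), reformatted one field per line with the citation
  key left unchanged so existing \cite commands keep working.
  Changes from the raw export: bare DOI (the resolver prefix belongs to the
  style, not the database); authors in unambiguous "Last, First" form, with
  the same surname split the export implied; acronyms and the technique
  name brace-protected in the title so sentence-casing styles keep them;
  keyword casing made consistent; the accented letter and the curly
  apostrophe written as LaTeX/ASCII so the entry sorts and renders correctly
  under classic BibTeX as well as Biber.
  Not in the export and therefore not added: volume and number. The
  "pages" field holds the article number as published; biblatex users may
  prefer "eid".
}
@article{AMALFITANO2025112364,
  author   = {Amalfitano, Domenico and J{\'u}nior, Misael and Fasolino, Anna Rita and Delamaro, Marcio},
  title    = {A {GUI}-based {Metamorphic Testing} Technique for Detecting Authentication Vulnerabilities in {Android} Mobile Apps},
  journal  = {Journal of Systems and Software},
  year     = {2025},
  pages    = {112364},
  issn     = {0164-1212},
  doi      = {10.1016/j.jss.2025.112364},
  url      = {https://www.sciencedirect.com/science/article/pii/S0164121225000329},
  keywords = {Security testing, Metamorphic testing, Vulnerability testing, Mobile testing, Test automation, GUI-based testing},
  abstract = {Context: The increasing use of mobile apps in daily life involves managing and sharing sensitive user information. Problem: New vulnerabilities are frequently reported in bug tracking systems, highlighting the need for effective security testing processes for these applications. Proposal: This study introduces a GUI-based Metamorphic Testing technique designed to detect five common real-world vulnerabilities related to username and password authentication methods in Android applications, as identified by OWASP. Methods: We developed five Metamorphic Relationships to test for these vulnerabilities and implemented a Metamorphic Vulnerability Testing Environment to automate the technique. This environment facilitates the generation of Source test case and the automatic creation and execution of Follow-up test case. Results: The technique was applied to 163 real-world Android applications, uncovering 159 vulnerabilities. Out of these, 108 apps exhibited at least one vulnerability. The vulnerabilities were validated through expert analysis conducted by three security professionals, who confirmed the issues by interacting directly with the app's graphical user interfaces (GUIs). Additionally, to assess the practical relevance of our approach, we engaged with 37 companies whose applications were identified as vulnerable. Nine companies confirmed the vulnerabilities, and 26 updated their apps to address the reported issues. Our findings also indicate a weak inverse correlation between user-perceived quality and vulnerabilities; even highly rated apps can harbor significant security flaws.},
}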