Android Fuzzing: Balancing User-Inputs and Intents

2023 IEEE Conference on Software Testing, Verification and Validation (ICST) (2023)

Abstract
Android apps can be effectively tested by randomly generating inputs and triggering corresponding events. Most test generators focus on user-triggered events, such as button clicks. However, the state of an app is not only determined by the interactions with a user, but also inputs from the system and other apps, which are called intents in Android. Intent fuzzing, that is, the automated generation of randomized intents as test inputs, has been demonstrated to be an effective means for identifying crashes in apps. However, the behavior of intent handlers is influenced by the state of the app, which may depend on the user’s interactions with the app that triggers corresponding events. Recent test generators have therefore started integrating some of both types of events, leaving open questions about the best way to combine and balance UI inputs and intents. In this paper, we describe a general framework for integrating user events and intents for testing Android apps. We study empirically how to best combine these two types of events, and evaluate the effectiveness of the combination. Our experiments suggest that combining UI inputs and intents reveals substantially higher code coverage as well as more unique crashes (844 on 500 F-Droid apps) than sending only user-events (762) or only intents (511): The combined approach achieves a magnitude higher activity coverage (78.07%) than using only user inputs (70.45%) and sending only intents (58.23%). Furthermore, 121 unique crashes were found only through the combination of UI inputs and intents. Although intent crashes and UI crashes result from similar exception types, they are distinct, which is relevant when comparing test generators.
Keywords
Test Generation, Fuzzing, Intents, Android