Sébastien Salva

Data vulnerability detection by security testing for Android applications

The Android intent messaging is a mechanism that ties components together to build Mobile applications. Intents are kinds of messages composed of actions and data, sent by a component to another component to perform several operations, e.g., launching a user interface. The intent mechanism eases the writing of Mobile applications, but it might also be used as an entry point for security attacks. The latter can be easily sent with intents to components, that can indirectly forward attacks to other components and so on. In this context, this paper proposes a Model-based security testing approach to attempt to detect data vulnerabilities in Android applications. In other words, this approach generates test cases to check whether components are vulnerable to attacks, sent through intents, that expose personal data. Our method takes Android applications and intent-based vulnerabilities formally expressed with models called vulnerability patterns. Then, and this is the originality of our approach, partial specifications are automatically generated from configuration files and component codes. Test cases are then automatically generated from vulnerability patterns and the previous specifications. A tool, called APSET, is presented and evaluated with experimentations on some Android applications.

An Approach Dedicated for Web Service Security Testing

Web Services are more and more used in designing and building systems in open and dynamic distributed environments. The security of these transactions is becoming a critical issue. This paper proposes a security testing method for stateful Web Services. We define some specific security rules with the Nomad language. Then, we construct test cases from a symbolic specification and test purposes derived from the previous rules. We present some experimentation results based on roughly 100 Web Services and we show that 11 percent have vulnerabilities, using the rules introduce in the article.

A Preliminary Study on BPEL Process Testability

WS-BPEL is an OASIS standard language used for describing interactions in Service Oriented Architectures (SOA). BPEL processes are usually overlapped in large Business applications composed of web services and such applications are more and more developed with respect of quality processes. Testability, which is the topic of this paper, is a quality criterion devoted for testing activities which evaluates the test coverage and the testing cost. We study the BPEL testability on two well-known testability criteria, observability and controllability. To evaluate them, we propose to transform ABPEL specifications into STS and to apply existing methods. Then, from STS testability issues, we deduce some patterns of ABPEL testability degradation. These latter help to finally propose testability enhancement methods of ABPEL specifications.

Some parameters for timed system testability

This study is devoted to test quality of timed systems. In order to produce reliable systems, they need to be tested before industrial development, but system testing costs a lot of money and time. We suggest to make some preliminary analysis of the system in order to evaluate the cost before starting the tests. This test quality is evaluated by means of four factors. We detail each factor and show how to measure them in all different cases of system specification.

Testing mobile and distributed systems: method and experimentation

Mobile and distributed systems are generally composed of components which interact together with input/output events by using a least a mobile network (GSM, wireless lan), and eventually others heterogeneous ones. Such systems are generally complex so they need to be tested in order to check their reliability. However, no distributed testing tool is proposed. In this paper, we propose a complete method to test such systems and an experimentation which aims to test a WAP application. From a formal specification, the testing method generates test cases and deploys them on a test architecture. This one is composed of several testers which must be synchronized for testing. For the experimentation, we have implemented: a distributed test architecture composed of several testers, a WAP architecture and a WAP application. The experimentation results show that the testing method can be used in practice.