Targeted and depth-first exploration for systematic testing of android apps

Tanzirul Azim, Iulian Neamtiu

Research output: Chapter in Book/Report/Conference proceedingConference contribution

225 Scopus citations


Systematic exploration of Android apps is an enabler for a variety of app analysis and testing tasks. Performing the exploration while apps run on actual phones is essential for exploring the full range of app capabilities. However, exploring real-world apps on real phones is challenging due to non-determinism, non-standard control flow, scalability and overhead constraints. Relying on end-users to conduct the exploration might not be very effective: we performed a 7-user study on popular Android apps, and found that the combined 7-user coverage was 30.08% of the app screens and 6.46% of the app methods. Prior approaches for automated exploration of Android apps have run apps in an emulator or focused on small apps whose source code was available. To address these problems, we present A3E, an approach and tool that allows substantial Android apps to be explored systematically while running on actual phones, yet without requiring access to the app's source code. The key insight of our approach is to use a static, taint-style, dataflow analysis on the app bytecode in a novel way, to construct a high-level control flow graph that captures legal transitions among activities (app screens).We then use this graph to develop an exploration strategy named Targeted Exploration that permits fast, direct exploration of activities, including activities that would be difficult to reach during normal use. We also developed a strategy named Depth-first Exploration that mimics user actions for exploring activities and their constituents in a slower, but more systematic way. To measure the effectiveness of our techniques, we use two metrics: activity coverage (number of screens explored) and method coverage. Experiments with using our approach on 25 popular Android apps including BBC News, Gas Buddy, Amazon Mobile, YouTube, Shazam Encore, and CNN, show that our exploration techniques achieve 59.39-64.11% activity coverage and 29.53-36.46% method coverage.

Original languageEnglish (US)
Title of host publicationSPLASH Indianapolis 2013
Subtitle of host publicationOOPSLA 2013 - Proceedings of the 2013 International Conference on Object Oriented Programming Systems Languages and Applications
Number of pages20
StatePublished - 2013
Externally publishedYes
Event2013 28th ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications, OOPSLA 2013 - Indianapolis, IN, United States
Duration: Oct 29 2013Oct 31 2013

Publication series

NameProceedings of the Conference on Object-Oriented Programming Systems, Languages, and Applications, OOPSLA


Other2013 28th ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications, OOPSLA 2013
Country/TerritoryUnited States
CityIndianapolis, IN

All Science Journal Classification (ASJC) codes

  • Software


  • Code coverage
  • Dynamic analysis
  • GUI testing
  • Google android
  • Greybox testing
  • Systematic exploration
  • Taint analysis
  • Test case generation


Dive into the research topics of 'Targeted and depth-first exploration for systematic testing of android apps'. Together they form a unique fingerprint.

Cite this