Effectively Finding ICC-related Bugs in Android Apps via Reinforcement Learning

2023 IEEE 34th International Symposium on Software Reliability Engineering (ISSRE), 2023

Abstract
Inter-component communication (ICC) is a key mechanism in Android. It uses intents to carry communication between the different components of an app. Thus, the successful execution of ICCs (named ICC calls) is fundamental to app operation. However, existing testing tools for Android seldom explicitly consider these ICC calls, and so may fail to find ICC-related bugs. To this end, we propose a novel ICC-guided exploration strategy to effectively find ICC-related bugs. Our idea is to (1) build an ICC call graph from the app under test, and (2) use this graph to guide the exploration toward exercising the ICC calls. To realize this idea, we design the ICC-guided exploration strategy based on Q-learning, a classic reinforcement learning algorithm. Specifically, the reward function explicitly considers the number of explored intents, the number of promising-to-explore intents and the exploration order of explored intents to improve testing effectiveness. Moreover, to build a more complete ICC call graph, we design a graph enhancement exploration strategy, also based on Q-learning, to complement the call graph construction via static analysis. We have implemented our idea as an automated testing tool, IccDroid. The evaluation on 28 real-world Android apps shows that IccDroid finds the largest number of ICC-related bugs within the same testing time, compared to existing testing tools: the bugs found by IccDroid are 1.7~2.7 times more than the others. So far, IccDroid has found 13 previously unknown ICC-related bugs, all of which have been confirmed by the app developers and five of which have already been fixed.
Keywords
Android apps testing, Reinforcement Learning, ICC related bugs