The ARPfix benchmark of Android runtime permission (ARP) misuse bugs.
There are two types of ARP bugs:
- Type-1 (Missing Permission Check): Adangerous API is called without a permission check on the target Android version.
- Type-2 (Incompatible Permission Usage): A dangerous API is called on incompatible platforms, or the evolution of permission specification is not fully handled.
The benchmark consists of 60 apps, including 35 Type-1 bugs and 25 Type-2 bugs. Each app has a buggy version and a fixed version. Thus ther are 120 APKs in total.
This repo contains each app's reduced source code, and two corresponding built APKs. For example, in Type-1:
- Androidcommons1530: The reduced source code of the benchmarking app AndroidCommons
- AndroidCommons1530_Buggy.apk: The app's buggy version of this issue
- AndroidCommons1530_Fixed.apk: The app's fixed (bug-free) version of this issue
For this app's source code, it is the buggy version by default. In the ContributionsListFragment.java file:
@Override
public boolean onOptionsItemSelected(@NonNull MenuItem item) {
/*if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
if (ContextCompat.checkSelfPermission(this.getActivity(), Manifest.permission.ACCESS_FINE_LOCATION) != PackageManager.PERMISSION_GRANTED) {
//See http://stackoverflow.com/questions/33169455/onrequestpermissionsresult-not-being-called-in-dialog-fragment
requestPermissions(new String[]{Manifest.permission.ACCESS_FINE_LOCATION}, 2);
return false;
} else {*/
Intent nearbyIntent = new Intent(getActivity(), NearbyActivity.class);
startActivity(nearbyIntent);
// }
// }
return true;
}By uncommenting the code, we can obtain the fixed version of this app.
The results of Aper comparing with other tools can be found on our website.