Table 11: Interstitial violation apps Table
cfgId violation violation-notunknown (directly,union,concat) violation-unknown (directly,union,concat) unknown-node
3 5 1 (1,0,0) 4 (4,0,0) 4
6 2 0 (0,0,0) 2 (2,0,0) 2
9 2 0 (0,0,0) 2 (2,0,0) 2
13 13 0 (0,0,0) 13 (7,6,0) 19
17 3 0 (0,0,0) 3 (2,1,0) 4
5.4 Result of Pirate App Store
Apart from the applications in App Store, our tool can also check the applications in pirate iOS App Store [57]. There are 22 genres in the pirate iOS App Store, so we downloaded 22 apps in each genre. We perform Ad fraud detection analysis on these 22 apps to demonstrate that our tool can also be used in the apps of pirate iOS App Store [57]. We extract the binary from the ipa file of App, convert the binary to assembly with IDA Pro and generate its control flow graph by Binflow script [58]. The information we generate (ipa, binary, assembly, control flow graph) and the Ad fraud detection results have been represented through a website [87].
We first download the ipa files from the pirate app stores. There are several download link of apps in this website are broken. We will skip these links. Unlike application in App Store, these ipa files do not need use decrypt tool to decrypt. So we can easily extract the binary from the ipa. There will not be any failure in this step. We generate the assembly through IDA Pro, a tool that can help us analysis the binary. We also add related information in this step for generating the segment information files and control flow graph through Binflow script [58]. We need to extract segment information from assembly so that we can generate control flow graph successfully. When we generate segment information files, there is one app invalid. SO we remain 21 segment information files. Then we try to generate control flow graph from the segment information. There is another app invalid in this step, so we remain 20 control flow graph. We detect Ad fraud with these control flow graph.
We find 5 apps violate Interstitial violation Ad fraud and 1 app violates Multi-view violation Ad fraud within 22 apps. The result of Interstitial violation Ad fraud will be showed in Table 11. App 3,6,9,13,17 have violated the Interstitial violation Ad fraud.
‧
國立 政 治 大 學
‧
N a tio na
l C h engchi U ni ve rs it y
Figure 31: Interstitial violation Dependency Graph 1 in Pirate App Store
Figure 32: Interstitial violation Dependency Graph 2 in Pirate App Store
There are no unknown nodes in one of the violating dependency graph of App 3. The other dependency graph all contain unknown nodes. The graph of no unknown nodes has shown in the Figure 31. There are 24 dependency graph of unknown nodes in Interstitial violation Ad fraud. We show one graph of them in the Figure 32. 17 of them are directly called Interstitial API, which means that there are no operation node in the dependency graph. 7 of them are called by union nodes, which means that the input string may comes from multiple way, and one sink of the path is unknown node. It denotes that the possibility of input string comes from user input.
The app 3 in the app list [87] we provided has violated the Multi-view violation Ad fraud. It adds two Ad views in node 651274. One of the Ad views directly calls the Ad view API. Another Ad view is called with concat operation. The figure 33 will show the dependency graph of calling Ad view with concat operation. We can see that it concatenates the unknown string, ”Ad”, and ”View” in the dependency graph.
‧
國立 政 治 大 學
‧
N a tio na
l C h engchi U ni ve rs it y
Figure 33: Multi-view violation Dependency Graph in Pirate App Store
6 Conclusion
Most malicious behaviors and violations of Ad fraud have been detected in the work. We present an approach that integrates string analysis with flow analysis to detect Ad fraud on iOS applications.
Various ad frauds have been identified with which developers may gain extra bene-fits but damage user experience or advertisement effects. With our Ad fraud detection analysis, we can decide the suitable way to benefit both customers and advertisers. With the implementation of the above algorithm, the superfluous expense can be reduced effec-tively for companies, and better user experience will be built in the apps. Through the process of Ad fraud detection, the app developer who has engaged efforts in balancing user experience and ad profits could be distinguished.
‧
國立 政 治 大 學
‧
N a tio na
l C h engchi U ni ve rs it y
References
[1] M. C. Grace, W. Zhou, X. Jiang, and A.-R. Sadeghi, “Unsafe exposure analysis of mobile in-app advertisements,” in Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks, pp. 101–112, ACM, 2012.
[2] D. Graziano, “Android and iOS Still Rule the Mobile World;Microsoft and RIM Have Long Roads Ahead.” https://www.appannie.com/en/insights/market-data/
app-advertising-spend-2021/, 2012.
[3] Google, “Google Admob.” https://admob.google.com/, 2019.
[4] Apple, “Apple Search Ads.” https://searchads.apple.com/, 2019.
[5] Facebook, “Facebook Ad.” https://www.facebook.com/business/ads, 2019.
[6] A. Mamiit, “Google flags preinstalled malware as hidden threat on mil-lions of Android phones.” https://www.digitaltrends.com/mobile/
android-phones-preinstalled-malware, 2019.
[7] Google, “Google Behavioral policies.” https://support.google.com/admob/
answer/2753860, 2019.
[8] B. Liu, S. Nath, R. Govindan, and J. Liu, “{DECAF}: Detecting and characterizing ad fraud in mobile apps,” in 11th {USENIX} Symposium on Networked Systems Design and Implementation ({NSDI} 14), pp. 57–70, 2014.
[9] F. Dong, H. Wang, L. Li, Y. Guo, T. F. Bissyand´e, T. Liu, G. Xu, and J. Klein,
“Frauddroid: Automated ad fraud detection for android apps,” in Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 257–268, ACM, 2018.
[10] B. Wang, F. Wu, and G. Chen, “Placement fraud detection on smart phones: A joint crowdsourcing and data analyzing based approach,” in International Conference on Mobile Ad-Hoc and Sensor Networks, pp. 163–179, Springer, 2017.
‧
國立 政 治 大 學
‧
N a tio na
l C h engchi U ni ve rs it y
[11] V. Dave, S. Guha, and Y. Zhang, “Viceroi: Catching click-spam in search ad net-works,” in Proceedings of the 2013 ACM SIGSAC conference on Computer & com-munications security, pp. 765–776, ACM, 2013.
[12] “Google AD Size.” https://developers.google.com/admob/ios/banner.
[13] V. Dave, S. Guha, and Y. Zhang, “Measuring and fingerprinting click-spam in ad networks,” in Proceedings of the ACM SIGCOMM 2012 conference on Applications, technologies, architectures, and protocols for computer communication, pp. 175–186, ACM, 2012.
[14] T. Yeh, T.-H. Chang, and R. C. Miller, “Sikuli: using gui screenshots for search and automation,” in Proceedings of the 22nd annual ACM symposium on User interface software and technology, pp. 183–192, ACM, 2009.
[15] Apple, “Apple Developer Documentation.” https://developer.apple.com/
documentation/, 2019.
[16] P. Z. Ian Beer, “A very deep dive into iOS Exploit chains found in the wild.” https://googleprojectzero.blogspot.com/2019/08/
a-very-deep-dive-into-ios-exploit.html, 2019.
[17] W. Wang, I. L. Kim, and Y. Zheng, “Adjust: runtime mitigation of resource abus-ing third-party online ads,” in Proceedabus-ings of the 41st International Conference on Software Engineering, pp. 1005–1015, IEEE Press, 2019.
[18] W. Yang, M. Prasad, and T. Xie, “Enmobile: Entity-based characterization and analysis of mobile malware,” in 2018 IEEE/ACM 40th International Conference on Software Engineering (ICSE), pp. 384–394, IEEE, 2018.
[19] P. Z. Ian Beer, “In-the-wild iOS Exploit Chain 1.” https://googleprojectzero.
blogspot.com/2019/08/in-wild-ios-exploit-chain-1.html, 2019.
‧
國立 政 治 大 學
‧
N a tio na
l C h engchi U ni ve rs it y
[20] H. Wang and Y. Guo, “Understanding third-party libraries in mobile app analysis,” in 2017 IEEE/ACM 39th International Conference on Software Engineering Companion (ICSE-C), pp. 515–516, IEEE, 2017.
[21] D. M. Lazer, M. A. Baum, Y. Benkler, A. J. Berinsky, K. M. Greenhill, F. Menczer, M. J. Metzger, B. Nyhan, G. Pennycook, D. Rothschild, et al., “The science of fake news,” Science, vol. 359, no. 6380, pp. 1094–1096, 2018.
[22] A. Kantchelian, M. C. Tschantz, S. Afroz, B. Miller, V. Shankar, R. Bachwani, A. D.
Joseph, and J. D. Tygar, “Better malware ground truth: Techniques for weighting anti-virus vendor labels,” in Proceedings of the 8th ACM Workshop on Artificial Intelligence and Security, pp. 45–56, ACM, 2015.
[23] B. J. Kwon, J. Mondal, J. Jang, L. Bilge, and T. Dumitra¸s, “The dropper effect:
Insights into malware distribution with downloader graph analytics,” in Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 1118–1129, ACM, 2015.
[24] K. Chen, X. Wang, Y. Chen, P. Wang, Y. Lee, X. Wang, B. Ma, A. Wang, Y. Zhang, and W. Zou, “Following devil’s footprints: Cross-platform analysis of potentially harmful libraries on android and ios,” in 2016 IEEE Symposium on Security and Privacy (SP), pp. 357–376, IEEE, 2016.
[25] X. Liao, K. Yuan, X. Wang, Z. Pei, H. Yang, J. Chen, H. Duan, K. Du, E. Alowaisheq, S. Alrwais, et al., “Seeking nonsense, looking for trouble: Efficient promotional-infection detection through semantic inconsistency search,” in 2016 IEEE Symposium on Security and Privacy (SP), pp. 707–723, IEEE, 2016.
[26] S. Roy, J. DeLoach, Y. Li, N. Herndon, D. Caragea, X. Ou, V. P. Ranganath, H. Li, and N. Guevara, “Experimental study with real-world data for android app secu-rity analysis using machine learning,” in Proceedings of the 31st Annual Computer Security Applications Conference, pp. 81–90, ACM, 2015.
‧
國立 政 治 大 學
‧
N a tio na
l C h engchi U ni ve rs it y
[27] F. Wei, S. Roy, X. Ou, et al., “Amandroid: a precise and general inter-component data flow analysis framework for security vetting of android apps,” ACM Transactions on Privacy and Security (TOPS), vol. 21, no. 3, p. 14, 2018.
[28] H. Chen, H.-f. Leung, B. Han, and J. Su, “Automatic privacy leakage detection for massive android apps via a novel hybrid approach,” in 2017 IEEE International Conference on Communications (ICC), pp. 1–7, IEEE, 2017.
[29] X. Pan, X. Wang, Y. Duan, X. Wang, and H. Yin, “Dark hazard: Learning-based, large-scale discovery of hidden sensitive operations in android apps.,” in NDSS, 2017.
[30] A. Armando, G. Costa, A. Merlo, and L. Verderame, “Enabling byod through secure meta-market,” in Proceedings of the 2014 ACM conference on Security and privacy in wireless & mobile networks, pp. 219–230, ACM, 2014.
[31] Y. Nan, M. Yang, Z. Yang, S. Zhou, G. Gu, and X. Wang, “Uipicker: User-input pri-vacy identification in mobile applications,” in 24th {USENIX} Security Symposium ({USENIX} Security 15), pp. 993–1008, 2015.
[32] J. Huang, Z. Li, X. Xiao, Z. Wu, K. Lu, X. Zhang, and G. Jiang, “{SUPOR}: Precise and scalable sensitive user input detection for android apps,” in 24th {USENIX}
Security Symposium ({USENIX} Security 15), pp. 977–992, 2015.
[33] Z. Qu, V. Rastogi, X. Zhang, Y. Chen, T. Zhu, and Z. Chen, “Autocog: Measur-ing the description-to-permission fidelity in android applications,” in ProceedMeasur-ings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 1354–1365, ACM, 2014.
[34] R. Pandita, X. Xiao, W. Yang, W. Enck, and T. Xie, “{WHYPER}: Towards au-tomating risk assessment of mobile applications,” in Presented as part of the 22nd {USENIX} Security Symposium ({USENIX} Security 13), pp. 527–542, 2013.
[35] P. Suciu, “The Biggest Cybercrime Threats of 2019.” https://www.
ecommercetimes.com/story/85782.html, 2019.
‧
國立 政 治 大 學
‧
N a tio na
l C h engchi U ni ve rs it y
[36] A. Metwally, D. Agrawal, and A. El Abbadi, “Detectives: detecting coalition hit inflation attacks in advertising networks streams,” in Proceedings of the 16th inter-national conference on World Wide Web, pp. 241–250, ACM, 2007.
[37] A. Metwally, F. Emek¸ci, D. Agrawal, and A. El Abbadi, “Sleuth: Single-publisher attack detection using correlation hunting,” Proceedings of the VLDB Endowment, vol. 1, no. 2, pp. 1217–1228, 2008.
[38] F. Yu, Y. Xie, and Q. Ke, “Sbotminer: large scale search bot detection,” in Pro-ceedings of the third ACM international conference on Web search and data mining, pp. 421–430, ACM, 2010.
[39] S. A. Alrwais, A. Gerber, C. W. Dunn, O. Spatscheck, M. Gupta, and E. Osterweil,
“Dissecting ghost clicks: Ad fraud via misdirected human clicks,” in Proceedings of the 28th Annual Computer Security Applications Conference, pp. 21–30, ACM, 2012.
[40] T. Blizard and N. Livic, “Click-fraud monetizing malware: A survey and case study,”
in 2012 7th International Conference on Malicious and Unwanted Software, pp. 67–
72, IEEE, 2012.
[41] J. Crussell, R. Stevens, and H. Chen, “Madfraud: Investigating ad fraud in android applications,” in Proceedings of the 12th annual international conference on Mobile systems, applications, and services, pp. 123–134, ACM, 2014.
[42] X. Xiao, X. Wang, Z. Cao, H. Wang, and P. Gao, “Iconintent: automatic identifi-cation of sensitive ui widgets based on icon classifiidentifi-cation for android apps,” in Pro-ceedings of the 41st International Conference on Software Engineering, pp. 257–268, IEEE Press, 2019.
[43] P. Wang, D. Wu, Z. Chen, and T. Wei, “Protecting million-user ios apps with ob-fuscation: motivations, pitfalls, and experience,” in 2018 IEEE/ACM 40th Interna-tional Conference on Software Engineering: Software Engineering in Practice Track (ICSE-SEIP), pp. 235–244, IEEE, 2018.
‧
國立 政 治 大 學
‧
N a tio na
l C h engchi U ni ve rs it y
[44] A. P. Felt, M. Finifter, E. Chin, S. Hanna, and D. Wagner, “A survey of mobile malware in the wild,” in Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM ’11, pp. 3–14, 2011.
[45] S. Arzt, S. Rasthofer, C. Fritz, E. Bodden, A. Bartel, J. Klein, Y. L. Traon, D. Octeau, and P. McDaniel, “Flowdroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps,” in ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI ’14, Edinburgh, United Kingdom - June 09 - 11, 2014, p. 29, 2014.
[46] L. Li, T. F. Bissyand´e, D. Octeau, and J. Klein, “Droidra: taming reflection to support whole-program analysis of android apps,” in Proceedings of the 25th Inter-national Symposium on Software Testing and Analysis, pp. 318–329, ACM, 2016.
[47] W. Enck, P. Gilbert, S. Han, V. Tendulkar, B.-G. Chun, L. P. Cox, J. Jung, P. Mc-Daniel, and A. N. Sheth, “Taintdroid: an information-flow tracking system for real-time privacy monitoring on smartphones,” ACM Transactions on Computer Systems (TOCS), vol. 32, no. 2, p. 5, 2014.
[48] T. Bao, J. Burket, M. Woo, R. Turner, and D. Brumley, “Byteweight: Learning to recognize functions in binary code,” in Proceedings of the 23rd USENIX Conference on Security Symposium, SEC’14, pp. 845–860, USENIX Association, 2014.
[49] X. Meng and B. P. Miller, “Binary code is not easy,” in Proceedings of the 25th International Symposium on Software Testing and Analysis, ISSTA 2016, pp. 24–35, ACM, 2016.
[50] Y. Shoshitaishvili, R. Wang, C. Salls, N. Stephens, M. Polino, A. Dutcher, J. Grosen, S. Feng, C. Hauser, C. Kruegel, et al., “Sok:(state of) the art of war: Offensive techniques in binary analysis,” in 2016 IEEE Symposium on Security and Privacy (SP), pp. 138–157, IEEE, 2016.
‧
國立 政 治 大 學
‧
N a tio na
l C h engchi U ni ve rs it y
[51] T. Reinbacher and J. Brauer, “Precise control flow reconstruction using boolean logic,” in Proceedings of the Ninth ACM International Conference on Embedded Soft-ware, EMSOFT ’11, pp. 117–126, ACM, 2011.
[52] D. Brumley, I. Jager, T. Avgerinos, and E. J. Schwartz, “BAP: A binary analysis platform,” in Computer Aided Verification - 23rd International Conference, CAV 2011, Snowbird, UT, USA, July 14-20, 2011. Proceedings, pp. 463–469, 2011.
[53] Dynist, “Dynist: Tools for binary instrumentation, analysis, and modification.”
https://github.com/dyninst.
[54] D. Song, D. Brumley, H. Yin, J. Caballero, I. Jager, M. G. Kang, Z. Liang, J. New-some, P. Poosankam, and P. Saxena, “Bitblaze: A new approach to computer security via binary analysis,” in Proceedings of the 4th International Conference on Informa-tion Systems Security, ICISS ’08, pp. 1–25, 2008.
[55] Y. Lee, X. Wang, K. Lee, X. Liao, X. Wang, T. Li, and X. Mi, “Understanding ios-based crowdturfing through hidden {UI} analysis,” in 28th {USENIX} Security Symposium ({USENIX} Security 19), pp. 765–781, 2019.
[56] C. Xiao, “Pirated iOS App Stores Client Successfully Evaded Ap-ple iOS Code Review.” https://unit42.paloaltonetworks.com/
pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/, 2016.
[57] N. Statt, “This illicit iPhone app store has been hiding in plain sight.” https://www.theverge.com/2019/2/20/18232140/
apple-tutuapp-piracy-ios-apps-developer-enterprise-program-misuse, 2019.
[58] C.-H. Lin, F. Yu, J.-H. R. Jiang, and T. Bultan, “Static detection of api call vulner-abilities in ios executables,” in 2018 IEEE/ACM 40th International Conference on Software Engineering: Companion (ICSE-Companion), pp. 394–395, IEEE, 2018.
‧
國立 政 治 大 學
‧
N a tio na
l C h engchi U ni ve rs it y
[59] M. Egele, C. Kruegel, E. Kirda, and G. Vigna, “Pios: Detecting privacy leaks in ios applications.,” in NDSS, 2011.
[60] T. Werthmann, R. Hund, L. Davi, A.-R. Sadeghi, and T. Holz, “Psios: bring your own privacy & security to ios devices,” in Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security, pp. 13–24, ACM, 2013.
[61] L. Davi, A. Dmitrienko, M. Egele, T. Fischer, T. Holz, R. Hund, S. N¨urnberger, and A.-R. Sadeghi, “Mocfi: A framework to mitigate control-flow attacks on smart-phones.,” in NDSS, 2012.
[62] Z. Deng, B. Saltaformaggio, X. Zhang, and D. Xu, “iris: Vetting private api abuse in ios applications,” in Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 44–56, ACM, 2015.
[63] F. Yu, Y.-C. Lee, S. Tai, and W.-S. Tang, “Appbeach: Characterizing app behaviors via static binary analysis,” in Proceedings of the 2013 IEEE Second International Conference on Mobile Services, p. 86, IEEE Computer Society, 2013.
[64] Z. R. Fang, S. W. Huang, and F. Yu, “Appreco: Behavior-aware recommendation for ios mobile applications,” in 2016 IEEE International Conference on Web Services (ICWS), pp. 492–499, June 2016.
[65] A. S. Christensen, A. Møller, and M. I. Schwartzbach, “Precise analysis of string expressions,” in Proc. 10th International Static Analysis Symposium (SAS), vol. 2694 of LNCS, pp. 1–18, Springer-Verlag, June 2003. Available from http://www.brics.dk/JSA/.
[66] C. Gould, Z. Su, and P. Devanbu, “Static checking of dynamically generated queries in database applications,” in Software Engineering, 2004. ICSE 2004. Proceedings.
26th International Conference on, pp. 645–654, IEEE, 2004.
‧
國立 政 治 大 學
‧
N a tio na
l C h engchi U ni ve rs it y
[67] P. A. Abdulla, M. F. Atig, Y.-F. Chen, L. Hol´ık, A. Rezine, P. R¨ummer, and J. Sten-man, “String constraints for verification,” in International Conference on Computer Aided Verification, pp. 150–166, Springer, 2014.
[68] A. Das, S. K. Lahiri, A. Lal, and Y. Li, “Angelic verification: Precise verification modulo unknowns,” in International Conference on Computer Aided Verification, pp. 324–342, Springer, 2015.
[69] J. Sch¨utte and D. Titze, “lios: Lifting ios apps for fun and profit,” 2019.
[70] “Hex-Rays Decompiler Manual.” https://www.hex-rays.com/products/
decompiler/manual/tricks.shtml.
[71] J. Webber, “A programmatic introduction to neo4j,” in Proceedings of the 3rd an-nual conference on Systems, programming, and applications: software for humanity, pp. 217–218, ACM, 2012.
[72] Facebook, “Facebook Infer: Linters bug types-Unavailable api in supported ios sdk .” https://fbinfer.com/docs/linters-bug-types.html#UNAVAILABLE_API_
IN_SUPPORTED_IOS_SDK, 2019.
[73] C. Calcagno, D. Distefano, J. Dubreil, D. Gabi, P. Hooimeijer, M. Luca, P. OHearn, I. Papakonstantinou, J. Purbrick, and D. Rodriguez, “Moving fast with software verification,” in NASA Formal Methods Symposium, pp. 3–11, Springer, 2015.
[74] D. Distefano, P. W. Ohearn, and H. Yang, “A local shape analysis based on separation logic,” in International Conference on Tools and Algorithms for the Construction and Analysis of Systems, pp. 287–302, Springer, 2006.
[75] C. Calcagno, D. Distefano, P. W. Ohearn, and H. Yang, “Compositional shape anal-ysis by means of bi-abduction,” Journal of the ACM (JACM), vol. 58, no. 6, p. 26, 2011.
‧
國立 政 治 大 學
‧
N a tio na
l C h engchi U ni ve rs it y
[76] J. Berdine, C. Calcagno, and P. W. Ohearn, “Smallfoot: Modular automatic assertion checking with separation logic,” in International Symposium on Formal Methods for Components and Objects, pp. 115–137, Springer, 2005.
[77] P. Cousot, “Abstract interpretation in a nutshell,” howpublished, 7th October, 2012.
[78] Facebook, “Facebook Infer: linters.al.” https://github.com/facebook/infer/
blob/472f155a7a1a5afa95f46d4300137e58cb1fa643/infer/lib/linter_rules/
linters.al, 2019.
[79] Facebook, “Facebook Infer: cPredicates.ml.” https://github.com/facebook/
infer/blob/86140581d5e8690ac8ba82965aaa9d970acbb78e/infer/src/al/
cPredicates.ml, 2019.
[80] M. Pradel and K. Sen, “Deepbugs: A learning approach to name-based bug detec-tion,” Proceedings of the ACM on Programming Languages, vol. 2, no. OOPSLA, p. 147, 2018.
[81] R. van Tonder and C. Le Goues, “Static automated program repair for heap prop-erties,” in 2018 IEEE/ACM 40th International Conference on Software Engineering (ICSE), pp. 151–162, IEEE, 2018.
[82] M. Harman and P. O’Hearn, “From start-ups to scale-ups: Opportunities and open problems for static and dynamic program analysis,” in 2018 IEEE 18th International Working Conference on Source Code Analysis and Manipulation (SCAM), pp. 1–23, IEEE, 2018.
[83] N. Alshahwan, X. Gao, M. Harman, Y. Jia, K. Mao, A. Mols, T. Tei, and I. Zorin,
“Deploying search based software engineering with sapienz at facebook,” in Interna-tional Symposium on Search Based Software Engineering, pp. 3–45, Springer, 2018.
[84] Facebook, “Facebook Infer: AL-examples.” https://fbinfer.com/docs/linters.
html#examples, 2019.
‧
國立 政 治 大 學
‧
N a tio na
l C h engchi U ni ve rs it y
[85] Apple, “App Store Review Guidelines.” https://developer.apple.com/
app-store/review/guidelines, 2019.
[86] ARM, “ARM Information Center.” http://infocenter.arm.com/help/index.jsp, 2009.
[87] soslab nccu, “Github: Static Ad Fraud Detection on iOS Applications.” https:
//github.com/soslab-nccu/detect-adfraud, 2019.
[88] soslab nccu, “Github: BinFlow-Static Detection of API Call Vulnerabilities in iOS Executables.” https://github.com/soslab-nccu/binflow, 2018.
[89] C. Y. Huang, “Video link of App 1077052682.” https://drive.google.com/drive/
folders/1ep4RiMFPcL4CbfY05ZGc11UMAYGqHkA3?usp=sharing, 2019.