SCG News

Assessing and Improving the Software Quality of an iOS App Framework

Alain Stulz. Assessing and Improving the Software Quality of an iOS App Framework. Bachelor’s thesis, University of Bern, February 2020. Details.


Creating and maintaining high-quality software is an essential topic in Software Engineering. While mobile application development is a relatively young discipline, it has evolved particularly rapidly. The quick pace requires complex mobile projects to be highly flexible and easily maintainable to stay relevant over time. In this thesis, we examine a framework designed to build iOS applications, which was created in the early 2010s and seems to have fallen behind in some areas. We answer "How can we assess the quality of our system?" by defining our understanding of software quality and subsequently collecting and analyzing data from several sources. In a second step, we address "How to improve the existing system’s quality?" through setting conventions for developers, performing maintenance, and refactoring specific areas in the code. In this context, we also explore different techniques to increase unit test coverage. Furthermore, we analyze the question "What would constitute a better software design?" by selectively rewriting parts of the system’s functionality. Finally, we take a look at the project’s future and recommend that the company should consider a rewrite over refactoring to better cope with changed software requirements and technology.

Posted by scg at 10 February 2020, 6:15 pm

Automatically Retrofitting Cordova Applications for Stricter Content Security Policies

Basil Schöni. Automatically Retrofitting Cordova Applications for Stricter Content Security Policies. Bachelor’s thesis, University of Bern, February 2020. Details.


Content Security Policy (CSP), a feature present in Android’s WebView for many years, has the potential to protect against most types of code injection attacks. However, adoption rates are low and existing policies often apply weak restrictions. We investigate attack methods against WebView and how CSP can prevent them. We found that there is a wide variety of injection vectors, ranging from external sources like NFC communications to internal ones like Android’s inter-app communication. The impacts include breaches of privacy, credential stealing and further spreading of malicious code. CSP mitigates such attacks by blocking various classes of code execution, loading of external data, exfiltration of data, UI manipulation and insecure connections. We propose a tool that generates such CSP definitions for pre-existing, real-world Cordova apps. To improve the strictness of these CSP definitions, our tool attempts to rewrite all JavaScript APIs that are restricted by CSP. We evaluated the tool using a large data set and found that we can avoid the "script-src unsafe-inline" definition in 84.28% and the "style-src unsafe-inline" definition in 25.88% of cases. Conversely, for the "script-src unsafe-eval" definition, no application could benefit from our rewriting, and for "style-src unsafe-eval", loosening strictness could only be avoided for 2.89% of applications. From this we conclude that while our approach provides significant benefits with respect to the "unsafe-inline" keywords, it is mostly ineffective in rewriting to avoid the "unsafe-eval" keywords. We identified six patterns which limit either the strictness or the non-breaking behavior of our generated policies and two use cases which make the static generation of non-breaking policies completely impossible. We conclude that any static rewriting of JavaScript APIs should apply in-depth flow analysis and be able to deal with the special syntaxes introduced by the most common UI frameworks. Approaches like ours that do not apply these measures may work well for smaller applications, but will break more complex ones.
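As an added illustration of the retrofitting idea described above (this is not the thesis's tool; the data-csp-id attribute, the app.js file name and the helper names are assumptions), the following moves inline event handlers and inline script bodies into one external script so the generated policy can drop 'unsafe-inline' for script-src, and keeps the keyword only where a javascript: URL it does not rewrite remains:

```javascript
// Added example, not from the thesis. Inline handlers and inline <script>
// bodies are exactly what 'script-src' blocks unless 'unsafe-inline' is set.
const HANDLER_ATTR = /\s(on[a-z]+)\s*=\s*"([^"]*)"/gi;
const INLINE_SCRIPT = /<script(?![^>]*\bsrc=)[^>]*>([\s\S]*?)<\/script>/gi;

function retrofit(html) {
  const external = []; // statements that will make up app.js (assumed name)
  let counter = 0;

  // 1. Inline <script> bodies are moved verbatim, in document order. Caveat:
  //    code that relies on running at parse time (document.write and the like)
  //    breaks; this is the kind of pattern static rewriting cannot repair.
  let out = html.replace(INLINE_SCRIPT, (_m, body) => {
    external.push(body.trim());
    return '';
  });

  // 2. onclick="..." and friends become addEventListener registrations keyed
  //    by a generated data attribute; `this` and `event` keep their meaning
  //    because a plain function (not an arrow) is used as the listener.
  out = out.replace(/<([a-z][a-z0-9]*)([^>]*)>/gi, (tag, name, attrs) => {
    let id = null;
    const kept = attrs.replace(HANDLER_ATTR, (_m, attr, body) => {
      if (id === null) id = `csp-rw-${counter++}`;
      external.push(
        `document.querySelector('[data-csp-id="${id}"]')` +
        `.addEventListener('${attr.slice(2).toLowerCase()}', function (event) { ${body} });`);
      return '';
    });
    return id === null ? tag : `<${name}${kept} data-csp-id="${id}">`;
  });

  // 3. javascript: URLs are left alone here. If any remain, the policy has to
  //    keep 'unsafe-inline' or those links stop working (weak but non-breaking).
  const residualInline = /\bhref\s*=\s*"javascript:/i.test(out);
  const scriptSrc = residualInline ? "'self' 'unsafe-inline'" : "'self'";

  // The deferred external script runs after parsing, so the querySelector
  // calls above find their elements.
  out = out.replace(/<\/body>/i, '<script src="app.js" defer></script></body>');
  return {
    html: out,
    appJs: external.join('\n'),
    csp: `default-src 'self'; script-src ${scriptSrc}; style-src 'self'`,
  };
}
```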

Posted by scg at 7 February 2020, 6:15 pm

Test name recommendation — A study of the unit test naming and naming traditions

Christian Zürcher. Test name recommendation — A study of the unit test naming and naming traditions. Bachelor’s thesis, University of Bern, January 2020. Details.


The name of a unit test is an essential part of it and helps developers to understand its purpose and to identify tests inside test suites. And even though such names have a lot of benefits, many tests end up without a descriptive name. This occurs not only in automatically generated tests but also in manually written ones. Automatically generating descriptive names is confronted with the challenge that there is a vast variety of tests, written by different developers with different conventions, or generated by different tools. In this thesis, we present an automated approach to generate descriptive names based on the test body by finding the focal method of the test, around which it was written. We compared our results to the original names and to other publications and found that our approach provides good results for all kinds of tests, even though in specific scenarios other approaches may work better. Finally, we found that the names created by developers, when done correctly, are still the most descriptive.

Posted by scg at 23 January 2020, 11:15 am

On Demand Runtime Information — A language- and IDE-agnostic approach to provide runtime information

Rathesan Iyadurai. On Demand Runtime Information — A language- and IDE-agnostic approach to provide runtime information. Master’s thesis, University of Bern, January 2020. Details.


Understanding programs written in dynamically-typed languages can be difficult because of the lack of static type information. When reasoning about a function written in JavaScript for instance, developers often lack the information about parameter types and values, which is essential for understanding the implementation. Gathering runtime information and presenting it on-demand would assist developers in their program comprehension tasks. In this thesis we present AUDREY, a system that gathers runtime information for multiple languages and exposes the information to many development environments. AUDREY aims to be as language- and IDE-agnostic as the underlying infrastructure allows. We discuss the challenges of implementing AUDREY with state-of-the-art technologies for future work.

Posted by scg at 10 January 2020, 11:15 am

Testability First!

M. Ghafari, M. Eggiman, and O. Nierstrasz. Testability First! In 2019 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM), p. 1-6, September 2019. Details.


Background: The pivotal role of testing in high-quality software production has driven a significant effort in evaluating and assessing testing practices. Aims: We explore the state of testing in a large industrial project over an extended period. Method: We study the interplay between bugs in the project and its test cases, and interview developers and stakeholders to uncover the reasons underpinning our observations. Results: We realized that testing is not well adopted, and that testability (i.e., ease of testing) is low. We found that developers tended to abandon writing tests when they assessed the effort to be high. Frequent changes in requirements and pressure to add new features also hindered developers from writing tests. Conclusions: Regardless of the debates on test first or later, we hypothesize that the underlying reasons for poor test quality are rooted in a lack of attention to testing early in the development of a software component, leading to poor testability of the component. However, testability is usually overlooked in research that studies the impact of testing practices, and should be explicitly taken into account.

Posted by scg at 11 December 2019, 1:14 pm
Last changed by admin on 21 April 2009