Reverse Engineering of Program (Android, All)

Androguard      ApkInspector    DroidBox   Smali


Github Page (tutorial1, tutorial2, tutorial3 Jekyll Tutorial)

Weka (IBM tutorial, Convert CSV to ARFF)

Program Analysis and Verification

Reading List:

Infer identity from Android public resource
App Recommendations with Security and Privacy Awareness

Interesting topics:

The Architecture of Open Source Applications

Lisp and Clojure


Mobile app state

Web & Mobile Group on W3C

Cucumber and its android tool

OpenIntents (List of intents)

Android security applications


CSCOPE; Source_insight

Maven: The Complete Reference; Maven by Example

How to Think Like a Computer Scientist(python)

Koans series (maven, ruby, javascript)

Android Developer Challenge

Git online learning

Architecture of scalable website

Interdroid(Android distributed app platform)

0xbench(Android system benchmark)

aster(Android System automated testing)

Android Library & Resources

David Brumley

App Inventor(Education Tool)

ESC/Java2(Java Static Analysis)

The Checker Framework


Go mobile


Google Venture Library


secure se (Android benchmark and tools)

Javassist (Java bytecode engineering toolkit)



UI Automator Test Framework

GitHub Archive

GitHub Global Search

Android Market API

AppAware API

Improving Layout Performance

Android Performance tips (including benchmark (code))


Interesting product and sites:



Conference and Journal 

Mobile Testing Tool

Writing: OWL

ebook: bookFinder; Library Genesis; Library Genesis II


How to Read a Paper

It’s okay to quit



Java regular expression

customized Hadoop inputformat


Famous computer failures




Many malware samples can no longer be executed:

Reason 1: Unable to resolve host “”: No address associated with hostname



sha256sum fileName


Dump AST: `swiftc -dump-ast` or `swiftc -dump-parse`




PMD (built in to a zip, then find executable in zip)

Find code clones in repos:

./ cpd --minimum-tokens 1000 --files ~/Git/mfiosdev/ --language swift --skip-duplicate-files > All_1000


Experiment command:

find . -name '*.jimple' | xargs wc -l

Malware reports:

Snoopy Android Adware Poses as Power-Saving Patch

‘FakeInstaller’ Leads the Attack on Android Phones



Vim settings: disable automatic visual mode (:set mouse-=a); paste mode, which prevents auto-indentation (:set paste, :set nopaste)


Refresh (Actually hit the refresh button) the page to reload “.js” files for updated webpage.



Java heap & stack: an object is in general created on the heap (because its scope might not be local; it might be referenced outside the method), unless escape analysis is certain that the object is local.

GC algorithm : Mark and Sweep


Major reasons why soot cannot resolve some apks:

1. Inability of JDK ZipFile class:


Need to figure out where to put the Scene.v().forceResolve statement.

I put one when initializing Soot. It seems that it will affect the class-loading process. A lot of classes will be phantom classes.



Smali grammar (Dalvik opcodes)


Nissenbaum’s notion of “privacy as contextual integrity” —-Nissenbaum, Helen. Privacy in context: Technology, policy, and the integrity of social life. Stanford University Press, 2009.



When zipping dex back into an apk, run zip from inside the directory:

zip -r a.apk ./*

Otherwise the internal structure will break, and static analysis tools may not be able to run.
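The layout difference described above, as an added example that is not part of the original notes: it builds the same file set once zipped from inside the directory and once from the parent, then checks where AndroidManifest.xml and classes.dex end up. The file contents and the directory name `unpacked/` are constructed for illustration.

```python
import io
import zipfile

# Files that Android tooling expects at the top level of an APK.
REQUIRED_AT_ROOT = ("AndroidManifest.xml", "classes.dex")

# Constructed sample content standing in for an unpacked APK directory.
SAMPLE_FILES = {
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00",
    "res/layout/main.xml": b"<LinearLayout/>",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
}


def build_archive(files, prefix=""):
    """Return an in-memory zip whose entry names are prefix + name.

    prefix="" mimics `cd unpacked && zip -r ../a.apk ./*`;
    prefix="unpacked/" mimics `zip -r a.apk unpacked/` run from the parent.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(prefix + name, data)
    buf.seek(0)
    return buf


def wrapper_prefix(names):
    """Return the single leading directory shared by every entry, or None."""
    tops = {n.split("/", 1)[0] for n in names}
    if len(tops) == 1 and all("/" in n for n in names):
        return tops.pop() + "/"
    return None


def layout_problems(apk):
    """List layout problems of an APK (path or file object); empty list means OK."""
    with zipfile.ZipFile(apk) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    problems = []
    prefix = wrapper_prefix(names)
    if prefix:
        problems.append("all entries sit under %r: zipped from outside the directory" % prefix)
    for required in REQUIRED_AT_ROOT:
        if required not in names:
            nested = [n for n in names if n.endswith("/" + required)]
            where = "found at %r" % nested[0] if nested else "absent"
            problems.append("%s not at archive root (%s)" % (required, where))
    return problems


if __name__ == "__main__":
    for label, prefix in (("zipped inside the directory", ""),
                          ("zipped from the parent", "unpacked/")):
        result = layout_problems(build_archive(SAMPLE_FILES, prefix))
        print(label, "->", result or "layout OK")
```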


ByteCode analyzer: JavaAssist (Example),  ASM, Apache Common BCEL

Searching annotation in a code base: Annotation101


Motivation: reach a balance between privacy preservation and advertising revenue.

Two types of external libraries have privacy-infringing behavior: ads libraries and analytics libraries (e.g., flurry)

1. Study what the sources of info are

2. Replace info with a pre-trained profile (with different combinations)

3. See how the ads react

Goal: which info (or combination of info) is mainly used in tracking?


1. Soot/Wala analysis on jar files.


study mobile botnet behavior based on course slides, for example, how many download bot code, how many disable anti-virus, what is the attack process etc.


If no permission to write to emulator:

$ ./adb shell


mount -o rw,remount rootfs /

chmod 777 /mnt/sdcard



Presentation: Examine the slides and remove any text/images not involved in your talk.


Running Appcontext:
1. Mytest
2. Replace “/” with “//” in csv
3. Add maliciousness column
4. Run EntrypointParser



Bitcoin

Software Defined Networking (SDN) (28 (Prefix hijacking etc.; Add more AS to control the path BGP will choose))


[Log] Dentist



[Log] android.content.res.AssetManager: open() is not in Susi’s source list. How to ensure the completeness of sources and sinks?


[Log] [Weka] To exclude ID in classifying but output it in the result: Choose the FilteredClassifier, with the RemoveType as the filter, and whatever classifier you prefer. Then, open “More options…” in the “Test options” box and enter the index of the identifier attribute into the “Output additional attributes” field. To enable this field, you have to tick the “Output predictions” box first.


[Log] [Machine Learning]overfitting:  If we supply too much data into our model creation, the model will actually be created perfectly, but just for that data. Remember: We want to use the model to predict future unknowns; we don’t want the model to perfectly predict values we already know. This is why we create a test set. After we create the model, we check to ensure that the accuracy of the model we built doesn’t decrease with the test set. This ensures that our model will accurately predict future unknown values.

Pruning: like the name implies, involves removing branches of the classification tree. Why would someone want to remove information from the tree? Again, this is due to the concept of overfitting. As the data set grows larger and the number of attributes grows larger, we can create trees that become increasingly complex. Theoretically, there could be a tree with leaves = (rows * attributes). But what good would that do? That won’t help us at all in predicting future unknowns, since it’s perfectly suited only for our existing training data. We want to create a balance. We want our tree to be as simple as possible, with as few nodes and leaves as possible. But we also want it to be as accurate as possible. This is a trade-off.


[Log] Copy all files but one

find src/ -maxdepth 1 -type f ! -name Default.png -exec cp {} dest/ \;


[Log] Benign app sample (search gmail: APPLICATIONS.tar.gz or apps_under_1mb.tar.gz)



[Log][AppContext] the handling of icfg should be in the wjtp phase, otherwise the icfg would be in baf format


[Log] [AppContext] Traverse algorithm to collect conditionStmt for each entrypoint: create a new class DFSPathQueue that can trace paths during DFS.


[Log] Line feed (LF, \x0A) and carriage return (CR, \x0D)

[Log][PL] Relationship between the fixed-point theorem and program analysis techniques:
See Page 14:
The fixed-point theorem is used to prove that a program analysis technique can produce maximum (largest) or least solutions.


[Log] [Writing] Define a concept: why you define it this way, what the definition is, what the term represents. (Personally I feel that a good order is: why we need the definition -> definition -> what it represents -> why you define it this way)

[Log] Java2Html

[Log] [FlowDroid] The elements in JimpleBasedInterproceduralCFG will change from jimple to baf as the soot phases proceed.

CallGraph cg = Scene.v().getCallGraph() gets the same result after the wjtp phase.

[Eclipse] Eclipse workspace in use problem, solution: delete the .lock file in the .metadata directory in your eclipse workspace directory

[Log][FlowDroid]Three problems:
1. the target “” in the callgraph become$stub when iterate through the body of the src method of “”.
Another instance of it is “”. When I go into the body of src, it become “”
3. In callgraph it’s detail method like () , in icfg the method get through icfg.getCallersOf(icfg.getMethodOf(u)) is . To get around I have to use CG with ICFG. Note: I use cgEdge.getSrcUnit to solve the problem, I suspect icfg.getMethodOf(u) may have a bug.

[Log][soot] instead of using soot.Main.main(args);, We can use PackManager.v().runPacks(); PackManager.v().writeOutput();  to first set all the configuration, then run soot.


[Log] [Java] Java object’s notify and wait method (Concept of Monitor; Tony Hoare’s paper; Java Synchronized block)

[Log] [AppContext] Inside the Timer.schedule method:

schedule(TimerTask task, long delay, long period)
-> sched(task, System.currentTimeMillis() + delay, -period)   // sched(TimerTask task, long time, long period)
-> task.nextExecutionTime = time;

TimerThread.mainLoop():
    currentTime = System.currentTimeMillis();
    executionTime = task.nextExecutionTime;
    if (taskFired = (executionTime <= currentTime)) {
        if (task.period == 0) {
            // non-repeating task
        } else {
            queue.rescheduleMin(task.period < 0 ? currentTime - task.period : executionTime + task.period);
        }
    }
    if (taskFired)  // Task fired; run it, holding no locks
        task.run();

Note that it’s = and not == in if (taskFired = (executionTime <= currentTime)): the value of the condition is the same as (executionTime <= currentTime), and at the same time that value is assigned to taskFired.

Conclusion: Timer.schedule has a conditional statement, and execution of the task is influenced by System.currentTimeMillis(), long delay and long period; predicting whether a thread will run repeatedly is hard. We should regard timer.schedule as a separate type of control: frequency, or a while (true) loop.
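An added example, not part of the original notes and not JDK code: a Python model of the rescheduling rule in TimerThread.mainLoop for a single task, showing how the firing times depend on the clock when one run overruns its period. The fake clock, the function names and the run durations are assumptions made for the illustration; scheduleAtFixedRate is included because it reaches the same loop with a positive period.

```python
def main_loop(first_time, period, run_durations):
    """Model TimerThread.mainLoop for one task and return the times it fired.

    period keeps the sign convention of sched():
      negative -> fixed-delay (Timer.schedule), next = currentTime - period
      positive -> fixed-rate (Timer.scheduleAtFixedRate), next = executionTime + period
      zero     -> one-shot task
    run_durations[i] is how long the i-th task.run() takes (constructed values).
    """
    clock = 0                      # stands in for System.currentTimeMillis()
    next_execution = first_time    # task.nextExecutionTime
    fired_at = []
    for duration in run_durations:
        if next_execution > clock:
            # Task not due yet: the thread waits until executionTime.
            clock = next_execution
        current_time, execution_time = clock, next_execution
        fired_at.append(current_time)          # taskFired is true here
        if period == 0:
            break                              # non-repeating task
        if period < 0:
            next_execution = current_time - period
        else:
            next_execution = execution_time + period
        clock += duration                      # task.run() on the timer thread
    return fired_at


def schedule(delay, period, run_durations):
    """Timer.schedule(task, delay, period): period is negated before sched()."""
    return main_loop(0 + delay, -period, run_durations)


def schedule_at_fixed_rate(delay, period, run_durations):
    """Timer.scheduleAtFixedRate(task, delay, period): period stays positive."""
    return main_loop(0 + delay, period, run_durations)


if __name__ == "__main__":
    durations = [250, 10, 10, 10]   # the first run overruns the 100 ms period
    print("fixed-delay:", schedule(0, 100, durations))
    print("fixed-rate :", schedule_at_fixed_rate(0, 100, durations))
```

With the same delay and period, the two calls fire at different times after the slow first run, which is why a static analysis cannot read the firing pattern off the arguments alone.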



[Log] Using soot to get callgraph:

1. Default CG algorithm + Add new SceneTransformer() {…}

2. Spark + runPacks

all with repackaged jar.


[Log] Fennec(Firefox Mobile): codeBase; IRC;


[todo] callgraph(queuereader);


[Log] The meaning of sources and sinks varies depending on the calling context. For example, in the sink < void write(byte[])>, the OutputStream could be obtained from URLConnection.getOutputStream(), it could also be obtained from OutputStream os = new FileOutputStream("test.txt"), and it could even be java.lang.Process: getOutputStream().


[Log] Leverage the built-in DownloadProvider to inject the download into content://downloads/download


[Log] Common Androlyze command:

a, d, dx = AnalyzeAPK("/home/wyang/workspace/CommandLine/samples/DroidDream/26dd1126da55fd0754a0b96d877ac0f36f248e99.apk"); show_Permissions(dx);  a.get_permissions()

is_reflection_code(dx); is_native_code(dx); is_dyn_code(dx); show_ReflectionCode(dx);  show_NativeMethods(dx);

z = dx.tainted_variables.get_string("exploid"); z.show_paths(d)

z = dx.tainted_variables.get_field("Lcom/google/android/smart/s;","a","Lcom/google/android/smart/x;")

show_Paths(d, dx.tainted_packages.search_methods(".", "getAssets", "."))

Don’t forget the semicolon “;”





[Log] Delete files before a certain date (using xargs to pipe the result to the next command)

 find . -mindepth 1 -maxdepth 1 -type d ! -newermt "2014-06-23 22:02:00" -print0 | xargs -0 rm -rf


[Log] Download some of the sources of Malware mentioned here to workspace/git

How to find and install the missing file in Ubuntu:

apt-file search zlib.h


[Log] The sources and sinks in susi seem redundant. (Even subString() is a sink)



Remove files created at certain time: find . -type d -cmin 179 | xargs rm -rf

The difference of SIGTERM and SIGKILL (popen.terminate vs popen.kill on python) :


[Log] Pipe one output to multiple inputs with the tee command:

ls *.txt | tee /dev/tty txtlist.txt


[Log] Remember to add break in java’s switch case statement, because:  

All statements after the matching case label are executed in sequence, regardless of the expression of subsequent case labels, until a break statement is encountered. 


[Log] Different methods used in the sourceSink file and resourceAPI file may lead to problems: for example,

In resource API file, the internet connection is

< openConnection()>

while in sourceSink file, the sink of internet is

< void <init>(java.lang.String)>


[Log] The sensitivity of (the sources of) the information flows depends on the calling contexts of the information flows.

What are the elements in the calling context that can determine the sensitivity?

In GoldDream, it’s the action and the extra key of the Intent. For each type of sensitive information, we should develop a bunch of signatures that will reflect the extraction/source of the information.


[Log] Potential improvement on appobaseline:

1. Currently we only use the extra string to figure out the type of information extracted from the source. In future, we can use the intent action type in the if statement and the intent filter of the component to minimize the false positive.


Epicc: retargeted parameter should point to the “retargeted” subdirectory that dare generates, like this:

-android-directory $outdir/dare/$apk_base/retargeted/*

Python String manipulation

word = "Hello World"     # sample value
print(word[0])           # get one char of the word
print(word[0:1])         # get one char of the word (same as above)
print(word[0:3])         # get the first three chars
print(word[:3])          # get the first three chars
print(word[-3:])         # get the last three chars
print(word[3:])          # get all but the first three chars
print(word[:-3])         # get all but the last three chars


[Log] Explicitly make python call 64-bit java when allocating heap space memory (Post)


[Log] BA automata

manually removing the misses;

binary instrumentation for ARM; PIN; Code generation (instruction count)


[Log] Handle possible Python exceptions (especially IO exceptions) and log the error instances in the first place; otherwise the whole script will stop.

invalid syntax in python: usually occurs because of parentheses; check the line above to see if any parenthesis is missing.


[Log] Python IO: open() returns a file object:

f = open('workfile', 'w')
for line in open('workfile') yields each line, which is the word in the sentence plus '\n'; passing line directly into wn.synsets will cause a mistake.


[Log] Using derby: java

[log] Python unzip tarball: when using the extractall() method of tarfile, use an absolute path (os.getcwd()) instead of a relative path (. , ..).


[Log] Using  facade API edu.cmu.lti.ws4j.WS4J  to calculate similarities.

1. Put the two sets as input, output the top 10 related words for each permission and their score in each metric.

2. Use whyper semantic model to do it again.

3. Try it for each API methods.


[Log] privacy related behavior that is not data transmission:


Not for third-party apps (apps with system certification only)





abortBroadcast will prevent any other broadcast receivers from receiving the broadcast. This design is weird…

If you give the foreign application a PendingIntent you created using your own permission, that application will execute the contained Intent using your application’s permission.



[Log] Classify the events in the system (convey information or receive instructions from users)

(Then enforce policy that what it could do) (leverage which permissions etc.)



[Log] Firing Event from command line:

SYSTEM: adb shell am broadcast -a android.intent.action.BOOT_COMPLETED -c android.intent.category.HOME -n package_name/class_name

Lifecycle: onCreate:

adb shell am start -n package_name/class_name


adb shell am kill package_name


[Log] Example: MoonSms

[Log] Implementation optimization:

1. Use full path name rather than short version in the .dot file.

2. Start soot once for all construction.

3. Add methods other than startActivity in the implementation. (Or use epicc)

4. Solve the bug bin forward

5. Bug: The method list is not complete (f9bb3fc540b5e45ea9346d267455e1487644e1dc.apk)


[log] fix hard disk error: Chkdsk


[log]WindowsError: [Error 2] The system cannot find the file specified

This is because I haven’t set the environment variable for Java. Add “C:\Program Files\Java\jdk1.7.0_51\bin” to PATH.


[Latex] newcommand number parameter


\ifnum#1=1 %

temporal condition


temporal conditions

\fi }

[Log] Problem with xml parser when parsing xml files. The charset is org.xmlpull.v1.XmlPullParserException: start tag unexpected character


[Log] System event: Life cycle methods can be inferred from intent-filter and its name(onResume etc.); Other system event method (mostly inner class(listeners)): LocationListener.onLocationChanged; MediaPlayer.OnCompletionListener.onCompletion; SharedPreferences.OnSharedPreferenceChangeListener.onSharedPreferenceChanged;

Activity: onConfigurationChanged;onLowMemory;

onProvideAssistData;onSearchRequested; onTrimMemory; onActivityResult;

UI events: AppWidgetProvider.onUpdate; AppWidgetProvider.onAppWidgetOptionsChanged; AppWidgetProvider.onEnabled;  AppWidgetProvider.onDisabled; AppWidgetProvider.onDeleted;  Activity.onWindowFocusChanged; Activity.onOptionsItemSelected


[Log] DroidDream Light uses the notification bar to advertise a large number of URLs. It doesn’t require any permission to get source, nor does it require any internet access. Malware and benign application


[Log] Error: when searching the parent nodes of startService for init, setclass, setcomponent…, the parameter that is found may be an activity…


[Log] BaseBridge\396888b036203ee436f860b664aec91f8b40afdc.apk registerReceiver  Intent attack



[Log] Discount Usability Testing :involves user testing with low-tech paper mock-ups to get rapid feedback on early design

[TODO] Usability of Mobile Websites



[Log] The intent-filter also needs permissions. We do know when these permissions are being used, but we can’t explain what they are used for.


[Log] Install vmware tool to share folder; for 12.04



[Log] When an “init” method is found in the call graph, it could be an ad library method that has never been invoked.


[Log] pig:

grunt> Records = LOAD 'wikisnapLink/part-00000' AS (title:chararray, time:int);

A = ORDER Records BY time DESC;

B = LIMIT A 10;




[Log] The DOTALL mode can make dot match newlines. (Post)

Using Scanner(File source) might cause problems; use Scanner(Readable source) instead. (Post)


[Log] Some of the security-critical methods are invoked by a Service or BroadcastReceiver, while these Services or BroadcastReceivers are triggered by system intents (inferred from the manifest file). So we also need the manifest file here to infer the user-perceived events. (Reason that we need information in addition to the call graph: we don’t know who invokes a Service or BroadcastReceiver from the call graph.)
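An added example, not part of the original notes: reading a manifest that has already been decoded to text XML and labelling each component by what can trigger it, which is the information the call graph lacks. The sample manifest, the package and class names, and the short list of system actions are constructed for illustration and are not exhaustive.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Assumption: a small, non-exhaustive set of actions sent by the system.
SYSTEM_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.provider.Telephony.SMS_RECEIVED",
    "android.net.conn.CONNECTIVITY_CHANGE",
    "android.intent.action.PHONE_STATE",
}

# Constructed sample of a decoded AndroidManifest.xml.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootReceiver">
      <intent-filter android:priority="1000">
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name="com.example.sample.sms.SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""


def qualified(package, name):
    """Expand the manifest shorthand (.Foo or Foo) to a full class name."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def entry_points(manifest_xml):
    """Map each declared component to its kind, filter actions and trigger."""
    root = ET.fromstring(manifest_xml.strip())
    package = root.get("package", "")
    app = root.find("application")
    found = {}
    if app is None:
        return found
    for kind in ("activity", "service", "receiver"):
        for comp in app.findall(kind):
            actions = [a.get(ANDROID + "name")
                       for f in comp.findall("intent-filter")
                       for a in f.findall("action")]
            if any(a in SYSTEM_ACTIONS for a in actions):
                trigger = "system-event"    # fired by the platform, no user action
            elif actions:
                trigger = "intent"          # reachable through an implicit intent
            else:
                trigger = "explicit-only"   # started from code: resolve via call graph
            name = qualified(package, comp.get(ANDROID + "name", ""))
            found[name] = {"kind": kind, "actions": actions, "trigger": trigger}
    return found


def system_triggered(manifest_xml):
    """Names of Services/BroadcastReceivers that a system intent can start."""
    return sorted(name for name, info in entry_points(manifest_xml).items()
                  if info["trigger"] == "system-event"
                  and info["kind"] in ("service", "receiver"))


if __name__ == "__main__":
    for name, info in entry_points(SAMPLE_MANIFEST).items():
        print("%-45s %-9s %s" % (name, info["kind"], info["trigger"]))
```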


[Log] 09b143b430e836c513279c0209b7229a4d29a18c.apk -> yoyo Player (Crash on Nexus 7)

53dc08f08005f374a957afa44607ab52f205b684.apk ->Dandelion (Background wallpaper service)

730fed46dc7f13691906f46111ee5e05aa1b854e.apk -> I’go reader

8a15729f0f7fcdb68782fe78429a714225e58610.apk -> camera show


! LaTeX Error: File `listings.sty' not found.

Change type TarBzip2 to TarLzma in [listings] entry



[Log] For those apps throwing “staticness” exception, I use log3 to mark them (including those with non-ASCII characters). I commented out a line in “SootMethodRefImpl.checkStatic(SootMethod ret)”:

throw new ResolutionFailedException("Resolved " + this + " to " + ret + " which has wrong static-ness");

For those apps throwing “ambiguous method” exception, I use log4 to mark them. I commented out a line in “SootClass.getMethodByName(String name)”:

throw new RuntimeException("ambiguous method: " + name + " in class " + this);


[Log] The previous script failed to generate all call graphs because of the missing platform API. I downloaded all APIs and added a script to generate the missing call graphs.

[Log] replace non ASCII character in String

String resultString = subjectString.replaceAll("[^\\x00-\\x7F]", "");


[LOG] Add the following code to SetupApplication.calculateSourcesSinksEntrypoints(Set<AndroidMethod> sourceMethods, Set<AndroidMethod> sinkMethods):

Transform transform = new Transform("cg.checkCG", new SceneTransformer() {
    protected void internalTransform(String phaseName, @SuppressWarnings("rawtypes") Map options) {
        // Process the worklist from last time
        CallGraph cg = Scene.v().getCallGraph();
        // Other node names used: ContextWrappergetContentResolver; MainActivityaddBillAmount
        Set<MethodOrMethodContext> method = CallGraphPrinter.findNode(cg, "LocationManagerrequestLocationUpdates");
        CallGraphPrinter.printSubCG(cg, method);
    }
});



[log] Writing: artifacts (data, network traffic) cannot represent program behavior. Does a model representing the program behavior contain the information of when the program has this behavior? Can the representation of such information be understood by humans? User-comprehensible context information is important to identify program features/functions/behaviors.



[log] I comment out app.calculateSourcesSinksEntrypoints("SourcesAndSinks.txt"); to make android flow run faster.


[BIB] The computer scientist as toolsmith II : “intelligence amplifying systems can, at any given level of available systems technology, beat AI systems. That is, a machine and a mind can beat a mind-imitating machine working by itself.”


[Bib] Helping Users Avoid Bugs in GUI Applications: It shares the same motivation of avoid bug in inter application interaction.


[log] The activity that receives the intent data may not be the one that processes it. Example: when the hangout app receives a text intent, it first asks the user to choose the person they want to talk to, then passes the text in the intent to the conversation activity.

[Bib] Mining behavior model from GUI


[log] Add print machine: \\engr-print-01 UofI\NetID Detail Instruction


[bib] A common practice for application developer to write intent-filter is use code search engine to search Intent field key words (for example, search android.intent.action.SEND )


[bib] (Epicc) “We found that the majority of specifications were relatively narrow, most ICC objects having a single possible type. Also, key/value pairs are widely used to communicate data over ICC” (extra or extras field)


[bib] (Constraint-Based Automatic Test Data Generation) Theory: In a mutation system, the tester’s goal is to create test cases that kill each mutant. Put another way, the tester attempts to select inputs that cause each mutant to fail; Mutation operators are designed to represent common mistakes that a programmer might make. The assumption behind any criteria for generating test data is that the subset of inputs chosen will find a large portion of the faults in the program as well as help the tester establish some confidence in the software (kill all the mutant means exclude common mistake from the software thus building confidence for programmer);  Approach:


[TODO] Try out Android inter application analysis tool epicc


[log] HierarchyViewer shows that pure phonegap application only has a webview, it can not detect what’s inside webview.

Tracer for openGL ES will show more detail activity from GPU’s perspective but your application becomes very slow when you enable the feature from tracer to capture screenshot.


[Ideas] Comparing the model generated by ORBIT to examine the consistency.

[Todo] Group traces based on their data features; Read phonegap source code to know which JS method will trigger related java method.

[log] Start MongoDB: (related post)


[Problem] When and where to use hardware acceleration (like translate3d)? Different platforms have different levels of support for hardware acceleration, and performance can vary. Detail in this post


[log] search google code project on

[log] google code subjects: aiyou;geolocation markerMHC-appen(Gplay);bankmobilewebehighlingshidaoNumberGuessAdroCVfinesappParty;

github subjects: wikipediahtml5googleauthteamtoy,phonegap-explorer,Freshfood, Wakable, Drupalgap(gplay), tinybobeermedirectory-backbone-topcat, Lil-doodleLegends (blog post), NameTrendz,

other subjects: kitchensink


[log] When adb devices cannot find the process, terminate adb.exe in Task Manager

[log] Use “adb shell input” command when monkeyrunner and robotium not working. See here

[log] code numbers for adb input event (Post)

[log] Use “adb shell am” to control application (start, kill etc) from command line (Question)


[log] Find current activity name using

adb shell dumpsys activity

or dumpsys window. (See the question here)

[log] Use python script’s full path to run monkeyrunner like:

monkeyrunner D:\Programming\Workspace\Python\monkeyRunner\ (See question here)

[log] Use --throttle to slow monkey down.


[Note] Shell and python subprocess


[Log] SurfaceFlinger is in charge of putting your pixel on to the screen.

Application thread: deliverInputEvent marks the delivery of touch/input event; Deque (receive buffer from SurfaceFlinger)

[Log] phonegap’s path by npm installation: C:\Users\david\AppData\Roaming\npm

All command-line usage

$ phonegap create my-app
$ cd my-app
$ phonegap run android


[Log] In systrace, performTraversals blocks will tell you how long the application spent drawing a frame.(cite from this post)

[TODO] Anatomy & Physiology of an Android


[TODO]Web app( and webview(



[Log] Traceview: not working on either Emulator or Phone, on Linux or Windows. Seems to need a kernel rebuild to solve the problem.

[Log] Unbrick Samsung galaxy s3: I bricked the phone by accidentally flashing a different version kernel (4.0.4) on the phone.


[Log] When adb can’t find devices, try using Task Manager to kill adb.exe (or use adb kill-server) and then restart adb with adb start-server.

[Log] When you can’t chmod a file, try not using sudo. If you still can’t, copy it to some other directory, chmod it, and move it back.

[Log] tadb.exe (a tencent android component) will override the adb command. Use dir tadb.exe /a /s to find all tadb.exe and delete them.


[Log] Setting a listener(page 27 of the slide) in ViewTreeObserver or set DEBUG_FPS to true in the android framework source will record the frame rate.

[TODO] 1.Go over github apps by stars(auto & manually) 2. Systrace 3.


[Log] (Bug) Wikipedia:

1. when click the textfield for search, the keyboard won’t popup (after scrolling the screen a little bit, it will)

2. In 冲2, the arrow direction does not change after tapping 故事大纲 (Plot outline) (iOS will respond but the Android version won’t) (Android version 1.3.4 Gplay 01/22/2013); overall the expand action is laggy (on iPhone 4).



[Log] Extract 964 app in Phonegap Android page; Get 885 Valid App ID; 79 Apps reside in other markets(non-googleplay market).


[Log] Add a capital L to the end of your long number:

[Log] Separate manual editing and program editing files to prevent override. (Don’t use program to write to the manual editing file, at least make a copy of the file if you have to.)

[Log] using jsoup library to get all App ID address.

[Apache POI] After modifying the workbook, remember to write the workbook object to the file:

try {
    FileOutputStream fileOut = new FileOutputStream(workbookName);
    workbook.write(fileOut);   // workbook: the modified Workbook object
    fileOut.close();
} catch (FileNotFoundException e) {
    // TODO Auto-generated catch block
    e.printStackTrace();
} catch (IOException e) {
    // TODO Auto-generated catch block
    e.printStackTrace();
}


[Log] ID excel ->Download Comment -> Comment Document -> Analyse comment -> Organised comment document and Analysed result.

[POI API] Check the component map to see the jar you may miss:

related question:

[Java] When search in string, dot should be represented as “\\.”, when write to string, it can be represented as both “.” and  “\\.” (the first argument in String.replaceAll() is a regular expression, not a literal string.)


[Log] Pre-processing steps: 1. \t -> space; \’ ->’ ;  \” ->”; – -> space;

Analyse criteria:  percentage of performance comments in all/in each level/


[Writing] Comment for reading JavaMicroBenchmark in caliper: Compilation(or JIT compilation) should know how to optimize the code; The things that developer need to do is to make structural changes: Move the redundant calculation out of loops; Decide which part written in web code and which part in native code.

[Idea] Study the practice of intent and its content resides in URI; and the handling of the intent. To see whether the two concur.

[Idea] Identify which CSS element slow down the performance of the whole page. According to IO12 video “Jank Busters”.; And the way to exercise different actions (like scrolling)


[Idea] Why design, cannot be carried out in a test driven fashion, just like development does?


[Idea] Detecting UI constraints: if the UI appears too early (before all the resources are loaded or prepared) or disappears too late (after the action has already been fired; the user might feel impatient and fire the same action again and again; probably due to a performance issue so that the UI hangs), the user action on these UI elements may crash the application.


[TODO] 1. Dig the technical detail of bridging web code and native code? 2. What are the hardware acceleration of current devices? 3. Search the hybrid apps on other levels(wrappers, native UIs) (maybe using keywords “html” “mobile” etc.)


[bib] By studying user’s perception to animation and video, the study(The Impact of Cognitive Styles on Perceptual Distributed Multimedia Quality) suggests that the two QoS(Quality of Service) parameters do not impact user QoP(Quality of Perception), multimedia content and dynamism levels significantly influence the user understanding and enjoyment component of QoP

[TODO] 1. There are many existing techniques to improve the performance of HTML5.  But that also applies to web application. Is there any performance bottleneck unique to hybrid apps?


[TODO] 1. Why HTML5 is so different from last 4 versions? 2. Why interpreted code would be slower than compiled code? 3. What make UIWebViews are simply not robust enough to handle the needs presented in a rich application like Facebook? 4. How to improve the performance of HTML5?


[TODO] 1. Best practice of phonegap app (Or web app on Google IO), 2. Try open source and library app. 3. Scrape Google Play comment.(Analysis of user comments: an approach for software requirements evolution. ICSE13′)



Using traceview:

  • Launch your app from eclipse in debugging mode.
  • Go to DDMS View
  • In the devices window there is a small button called Start Method Profiling
  • Click it when you want (you can combine it with breakpoints to get an accurate start/end)
  • When you’re done click Stop Method Profiling
  • A new window in DDMS will appear, similar to traceview, with the same output.

Performance Case Study



[Linux] Search command history:  shortcut of bash “Ctrl + R“, it can “search through previously used commands”


[Linux] Add path to linux: in directory /etc type: sudo vim profile; and then source profile; (source can enable the setting in command line temporarily; Restart to make profile effective)

[Linux] type “printenv” to get the environment variables


./create /home/wyang/Projects/FirstPhoneGapProject com.youngwei.PhoneGapProject1 FirstPhoneGapProject

Don’t use “-” in project name or package ID


How to import the code of an existing open source project (using phonegap build) into a project that can use command build:

1. First create a new PhoneGap application. And override the assets/www directory with existing code:

$ /path/to/cordova-android/bin/ ./create /path/to/my_new_cordova_project com.example.cordova_project_name CordovaProjectName

2.  Build( For Debug):

/path/to/my_new_cordova_project/cordova/ ./build --debug

3. Run

/path/to/my_new_cordova_project/cordova/ ./run [Target] [Build]

where [Target] [Build] are optional parameters.

  • Target specification. This includes --emulator, --device, or --target=<targetID>.
  • Build specification. This includes --debug, --release, or --nobuild.


[Idea] Summarize the feature of each phone and create API mapping for equivalent functionality.


[Idea] The location of the code statement triggering collateral failure in the whole program structure will provide information for the fix.

[Idea] As described in this post, it’s very hard to automatically (or even manually) know the source of an Intent to set up different data android:scheme. How to infer such information?

[Idea] Collateral failure is the simplest to detect. The work of finding oracle to help propagate other faults is essential.


[Latex] Remove binary files (.aux, .gz files etc.) from the last build if you find weird compilation errors, and then recompile. Something might be wrong in the .bib file if you can compile the tex file before compiling the bib file but get a compilation error after compiling the bib file.

[Idea] Testing HCI rather than GUI. Challenges/Tasks: 1. Modeling interaction; 2. Generate test cases.



Usability evaluation: task completion steps; number of touches; total navigation distance.



Initialize repository: git remote add [alias] [url]

Check the changes before commit: git status

Switch to a branch: git checkout [branch]

Merge a branch into current one: git merge [branch]

Final push: git push (-u) [alias] [branch]



Sharing data between applications results in an unexpected loss of control of that data. Much research has focused on the security part, but security as a whole is about unexpected functionality. We will study whether the intent and intent-filter pair is sufficient to advertise or constrain the functionality.



A sequence is like a bit of genetic code. It helps things to unfold in the right way. A human embryo follows steps as it grows, and if it misses a step then there is a malformation. But ten embryos following the same sequence well lead to ten very different people, each one unique.

A sequence means a different process.

Normally what happens when you build a house, for example, is that an architect tries more or less to understand what you want and makes a blueprint. But a blueprint and CAD designs are mostly guesswork about what is going to be just right for the dimension of a room or the placement of a window. It’s like tossing thirty coins all at once and hoping they all land on heads. Never works. A sequence is figuring out which decision has to come first and getting it right and then moving to a second decision. Like tossing one coin at a time, which is actually a much better, faster, and less expensive way to get to thirty coins all on heads. But if you work from a blueprint you are stuck with your guesses and the builders, who aren’t the architect, just have to follow the blueprint, even when they know a much better solution. It’s a silly way to do things.

(My comment) Formal writing is more like blue print. Before we figure out the outline of a research project(Problem, technical challenges), we need to understand the sequence of things we should do on this project.

(Recurring iteration like Finding problem-> possible solution -> applied to more problems -> prune the solution)

( How developer develop inter-application communication -> What’s the common bugs -> How to detect those bugs -> How to fix those bugs -> How to prevent those bugs )


[Programming] A serialization bug. The package name and classname must be exactly the same at the both sides(Serialization and deserialization). Related post.


[Idea] We can use intent flag to assist the crawling and navigating.



  • Study the cooperation of the apps execution. How do I know an app will cooperate well with my own app? As “Activity A’s request (as defined in the intent) is honored over Activity B’s request (as defined in its manifest)”, the activity B will run in a different behavior than developer expected.
  •  test for navigation behaviors that might conflict with the user’s/developer’s expected behavior

[Idea] Study the responsiveness of Android application(How the life cycle(Intent flag) should be arranged to improve the responsiveness; How to keep the resource consumption of the background application to the minimum.)

[Android] If Activity A starts Activity B, Activity B can define in its manifest how it should associate with the current task (if at all) and Activity A can also request how Activity B should associate with the current task. If both activities define how Activity B should associate with a task, then Activity A’s request (as defined in the intent) is honored over Activity B’s request (as defined in its manifest). So comparing the model of the app running by itself with the model of the app when it is invoked by others is meaningless. The intent flag is an important factor that affects the application’s GUI model.

[Writing] {Definitions:

A task is a collection of activities that users interact with when performing a certain job. The activities are arranged in a stack (the “back stack”), in the order in which each activity is opened.

Filters advertise the capabilities of a component and delimit the intents it can handle

Activities in the stack are never rearranged, only pushed and popped from the stack—pushed onto the stack when started by the current activity and popped off when the user leaves it using the Back button. As such, the back stack operates as a “last in, first out” object structure.

A task is a cohesive unit that can move to the “background” when users begin a new task or go to the Home screen, via the Home button. While in the background, all the activities in the task are stopped, but the back stack for the task remains intact.

One activity in your application might be instantiated multiple times (even from different tasks)


[Idea]{Can GUI model represent Precondition, postcondition, and abstract invariant checks? Correlation among AUT’s solo model, interactive model and Oracle app’s solo model, interactive model?

Filters advertise the capabilities of a component; Partially describe the Precondition

Flags can be the invariant of GUI model.

Model invariant: The activity state should remain the same when move from foreground to background and then move back.

Application specific invariant: Activity management(If the application sequence is A ->B ->C -> A; Questions on stackoverflow like that: 12,3; “The most common errors/bugs in Android apps” from Quora);


[Idea]How to derive model based specification from task specification (StartActivityForResult(); OnActivity(); etc.)



[Android] Candidate AUT: Dalvik Explorer; Network Log; aLogcat (boundary); Call Meter 3G (boundary)

[Idea] Activity life cycle and thread life. Related post.

[Idea]Task driven UI testing. Post


[Android] PackageManager can help generate an intent to invoke another application (getLaunchIntentForPackage). But this method can only invoke the app the way the app starts itself; if we need to pass some parameter, we may still need an implicit intent.

We can also use PackageManager to verify whether the intent will be resolved on this phone (queryIntentActivities).

An intent can be used to turn applications into high-level libraries and make code re-use something even better than before.

requestCode serves as an identifier that distinguishes where returned data came from. For example, A may start three activities B, C and D and expect data back from each of them; when starting them with startActivityForResult(), assign each one a unique requestCode, and then, when handling the returned data in onActivityResult(), use the requestCode to tell whether the data came from B, C or D and process it accordingly.


[Linux] Java directory for Ubuntu: /usr/lib/jvm

Set JavaHome: Need to verify this post

[Android] Resign the APK so that you can test it. (Android document about AppSigning; A tool; Robotium Document)

Importing existing Android project code into Eclipse is troublesome. (If you don’t have build.xml, as with Dalvik Explorer)



How do background applications work? Syncing (for the sake of less data usage), loading etc…

Traditional Java library applied on Android Platform…

Platform migration and testing technique.

Multiple platform testing.

Using more resource on UI processing, which will save waiting time of the users. But how do you find this balance? Is there any best practice here?

Close unnecessary background process automatically.



Works fine on Emulator, but have error on real machine


Apps need multiple device interaction.


Reproduce a bug based on a bug report. (Because of the diversity of phones and the openness of the system, bugs are hard to reproduce and there is no end of them.)


The main difference from a Java program is in integration testing: the integration method (the communication approach) is different.


Testing: The controllability of Android program(provide the program with needed input) is poor.


May. 24th


Use “java -cp emma.jar emma report -r html -in coverage.em, -sp src/” to generate coverage report


The “adb pull” has different local location when used on command line or on mobile shell(adb shell).


If you hit the error “Unable to find instrumentation info for …”, try:

adb shell pm list instrumentation shows whether the instrumentation test package is installed on your device; adb shell am instrument -w requires the test package to be installed on the device.
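The check described above can be scripted so that a missing test package is reported before am instrument is run. This is an added example, not part of the original notes: the function names are hypothetical, the listing is a constructed sample, and the line format (instrumentation:<component> (target=<package>)) is assumed from typical pm output.

```shell
#!/bin/sh
# Added example. Constructed sample of `adb shell pm list instrumentation`
# output; the test package name com.timsu.astrid.tests is an assumption.
SAMPLE_LISTING='instrumentation:com.example.other.test/android.test.InstrumentationTestRunner (target=com.example.other)
instrumentation:com.timsu.astrid.tests/android.test.InstrumentationTestRunner (target=com.timsu.astrid)'

# Read a listing on stdin and print the instrumentation component whose
# target is package $1. Exit status 1 means no installed test package
# targets it, which is the "Unable to find instrumentation info" case.
find_instrumentation() {
    awk -v target="$1" '
        /^instrumentation:/ {
            sub(/\r$/, "")                       # older adb emits CRLF
            comp = $1; sub(/^instrumentation:/, "", comp)
            tgt = $2;  gsub(/^\(target=|\)$/, "", tgt)
            if (tgt == target) { print comp; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Build (but do not run) the am instrument command line for package $1.
instrument_cmd() {
    comp=$(printf '%s\n' "$SAMPLE_LISTING" | find_instrumentation "$1") || {
        echo "no instrumentation targets $1; install the test APK first" >&2
        return 1
    }
    printf 'adb shell am instrument -w -e coverage true %s\n' "$comp"
}
```

On a real device, replace the sample with a pipe: adb shell pm list instrumentation | find_instrumentation <package>.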


May. 25th

Main for astrid: com.todoroo.astrid.activity.TaskListActivity



Getting the coverage report could not be any simpler: create the ant script for building the test project. Open a command prompt and go to your test project directory:

android update test-project -m <your_main_project_full_path> -p .

and run

ant coverage



More complete version should be:



In this example I expect that your test project is in a folder “tests” in your project folder which gets tested.

  1. Create a build.xml for your project (if it does not yet exist):
     cd <main project folder>
     android update project --path .
  2. Create the build.xml for the test project (that will allow us to do the coverage):
     android update test-project -m <full path to main project> -p tests/
     Somehow “.” does not work and you have to use the full path like “/home/pboos/develop/workspace/project”
  3. Run coverage:
     cd tests/
     ant coverage



Somehow, I always got this error:


[exec] Failure in testRepeatingTaskUpgrade:

[exec] junit.framework.AssertionFailedError: expected:<2> but was:<0>

[exec] at com.todoroo.astrid.upgrade.Astrid2To3UpgradeTests.testRepeatingTaskUpgrade(

[exec] at java.lang.reflect.Method.invokeNative(Native Method)

[exec] at android.test.AndroidTestRunner.runTest(

[exec] at android.test.AndroidTestRunner.runTest(

[exec] at android.test.InstrumentationTestRunner.onStart(

[exec] at$


[exec] Error: Failed to generate emma coverage. Is emma jar on classpath?

[echo] Downloading coverage file into project directory…

[exec] remote object ‘/data/data/com.timsu.astrid/’ does not exist



/home/wyang/astrid/tests/build.xml:92: exec returned: 1

Not valid even after emma.jar in classpath(eclipse or $CLASSPATH). WILL try on my laptop again.




ant -diagnostics | grep home
To check the ANT_HOME



I commented out the testRepeatingTaskUpgrade() test case in Astrid2To3UpgradeTests, in the package com.todoroo.astrid.upgrade.



May 30th.

Commandline error:


Buildfile: /home/david/workspace/astrid-tests/build.xml



[echo] Running tests …


[exec] com.todoroo.andlib.service.DependencyInjectionTests:…….

[exec] com.todoroo.andlib.sql.QueryTemplateHelperTest:………..

[exec] com.todoroo.andlib.test.SimpleAndroidTest:..

[exec] com.todoroo.andlib.test.TodorooTestCase:.

[exec] com.todoroo.andlib.utility.DateUtilitiesTest:….

[exec] com.todoroo.andlib.utility.TitleParserTest:………………….

[exec] com.todoroo.astrid.backup.BackupServiceTests:….

[exec] com.todoroo.astrid.dao.MetadataDaoTests:….

[exec] com.todoroo.astrid.dao.TaskDaoTests:……

[exec] com.todoroo.astrid.gtasks.GtasksDetailExposerTest:……

[exec] com.todoroo.astrid.gtasks.GtasksIndentActionTest:………..

[exec] com.todoroo.astrid.gtasks.GtasksMetadataServiceTest:………

[exec] com.todoroo.astrid.gtasks.GtasksTaskListUpdaterTest:……

[exec] com.todoroo.astrid.gtasks.GtasksTaskMovingTest:…………

[exec] com.todoroo.astrid.model.TaskTests:..

[exec] com.todoroo.astrid.provider.Astrid3ProviderTests:…….

[exec] com.todoroo.astrid.provider.ProviderTestUtilities:.

[exec] com.todoroo.astrid.reminders.NotificationTests:…..

[exec] com.todoroo.astrid.reminders.ReminderServiceTests:…….

[exec] com.todoroo.astrid.repeats.AdvancedRepeatTests:………

[exec] com.todoroo.astrid.repeats.NewRepeatTests:…………………………

[exec] com.todoroo.astrid.repeats.RepeatAfterCompleteTests:….

[exec] com.todoroo.astrid.service.ABTestingServiceTest:…….

[exec] com.todoroo.astrid.service.AstridDependencyInjectorTests:…

[exec] com.todoroo.astrid.service.QuickAddMarkupTest:…..

[exec] com.todoroo.astrid.service.UpdateMessageServiceTest:………..

[exec] com.todoroo.astrid.subtasks.SubtasksMovingTest:…..

[exec] com.todoroo.astrid.test.AstridTranslationTests:……

[exec] com.todoroo.astrid.test.DatabaseTestCase:.

[exec] com.todoroo.astrid.upgrade.Astrid2To3UpgradeTests:.

[exec] Error: Failed to generate emma coverage. Is emma jar on classpath?

[echo] Downloading coverage file into project directory…

[exec] remote object ‘/data/data/com.timsu.astrid/’ does not exist



/home/david/workspace/astrid-tests/build.xml:92: exec returned: 1


Total time: 4 minutes 17 seconds


May 31st

grep   string   /home/location   -r
Finally got coverage, following an email reply on GitHub:

cd astrid

ant all clean

cd ../tests

ant clean emma debug install coverage
adb shell monkey -p com.timsu.astrid -v 500

To see the package name:

1. Launch the application, look at the logcat, and take the part before “/” as the package name;

2. Menu > Settings > Applications > Running


The emulator preserves the application and its state data across restarts, in a user-data disk partition. To ensure that the application runs properly as you update it, you may need to delete the emulator’s user-data partition. To do so, start the emulator with the -wipe-data option.



June 4th


Robotium is better than monkeyrunner, because monkeyrunner needs objects addressed by location (x,y coordinates, which may change as the application evolves), whereas Robotium uses attributes of the object such as text, index, image etc.


June 5th

adb shell am instrument -e coverage true -w


June 6th


./ -cp . -c net.mandaria.tippytipper.activities.TippyTipper -pt 10737 -g ./Demo/Demo.GUI -l ./Demo/Demo.log

new window(s) opened!!!

June 8th

use static analysis to provide more information:

onCreateOptionsMenu means there will be action triggered by MENU key.


Even if IDs are duplicated, we can still apply program analysis to see which onClickListener will be set in the application.



June 11th


Solve the problem of having space in path in shell script.

x="\"test me\""

eval cd $x

A combination of in a double-quoted text constant and an “eval” before “cd” makes it work like a charm!


More reference on eval:
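The eval approach handles the space only because eval re-parses the variable's contents as shell source, so anything else in the directory name is parsed as code too. The block below is an added example, not from the original notes (function names are hypothetical, directory names are constructed); it compares the eval pattern with plain quoting, cd -- "$x".

```shell
#!/bin/sh
# Added example: hypothetical function names, constructed inputs.

# Quoted expansion: the value stays one argument to cd and is never
# re-parsed. "--" keeps a leading "-" from being read as an option.
cd_quoted() {
    ( cd -- "$1" 2>/dev/null && pwd )
}

# The eval pattern from the note: wrap the value in literal quotes and let
# eval re-parse it. The space survives, and so does any other shell syntax.
cd_eval() {
    x="\"$1\""
    ( eval cd $x 2>/dev/null && pwd )
}

# Returns 0 if form $1 reaches a directory whose name contains a space.
reaches_spaced_dir() {
    base=$(mktemp -d) || return 2
    mkdir "$base/test me"
    got=$("$1" "$base/test me")
    want=$(cd "$base/test me" && pwd)
    rm -rf "$base"
    [ "$got" = "$want" ]
}

# Returns 0 if form $1, given a constructed directory name that embeds a
# harmless touch command, ended up running that command.
payload_ran() {
    base=$(mktemp -d) || return 2
    hostile="nosuchdir\"; touch \"$base/INJECTED"
    "$1" "$hostile" >/dev/null 2>&1
    if [ -e "$base/INJECTED" ]; then rc=0; else rc=1; fi
    rm -rf "$base"
    return $rc
}

for form in cd_quoted cd_eval; do
    if payload_ran "$form"; then
        echo "$form: command embedded in the name was executed"
    else
        echo "$form: name was treated as data"
    fi
done
```

Both forms reach “test me”; only the quoted form keeps a directory name from being run as a command, which matters whenever the name comes from a file listing, an archive or user input.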



June 12th

Track setContentView and inflate to construct the widget hierarchy (integration tree).

Information about Inflate:


June 14th

Some actions like fling are customized:

This situation is for


June 18th

Resource usage in the code: Resources r = getResources();


June 21st


jar cvf bundle.jar *


add all the files in a particular directory to an archive (overwriting contents if the archive already exists). Enumerating verbosely (with the “v” option)


To check the entry names in the jarfile, use the “t” option:

% jar tf bundle.jar


June 22nd

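Linux originally did not need a graphical interface at all, because it has a very powerful text interface. Press Ctrl-Alt-F1 (F1 through F6 generally all work) and wait a moment; the system switches to a tty, the so-called text interface. You then need to log in with your user name and password. Note that keyboard input may be rather slow, but it should still be bearable. At the prompt, type top and press Enter; you will see a live table listing the processes that use the most resources. Watch it refresh once or twice, press q to quit, and then enter kill with the PID, which you can see in top. Things should now be a lot faster. If you find the process was not actually terminated, enter kill -KILL with the same PID, and this time it will almost certainly work.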
Monkey may provide some basic functions to carry out actions like fling:


June 28th

Java parameter passing






O’Reilly’s Java in a Nutshell by David Flanagan (see Resources) puts it best: “Java manipulates objects ‘by reference,’ but it passes object references to methods ‘by value.'”




2. Java applications have one and only one parameter-passing mechanism: pass by value.


July 2nd

The equals() method of List returns true if and only if this list contains at least one element e such that (o==null ? e==null : o.equals(e)).

July 9th

Java objects live on the heap, not the stack, and they are *never* implicitly copied (except when they are serialized and sent over a network).

StringBuffer’s equals method returns true only when a StringBuffer object is compared with itself. It returns false when compared with any other StringBuffer, even if the two contain the same characters.

To compare the String objects that are produced by the StringBuffer objects in their current state, use s1.toString().equals(s2.toString())


July 19th


The head of this queue is the least element with respect to the specified ordering.

Comparator compare(T o1, T o2)

a negative integer, zero, or a positive integer as the first argument is less than, equal to, or greater than the second.
July 23rd


How to enable computer keyboard through emulator:


July 24th



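try {
    Thread.sleep(10000); // pause the current thread for 10 seconds
} catch (InterruptedException ie) {
    Thread.currentThread().interrupt(); // restore the interrupt flag instead of swallowing it
}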




July 26th

The following are the EventListeners contained in Android’s View object

July 30th


August 2nd

Add code coverage to Android; running ant in eclipse

Set the argument “emma debug install test” in Eclipse; you cannot run it on the command line because of the dependency problem with Robotium.

Sept 27th

Ant setting on windows

ad-hoc setting:

set ANT_HOME=c:\ant


export PATH=$PATH:/home

Sept 30th

Coverage.em is in bin directory


Oct 1st


When seed number is larger than 1500


INSTRUMENTATION_RESULT: shortMsg=Process crashed.


two observations:

1. Random testing cannot identify the action to be performed and has a very low rate of hitting a valid action, which may result in high overhead.

2. Random testing may fall into a GUI action loop, such as performing the same action against a ListView.

3. Differentiate content and software structure.

4. The widget in navigation bar will be exercised many times.