ICSE 2024
Fri 12 - Sun 21 April 2024 Lisbon, Portugal
Thu 18 Apr 2024 11:15 - 11:30 at Amália Rodrigues - Evolution 2 Chair(s): Massimiliano Di Penta

Mobile apps have become popular for providing artificial intelligence (\emph{AI}) services via on-device machine learning (\emph{ML}) techniques. Unlike accomplishing these AI services on remote servers traditionally, these on-device techniques process sensitive information required by AI services locally, which can mitigate the severe concerns of the sensitive data collection on the remote side. However, these on-device techniques have to push the core of ML expertise (\textit{e.g.}, models) to smartphones locally, which are still subject to similar vulnerabilities on the remote clouds and servers, especially when facing the model stealing attack. To defend against these attacks, developers have taken various protective measures. Unfortunately, we have found that these protections are still insufficient, and on-device ML models in mobile apps could be extracted and reused without limitation. To better demonstrate its inadequate protection and the feasibility of this attack, this paper presents DeMistify, which statically locates ML models within an app, slices relevant execution components, and finally generates scripts automatically to instrument mobile apps to successfully steal and reuse target ML models freely. To evaluate DeMistify and demonstrate its applicability, we apply it on $1,511$ top mobile apps using on-device ML expertise for several ML services based on their install numbers from Google Play and DeMistify can successfully execute $1,250$ of them ($82.73%$). In addition, an in-depth study is conducted to understand the on-device ML ecosystem in the mobile application.

Thu 18 Apr

Displayed time zone: Lisbon change

11:00 - 12:30
11:00
15m
Talk
On Using GUI Interaction Data to Improve Text Retrieval-based Bug Localization
Research Track
Junayed Mahmud George Mason University, Nadeeshan De Silva William & Mary, Safwat Ali Khan George Mason University, Seyed Hooman Mostafavi George Mason University, S M Hasan Mansur George Mason University, Oscar Chaparro William & Mary, Andrian (Andi) Marcus The University of Texas at Dallas, Kevin Moran University of Central Florida
11:15
15m
Talk
DEMISTIFY: Identifying On-device Machine Learning Models Stealing and Reuse Vulnerabilities in Mobile Apps
Research Track
Pengcheng Ren Shandong University, Chaoshun Zuo Ohio State University, Xiaofeng Liu Shandong University, Wenrui Diao Shandong University, Qingchuan Zhao City University of Hong Kong, Shanqing Guo Shandong University
11:30
15m
Talk
How do Developers Talk about GitHub Actions? Evidence from Online Software Development Community
Research Track
Yang Zhang National University of Defense Technology, China, Yiwen Wu National University of Defense Technology, Tingting Chen College of Computer, National University of Defense Technology, Tao Wang National University of Defense Technology, Hui Liu Beijing Institute of Technology, Huaimin Wang
11:45
15m
Paper
Design principles for generating and presenting automated formative feedback on code quality using software metrics
Software Engineering Education and Training
Eddy van den Aker Zuyd University of Applied Science, Ebrahim Rahimi Open University, the Netherlands
12:00
7m
Talk
Automatic Specialization of Third-Party Java Dependencies
Journal-first Papers
César Soto-Valero KTH, Deepika Tiwari KTH Royal Institute of Technology, Tim Toady Programming Republic of Perl, Benoit Baudry KTH
12:07
7m
Talk
Discovering Reusable Functional Features in Legacy Object-Oriented Systems
Journal-first Papers
Hafedh Mili Université du Québec à Montréal, Imen Benzarti École de technologie supérieure, Amel Elkharraz Collège de Bois-de-Boulogne, Ghizlane El Boussaidi École de Technologie Supérieure, Yann-Gaël Guéhéneuc Concordia University and Polytechnique Montréal, Petko Valchev Université du Québec à Montréal