Table of Contents
Fetching ...

CovAgent: Overcoming the 30% Curse of Mobile Application Coverage with Agentic AI and Dynamic Instrumentation

Wei Minn, Biniam Fisseha Demissie, Yan Naing Tun, Jiakun Liu, Mariano Ceccato, Lwin Khin Shar, David Lo

TL;DR

CovAgent addresses the persistent 30% activity-coverage ceiling in automated Android GUI testing by combining agentic AI with a hybrid static-dynamic analysis pipeline and Frida-based dynamic instrumentation. It identifies activation conditions for unreachable activities from decompiled Smali code and CTGs, then generates instrumentation scripts validated in emulators, which are loaded alongside existing fuzzers to broaden exploration. Across 27 apps, CovAgent substantially improves activity, class, method, and line coverage relative to APE, Fastbot, LLMDroid, and Scenedroid, and achieves notable activity-launch success gains. The approach demonstrates the practical potential of agentic AI in automating complex activation-condition reasoning and dynamic code instrumentation, with implications for more reliable, scalable Android app testing and future extensions into automated bug detection and cost-efficient local-model deployment.

Abstract

Automated GUI testing is crucial for ensuring the quality and reliability of Android apps. However, the efficacy of existing UI testing techniques is often limited, especially in terms of coverage. Recent studies, including the state-of-the-art, struggle to achieve more than 30% activity coverage in real-world apps. This limited coverage can be attributed to a combination of factors such as failing to generate complex user inputs, unsatisfied activation conditions regarding device configurations and external resources, and hard-to-reach code paths that are not easily accessible through the GUI. To overcome these limitations, we propose CovAgent, a novel agentic AI-powered approach to enhance Android app UI testing. Our fuzzer-agnostic framework comprises an AI agent that inspects the app's decompiled Smali code and component transition graph, and reasons about unsatisfied activation conditions within the app code logic that prevent access to the activities that are unreachable by standard and widely adopted GUI fuzzers. Then, another agent generates dynamic instrumentation scripts that satisfy activation conditions required for successful transitions to those activities. We found that augmenting existing fuzzing approaches with our framework achieves a significant improvement in test coverage over the state-of-the-art, LLMDroid, and other baselines such as Fastbot and APE (e.g., 101.1%, 116.3% and 179.7% higher activity coverage, respectively). CovAgent also outperforms all the baselines in other metrics such as class, method, and line coverage. We also conduct investigations into components within CovAgent to reveal further insights regarding the efficacy of Agentic AI in the field of automated app testing such as the agentic activation condition inference accuracy, and agentic activity-launching success rate.

CovAgent: Overcoming the 30% Curse of Mobile Application Coverage with Agentic AI and Dynamic Instrumentation

TL;DR

CovAgent addresses the persistent 30% activity-coverage ceiling in automated Android GUI testing by combining agentic AI with a hybrid static-dynamic analysis pipeline and Frida-based dynamic instrumentation. It identifies activation conditions for unreachable activities from decompiled Smali code and CTGs, then generates instrumentation scripts validated in emulators, which are loaded alongside existing fuzzers to broaden exploration. Across 27 apps, CovAgent substantially improves activity, class, method, and line coverage relative to APE, Fastbot, LLMDroid, and Scenedroid, and achieves notable activity-launch success gains. The approach demonstrates the practical potential of agentic AI in automating complex activation-condition reasoning and dynamic code instrumentation, with implications for more reliable, scalable Android app testing and future extensions into automated bug detection and cost-efficient local-model deployment.

Abstract

Automated GUI testing is crucial for ensuring the quality and reliability of Android apps. However, the efficacy of existing UI testing techniques is often limited, especially in terms of coverage. Recent studies, including the state-of-the-art, struggle to achieve more than 30% activity coverage in real-world apps. This limited coverage can be attributed to a combination of factors such as failing to generate complex user inputs, unsatisfied activation conditions regarding device configurations and external resources, and hard-to-reach code paths that are not easily accessible through the GUI. To overcome these limitations, we propose CovAgent, a novel agentic AI-powered approach to enhance Android app UI testing. Our fuzzer-agnostic framework comprises an AI agent that inspects the app's decompiled Smali code and component transition graph, and reasons about unsatisfied activation conditions within the app code logic that prevent access to the activities that are unreachable by standard and widely adopted GUI fuzzers. Then, another agent generates dynamic instrumentation scripts that satisfy activation conditions required for successful transitions to those activities. We found that augmenting existing fuzzing approaches with our framework achieves a significant improvement in test coverage over the state-of-the-art, LLMDroid, and other baselines such as Fastbot and APE (e.g., 101.1%, 116.3% and 179.7% higher activity coverage, respectively). CovAgent also outperforms all the baselines in other metrics such as class, method, and line coverage. We also conduct investigations into components within CovAgent to reveal further insights regarding the efficacy of Agentic AI in the field of automated app testing such as the agentic activation condition inference accuracy, and agentic activity-launching success rate.
Paper Structure (39 sections, 7 figures, 5 tables, 1 algorithm)

This paper contains 39 sections, 7 figures, 5 tables, 1 algorithm.

Figures (7)

  • Figure 1: Data dependencies of an app activity. While an app activity can require data from received ICC messages from source components such as caller activities, it can also require data from non-ICC sources such as APIs for communicating with servers and devices.
  • Figure 2: Overview of CovAgent. After initial exploration using an existing GUI fuzzer, the static analysis agent explores the static features of the app to infer their activation conditions of unreached activities. The dynamic edge instrumentation agent uses these inferred activation conditions along with static features related to unreached activities to generate Frida instrumentation script. The script validation agent validates the generated instrumentation scripts in an emulated Android device. Finally, CovAgent loads the validated scripts for all the target activities of the app into the app's process, and runs the GUI fuzzer concurrently to reach the target activities.
  • Figure 3: Injected button widget (on the left) that invokes transition to the target activity (on the right) to validate the edge instrumentation script
  • Figure 4: Pop-up dialog that is injected into Samsung Smart Switch app by CovAgent contains buttons that trigger instrumented edges
  • Figure 5: Example activities in McDonald's Canada app that are unreachable by existing approaches (LLMDroid, Ape, and Fastbot), but reachable by CovAgent's dynamically instrumented edges
  • ...and 2 more figures