API Usage Research Articles

Auth4App: Streamlining authentication for integrated cyber–physical environments

The growing integration of mobile applications for user authentication has revolutionized user interactions with digital platforms, offering novel possibilities in user experience (UX). However, this paradigm shift poses significant security challenges. Leveraging smartphones for authentication purposes provides convenient and swift access to services, streamlining user interactions with various platforms through simple taps. Several institutions adopt static QR Codes generated from primary, unchanging user data (e.g., individual citizen national identification numbers) for physical authentication procedures like access turnstiles. However, relying on static data introduces critical security vulnerabilities as this data is susceptible to compromise. Implementing an One-Time Authentication Code (OTAC) approach appears promising in addressing these issues. Nevertheless, the absence of an integrated solution for developing a physical authentication process using OTAC leads to suboptimal API user experiences (UX APIs) and subsequent security vulnerabilities. In response to this challenge, we introduce Auth4App, a protocol set designed for identification and authentication using mobile applications. Auth4App comprises two core protocols: one dedicated to linking user credentials to mobile devices (i.e., identification), and the other for generating OTAC. We showcase the adaptability and practicality of Auth4App through three distinct case studies: a mobile-only scenario, integration of mobile devices with a turnstile, and integration of Auth4App with FIDO2. To ensure the robustness of the security protocols, Auth4App is evaluated using automated verification tools and argument proofs, solidifying the system’s reliability.

Popularity Bias in Correlation Graph based API Recommendation for Mashup Creation

The explosive growth of the API economy in recent years has led to a dramatic increase in available APIs. Mashup development, a dominant approach for creating data-centric applications based on APIs, has experienced a surge in popularity. However, the vast array of choices poses a challenge for mashup developers when selecting appropriate API compositions to meet specific business requirements. Correlation graph-based recommendation approaches have been designed to assist developers in discovering related and compatible API compositions for mashup creation. Unfortunately, these approaches often suffer from popularity bias issues, leading to an inequality in API usage and potential disruptions to the entire API ecosystem. To address these challenges, our research begins with a theoretical analysis of the popularity bias introduced by correlation graph-based API recommendation approaches. Subsequently, we empirically validate the presence of popularity bias in API recommendations through a data-driven study. Finally, we introduce the p opularity b ias aware w eb A PI r ecommendation ( PB-WAR ) approach to mitigate popularity bias in correlation graph-based API recommendations. Experimental results over a real world dataset demonstrate that PB-WAR offers the optimal trade-off between accuracy and debiasing performance compared to other competitive methods.

LeanContext: Cost-efficient domain-specific question answering using LLMs

Question-answering (QA) is a significant application of Large Language Models (LLMs), shaping chatbot capabilities across healthcare, education, and customer service. However, widespread LLM integration presents a challenge for small businesses due to the high expenses of LLM API usage. Costs rise rapidly when domain-specific data (context) is used alongside queries for accurate domain-specific LLM responses. Extracting context from domain-specific data is implemented by a Retrieval Augmented Generation (RAG) approach. One option is to summarize the RAG context by using LLMs and reduce the context. However, this can also filter out useful information that is necessary to answer some domain-specific queries. In this paper, we shift from human-oriented summarizers to AI model-friendly summaries. Our approach, LeanContext, efficiently extracts k key sentences from the context that are closely aligned with the query. The choice of k is neither static nor random; we introduce a reinforcement learning technique that dynamically determines k based on the query and context. The rest of the less important sentences are either reduced using a free open-source text reduction method or eliminated. We evaluate LeanContext against several recent query-aware and query-unaware context reduction approaches on prominent datasets (arxiv papers and BBC news articles, NarrativeQA). Despite cost reductions of 37.29% to 67.81%, LeanContext’s ROUGE-1 score decreases only by 1.41% to 2.65% compared to a baseline that retains the entire context (no summarization). LeanContext stands out for its ability to provide precise responses, outperforming competitors by leveraging open-source summarization techniques. Human evaluations of the responses further confirm and validate this superiority. Additionally, if open-source pre-trained LLM-based summarizers are used to reduce context (into human consumable summaries), LeanContext can further modify the reduced context to enhance the accuracy (ROUGE-1 score) by 13.22% to 24.61%.

Richen: Automated enrichment of Git documentation with usage examples and scenarios

AbstractAs the predominant modern version control system, Git has become an indispensable tool for both commercial and open‐source software projects. It substantially improves software development effectiveness and efficiency through its distributed version control system, fostering seamless collaboration among teams and across locations. However, research has found that many developers have doubts about using Git commands, while the official Git documentation is rather scanty, that is, lacking sufficient explanations and examples. To help developers learn and use Git commands, we propose the first approach (Richen) for enriching Git documentation with usage examples and scenarios by leveraging crowd knowledge from Stack Overflow. Richen retrieves Git‐related posts from Stack Overflow, extracts relevant Q&A pairs, and selects representative command usages, including usage examples and scenarios, for different Git commands. Experimental results have shown that Richen can extract informative and concise command usages for Git commands. Compared with alternative methods adapted from API usage mining, the command usages obtained by Richen have significant advantages in terms of relevance, readability, and usability. Furthermore, we have shown through an empirical study that the command usages extracted by Richen can better help developers complete Git command‐related tasks.

Research оf API architecture for client­server communication

API architectures are an important component of modern systems. They provide interaction between various programs and services, and also provide access to data and functionality to other systems. Equally important is the impact of APIs on business. There are several API trends that affect business: API usage expansion, API usage simplification, API security. These trends have a significant impact on business, they allow companies to: increase interaction with customers, collaborate with partners, optimize internal processes. However, choosing the right API architecture is a difficult task. There are many different API architectures, each with its own advantages and disadvantages. Also, different types of systems have different API architecture requirements. Possible problems can be a lack of sufficient documentation, which makes it difficult for developers to choose the right solution, also incompatibilities between different protocols, data formats, request and response methods, which can make it difficult to interact between different systems, and the cost of implementing an API architecture can be significant, which can be important factor for developers. Future prospects may include: creation of new architectures, expansion of API usage, API automation. This study is devoted to the study of API architectures for communication between the client and the server. The goal of the study is to determine which API architecture is best for a specific type of system with specific requirements. To achieve this research goal, an analysis of existing API architectures will be conducted. The analysis will include a study of the advantages and disadvantages of different architectures, as well as their compatibility with the requirements of different types of systems. The results of the study aim to consider the following API architectures: SOAP, REST, GraphQL, gRPC, WebSocket, WebHook, MQTT, and also help developers in choosing the optimal API architecture to meet the specific needs of their projects.

The Good, the Bad, and the Missing: Neural Code Generation for Machine Learning Tasks

Machine learning (ML) has been increasingly used in a variety of domains, while solving ML programming tasks poses unique challenges due to the fundamental difference in the nature and the construct of general programming tasks, especially for developers who do not have ML backgrounds. Automatic code generation that produces a code snippet from a natural language description can be a promising technique to accelerate ML programming tasks. In recent years, although many deep learning-based neural code generation models have been proposed with high accuracy, the fact that most of them are mainly evaluated on general programming tasks calls into question their effectiveness and usefulness in ML programming tasks. In this article, we set out to investigate the effectiveness of existing neural code generation models on ML programming tasks. For our analysis, we select six state-of-the-art neural code generation models and evaluate their performance on four widely used ML libraries, with newly created 83K pairs of natural-language described ML programming tasks. Our empirical study reveals some good, bad, and missing aspects of neural code generation models on ML tasks, with a few major ones listed below. ( Good ) Neural code generation models perform significantly better on ML tasks than on non-ML tasks with an average difference of 10.6 points in BLEU-4 scores. ( Bad ) More than 80% of the generated code is semantically incorrect. ( Bad ) Code generation models do not have significance in improving developers’ completion time. ( Good ) The generated code can help developers write correct code by providing developers with clues for using correct APIs. ( Missing ) The observation from our user study reveals the missing aspects of code generation for ML tasks, e.g., decomposing code generation for divide-and-conquer into API sequence identification and API usage generation.

Python API Misuse Mining and Classification Based on Hybrid Analysis and Attention Mechanism

APIs play a crucial role in contemporary software development, streamlining implementation and maintenance processes. However, improper API usage can result in significant issues such as unexpected outcomes, security vulnerabilities and system crashes. To detect API misuses, current methods primarily rely on comparing established API usage patterns with target points for automated detection, mainly based on pre-validated datasets. Nonetheless, there is a scarcity of publicly available datasets on API misuses and their corresponding fixes, which hinders data-driven research. Moreover, most existing techniques concentrate on statically typed languages, such as Java and C, with only a few addressing dynamic languages like Python effectively, due to difficulties in handling dynamic features. Therefore, it is essential to identify Python API misuses and their fixes automatically and promptly. In this paper, we introduce HatPAM, a Hybrid Analysis and Attention-based Python API-Misuse Miner, which (a) provides a method for automatically mining true-positive commits related to Python API-misuse fixes from GitHub and (b) presents the subsequent processing for classifying Python API misuses in true-positive cases. Particularly, HatPAM applies hybrid static analysis and introduces a structure-based attention mechanism to examine syntax, semantics and structural features in Python code context, and considers the consistency between code and developers’ natural intent to significantly reduce false-positive cases. Evaluation on six popular Python projects reveals that HatPAM outperforms various state-of-the-art baselines, achieving up to 92.2% Precision, 86.7% Recall and 89.3% F1-score, indicating its capability to identify and classify Python API-misuse commits.

GO METRO-A REAL TIME METRO MANAGEMENT SYSTEM

This is an incorporated carrier which give all statistics approximately the metro rail and it’s routes for public. The proposed device is an internet primarily based totally GUI software which presents statistics concerning timings, routes and fare. The software additionally has a entire module devoted for transactions in which even clever card may be supplied with out the person's bodily presence. This device consists of area monitoring facility which presents the cutting-edge area the usage of Google API. Recommendation device the usage of an ML set of rules can be carried out which recommends locations to go to nearby. The incorporated net software additionally consists of a function of elevating an emergency alert. Online Smart Card Availability in which a person can take a look at his card stability at his very own consolation while not having to go to metro stations. Keywords—API; GUI; Internet;

Recommending third-party APIs via using lightweight graph convolutional neural networks

Third-party APIs have been widely used to develop various applications. As the number of third-party APIs grows, it becomes increasingly challenging to quickly find suitable APIs that meet users’ requirements. Inspired by recommender systems, API recommendation methods have been proposed to address this issue. However, previous API recommendation methods are insufficient in utilising the high-order interactions between users and APIs, and thus have limited performance. Based on the model of lightweight graph convolutional neural network, this paper proposes an effective API recommendation method by exploiting both low-order and high-order interactions between users and APIs. It first learns the embedding of users and APIs from the user-API interaction graph, and then adopts a weighted summation operator to aggregate the embeddings learned from different propagation layers for API recommendation. Extensive experiments are conducted on a real dataset with 160,309 API users and 21,031 Web APIs, and the results show that our method has significantly better precision and recall than other state-of-the-art methods.

Learning a holistic and comprehensive code representation for code summarization

Code summarization is the task of describing the function of code snippets in natural language, which benefits program comprehension and boosts software productivity. Despite lots of effort made by previous studies, existing models are not comprehensive enough to represent code, and yet the literature does not consider to model source code with API usage from a holistic perspective. To this end, this paper proposes a novel multi-modal code summarization approach called HCCS (Learning a Holistic and Comprehensive code representation for Code Summarization). We first design a neural network based on the graph attention mechanism to encode API Context Graph (ACG), which highlights holistic information of source code. Then, a multi-modal framework with a tree encoder for Abstract Syntax Tree (AST) and a code encoder for code tokens is incorporated to learn a more comprehensive code representation. Afterwards, we propose a fusing layer to integrate the encodings, which are then passed to a joint-decoder to generate summaries. The experimental results show that HCCS achieves better performance than the state of the arts (i.e., HCCS scores 9.5% higher in terms of BLEU metric and 11.46% in terms of BERTScore). As a result, HCCS is an effective approach to generate high-quality summaries.

API Usage Recommendation Via Multi-View Heterogeneous Graph Representation Learning

Developers often need to decide which APIs to use for the functions being implemented. With the ever-growing number of APIs and libraries, it becomes increasingly difficult for developers to find appropriate APIs, indicating the necessity of automatic API usage recommendation. Previous studies adopt statistical models or collaborative filtering methods to mine the implicit API usage patterns for recommendation. However, they rely on the occurrence frequencies of APIs for mining usage patterns, thus prone to fail for the low-frequency APIs. Besides, prior studies generally regard the API call interaction graph as homogeneous graph, ignoring the rich information (e.g., edge types) in the structure graph. In this work, we propose a novel method named <bold xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">MEGA</b> for improving the recommendation accuracy especially for the low-frequency APIs. Specifically, besides <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">call interaction graph</i> , MEGA considers another two new heterogeneous graphs: <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">global API co-occurrence graph</i> enriched with the API frequency information and <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">hierarchical structure graph</i> enriched with the project component information. With the three multi-view heterogeneous graphs, MEGA can capture the API usage patterns more accurately. Experiments on three Java benchmark datasets demonstrate that MEGA significantly outperforms the baseline models by at least 19% with respect to the Success Rate@1 metric. Especially, for the low-frequency APIs, MEGA also increases the baselines by at least 55% regarding the Success Rate@1 score.

An empirical study on API usages from code search engine and local library

An empirical study on API usages from code search engine and local library

Building Enterprise-Wide API-First Strategy for Medium to Large Organizations

In this paper, we provided a comprehensive guide on implementing an API-first approach within medium to large organizations. The basic framework starts by defining APIs and their role in modern business systems, using an example of two companies sharing order-related information through APIs. We covered the concept of API-first as a design philosophy, the growth of API usage, and the complexities faced by medium to large organizations in API adoption. The paper also discusses different integration patterns, the importance of understanding API and integration strategies, and the key elements for a successful API-first integration strategy. Additionally, it emphasizes the role of API gateways, the need for standardized API documentation, and the avoidance of excessive reuse of APIs. The document highlighted the importance of measuring API success using business KPIs. The paper concludes with the real-life example of the large organization with complex ERP and data systems and how the guidelines provided in the paper can help abstract the complexities with the help of API-First approach, finally the paper covered the security and data consistency as an important factor in defining the strategy.

APIMatchmaker: Matching the Right APIs for Supporting the Development of Android Apps

Android developers are often faced with the need to learn how to use different APIs suitable for their projects. Automated API recommendation approaches have been invented to help fill this gap, and these have been demonstrated to be useful to some extent. Unfortunately, most state-of-the-art works are not proposed for Android developers, and the ones dedicated to Android app development often suffer from high redundancy and poor run-time performance, or do not target the problem of recommending API usage patterns. To address this gap we propose to the community a new tool, namely <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">APIMatchmaker</i> , to recommend API usages by learning directly from similar real-world Android apps. Unlike existing recommendation approaches, which leverage a single context to find similar projects, we innovatively introduce a multi-dimensional, context-aware, collaborative filtering approach to better achieve the purpose. Specifically, in addition to code similarity, we also take app descriptions (or topics) into consideration to ensure that similar apps also provide similar functions. We evaluate <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">APIMatchmaker</i> on a large number of real-world Android apps and observe that <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">APIMatchmaker</i> yields a high success rate in recommending APIs for Android apps under development, and it is also able to outperform the state-of-the-art.

Learning How to Listen: Automatically Finding Bug Patterns in Event-Driven JavaScript APIs

Event-driven programming is widely practiced in the JavaScript community, both on the client side to handle UI events and AJAX requests, and on the server side to accommodate long-running operations such as file or network I/O. Many popular event-based APIs allow event names to be specified as free-form strings without any validation, potentially leading to <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">lost events</i> for which no listener has been registered and <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">dead listeners</i> for events that are never emitted. In previous work, Madsen <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">et al.</i> presented a precise static analysis for detecting such problems, but their analysis does not scale because it may require a number of contexts that is exponential in the size of the program. Concentrating on the problem of detecting dead listeners, we present an approach to <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">learn</i> how to use event-based APIs by first mining a large corpus of JavaScript code using a simple static analysis to identify code snippets that register an event listener, and then applying statistical modeling to identify anomalous patterns, which often indicate incorrect API usage. In a large-scale evaluation on 127,531 open-source JavaScript code bases, our technique was able to detect 75 anomalous listener-registration patterns, while maintaining a precision of 90.9% and recall of 7.5% over a validation set, demonstrating that a learning-based approach to detecting event-handling bug patterns is feasible. In an additional experiment, we investigated instances of these patterns in 25 open-source projects, and reported 30 issues to the project maintainers, of which 7 have been confirmed as bugs.

An empirical study on the challenges that developers encounter when developing Apache Spark applications

Apache Spark is one of the most popular big data frameworks that abstract the underlying distributed computation details. However, even though Spark provides various abstractions, developers may still encounter challenges related to the peculiarity of distributed computation and environment. To understand the challenges that developers encounter, and provide insight for future studies, in this paper, we conduct an empirical study on the questions that developers encounter. We manually analyze 1,000 randomly selected questions that we collected from Stack Overflow. We find that: 1) questions related to data processing (e.g., transforming data format) are the most common among the 11 types of questions that we uncovered. 2) Even though data processing questions are the most common ones, they require the least amount of time to receive an answer. Questions related to configuration and performance require the most time to receive an answer. 3) Most of the issues are caused by developers’ insufficient knowledge in API usages, data conversation across frameworks, and environment-related configurations. We also discuss the implication of our findings for researchers and practitioners. In summary, our work provides insights for future research directions and highlight the need for more software engineering research in this area.

Holistic Combination of Structural and Textual Code Information for Context Based API Recommendation

Context based API recommendation is an important way to help developers find the needed APIs effectively and efficiently. For effective API recommendation, we need not only a joint view of both structural and textual code information, but also a holistic view of correlated API usage in control and data flow graph as a whole. Unfortunately, existing API recommendation methods exploit structural or textual code information separately. In this work, we propose a novel API recommendation approach called APIRec-CST (API Recommendation by Combining Structural and Textual code information). APIRec-CST is a deep learning model that combines the API usage with the text information in the source code based on an API Context Graph Network and a Code Token Network that simultaneously learn structural and textual features for API recommendation. We apply APIRec-CST to train a model for JDK library based on 1,914 open-source Java projects and evaluate the accuracy and MRR (Mean Reciprocal Rank) of API recommendation with another 6 open-source projects. The results show that our approach achieves respectively a top-1, top-5, top-10 accuracy and MRR of 60.3, 81.5, 87.7 and 69.4 percent, and significantly outperforms an existing graph-based statistical approach and a tree-based deep learning approach for API recommendation. A further analysis shows that textual code information makes sense and improves the accuracy and MRR. The sensitivity analysis shows that the top-k accuracy and MRR of APIRec-CST are insensitive to the number of APIs to be recommended in a hole. We also conduct a user study in which two groups of students are asked to finish 6 programming tasks with or without our APIRec-CST plugin. The results show that APIRec-CST can help the students to finish the tasks faster and more accurately and the feedback on the usability is overwhelmingly positive.

The inconsistency of documentation: a study of online C standard library documents

The C standard libraries are basic function libraries standardized by the C language. Programmers usually refer to their API documentation provided by third-party websites. Unfortunately, these documents are not necessarily complete or accurate, especially for constraint sentences of API usage, which are called Security Specifications (SSs). SS issues can prevent programmers from following obligatory constraints, which results in API misuse vulnerabilities. Previous work studying SS issues could only find certain types of inaccurate SSs through checking the compliance between API usage and existing SSs. Therefore, we propose a novel approach SSeeker for quickly discovering missing and inaccurate SSs through the inconsistency of semantically similar SSs. More specifically, SSeeker first completes broken sentences and discovers SSs from them by judging their constraint sentiment. Then SSeeker puts semantically similar SSs from different sources into a group, which can be used to discover missing or inaccurate SSs. With the help of SSeeker, we investigated 4 popular online third-party C standard library documents, studied their conformity with the C99 standard, analyzed their APIs and SSs, and discovered 92 prototype issues, 15 web page issues, and 96 SS issues.

A novel deep framework for dynamic malware detection based on API sequence intrinsic features

Dynamic malware detection executes the software in a secured virtual environment and monitors its run-time behavior. This technique widely uses API sequence analysis to identify whether the running software is malicious or not. However, existing solutions typically only consider the API name or frequency of API usage, and the feature mining of API sequence is not sufficient, which leads some malware to escape from being detected. In this paper, we propose a novel malware detection framework using deep learning models to capture and combine more meaningful features which are called intrinsic features of the API sequence. Specifically, we first apply embedding and convolutional layers to conduct a joint representation of multiple APIs to represent the software behavior. Secondly, we use the category, action, and operation object of the API to represent the semantic information of each API call. Finally, we use the Bi-LSTM module to mine the relationship information between APIs. Our proposed model achieves an accuracy of 0.9731 and an F1-score of 0.9724 on a large real dataset, which outperforms baselines significantly. We also conduct ablation studies to prove the effectiveness of our intrinsic features.

FP-Radar: Longitudinal Measurement and Early Detection of Browser Fingerprinting

Abstract Browser fingerprinting is a stateless tracking technique that aims to combine information exposed by multiple different web APIs to create a unique identifier for tracking users across the web. Over the last decade, trackers have abused several existing and newly proposed web APIs to further enhance the browser fingerprint. Existing approaches are limited to detecting a specific fingerprinting technique(s) at a particular point in time. Thus, they are unable to systematically detect novel fingerprinting techniques that abuse different web APIs. In this paper, we propose FP-Radar, a machine learning approach that leverages longitudinal measurements of web API usage on top-100K websites over the last decade for early detection of new and evolving browser fingerprinting techniques. The results show that FP-Radar is able to early detect the abuse of newly introduced properties of already known (e.g., WebGL, Sensor) and as well as previously unknown (e.g., Gamepad, Clipboard) APIs for browser fingerprinting. To the best of our knowledge, FP-Radar is the first to detect the abuse of the Visibility API for ephemeral fingerprinting in the wild.