基于关联分析的Android权限滥用攻击检测系统

为了限制应用软件的行为,Android系统设计了权限机制.然而对于用户授予的权限,Android应用软件却可以不受权限机制的约束,任意使用这些权限,造成潜在的权限滥用攻击.为检测应用是否存在权限滥用行为,提出了一种基于关联分析的检测方法.该方法动态检测应用的敏感行为与用户的操作,并获得两者的关联程度.通过比较待检测应用与良性应用的关联程度的差别,得到检测结果.基于上述方法,设计并实现了一个原型系统DroidDect.实验结果表明,DroidDect可以有效检测出Android应用的权限滥用行为,并具有系统额外开销低等优点.     

基于机器学习的第三方SDK漏洞检测技术研究

随着智能手机的普及,手机应用市场的发展也变得如火如荼。开发人员在新应用的开发中,会用到一些第三方提供的SDK,但是其经常存在安全漏洞,对用户的隐私造成威胁。本文基于机器学习的方法设计了针对Android第三方SDK的漏洞检测系统,同时利用设计出的检测系统对常见的50款第三方SDK进行了漏洞测试,发现50个样本中有31个存在漏洞,漏洞类型主要包括恶意索取敏感权限、滥用HTTP协议、API误用以及本地服务器漏洞。     

Android权限滥用检测系统

凭借开源策略及精准的市场定位,Android系统占据了智能移动终端操作系统84.2%的市场份额.然而,其开放的权限机制带来更多使用者和开发者的同时,也带来了相应的安全问题.中国互联网络信息中心调查数据显示,仅有44.4%的用户在下载安装Android应用的过程中会仔细查看授权说明,而大部分人存在着盲目授权的行为.对于应用开发者来说,由于缺乏安全开发监管,缺乏权限申请相关代码规范,权限滥用问题在Android应用开发中普遍存在,严重影响了代码的规范和质量.其次,用户的盲目授权和软件开发者的权限申请滥用也是用户信息泄露的主要原因,存在严重的安全风险.针对以上问题,本文在现有的权限检测方案基础上,设计和实现了一套新的权限滥用检测系统PACS（Pemission Abuse Checking System）.PACS针对1077个应用进行分析,发现812个应用存在权限滥用问题,约占全部应用的75.4%,同时对实验结果进行抽样验证,证明了PACS的权限检测结果的准确性和有效性.     

一种面向Android应用第三方库的安全性分析框架

针对目前Android应用第三方库增大了应用程序攻击面的现状,随机选取国内5大知名官方市场上的305个应用进行了安全性分析研究,设计了Android第三方库安全性分析系统。该系统先进行第三方库的检测,细粒度识别出Android应用中的第三方库,再通过逆向工程技术静态分析apk文件,同时在Android模拟器中安装运行apk并监控它的相关行为,从而检测出第三方库带来的安全威胁。分析结果显示,相对于当下的移动漏洞扫描平台不能很好对第三方库进行安全检测的不足,该系统能够有效的检测应用中第三方库的漏洞,具有一定是实用性。     

基于函数调用图的Android重打包应用检测

针对Android第三方市场中重打包应用日益增多的现象,提出一种利用函数调用图检测Android重打包应用的方法。对应用进行反编译,提取并分析Smali代码生成函数调用图,同时将函数中的操作码作为结点的属性对函数调用图进行处理,实现第三方库过滤并保留与界面相关的应用程序接口。在此基础上,用Motif子图结构表示函数调用图,根据子图的相似度计算应用的相似度,从而判断是否为重打包应用。通过对市场中1 630个应用的检测结果表明,该方法具有较高的准确性和良好的可扩展性。     

Android应用程序第三方库的恶意行为隔离技术综述

Android应用程序第三方库的大量使用,提高了移动软件的开发效率,同时也带来了新的安全问题。目前的Android系统只提供一种粗粒度的权限控制机制,第三方库会与其所在主应用具有相同的权限,导致第三方库权限过大,对用户隐私造成严重威胁。目前,越来越多的学者开始对第三方库的恶意行为进行研究,取得了一定的成果。通过对恶意第三方库隔离技术的相关背景和已有方案进行综述,分析出现有研究工作中存在的问题,并对未来研究方向进行展望。     

面向Android生态系统中的第三方SDK安全性分析

现如今,许多Android开发人员为了缩短开发时间,选择在其应用程序中内置第三方SDK.第三方SDK是一种由广告平台,数据提供商,社交网络和地图服务提供商等第三方服务公司开发的工具包,它已经成为Android生态系统的重要组成部分.令人担心的是,一个SDK有安全漏洞,会导致所有包含该SDK的应用程序易受攻击,这严重影响了Android生态系统的安全性.因此,我们在市场上选取了129个流行的第三方SDK并对其安全性进行了全面分析.为了提高分析的准确性,我们将第三方SDK的demo应用作为分析对象并使用了在分析Android应用中有效的分析方法（例如静态污点追踪、动态污点追踪、动态二进制插桩等）和分析工具（例如flowdroid、droidbox等）.结果显示,在选取的这些SDK中,超过60%含有各种漏洞（例如：HTTP的误用, SSL/TLS的不正确配置, 敏感权限滥用,身份识别, 本地服务,通过日志造成信息泄露,开发人员的失误）.这对于相关应用程序的使用者构成了威胁.     

Android平台恶意应用程序静态检测方法

本文构建的静态检测系统主要用于检测Android平台未知恶意应用程序.首先,对待检测应用程序进行预处理,从Android Manifest.xml文件中提取权限申请信息作为一类特征属性;如待检测应用程序存在动态共享库,则提取从第三方调用的函数名作为另一类特征属性.对选取的两类特征属性分别选择最优分类算法,最后根据上述的两个最优分类算法对待检测应用程序的分类结果判定待检测应用程序是否为恶意应用程序.实验结果表明:该静态检测系统能够有效地检测出Android未知恶意应用程序,准确率达到95.4%,具有良好的应用前景.     

一种Android系统上对应用程序权限进行限制的方法

Android系统上的安装系统存在着"全部同意或取消安装"的问题,即用户同意应用程序要求的所有权限或取消安装,这使用户不能够灵活地限制应用程序的权限。通过修改Android系统上的安装系统和包权限检查系统,可以实现对应用程序权限的动态限制。在此基础上,通过检查和记录应用程序的权限使用情况,还可以帮助用户发现滥用权限的应用程序。实验结果表明,这种方法可以有效地限制应用程序的权限,并在一定程度上避免应用程序对权限的滥用。     

Android应用程序权限自动裁剪系统

Android系统使用权限机制对应用程序进行控制,即应用程序需要使用哪些系统资源就必须提前声明相应的权限。为了确保安全性和可靠性,应用程序声明权限时应该满足最小特权原则,即只声明其所需要使用到的最少权限,但现实中有很多应用存在权限过度声明的现象,给用户带来安全隐患。提出了一种Android应用程序权限自动裁剪系统PTailor,通过对Android应用程序安装文件（APK文件）进行分析和修改,使其满足最小特权原则。PTailor首先从APK文件中提取程序所调用的所有系统API,并在预先生成的API权限映射表中查找该API所对应的系统权限,从而得到应用程序实际使用到的最少权限列表。然后根据该权限列表对程序的权限声明文件进行修改,裁剪掉已声明但未使用的权限。最后将裁剪过的权限声明文件与程序的其他部分重新合并成新的APK文件,新的APK文件中除了所声明权限满足最小特权原则外,其结构和语义都没有发生改变。使用PTailor对现实中的1 246个Android应用进行权限裁剪实验,实验结果表明,PTailor能够在很短的时间内完成权限分析和裁剪,而且大多数被裁剪的程序都能够正确运行。     

Component-based permission management of Android applications

Most Android applications include third-party libraries (3PLs) to make revenues, to facilitate their development, and to track user behaviors. 3PLs generally require specific permissions to realize their functionalities. Current Android systems manage permissions in app (process) granularity. As a result, the permission sets of apps with 3PLs (3PL-apps) may be augmented, introducing overprivilege risks. In this paper, we firstly study how severe the problem is by analyzing the permission sets of 27 718 real-world Android apps with and without 3PLs downloaded in both 2016 and 2017. We find that the usage of 3PLs and the permissions required by 3PL-apps have increased over time. As a result, the possibility of overprivilege risks increases. We then propose Perman, a fine-grained permission management mechanism for Android. Perman isolates the permissions of the host app and those of the 3PLs through dynamic code instrumentation. It allows users to manage permission requests of different modules of 3PL-apps during app runtime. Unlike existing tools, Perman does not need to redesign Android apps and systems. Therefore, it can be applied to millions of existing apps and various Android devices. We conduct experiments to evaluate the effectiveness and efficiency of Perman. The experimental results verify that Perman is capable of managing permission requests of the host app and those of the 3PLs. We also confirm that the overhead introduced by Perman is comparable to that by existing commercial permission management tools.     

大规模移动应用第三方库自动检测和分类方法

移动应用中广泛使用第三方库来帮助开发和增强应用功能.很多关于移动应用分析以及访问控制的研究工作,需要在分析之前对第三方库进行检测、过滤或者对其进行功能分类.当前大部分研究工作都使用白名单的方式来检测第三方库或者对其功能进行分类.然而,通过白名单检测第三方库不完善且不准确,其原因包括：（1）第三方库的种类和数量很大,（2）常见的代码混淆或者第三方库伪装等技术使得白名单方法不能准确的识别第三方库.本文提出一种第三方库自动检测和分类方法,包括基于多级聚类技术准确识别第三方库,以及基于机器学习对第三方库的功能进行准确分类.实验对超过130,000个Android应用进行分析,验证所提出方法的有效性.实验总共检测到4,916个不同的第三方库.在人工标记的数据集上,通过十折交叉验证,对第三方库分类的准确率达到84.28%.将训练好的分类器应用于全部4,916个检测到的第三方库,人工进行抽样验证的准确率达到75%.     

Discovering and understanding android sensor usage behaviors with data flow analysis

Today’s Android-powered smartphones have various embedded sensors that measure the acceleration, orientation, light and other environmental conditions. Many functions in the third-party applications (apps) need to use these sensors. However, embedded sensors may lead to security issues, as the third-party apps can read data from these sensors without claiming any permissions. It has been proven that embedded sensors can be exploited by well designed malicious apps, resulting in leaking users’ privacy. In this work, we are motivated to provide an overview of sensor usage patterns in current apps by investigating what, why and how embedded sensors are used in the apps collected from both a Chinese app. market called “AppChina” and the official market called “Google Play”. To fulfill this goal, We develop a tool called “SDFDroid” to identify the used sensors’ types and to generate the sensor data propagation graphs in each app. We then cluster the apps to find out their sensor usage patterns based on their sensor data propagation graphs. We apply our method on 22,010 apps collected from AppChina and 7,601 apps from Google Play. Extensive experiments are conducted and the experimental results show that most apps implement their sensor related functions by using the third-party libraries. We further study the sensor usage behaviors in the third-party libraries. Our results show that the accelerometer is the most frequently used sensor. Though many third-party libraries use no more than four types of sensors, there are still some third-party libraries registering all the types of sensors recklessly. These results call for more attentions on better regulating the sensor usage in Android apps.     

FSDroid:- A feature selection technique to detect malware from Android using Machine Learning Techniques

With the recognition of free apps, Android has become the most widely used smartphone operating system these days and it naturally invited cyber-criminals to build malware-infected apps that can steal vital information from these devices. The most critical problem is to detect malware-infected apps and keep them out of Google play store. The vulnerability lies in the underlying permission model of Android apps. Consequently, it has become the responsibility of the app developers to precisely specify the permissions which are going to be demanded by the apps during their installation and execution time. In this study, we examine the permission-induced risk which begins by giving unnecessary permissions to these Android apps. The experimental work done in this research paper includes the development of an effective malware detection system which helps to determine and investigate the detective influence of numerous well-known and broadly used set of features for malware detection. To select best features from our collected features data set we implement ten distinct feature selection approaches. Further, we developed the malware detection model by utilizing LSSVM (Least Square Support Vector Machine) learning approach connected through three distinct kernel functions i.e., linear, radial basis and polynomial. Experiments were performed by using 2,00,000 distinct Android apps. Empirical result reveals that the model build by utilizing LSSVM with RBF (i.e., radial basis kernel function) named as FSdroid is able to detect 98.8% of malware when compared to distinct anti-virus scanners and also achieved 3% higher detection rate when compared to different frameworks or approaches proposed in the literature.

     

GridDroid---An Effective and Efficient Approach for Android Repackaging Detection Based on Runtime Graphical User Interface

Repackaging brings serious threats to Android ecosystem.Software birthmark techniques are typically applied to detect repackaged apps.Birthmarks based on apps'runtime graphical user interfaces(GUI)are effective,especially for obfuscated or encrypted apps.However,existing studies are time-consuming and not suitable for handling apps in large scale.In this paper,we propose an effective yet efficient dynamic GUI birthmark for Android apps.Briefly,we run an app with automatically generated GUI events and dump its layout after each event.We divide each dumped layout into a grid,count in each grid cell the vertices of boundary rectangles corresponding to widgets within the layout,and generate a feature vector to encode the layout.Similar layouts are merged at runtime,and finally we obtain a graph as the birthmark of the app.Given a pair of apps to be compared,we build a weighted bipartite graph from their birthmarks and apply a modified version of the maximum-weight-bipartite-matching algorithm to determine whether they form a repackaging pair(RP)or not.We implement the proposed technique in a prototype,GridDroid,and apply it to detect RPs in three datasets involving 527 apks.GridDroid reports only six false negatives and seven false positives,and it takes GridDroid merely 20 microseconds on average to compare a pair of birthmarks.     

Detecting plagiarized mobile apps using API birthmarks

This paper addresses the problem of detecting plagiarized mobile apps. Plagiarism is the practice of building mobile apps by reusing code from other apps without the consent of the corresponding app developers. Recent studies on third-party app markets have suggested that plagiarized apps are an important vehicle for malware delivery on mobile phones. Malware authors repackage official versions of apps with malicious functionality, and distribute them for free via these third-party app markets. An effective technique to detect app plagiarism can therefore help identify malicious apps. Code plagiarism has long been a problem and a number of code similarity detectors have been developed over the years to detect plagiarism. In this paper we show that obfuscation techniques can be used to easily defeat similarity detectors that rely solely on statically scanning the code of an app. We propose a dynamic technique to detect plagiarized apps that works by observing the interaction of an app with the underlying mobile platform via its API invocations. We propose API birthmarks to characterize unique app behaviors, and develop a robust plagiarism detection tool using API birthmarks.     

Ripple: Reflection analysis for Android apps in incomplete information environments

Reflection poses grave problems for static security analysis, despite its widespread use in Android apps. In general, string inference has been mainly used to handle reflection, resulting in significantly missed security vulnerabilities. In this work, we bring forward the ubiquity of incomplete information environments (IIEs) for Android apps, where some critical dataflows are missing during static analysis and the need for resolving reflective calls under IIEs. We present Ripple , the first IIE‐aware static reflection analysis for Android apps that resolves reflective calls more soundly than string inference. Validation with 17 popular Android apps from Google Play demonstrates the effectiveness of Ripple in discovering reflective targets with a low false positive rate (due to its trade‐off made among soundness, precision, and scalability). As a result, Ripple enables FlowDroid , a taint analysis for Android apps, to find hundreds of sensitive data leakages that would otherwise be missed. As a fundamental analysis, Ripple will be valuable for many security analysis clients, since more program behaviors can now be analyzed under IIEs.     

使用敏感路径识别方法分析安卓应用安全性

安卓系统在手机端操作系统中长期占据主导地位,但由于安卓系统开放共享的特性和不够严谨的第三方市场审核机制,安卓平台受到众多恶意应用的侵扰.本文结合静态程序分析和机器学习方法,提出了基于敏感路径识别的安卓应用安全性分析方法.首先,针对恶意应用中存在的恶意行为以及触发条件,定义了敏感路径.其次,针对安卓应用中存在大量组件间函数调用关系,提出了一种生成应用组件间函数调用关系图的方法.再次,由于提取出的敏感路径信息无法直接作为识别特征,实现了一种基于敏感路径信息抽象的特征提取方法.最后,从GooglePlay、豌豆荚、Drebin等来源收集了493个应用APK文件作为实验数据集,本文方法的准确率为97.97%,高于基于API-Feature的检测方法（90.47%）,此外,在恶意应用和良性应用检测的精度、召回率、F度量等方面,本文方法均优于API-Feature方法.另外,实验表明APK文件大小会影响实验的结果,尤其体现在分析时间上（0-4MB大小的APK平均分析用时89秒;文件增大后,平均分析用时增长明显）.