Android应用程序第三方库的恶意行为隔离技术综述

Android应用程序第三方库的大量使用,提高了移动软件的开发效率,同时也带来了新的安全问题。目前的Android系统只提供一种粗粒度的权限控制机制,第三方库会与其所在主应用具有相同的权限,导致第三方库权限过大,对用户隐私造成严重威胁。目前,越来越多的学者开始对第三方库的恶意行为进行研究,取得了一定的成果。通过对恶意第三方库隔离技术的相关背景和已有方案进行综述,分析出现有研究工作中存在的问题,并对未来研究方向进行展望。     

大规模移动应用第三方库自动检测和分类方法

移动应用中广泛使用第三方库来帮助开发和增强应用功能.很多关于移动应用分析以及访问控制的研究工作,需要在分析之前对第三方库进行检测、过滤或者对其进行功能分类.当前大部分研究工作都使用白名单的方式来检测第三方库或者对其功能进行分类.然而,通过白名单检测第三方库不完善且不准确,其原因包括：（1）第三方库的种类和数量很大,（2）常见的代码混淆或者第三方库伪装等技术使得白名单方法不能准确的识别第三方库.本文提出一种第三方库自动检测和分类方法,包括基于多级聚类技术准确识别第三方库,以及基于机器学习对第三方库的功能进行准确分类.实验对超过130,000个Android应用进行分析,验证所提出方法的有效性.实验总共检测到4,916个不同的第三方库.在人工标记的数据集上,通过十折交叉验证,对第三方库分类的准确率达到84.28%.将训练好的分类器应用于全部4,916个检测到的第三方库,人工进行抽样验证的准确率达到75%.     

基于机器学习的第三方SDK漏洞检测技术研究

随着智能手机的普及,手机应用市场的发展也变得如火如荼。开发人员在新应用的开发中,会用到一些第三方提供的SDK,但是其经常存在安全漏洞,对用户的隐私造成威胁。本文基于机器学习的方法设计了针对Android第三方SDK的漏洞检测系统,同时利用设计出的检测系统对常见的50款第三方SDK进行了漏洞测试,发现50个样本中有31个存在漏洞,漏洞类型主要包括恶意索取敏感权限、滥用HTTP协议、API误用以及本地服务器漏洞。     

第三方库依赖冲突问题研究综述

软件开发过程中, 开发人员通过大量使用第三方库来实现代码复用. 不同第三方库之间存在依赖关系, 第三方库间的不兼容会导致第三方库的安装、加载、调用时出现错误, 进而导致系统异常, 这类问题称之为第三方库依赖冲突问题. 依赖冲突的根本原因是加载的第三方库无法覆盖软件引用的必需特性(例如: 方法). 依赖冲突问题会在第三方库的下载安装, 项目编译和运行时中出现, 且定位困难. 依赖冲突问题的修复要求开发人员对使用的第三方库版本间差别具有准确的理解, 并且第三方库之间复杂的依赖关系增加了修复难度. 为了能够在软件运行前, 发现软件中存在的依赖冲突, 并且能够响应和处理运行过程中由依赖冲突引发的系统异常, 国内外学者展开了各种针对依赖冲突问题的研究. 从依赖冲突问题的4个方面, 对当前已有研究工作进行了梳理, 包括: 第三方库的使用实证分析、依赖冲突原因分析、依赖冲突检测方法以及依赖冲突常用修复方式. 最后对该领域未来值得关注的研究问题进行了展望.     

基于Clang编译前端的Android源代码静态分析技术

Android手机在全球占有很大的市场份额,基于Android衍生的第三方系统也为数不少.针对Android系统重大安全问题频发的现状,提出一种使用Clang编译前端对Android源码进行静态分析的方法.该方法从已公布的CVE漏洞中提取规则和模型,通过改进的Clang编译前端,对Android源码进行静态分析,从而检测出有潜在安全风险的代码片段.在对Android源码进行污点分析时,调用新加入的stp约束求解器,通过符号执行,对敏感数据进行污点标记,并对敏感函数、敏感操作、敏感规则进行污点分析,如果存在潜在的安全隐患,则进行报告.经过实验分析,该方法可以找出Android源代码中存在的同类型有安全风险的代码片段,可以检出libstagefright模块5个高危CVE漏洞.     

国内第三方Android应用市场安全性的检测

根据目前第三方Android应用市场应用存在的重新打包行为,随机选取国内官方的150个应用以及作为对比的第三方应用市场的572个同款应用,设计了Android重新打包应用安全检测系统。该系统先进行相似性计算,细粒度识别出重新打包应用,再通过逆向工程获得其资源文件,根据系统API与权限之间的映射匹配分析其越权行为,并根据构建的方法控制流图分析其权限滥用行为。系统通过并行化处理检测出第三方应用市场存在33.17%的重新打包应用,其中19.58%修改了权限。在修改过权限的应用中,45.95%存在越权行为,27.03%存在滥用权限行为。     

Android移动应用检测研究

随着Android操作系统在智能设备上的广泛应用,Android应用的安全性检测成为了当前关注的重点。为了从Android应用程序中检测出恶意软件,研究Android应用静态分析技术、动态分析技术及基于机器学习的Android应用检测技术。提出一个通用的恶意软件检测框架。该框架通过逆向工程从Android应用中提取(安全应用、受感染应用)特征信息并建立关键信息特征库。通过机器学习建立检测模型,采用分类检测技术完成检测。通过该检测框架,可在软件安装前执行应用安全评估,其检测正确率高,并具有良好的扩展性,为Android应用的安全性检测提供参考。     

Android应用内第三方支付协议的形式化分析

应用内第三方支付具有便捷实用的特点,使得众多的移动应用选择嵌入第三方支付功能,但其安全性缺乏系统全面的分析,导致支付安全难以保证.为此,对基于Android平台的五种第三方支付协议的协议流程、安全假设和安全目标进行形式化建模,并采用ProVerif对协议进行分析,分析结果表明,协议在Android平台上的实现难以抵御订...     

基于静态污点分析的Android应用Intent注入漏洞检测方法

针对Android应用程序组件间通信过程中的消息载体Intent有可能被攻击者构造进而引发组件被恶意注入的安全风险问题,提出了一种基于静态污点分析的检测方法。在构建Android应用的函数调用图和控制流图的基础上,通过跟踪应用组件内和组件间不可信Intent消息的污点传播过程,检测应用中潜在的Intent注入漏洞。用该方法对4类标准测试应用和50款第三方应用进行测试,实验结果表明了该方法的可行性和有效性。     

基于同源性分析的嵌入式设备固件漏洞检测

嵌入式设备的制造过程研产分离,导致不同的固件可能包含相同的第三方库,进而相同设备的不同版本甚至是不同设备的固件中都存在大量相同的已公开漏洞。针对该问题,基于第三方库同源性分析提出一种嵌入式设备固件漏洞检测方法,为固件漏洞修复提供参考,减少不必要的重复分析。通过对固件分类,并采用二进制差量分析、字符串常量匹配、模糊哈希3种方法分析第三方库同源性,从而检测同类固件中存在的漏洞。实验结果表明,该方法能够有效检测D-Link系列路由器固件中的缓冲区溢出和越界漏洞,以及Linksys系列路由器固件中的远程命令注入漏洞。     

Discovering and understanding android sensor usage behaviors with data flow analysis

Today’s Android-powered smartphones have various embedded sensors that measure the acceleration, orientation, light and other environmental conditions. Many functions in the third-party applications (apps) need to use these sensors. However, embedded sensors may lead to security issues, as the third-party apps can read data from these sensors without claiming any permissions. It has been proven that embedded sensors can be exploited by well designed malicious apps, resulting in leaking users’ privacy. In this work, we are motivated to provide an overview of sensor usage patterns in current apps by investigating what, why and how embedded sensors are used in the apps collected from both a Chinese app. market called “AppChina” and the official market called “Google Play”. To fulfill this goal, We develop a tool called “SDFDroid” to identify the used sensors’ types and to generate the sensor data propagation graphs in each app. We then cluster the apps to find out their sensor usage patterns based on their sensor data propagation graphs. We apply our method on 22,010 apps collected from AppChina and 7,601 apps from Google Play. Extensive experiments are conducted and the experimental results show that most apps implement their sensor related functions by using the third-party libraries. We further study the sensor usage behaviors in the third-party libraries. Our results show that the accelerometer is the most frequently used sensor. Though many third-party libraries use no more than four types of sensors, there are still some third-party libraries registering all the types of sensors recklessly. These results call for more attentions on better regulating the sensor usage in Android apps.     

A static technique for detecting input validation vulnerabilities in Android apps

Input validation vulnerabilities are common in Android apps, especially in inter-component communications. Malicious attacks can exploit this kind of vulnerability to bypass Android security mechanism and compromise the integrity, confidentiality and availability of Android devices. However, so far there is not a sound approach at the source code level for app developers aiming to detect input validation vulnerabilities in Android apps. In this paper, we propose a novel approach for detecting input validation flaws in Android apps and we implement a prototype named EasyIVD, which provides practical static analysis of Java source code. EasyIVD leverages backward program slicing to extract transaction and constraint slices from Java source code. Then EasyIVD validates these slices with predefined security rules to detect vulnerabilities in a known pattern. To detect vulnerabilities in an unknown pattern, EasyIVD extracts implicit security specifications as frequent patterns from the duplicated slices and verifies them. Then EasyIVD semi-automatically confirms the suspicious rule violations and reports the confirmed ones as vulnerabilities. We evaluate EasyIVD on four versions of original Android apps spanning from version 2.2 to 5.0. It detects 58 vulnerabilities including confused deputy attacks and denial of service attacks. Our results prove that EasyIVD can provide a practical defensive solution for app developers.     

VAnDroid: A framework for vulnerability analysis of Android applications using a model-driven reverse engineering technique

Android is extensively used worldwide by mobile application developers. Android provides applications with a message passing system to communicate within and between them. Due to the risks associated with this system, it is vital to detect its unsafe operations and potential vulnerabilities. To achieve this goal, a new framework, called VAnDroid, based on Model Driven Reverse Engineering (MDRE), is presented that identifies security risks and vulnerabilities related to the Android application communication model. In the proposed framework, some security-related information included in an Android app is automatically extracted and represented as a domain-specific model. Then, it is used for analyzing security configurations and identifying vulnerabilities in the corresponding application. The proposed framework is implemented as an Eclipse-based tool, which automatically identifies the Intent Spoofing and Unauthorized Intent Receipt as two attacks related to the Android application communication model. To evaluate the tool, it has been applied to several real-world Android applications, including 20 apps from Google Play and 110 apps from the F-Droid repository. VAnDroid is also compared with several existing analysis tools, and it is shown that it has a number of key advantages over those tools specifically regarding its high correctness, scalability, and usability in discovering vulnerabilities. The results well indicate the effectiveness and capacity of the VAnDroid as a promising approach in the field of Android security.     

面向Android生态系统中的第三方SDK安全性分析

现如今,许多Android开发人员为了缩短开发时间,选择在其应用程序中内置第三方SDK.第三方SDK是一种由广告平台,数据提供商,社交网络和地图服务提供商等第三方服务公司开发的工具包,它已经成为Android生态系统的重要组成部分.令人担心的是,一个SDK有安全漏洞,会导致所有包含该SDK的应用程序易受攻击,这严重影响了Android生态系统的安全性.因此,我们在市场上选取了129个流行的第三方SDK并对其安全性进行了全面分析.为了提高分析的准确性,我们将第三方SDK的demo应用作为分析对象并使用了在分析Android应用中有效的分析方法（例如静态污点追踪、动态污点追踪、动态二进制插桩等）和分析工具（例如flowdroid、droidbox等）.结果显示,在选取的这些SDK中,超过60%含有各种漏洞（例如：HTTP的误用, SSL/TLS的不正确配置, 敏感权限滥用,身份识别, 本地服务,通过日志造成信息泄露,开发人员的失误）.这对于相关应用程序的使用者构成了威胁.     

基于OVAL的安卓漏洞检测评估系统

传统漏洞检测工具检测时间长,占用大量系统资源,需要对系统进行模拟攻击,难以应对越来越复杂的安卓漏洞威胁。提出了一种“C/S”架构的、基于开放漏洞评估语言(OVAL)的安卓漏洞检测评估系统。这种架构将大部分评估工作放在控制台端执行,减少了对安卓系统性能的影响,其以OVAL作为漏洞评估标准,在保证评估高精度的同时也具有更好的开放性和可扩展性。     

Detecting plagiarized mobile apps using API birthmarks

This paper addresses the problem of detecting plagiarized mobile apps. Plagiarism is the practice of building mobile apps by reusing code from other apps without the consent of the corresponding app developers. Recent studies on third-party app markets have suggested that plagiarized apps are an important vehicle for malware delivery on mobile phones. Malware authors repackage official versions of apps with malicious functionality, and distribute them for free via these third-party app markets. An effective technique to detect app plagiarism can therefore help identify malicious apps. Code plagiarism has long been a problem and a number of code similarity detectors have been developed over the years to detect plagiarism. In this paper we show that obfuscation techniques can be used to easily defeat similarity detectors that rely solely on statically scanning the code of an app. We propose a dynamic technique to detect plagiarized apps that works by observing the interaction of an app with the underlying mobile platform via its API invocations. We propose API birthmarks to characterize unique app behaviors, and develop a robust plagiarism detection tool using API birthmarks.