Android平台NFC应用漏洞挖掘技术研究

为了提高NFC技术的安全性，针对Android平台NFC应用进行NDEF协议漏洞挖掘研究，提出了一种基于Fuzzing技术的测试方法。该方法采用手工、生成和变异3种策略构造测试用例，使用报文逆向分析和嗅探2种手段辅助分析并构造报文；然后，利用构造的测试用例对NFC应用目标进行漏洞挖掘并输出结果。根据该方法，开发了一个NFC应用安全漏洞挖掘系统ANDEFVulFinder，采用logcat和进程监控的手段在漏洞挖掘过程中对目标进行监测，并通过模拟标签和触碰操作实现漏洞挖掘过程自动化。最后，通过测试MIUI系统和6个应用，发现了8个漏洞，结果表明了漏洞挖掘方法的有效性。

Research of discovering vulnerabilities of NFC applications on Android platform

To improve the security of NFC technology,a research is done for discovering NDEF vulnerabilities of NFC applications on Android platform,and a method of bug hunting is proposed on based Fuzzing technology.The method adopts manual craft,the generation and the mutation strategies to construct test cases,and uses two assistant means of analyzing and constructing test cases,including reverse message anylysis and packet sniffing.Then,NFC applications’ vulnerabilities with constructed test cases and output results are discovered.According to the method,a system called ANDEFVulFinder is developed for discovering the security vulnerabilities of NFC applications.The tool logcat and process monitoring are used to monitor targets’ exceptions during the discovering process,and the test is automated