     

Security Analysis of Third-Party SDKs in the Android Ecosystem
Cite this article: MA Kai, GUO Shan-Qing. Security Analysis of Third-Party SDKs in the Android Ecosystem [J]. Journal of Software, 2018, 29(5): 1379-1391.
Authors: MA Kai, GUO Shan-Qing
Affiliations: College of Computer Science and Technology, Shandong University, Jinan 250101, Shandong; College of Computer Science and Technology, Shandong University, Jinan 250101, Shandong and Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan 250101, Shandong
Funding: National Natural Science Foundation of China (91546203, 61173068, 61573212); Program for New Century Excellent Talents in University, Ministry of Education; Shandong Provincial Science and Technology Development Program (2014GGD01063, 2015GGE27033); Natural Science Foundation of Shandong Province (ZR2014FM020)
Abstract: To shorten development time, many Android developers now embed third-party SDKs in their applications. A third-party SDK is a toolkit developed by a third-party service company such as an advertising platform, data provider, social network or map service provider, and such SDKs have become an important part of the Android ecosystem. The concern is that a single vulnerable SDK makes every application that bundles it vulnerable, which seriously affects the security of the Android ecosystem. We therefore selected 129 popular third-party SDKs from the market and analysed their security comprehensively. To improve the accuracy of the analysis, we took the SDKs' demo applications as the analysis targets and applied analysis methods that have proven effective on Android apps (static taint tracking, dynamic taint tracking, dynamic binary instrumentation, etc.) and analysis tools (FlowDroid, DroidBox, etc.). The results show that more than 60% of the selected SDKs contain vulnerabilities of various kinds (misuse of HTTP, incorrect SSL/TLS configuration, abuse of sensitive permissions, identification, local services, information leakage through logging, and mistakes by application developers), which poses a threat to the users of the affected applications.

Keywords: Android | third-party SDK | security analysis | vulnerability detection
Received: 2017-07-01
Revised: 2017-08-29

Security Analysis of the Third-Party SDKs in the Android Ecosystem
MA Kai, GUO Shan-Qing. Security Analysis of the Third-Party SDKs in the Android Ecosystem [J]. Journal of Software, 2018, 29(5): 1379-1391.
Authors:MA Kai and GUO Shan-Qing
Affiliation: College of Computer Science and Technology, Shandong University, Jinan 250101 and College of Computer Science and Technology, Shandong University, Jinan 250101; Laboratory of Network and Information Security (Shandong University), Jinan 250101
Abstract: To shorten application development time, many Android developers include third-party SDKs in their apps. Third-party SDKs are toolkits developed by third-party service companies such as advertising platforms, data providers, social networks, and map service providers, and they have become an important part of the Android ecosystem. If an SDK contains a security vulnerability, every app that includes it becomes vulnerable, which severely affects the security of the Android ecosystem. We therefore selected 129 popular third-party SDKs from the market and conducted a comprehensive analysis of their security. To improve the accuracy of the analysis, we took the demo apps of the third-party SDKs as the analysis objects and applied effective Android app analysis methods (such as static taint tracking, dynamic taint tracking, and dynamic binary instrumentation) and analysis tools (such as FlowDroid and DroidBox). The results show that more than 60% of the collected third-party SDKs contain vulnerabilities of various kinds (e.g., misuse of HTTP, misuse of SSL/TLS, abuse of sensitive permissions, identification, vulnerabilities introduced by a local server, information leakage through logging, and mistakes by application developers), which threatens the related applications and their users.
Keywords: Android | third-party SDK | security analysis | vulnerability detection
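As an added illustration for this page (not code from the paper, whose analysis used taint tracking with FlowDroid and DroidBox on SDK demo apps), the following Python script turns the weakness classes named in the abstract into cheap syntactic rules and runs them over two constructed Java snippets: a hypothetical ad SDK exhibiting each weakness, and a hardened revision of it. The package name, the rule set and both snippets are assumptions made for the example; pattern matching of this kind only triages decompiled code and will miss the obfuscated and data-flow-dependent cases that taint tracking finds.

```python
"""Pattern-based triage for the SDK weakness classes listed in the abstract.

Added illustration for this page: it is NOT the paper's tooling (the authors
used taint tracking with FlowDroid and DroidBox on SDK demo apps).  The rules
and the two Java snippets below are constructed assumptions for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    rule: str      # weakness class the rule approximates
    line_no: int   # 1-based line in the scanned source
    line: str      # the offending source line, stripped


# (rule name, regex over the whole decompiled-Java text).  Each rule is a
# cheap syntactic proxy for one class named in the abstract.
RULES = [
    # Misuse of HTTP: hard-coded cleartext endpoint.
    ("http_cleartext", re.compile(r'"http://[^"\s]+"')),
    # Misuse of SSL/TLS: checkServerTrusted with an empty body accepts any chain.
    ("tls_trust_all_chains",
     re.compile(r"checkServerTrusted\s*\([^)]*\)[^{]*\{\s*\}")),
    # Misuse of SSL/TLS: HostnameVerifier that returns true for every host.
    ("tls_allow_all_hostnames",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER"
                r"|verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)"
                r"[^{]*\{\s*return\s+true\s*;")),
    # Identification: hardware/subscriber identifiers collected for tracking.
    ("device_identifier",
     re.compile(r"\.getDeviceId\s*\(|\.getSubscriberId\s*\(|Settings\.Secure\.ANDROID_ID")),
    # Information leakage through logging: secrets or identifiers in Log.* calls.
    ("log_leak",
     re.compile(r"Log\.[vdiwe]\s*\([^;]*?(token|password|secret|imei|deviceId)",
                re.IGNORECASE)),
    # Local server: ServerSocket(port) binds the wildcard address, so the
    # service is reachable by other apps on the device and from the network.
    ("local_server_wildcard_bind",
     re.compile(r"new\s+ServerSocket\s*\(\s*\d+\s*\)")),
]


def scan(source: str) -> List[Finding]:
    """Run every rule over the source and return findings ordered by line."""
    lines = source.splitlines()
    findings = []
    for name, pattern in RULES:
        for m in pattern.finditer(source):
            line_no = source.count("\n", 0, m.start()) + 1
            findings.append(Finding(name, line_no, lines[line_no - 1].strip()))
    return sorted(findings, key=lambda f: (f.line_no, f.rule))


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per weakness class (the per-SDK view the abstract reports)."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed decompiled snippet of a hypothetical ad SDK showing each class.
VULNERABLE_SDK = """\
package com.example.adsdk;
class Net {
    static final String BASE = "http://ads.example.invalid/track";
    static final TrustManager TM = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] c, String a) {}
        public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {}
        public X509Certificate[] getAcceptedIssuers() { return null; }
    };
    static final HostnameVerifier HV = new HostnameVerifier() {
        public boolean verify(String host, SSLSession s) { return true; }
    };
    void start(Context ctx, String token) throws IOException {
        TelephonyManager tm = (TelephonyManager) ctx.getSystemService(Context.TELEPHONY_SERVICE);
        String imei = tm.getDeviceId();
        Log.d("AdSDK", "token=" + token + " imei=" + imei);
        ServerSocket srv = new ServerSocket(8080);
    }
}
"""

# The same constructed SDK after the fixes a reviewer would ask for: HTTPS only,
# platform trust store and default hostname verification, loopback-only local
# server, and no identifiers or secrets in logs.
HARDENED_SDK = """\
package com.example.adsdk;
class Net {
    static final String BASE = "https://ads.example.invalid/track";
    void start(Context ctx, String token) throws IOException {
        Log.d("AdSDK", "tracker started");
        ServerSocket srv = new ServerSocket(8080, 50, InetAddress.getLoopbackAddress());
    }
}
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SDK), ("hardened", HARDENED_SDK)):
        found = scan(src)
        print(f"== {label}: {len(found)} finding(s) {summarize(found)}")
        for f in found:
            print(f"  line {f.line_no:2d}  {f.rule:<26} {f.line}")
```

Run as a script it reports six findings for the constructed vulnerable snippet (one per rule) and none for the hardened one. The `local_server_wildcard_bind` rule is the one most worth keeping in mind when reading the abstract's "local server" class: `new ServerSocket(port)` in Java binds every interface, so the SDK's helper service is exposed to every other app on the device, whereas passing `InetAddress.getLoopbackAddress()` limits it to the device itself. Likewise, the `http_cleartext` rule is still relevant for apps that raise `cleartextTrafficPermitted` in their network security configuration, even though apps targeting Android 9 and later block cleartext traffic by default.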