| Android系统代码签名验证机制的实现及安全性分析 |
| |
| 引用本文: | 雷灵光,张中文,王跃武,王雷. Android系统代码签名验证机制的实现及安全性分析[J]. 信息网络安全, 2012, 0(8): 61-63 |
| |
| 作者姓名: | 雷灵光 张中文 王跃武 王雷 |
| |
| 作者单位: | 中国科学院信息工程研究所信息安全国家重点实验室,北京 100093 |
| |
| 基金项目: | 中国科学院战略性先导专项子课题海云信息安全共性关键技术研究[XDA06010702];国家自然科学基金[70890084/G021102、61003274] |
| |
| 摘 要: | 文章通过静态分析Android系统源代码以及动态监控应用程序安装、执行过程中的签名验证流程。对Android系统的代码签名验证机制进行深入的剖析,发现Android系统仅在应用程序安装时进行完整的代码签名验证,在后续的程序执行过程中只对程序包进行简单的时间戳及路径验证。该安全隐患使得攻击代码可以绕过签名验证机制,成功实施攻击。
|
| 关 键 词: | 代码签名 Android apk程序 签名验证 |
Studying the Implementation and Security of the Signature Authentication Mechanism in Android |
| |
| LEI Ling-guang, ZHANG Zhong-wen, WANG Yue-wu, WANG Lei. Studying the Implementation and Security of the Signature Authentication Mechanism in Android[J]. Netinfo Security, 2012, 0(8): 61-63 |
| |
| Authors: | LEI Ling-guang ZHANG Zhong-wen WANG Yue-wu WANG Lei |
| |
| Affiliation: | ( State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China ) |
| |
| Abstract: | In this paper, the author provided a thorough analysis of the signature authentication mechanism in Android, via statically analyzing the Android source code and dynamically monitoring the executing of the signature authentication mechanism during the process of application installation and executing. Through the analysis, the author finds that Android applications are authenticated only at the installation, but not at the execution. Every time the applications are executed, only the applications’ timestamps and file paths are verified. The security risk makes it possible for the attack codes to bypass the signature authentication mechanism, and launch attacks successfully. |
| |
| Keywords: | code signing Android apk applications signature authentication |
| 本文献已被 CNKI 维普 万方数据 等数据库收录! |
