Application Research of Computers (《计算机应用研究》)

Title (translated from the Chinese): A security analysis framework for third-party libraries in Android apps

English title (as published): Framework for analyzing security of third-party libraries in Android apps

Authors: Zhou Min, Zhou Anmin, Jia Peng
Affiliation: College of Electronic & Information Engineering, Sichuan University, Chengdu 610065, China
Article number: 1001-3695(2018)08-2417-04
DOI: 10.3969/j.issn.1001-3695.2018.08.044
Abstract: Third-party libraries enlarge the attack surface of Android applications. To study this, we randomly selected 305 apps from five well-known domestic official app markets, analyzed their security, and designed an Android third-party library security analysis system. The system first detects third-party libraries, identifying them within an Android app at fine granularity; it then statically analyzes the apk file with reverse-engineering techniques while, in parallel, installing and running the apk in an Android emulator and monitoring its behavior, so that the security threats introduced by the third-party libraries can be detected. The results show that, whereas current mobile vulnerability scanning platforms do not check third-party libraries well, this system effectively detects vulnerabilities in an app's third-party libraries and has practical value.
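The first stage the abstract describes is fine-grained identification of third-party libraries inside an apk. The following is an added illustration, not the paper's system or code: it opens an APK as a zip, walks the string table of every classes*.dex (header fields string_ids_size at 0x38 and string_ids_off at 0x3C, uleb128 lengths, NUL-terminated MUTF-8 data, all per the documented DEX format), collects the class type descriptors, and attributes each class to a library by longest matching package prefix. The prefix table, the platform-package list and the sample apk built in `build_sample_apk()` are constructed for the demonstration; a real deployment would use a curated prefix or fingerprint database such as the ones the paper's references (LibRadar, Backes et al.) describe.

```python
"""Fine-grained third-party library identification from an APK's DEX string tables.

Added example (not the paper's system). Classes are attributed to libraries by
matching their package prefix against a constructed table of known libraries;
platform packages are reported separately so they are not counted as app code.
"""
import io
import struct
import zipfile
from collections import Counter

# Constructed sample of known library package prefixes (not from the paper).
KNOWN_LIBRARY_PREFIXES = {
    "com/google/android/gms": "Google Play Services",
    "com/umeng": "Umeng analytics",
    "okhttp3": "OkHttp",
    "com/squareup/okhttp": "OkHttp (legacy)",
}
# Framework / runtime packages that are neither app code nor a bundled library.
PLATFORM_PREFIXES = ("java/", "javax/", "android/", "kotlin/", "dalvik/")


def _read_uleb128(buf, off):
    """Decode the DEX uleb128 at buf[off]; return (value, offset after it)."""
    result, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7


def dex_strings(dex):
    """Yield every entry of the DEX string table.

    MUTF-8 is decoded as UTF-8 here; this is exact for class descriptors,
    which are ASCII, and only approximate for supplementary characters.
    """
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    count, table_off = struct.unpack_from("<II", dex, 0x38)
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, table_off + 4 * i)
        _, start = _read_uleb128(dex, data_off)  # utf16 length prefix, unused here
        end = dex.index(b"\x00", start)
        yield dex[start:end].decode("utf-8", errors="replace")


def class_descriptors(dex):
    """Return class type descriptors ('Lcom/foo/Bar;') as slash-separated names."""
    return [s[1:-1] for s in dex_strings(dex)
            if s.startswith("L") and s.endswith(";") and "/" in s]


def classify(classes, prefixes=KNOWN_LIBRARY_PREFIXES):
    """Count classes per library using the longest matching package prefix."""
    report = Counter()
    for cls in classes:
        if cls.startswith(PLATFORM_PREFIXES):
            report["platform"] += 1
            continue
        best = None
        for prefix, name in prefixes.items():
            if cls.startswith(prefix + "/") and (best is None or len(prefix) > len(best[0])):
                best = (prefix, name)
        report[best[1] if best else "app code"] += 1
    return dict(report)


def analyze_apk(apk_bytes):
    """Open an APK (zip), parse every classes*.dex, and return per-library class counts."""
    classes = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                classes.extend(class_descriptors(z.read(name)))
    return classify(classes)


def build_sample_dex(strings):
    """Build a minimal constructed DEX blob holding only a string table (for offline runs)."""
    header = bytearray(0x70)
    header[:8] = b"dex\n035\x00"
    data, offsets = bytearray(), []
    data_base = 0x70 + 4 * len(strings)  # string data follows the string_ids array
    for s in strings:
        offsets.append(data_base + len(data))
        data += bytes([len(s)]) + s.encode("utf-8") + b"\x00"  # ASCII only, so len < 128
    struct.pack_into("<II", header, 0x38, len(strings), 0x70)
    ids = b"".join(struct.pack("<I", o) for o in offsets)
    return bytes(header) + ids + bytes(data)


def build_sample_apk():
    """Constructed APK: a zip with one classes.dex mixing app, library and platform classes."""
    strings = ["Lcom/example/app/MainActivity;", "Lcom/example/app/net/Api;",
               "Lcom/google/android/gms/ads/AdView;", "Lcom/umeng/analytics/MobclickAgent;",
               "Lokhttp3/OkHttpClient;", "Ljava/lang/String;", "onCreate", "I"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", build_sample_dex(strings))
        z.writestr("AndroidManifest.xml", b"")
    return buf.getvalue()


if __name__ == "__main__":
    for lib, n in sorted(analyze_apk(build_sample_apk()).items()):
        print(f"{lib}: {n} classes")
```

Prefix matching is deliberately the simplest form of the technique: it is fast and works on the raw string table without a full disassembly, but it is defeated by package renaming and obfuscation, which is why the referenced detectors fingerprint code structure instead of names; the per-library counts are the input that a later static or dynamic analysis stage would attribute findings to.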
Keywords: Android; third-party library; security threat; vulnerability detection; reverse engineering
Article URL: http://www.arocmag.com/article/01-2018-08-044.html
English abstract (as published, grammar corrected): To address the attack surface introduced by third-party libraries used in Android apps, this paper randomly selected 305 apps from 5 well-known official markets and proposed a third-party Android library security analysis system. First, the system performs fine-grained identification of the third-party libraries in an Android app. Second, it statically analyzes the apk file through reverse engineering and dynamically monitors the app's behavior by installing and running it on the Android emulator. Based on these, the system can detect security vulnerabilities resulting from third-party libraries. The experiment shows that the system effectively detects vulnerabilities from third-party libraries compared to current vulnerability scanning platforms and has practical value.
References
[1] Viennot N, Garcia E, Nieh J. A measurement study of Google Play[C] //Proc of ACM International Conference on Measurement and Modeling of Computer Systems. New York: ACM Press, 2014: 221-233.
[2] PrivacyGrade. PrivacyGrade: grading the privacy of smartphone apps[EB/OL]. (2015-11-19)[2017-02-23]. http://privacygrade.org.
[3] Hu Wenhui, Octeau D, McDaniel P D, et al. Duet: library integrity verification for Android applications[C] //Proc of ACM Conference on Security and Privacy in Wireless & Mobile Networks. New York: ACM Press, 2014: 141-152.
[4] Backes M, Bugiel S, Derr E. Reliable third-party library detection in Android and its security applications[C] //Proc of ACM SIGSAC Conference on Computer and Communications Security. New York: ACM Press, 2016: 356-367.
[5] Book T. Privacy concerns in Android advertising libraries[M] //Dissertations & Theses-Gradworks. 2013.
[6] Zhu Jiawei, Yu Liangwen, Guan Zhi, et al. A survey of security research on the Android permission mechanism[J]. Application Research of Computers, 2015, 32(10): 2881-2885.
[7] Stevens R, Gibler C, Crussell J, et al. Investigating user privacy in Android ad libraries[C] //Proc of the 1st IEEE Workshop on Mobile Security Technologies. 2012.
[8] Zhao Quanzhou. Research on security enhancement methods for third-party code in Android applications[D]. Wuhan: Huazhong University of Science and Technology, 2015.
[9] Pearce P, Felt A P, Nunez G, et al. AdDroid: privilege separation for applications and advertisers in Android[C] //Proc of the 7th ACM Symposium on Information, Computer and Communications Security. New York: ACM Press, 2012: 71-72.
[10] Shekhar S, Dietz M, Wallach D S. AdSplit: separating smartphone advertising from applications[M] //Dissertations & Theses-Gradworks. 2012: 99.
[11] Kawabata H, Isohara T, Takemori K, et al. SanAdBox: sandboxing third party advertising libraries in a mobile application[C] //Proc of IEEE International Conference on Communications. Piscataway, NJ: IEEE Press, 2013: 2150-2154.
[12] Luo Yaling, Li Wenwei, Su Xin. Detection of sensitive information leakage in Android apps based on HTTP traffic[J]. Application Research of Computers, 2017, 34(5): 1515-1519, 1535.
[13] Ma Ziang, Wang Haoyu, Guo Yao, et al. LibRadar: fast and accurate detection of third-party libraries in Android apps[C] //Proc of the 38th International Conference on Software Engineering Companion. New York: ACM Press, 2016: 653-656.
[14] Wang Haoyu, Guo Yao, Ma Ziang, et al. A large-scale automatic detection and classification method for third-party libraries in mobile apps[J]. Journal of Software, 2017, 28(6): 1-17.
[15] Aoh. Radamsa[EB/OL]. [2016-10-23]. https://github.com/aoh/radamsa.
Received: 2017-05-25
Revised: 2017-06-28
Pages: 2417-2420
CLC number: TP309
Document code: A