Android应用中片段组件的污点分析

doi:10.3969/j.issn.1006-2475.2017.07.008

摘要/Abstract

摘要： 近年来手机、平板电脑等移动设备的使用已日渐成为人们日常生活的一部分，与之相关的安全问题也愈演愈烈。一般移动设备中存储有大量用户隐私数据，一旦被恶意应用泄露，会给用户带来不可估量的损失。为此需要对移动设备应用程序做污点分析。目前已有的Android应用污点分析工具没有考虑Android 3.0中新增的片段组件，因此本文设计一种模拟片段组件生命周期的静态代码分析方法对Android应用中片段组件进行污点分析，用来检测Android应用中片段组件是否存在泄露用户隐私数据的行为。实验结果表明，本文所实现的分析方法能有效检测Android应用中的片段组件是否泄露用户隐私数据。


关键词: Android, 污点分析, 片段, 生命周期

Abstract: Nowadays, mobile devices have become an important part of peoples life, which also brings many novel security problems. Normally mobile devices store lots of users’ private data such as contacts’ information, which could be utilized by malwares leading to data leaks. Existing taint analysis tools of Android applications cannot deal with Fragment API, this paper designs a method based on simulation of Fragment lifecycles and static taint analysis to inspect the potential data leaks in Fragments of Android applications. The experiment results verify the effectiveness of the method.

Key words: Android, taint analysis, Fragment, lifecycle

中图分类号:

TP311.5

胡望胜. Android应用中片段组件的污点分析[J]. 计算机与现代化, doi: 10.3969/j.issn.1006-2475.2017.07.008.

HU Wang-sheng. Taint Analysis of Fragments in Android Applications[J]. Computer and Modernization, doi: 10.3969/j.issn.1006-2475.2017.07.008.

参考文献

［1］Fritz C. FlowDroid: A precise and scalable data flow analysis for Android［D］. Technische Universitt Darmstadt, 2013.
［2］Reps T, Horwitz S, Sagiv M. Precise interprocedural data flow analysis via graph reachability［J］. Lecture Notes in Computer Science, 1995,167(96):49-61.
［3］Soot. A Framework for Analyzing and Transforming Java and Android Applications［EB/OL］. https://sable.github.io/soot/, 2016-09-01.
［4］Einarsson A, Nielsen J D. A Survivor’s Guide to Java Program Analysis with Soot［EB/OL］. http://www.brics.dk/SootGuide/sootsurvivorsguide.pdf, 2008-07-17.
［5］Google Inc. Android API Guides: App Components［EB/OL］. https://developer.android.com/guide/components/index.html, 2016-09-01.
［6］Yang Zhemin, Yang Min. LeakMiner: Detect information leakage on Android with static taint analysis［C］// Proceedings of the 3rd World Congress on Software Engineering. 2012:101-104.
［7］Gibler C, Crussell J, Erickson J, et al. Androidleaks: Automatically detecting potential privacy leaks in Android applications on a large scale［C］// Proceedings of the 5th International Conference on Trust and Trustworthy Computing. 2012:291-307.
［8］Fuchs A P, Chaudhuri A, Foster J S. ScanDroid: Automated Security Certification of Android Applications, Technical Report CS-TR-4991［R］. Department of Computer Science, University of Maryland, College Park, 2009.
［9］Lu Long, Li Zhichun, Wu Zhenyu, et al. CHEX: Statically vetting Android Apps for component hijacking vulnerabilities［C］// Proceedings of the 19th ACM Conference on Computer and Communications Security. 2012:229-240.
［10］ Zhao Zhibo, Osono F C C. TrustDroid: Preventing the use of smartphones for information leaking in corporate networks through the used of static analysis taint tracking［C］// Proceedings of the 7th International Conference on Malicious and Unwanted Software, 2012:135-143.
［11］Arzt S, Rasthofer S, Fritz C, et al. FlowDroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android Apps［C］// Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation. 2014:259-269.
［12］WikiPedia. APK［EB/OL］. http://zh.wikipedia.org/wiki/APK, 2016-09-01.
［13］DroidBench. A micro-benchmark suite to assess the stability of taint-analysis tools for Android［DB/OL］. https://github.com/secure-software-engineering/DroidBench, 2016-09-01.
［14］King D, Hicks B, Hicks M, et al. Implicit flows: Can’t live with ‘em, can’t live without ‘em［C］// Proceedings of the 4th International Conference on Information Systems Security. 2008:56-70.

[1]	张峻巍1,王浩杰1,王紫琛2,李艳娟1. 基于Android的天文天象实时查看预报系统[J]. 计算机与现代化, 2019, 0(06): 104-.
[2]	董国良1,2，臧洌1，李航1，甘露1. 一种应用于动态污点分析的路径自动生成方法[J]. 计算机与现代化, 2017, 0(7): 32-37+41.
[3]	刘志威1，董正宏2，杨帆2，李梦伟1. 一种基于Android平台的定制化PDF阅读器[J]. 计算机与现代化, 2017, 0(6): 72-75+90.
[4]	王志华，孔建寿，高源. 面向智能变电站的可视化移动监控系统开发[J]. 计算机与现代化, 2017, 0(5): 56-596,66.
[5]	张高祯，刘渊博，张贤坤. 基于Android的科普食道软件[J]. 计算机与现代化, 2017, 0(2): 113-116.
[6]	张春，袁天宁. 针对动车组全生命周期集成管理的多源异构数据融合框架设计[J]. 计算机与现代化, 2017, 0(10): 36-41.
[7]	梁伟伟1，印朝辉1，穆瑞芬2，靳硕1，王兵1. 基于Android的无线弯沉仪测量软件[J]. 计算机与现代化, 2016, 0(6): 49-52,58.
[8]	李金桦1，甄辉2，黄海1，姚剑3. 基于BLE的Android心电监护软件[J]. 计算机与现代化, 2016, 0(4): 114-122.
[9]	张震，张龙. Android平台的Native层加固技术研究与实现[J]. 计算机与现代化, 2016, 0(10): 88-91.
[10]	张飞鸽. LEACH协议簇头个数优化的研究[J]. 计算机与现代化, 2015, 0(9): 95-99,104.
[11]	胡居东1，陆涛2，廖俊1. 基于移动学习的药学实验教学系统[J]. 计算机与现代化, 2015, 0(5): 81-84+89.
[12]	冯玉平1，王曙光2. 基于Android的手机定位软件[J]. 计算机与现代化, 2015, 0(2): 11-.
[13]	刘烽杰，蔡明. 柱面QR码的识别及实现[J]. 计算机与现代化, 2015, 0(2): 110-.
[14]	孙逊1,2，鲜学丰1,2，陈天乐1，王敏1. #br# 基于Android系统的英语听、说自主学习软件的#br# 设计与实现[J]. 计算机与现代化, 2015, 0(12): 104-.
[15]	吴治华1，王晓龙2. 基于Android的智能家居系统的软件设计与实现[J]. 计算机与现代化, 2015, 0(11): 122-126.