[1] Jiang Wang, Chen Hao, Xu Yichao, et al. Permission leak detection method for Android apps based on call graph[J]. Journal of Nanjing University of Science and Technology, 2018, 42(06): 662. [doi:10.14177/j.cnki.32-1397n.2018.42.06.005]

Permission leak detection method for Android apps based on call graph

Journal of Nanjing University of Science and Technology (Natural Science Edition) [ISSN:1005-9830/CN:32-1397/N]

Volume:
42
Issue:
2018, No. 06
Pages:
662
Publication date:
2018-12-30

Article information / Info

Title:
Permission leak detection method for Android apps based on call graph
Article number:
1005-9830(2018)06-0662-09
Author(s):
Jiang Wang 1, Chen Hao 2, Xu Yichao 1, Xu Jian 1
1. School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing 210094, China; 2. Jiangsu Electric Power Company Research Institute, Nanjing 210036, China
Keywords:
call graphs; Android applications; permission leak detection; public interfaces; application program interfaces
CLC number:
TP309
DOI:
10.14177/j.cnki.32-1397n.2018.42.06.005
Abstract:
To improve the accuracy of permission leak detection for Android applications (apps), this paper proposes a detection method based on the method call graph. The app's public interfaces (components reachable by other apps) are extracted and mapped to the public methods that can be invoked through them. Methods that call permission-protected (sensitive) Android application programming interfaces (APIs) are extracted as sensitive methods, and a method-level call graph of the app is built. Permission leaks are then detected by searching the call graph for paths from public methods to sensitive methods. The method is evaluated on 286 Android packages (APKs) from the APKPure app store. Batch detection results show that it accurately detects permission leak vulnerabilities across multiple interface types. In a comparison with Drozer, AndroBugs and Tencent's KingKong audit system, the proposed method covers the widest range of public interfaces, takes the most factors into account, and produces the fewest false negatives and false positives in public interface detection.

References:

[1] Grace M C, Zhou Yajin, Wang Zhi, et al. Systematic detection of capability leaks in stock Android smartphones[C]//Proceedings of the 19th Annual Symposium on Network and Distributed System Security. London, UK: Internet Society, 2012: 19-33.
[2] Felt A P, Wang H J, Moshchuk A, et al. Permission re-delegation: Attacks and defenses[C]//USENIX Conference on Security. Berkeley, CA, USA: USENIX Association, 2011: 22-37.
[3] Lu Long, Li Zhichun, Wu Zhenyu, et al. CHEX: Statically vetting Android Apps for component hijacking vulnerabilities[C]//Computer and Communications Security. New York, USA: ACM, 2012: 229-240.
[4] Zhou Yajin, Jiang Xuxian. Detecting passive content leaks and pollution in Android applications[C]//Proceedings of the 20th Network and Distributed System Security Symposium. London, UK: Internet Society, 2013: 1-16.
[5] Zhongyang Yibing, Xin Zhi, Mao Bing, et al. DroidAlarm: An all-sided static analysis tool for Android privilege-escalation malware[C]//ACM Symposium on Information, Computer and Communications Security. New York, USA: ACM, 2013: 353-358.
[6] Hay R, Tripp O, Pistoia M. Dynamic detection of inter-application communication vulnerabilities in Android[C]//International Symposium on Software Testing and Analysis. New York, USA: ACM, 2015: 118-128.
[7] Au K W Y, Zhou Yifan, Huang Zhen, et al. PScout: Analyzing the Android permission specification[C]//Computer and Communications Security. New York, USA: ACM, 2012: 217-228.
[8] Yu Yan, Jin Feng, Wu Jiashun. Android application fine-grained access control based on self-defined security policy[J]. Journal of Nanjing University of Science and Technology, 2016, 40(2): 142-148. (in Chinese)
[9] Chen Hao, Jiang Haitao, Guo Jing, et al. Android malware detection method based on system calls[J]. Journal of Nanjing University of Science and Technology, 2017, 41(6): 720-724. (in Chinese)
[10] APKPure. APKPure app store[EB/OL]. https://apkpure.com/cn/app, 2018-05-28.
[11] MWR Labs. Drozer: Comprehensive security and attack framework for Android[EB/OL]. https://labs.mwrinfosecurity.com/tools/drozer, 2018-05-28.
[12] AndroBugs. AndroBugs framework[EB/OL]. https://github.com/AndroBugs/AndroBugs_Framework, 2015-11-12.
[13] Tencent. KingKong, Tencent Security Response Center[EB/OL]. https://service.security.tencent.com/kingkong, 2014-09-18.

Memo:

Received: 2018-06-05; Revised: 2018-07-15
Author biography: Jiang Wang (1994-), male, master's student, research interest: Android security analysis, E-mail: 1394366114@qq.com; Corresponding author: Xu Jian (1979-), male, PhD, professor, research interest: data mining, E-mail: dolphin.xu@njust.edu.cn.
Citation format: Jiang Wang, Chen Hao, Xu Yichao, et al. Permission leak detection method for Android apps based on call graph[J]. Journal of Nanjing University of Science and Technology, 2018, 42(6): 662-670.
Submission site: http://zrxuebao.njust.edu.cn
Last update: 2018-12-30