【摘要】：Android平臺(tái)應(yīng)用數(shù)量迅速增長(zhǎng),隨之而來(lái)的安全問(wèn)題也日益增多。但現(xiàn)有分析工具大多數(shù)只對(duì)應(yīng)用進(jìn)行簡(jiǎn)單的掃描,較少涉及深層次的數(shù)據(jù)流分析,因此某些漏洞無(wú)法有效地被發(fā)現(xiàn)。該文基于對(duì)已有Android應(yīng)用漏洞特征的歸納,提出一種Android應(yīng)用漏洞的靜態(tài)分析框架。從Manifest文件掃描、Smali代碼危險(xiǎn)函數(shù)分析、數(shù)據(jù)流分析等3個(gè)層面歸納了7類(lèi)主流安全漏洞模式,依此構(gòu)建了漏洞檢測(cè)規(guī)則,并結(jié)合相關(guān)靜態(tài)分析技術(shù)對(duì)應(yīng)用進(jìn)行分析,以發(fā)現(xiàn)其中存在的安全漏洞。通過(guò)對(duì)323個(gè)Android應(yīng)用程序的實(shí)驗(yàn)分析,結(jié)果表明:該框架的有效檢出率在70%以上,誤報(bào)率在30%以下。因此,該框架能夠有效發(fā)現(xiàn)Android應(yīng)用中常見(jiàn)的安全漏洞,提高用戶(hù)安全性。
[Abstract]:The number of Android platform applications is increasing rapidly, and the security problems are increasing day by day. However, most of the existing analysis tools only scan applications simply, and less involved in deep-level data flow analysis, so some vulnerabilities can not be effectively found. Based on the characteristics of existing Android application vulnerabilities, this paper proposes a static analysis framework for Android application vulnerabilities. From three aspects of Manifest file scanning, Smali code hazard function analysis and data flow analysis, this paper concludes 7 kinds of mainstream security vulnerability patterns, and constructs vulnerability detection rules according to them, and analyzes the application with the relevant static analysis technology. To detect a security flaw in it. The experimental results of 323 Android applications show that the effective detection rate of the framework is more than 70% and the false positive rate is less than 30%. Therefore, the framework can effectively discover common security vulnerabilities in Android applications and improve user security.
【作者單位】： 中國(guó)信息安全測(cè)評(píng)中心;
【基金】：國(guó)家自然科學(xué)基金資助項(xiàng)目(61272493)
【分類(lèi)號(hào)】：TP316;TP309

【相似文獻(xiàn)】

相關(guān)期刊論文 前10條

1 林耕宇;;觀摩50名Google Android程序開(kāi)發(fā)競(jìng)賽作品[J];電子與電腦;2008年08期

2 樹(shù)子;;Android中文版不完全體驗(yàn)[J];互聯(lián)網(wǎng)天地;2009年04期

3 Jason Whitmire;;產(chǎn)業(yè)軟件專(zhuān)家如何協(xié)助解決Android的分裂困境[J];電子與電腦;2010年02期

4 蔣彬;;10款A(yù)ndroid手機(jī)必備應(yīng)用——Android操作系下的軟件評(píng)測(cè)[J];微電腦世界;2010年04期

5 ;PCWorld Windows Phone 7挑戰(zhàn)Android 毅然崛起的AndroidⅠ洗心革面的Windows Phone 7[J];微電腦世界;2010年08期

6 韓青;;Android平臺(tái)發(fā)展的動(dòng)力與挑戰(zhàn)[J];中國(guó)電子商情(基礎(chǔ)電子);2010年09期

7 方智勇;;Android手機(jī)這樣用[J];電腦迷;2010年15期

8 缺少浪漫;;Android的另一面[J];電腦迷;2010年13期

9 ;ZTE and Three Release Android ，

本文編號(hào)：2324356