CN106919844B - Android application vulnerability detection method - Google Patents

Android application vulnerability detection method

Info

Publication number: CN106919844B
Application number: CN201710078479.4A
Authority: CN (China)
Prior art keywords: apk, loophole, packet, apk packet, application program
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN106919844A
Inventors: 翁健, 张悦, 魏林锋, 侯琳
Current assignee: Jinan University (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Jinan University

Events:
Application filed by Jinan University
Priority to CN201710078479.4A
Publication of CN106919844A
Application granted
Publication of CN106919844B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Landscapes

  • Engineering & Computer Science
  • Computer Hardware Design
  • Computer Security & Cryptography
  • General Engineering & Computer Science
  • Software Systems
  • Theoretical Computer Science
  • Computing Systems
  • Physics & Mathematics
  • General Physics & Mathematics
  • Data Exchanges In Wide-Area Networks

Abstract

The invention discloses an Android application vulnerability detection method that can be used for penetration testing and APK security testing. The method first analyzes the APK package to be tested and determines the vulnerability types it may contain; it then looks for earlier versions of the APK package and sorts them by release time; it loops through the earlier versions and performs an APK usability test on each; for APK packages that make network connections, it performs network packet capture and sniffing analysis one by one to find vulnerabilities; for APK packages without network connections, it unpacks and reverse-engineers them to analyze whether vulnerabilities exist; finally, it attacks using the vulnerabilities found and probes whether the attack succeeds; if it does, a vulnerability is confirmed.

Description

Android application vulnerability detection method
Technical field
The invention belongs to the field of cyberspace security, and in particular relates to an Android application vulnerability detection method.
Background technique
In recent years, smart mobile terminals have developed rapidly, and the Android operating system, with advantages such as being open source, having an attractive interface and a good user experience, has quickly taken the largest market share among the many competing mobile operating systems. Android's installation package, the APK, is also favored by developers because the entry barrier for developers is low and third-party development is supported. From development to deployment, an APK normally goes through many versions: from an initial internal test version to a public beta, and finally a commercial release. Each update improves on the previous one. Earlier versions, because of limited technology and inexperienced developers, and in particular because network and information security issues were handled improperly during development, are likely to contain many vulnerabilities or defects in their logic design or in their security.
It is very difficult to analyze the latest version of an APK by reverse-engineering means, because its code generally has corresponding protection measures. This is much less the case for earlier versions. In fact, if an attacker can attack an early APK package, recover its source code, or, by analyzing its protocol, obtain the RESTful API interfaces that an enterprise is still using, the attacker's capability becomes very strong: valuable information may be obtained, and the enterprise's servers may even be attacked directly.
Reverse engineering, as its name suggests, uses technical means to deduce from an existing product its original system architecture, module composition and so on. For an Android application, the logic code, framework, function call tree, interface source code and so on of the APK can be recovered from the original APK package using certain tools. Common tools include APKTool and dex2jar, which are also the main tools used here. In addition, there are Linux distributions specifically designed for Android reverse engineering that integrate many decompilation tools.
Traditional APK vulnerability detection methods focus on detecting vulnerabilities in the latest version. In this way only vulnerabilities of the current client version can be found, while vulnerabilities that exist on the server side but are no longer used by the new version cannot be found. This is a blind spot of traditional detection methods.
In addition, traditional APK vulnerability detection methods only detect vulnerabilities in a single version of the APK and ignore the connections between versions, so the detection results are limited and the security of the APK cannot be evaluated comprehensively.
Summary of the invention
The purpose of the invention is to provide an Android application vulnerability detection method that can effectively detect application vulnerabilities and assist server penetration testing, or assist penetration testing engineers in evaluating the security of third-party APK software.
The Android application vulnerability detection method of the invention comprises the following steps:
Step 1: analyze the APK package to be tested and determine the vulnerability types it may contain;
Step 2: find the earlier versions of the APK package and sort the versions from earliest to latest by release time;
Step 3: starting from the earliest released APK package, perform the APK usability test, i.e. test whether the APK package can be used normally; if it cannot, select the next APK package in release-time order and test it, and so on, until an available APK package is found, then enter step 4;
Step 4: for an APK package without a network connection, enter step 5 directly; for an APK package with a network connection, perform network packet capture and sniffing analysis on the package to find vulnerabilities; after completion, perform the same network packet capture and sniffing analysis one by one on the remaining available earlier versions, find vulnerabilities, and record each vulnerability found;
Step 5: unpack and reverse-engineer the APK package and analyze whether vulnerabilities exist; perform the same reverse-engineering test on the remaining available earlier versions and record each vulnerability found;
Step 6: attack using the vulnerabilities found and probe whether the attack succeeds; if it succeeds, a vulnerability is confirmed.
As can be seen from the above technical solution, the invention analyzes the APK package to be tested and determines the vulnerability types it may contain; it then looks for earlier versions of the APK package and sorts the versions from old to new; it loops through the earlier versions, performs a usability test on each, and for APK packages with a network connection performs packet capture analysis and records the various parameters the APK generates. For APK packages without a network connection, or whose packet capture analysis is complete, it unpacks and reverse-engineers them and, combined with network traffic analysis, analyzes whether vulnerabilities exist. Finally, it attacks using the vulnerabilities found and probes whether the attack succeeds.
Compared with the prior art, the invention has the following advantages and beneficial effects: it tests the many versions of an APK package for vulnerabilities one by one, from the old version to the new, i.e. it performs vulnerability detection across all versions. On the one hand, vulnerabilities of earlier versions are used to infer vulnerabilities of newer versions, so the detection process is more targeted; on the other hand, the all-version detection mode finds vulnerabilities more completely, giving a more comprehensive evaluation of the security of the APK.
Brief description of the drawings
Fig. 1 is a flowchart of the Android application vulnerability detection method provided in an embodiment of the invention.
Specific embodiments
The invention is described in further detail below with reference to the embodiment and the accompanying drawing, but the specific embodiments of the invention are not limited thereto.
Embodiment
The Android application vulnerability detection method of the invention first determines the APK application to be tested and the vulnerability types it may contain; then it finds the earlier versions of the APK package and carries out a series of penetration tests on the earlier versions one by one in a certain order; then it performs packet capture and sniffing tests and reverse-engineering analysis on each APK package; finally, it uses the vulnerabilities found in earlier versions to attack the current version of the APK application. As shown in Fig. 1, the steps are as follows:
Step 1: analyze the APK package to be tested and determine the vulnerability types it may contain. The possible vulnerability types include the following:
1. Leakage of a core algorithm that is carried over between versions. This is most prominent in games, where many algorithms never change once they have been settled, e.g. 2048, Flappy Bird, Plants vs. Zombies and Fruit Ninja. If the source code of an early version is cracked, the current game is easily pirated.
2. Leakage of a UI design that is carried over. In many existing Android applications, some interfaces may be similar or even identical to those of early versions.
3. Communication mechanism and internal protocol. For example, the Android client of Baidu Cloud version 3.0 can still access Baidu Cloud's current servers.
4. Security parameters negotiated between client and server; these parameters can serve as the login credentials of the APK.
5. Leakage of the enterprise's coding style. Different enterprises have different management requirements in their code development regulations. Some may be disclosed, while some coding styles or code management specifications are not allowed to be disclosed within the enterprise.
6. Weak-security-mechanism operation interfaces. Operation interfaces exposed by an earlier version allow direct attack on servers with poor security mechanisms.
7. An attacker tries to work out the code and algorithms of other platforms via the Android platform. Their algorithms are likely to be the same, or at least to have the same structure.
8. Source-code tampering, i.e. bypassing the checking mechanism embedded in the client or implanting a virus. For example, if a client limits the number of visits or the time period of use, and an earlier client version that is easy to decompile can be obtained, that version can be used to tamper with the source code again and direct it to the backend.
Step 2: find the earlier versions of the APK package and sort the versions from earliest to latest by release time. Earlier versions can be found in the following ways:
1. Third-party platforms: many third-party platforms, such as Android markets and Mobile Phone Paradise, provide download links for old versions of an APK.
2. Official releases: the official developer has its own website, microblog account, forum and so on, and releases its latest APK version through these channels. From the release history of its multiple versions, early APK versions can be obtained.
3. Search engines. Search with Baidu or Google; the search keywords include:
1) APK name + "old version", e.g. Taobao old version;
2) APK name + fuzzy version number, e.g. Taobao 1.0, Baidu Cloud 2.0, Youku 2.2;
3) APK name + specific version number. A specific version number is usually built on a fuzzy version number: if Taobao 1.0 is searched, the search engine returns all version information related to 1.0, such as Taobao 1.0.5 released today or the important update Taobao 3.1.0. In view of this, the version number can be refined to complete a precise search and download.
Step 3: starting from the earliest released APK package, perform the APK usability test, i.e. test whether the APK package can be used normally; if it cannot, select the next APK package in release-time order and test it, and so on, until an available APK package is found, then enter step 4.
To determine the release time of an application, the generation time of files such as "classes.dex" can be obtained by decompressing the APK package; this time can be regarded as the release time of the APK, and it is very easy to obtain with a programming language.
The usability test can be combined with step 4. If an APK cannot be used, all subsequent operations on it are futile. Therefore, checking whether it can be used normally is the first and most basic step of APK detection.
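The classes.dex timestamp heuristic of step 3, as an added example that is not code from the patent: two hypothetical helpers read the zip entry timestamp of classes.dex and order a set of APK packages from earliest to latest. The sample APKs are constructed in memory so the block runs offline; the names and dates are made up, and the zip-epoch check is an added caveat, since zip timestamps have two-second resolution and build tools that normalize timestamps for reproducible builds may stamp every entry with a fixed date (the zip epoch is assumed here), which says nothing about the real release date.

```python
import io
import zipfile
from datetime import datetime
from typing import List, Optional, Tuple

# Zip entries cannot predate 1980. A classes.dex stamped with this epoch is
# assumed to carry a normalized, not a real, build time (added caveat).
ZIP_EPOCH = datetime(1980, 1, 1, 0, 0, 0)


def make_fake_apk(name: str, built: datetime) -> Tuple[str, bytes]:
    """Constructed sample: an in-memory zip shaped like an APK whose classes.dex
    entry carries the given build timestamp (name and date are hypothetical)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        info = zipfile.ZipInfo("classes.dex", date_time=built.timetuple()[:6])
        z.writestr(info, b"dex\n035\x00" + b"\x00" * 8)  # placeholder, not real dex
        z.writestr("AndroidManifest.xml", b"<manifest/>")
    return name, buf.getvalue()


def apk_build_time(apk_bytes: bytes) -> Optional[datetime]:
    """Return the zip timestamp of classes.dex (the patent's proxy for release
    time), or None when the entry is missing or carries the zip epoch."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        try:
            info = z.getinfo("classes.dex")
        except KeyError:
            return None  # no Dalvik code: cannot order this package by dex time
    stamp = datetime(*info.date_time)  # (year, month, day, hour, minute, second)
    if stamp == ZIP_EPOCH:
        return None  # normalized timestamp: treat the release time as unknown
    return stamp


def sort_by_release(apks: List[Tuple[str, bytes]]) -> Tuple[List[str], List[str]]:
    """Order (name, bytes) pairs from the earliest to the latest classes.dex
    timestamp. Returns (ordered names, names whose release time could not be
    determined) so that undated packages are reported, not silently dropped."""
    dated, undated = [], []
    for name, data in apks:
        stamp = apk_build_time(data)
        (undated if stamp is None else dated).append((name, stamp))
    ordered = [name for name, _ in sorted(dated, key=lambda item: item[1])]
    return ordered, [name for name, _ in undated]


if __name__ == "__main__":
    sample = [
        make_fake_apk("app-2.0.apk", datetime(2016, 7, 14, 8, 30, 0)),
        make_fake_apk("app-1.0.apk", datetime(2015, 3, 2, 10, 0, 0)),
        make_fake_apk("app-repro.apk", ZIP_EPOCH),
    ]
    print(sort_by_release(sample))
```

Undated packages still need a release time from another source (store listing or official release notes) before they can take their place in the version order.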
Step 4: for an APK package without a network connection, enter step 5 directly; for an APK package with a network connection, perform network packet capture and sniffing analysis on the package to find vulnerabilities; after completion, perform the same network packet capture and sniffing analysis one by one on the remaining available earlier versions, find vulnerabilities, and record each vulnerability found.
Network packet capture and sniffing refers to capturing the communication data of normal network use and sniffing the packets; the captured packets are unpacked and decoded in order to understand the specific meaning of each data field in the packet, and an attempt is made to use the packets to simulate the client interacting with the server.
Finding vulnerabilities mainly means searching for operation-related parameters in the data flow between client and server and analyzing the data stream in order to quickly lock on to the target (i.e. the vulnerability). These parameters generally consist of a variable name and a corresponding value, usually joined by the operator "=", and are very easy to identify. Specifically, the parameters valuable for judging vulnerabilities can be divided into the following three kinds:
(1) Operation behavior parameters: key-value pairs that indicate the operation behavior. The variable name may be an abbreviation such as "op" or "method", and its value may be a string describing the behavior about to be carried out, such as "del" or "delete".
(2) Operation object parameters: key-value pairs that indicate the object of the operation. The variable name represents, for example, "the name to delete", and may look like "name", "file" and so on; the corresponding value is a specific filename or similar.
(3) Authentication parameters: key-value pairs that indicate user identity information or a session key. Usually the username variable looks like "u" or "username", the password variable like "password" or "pwd", and the authentication-parameter variable like "secret" or "sig". The submitted value is not always plaintext; if the value is ciphertext, the encryption key is necessarily embedded in the client source code, and the parameter is recorded for further processing in step 5.
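The parameter triage of step 4, as an added example that is not code from the patent: constructed captured request lines are parsed and each key=value pair is sorted into the three classes above (operation behavior, operation object, authentication), with authentication values that look like digests or encoded blobs flagged for the source-level follow-up of step 5. The variable names beyond those quoted on the page, the digest heuristics and the sample capture are assumptions.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Variable-name hints for the patent's three parameter classes. The names quoted
# on the page are included verbatim; "action", "filename", "path", "user" and
# "token" are added assumptions.
OPERATION_NAMES = {"op", "method", "action"}
OBJECT_NAMES = {"name", "file", "filename", "path"}
AUTH_NAMES = {"u", "user", "username", "password", "pwd", "secret", "sig", "token"}

HEX_DIGEST = re.compile(r"^[0-9a-fA-F]{32,}$")          # md5/sha-style hex digest
BASE64ISH = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")  # base64 / url-safe blob


def looks_encoded(value: str) -> bool:
    """Heuristic (assumed): does the value look like a digest or encoded blob
    rather than plaintext? Such auth values point at a key inside the client."""
    return bool(HEX_DIGEST.match(value) or BASE64ISH.match(value))


def classify_param(key: str, value: str) -> Dict[str, object]:
    """Assign one key=value pair to operation / object / auth / other."""
    k = key.lower()
    if k in OPERATION_NAMES:
        cls = "operation"
    elif k in OBJECT_NAMES:
        cls = "object"
    elif k in AUTH_NAMES:
        cls = "auth"
    else:
        cls = "other"
    return {"key": key, "value": value, "class": cls,
            "encoded": cls == "auth" and looks_encoded(value)}


def analyse_request(request_line: str, body: str = "") -> List[Dict[str, object]]:
    """Split 'METHOD target HTTP/x' plus an optional form body into classified
    parameters: query-string pairs first, then body pairs."""
    _method, target, _version = request_line.split(" ", 2)
    pairs = parse_qsl(urlsplit(target).query) + parse_qsl(body)
    return [classify_param(k, v) for k, v in pairs]


def triage(capture: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group every parameter in a capture by class; 'follow_up' lists the auth
    parameters whose value is not plaintext and so must be traced in the client
    source during the reverse-engineering step."""
    groups: Dict[str, List[str]] = {"operation": [], "object": [], "auth": [],
                                    "other": [], "follow_up": []}
    for request_line, body in capture:
        for p in analyse_request(request_line, body):
            groups[str(p["class"])].append(f'{p["key"]}={p["value"]}')
            if p["encoded"]:
                groups["follow_up"].append(str(p["key"]))
    return groups


# Constructed capture of two client requests (hypothetical paths and values).
SAMPLE_CAPTURE = [
    ("POST /api/file?op=del HTTP/1.1",
     "file=report.pdf&u=alice&sig=5d41402abc4b2a76b9719d911017c592"),
    ("GET /api/login?username=alice&password=hunter2 HTTP/1.1", ""),
]

if __name__ == "__main__":
    for cls, items in triage(SAMPLE_CAPTURE).items():
        print(f"{cls:10s} {items}")
```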
Step 5: unpack and reverse-engineer the APK package and analyze whether vulnerabilities exist. Perform the same reverse-engineering test on the remaining available earlier versions and record each vulnerability found.
Because the authentication parameters obtained in step 4 are often not plaintext and cannot be used directly for authentication or attack behavior, the general approach is to reverse-engineer the APK package and parse the internal authentication-parameter algorithm or the authentication key hard-coded in the application. Using the networked versions, the communication mechanism and internal protocol, the security parameters negotiated between client and server, weak security mechanisms and other vulnerabilities can be decoded.
For versions that do not connect to the network, the parsed source code can be used to infer the core algorithm the application carries over, the UI design carried over, the enterprise's coding style, cross-operating-system-platform attack vulnerabilities, and source-code tampering and permission bypass, thereby alerting the enterprise to vulnerabilities in these areas of its Android application development.
Step 6: attack using the vulnerabilities found and probe whether the attack succeeds; if it succeeds, a vulnerability is confirmed. The attack methods can be:
1) Read the source code and decode the core algorithm.
2) Read the source code and decode the UI design.
3) Read the source code and parse the enterprise coding style.
4) Read the source code and find cross-platform attack points.
5) Read the source code and carry out permission bypass.
6) Package the network traffic, re-encapsulate the data of operation behavior parameters, operation object parameters and so on, and use tools such as TCPReplay and Fiddler to carry out replay attacks, man-in-the-middle attacks and the like.
7) Read the source code, understand the authentication mechanism and the packaged network traffic, and carry out exhaustive password search for a specified username.
8) Read the source code, understand the weak-security-mechanism interface and the packaged network traffic, and attack the weak-security-mechanism interface directly.
The above is merely a preferred embodiment of the invention and is not intended to limit the invention; any modifications, equivalent replacements and improvements made within the spirit and principles of the invention shall be included in the scope of protection of the invention.

Claims (6)

1. An Android application vulnerability detection method, characterized in that it comprises the following steps:
Step 1: analyze the APK package to be tested and determine the vulnerability types it may contain;
Step 2: find the earlier versions of the APK package and sort the versions from earliest to latest by release time; the generation time of the classes.dex file, obtained by decompressing the APK package, is used as the release time of the APK package;
Step 3: starting from the earliest released APK package, perform the APK usability test, i.e. test whether the APK package can be used normally; if it cannot, select the next APK package in release-time order and test it, and so on, until an available APK package is found, then enter step 4;
Step 4: for an APK package without a network connection, enter step 5 directly; for an APK package with a network connection, perform network packet capture and sniffing analysis on the package to find vulnerabilities; after completion, perform the same network packet capture and sniffing analysis one by one on the remaining available earlier versions, find vulnerabilities, and record each vulnerability found;
the method for finding vulnerabilities is: search for operation-related parameters in the data flow between client and server and analyze the data stream in order to lock on to the vulnerability;
Step 5: unpack and reverse-engineer the APK package and analyze whether vulnerabilities exist; perform the same reverse-engineering test on the remaining available earlier versions and record each vulnerability found;
Step 6: attack using the vulnerabilities found and probe whether the attack succeeds; if it succeeds, a vulnerability is confirmed.
2. The Android application vulnerability detection method according to claim 1, characterized in that the possible vulnerability types in step 1 include: leakage of a core algorithm that is carried over; leakage of a UI design that is carried over; communication mechanism and internal protocol; security parameters negotiated between client and server; leakage of the enterprise's coding style; weak-security-mechanism operation interfaces; operation interfaces exposed by earlier versions; source-code tampering.
3. The Android application vulnerability detection method according to claim 1, characterized in that the ways of finding earlier versions of the APK package in step 2 include: third-party platforms, official releases or search engines.
4. The Android application vulnerability detection method according to claim 1, characterized in that the release time is determined as follows: the generation time of the "classes.dex" file, obtained by decompressing the APK package, is used as the release time of the APK package.
5. The Android application vulnerability detection method according to claim 1, characterized in that the relevant parameters include:
(1) operation behavior parameters, which indicate the key-value pair of an operation behavior;
(2) operation object parameters, which indicate the key-value pair of an operation object;
(3) authentication parameters, which indicate the key-value pairs of user identity information or a session key.
6. The Android application vulnerability detection method according to claim 1, characterized in that the attack methods in step 6 include:
A. reading the source code to decode the core algorithm, decode the UI design, parse the enterprise coding style, find cross-platform attack points or carry out permission bypass;
B. packaging the network traffic, re-encapsulating the data of operation behavior parameters and operation object parameters, and using the TCPReplay and Fiddler tools to carry out replay attacks and man-in-the-middle attacks;
C. reading the source code, understanding the authentication mechanism and the packaged network traffic, and carrying out exhaustive password search for a specified username;
D. reading the source code, understanding the weak-security-mechanism interface and the packaged network traffic, and directly attacking the weak-security-mechanism interface.
Priority Applications (1)

Application Number: CN201710078479.4A
Priority Date: 2017-02-14
Filing Date: 2017-02-14
Title: Android application vulnerability detection method
Status: Active (granted as CN106919844B)

Publications (2)

Publication Number Publication Date
CN106919844A 2017-07-04
CN106919844B 2019-08-02

Family ID: 59453606
