CN106919844B - A kind of android system vulnerability of application program detection method - Google Patents
- Publication number: CN106919844B (application CN201710078479.4A)
- Authority: CN (China)
- Prior art keywords: apk, loophole, packet, apk packet, application program
- Legal status: Active
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/033—Test or assess software
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a method for detecting vulnerabilities in Android application programs, which can be used for penetration testing and APK security testing. The method first analyzes the APK package to be detected and determines the vulnerability types it may contain; it then locates earlier versions of the APK package and sorts them by release time; it loops through the earlier-version APK packages and performs a usability test on each; for APK packages that have a network connection, it performs network capture and sniffing analysis one by one to find vulnerabilities; for APK packages without a network connection, it performs unpacking and reverse-engineering analysis to check for vulnerabilities; finally, it attacks using the vulnerabilities found, tests whether the attack succeeds, and, if it does, confirms the vulnerability.
Description
Technical field
The invention belongs to the field of cyberspace security technology, and in particular relates to a method for detecting vulnerabilities in Android system application programs.
Background technique
In recent years, intelligent mobile terminals have developed rapidly, and the Android operating system, with its open source code, attractive interface, good user experience and many other advantages, has quickly taken the largest market share among the many competing mobile operating systems. Android's installation package, the APK, is also favored by developers because the entry barrier for developers is low and third-party development is supported. From initial development to deployment, an APK normally goes through many versions: from internal test builds to public beta builds and finally to the commercial release. Each update is an improvement over the previous one. Because the technology was limited and the developers less experienced, earlier versions of an APK, especially where network and information security was handled improperly during development, are likely to contain many vulnerabilities or defects in logic design or in security.
The latest version of an APK application is very difficult to analyze by reverse-engineering means, because its code is generally protected by corresponding safeguards. This is much less true of earlier versions. In fact, if an attacker can attack an early APK package, recover its source code, or, by analyzing its protocol, obtain RESTful API interfaces that an enterprise is still using, the attacker's capability becomes very strong: valuable information may be obtained, and attacks may even be launched directly against the enterprise's servers.
Reverse engineering, as the name suggests, means reasoning backwards from an existing product by technical means to restore the product's original system architecture, module composition and so on. For an Android application, the logical code, framework, function call tree, interface source code and so on of the APK can be restored from the original APK package with certain tools. Common tools are APKTool and dex2jar, which are also the main tools used here. In addition, Linux distributions dedicated to Android reverse engineering integrate many decompilation tools.
Traditional APK vulnerability detection methods focus on detecting vulnerabilities in the latest version. In this way, only vulnerabilities in the current client version can be found; vulnerabilities that still exist on the server side but are no longer exercised by the new version cannot be found. This is a blind spot of traditional detection methods.
In addition, traditional APK vulnerability detection methods only detect vulnerabilities in a single version of the APK, ignoring the connections between versions, so the detection results are limited and the security of the APK cannot be comprehensively evaluated.
Summary of the invention
The purpose of the present invention is to provide a method for detecting vulnerabilities in Android application programs that can effectively detect application vulnerabilities and assist server penetration testing or a penetration testing engineer's security assessment of third-party APK software.
The Android application vulnerability detection method of the present invention comprises the following steps:
Step 1: analyze the APK package to be detected and determine the vulnerability types it may contain;
Step 2: find earlier versions of the APK package and sort the versions by release time from earliest to latest;
Step 3: starting from the earliest-released APK package, carry out an APK usability test, i.e. test whether the APK package can be used normally; if it cannot, select the next APK package in release-time order and test it, and so on, until a usable APK package is found, then proceed to step 4;
Step 4: for an APK package without a network connection, go directly to step 5; for an APK package with a network connection, perform network capture and sniffing analysis on the APK package to find vulnerabilities; after that, perform network capture and sniffing analysis on each remaining usable earlier-version APK package one by one, find vulnerabilities, and record each vulnerability found;
Step 5: unpack and reverse-engineer the APK package and analyze whether vulnerabilities exist; perform the reverse-engineering test on each remaining usable earlier-version APK and record each vulnerability found;
Step 6: attack using the vulnerabilities found and test whether the attack succeeds; if it succeeds, the vulnerability is confirmed.
As can be seen from the above technical solution, the present invention analyzes the APK package to be detected and determines the vulnerability types it may contain; then finds earlier versions of the APK package and sorts the versions from oldest to newest; loops through the earlier-version APK packages, performing a usability test on each; for APK packages with a network connection, performs packet capture analysis and records the various parameters the APK generates; for APK packages without a network connection, or once packet capture analysis is finished, performs unpacking and reverse-engineering analysis, combined with network traffic analysis, to determine whether vulnerabilities exist; and finally attacks using the vulnerabilities found and tests whether the attack succeeds.
Compared with the prior art, the invention has the following advantages and beneficial effects: vulnerability testing is carried out on the many versions of an APK package one by one, from the old version to the new version, that is, vulnerability detection is performed across all versions. On the one hand, vulnerabilities in old versions are used to infer vulnerabilities in the new version, which makes the detection process more targeted; on the other hand, detecting across all versions finds vulnerabilities more completely, giving a more comprehensive evaluation of the security of the APK.
Detailed description of the invention
Fig. 1 is a flow chart of an Android application vulnerability detection method provided in an embodiment of the present invention.
Specific embodiment
The present invention is described in further detail below with reference to the embodiment and the accompanying drawing, but the specific embodiments of the invention are not limited thereto.
Embodiment
The Android application vulnerability detection method of the present invention first determines the APK application to be detected and the vulnerability types it may contain; then finds earlier versions of the APK package and carries out a series of penetration tests on the earlier versions one by one in a fixed order; then performs packet capture, sniffing and reverse-engineering analysis on the APK packages; and finally uses the vulnerabilities found in earlier versions to attack the current version of the APK application. As shown in Fig. 1, the steps are as follows:
Step 1: analyze the APK package to be detected and determine the vulnerability types it may contain. The possible vulnerability types include the following cases:
1. Leakage of a core algorithm that is still in use. This is most prominent in games, where many algorithms never change once decided, for example 2048, Flappy Bird, Plants vs. Zombies and Fruit Ninja. If the early source code is cracked, the current game is easy to pirate.
2. Leakage of a UI design that is still in use. In many existing Android applications, part of the interface may be similar or even identical to that of early versions.
3. Communication mechanism and internal protocol. For example, the Android client of Baidu Cloud version 3.0 can still access Baidu Cloud's current servers.
4. Security parameters negotiated between client and server; such parameters can serve as the authentication credential for APK login.
5. Leakage of the enterprise's coding style. Different enterprises have different management requirements in their code development regulations; some may be disclosed, while disclosure of some coding styles or code management specifications is not allowed by the enterprise.
6. Operation interfaces with weak security mechanisms. Through an operation interface exposed by an earlier version, a server with weak security mechanisms can be attacked directly.
7. An attacker uses the Android platform to work out the code and algorithms of other platforms, since the algorithms are likely to be the same, or at least to have the same structure.
8. Source code tampering, i.e. bypassing a check mechanism embedded in the client or implanting a virus. If a client restricts the number or period of accesses, and an earlier client release that is easy to decompile can be obtained, its source code can be tampered with again and redirected to the backend.
Step 2: find earlier versions of the APK package and sort the versions by release time from earliest to latest. Earlier versions can be found in the following ways:
1. Third-party platforms: many third-party platforms, such as Android Market and Mobile Phone Paradise, provide download links for older versions of an APK.
2. Official releases: the official vendor has its own website, microblog account, forum and so on, and publishes the latest APK version through these channels. From the release history of its many versions, early APK versions can be obtained.
3. Search engines. Search with Baidu or Google; the search keywords include:
1) APK name + "old version", e.g. "Taobao old version";
2) APK name + a fuzzy version number, e.g. "Taobao 1.0", "Baidu Cloud 2.0", "Youku 2.2";
3) APK name + a specific version number. Specific version numbers are generally built on a fuzzy version number: if "Taobao 1.0" is searched, the search engine returns all version information related to 1.0, such as "Taobao 1.0.5 released today" or "the important update Taobao 3.1.0". In view of this, the version number can be refined to complete a precise search and download.
Step 3: starting from the earliest-released APK package, carry out the APK usability test, i.e. test whether the APK package can be used normally; if it cannot, select the next APK package in release-time order and test it, and so on, until a usable APK package is found, then proceed to step 4.
To determine the release time of an application, the APK package can be decompressed and the creation time of files such as "classes.dex" obtained; that time can be taken as the release time of the APK, which is very easy to implement in a programming language.
The usability test can be combined with step 4. If an APK cannot be used, all subsequent operations on it are futile. Therefore, whether it can be used normally is the first and most basic step of the APK detection operation.
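Example code, added here and not part of the patent: it implements the release-time ordering of steps 2 and 3 by reading the modification time stored for the classes.dex entry of each APK (an APK is a ZIP archive), skipping downloads that are not valid archives. The sample APKs are constructed in memory for the demonstration.

```python
"""Order APK packages by the stored timestamp of their classes.dex entry.

Added example (not the patent's own code): an APK is a ZIP archive, so the
modification time recorded for classes.dex can be read without unpacking
anything to disk. Sample APKs are constructed in memory for the demo.
"""
import io
import zipfile
from datetime import datetime
from typing import Dict, List, Optional, Tuple


def make_sample_apk(dex_time: Tuple[int, int, int, int, int, int]) -> bytes:
    """Build a minimal constructed APK-like ZIP whose classes.dex has dex_time."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("classes.dex", date_time=dex_time)
        zf.writestr(info, b"dex\n035\x00")                 # dummy dex header bytes
        zf.writestr("AndroidManifest.xml", b"<manifest/>")  # placeholder entry
    return buf.getvalue()


# Constructed sample set: three "versions" plus one file that is not an APK.
SAMPLE_APKS: Dict[str, bytes] = {
    "app-2.0.apk": make_sample_apk((2016, 6, 1, 9, 30, 0)),
    "app-1.0.apk": make_sample_apk((2015, 3, 12, 14, 0, 0)),
    "app-1.5.apk": make_sample_apk((2015, 11, 20, 18, 45, 0)),
    "broken.apk": b"not a zip archive",
}


def dex_timestamp(apk_bytes: bytes) -> Optional[datetime]:
    """Return the modification time stored for classes.dex, or None.

    None is returned when the data is not a ZIP archive or has no
    classes.dex entry (e.g. a download that is not really an APK).
    """
    try:
        with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
            info = zf.getinfo("classes.dex")
    except (zipfile.BadZipFile, KeyError):
        return None
    return datetime(*info.date_time)


def sort_by_release(apks: Dict[str, bytes]) -> List[Tuple[str, datetime]]:
    """Return (name, timestamp) pairs from the earliest to the latest release."""
    stamped: List[Tuple[str, datetime]] = []
    for name, data in apks.items():
        ts = dex_timestamp(data)
        if ts is not None:          # unusable downloads are dropped from the order
            stamped.append((name, ts))
    return sorted(stamped, key=lambda pair: pair[1])


if __name__ == "__main__":
    for name, ts in sort_by_release(SAMPLE_APKS):
        print(f"{ts:%Y-%m-%d %H:%M}  {name}")
```

The ZIP timestamp is written by the build tool and is trivially editable, so treat it as a hint and cross-check the order against the versionCode in the manifest before relying on it.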
Step 4: for an APK package without a network connection, go directly to step 5; for an APK package with a network connection, perform network capture and sniffing analysis on the APK package to find vulnerabilities; after that, perform network capture and sniffing analysis on each remaining usable earlier-version APK package one by one, find vulnerabilities, and record each vulnerability found.
Network capture and sniffing means capturing the application's normal network communication data, sniffing the packets, and unpacking and decoding the captured packets, with the aim of understanding the specific meaning of each data field in the packet and attempting to use the packets to simulate the client interacting with the server.
Finding vulnerabilities mainly means searching the data stream between client and server for parameters related to operations, and analyzing the data stream to quickly lock onto the target (the vulnerability). Such parameters generally consist of a variable name and a corresponding value, usually joined by the "=" operator, and are very easy to identify. Specifically, the parameters that are valuable for judging vulnerabilities can be divided into the following three kinds:
(1) Operation behavior parameters: key-value pairs that indicate the operation being performed. Here the variable name may be an abbreviation such as "op" or "method", and its value may be a string describing the action about to be carried out, such as "del" or "delete".
(2) Operation object parameters: key-value pairs that indicate the object of the operation, e.g. the variable name represents "the name to delete"; such variable names may look like "name" or "file", and the corresponding value is a specific file name or similar.
(3) Authentication parameters: key-value pairs that indicate user identity information or a session key. Usually the user-name variable looks like "u" or "username", the password variable like "password" or "pwd", and the authentication-parameter variable like "secret" or "sig". The submitted value is not always plaintext; if the value is ciphertext, the encryption key must be embedded in the client source code, which is recorded for further processing in step 5.
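Example code, added here and not part of the patent: a classifier for the three parameter kinds described above, run over constructed HTTP request lines of the kind a capture tool shows. It applies the variable-name heuristics from the text and additionally flags authentication parameters whose value travels as plaintext rather than as a digest, which is the finding a developer reviewing the app's traffic would want to see. The name sets (beyond the names quoted in the text) and the sample requests are assumptions.

```python
"""Classify captured key=value parameters (step 4) and flag plaintext credentials.

Added example, not the patent's own code. Name heuristics follow the text
("op"/"method", "name"/"file", "u"/"username", "password"/"pwd", "secret"/"sig");
the extra names and the sample requests are constructed for the demo.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

BEHAVIOR_NAMES = {"op", "method", "action"}
OBJECT_NAMES = {"name", "file", "path"}
IDENTITY_NAMES = {"u", "user", "username"}
SECRET_NAMES = {"password", "pwd", "secret", "sig", "token"}

# Digest-looking values: hex strings of the usual MD5/SHA-1/SHA-256 lengths.
DIGEST_RE = re.compile(r"(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})")

# Constructed sample request lines (one per captured request).
SAMPLE_REQUESTS = [
    "GET /api/file?op=del&file=report.pdf&u=alice"
    "&sig=0123456789abcdef0123456789abcdef HTTP/1.1",
    "POST /login?username=bob&pwd=hunter2 HTTP/1.1",
    "GET /ping?ts=1700000000 HTTP/1.1",
]

Param = Tuple[str, str]


def extract_params(request_line: str) -> List[Param]:
    """Return the (name, value) pairs of the query string in a request line."""
    parts = request_line.split()
    target = parts[1] if len(parts) >= 2 else (parts[0] if parts else "")
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def classify_params(request_line: str) -> Dict[str, List[Param]]:
    """Sort parameters into the three kinds from the text, plus 'other'."""
    kinds: Dict[str, List[Param]] = {"behavior": [], "object": [], "auth": [], "other": []}
    for name, value in extract_params(request_line):
        key = name.lower()
        if key in BEHAVIOR_NAMES:
            kinds["behavior"].append((name, value))
        elif key in OBJECT_NAMES:
            kinds["object"].append((name, value))
        elif key in IDENTITY_NAMES or key in SECRET_NAMES:
            kinds["auth"].append((name, value))
        else:
            kinds["other"].append((name, value))
    return kinds


def plaintext_credentials(request_line: str) -> List[str]:
    """Names of secret parameters whose value does not look like a digest."""
    return [name for name, value in classify_params(request_line)["auth"]
            if name.lower() in SECRET_NAMES and not DIGEST_RE.fullmatch(value)]


def audit(requests: List[str]) -> List[Tuple[int, str]]:
    """(request index, parameter name) for every plaintext credential found."""
    findings: List[Tuple[int, str]] = []
    for idx, line in enumerate(requests):
        for name in plaintext_credentials(line):
            findings.append((idx, name))
    return findings


if __name__ == "__main__":
    for idx, name in audit(SAMPLE_REQUESTS):
        print(f"request {idx}: credential '{name}' is sent in plaintext")
```

A digest-looking value is only a weaker signal, not a clean bill of health: as the text notes, the key that produced it lives in the client, which is what step 5 examines.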
Step 5: unpack and reverse-engineer the APK package and analyze whether vulnerabilities exist; perform the reverse-engineering test on each remaining usable earlier-version APK and record each vulnerability found.
Because the authentication parameters obtained in step 4 are often not plaintext and cannot be used directly for authentication or attack, the usual approach is to reverse-engineer the APK package and parse out the internal authentication parameter algorithm or the authentication key hard-coded inside the application. Using the network-connected version, the communication mechanism and internal protocol, the security parameters negotiated between client and server, weak security mechanisms and similar vulnerabilities can be decoded.
For a version that does not connect to the network, the parsed source code can be used to infer the core algorithm still used by the application, the UI design still in use, the enterprise's coding style, cross-platform attack vulnerabilities, source code tampering and permission bypass, and so on, sounding the alarm for enterprises about vulnerabilities in these areas of Android application development.
Step 6: attack using the vulnerabilities found and test whether the attack succeeds; if it succeeds, the vulnerability is confirmed.
The attack methods may be:
1) Read the source code and decode the core algorithm.
2) Read the source code and decode the UI design.
3) Read the source code and parse the enterprise's coding style.
4) Read the source code and find cross-platform attack points.
5) Read the source code and perform a permission bypass.
6) Package the network traffic, repackage the data of the operation behavior parameters, operation object parameters and so on, and use tools such as TCPReplay and Fiddler to carry out replay attacks, man-in-the-middle attacks and the like.
7) Read the source code, understand the authentication mechanism, package the network traffic, and perform password exhaustion against a specified user name.
8) Read the source code, understand the weak-security-mechanism interface, package the network traffic, and attack the weak-security-mechanism interface directly.
The above is merely a preferred embodiment of the present invention and is not intended to limit the invention; any modifications, equivalent replacements and improvements made within the spirit and principles of the invention shall be included in the protection scope of the invention.
Claims (6)
1. An Android application vulnerability detection method, characterized by comprising the following steps:
Step 1: analyzing the APK package to be detected and determining the vulnerability types it may contain;
Step 2: finding earlier versions of the APK package and sorting the versions by release time from earliest to latest, wherein the APK package is decompressed and the creation time of its classes.dex file is taken as the release time of the APK package;
Step 3: starting from the earliest-released APK package, carrying out an APK usability test, i.e. testing whether the APK package can be used normally; if it cannot, selecting the next APK package in release-time order and testing it, and so on, until a usable APK package is found, then proceeding to step 4;
Step 4: for an APK package without a network connection, going directly to step 5; for an APK package with a network connection, performing network capture and sniffing analysis on the APK package to find vulnerabilities; after that, performing network capture and sniffing analysis on each remaining usable earlier-version APK package one by one, finding vulnerabilities, and recording each vulnerability found;
wherein the method of finding vulnerabilities is: searching the data stream between client and server for parameters related to operations, and analyzing the data stream to lock onto the vulnerability;
Step 5: unpacking and reverse-engineering the APK package and analyzing whether vulnerabilities exist; performing the reverse-engineering test on each remaining usable earlier-version APK and recording each vulnerability found;
Step 6: attacking using the vulnerabilities found and testing whether the attack succeeds; if it succeeds, confirming the vulnerability.
2. The Android application vulnerability detection method according to claim 1, characterized in that the possible vulnerability types in step 1 include: leakage of a core algorithm still in use; leakage of a UI design still in use; communication mechanism and internal protocol; security parameters negotiated between client and server; leakage of the enterprise's coding style; operation interfaces with weak security mechanisms; operation interfaces exposed by earlier versions; and source code tampering.
3. The Android application vulnerability detection method according to claim 1, characterized in that the ways of finding earlier versions of the APK package in step 2 include: third-party platforms, official releases, or search engines.
4. The Android application vulnerability detection method according to claim 1, characterized in that the release time is determined as follows: the APK package is decompressed, and the creation time of its "classes.dex" file is obtained and taken as the release time of the APK package.
5. The Android application vulnerability detection method according to claim 1, characterized in that the relevant parameters include:
(1) operation behavior parameters, which indicate key-value pairs of the operation behavior;
(2) operation object parameters, which indicate key-value pairs of the operation object;
(3) authentication parameters, which indicate key-value pairs of user identity information or a session key.
6. The Android application vulnerability detection method according to claim 1, characterized in that the attack methods in step 6 include:
A. reading the source code to decode the core algorithm, decode the UI design, parse the enterprise's coding style, find cross-platform attack points, or perform a permission bypass;
B. packaging the network traffic, repackaging the data of the operation behavior parameters and operation object parameters, and using the TCPReplay and Fiddler tools to carry out replay attacks and man-in-the-middle attacks;
C. reading the source code, understanding the authentication mechanism, packaging the network traffic, and performing password exhaustion against a specified user name;
D. reading the source code, understanding the weak-security-mechanism interface, packaging the network traffic, and attacking the weak-security-mechanism interface directly.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710078479.4A CN106919844B (en) | 2017-02-14 | 2017-02-14 | A kind of android system vulnerability of application program detection method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710078479.4A CN106919844B (en) | 2017-02-14 | 2017-02-14 | A kind of android system vulnerability of application program detection method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106919844A CN106919844A (en) | 2017-07-04 |
CN106919844B true CN106919844B (en) | 2019-08-02 |
Family
ID=59453606
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710078479.4A Active CN106919844B (en) | 2017-02-14 | 2017-02-14 | A kind of android system vulnerability of application program detection method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106919844B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109858252B (en) * | 2017-11-30 | 2023-04-25 | 中标软件有限公司 | Vulnerability analysis and repair method for homemade system |
CN108173832A (en) * | 2017-12-25 | 2018-06-15 | 四川长虹电器股份有限公司 | Family's Internet of Things application system penetration testing method based on end cloud translocation |
CN109981715B (en) * | 2017-12-28 | 2021-11-16 | 中移动信息技术有限公司 | Session management method and device |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103227992A (en) * | 2013-04-01 | 2013-07-31 | 南京理工大学常熟研究院有限公司 | Android terminal-based vulnerability scanning system |
CN104537309A (en) * | 2015-01-23 | 2015-04-22 | 北京奇虎科技有限公司 | Application program bug detection method, application program bug detection device and server |
US9245125B2 (en) * | 2014-02-27 | 2016-01-26 | Nec Laboratories America, Inc. | Duleak: a scalable app engine for high-impact privacy leaks |
CN105653943A (en) * | 2015-12-24 | 2016-06-08 | 北京奇虎科技有限公司 | Log auditing method and system for android applications |
CN105989251A (en) * | 2015-02-12 | 2016-10-05 | 卓望数码技术(深圳)有限公司 | Piratic android application discrimination method and piratic android application discrimination system |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8397301B2 (en) * | 2009-11-18 | 2013-03-12 | Lookout, Inc. | System and method for identifying and assessing vulnerabilities on a mobile communication device |
US9495542B2 (en) * | 2013-02-28 | 2016-11-15 | Trustees Of Boston University | Software inspection system |
- 2017-02-14: CN application CN201710078479.4A, patent CN106919844B, status Active
Non-Patent Citations (1)
Title |
---|
Zhang Huan, "Malware detection on the Android platform" (安卓平台下恶意软件的检测), China Masters' Theses Full-text Database, Information Science and Technology, 2014-10-15 (No. 10), pp. I138-69 * |
Also Published As
Publication number | Publication date |
---|---|
CN106919844A (en) | 2017-07-04 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |