An Android device penetration testing system and its automated penetration testing method
Technical field
The present invention belongs to the technical field of vulnerability scanning and security rating on Android devices, and more particularly relates to an Android device penetration testing system and its automated penetration testing method.
Background technology
With the popularization of Android devices (mobile phones, smart homes, remote control, business management, etc.), if these devices have potential security hazards such as privacy leakage or real-time monitoring and are maliciously exploited by attackers, users' personal information, and even most Android devices, will face security risks.
As Android devices are used more and more widely, people pay increasing attention to the security of the devices themselves, and there is growing demand for Android device vulnerability detection. Application developers can run security audits and scans on code, the Android system can receive externally submitted vulnerabilities and provide patches, and major security vendors provide various virus scanning tools and payment security insurance. But besides costing labor and time, these methods still do not let ordinary users know the security state of the Android device itself: specifically which vulnerabilities exist, the safety coefficient, the operations that call for care, and the solutions to the problems. What is missing is a security scanning tool aimed at ordinary users that is plug and play, highly compatible, versatile and meets the demand.
In summary, penetration testing methods in the prior art are either aimed at personnel with a certain technical foundation or at security services for customers; a penetration testing system that lets ordinary users quickly learn the security status of an Android device is lacking. Moreover, with traditional scanning, the tests from vulnerability discovery to vulnerability exploitation take a substantial amount of time and multiple runs, and also require manually entering commands and configuring the environment step by step for different tools in order to carry out the penetration test.
Summary of the invention
The main purpose of the present invention is to overcome the deficiencies of the prior art by providing a penetration testing system, and an automated penetration testing method for it, that is plug and play, efficiently displays the vulnerabilities present on a device, and can automatically update its vulnerability database in real time. To solve the above technical problem, the solution of the present invention is:
An Android device penetration testing system is provided, comprising an information identification and processing module, an Android vulnerability identification module, a back-end data analysis module and a front-end effect display module;
The information identification and processing module is used to periodically collect and sample the latest Android vulnerabilities and parse out the ID, vulnerability category, vulnerability name, vulnerability level, vulnerability description, best repair scheme, detection scheme and user operation advice fields; entries are de-duplicated by ID and inserted into the back-end database table (the back-end database table of the penetration testing system), and the corresponding scanning rule java file (the code corresponding to the scanning rule) is generated;
The Android vulnerability identification module is used to return the local vulnerability detection results of the Android device (i.e. the detection results of the vulnerability scanning application on the Android device; the Android device penetration testing system can install the vulnerability scanning application automatically) to the server (the server of the penetration testing system);
The back-end data analysis module is used to receive the file returned by the Android device application (the file that the Android device application sends back to the penetration testing system server), parse the keywords in that file, extract the corresponding vulnerability description, repair scheme and vulnerability score information from the back-end database table, and output the analysis result; the analysis result includes vulnerability ID, vulnerability hazard level, vulnerability scope, vulnerability impact, vulnerability repair scheme, vulnerability security advice, the high/medium/low-risk distribution of vulnerabilities, the number of vulnerabilities and the corresponding overall score of the Android device;
The front-end effect display module is used to display the analysis result of the back-end data analysis module after processing it; the displayed content includes: the number of device vulnerabilities (the numbers of high-risk, medium-risk and low-risk vulnerabilities on the device), the device score and security advice, and vulnerability details can be viewed by clicking.
In the present invention, the front-end effect display module displays the analysis result of the back-end data analysis module as a web page on the computer side and as an HTML5 page on the mobile phone side.
In the present invention, the information processing in the front-end effect display module means that the analysis result of the back-end data analysis module, including vulnerability ID, vulnerability hazard level, vulnerability scope, vulnerability impact, vulnerability repair scheme, vulnerability security advice, the high/medium/low-risk distribution of vulnerabilities, the number of vulnerabilities and the corresponding overall score of the Android device, is summarized and arranged and then output as a text or table web page.
In the present invention, the database is a MySQL database.
An automated penetration testing method based on the described Android device penetration testing system is provided, which specifically comprises the following steps:
Step 1: After the Android device penetration testing system has been installed on a machine (a computer or a Raspberry Pi), the user only needs to turn on USB debugging (USB debugging is a development feature provided by Android devices; with it, data can be copied between a computer or Raspberry Pi and the Android device, applications can be installed on the mobile device, data can be read, and so on) and connect the Android device to be scanned to the machine with a data cable;
Step 2: The Android device penetration testing system automatically installs the vulnerability scanning Android application (an independently developed vulnerability scanning Android application), collects the vulnerability information of the Android device to be scanned and returns it to the server of the Android device penetration testing system for processing; the server extracts the corresponding vulnerability descriptions, repair schemes and vulnerability score data from the back-end database, matches the vulnerabilities and returns the analysis result; the analysis result includes vulnerability ID, vulnerability hazard level, vulnerability scope, vulnerability impact, vulnerability repair scheme, vulnerability security advice, the high/medium/low-risk distribution of vulnerabilities, the number of vulnerabilities and the corresponding overall score of the Android device;
The vulnerability detection items that the Android device penetration testing system checks on an Android device include: human-machine environment check, SMS forgery vulnerability, remote code execution vulnerability, man-in-the-middle information forgery vulnerability, man-in-the-middle input validation vulnerability, multimedia file serialization vulnerability, device manager vulnerability, call log unauthorized-access vulnerability, broadcast bypass vulnerability, Bluetooth PIN code remote command execution vulnerability, denial of service, unlock password bypass vulnerability, unlock password tampering vulnerability, camera privilege escalation vulnerability, input method activation information leakage, monitor privilege escalation vulnerability, message push SQL injection vulnerability, memory management resource exhaustion vulnerability, malformed-loop reboot vulnerability, contact unauthorized-creation vulnerability, Bluetooth command injection vulnerability, cross-signature denial-of-service vulnerability, broadcast component permission bypass vulnerability, authentication key leakage vulnerability, startup component privilege escalation vulnerability, Samsung message module code execution vulnerability, Huawei Wifi denial-of-service vulnerability, application contains ad code, externally exposed component vulnerability, browser address bar spoofing vulnerability, mailbox open redirect vulnerability, reader code execution vulnerability, application certificate verification vulnerability;
For these vulnerability detection items, the Android device penetration testing system can automatically collect the latest vulnerability data from the network in the background of the penetration testing system, parse it, and update the back-end database of the penetration testing system in real time;
Step 3: The data analysis module of the Android device penetration testing system outputs: vulnerability ID, vulnerability hazard level, vulnerability scope, vulnerability impact, vulnerability repair scheme, vulnerability security advice, the high/medium/low-risk distribution of vulnerabilities, the number of vulnerabilities and the corresponding overall score of the Android device;
Step 4: The vulnerability scanning analysis result of the Android device penetration testing system is displayed both in the Android device application and on a web page on the display connected to the machine (computer or Raspberry Pi); after the vulnerability scanning analysis result has been displayed, the application installed on the Android device can optionally be uninstalled automatically.
In the present invention, the Android device penetration testing system does not need root privileges on the Android device to be scanned.
Compared with prior art, the beneficial effects of the invention are as follows:
Any Android device only needs to be connected by data cable to the penetration testing system of the present invention to obtain, within a few seconds, the current device's numbers of high-risk, medium-risk and low-risk vulnerabilities, the device safety coefficient, repair schemes and security advice. The penetration testing system of the present invention is efficient, highly compatible and plug and play, runs fully automatically and outputs effective security analysis results, letting ordinary users grasp the current state of their Android device within a few seconds.
Brief description of the drawings
Fig. 1 is a flow diagram of the use of the Android device penetration testing system.
Fig. 2 is a schematic diagram of the modules in the Android device penetration testing system.
Fig. 3 is a schematic flow chart of penetration testing in the embodiment.
Embodiment
It should first be explained that the present invention relates to automation technology for information security attack and defense, and is an application of computer technology in the field of information security. Implementing the present invention involves the application of multiple software functional modules. The applicant believes that, after carefully reading the application documents and accurately understanding the implementation principle and purpose of the invention, a person skilled in the art can, in combination with existing well-known techniques, fully realize the present invention using the software programming skills they possess. The aforementioned software functional modules include but are not limited to: the information identification and processing module, the Android vulnerability identification module, the back-end data analysis module and the front-end effect display module; everything referred to in the application documents of the present invention falls into this category, and the applicant will not enumerate them one by one.
The present invention is described in further detail below with reference to the accompanying drawings and embodiments:
The modules of the Android device penetration testing system shown in Fig. 2 are described in detail as follows:
1. Information identification and processing module
This module is developed in Python and can be used on different operating system platforms. On a daily schedule it collects and samples the latest Android vulnerabilities and parses out the ID, vulnerability category, vulnerability name, vulnerability level, vulnerability description, detection scheme, best repair scheme and user operation advice fields. Entries are de-duplicated by ID and inserted into the back-end database table, and the corresponding scanning rule java files are generated.
2. Android vulnerability identification module
This module is developed in Java and is the application installed on the user's mobile phone. The scanning rule java files automatically generated by the information identification and processing module are added to the application project. Once the user connects the data cable and grants USB debugging permission, the application can be installed; it prints the vulnerability detection file in JSON format and returns it to the server.
3. Back-end data analysis module
This module is developed in Java. It receives the file returned by the application, parses the JSON-format output, and extracts the description, repair scheme and score corresponding to each vulnerability from the database. It parses and outputs the following: (1) the total number of vulnerabilities and a pie chart of high-risk, medium-risk and low-risk vulnerabilities; (2) the Android device safety coefficient; (3) for system vulnerabilities, advice to upgrade to a secure system version, with prompts on operational precautions; for application vulnerabilities, a prompt naming the application to be upgraded; (4) a vulnerability details button that can be clicked to view the specific technical details of each vulnerability. The result is returned to the mobile phone side in HTML form.
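As an added example (not code from the patent), the following Python follows modules 1 and 3 as described above: collected entries are de-duplicated by ID on insert, then a JSON scan report is matched against the table to give the risk distribution, vulnerability count and device score. sqlite3 stands in for the MySQL table; the JSON layout, the `VULN-` IDs, the sample data and the scoring weights are assumptions, since the patent does not specify them.

```python
import json
import sqlite3

# Constructed feed entries (placeholders, not real advisories); one ID repeats.
FEED = [
    ("VULN-0001", "SMS forgery", "high", "upgrade the system"),
    ("VULN-0002", "Browser address bar spoofing", "medium", "upgrade the browser"),
    ("VULN-0001", "SMS forgery", "high", "upgrade the system"),
    ("VULN-0003", "Application contains ad code", "low", "remove the application"),
]
# Constructed JSON report, standing in for the file the on-device app returns.
REPORT = '{"device": "constructed-device", "findings": ["VULN-0001", "VULN-0003", "VULN-9999"]}'
PENALTY = {"high": 30, "medium": 15, "low": 5}  # assumed weights, not from the patent

def load_feed(db, entries):
    """Insert collected entries, de-duplicating by ID; return the rows actually added."""
    db.execute("CREATE TABLE IF NOT EXISTS vuln "
               "(id TEXT PRIMARY KEY, name TEXT, level TEXT, fix TEXT)")
    added = 0
    for entry in entries:
        # The primary key makes a repeated ID a no-op instead of a second row.
        added += db.execute("INSERT OR IGNORE INTO vuln VALUES (?, ?, ?, ?)", entry).rowcount
    db.commit()
    return added

def analyse(db, report_json):
    """Match reported IDs against the table and summarise the device state."""
    report = json.loads(report_json)
    result = {"device": report["device"], "details": [], "unknown": [],
              "distribution": {"high": 0, "medium": 0, "low": 0}}
    for vid in report["findings"]:
        row = db.execute("SELECT name, level, fix FROM vuln WHERE id = ?", (vid,)).fetchone()
        if row is None:  # ID missing from the table: surface it, do not guess
            result["unknown"].append(vid)
            continue
        name, level, fix = row
        result["distribution"][level] += 1
        result["details"].append({"id": vid, "name": name, "level": level, "fix": fix})
    lost = sum(PENALTY[level] * n for level, n in result["distribution"].items())
    result["count"] = len(result["details"])
    result["score"] = max(0, 100 - lost)  # assumed 0-100 scale
    return result

def demo():
    db = sqlite3.connect(":memory:")  # sqlite3 stands in for the MySQL table
    return load_feed(db, FEED), analyse(db, REPORT)

if __name__ == "__main__":
    print(json.dumps(demo()[1], indent=2))
```

Reported IDs that are absent from the table are kept in a separate `unknown` list, which shows when the rule set on the device and the back-end table have drifted apart.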
4. Front-end effect display module
This module displays the results of the back-end data analysis module. The computer side displays them as a web page and the mobile phone side as an HTML5 page. It shows the device's numbers of high-risk, medium-risk and low-risk vulnerabilities, the device score and security advice, and vulnerability details can be viewed by clicking.
As shown in Fig. 1, the automated penetration testing method based on the Android device penetration testing system comprises the following steps:
Step 1: After the inventor has deployed the vulnerability detection system on a machine, the user only needs to turn on USB debugging and plug in the Android device to be scanned.
Step 2: The vulnerability detection system automatically installs the vulnerability scanning apk, collects the vulnerability information of the current device and returns it to the back end for processing; the back end automatically extracts data from the database to match the vulnerabilities and returns the scan result.
Detection includes: human-machine environment check, SMS forgery vulnerability, remote code execution vulnerability, man-in-the-middle information forgery vulnerability, man-in-the-middle input validation vulnerability, multimedia file serialization vulnerability, device manager vulnerability, call log unauthorized-access vulnerability, broadcast bypass vulnerability, Bluetooth PIN code remote command execution vulnerability, denial of service, unlock password bypass vulnerability, unlock password tampering vulnerability, camera privilege escalation vulnerability, input method activation information leakage, monitor privilege escalation vulnerability, message push SQL injection vulnerability, memory management resource exhaustion vulnerability, malformed-loop reboot vulnerability, contact unauthorized-creation vulnerability, Bluetooth command injection vulnerability, cross-signature denial-of-service vulnerability, broadcast component permission bypass vulnerability, authentication key leakage vulnerability, startup component privilege escalation vulnerability, Samsung message module code execution vulnerability, Huawei Wifi denial-of-service vulnerability, application contains ad code, externally exposed component vulnerability, browser address bar spoofing vulnerability, mailbox open redirect vulnerability, reader code execution vulnerability, application certificate verification vulnerability, etc.
The detection rules can be collected and updated automatically in the background.
The penetration test types include human-machine environment check, SMS forgery vulnerability, remote code execution vulnerability, man-in-the-middle information forgery vulnerability, man-in-the-middle input validation vulnerability, multimedia file serialization vulnerability, device manager vulnerability, call log unauthorized-access vulnerability, broadcast bypass vulnerability, Bluetooth PIN code remote command execution vulnerability, denial of service, unlock password bypass vulnerability, unlock password tampering vulnerability, camera privilege escalation vulnerability, input method activation information leakage, monitor privilege escalation vulnerability, message push SQL injection vulnerability, memory management resource exhaustion vulnerability, malformed-loop reboot vulnerability, contact unauthorized-creation vulnerability, Bluetooth command injection vulnerability, cross-signature denial-of-service vulnerability, broadcast component permission bypass vulnerability, authentication key leakage vulnerability, startup component privilege escalation vulnerability, Samsung message module code execution vulnerability, Huawei Wifi denial-of-service vulnerability, application contains ad code, externally exposed component vulnerability, browser address bar spoofing vulnerability, mailbox open redirect vulnerability, reader code execution vulnerability, application certificate verification vulnerability.
Step 3: Within only a few seconds, the user's vulnerability list, the device security score and the vulnerability solutions are returned. The user can thus learn the current device's security state and the solutions within a few seconds.
Step 4: The results are displayed in the device application and on the web page respectively, and automatic uninstallation can be selected once the scan completes.
The following embodiment will help professionals in this field understand the present invention more fully, but does not limit the present invention in any way.
Fig. 3 is a schematic diagram of the vulnerability scanning flow in one embodiment of the present invention; the steps include:
1) the user enables USB debugging permission on the Android device, plugs in the data cable and approves the USB connection;
2) the computer installs the scanning application on the user's Android device;
3) the program completes the scan and returns the data to the computer;
4) the result is formatted and converted into a form the user can view;
5) the back end feeds the display information back to the mobile phone in HTML5 form;
6) the scan result is displayed on the computer's web front end and on the mobile phone.
Finally, it should be noted that the above is only a specific embodiment of the present invention. Obviously, the invention is not limited to the above embodiment, and many variations are possible. All variations that a person of ordinary skill in the art can directly derive or associate from the disclosure of the present invention shall be considered within the protection scope of the present invention.