CN109948338B - Android application sensitive path triggering method based on static analysis - Google Patents


Info

Publication number
CN109948338B
Authority
CN
China
Prior art keywords
sensitive
component
name
function
path
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910208397.6A
Other languages
Chinese (zh)
Other versions
CN109948338A (en
Inventor
宋虹
朱双
王伟平
林丹丹
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Central South University
Original Assignee
Central South University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Central South University
Priority to CN201910208397.6A
Publication of CN109948338A
Application granted
Publication of CN109948338B
Legal status: Active
Anticipated expiration

Landscapes

  • Stored Programmes (AREA)

Abstract

The invention discloses an Android application sensitive path triggering method based on static analysis, which comprises: constructing a component conversion relation graph and a function call relation graph of the Android application to be tested; acquiring a sensitive path set; and automatically triggering each sensitive path in the sensitive path set in turn and verifying its correctness. The method forms an execution path from a root component to a sensitive API component by constructing the Android application's component conversion relation graph and the intra-component and inter-component function call relations, and verifies the correctness of the sensitive path through automatic triggering.

Description

Android application sensitive path triggering method based on static analysis
Technical Field
The invention particularly relates to an android application sensitive path triggering method based on static analysis.
Background
With the widespread use of mobile smart devices, the Android system has become the most widely used mobile operating system in the world. As mobile terminal devices develop rapidly, large numbers of Android applications are continuously developed and updated, and Android application security has become a focus of attention, for example obtaining the permission information of applications, detecting malicious intrusion behaviors, and tracking the sensitive paths through which user privacy data leaks.
At present there are three main methods for analyzing Android application security problems: static analysis, dynamic analysis and hybrid analysis. Static analysis obtains the bytecode and intermediate code of the application by decompiling it with reverse engineering techniques, without executing any code, and inspects the Android application on that basis. Static analysis comprises control flow analysis and data flow analysis: control flow analysis explores the logical associations expressed by function call relationships, and data flow analysis then explores the communication relationships among Android components and obtains the executable path sequences along which data flows. However, static detection of sensitive paths produces a certain number of false positives and false negatives, and it cannot run the Android application to verify whether a sensitive path is actually triggered. Dynamic analysis, by contrast, executes the Android application and captures its runtime behavior to detect whether a sensitive path exists in the application under test.
Dynamic analysis includes techniques such as dynamic taint analysis and fuzz testing. Dynamic taint tracking needs to modify the underlying Android source code and monitor the propagation of sensitive data through code instrumentation; fuzz testing needs to generate a large amount of random data as test input and observe whether the Android application exhibits sensitive behavior at run time. However, when the sensitive paths are unknown, dynamic analysis lacks an efficient automatic triggering mechanism to detect sensitive paths and malicious behaviors completely, and some sensitive paths may be missed. Hybrid analysis combines the characteristics of static and dynamic analysis: it uses the former to analyze executable path information and the latter to traverse it dynamically, or extracts features from both for joint analysis. Although this makes up for the respective shortcomings of static and dynamic analysis and improves the stability and robustness of the test system, existing hybrid analysis techniques perform only single detection of sensitive paths, so efficiency is low and the detection results are not ideal.
Disclosure of Invention
The invention aims to provide a static analysis-based Android application sensitive path triggering method which can automatically verify the correctness of a sensitive path possibly causing user privacy data leakage in an Android application to be tested and has high reliability.
The android application sensitive path triggering method based on static analysis provided by the invention comprises the following steps:
adopting data flow analysis to construct a component conversion relation graph of the android application to be tested;
adopting control flow analysis to construct a function call relation graph of the android application to be tested;
acquiring a sensitive path set according to the constructed component conversion relation diagram and the function call relation diagram of the android application to be tested;
and automatically triggering each sensitive path in the sensitive path set in turn and verifying the correctness of each sensitive path.
Data flow analysis is used to construct the component conversion relation graph of the Android application to be tested, specifically by the following steps:
A. defining the tracked entry Source and exit Sink:
the tracked entry Source is defined as findViewById() of a control in the Android application to be tested; the exit Sink is defined as the event listener functions of controls in the Android application and the methods for starting components;
B. defining the description of the component conversion relation graph of the Android application to be tested:
the component conversion relation graph is represented as G = (V, E), where V represents the set of components and E represents the relations between components; a triple {Comp1, widget_method, Comp2} is also defined, indicating that component Comp1 jumps to component Comp2 through the event handling method widget_method of the control widget;
C. decompiling the Android application to be tested into jimple code, setting the tracked entry Source and exit Sink, and using taint tracking to obtain the calling relations between the components on the path from each tracked entry Source to the exit Sink, thereby forming the component conversion relation graph.
The event listener functions of controls in the Android application in step A specifically include setOnClickListener, setOnItemClickListener, onDateChangedListener, setOnKeyListener, setOnCheckedChangeListener, setonselectlistener and onoptionselectselectedpriecter.
The methods for starting components in the Android application in step A specifically include startActivity, sendBroadcast, contentResolver, startActivityForResult and startService/bindService.
The calling relations in step C between the components on the path from the tracked entry Source to the exit Sink specifically include information such as component names, the Intent information and intent filter information of the components, and the method names in the components.
Control flow analysis is used to construct the function call relation graph of the Android application to be tested, specifically by the following steps:
a. converting the Android application to be tested into smali code, and obtaining the components contained in the smali code and the method information executed by the components;
b. analyzing the invoke instructions to obtain the function jump relations of the components;
c. storing the name of each method executed in a component, the list of functions that call the method and the list of functions called by the method into method_name, in_list and sd_list respectively, and taking the system framework layer functions out of sd_list and storing them into API_list, so as to form a quadruple {method_name, in_list, sd_list, API_list}; method_name represents the name of the function, in_list represents the set of functions that call the function, and sd_list represents the set of custom functions called in the function.
In step a, the Android application to be tested is converted into smali code using a decompiling tool.
The function jump relations of the components in step b specifically include the method name of the component, the list of functions that call the method and the list of functions called by the method.
The sensitive path set is obtained by adopting the following steps:
(1) extracting the sensitive API functions from the API_list of the function call relation graph according to the existing sensitive API function list, and storing each sensitive API function together with the name of the component to which it belongs into the sensitive API set sensitive_API;
(2) taking out the name of the component to which a sensitive API function in sensitive_API belongs, searching the Android application's component conversion relation graph to obtain the name of the component that calls this component and the control event handling method widget_method, then searching for the calling component and control event handling method at the previous level according to the component name found, until a component conversion path from the root component to the sensitive API function is obtained, and storing this path into the sensitive path set sensitive_Path;
(3) repeating step (2) until all elements in the sensitive API set have been processed.
The existing sensitive API function list in step (1) is specifically the following:
1) user sensitive APIs:
mobile phone identification information:
sensitive API name: getDeviceId(); corresponding sensitive behavior: obtaining the IMEI number;
sensitive API name: getLine1Number(); corresponding sensitive behavior: acquiring the mobile phone number;
sensitive API name: getLocation(); corresponding sensitive behavior: acquiring the current position;
geographical location information:
sensitive API name: getLatitude(); corresponding sensitive behavior: acquiring longitude;
sensitive API name: getLongitude(); corresponding sensitive behavior: acquiring latitude;
sensitive API name: getNetworkType(); corresponding sensitive behavior: acquiring the network state;
network state information:
sensitive API name: ActiveNetworkInfo(); corresponding sensitive behavior: acquiring the connected network type;
sensitive API name: openConnection(); corresponding sensitive behavior: opening a URL connection;
short message information:
sensitive API name: sendSMS(); corresponding sensitive behavior: sending a short message;
sensitive API name: SmsManager->getDefault(); corresponding sensitive behavior: acquiring the default instance of SmsManager;
2) system sensitive APIs:
inter-component communication:
sensitive API name: BroadcastReceiver(); corresponding sensitive behavior: broadcast monitoring;
sensitive API name: startActivity(); corresponding sensitive behavior: starting an Activity;
sensitive API name: startService(); corresponding sensitive behavior: starting a service;
runtime loading:
sensitive API name: getRuntime(); corresponding sensitive behavior: acquiring the process runtime environment;
sensitive API name: Calendar->getInstance(); corresponding sensitive behavior: obtaining a Calendar instance.
Each sensitive path in the sensitive path set is automatically triggered in turn and its correctness verified as follows: the Android application to be tested is automatically installed and started, each path in sensitive_Path from the entry component to the sensitive API function component is triggered in turn according to the package name and the entry component, and the result is judged: if the execution succeeds, the sensitive path exists and is correct; if the execution fails, the sensitive path is incorrect or false.
Specifically, the Android application to be tested is automatically installed and started in the open-source automated testing framework Appium.
The method provided by the invention is an automatic triggering method for Android application sensitive paths based on static analysis: it forms an execution path from a root component to a sensitive API component by constructing the Android application's component conversion relation graph and the intra-component and inter-component function call relations, and verifies the correctness of the sensitive path through automatic triggering.
Drawings
FIG. 1 is a schematic process flow diagram of the process of the present invention.
Fig. 2 is a jimple code diagram of the NetStart component after the org.uc.netspeed decompilation according to the embodiment of the present invention.
Fig. 3 is an information diagram of each data table obtained by decompiling org.uc.netspeed in the embodiment of the present invention.
Fig. 4 is a diagram of the smali code of the NetStart component after the decompiling of org.uc.netspeed according to the embodiment of the present invention.
Fig. 5 is a function call relationship diagram of the onCreate function of the NetStart component of org.uc.netspeed according to an embodiment of the present invention.
Fig. 6 is a component conversion relationship diagram of org.uc.netspeed according to an embodiment of the present invention.
Detailed Description
FIG. 1 is a schematic flow chart of the method of the present invention: the android application sensitive path triggering method based on static analysis provided by the invention comprises the following steps:
using data flow analysis to construct the component conversion relation graph of the Android application to be tested, specifically by the following steps:
A. defining the tracked entry Source and exit Sink:
the tracked entry Source is defined as findViewById of a control in the Android application to be tested; the exit Sink is defined as the event listener functions of controls in the Android application and the methods for starting components;
the event listener functions of controls in the Android application specifically include setOnClickListener, setOnItemClickListener, onDateChangedListener, setOnKeyListener, setOnCheckedChangeListener, setonselectlistener and onoptionselectselectedpriecter;
the methods for starting components in the Android application specifically include startActivity, sendBroadcast, contentResolver, startActivityForResult and startService/bindService;
B. defining the description of the component conversion relation graph of the Android application to be tested:
the component conversion relation graph is represented as G = (V, E), where V represents the set of components and E represents the relations between components; a triple {Comp1, widget_method, Comp2} is also defined, indicating that component Comp1 jumps to component Comp2 through the event handling method widget_method of the control widget;
C. decompiling the Android application to be tested into jimple code, setting the tracked entry Source and exit Sink, and using taint tracking to obtain the calling relations between the components on the path from each tracked entry Source to the exit Sink (specifically including information such as component names, the Intent information and intent filter information of the components, and the method names in the components), thereby forming the component conversion relation graph;
using control flow analysis to construct the function call relation graph of the Android application to be tested, specifically by the following steps:
a. converting the Android application to be tested into smali code (for example, with a decompiling tool), and obtaining the components contained in the smali code and the method information executed by the components;
b. analyzing the invoke instructions to obtain the function jump relations of the components (specifically including the method name of the component, the list of functions that call the method and the list of functions called by the method);
c. storing the name of each method executed in a component, the list of functions that call the method and the list of functions called by the method into method_name, in_list and sd_list respectively, and taking the system framework layer functions out of sd_list and storing them into API_list, so as to form a quadruple {method_name, in_list, sd_list, API_list}; method_name represents the name of the function, in_list represents the set of functions that call the function, and sd_list represents the set of custom functions called in the function;
acquiring the sensitive path set according to the constructed component conversion relation graph and function call relation graph of the Android application to be tested; specifically, the sensitive path set is obtained by the following steps:
(1) extracting the sensitive API functions in the function call relation graph according to the existing sensitive API function list, and storing each sensitive API function together with the name of the component to which it belongs into the sensitive API set sensitive_API;
the existing sensitive API function list is shown in Table 1 below:
TABLE 1 Existing sensitive API function list
(2) taking out the name of the component to which a sensitive API function in sensitive_API belongs, searching the Android application's component conversion relation graph to obtain the name of the component that calls this component and the control event handling method widget_method, then searching for the calling component and control event handling method at the previous level according to the component name found, until a component conversion path from the root component to the sensitive API function is obtained, and storing this path into the sensitive path set sensitive_Path;
(3) repeating step (2) until all elements in the sensitive API set have been processed;
automatically triggering each sensitive path in the sensitive path set in turn and verifying the correctness of each sensitive path; specifically, the Android application to be tested is automatically installed and started (for example, in the open-source automated testing framework Appium), each path in sensitive_Path from the entry component to the sensitive API function component is triggered in turn according to the package name and the entry component, and the result is judged: if the execution succeeds, the sensitive path exists and is correct; if the execution fails, the sensitive path is incorrect or false.
The process of the invention is illustrated below with reference to several examples:
Example 1:
The execution of the static-analysis-based automatic triggering method for Android application sensitive paths is described using a sample, org.uc.netspeed, randomly selected from Android market applications. The specific steps are as follows:
S1: data flow analysis is used to construct the component conversion relation graph of the Android application to be tested, specifically by the following steps:
(1) defining the tracked entry Source and exit Sink;
(2) defining the description of the component conversion relation graph of the Android application to be tested;
(3) decompiling the Android application to be tested into jimple code, setting Source and Sink, and using taint tracking to obtain the calling relations between the components on the path from each Source to the Sink, including information such as component names, component Intent information, intent filter information and the method names in the components, thereby forming the component conversion relation graph.
The application org.uc.netspeed is decompiled into jimple code; FIG. 2 shows the code corresponding to the component NetStart in org.uc.netspeed. Source is determined to be the findViewById method of the controls in each component: as shown in FIG. 2, the NetStart component contains findViewById calls for four controls, corresponding to the controls with IDs 2131099649, 2131099650, 2131099651 and 2131099652. Sink is determined to be the event listener functions and component-starting methods described in step A, where $r3.<android.widget.Button: void setOnClickListener(android.view.View$OnClickListener)> shown in FIG. 2 is the event listener of control 2131099649. Taint tracking is performed with the existing IccTA tool, and the information obtained is stored in the data tables listed in Table 2; the details of each data table are shown in FIG. 3.
TABLE 2 Data table information
Table name | Detailed information
Classes | Stores the application name, package name, component name, etc. of each component in the form of a class
Components | Stores information such as the application name, package name and component name called by each component
ExitPoints | Stores the method names corresponding to all components, etc.
Intents | Stores all Intent information in the application
Links | Stores the Intent and component information between components
Paths | Stores the names, methods and other information of the trigger components passed through on each path
Stmts | Stores the trigger statements (stmt), method names, etc. of the methods in each component
Analyzing the relationships among the components in the data tables gives the component set of org.uc.netspeed, V = {NetStart, SpeedPreferences, NetSpeedService, Settings, About, ConfigActivity, DeviceCheck, HelpActivity}, which shows that the application org.uc.netspeed contains 8 components. The edge information for the component conversions is shown in Table 3:
Table 3 Edge information of the component conversions of sample org.uc.netspeed
Comp1 (source component) | widget_ID_method (triggering method) | Comp2 (target component)
NetStart | NetStart$1:onClick() | SpeedPreferences
NetStart | NetStart$2:onClick() | NetSpeedService
NetStart | NetStart$3:onClick() | Settings
NetStart | NetStart$4:onClick() | About
SpeedPreferences | SpeedPreferences$1:onClick() | ConfigActivity
SpeedPreferences | SpeedPreferences$2:onClick() | DeviceCheck
Settings | Settings:onClick() | HelpActivity
Thus, a component conversion relation diagram of org.uc.netspeed is constructed as shown in fig. 6.
S2: control flow analysis is used to construct the function call relation graph of org.uc.netspeed, specifically by the following steps:
(1) converting the Android application to be tested into smali code with a decompiling tool, and obtaining the components contained in the smali code and the method information executed by the components;
(2) analyzing the invoke instructions to obtain the function jump relations of the components, including the method name of the component, the list of functions that call the method and the list of functions called by the method;
(3) storing the name of each method executed in a component, the list of functions that call the method and the list of functions called by the method into method_name, in_list and sd_list respectively, where method_name represents the name of the function, in_list represents the set of functions that call the function and sd_list holds the set of custom functions called in the function; the system framework layer functions are taken out of sd_list and stored into API_list, forming a quadruple {method_name, in_list, sd_list, API_list}.
org.uc.netspeed is decompiled into smali code, and the components and the methods they execute are obtained from the smali code, such as the component NetStart and its direct methods and virtual methods shown in FIG. 4. The invoke-direct call chain and the invoke-virtual call chain are analyzed in turn, as shown in Table 4. The called custom inner-class methods are extracted from the invoke-direct call chain, and information such as framework layer API function names is extracted from the invoke-virtual call chain. Combining these with the quadruple structure of the function call graph gives the call relation description of the onCreate method of org.uc.netspeed.NetStart, as shown in FIG. 5. In the function call relation graph of this function, method_name is org/uc/netspeed/NetStart;->onCreate(Landroid/os/Bundle;); in_list is empty; sd_list contains the custom inner-class methods of the four called methods under "invoke-direct" in Table 4; and API_list contains the framework layer API function names of the three called methods under "invoke-virtual".
Table 4 Example of invoke call chains
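The following added example (not code from the patent) sketches steps (1) to (3) of S2 and step (1) of the sensitive path acquisition: it parses invoke instructions from smali text into {method_name, in_list, sd_list, API_list} quadruples and then extracts the sensitive API set. The smali fragment, the package-prefix rule for deciding what counts as a framework layer function, and the function names `build_quadruples` and `sensitive_api_set` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumption: classes under these prefixes count as "system framework layer".
FRAMEWORK_PREFIXES = ("Landroid/", "Ljava/", "Ljavax/", "Ldalvik/")
# A few names taken from the sensitive API list given on this page.
SENSITIVE_NAMES = {"getDeviceId", "getLine1Number", "getLatitude",
                   "getLongitude", "openConnection"}

# Constructed smali fragment for a hypothetical app (not the patent's FIG. 4).
SAMPLE_SMALI = r"""
.class public Lorg/example/app/Main;
.super Landroid/app/Activity;

.method public onCreate(Landroid/os/Bundle;)V
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    invoke-direct {v1, p0}, Lorg/example/app/Main$1;-><init>(Lorg/example/app/Main;)V
    invoke-virtual {v0, v1}, Landroid/widget/Button;->setOnClickListener(Landroid/view/View$OnClickListener;)V
    invoke-direct {p0}, Lorg/example/app/Main;->readId()V
.end method

.method private readId()V
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
.end method
"""

CLASS_RE = re.compile(r"^\.class\s+.*?(L[^;\s]+;)\s*$")
# Matches invoke-virtual, invoke-direct, invoke-static, ... and /range forms.
INVOKE_RE = re.compile(r"^invoke-[a-z]+(?:/range)?\s+\{[^}]*\},\s*(\S+?)->(\S+)")


def build_quadruples(smali_text):
    """Return {method_name: {"in_list": [...], "sd_list": [...], "API_list": [...]}}."""
    quads = defaultdict(lambda: {"in_list": [], "sd_list": [], "API_list": []})
    current_class = None
    current_method = None
    for raw in smali_text.splitlines():
        line = raw.strip()
        m = CLASS_RE.match(line)
        if m:
            current_class = m.group(1)
            continue
        if line.startswith(".method "):
            # The last token of a .method line is name plus descriptor.
            current_method = f"{current_class}->{line.split()[-1]}"
            quads[current_method]  # register methods that make no calls
            continue
        if line.startswith(".end method"):
            current_method = None
            continue
        m = INVOKE_RE.match(line)
        if not m or current_method is None:
            continue
        callee = f"{m.group(1)}->{m.group(2)}"
        if m.group(1).startswith(FRAMEWORK_PREFIXES):
            bucket = quads[current_method]["API_list"]
        else:
            bucket = quads[current_method]["sd_list"]
            # Record the reverse edge: the callee is called by current_method.
            if current_method not in quads[callee]["in_list"]:
                quads[callee]["in_list"].append(current_method)
        if callee not in bucket:
            bucket.append(callee)
    return dict(quads)


def sensitive_api_set(quads, sensitive_names=SENSITIVE_NAMES):
    """Pairs (component class, sensitive API name) found in any API_list."""
    found = set()
    for method_name, quad in quads.items():
        component = method_name.split("->", 1)[0]
        for api in quad["API_list"]:
            name = api.split("->", 1)[1].split("(", 1)[0]
            if name in sensitive_names:
                found.add((component, name))
    return sorted(found)


if __name__ == "__main__":
    for name, quad in build_quadruples(SAMPLE_SMALI).items():
        print(name, quad)
    print(sensitive_api_set(build_quadruples(SAMPLE_SMALI)))
```

A prefix test on the declaring class misclassifies framework methods that smali references through an app subclass; resolving the class hierarchy would be needed to handle that case.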
S3: acquiring the sensitive path set, with the following specific steps:
S3.1 extracting the sensitive API functions from the API_list of the function call relation graph and storing them into the sensitive API set sensitive_API;
S3.2 taking out the name of the component to which a sensitive API function in sensitive_API belongs, searching the Android application's component conversion relation graph to obtain the name of the component that calls this component and the control event handling method widget_method, then searching for the calling component and control event handling method at the previous level according to the component name found, until a component conversion path from the root component to the sensitive API function is obtained, and storing this path into the sensitive path set sensitive_Path.
S3.3 repeating step S3.2 until all elements of the sensitive API set have been processed. The sensitive API set sensitive_API of org.uc.netspeed is extracted, as shown in Table 5, where BroadcastReceiver is a system sensitive API and getDeviceId is a user sensitive API.
Table 5 Sensitive API set sensitive_API of sample org.uc.netspeed
The sensitive API function BroadcastReceiver is taken out; the component to which it belongs is NetSpeedService, and the triggering method is onCreate. Searching the component conversion relation graph of org.uc.netspeed gives the control event handling method widget_method that triggers this component: widget_ID_method is onClick, the component it belongs to is NetStart, and the triggering control is startButton. Because NetStart is the root component, the sensitive path NetStart->NetSpeedService is formed and added to the sensitive path set sensitive_Path. Next, the sensitive API function getDeviceId is taken out; the component to which it belongs is DeviceCheck, and the triggering method is onCreate. Searching the component conversion relation graph of org.uc.netspeed gives the control event handling method that triggers this component: it is onClick, the component it belongs to is SpeedPreferences, and the triggering control is checkButton. Continuing the reverse search, the calling component of SpeedPreferences is NetStart, the triggering control is speedButton and the triggering method is onClick, which forms the second sensitive path NetStart->SpeedPreferences->DeviceCheck; it is added to the sensitive path set sensitive_Path. The resulting sensitive path set is shown in Table 6.
Table 6 Sensitive path set of sample org.uc.netspeed
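The reverse search of steps S3.2 and S3.3 can be run directly on the Table 3 edges. This is an added example, not code from the patent: the edge triples and the two sensitive API entries are taken from this page, while the function names `sensitive_paths` and `format_path` are hypothetical. It goes slightly beyond the walkthrough by handling components with several callers, cycles in the graph, and sensitive components that no control event path reaches from the root.

```python
from collections import defaultdict

# {Comp1, widget_method, Comp2} triples copied from Table 3 on this page.
EDGES = [
    ("NetStart", "NetStart$1:onClick()", "SpeedPreferences"),
    ("NetStart", "NetStart$2:onClick()", "NetSpeedService"),
    ("NetStart", "NetStart$3:onClick()", "Settings"),
    ("NetStart", "NetStart$4:onClick()", "About"),
    ("SpeedPreferences", "SpeedPreferences$1:onClick()", "ConfigActivity"),
    ("SpeedPreferences", "SpeedPreferences$2:onClick()", "DeviceCheck"),
    ("Settings", "Settings:onClick()", "HelpActivity"),
]
# (sensitive API, owning component) pairs named in the walkthrough above.
SENSITIVE_API = [
    ("BroadcastReceiver", "NetSpeedService"),
    ("getDeviceId", "DeviceCheck"),
]
ROOT = "NetStart"


def sensitive_paths(edges, sensitive_api, root):
    """Map each (api, component) to every edge sequence leading from root to it."""
    callers = defaultdict(list)          # Comp2 -> [(Comp1, widget_method)]
    for comp1, widget_method, comp2 in edges:
        callers[comp2].append((comp1, widget_method))

    def walk_back(component, suffix, on_path):
        # suffix holds the edges from `component` forward to the sensitive one.
        if component == root:
            yield suffix
            return
        for comp1, widget_method in callers.get(component, []):
            if comp1 in on_path:         # skip cycles such as A -> B -> A
                continue
            step = (comp1, widget_method, component)
            yield from walk_back(comp1, [step] + suffix, on_path | {comp1})

    return {
        (api, component): list(walk_back(component, [], {component}))
        for api, component in sensitive_api
    }


def format_path(steps, root):
    """Render an edge sequence in the NetStart->...->Target form used above."""
    return "->".join([root] + [comp2 for _, _, comp2 in steps])


if __name__ == "__main__":
    for key, paths in sensitive_paths(EDGES, SENSITIVE_API, ROOT).items():
        for steps in paths:
            # Each step names the control handler a UI driver has to fire.
            print(key, format_path(steps, ROOT), [s[1] for s in steps])
```

An empty path list for an entry means static analysis found the sensitive API but no control event path from the root component reaches it, so this triggering approach has nothing to execute for that entry.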
S4: dynamically executing the sensitive path set with automatically triggered tests. The specific steps are as follows: each path in the sensitive path set is automatically triggered in turn; the Android application to be tested is automatically installed and started in the open-source automated testing framework Appium, and each path in the sensitive_Path obtained in step S3, from the entry component to the sensitive API function component, is triggered in turn according to the package name org.
According to the method and the device, the sensitive path which possibly causes the leakage of the private data of the user is triggered and detected in an automatic mode, so that the problems that the sensitive path in the Android application to be detected can be verified through automatic dynamic triggering and the like are solved.
Example 2:
This example illustrates the correctness of the above method in practical application. 53 market applications were randomly selected from the Google application store; they fall into six categories: images, learning, communication, maps, systems and security. Using the method of the invention, 45 Android applications containing sensitive APIs were tested successfully, an average test success rate of 84.91%. The test results of the Android applications to be tested are shown in Table 7.
Table 7: Test results of the Android applications to be tested
Figure BDA0001999740110000161
The paths containing sensitive data leakage behavior were analyzed further: Table 8 gives the sensitive API triggering results for the 45 successfully tested Android applications containing sensitive APIs from Table 7.
Table 8: Sensitive API analysis of the successfully tested Android applications
Figure BDA0001999740110000171
In the table, I represents the number of sensitive APIs obtained by static analysis; II represents the number of sensitive APIs triggered by the method of the present invention.
The experimental results in Table 8 show that the method of the present invention can automatically trigger more than 83.33% of the various sensitive API paths, including both system sensitive APIs and user sensitive APIs. The method can therefore, on the basis of static analysis, effectively and automatically trigger and verify the sensitive paths containing sensitive APIs in the Android application to be tested.

Claims (9)

1. An android application sensitive path triggering method based on static analysis comprises the following steps:
adopting data flow analysis to construct a component conversion relation graph of the android application to be tested;
adopting control flow analysis to construct a function call relation graph of the android application to be tested; specifically, the method comprises the following steps of:
a. converting the Android application to be tested into smali code, and obtaining the components contained in the smali code and the information of the methods executed by the components;
b. analyzing the invoke function to obtain a function jump relation of the component;
c. storing the name of each method executed in the component, the list of functions calling the method and the list of functions called by the method into method_name, in_list and sd_list respectively, and taking the system framework layer functions out of sd_list and storing them into API_list, so as to form a quadruple {method_name, in_list, sd_list, API_list}; method_name represents the name of a function, in_list represents the set of functions calling the function, and sd_list represents the set of self-defined functions called in the function;
acquiring a sensitive path set according to the constructed component conversion relation diagram and the function call relation diagram of the android application to be tested;
and automatically triggering each sensitive path in the sensitive path set in turn and verifying the correctness of each sensitive path.
2. The android application sensitive path triggering method based on static analysis of claim 1, wherein the component conversion relationship graph of the android application to be tested is constructed by adopting data flow analysis, specifically the component conversion relationship graph is constructed by adopting the following steps:
A. defining the tracked entry Source and exit Sink:
the tracked entry Source is defined as findViewById() of a control in the Android application to be tested; the exit Sink is defined as an event listener function of a control in the Android application and a method for starting a component;
B. defining the description of the component conversion relation graph of the Android application to be tested:
the component conversion relation graph is represented in the form G = (V, E), wherein V represents the set of components and E represents the relations between the components; triplets {Comp1, widget_method, Comp2} are defined at the same time, indicating that component Comp1 jumps to component Comp2 through the event processing method widget_method of the control widget;
C. decompiling the Android application to be tested into Jimple code, setting the tracked entry Source and exit Sink, obtaining the calling relations between the components on the path from each tracked entry Source to the exit Sink by using taint tracking, and forming the component conversion relation graph.
3. The method as claimed in claim 2, wherein the event listener function of the control in the Android application in step A includes setOnClickListener, setOnItemClickListener, onDateChangedListener, setOnKeyListener, setOnCheckedChangeListener, setonselectedselectlistener, and onationoptterselectedfect.
4. The Android application sensitive path triggering method based on static analysis as claimed in claim 2, wherein the method for starting a component in the Android application in step A specifically includes startActivity, sendBroadcast, ContentResolver, startActivityForResult, and startService/bindService.
5. The android application sensitive path triggering method based on static analysis of claim 2, characterized in that the calling relationship between the tracked components on the path from the entry Source to the exit Sink in step C specifically includes a component name, the intent information and intent filter information of the component, and a method name in the component.
6. The android application sensitive path triggering method based on static analysis of any of claims 1 to 5, wherein the function jump relationship of the component in step b specifically includes a method name of the component, a function list calling the method, and a function list called by the method.
7. The android application sensitive path triggering method based on static analysis of any of claims 1 to 5, wherein the obtaining of the sensitive path set specifically comprises the following steps:
(1) extracting the sensitive API functions in the API_list of the function call relation graph according to the existing sensitive API function list, and storing each sensitive API function and the name of the component it belongs to into the sensitive API set sensitive_API;
(2) taking out the name of the component to which a sensitive API function in the sensitive API set belongs, searching the Android application component conversion relation graph to obtain the name of the component that calls this component and the control event processing method widget_method, then searching for the calling component name and control event processing method of the previous stage according to the component name found, until a component conversion path from the root component to the sensitive API function is obtained, and storing the component conversion path into the sensitive path set sensitive_Path;
(3) repeating step (2) until all the elements in the sensitive API set have been processed.
8. The android application sensitive path triggering method based on static analysis of claim 7, wherein the existing sensitive API function list in step (1) is specifically a sensitive API function list as follows:
1) user sensitive API:
mobile phone identification information:
sensitive API name: getDeviceId(); the corresponding sensitive behavior is described as: obtaining the IMEI number;
sensitive API name: getLine1Number(); the corresponding sensitive behavior is described as: acquiring the mobile phone number;
sensitive API name: getLocation(); the corresponding sensitive behavior is described as: acquiring the current position;
geographical location information:
sensitive API name: getLatitude(); the corresponding sensitive behavior is described as: acquiring longitude;
sensitive API name: getLongitude(); the corresponding sensitive behavior is described as: acquiring a latitude;
sensitive API name: getNetworkType(); the corresponding sensitive behavior is described as: acquiring the network state;
network state information:
sensitive API name: ActiveNetworkInfo(); the corresponding sensitive behavior is described as: acquiring the connected network type;
sensitive API name: openConnection(); the corresponding sensitive behavior is described as: opening a URL connection;
short message information:
sensitive API name: sendSMS(); the corresponding sensitive behavior is described as: sending a short message;
sensitive API name: SmsManager->getDefault(); the corresponding sensitive behavior is described as: acquiring the default instance of SmsManager;
2) system sensitive API:
inter-component communication:
sensitive API name: BroadcastReceiver(); the corresponding sensitive behavior is described as: broadcast monitoring;
sensitive API name: startActivity(); the corresponding sensitive behavior is described as: starting an Activity;
sensitive API name: startService(); the corresponding sensitive behavior is described as: starting a Service;
runtime loading:
sensitive API name: getRuntime(); the corresponding sensitive behavior is described as: acquiring the process runtime environment;
sensitive API name: Calendar->getInstance(); the corresponding sensitive behavior is described as: obtaining a Calendar instance.
9. The Android application sensitive path triggering method based on static analysis according to any one of claims 1 to 5, characterized in that each sensitive path in the sensitive path set is automatically triggered in sequence and the correctness of each sensitive path is verified, specifically: the Android application to be tested is automatically installed and started, each path from the entry component to the sensitive API function component in sensitive_Path is triggered in turn according to the package name and its entry component, and the result is judged: if the execution succeeds, the sensitive path exists and is correct; if the execution fails, the sensitive path is incorrect or false.
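Steps a to c of claim 1 and step (1) of claim 7, as an added example that is not part of the patent text. The smali snippet is constructed, and the framework class prefixes, regular expressions and function names are assumptions of this sketch; only the package and component names come from the page.

```python
import re

# Constructed smali; only the package and component name come from the page.
SAMPLE_SMALI = """\
.class public Lorg/uc/netspeed/DeviceCheck;
.method protected onCreate(Landroid/os/Bundle;)V
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    invoke-direct {p0}, Lorg/uc/netspeed/DeviceCheck;->readId()Ljava/lang/String;
    return-void
.end method
.method private readId()Ljava/lang/String;
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
.end method
"""

# Assumption: these class prefixes mark system framework layer functions.
FRAMEWORK_PREFIXES = ("Landroid/", "Landroidx/", "Ljava/", "Ljavax/", "Ldalvik/")
CLASS_RE = re.compile(r"^\.class\s+(?:[\w-]+\s+)*(L[^;]+;)$")
METHOD_RE = re.compile(r"^\.method\s+(?:[\w-]+\s+)*([\w$<>]+)\(")
INVOKE_RE = re.compile(r"^invoke-[\w/-]+\s+\{[^}]*\},\s*(\[*L[^;]+;)->([\w$<>]+)\(")


def build_call_graph(smali_text):
    """Return {method: quadruple}; overloads share an entry (names only)."""
    graph = {}

    def node(name):
        return graph.setdefault(name, {"method_name": name, "in_list": set(),
                                       "sd_list": set(), "API_list": set()})

    cls = current = None
    for raw in smali_text.splitlines():
        line = raw.strip()
        if m := CLASS_RE.match(line):
            cls, current = m.group(1), None
        elif cls and (m := METHOD_RE.match(line)):
            current = node(f"{cls}->{m.group(1)}")
        elif line == ".end method":
            current = None
        elif current and (m := INVOKE_RE.match(line)):
            callee = f"{m.group(1)}->{m.group(2)}"
            if m.group(1).lstrip("[").startswith(FRAMEWORK_PREFIXES):
                current["API_list"].add(callee)   # system framework call
            else:
                current["sd_list"].add(callee)    # self-defined callee
                node(callee)["in_list"].add(current["method_name"])
    return graph


def sensitive_api_set(graph, sensitive_names):
    """Claim 7 step (1): (sensitive API, owning component) pairs in API_list."""
    pairs = set()
    for name, quad in graph.items():
        component = name.split("->")[0][1:-1].rsplit("/", 1)[-1]
        for api in quad["API_list"]:
            func = api.split("->")[1]
            if func in sensitive_names:
                pairs.add((func, component))
    return sorted(pairs)
```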
CN201910208397.6A 2019-03-19 2019-03-19 Android application sensitive path triggering method based on static analysis Active CN109948338B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910208397.6A CN109948338B (en) 2019-03-19 2019-03-19 Android application sensitive path triggering method based on static analysis

Publications (2)

Publication Number Publication Date
CN109948338A (en) 2019-06-28
CN109948338B (en) 2020-03-17

Family

ID=67009117

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910208397.6A Active CN109948338B (en) 2019-03-19 2019-03-19 Android application sensitive path triggering method based on static analysis

Country Status (1)

Country Link
CN (1) CN109948338B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111797400B (en) * 2020-07-08 2023-09-01 国家计算机网络与信息安全管理中心 Dynamic detection method and device for malicious application of Internet of vehicles
CN113132346A (en) * 2021-03-05 2021-07-16 国家计算机网络与信息安全管理中心 Detection method and system for mobile application information stealing and returning master control address
CN113535566B (en) * 2021-07-20 2024-06-21 广州虎牙科技有限公司 Android application verification method, device, equipment and storage medium
CN117009970B (en) * 2023-10-07 2023-12-29 华中科技大学 Method for generating malicious software countermeasure sample in blind feature scene and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant