CN112512046B - Safety detection method for short message verification code authentication process of Android application program - Google Patents

Info

Publication number: CN112512046B
Authority: CN (China)
Prior art keywords: verification code, application program, short message, authentication process, detecting
Legal status: Active
Application number: CN202011481241.4A
Other languages: Chinese (zh)
Other versions: CN112512046A (en)
Inventors: 俞研, 田穗, 邓芳伟, 付安民
Current Assignee: Nanjing University of Science and Technology
Original Assignee: Nanjing University of Science and Technology

Landscapes

  • Telephone Function (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides a security detection method for the short message (SMS) verification code authentication process of Android applications. The method first establishes an authentication process model from the authentication characteristics of Android application SMS verification codes; it then analyzes the APK files provided by different applications and identifies the sensitive application credential parameters used to implement SMS verification code authentication; it then filters and identifies the target communication traffic with an HTTP debugging tool and checks whether the mobile phone number is transmitted securely; finally, it performs dynamic traffic analysis to identify cases in which the application server generates or authenticates verification codes incorrectly. The method provides security guidance to application developers implementing SMS verification code authentication and helps them implement Android application SMS verification code authentication correctly.

Description

Safety detection method for short message verification code authentication process of Android application program
Technical Field
The invention relates to the technical field of Android application communication, in particular to a security detection method for the short message verification code authentication process of an Android application.
Background
In recent years the Android application market has grown vigorously, and according to relevant statistics the number of Android applications has increased exponentially. More and more applications offer short message (SMS) verification as a convenient and fast authentication and login method for users, and SMS verification has become a target of attackers. To prevent theft of user identity information and leakage of privacy, developers need to study and consider the security of the SMS verification code authentication mode. Java files are the source files of an Android application: they are compiled into class files, which are then linked into dex files that run on the Dalvik virtual machine; the AndroidManifest.xml file, the application code (dex files), resource files and other files are packed into a compressed archive, the APK file, which is the application as used by users.
Existing security analysis techniques for the Android SMS verification code authentication process perform a matching search in an SMS verification code protection strategy library based on the application scenario information, obtain the SMS verification code protection strategy that matches the scenario information, and refuse to respond to an SMS verification code request when the request is determined not to comply with the protection strategy. However, the existing analysis techniques are mainly oriented toward attack defense, lack security analysis of the application's own logic design, and do not cover the whole process cycle of SMS verification code authentication.
Disclosure of Invention
The invention provides a security detection method for the Android application short message verification code authentication process that detects the security of the whole authentication process using static code analysis and dynamic traffic analysis.
The scheme for achieving the aim of the invention is as follows:
A security detection method for an Android application short message verification code authentication process comprises the following specific steps:
step 1, an authentication process model is formulated according to the short message verification code authentication characteristics of the Android application;
step 2, the APK files provided by different applications are analyzed, and the security of the application credential storage used to implement short message verification code authentication is detected through the authentication process model;
step 3, the verification code request messages generated by the application client in the authentication process model are filtered and identified with an HTTP protocol debugging tool, and the transmission security of the mobile phone number is detected;
step 4, a plurality of verification codes generated by the application server in response to the verification code request messages are analyzed and compared, and the security of the verification codes generated by the application server is detected;
step 5, the verification code authentication request message generated by the application client is modified and replayed, and the security of the authentication operation of the application server is detected;
step 6, if the detection results of steps 2, 3, 4 and 5 are all safe, the short message verification code authentication process of the application is considered safe; otherwise it is considered unsafe.
Further, the authentication process model in step 1 comprises 3 stages:
stage 1, verification code request stage: the application client sends a verification code request message to the application server; the message carries the application credential information and the mobile phone number;
stage 2, verification code issuing stage: the application server randomly generates a verification code, stores the mobile phone number, the verification code and the generation time of the verification code in a cache, and calls a third-party short message platform to send the short message;
stage 3, verification code authentication stage: the application client sends an authentication request containing the mobile phone number and the verification code; the application server matches the authentication request against the corresponding mobile phone number and verification code in the cache and returns the appropriate response (an authentication success response if the match succeeds, an authentication failure response if it fails).
Further, analyzing the APK files provided by the different applications in step 2 comprises: converting the dex file extracted from the decompressed APK file into class files with dex2jar, building the class file directory, and generating Java code with JD-GUI.
Further, detecting the security of the application credential information used to implement short message verification code authentication in step 2 comprises: if the credential string obtained when the application was registered on the short message platform is found in the Java code by pattern matching, the storage of the application credential is considered unsafe; otherwise it is considered safe.
Further, filtering the verification code request messages in step 3 comprises: setting up a network intermediate proxy, monitoring the data packets between the application client and the application server, and setting a filtering rule on whether a data packet contains the mobile phone number string: if it does, the data packet is retained; if not, the data packet is filtered out.
Further, detecting the transmission security of the mobile phone number in step 3 comprises: if a data packet is retained, the transmission of the mobile phone number is unsafe; if the data packets are filtered out, the transmission of the mobile phone number is safe.
Further, detecting the security of the verification codes generated by the application server in step 4 comprises: comparing and analyzing whether continuity and/or regularity exists among the verification codes; if so, the verification codes are considered unsafe, and if not, they are considered safe.
Further, the number of verification codes in the plurality ranges from 15 to 25.
Further, step 5 specifically comprises: modifying the verification code many times and replaying the verification code authentication request message; modifying the mobile phone number many times and replaying the verification code authentication request message; and resending the verification code authentication request message after 5 minutes. This detects whether the application server checks the correctness of the verification code (i.e. whether it detects that the verification code has been modified), the consistency between the verification code and the mobile phone number, and the validity period of the verification code. If all response results of the application server are authentication failures, the authentication operation of the application server is considered safe; otherwise it is considered unsafe.
Further, the number of times the verification code and the mobile phone number are modified is 10.
Compared with the prior art, the invention has the following beneficial effects:
The invention provides a security detection method for the Android application short message verification code authentication process that, based on the whole authentication process and using static code analysis and dynamic traffic analysis, detects the security of application credential storage, the security of mobile phone number transmission, the security of the verification codes generated by the application server and the security of the application server's authentication operation, thereby expanding the detection range and improving the accuracy of security detection.
Drawings
FIG. 1 is a diagram of the Android application short message verification process model.
FIG. 2 is a diagram of the static code analysis method.
FIG. 3 is a diagram of the network intermediate proxy analysis method.
FIG. 4 is a diagram of the security detection method for the Android application short message verification code authentication process.
Detailed Description
With reference to FIG. 4, a method for detecting the security of an Android application short message verification code authentication process comprises the following specific steps:
step 1, an authentication process model is formulated according to the short message verification code authentication characteristics of the Android application;
step 2, the APK files provided by different applications are analyzed, and the security of the application credential storage used to implement short message verification code authentication is detected through the authentication process model;
step 3, the verification code request messages generated by the application client in the authentication process model are filtered and identified with an HTTP protocol debugging tool, and the transmission security of the mobile phone number is detected;
step 4, a plurality of verification codes generated by the application server in response to the verification code request messages are analyzed and compared, and the security of the verification codes generated by the application server is detected;
step 5, the verification code authentication request message generated by the application client is modified and replayed, and the security of the authentication operation of the application server is detected;
step 6, if the detection results of steps 2, 3, 4 and 5 are all safe, the short message verification code authentication process of the application is considered safe; otherwise it is considered unsafe.
Further, in conjunction with FIG. 1, the authentication process model in step 1 comprises 3 stages:
stage 1, verification code request stage: the application client sends a verification code request message to the application server; the message carries the application credential information and the mobile phone number;
stage 2, verification code issuing stage: the application server randomly generates a verification code, stores the mobile phone number, the verification code and the generation time of the verification code in a cache, and calls a third-party short message platform to send the short message;
stage 3, verification code authentication stage: the application client sends an authentication request containing the mobile phone number and the verification code; the application server matches the authentication request against the corresponding mobile phone number and verification code in the cache and returns the appropriate response (an authentication success response if the match succeeds, an authentication failure response if it fails).
Further, analyzing the APK files provided by the different applications in step 2 comprises: converting the dex file extracted from the decompressed APK file into class files with dex2jar, building the class file directory, and generating Java code with JD-GUI.
Further, with reference to FIG. 3, detecting the security of the application credential information used to implement short message verification code authentication in step 2 comprises: if the credential string obtained when the application was registered on the short message platform is found in the Java code by pattern matching, the storage of the application credential is considered unsafe; otherwise it is considered safe.
Further, in conjunction with FIG. 2, filtering the verification code request messages in step 3 comprises: setting up a network intermediate proxy, monitoring the data packets between the application client and the application server, and setting a filtering rule on whether a data packet contains the mobile phone number string: if it does, the data packet is retained; if not, the data packet is filtered out.
Further, detecting the transmission security of the mobile phone number in step 3 comprises: if a data packet is retained, the transmission of the mobile phone number is unsafe; if the data packets are filtered out, the transmission of the mobile phone number is safe.
Further, detecting the security of the verification codes generated by the application server in step 4 comprises: comparing and analyzing whether continuity and/or regularity exists among the verification codes; if so, the verification codes are determined to be unsafe, and otherwise they are determined to be safe.
Further, the number of verification codes in the plurality ranges from 15 to 25.
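As an added illustration of the step 4 check (this is not code from the patent), the following Python scans a sample of 15 to 25 verification codes for the continuity and regularity the method looks for, and shows the CSPRNG-based generation a server should use instead; the 6-digit numeric format, the specific regularity tests and the counter-based weak generator are assumptions.

```python
"""Step 4 check: detect continuity or regularity in a sample of SMS verification codes.

Added example, not the patent's code. Assumptions: 6-digit numeric codes, a sample of
15 to 25 codes as the page specifies, and the specific regularity tests below.
"""
import secrets
from collections import Counter

CODE_LEN = 6
MIN_SAMPLE, MAX_SAMPLE = 15, 25  # sample size range given on the page


def _values(codes):
    return [int(c) for c in codes]


def is_continuous(codes):
    """Continuity: each code is the previous code plus one (a server-side counter)."""
    vals = _values(codes)
    return len(vals) > 1 and all(b - a == 1 for a, b in zip(vals, vals[1:]))


def is_regular(codes):
    """Regularity: a constant stride between consecutive codes (including all-identical
    codes), a digit position that never changes across the sample, or a repeated code."""
    vals = _values(codes)
    strides = {b - a for a, b in zip(vals, vals[1:])}
    if len(strides) == 1:
        return True
    for pos in range(CODE_LEN):
        if len({c[pos] for c in codes}) == 1:
            return True
    return max(Counter(codes).values()) > 1


def assess_codes(codes):
    """Return 'safe' or 'unsafe' for a sample, after validating its format and size."""
    if not MIN_SAMPLE <= len(codes) <= MAX_SAMPLE:
        raise ValueError(f"sample size must be {MIN_SAMPLE}..{MAX_SAMPLE}, got {len(codes)}")
    for c in codes:
        if len(c) != CODE_LEN or not c.isdigit():
            raise ValueError(f"malformed code {c!r}")
    return "unsafe" if is_continuous(codes) or is_regular(codes) else "safe"


def generate_code():
    """What the server should do: an unpredictable code from the OS CSPRNG, zero-padded."""
    return f"{secrets.randbelow(10 ** CODE_LEN):0{CODE_LEN}d}"


class CounterCodes:
    """A flawed generator (constructed for illustration): codes taken from an incrementing
    counter. The check above flags the sample it produces as continuous."""

    def __init__(self, start=100000):
        self.next = start

    def generate_code(self):
        code = f"{self.next % 10 ** CODE_LEN:0{CODE_LEN}d}"
        self.next += 1
        return code


# Constructed sample of 20 codes with no visible structure, used as the "safe" case.
RANDOM_LOOKING_SAMPLE = [
    "483920", "017364", "925018", "306471", "158902", "742635", "091847", "563290",
    "819046", "274513", "630187", "405962", "967341", "128750", "356094", "790213",
    "241859", "684307", "509128", "873465",
]
```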
Further, step 5 specifically comprises: modifying the verification code many times and replaying the verification code authentication request message; modifying the mobile phone number many times and replaying the verification code authentication request message; and resending the verification code authentication request message after 5 minutes. This detects whether the application server checks the correctness of the verification code (i.e. whether it detects that the verification code has been modified), the consistency between the verification code and the mobile phone number, and the validity period of the verification code. If all response results of the application server are authentication failures, the authentication operation of the application server is considered safe; otherwise it is considered unsafe.
Further, the number of times the verification code and the mobile phone number are modified is 10.
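As an added example (not the patent's code) of the step 5 check, the following Python models the stage 2/3 server cache, places a server that performs all three checks next to one that only looks the code up, and runs the page's three probes (10 modified codes, 10 modified phone numbers, a resend after 5 minutes) against each, entirely in-process with an injectable clock. The server classes, the FakeClock and the test phone number are assumptions.

```python
"""Step 5 check: probe a verification-code server for the three authentication controls.

Added example, not the patent's code. Both servers are simulated in-process with an
injectable clock; the 6-digit code format and the 10-round / 5-minute values follow the page.
"""
import secrets

VALIDITY_SECONDS = 5 * 60   # page: a replay after 5 minutes must be rejected
MODIFY_ROUNDS = 10          # page: code and phone number each modified 10 times
PHONE = "13800000000"       # constructed test phone number


class FakeClock:
    """Deterministic clock so the 5-minute expiry can be tested without waiting."""

    def __init__(self, start=1_700_000_000.0):
        self.t = start

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class VerificationServer:
    """Stages 2 and 3 of the model: cache phone -> (code, issue time), then verify
    code correctness, phone/code consistency and validity period on every request."""

    def __init__(self, clock):
        self.clock = clock
        self.cache = {}

    def request_code(self, phone):
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.cache[phone] = (code, self.clock.now())
        return code  # a real server hands this to the SMS platform instead

    def authenticate(self, phone, code):
        entry = self.cache.get(phone)
        if entry is None:
            return False                     # no code issued to this phone number
        cached_code, issued_at = entry
        if self.clock.now() - issued_at > VALIDITY_SECONDS:
            del self.cache[phone]            # expired: discard and reject
            return False
        if not secrets.compare_digest(cached_code, code):
            return False                     # wrong (modified) code
        del self.cache[phone]                # single use: success consumes the code
        return True


class WeakServer(VerificationServer):
    """The defect step 5 is designed to find: the server only checks that the code
    exists somewhere in its cache, ignoring the phone number and the issue time."""

    def authenticate(self, phone, code):
        return any(c == code for c, _ in self.cache.values())


def run_probes(server_cls):
    """Apply the page's three probes; 'safe' only if every tampered replay is rejected."""
    clock = FakeClock()
    server = server_cls(clock)
    code = server.request_code(PHONE)
    # probe 1: modified verification code, replayed MODIFY_ROUNDS times
    for i in range(1, MODIFY_ROUNDS + 1):
        wrong = f"{(int(code) + i) % 10 ** 6:06d}"
        if server.authenticate(PHONE, wrong):
            return "unsafe: modified verification code accepted"
    # probe 2: modified mobile phone number sent with the genuine code
    for i in range(MODIFY_ROUNDS):
        other_phone = f"139{i:08d}"
        if server.authenticate(other_phone, code):
            return "unsafe: code accepted for a different phone number"
    # probe 3: the original message resent after 5 minutes
    clock.advance(VALIDITY_SECONDS + 1)
    if server.authenticate(PHONE, code):
        return "unsafe: expired verification code accepted"
    return "safe"


if __name__ == "__main__":
    print("hardened:", run_probes(VerificationServer))
    print("weak:", run_probes(WeakServer))
```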
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (9)

1. A security detection method for an Android application short message verification code authentication process, characterized in that it comprises the following specific steps:
step 1, an authentication process model is formulated according to the short message verification code authentication characteristics of the Android application,
the authentication process model in step 1 comprising 3 stages:
stage 1, verification code request stage: the application client sends a verification code request message to the application server; the message carries the application credential information and the mobile phone number;
stage 2, verification code issuing stage: the application server randomly generates a verification code, stores the mobile phone number, the verification code and the generation time of the verification code in a cache, and calls a third-party short message platform to send the short message;
stage 3, verification code authentication stage: the application client sends an authentication request containing the mobile phone number and the verification code, and the application server matches the authentication request against the corresponding mobile phone number and verification code in the cache and returns the appropriate response;
step 2, the APK files provided by different applications are analyzed, and the security of the application credential storage used to implement short message verification code authentication is detected through the authentication process model;
step 3, the verification code request messages generated by the application client in the authentication process model are filtered and identified with an HTTP protocol debugging tool, and the transmission security of the mobile phone number is detected;
step 4, a plurality of verification codes generated by the application server in response to the verification code request messages are analyzed and compared, and the security of the verification codes generated by the application server is detected;
step 5, the verification code authentication request message generated by the application client is modified and replayed, and the security of the authentication operation of the application server is detected;
step 6, if the detection results of steps 2, 3, 4 and 5 are all safe, the short message verification code authentication process of the application is considered safe; otherwise it is considered unsafe.
2. The security detection method for an Android application short message verification code authentication process according to claim 1, characterized in that analyzing the APK files provided by different applications in step 2 comprises: converting the dex file extracted from the decompressed APK file into class files with dex2jar, building the class file directory, and generating Java code with JD-GUI.
3. The security detection method for an Android application short message verification code authentication process according to claim 2, characterized in that detecting the security of the application credential information used to implement short message verification code authentication in step 2 comprises: if the credential string obtained when the application was registered on the short message platform is found in the Java code by pattern matching, the storage of the application credential is considered unsafe; otherwise it is considered safe.
4. The security detection method for an Android application short message verification code authentication process according to claim 3, characterized in that filtering the verification code request messages in step 3 comprises: setting up a network intermediate proxy, monitoring the data packets between the application client and the application server, and setting a filtering rule on whether a data packet contains the mobile phone number string: if it does, the data packet is retained; if not, the data packet is filtered out.
5. The security detection method for an Android application short message verification code authentication process according to claim 4, characterized in that detecting the transmission security of the mobile phone number in step 3 comprises: if a data packet is retained, the transmission of the mobile phone number is unsafe; if the data packets are filtered out, the transmission of the mobile phone number is safe.
6. The security detection method for an Android application short message verification code authentication process according to claim 5, characterized in that detecting the security of the verification codes generated by the application server in step 4 comprises: comparing and analyzing whether continuity and/or regularity exists among the verification codes; if so, the verification codes are determined to be unsafe, and otherwise they are determined to be safe.
7. The security detection method for an Android application short message verification code authentication process according to claim 6, characterized in that the number of verification codes is in the range of 15-25.
8. The security detection method for an Android application short message verification code authentication process according to claim 6 or 7, characterized in that step 5 specifically comprises: modifying the verification code multiple times and replaying the verification code authentication request message; modifying the mobile phone number multiple times and replaying the verification code authentication request message; and resending the verification code authentication request message after 5 minutes, thereby detecting whether the application server checks the correctness of the verification code, the consistency between the verification code and the mobile phone number, and the validity period of the verification code; if the response result of the application server is authentication failure, the authentication operation of the application server is considered safe, and otherwise it is considered unsafe.
9. The security detection method for an Android application short message verification code authentication process according to claim 8, characterized in that the number of times the verification code and the mobile phone number are modified is 10.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011481241.4A CN112512046B (en) 2020-12-16 2020-12-16 Safety detection method for short message verification code authentication process of Android application program

Publications (2)

Publication Number Publication Date
CN112512046A CN112512046A (en) 2021-03-16
CN112512046B true CN112512046B (en) 2023-03-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant