CN112784289A - Extraction system and method for Android application program encrypted network traffic - Google Patents


Info

Publication number
CN112784289A
Authority
CN
China
Prior art keywords
android
tls
application program
class library
module
Legal status
Granted
Application number
CN202110103856.1A
Other languages
Chinese (zh)
Other versions
CN112784289B (en)
Inventor
陈贞翔
朱宇辉
刘聪
王琳
纪科
杨波
Current Assignee
University of Jinan
Original Assignee
University of Jinan

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/60 Protecting data
              • G06F21/602 Providing cryptographic facilities or services
              • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
          • G06F9/00 Arrangements for program control, e.g. control units
            • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
              • G06F9/44 Arrangements for executing specific programs
                • G06F9/445 Program loading or initiating
                  • G06F9/44521 Dynamic linking or loading; Link editing at or after load time, e.g. Java class loading
                    • G06F9/44526 Plug-ins; Add-ons
                • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
                  • G06F9/45504 Abstract machines for programme code execution, e.g. Java virtual machine [JVM], interpreters, emulators


Abstract

The invention discloses a system and method for extracting the encrypted network traffic of an Android application program. The system comprises an Android simulator deployed on a server. An Android application program, an Android system-level TLS class library and a Java virtual machine are deployed on the Android simulator; the Android application program contains service logic code and an application built-in TLS class library; a hook framework is deployed in the Java virtual machine, and a system call agent module is arranged in the hook framework. The system call agent module is connected to the service logic code, the application built-in TLS class library, the Android system-level TLS class library and the traffic collection module; the built-in TLS class library and the Android system-level TLS class library are connected to the Internet; and the traffic collection module is connected to the test result database.

Description

Extraction system and method for Android application program encrypted network traffic
Technical Field
The application relates to the technical field of extraction of encrypted network traffic, in particular to a system and a method for extracting encrypted network traffic of an Android application program.
Background
The statements in this section merely provide background information related to the present disclosure and may not constitute prior art.
For mobile applications, network behavior is usually central, and behavior analysis based on network traffic has become an important way of understanding what third-party Android applications do. The key task of network behavior analysis is to determine what content an application sends while interacting with the network. However, with the spread of encrypted connection technologies such as TLS, SSL and HTTPS, more and more Android applications transmit data over encrypted connections, and auditing their behavior from traffic content alone has become infeasible.
The most common current approach to decrypting the ciphertext of an encrypted connection and recovering the information carried in it is the man-in-the-middle attack. A man-in-the-middle attack on TLS places a transparent TLS server between the target server and the client and disguises it as the target server; at the same time the man-in-the-middle server poses as the client, re-encrypts the content and forwards it to the real target server, thereby obtaining the content of the connection. Because this approach has to complete the handshake with the client using a self-signed certificate, the client may notice that the signature does not match what it expects and refuse to connect to the server. Before version 6.0, Android allowed users to trust self-signed certificates by importing them; from version 6.0 onwards, Android no longer trusts user-imported certificates by default and recommends that application developers verify the authenticity of certificates when establishing TLS connections. Bypassing certificate verification by importing a certificate and then obtaining the content with a man-in-the-middle attack is therefore no longer feasible.
Brute-force decryption schemes also exist on the market at present, but they require a great deal of computing resources and time and are of extremely low feasibility.
Disclosure of Invention
To overcome the defects of the prior art, the application provides a system and a method for extracting the encrypted network traffic of an Android application program.
In a first aspect, the application provides an extraction system for Android application encrypted network traffic.
The extraction system for Android application encrypted network traffic comprises an Android simulator; the Android simulator is deployed on a server;
an Android application program, an Android system-level TLS class library and a Java virtual machine are deployed on the Android simulator; the Android application program contains service logic code and an application built-in TLS class library; a hook framework is deployed in the Java virtual machine, and a system call agent module is arranged in the hook framework;
the system call agent module is connected to the service logic code, the application built-in TLS class library, the Android system-level TLS class library and the traffic collection module; the built-in TLS class library and the Android system-level TLS class library are connected to the Internet; and the traffic collection module is connected to the test result database.
In a second aspect, the application provides a method for extracting the encrypted network traffic of an Android application program.
The extraction method for Android application encrypted network traffic comprises the following steps:
acquiring the Android environment in an Android simulator and the type and version of the TLS class library used in the Android application package;
compiling and generating a system call agent module according to the Android environment and the type and version of the TLS class library, and loading the system call agent module into the Android environment;
starting the Android application program in the Android simulator; the application initializes and controls its TLS sockets through the system call agent module and sends and receives byte strings over those sockets, so that every call to the TLS class library is hijacked by the system call agent module;
the system call agent module captures the transmitted byte strings, reassembles them into byte streams, and separates, stores and extracts information from the captured byte streams;
ending the task, cleaning up the Android system environment, and restarting from the first step.
Compared with the prior art, the beneficial effects of this application are as follows:
The invention proposes a technique for obtaining the plaintext transmitted over a TLS encrypted connection by hijacking the application's library calls related to the TLS protocol. In network behavior auditing of encrypted traffic, this technique avoids the problem that the self-signed certificate of the traditional man-in-the-middle approach is not trusted, and makes auditing application network behavior feasible again as TLS encrypted connections become universal.
The invention provides an automatic binary feature matching and generation technique that automatically determines the type and version of the TLS library used by the target application and automatically generates a suitable plug-in module for that application, reducing the user's workload and avoiding manual reverse engineering.
The invention provides a non-invasive TLS library call replacement technique that avoids the change of application signature caused by binary editing and repackaging, so that an application checking its own integrity cannot detect the modification and change its behavior.
Advantages of additional aspects of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate embodiments of the application and, together with the description, serve to explain the application and are not intended to limit the application.
FIG. 1 is a flow chart of a method of the first embodiment;
FIG. 2 is a diagram illustrating internal functional modules of the system call agent module according to the first embodiment;
FIG. 3 is a flowchart of the overall method of the second embodiment;
FIG. 4 is a flowchart illustrating the TLS class library in the scanning application and Android application environment according to the second embodiment;
FIG. 5 is a flowchart illustrating the calls from the system call agent module to the cryptographic protocol control method set according to the second embodiment.
Detailed Description
It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the disclosure. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments according to the present application. As used herein, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise, and it should be understood that the terms "comprises" and "comprising", and any variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The embodiments and features of the embodiments of the present invention may be combined with each other without conflict.
Interpretation of terms:
Hook programming, also known as "hooking", is a computer programming term for the various techniques used to modify or extend the behavior of an operating system, application program or other software component by intercepting function calls, messages or events passed between software modules. The code that handles the intercepted function calls, events or messages is called a hook.
Xposed is a hook framework service running with high privileges on Android. It provides a hot-pluggable framework and uses a customized Java virtual machine in the Android environment, so that the virtual machine can load pre-written code into other applications through the hook mechanism. It can replace specific function calls at a very low level to dynamically change the behavior of an application or software package.
Example one
This embodiment provides an extraction system for Android application encrypted network traffic.
As shown in FIG. 1, the extraction system for Android application encrypted network traffic includes an Android simulator; the Android simulator is deployed on a server;
an Android application program, an Android system-level TLS class library and a Java virtual machine are deployed on the Android simulator; the Android application program contains service logic code and an application built-in TLS class library; a hook framework is deployed in the Java virtual machine, and a system call agent module is arranged in the hook framework;
the system call agent module is connected to the service logic code, the application built-in TLS class library, the Android system-level TLS class library and the traffic collection module; the built-in TLS class library and the Android system-level TLS class library are connected to the Internet; and the traffic collection module is connected to the test result database.
Further, as shown in FIG. 2, the system call agent module includes an encryption protocol control method set, a proxy Socket module and an encrypted traffic mirror module.
The encryption protocol control method set hijacks TLS library method calls made by the Android application program and responds to them.
The proxy Socket module obtains the byte strings to be encrypted from the Android application program and obtains the decrypted byte strings from the real TLS class library. In the normal initialization of an encrypted connection, the TLS class library returns a socket object for data exchange to the service logic code of the Android application program.
Once the initialization request is hijacked, the proxy Socket module first creates a socket that interacts directly with the service logic code of the Android application program and returns it to that code, and then invokes the real TLS connection initialization to obtain the real TLS socket object.
The proxy Socket module exchanges data between the service logic code of the Android application program and the TLS class libraries that code references, copies the byte strings passing through the hijacked TLS class libraries and hands the copies to the encrypted traffic mirror module.
The encrypted traffic mirror module receives the byte strings, generates logs and uploads them to the traffic collection module through a pre-established side channel.
Further, the working principle of the system call agent module is as follows:
When the service logic code of the Android application program calls the application built-in TLS class library or the Android system-level TLS class library, the initialization methods, control methods and accessible public variables of the TLS class library are intercepted by the Java virtual machine and the hook framework, and the method bound to them in the encryption protocol control method set is called instead (a method in the Java sense, roughly equivalent to a function in C).
On receiving a method call event from the hook framework, the encryption protocol control method set first modifies the behavior of the encryption-protocol-related function and copies the byte string information transmitted over the encrypted socket, then calls the TLS class library method that should originally have been called, and finally returns the execution result to the service logic code of the Android application program.
For the initialization method, the system call agent module first returns a proxy socket of its own creation to the service logic code that initiated the call, and uses the initialization method of the TLS class library that should have been called to create a direct socket to the server. Thereafter, when the service logic code of the Android application program sends and receives data to and from the server, it can only read and write the proxy socket, which cannot reach the server directly. The encrypted traffic mirror module exchanges data between the proxy socket and the direct socket, copies all data flowing through it and sends the copies to the traffic collection module outside the Android environment.
In the normal flow, without this system deployed, the service logic code calls the TLS class library, obtains a socket for communicating with the remote server through the initialization method the library provides, and controls the state of that socket through the control methods and public variables the library provides. The service logic code then communicates with the remote server by reading and writing the byte stream of the socket obtained in the previous step.
Further, the Android simulator provides the Android environment in which the Android application program runs, and this environment may be modified.
Further, the system call agent module replaces and proxies, within the Android environment, the encryption protocol libraries of the Android environment, and mirrors the captured traffic information to the traffic collection module.
Further, the traffic collection module receives the time, target host, URL and transmitted content, performs a preliminary analysis of the traffic information, and separates, stores and extracts the related information.
The invention hijacks, within the system, the byte streams submitted to the SSH, TLS and HTTPS encryption components, so that they first flow through the recording component we have placed and only then reach the real encryption component. It can thus obtain the content an application sends and receives over a secure connection without affecting the application's normal operation, helping testers audit the application's network behavior.
The Android simulator is the virtual environment in which the Android application program under test runs. In this system, a hook framework (typically Xposed) capable of dynamically loading and replacing executable code is added to the Java virtual machine of the Android simulator, and the hook framework is used to load the system call agent module, which replaces the system components and system calls related to the TLS protocol.
The system call agent module is a hook module containing part of the TLS library functions; it is loaded into the Java virtual machine of the Android simulator through the hook framework so that the calls the application makes to the various TLS libraries are hijacked. After receiving a TLS-related call from within the application, the module passes it transparently to the TLS library that was originally called, whether inside the application or in the Android environment, sends the plaintext data the system is to capture to the encrypted traffic mirror module through the proxy socket, and uploads it to the traffic collection module.
Example two
This embodiment provides an extraction method for Android application encrypted network traffic.
As shown in FIG. 3, the method for extracting Android application encrypted network traffic includes:
S100: acquiring the Android environment in an Android simulator and the type and version of the TLS class library used in the Android application package;
S101: compiling and generating a system call agent module according to the Android environment and the type and version of the TLS class library, and loading the system call agent module into the Android environment;
S102: starting the Android application program in the Android simulator; the application initializes and controls its TLS sockets through the system call agent module and sends and receives byte strings over those sockets, so that every call to the TLS class library is hijacked by the system call agent module;
S103: the system call agent module captures the transmitted byte strings, reassembles them into byte streams, and separates, stores and extracts information from the captured byte streams;
S104: ending the task, cleaning up the Android system environment, and restarting from S100.
As one or more embodiments, as shown in FIG. 4, S101 (compiling and generating a system call agent module according to the Android environment and the type and version of the TLS class library, and loading the system call agent module into the Android environment) comprises the following specific steps:
S1011: running the aapt tool from the Android SDK to obtain the package name, main Activity name and permission information of the Android application under test, and storing them in the test result database;
S1012: scanning the TLS class libraries built into the Android application program. A decompilation tool extracts the packages and classes contained in the application's binary; fingerprint information is used to judge whether the application uses components supporting TLS and HTTPS, such as okhttp or HttpsURLConnection, and the version information of the TLS class library is scanned. If such a library is used, the proxy implementation for that class library and version is added to the system call agent module; if not, nothing is done. If a class library or version that cannot be handled is found, an error is reported;
S1013: compiling the system call agent module. Once compiled, the system call agent module can hijack all TLS class libraries contained in the Android system and in the application program;
S1014: loading the system call agent module into the Android simulator through the hook framework, so that the system call agent module and the hook framework replace the TLS/HTTPS libraries in the Android system or in the application package.
In S1012, judging from fingerprint information whether the Android application program uses components supporting TLS and HTTPS, such as okhttp or HttpsURLConnection, comprises the following specific steps: the names, class names and version numbers of the Java packages contained in the application are extracted and matched directly against this information; or, for obfuscated or packed applications, the bytecode is decompiled to obtain control flow and data flow graphs, which are matched against known implementations.
The Xposed module is compiled according to the name and version information of the TLS/HTTPS components obtained in S1012. Because different class libraries, and different versions of the same class library, behave differently, the generation of the system call agent module must ensure that the target component being replaced corresponds to the target application and the target operating system and that the versions match, so that behavior stays consistent.
The system call agent module is generated dynamically according to the Android environment and the type and version of the TLS library in the application. Many TLS/HTTPS implementation libraries exist on the market, and the functions and interfaces of one implementation often change between versions; an Android application referencing such a library depends only on the callable interface of the particular version it uses, and forcibly substituting a different version may crash the application. The invention therefore compiles a separate system call agent module for each application under test, ensuring compatibility between the application and the Android environment.
The traffic collection module further classifies and sorts the traffic, then packages and stores it.
As one or more embodiments, as shown in FIG. 5, S102 (starting the Android application program in the Android simulator; the application initializes and controls its TLS sockets through the system call agent module and sends and receives byte strings over those sockets, and every call to the TLS class library is hijacked by the system call agent module) comprises the following specific steps:
S1021: the hook framework intercepts a method call;
S1022: judging whether the method is an initialization method; if so, calling the hijacked TLS class library initialization method, obtaining the returned socket, creating a proxy socket object, and returning the self-created proxy socket object to the application program;
if not, calling the hijacked TLS class library method and returning the function's execution result to the Android application program.
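The proxy socket and encrypted traffic mirror described in Example one, and the S1021/S1022 initialization path above, reduced to their data path as an added Java example (this is not code from the patent or its inventors). The hook itself is left out: a plain loopback socket stands in for the socket the hijacked TLS initialization method would return, `Collector` is an in-memory stand-in for the traffic collection module, and all class names are assumptions of this example.

```java
import java.io.BufferedReader;
import java.io.FilterInputStream;
import java.io.FilterOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

/**
 * Data path of the proxy Socket module and the encrypted traffic mirror module: the
 * application is handed a MirrorSocket instead of the socket the TLS library created.
 * Bytes it writes are copied before they reach the real socket (i.e. before encryption);
 * bytes it reads are copied after the real socket delivered them (i.e. after decryption).
 */
public class TlsMirrorDemo {

    /** In-memory stand-in for the traffic collection module (constructed for this example). */
    public static final class Collector {
        private final List<String> entries = new ArrayList<>();
        public synchronized void record(String direction, byte[] buf, int off, int len) {
            String text = new String(buf, off, len, StandardCharsets.UTF_8).trim();
            entries.add(direction + " " + len + " bytes: " + text);
        }
        public synchronized List<String> entries() { return new ArrayList<>(entries); }
    }

    /** Copies every write to the collector, then forwards it unchanged to the real stream. */
    static final class TeeOutputStream extends FilterOutputStream {
        private final Collector collector;
        TeeOutputStream(OutputStream real, Collector collector) { super(real); this.collector = collector; }
        @Override public void write(int b) throws IOException { write(new byte[] {(byte) b}, 0, 1); }
        @Override public void write(byte[] buf, int off, int len) throws IOException {
            collector.record("app -> server", buf, off, len);
            out.write(buf, off, len); // FilterOutputStream's default would forward one byte at a time
        }
    }

    /** Reads from the real stream first, then copies whatever arrived to the collector. */
    static final class TeeInputStream extends FilterInputStream {
        private final Collector collector;
        TeeInputStream(InputStream real, Collector collector) { super(real); this.collector = collector; }
        @Override public int read() throws IOException {
            int b = in.read();
            if (b >= 0) collector.record("server -> app", new byte[] {(byte) b}, 0, 1);
            return b;
        }
        @Override public int read(byte[] buf, int off, int len) throws IOException {
            int n = in.read(buf, off, len);
            if (n > 0) collector.record("server -> app", buf, off, n);
            return n;
        }
    }

    /** Returned to the application in place of the real TLS socket. A deployment would subclass
     *  the socket type the hijacked library returns; here only the two streams are exposed. */
    public static final class MirrorSocket implements AutoCloseable {
        private final Socket real;
        private final Collector collector;
        public MirrorSocket(Socket real, Collector collector) { this.real = real; this.collector = collector; }
        public InputStream getInputStream() throws IOException { return new TeeInputStream(real.getInputStream(), collector); }
        public OutputStream getOutputStream() throws IOException { return new TeeOutputStream(real.getOutputStream(), collector); }
        @Override public void close() throws IOException { real.close(); }
    }

    /** Loopback demo: a one-shot echo server stands in for the remote host. */
    public static void main(String[] args) throws Exception {
        try (ServerSocket server = new ServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            Thread echo = new Thread(() -> {
                try (Socket s = server.accept();
                     BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream(), StandardCharsets.UTF_8))) {
                    String line = in.readLine();
                    s.getOutputStream().write(("echo: " + line + "\n").getBytes(StandardCharsets.UTF_8));
                } catch (IOException e) {
                    throw new RuntimeException(e);
                }
            });
            echo.start();

            Collector collector = new Collector();
            // In the described system this socket is the one the hijacked TLS initialization method
            // returned; a plain loopback socket stands in for it so the demo needs no certificates.
            Socket realSocket = new Socket(server.getInetAddress(), server.getLocalPort());
            try (MirrorSocket appSocket = new MirrorSocket(realSocket, collector)) {
                appSocket.getOutputStream().write("GET /status HTTP/1.1\n".getBytes(StandardCharsets.UTF_8));
                BufferedReader reader = new BufferedReader(new InputStreamReader(appSocket.getInputStream(), StandardCharsets.UTF_8));
                System.out.println("application received: " + reader.readLine());
            }
            echo.join();
            collector.entries().forEach(System.out::println); // the mirrored copy: both directions in plaintext
        }
    }
}
```

The application code only ever touches `appSocket`, exactly as the service logic code in the patent only sees the proxy socket; swapping `realSocket` for an `SSLSocket` changes nothing in the tee path, which is why the copies are taken in plaintext.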
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

  1. The extraction system of the Android application program encrypted network flow is characterized by comprising the following steps: an Android simulator; the Android simulator is deployed on a server;
    an Android application program, an Android system-level TLS class library and a Java virtual machine are deployed on the Android simulator, a service logic code and the TLS class library built in the application are arranged in the Android application program, a hook frame is deployed in the Java virtual machine, and a system calling agent module is arranged in the hook frame;
    the system call agent module is respectively connected with the service logic code, the built-in TLS class library of the application, the Android system level TLS class library and the flow collection module; the built-in TLS class library and the Android system-level TLS class library are connected with the Internet; the flow collection module is connected with the test result database.
  2. 2. The extraction system of Android application encrypted network traffic of claim 1, wherein the system call proxy module comprises: the system comprises an encryption protocol control method set, an agent Socket module and an encryption flow mirror module;
    the encryption protocol control method set is used for hijacking a TLS library method call from an Android application program and responding to the TLS library method call from the Android application program;
    the proxy Socket module is used for acquiring a byte string to be encrypted from an Android application program and acquiring a decrypted byte string from a real TLS class library; in the normal initialization process of encrypted connection of the TLS class library, the TLS class library returns a socket object for data interaction to a service logic code of an Android application program;
    after the initialization request is hijacked, the proxy Socket module firstly generates a Socket for directly interacting with the service logic code of the Android application program, returns the Socket to the service logic code of the Android application program, and then calls the real TLS connection initialization process to obtain a real TLS Socket object;
    the proxy Socket module exchanges data between the service logic code of the Android application program and various TLS class libraries quoted by the service logic code, copies data of byte strings which are sent by the hijacked TLS class libraries and sends the data to the encrypted flow mirror module;
    and the encrypted flow mirror module is used for acquiring byte strings, generating logs and uploading the logs to the flow collection module through a pre-established side channel.
  3. The extraction system for Android application encrypted network traffic of claim 1, wherein the system call agent module operates according to the following principle:
    when the business logic code of the Android application program calls the built-in TLS class library or the Android system-level TLS class library, the initialization methods and control methods of the TLS class library and the various accessible public variables are intercepted by the Java virtual machine and the hook framework, and the method bound to them in the encryption protocol control method set is called;
    after receiving a method call event from the hook framework, the encryption protocol control method set first modifies the behavior of the function related to the encryption protocol, copies the byte string information transmitted through the encrypted socket, then calls the method in the TLS class library that should originally have been called, and finally returns the execution result to the business logic code of the Android application program.
  4. The extraction system for Android application encrypted network traffic of claim 3, wherein, for an initialization method, the system call agent module first returns a self-created proxy socket to the business logic code that initiated the call and creates a direct-connection socket to the server using the initialization method of the TLS class library that should have been called; thereafter, when the business logic code of the Android application program sends to and receives from the server, it can only read and write through the proxy socket, which cannot reach the server directly; and the encrypted traffic mirror module exchanges data between the proxy socket and the direct-connection socket, copies all data flowing through it, and sends the copies to the traffic collection module outside the Android environment.
  5. The extraction system for Android application encrypted network traffic of claim 1, wherein the Android simulator is configured to provide an Android environment in which Android applications run, the Android environment being modifiable.
  6. The extraction system for Android application encrypted network traffic of claim 3, wherein the system call agent module is used for replacing and proxying the Android environment from inside the Android environment, replacing and proxying the encryption protocol library in the Android environment, and mirroring the captured traffic information to the traffic collection module; and the traffic collection module is used for receiving the time, target host, URL and transmitted content, preliminarily analyzing the traffic information, separating and storing the traffic, and extracting related information.
  7. An extraction method for Android application encrypted network traffic, comprising the following steps:
    acquiring the Android environment in the Android simulator and the type and version of the TLS class library used in the Android application package;
    compiling and generating the system call agent module according to the Android environment and the type and version of the TLS class library, and loading the system call agent module into the Android environment;
    starting the Android application program in the Android simulator; the Android application program initializes and controls TLS sockets through the system call agent module and sends and receives byte strings through those sockets, and all calls to the TLS class library are hijacked by the system call agent module;
    the system call agent module captures the transmitted byte strings and reassembles them into byte streams, and the captured byte streams are separated, stored, and mined for information;
    and after the task is finished, cleaning the Android system environment and restarting.
  8. The extraction method for Android application encrypted network traffic of claim 7, wherein compiling and generating the system call agent module according to the Android environment and the type and version of the TLS class library, and loading the system call agent module into the Android environment, comprises the following specific steps:
    running the aapt tool of the Android SDK to acquire the package name, main Activity name and permission information of the Android application package under test, and storing them in the test result database;
    scanning the Android application program for built-in TLS class libraries: extracting the packages and classes contained in the binary files of the Android application program with a decompilation tool, using fingerprint information to judge whether the Android application program uses the TLS/HTTPS-supporting components of okhttp and HttpsURLConnection, and scanning the version information of the TLS class library; if it does, adding the proxy implementation for the corresponding class library and version to the system call agent module; if not, doing nothing; and if a class library or version that cannot be handled is found, reporting an error;
    compiling the system call agent module, such that once compiled it can hijack all TLS class libraries contained in the Android system and in the application program;
    and loading the system call agent module into the Android simulator through the hook framework, so that the system call agent module and the hook framework replace the TLS/HTTPS libraries in the Android system or in the application package.
  9. The extraction method for Android application encrypted network traffic of claim 8, wherein using fingerprint information to judge whether the Android application program uses the TLS/HTTPS-supporting components of okhttp and HttpsURLConnection comprises the following specific steps: extracting the Java package names, class names and version numbers contained in the application program and matching them directly; or, for obfuscated or packed applications, decompiling the bytecode to obtain control flow graphs and data flow graphs and matching them against known implementations.
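The library-fingerprinting step of claims 8 and 9, as an added example that is not the patent's own code. It treats the APK as the zip it is, scans the raw bytes of every classes*.dex for dex type descriptors (strings of the form "Lpkg/Class;") belonging to known libraries, picks up OkHttp's "okhttp/<version>" user-agent string as the version fingerprint, and then decides, against an assumed capability table, which proxy implementations the agent must carry or whether to report an unsupported library. The fingerprint table, the capability table and the fake dex blobs are constructed for this example; the descriptor and user-agent patterns are assumptions about how those libraries appear in dex string data, and the example's only answer for an obfuscated app is to flag it for the deeper control-flow matching of claim 9, which it does not implement:

```python
"""Fingerprint TLS/HTTPS client libraries inside an APK and pick proxy
implementations for the agent (model of claims 8 and 9, not the patent's code)."""
import io
import re
import zipfile

# Assumed fingerprint table (not from the patent). Dex files store type names as
# descriptors "Lpkg/Class;", so a raw byte scan of the dex finds them without
# a full dex parser. Renamed (obfuscated) packages defeat this, by design.
DESCRIPTOR_FINGERPRINTS = {
    "okhttp3": rb"Lokhttp3/[A-Za-z0-9_$/]+;",
    "okhttp2": rb"Lcom/squareup/okhttp/[A-Za-z0-9_$/]+;",
    "HttpsURLConnection": rb"Ljavax/net/ssl/HttpsURLConnection;",
}
# Assumption: OkHttp embeds its user agent "okhttp/<version>" as a string constant.
OKHTTP_VERSION_RE = re.compile(rb"okhttp/(\d+\.\d+\.\d+)")
# Assumed capability table of the agent: library -> supported major.minor series.
SUPPORTED = {"okhttp3": {"3.12", "3.14", "4.9"}, "HttpsURLConnection": {"*"}}


class UnsupportedLibrary(Exception):
    """Library or version without a proxy implementation (claim 8: report an error)."""


def scan_dex(dex: bytes) -> dict:
    """Return {library: [descriptors...]} plus an okhttp3 version when present."""
    found = {}
    for lib, pattern in DESCRIPTOR_FINGERPRINTS.items():
        classes = sorted({m.decode("ascii") for m in re.findall(pattern, dex)})
        if classes:
            found[lib] = classes
    m = OKHTTP_VERSION_RE.search(dex)
    if m and "okhttp3" in found:
        found["okhttp3_version"] = m.group(1).decode("ascii")
    # Obfuscation caveat: only the platform's own SSL descriptors survive renaming,
    # so TLS use is visible but the library is not; claim 9's CFG matching applies.
    if not found and re.search(rb"Ljavax/net/ssl/SSLSocket(Factory)?;", dex):
        found["unknown_tls_user"] = True
    return found


def scan_apk(apk_bytes: bytes) -> dict:
    """Scan every classes*.dex in the APK (a zip) and merge the per-dex results."""
    merged = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if re.fullmatch(r"classes\d*\.dex", info.filename):
                for key, value in scan_dex(zf.read(info)).items():
                    if isinstance(value, list):
                        merged[key] = sorted(set(merged.get(key, [])) | set(value))
                    else:
                        merged[key] = value
    return merged


def select_proxy_implementations(found: dict) -> list:
    """Return (library, version) pairs to compile into the agent, or raise."""
    chosen = []
    for lib in DESCRIPTOR_FINGERPRINTS:
        if lib not in found:
            continue  # library absent: nothing to add (claim 8: "do nothing")
        series = SUPPORTED.get(lib)
        if series is None:
            raise UnsupportedLibrary(f"no proxy implementation for {lib}")
        if "*" in series:
            chosen.append((lib, "*"))
            continue
        version = found.get(f"{lib}_version")
        if version is None or ".".join(version.split(".")[:2]) not in series:
            raise UnsupportedLibrary(f"{lib} version {version!r} is not supported")
        chosen.append((lib, version))
    if not chosen and found.get("unknown_tls_user"):
        raise UnsupportedLibrary("TLS use detected but the library could not be identified")
    return chosen


def build_sample_apk(dex_entries: dict) -> bytes:
    """Constructed APK stand-in: a zip holding fake dex blobs (string data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed/>")
        for name, blob in dex_entries.items():
            zf.writestr(name, blob)
    return buf.getvalue()


# Constructed sample: an app using HttpsURLConnection in classes.dex and OkHttp 3.12.1
# in classes2.dex. Real dex files carry headers and tables; only the strings matter here.
SAMPLE_APK = build_sample_apk({
    "classes.dex": b"dex\n035\0" + b"\0Lcom/example/app/MainActivity;\0Ljavax/net/ssl/HttpsURLConnection;\0",
    "classes2.dex": b"dex\n035\0" + b"\0Lokhttp3/OkHttpClient;\0Lokhttp3/internal/Version;\0okhttp/3.12.1\0",
})

if __name__ == "__main__":
    report = scan_apk(SAMPLE_APK)
    print(report)
    print(select_proxy_implementations(report))
```

Running the scanner over a real APK only requires replacing SAMPLE_APK with the file's bytes; the failure modes a practitioner cares about are the two exceptions: a library the agent has no proxy for (here the old com.squareup.okhttp package) and an obfuscated app where only javax.net.ssl descriptors remain.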
  10. The extraction method for Android application encrypted network traffic of claim 7, wherein starting the Android application program in the Android simulator, with the Android application program initializing and controlling TLS sockets through the system call agent module, sending and receiving byte strings through those sockets, and all calls to the TLS class library being hijacked by the system call agent module, specifically comprises:
    the hook framework intercepts a method call;
    judging whether the method is an initialization method; if so, calling the hijacked initialization method of the TLS class library, acquiring the returned socket, creating a proxy socket object, and returning the self-created proxy socket object to the application program;
    if not, calling the hijacked TLS class library method and returning the result of the function to the Android application program.
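The proxy-socket mechanism of claims 2, 4 and 10, as an added example that is not the patent's own code and not Android code. The point the claims make is that the application never touches the real TLS socket: the hijacked initialization hands it a proxy socket, the agent holds the real connection, and a relay between the two copies every plaintext byte to a mirror log before forwarding it. The example models exactly that with plain Python sockets: socket.socketpair() stands in for the app-to-agent handoff, a second socketpair with a fake responder stands in for the TLS connection (nothing here speaks TLS, because the plaintext is what crosses the relay), and the in-process MirrorLog stands in for the side channel to the traffic collection module. The names hijacked_init, MirrorLog and run_demo, and the HTTP request and response bytes, are constructed for this example:

```python
"""Model of the claimed proxy-socket relay: the app receives a proxy socket, the
agent owns the real connection, and every byte that crosses is mirrored."""
import socket
import threading
from dataclasses import dataclass, field


@dataclass
class MirrorLog:
    """Stand-in for the encrypted traffic mirror module: keeps plaintext copies."""
    records: list = field(default_factory=list)
    lock: threading.Lock = field(default_factory=threading.Lock)

    def record(self, direction: str, data: bytes) -> None:
        with self.lock:
            self.records.append((direction, data))

    def stream(self, direction: str) -> bytes:
        """Reassemble the captured chunks of one direction into a byte stream."""
        with self.lock:
            return b"".join(d for dir_, d in self.records if dir_ == direction)


def _pump(src: socket.socket, dst: socket.socket, direction: str, log: MirrorLog) -> None:
    """Copy bytes src -> dst until EOF, mirroring each chunk before forwarding it."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            log.record(direction, chunk)  # copy first, so nothing is forwarded unlogged
            dst.sendall(chunk)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # propagate EOF to the other side
        except OSError:
            pass


def hijacked_init(real_init, log: MirrorLog) -> socket.socket:
    """Replacement for the TLS library's connection-initialization method.

    real_init() is the original initialization the hook would otherwise have
    called and returns the real (TLS) socket. The caller only ever receives the
    proxy socket, which can reach the server solely through the relay threads.
    """
    app_side, agent_side = socket.socketpair()
    real_sock = real_init()
    for src, dst, direction in ((agent_side, real_sock, "app->server"),
                                (real_sock, agent_side, "server->app")):
        threading.Thread(target=_pump, args=(src, dst, direction, log), daemon=True).start()
    return app_side


def run_demo() -> dict:
    """Drive one request/response through the relay and return what was seen."""
    log = MirrorLog()
    # Constructed stand-in for the real TLS connection: a socketpair whose far end
    # answers like a server. In the claimed system this end is the real TLS socket.
    server_side, client_side = socket.socketpair()

    def fake_server() -> None:
        server_side.recv(4096)
        server_side.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
        server_side.close()

    server = threading.Thread(target=fake_server)
    server.start()

    # The "application" calls the hijacked initializer and gets the proxy socket.
    app_sock = hijacked_init(lambda: client_side, log)
    request = b"GET /api/v1/profile HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
    app_sock.sendall(request)
    app_sock.shutdown(socket.SHUT_WR)
    response = b""
    while True:
        chunk = app_sock.recv(4096)
        if not chunk:
            break
        response += chunk
    app_sock.close()
    server.join()
    return {
        "response": response,
        "request_mirror": log.stream("app->server"),
        "response_mirror": log.stream("server->app"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The ordering inside _pump is the part worth keeping when porting this to a real hook: the copy goes to the log before the forward, so a crash or disconnect on the server side cannot lose already-sent application bytes, and both directions are captured by the same relay that the application cannot bypass, since it holds only the proxy end.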
CN202110103856.1A 2021-01-26 2021-01-26 System and method for extracting encrypted network traffic of Android application program Active CN112784289B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110103856.1A CN112784289B (en) 2021-01-26 2021-01-26 System and method for extracting encrypted network traffic of Android application program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110103856.1A CN112784289B (en) 2021-01-26 2021-01-26 System and method for extracting encrypted network traffic of Android application program

Publications (2)

Publication Number Publication Date
CN112784289A true CN112784289A (en) 2021-05-11
CN112784289B CN112784289B (en) 2022-10-18

Family

ID=75757851

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110103856.1A Active CN112784289B (en) 2021-01-26 2021-01-26 System and method for extracting encrypted network traffic of Android application program

Country Status (1)

Country Link
CN (1) CN112784289B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106549808A (en) * 2016-11-17 2017-03-29 北京安天电子设备有限公司 A network environment simulation method and system
CN107220083A (en) * 2017-05-22 2017-09-29 韩皓 A method and system for installation-free running of an application in an Android system
CN107749859A (en) * 2017-11-08 2018-03-02 南京邮电大学 A malicious mobile application detection method for encrypted network traffic
CN111224995A (en) * 2020-01-15 2020-06-02 成都安舟信息技术有限公司 SSL/TLS network encryption communication information real-time decryption method based on memory analysis

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Li Hao et al.: "Unknown malware detection based on network traffic analysis", Journal of University of Jinan *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114826615A (en) * 2022-04-25 2022-07-29 浪潮卓数大数据产业发展有限公司 Mobile terminal acquisition method and system based on mobile phone simulator
CN114826615B (en) * 2022-04-25 2023-08-08 浪潮卓数大数据产业发展有限公司 Mobile terminal acquisition method and system based on mobile phone simulator

Also Published As

Publication number Publication date
CN112784289B (en) 2022-10-18

Similar Documents

Publication Publication Date Title
Rasthofer et al. Harvesting runtime values in Android applications that feature anti-analysis techniques.
US11494484B2 (en) Leveraging instrumentation capabilities to enable monitoring services
US20200236093A1 (en) Extracting Encryption Keys to Enable Monitoring Services
CN107220083B (en) Method and system for installation-free operation of application program in android system
US7287190B2 (en) Simultaneous execution of test suites on different platforms
US10592696B2 (en) CPU obfuscation for cloud applications
US8346897B2 (en) System and method for deploying and maintaining software applications
CN108229112B (en) Protection application program, and running method and device of application program
US7647631B2 (en) Automated user interaction in application assessment
Liu et al. On manually reverse engineering communication protocols of linux-based iot systems
CN110333868B (en) Method and system for generating installation packages of sub-applications
US20160078221A1 (en) Automated vulnerability and error scanner for mobile applications
US9282100B2 (en) Privilege separation
WO2015192637A1 (en) Method and apparatus for reinforced protection of software installation package
TW201337620A (en) Software modification for partial secure memory processing
CN112784289B (en) System and method for extracting encrypted network traffic of Android application program
CN112199151A (en) Application program running method and device
CN106648770B (en) Generation method, loading method and device of application program installation package
JP5941745B2 (en) Application analysis apparatus, application analysis system, and program
CN110309655A (en) A kind of method and detection device detecting safety in APP renewal process
CN117763594B (en) Method, device, equipment and storage medium for externally connecting equipment with integrated credit and debit machine
Volodarsky et al. Internet information services (IIS) 7.0 resource kit
Lohanathan et al. Live Response Training Range mit Velociraptor
CN112163231A (en) Method and device for automatically packaging pre-cached data by iOS application, electronic equipment and computer readable medium
Titze Analysis and Mitigation of Security Issues on Android

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant