CN114021142A - Android application program vulnerability detection method - Google Patents
- Publication number: CN114021142A (CN202111292532.3A)
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/40—Transformation of program code
- G06F8/53—Decompilation; Disassembly
Abstract
The invention discloses an Android application vulnerability detection method comprising decompilation and vulnerability mining. Decompilation comprises parsing the file structure, parsing instructions, cross-reference analysis and flow optimization. Vulnerability mining comprises encryption security detection, WebView security detection, communication security detection, sensitive behavior detection, component security detection, data security detection, application security detection and the like. The method has an efficient and accurate decompilation framework; combined with vulnerability rules, it performs reference lookup, simulated execution and the like on the code, filters out invalid code, finds the execution path of the whole flow, accurately locates vulnerabilities and obtains a more accurate and refined analysis report. It can automatically unpack, decompile and mine vulnerabilities for Android applications, and supports analysis of many kinds of vulnerability.
Description
Technical Field
The invention relates to an Android application vulnerability detection method.
Background
With the rapid development of the mobile internet, Android applications are growing in number and in size, and the amount of code involved is huge, so Android applications are prone to security risks. To perform risk assessment and security testing on Android applications, many security companies have introduced their own automated security detection methods to eliminate potential vulnerabilities in applications.
Existing security detection schemes mostly adopt an open-source decompilation framework and write rules for known vulnerabilities based on pattern matching and static analysis. The reported code locations are not accurate enough, analysis efficiency is low, and a large amount of manual effort is needed to screen the results after the automated analysis is obtained.
It is therefore necessary to find an efficient and accurate decompilation framework that, combined with vulnerability rules, performs reference lookup, simulated execution and the like on the code, filters out invalid code, finds the execution path of the whole flow, accurately locates the vulnerability, and obtains a more accurate and refined analysis report.
Disclosure of Invention
In view of this, the present invention provides a detection method that has an efficient and accurate decompilation framework and that, combined with vulnerability rules, performs reference lookup, simulated execution and the like on the code, filters out invalid code, finds the execution path of the whole flow, accurately locates the vulnerability, and obtains a more accurate and refined analysis report.
To solve the above technical problems, the technical scheme of the invention is as follows:
An Android application vulnerability detection method comprises the following steps:
(1) decompilation
S1, parsing the file structure; resource files such as the Android manifest and arsc files are parsed according to their compiled file formats to obtain their contents, which are translated into the corresponding file formats, such as xml, txt, etc.; the DEX bytecode file is parsed using dx to obtain basic information such as the specific classes, methods, variables, the registers of each method, operation instructions and the like;
S2, instruction parsing; the opcodes of the Dalvik virtual machine comprise arithmetic operations, logic operations, assignment operations, method calls and the like. Reading Dalvik instructions directly is unrealistic, so the instructions are parsed and translated into Smali, which is easier to read and keeps the same logic. For someone used to reading Java code, however, Smali is far less fluent than Java in both syntax and call flow, so decompiling it further into more concise pseudocode that is closer to Java source code is an indispensable step;
S3, cross-reference analysis; by parsing the instructions, the method, line and call information of each instruction is collected to form a basic cross-reference database. Given a method and a line, the classes, methods and variables called at that position can be found immediately; or, given a class, method or variable, the places where it is called can be found immediately;
S4, flow optimization; flow optimization involves variable tidying, expression contraction and the like. Intermediate variables that are meaningless to the analysis are hidden, leaving only meaningful expressions. Knowing where an expression should be contracted requires data-flow information within the method. By applying static single assignment processing to each variable of a method, the life cycle of a variable within the method and its read/write behavior can be determined. With this information the data flow within the method can be tracked and, together with the cross-reference information obtained earlier, the flow of a given piece of data can be shown completely across functions and across variables;
(2) vulnerability mining
S1, encryption security detection; encryption security detection centers on key security and on the strength of the encryption algorithm. Key security is divided into detection of key leakage and of key length, and the strength of the encryption algorithm is affected by the encryption type, encryption mode, padding mode, key length and the like, so the specific detection methods are built around these items;
S2, WebView security detection; WebView is a control for displaying web pages. Its detection centers on security problems such as misconfiguration of the control itself and interaction with external content, and the possible risks include arbitrary command execution, data leakage, etc.;
S3, communication security detection; communication security generally means detecting whether the communication between the client and the server is secure, for example: whether an insecure protocol (HTTP, etc.) is used, whether the certificate is verified, whether the host name is verified, etc.;
S4, sensitive behavior detection; sensitive behavior refers to obtaining the user's private information or operating sensitive functions, for example: reading/sending short messages, using the camera, recording audio, making a call and the like. These behaviors may leak the user's private information. A user can detect whether an application contains sensitive behaviors, and a vendor can detect whether an SDK contains sensitive behaviors;
S5, component security detection; most security problems in the four major components of an Android application presuppose that the component is in the exported state. A component in the exported state can be accessed by other applications without permission, so the convenience it provides also creates risk. In particular, when an Intent sent from outside is received without corresponding exception handling and data validation, the result can be a denial of service that crashes the application, or vulnerabilities such as information leakage, authentication bypass and arbitrary code execution;
S6, data security detection; data security detection mainly checks whether internal data can be read/written from outside because of application misconfiguration or risky operations. Common risks include globally readable/writable files, data backup and the like;
S7, application security detection; application security detection mainly checks whether the apk has risks such as incorrect use of the platform, improper configuration, redundant functions and the like, for example: the Janus signature vulnerability, the debug flag being turned on, log information leakage, arbitrary code execution vulnerabilities, and the like.
Preferably, the encryption security detection treats use of the DES encryption algorithm as a risk. First, the positions that reference the system method Cipher.getInstance(String) are found through cross-reference, and the parameter at each position is checked against the regular expression 'DES/(\w){3}/.+Padding'. A match indicates that the DES encryption algorithm is present, but presence does not necessarily mean use. The Cipher object is therefore obtained through static single assignment, the positions of its Cipher.doFinal(..) method are obtained through cross-reference, and the source of the first parameter of the doFinal method is analyzed and traced. When the DES algorithm is used and a data source is attached to it, the current application is judged to possibly have the vulnerability.
Preferably, the WebView security detection proceeds as follows. In the first step, the minimum version supported by the current application is obtained from the Android manifest; if the minimum version is lower than 4.4 (19), detection continues. The positions that reference the system method WebView.removeJavascriptInterface(String) are found through cross-reference, and the first parameters are checked to see whether all three risk interfaces are matched; if any risk interface is not removed, detection continues. The call flow is backtracked through cross-reference and static single assignment to obtain the WebView objects on which the removal code is applied, and these objects are stored temporarily. All WebView objects used by the application are then found through cross-reference and compared with the temporarily stored WebView objects to screen out those whose risk interfaces are not removed; if any such WebView object exists, the current application is judged to possibly have the vulnerability;
Preferably, the communication security detection checks whether the certificate is verified. The places that implement X509TrustManager.checkServerTrusted(X509Certificate[], String) are found through cross-reference and all instructions of the method are obtained; if the method has no instructions, verification of all certificates is being skipped. A reverse lookup through cross-reference and static single assignment then obtains the places where the class implementing the X509TrustManager interface is referenced. When an X509TrustManager implementation is in use but the body of checkServerTrusted is empty, the current application is judged to possibly have the vulnerability.
Preferably, the sensitive behavior detection checks whether the application performs audio recording. Recording requires a permission, so in the first step the Android manifest is read to determine whether the permissions requested by the current application include the recording permission android.permission.RECORD_AUDIO; the places that reference the system method MediaRecorder.setAudioSource(int) are then found through cross-reference.
Preferably, the detection mode of the component security detection is as follows: take denial of service caused by abnormal Intent data as an example. The first precondition for the four components to receive data from other applications is that the component is in the exported state, so in the first step all exported components are collected (a component whose exported value is true; when the exported attribute is absent, an Activity, Receiver or Service component that has an Intent filter is in the exported state; a Content Provider component is also in the exported state when the exported attribute is absent); then an attack android application and the detected android application are installed, a non-existing object test.
Preferably, the data security detection is performed as follows: take globally readable/writable detection as an example. The cause is that when a file/file stream is obtained through Context.openFileOutput(String, int), Context.getSharedPreferences(String, int) or Context.getDir(String, int), setting the MODE_WORLD_READABLE/MODE_WORLD_WRITEABLE mode allows the corresponding file to be read/written unconditionally by other applications, which creates a risk of sensitive information leakage. The call sites of these system methods are obtained through cross-reference, and the second parameter of each call is checked for MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE. If it matches, the call flow of the Context is obtained by backtracking through cross-reference and static single assignment and is associated with the call. When both the global read/write setting and its call exist, the current application is judged to possibly have the vulnerability.
Preferably, the detection method of the application security detection is as follows: take the arbitrary code execution vulnerability as an example. In the first step, the system function Runtime.exec(java.lang.String) is found through cross-reference; the call flow is then obtained through cross-reference and static single assignment to find the initial data source. During backtracking, string handling through classes such as StringBuilder and StringBuffer may be encountered. When such a class is encountered, the places where its instantiated object is used are looked up through static single assignment at the same time, and it is checked whether the StringBuilder/StringBuffer.append(..) method is called; if so, the call flow of the parameters of the append method is traced back as well, and so on. When the origin is traced back to a static string, the application is regarded as safe; when the origin is traced back to places such as an Intent or an IO stream, the current application is judged to have the vulnerability.
The technical effects of the invention are mainly reflected in the following aspects:
1. Compared with the Android application vulnerability analysis tools currently offered by security companies, the self-developed decompilation framework can locate risky code more efficiently, accurately and precisely.
2. To address the accuracy and efficiency problems of the commonly used pattern-matching and static-analysis schemes, detection is carried out through reference lookup, simulated execution and the like, which effectively eliminates invalid code, accurately finds the code execution context, and improves the accuracy of the analysis result.
Drawings
Fig. 1 is a flowchart of the Android application vulnerability detection method of the present invention.
Detailed Description
The present invention is described in detail below with reference to Fig. 1, so that its technical solution is easier to understand and grasp.
Examples
An Android application vulnerability detection method, as shown in Fig. 1, comprises decompilation and vulnerability mining;
1 decompilation
1.1 parsing File structures
An Android application is generally a ZIP-format file composed of the Android configuration file, DEX compiled bytecode files, the arsc compiled resource file directory and the like.
Resource files such as the Android manifest and arsc files are parsed according to their compiled file formats to obtain their contents, which are translated into the corresponding file formats, such as xml, txt, etc.; the DEX bytecode file is parsed using dx to obtain basic information such as the specific classes, methods, variables, the registers of each method, operation instructions and the like.
1.2 instruction resolution
The opcodes of the Dalvik virtual machine comprise arithmetic operations, logic operations, assignment operations, method calls and the like. Reading Dalvik instructions directly is unrealistic, so the instructions are parsed and translated into Smali, which is easier to read and keeps the same logic.
1.3 Cross-reference
By parsing an instruction, one can tell which class, method and variable a given line of instructions calls. The method, line, column and call information of the instructions is collected to form a basic cross-reference database. With this cross-reference data, given a method, line or column, the class, method or variable called at the current location can be found immediately; or, given a class, method or variable, the places where it is referenced can be found immediately.
1.4 flow optimization
Flow optimization involves variable tidying, expression contraction and the like. For example, a chained call in the source code is expressed as several intermediate expressions before optimization: the variable returned by the previous expression is used by the next expression. Contraction substitutes the previous expression into the current one, so that the scattered expressions become the chained-call expression of the source code. Through this step, intermediate variables that are not meaningful to the analysis are hidden, leaving only meaningful expressions. To know where an expression should be contracted, data (variable) flow information within the method is required. In addition, the cross-reference described above exposes references across methods, but it still lacks data-flow information within a method. Both factors show that the data flow within a method is also important to the overall analysis. By applying Static Single Assignment (SSA) processing to each variable of a method, the life cycle of a variable within the method and its read/write behavior can be determined. With this information, the data flow within the method can be tracked. Together with the cross-reference information obtained earlier, the flow of a given piece of data can be shown completely across functions and across variables.
2 vulnerability mining
With these basic components in place, the various vulnerability mining methods have sufficient technical support. The first application of the complete data tracking is the vulnerability mining plug-in: through the plug-in system, a user can define the inputs and outputs that may be vulnerable and run the plug-in to find vulnerabilities automatically.
2.1 encryption Security
Encryption security detection centers on key security and on the strength of the encryption algorithm. Key security is divided into detection of key leakage and of key length, and the strength of the encryption algorithm is affected by the encryption type, encryption mode, padding mode, key length and the like, so the specific detection methods are built around these items.
Examples of detection methods include: because the encryption strength of DES does not meet the security standard and is vulnerable to brute-force attack, use of the DES encryption algorithm is judged to be a risk. First, the positions that reference the system method Cipher.getInstance(String) are found through cross-reference, and the parameter at each position is checked against the regular expression 'DES/(\w){3}/.+Padding'. A match indicates that the DES encryption algorithm is present, but presence does not necessarily mean use. The Cipher object is therefore obtained through static single assignment, the positions of its Cipher.doFinal(..) method are obtained through cross-reference, and the source of the first parameter of the doFinal method is analyzed and traced. When the DES algorithm is used and a data source is attached to it, the current application is judged to possibly have the vulnerability.
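The cross-reference lookup of section 1.3 and the DES rule above can be sketched over Smali text as follows. This is an added example, not code from the patent; the Smali is constructed and simplified (no Cipher.init call), and the register tracking assumes straight-line code within one method.

```python
import re
from collections import defaultdict

# Rule regex as given on the page, applied to the Cipher.getInstance argument.
DES_RULE = re.compile(r"DES/(\w){3}/.+Padding")
GET_INSTANCE = ("Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)"
                "Ljavax/crypto/Cipher;")
DO_FINAL = "Ljavax/crypto/Cipher;->doFinal("
INVOKE = re.compile(r"invoke-\S+ \{([^}]*)\}, (\S+)")
CONST_STR = re.compile(r'const-string(?:/jumbo)? (\w+), "(.*)"')

# Constructed Smali for illustration; not taken from any real application.
SMALI = r'''
.class public Lcom/example/Crypto;
.method public static enc([B)[B
    const-string v0, "DES/ECB/PKCS5Padding"
    invoke-static {v0}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;
    move-result-object v1
    invoke-virtual {v1, p0}, Ljavax/crypto/Cipher;->doFinal([B)[B
    move-result-object v2
    return-object v2
.end method
.method public static unused()V
    const-string v0, "DES/CBC/PKCS5Padding"
    invoke-static {v0}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;
    return-void
.end method
.method public static aes([B)[B
    const-string v0, "AES/GCM/NoPadding"
    invoke-static {v0}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;
    move-result-object v1
    invoke-virtual {v1, p0}, Ljavax/crypto/Cipher;->doFinal([B)[B
    move-result-object v2
    return-object v2
.end method
'''


def build_xref(smali):
    """Return (callers, bodies): callee -> [(method, line)], method -> [(line, insn)]."""
    callers, bodies = defaultdict(list), defaultdict(list)
    cls = method = None
    for no, raw in enumerate(smali.splitlines(), 1):
        line = raw.strip()
        if line.startswith(".class"):
            cls = line.split()[-1]
        elif line.startswith(".method"):
            method = f"{cls}->{line.split()[-1]}"
        elif line.startswith(".end method"):
            method = None
        elif method and line and not line.startswith("."):
            bodies[method].append((no, line))
            call = INVOKE.match(line)
            if call:
                callers[call.group(2)].append((method, no))
    return callers, bodies


def find_des_use(smali):
    """Flag methods where a DES Cipher is created AND its doFinal is invoked."""
    callers, bodies = build_xref(smali)
    findings = []
    for method, call_line in callers.get(GET_INSTANCE, []):
        insns = bodies[method]
        idx = next(i for i, (no, _) in enumerate(insns) if no == call_line)
        arg_reg = INVOKE.match(insns[idx][1]).group(1).split(",")[0].strip()
        # Walk back to the const-string that last loaded the argument register.
        transformation = None
        for _, text in reversed(insns[:idx]):
            const = CONST_STR.match(text)
            if const and const.group(1) == arg_reg:
                transformation = const.group(2)
                break
        if not transformation or not DES_RULE.fullmatch(transformation):
            continue
        # The Cipher object lives in the register named by move-result-object.
        if idx + 1 >= len(insns) or not insns[idx + 1][1].startswith("move-result-object"):
            continue  # result discarded: algorithm present but never used
        cipher_reg = insns[idx + 1][1].split()[1]
        for no, text in insns[idx + 2:]:
            call = INVOKE.match(text)
            if call and call.group(2).startswith(DO_FINAL):
                regs = [r.strip() for r in call.group(1).split(",")]
                if regs[0] == cipher_reg:
                    findings.append({"method": method, "transformation": transformation,
                                     "do_final_line": no, "data_register": regs[1]})
                    break
    return findings
```

The `data_register` field is where the source tracing described above would start; a full implementation also has to handle branches and register reuse.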
2.2 WebView Security
WebView is a control for displaying web pages. Its detection centers on security problems such as misconfiguration of the control itself and interaction with external content, and the possible risks include arbitrary command execution, data leakage and the like. The most typical case is that, before Android 4.4, a WebView that loads an unsafe script can be led by that script, through reflection, to an arbitrary command execution vulnerability; information leakage includes leakage of sensitive information such as private files and passwords.
Examples of detection methods include: before Android 4.4, WebView has several risk interfaces, searchBoxJavaBridge_, accessibilityTraversal and accessibility, which may lead to arbitrary command execution if not removed. First, the minimum version supported by the current application is obtained from the Android manifest; if the minimum version is lower than 4.4 (19), detection continues. The positions that reference the system method WebView.removeJavascriptInterface(String) are found through cross-reference, and the first parameters are checked to see whether all three risk interfaces are matched; if any risk interface is not removed, detection continues. The call flow is backtracked through cross-reference and static single assignment to obtain the WebView objects on which the removal code is applied, and these objects are stored temporarily. All WebView objects used by the application are then found through cross-reference and compared with the temporarily stored WebView objects to screen out those whose risk interfaces are not removed; if any such WebView object exists, the current application is judged to possibly have the vulnerability.
2.3 communication Security
Communication security generally means detecting whether the communication between the client and the server is secure, for example: whether an insecure protocol (HTTP, etc.) is used, whether the certificate is verified, whether the host name is verified, etc. If an insecure protocol is used or the certificate is not verified, there is a risk of a man-in-the-middle attack, which may cause data leakage or tampering.
Examples of detection methods include: detecting whether the certificate is verified. When the HTTPS protocol is used, the legitimacy of the certificate is checked by overriding the checkServerTrusted method (which checks the server certificate) of the X509TrustManager interface. The places that implement X509TrustManager.checkServerTrusted(X509Certificate[], String) are therefore found through cross-reference and all instructions of the method are obtained; if the method has no instructions, verification of all certificates is being skipped. A reverse lookup through cross-reference and static single assignment then obtains the places where the class implementing the X509TrustManager interface is referenced. When an X509TrustManager implementation is in use but the body of checkServerTrusted is empty, the current application is judged to possibly have the vulnerability.
2.4 sensitive behavior detection
Sensitive behavior, as the term is used here, refers to obtaining the user's private information or operating sensitive functions, such as: reading/sending short messages, using the camera, recording audio, making a call, etc. These behaviors may leak the user's private information. A user can detect whether an application contains sensitive behaviors, and a vendor can detect whether an SDK contains sensitive behaviors.
Examples of detection methods include: detecting whether the application performs audio recording. Recording requires a permission, so the Android manifest is first read to determine whether the permissions requested by the current application include the recording permission android.permission.RECORD_AUDIO; the places that reference the system method MediaRecorder.setAudioSource(int) are then found through cross-reference. If the requested permission and the setting of a recording audio source both exist, the current application is judged to possibly perform the sensitive behavior.
2.5 component safety detection
Most security problems in the four major components of an Android application presuppose that the component is in the exported state. A component in the exported state can be accessed by other applications without permission, so the convenience it provides also creates risk. In particular, when an Intent sent from outside is received without corresponding exception handling and data validation, the result can be a denial of service that crashes the application, or vulnerabilities such as information leakage, authentication bypass and arbitrary code execution.
Examples of detection methods include: take denial of service caused by abnormal Intent data as an example. The first precondition for the four components to receive data from other applications is that the component is in the exported state, so in the first step all exported components are collected (a component whose exported value is true; when the exported attribute is absent, an Activity, Receiver or Service component that has an Intent filter is in the exported state; a Content Provider component is also in the exported state when the exported attribute is absent); then an attack android application and the detected android application are installed, a non-existing object test.
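The first step above, collecting exported components from a decoded manifest, can be written as follows. This is an added example, not code from the patent; the manifest is constructed, and the SDK check on the provider default is a refinement added here: the platform treats a provider without an exported attribute as exported only when minSdkVersion or targetSdkVersion is 16 or lower.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "receiver", "service", "provider")

# Constructed, already-decoded manifest for illustration.
MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="16"/>
  <application>
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <activity android:name=".Settings"/>
    <service android:name=".Sync" android:exported="true"
             android:permission="com.example.app.SYNC"/>
    <receiver android:name=".Boot">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".Internal" android:exported="false">
      <intent-filter>
        <action android:name="com.example.app.INTERNAL"/>
      </intent-filter>
    </receiver>
    <provider android:name=".Notes" android:authorities="com.example.app.notes"/>
  </application>
</manifest>
"""


def exported_components(manifest_xml):
    """List components reachable from other applications, with the reason."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    min_sdk = int(sdk.get(NS + "minSdkVersion", "1")) if sdk is not None else 1
    target_sdk = (int(sdk.get(NS + "targetSdkVersion", str(min_sdk)))
                  if sdk is not None else min_sdk)
    legacy_provider_default = min(min_sdk, target_sdk) <= 16

    result = []
    app = root.find("application")
    for comp in (app if app is not None else []):
        if comp.tag not in COMPONENT_TAGS:
            continue
        flag = comp.get(NS + "exported")
        if flag is not None:
            exported, reason = flag == "true", "explicit"
        elif comp.tag == "provider":
            exported, reason = legacy_provider_default, "provider default (SDK <= 16)"
        else:
            # Activity/Receiver/Service without the attribute: exported only
            # when an intent filter is declared.
            exported = comp.find("intent-filter") is not None
            reason = "intent-filter"
        if exported:
            result.append({
                "kind": comp.tag,
                "name": comp.get(NS + "name"),
                "reason": reason,
                # A declared permission narrows who can reach the component.
                "permission": comp.get(NS + "permission"),
            })
    return result


def unguarded(components):
    """Exported components with no android:permission protecting them."""
    return [c["name"] for c in components if c["permission"] is None]
```

The unguarded list is the natural input for the Intent robustness check; components guarded by a signature-level permission are a lower priority.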
2.6 data Security
Data security detection mainly checks whether internal data can be read/written from outside because the application is misconfigured or uses risky operations. Common risks include globally readable/writable files, data backup and the like.
Examples of detection methods include: take globally readable/writable detection as an example. The cause is that when a file/file stream is obtained through Context.openFileOutput(String, int), Context.getSharedPreferences(String, int) or Context.getDir(String, int), setting the MODE_WORLD_READABLE/MODE_WORLD_WRITEABLE mode allows the corresponding file to be read/written unconditionally by other applications, which creates a risk of sensitive information leakage. The call sites of these system methods are obtained through cross-reference, and the second parameter of each call is checked for MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE. If it matches, the call flow of the Context is obtained by backtracking through cross-reference and static single assignment and is associated with the call. When both the global read/write setting and its call exist, the current application is judged to possibly have the vulnerability.
2.7 application safety
Application security detection mainly checks whether the apk has risks such as incorrect use of the platform, improper configuration, redundant functions and the like, for example: the Janus signature vulnerability, the debug flag being turned on, log information leakage, arbitrary code execution vulnerabilities, and the like.
Examples of detection methods include: take the arbitrary code execution vulnerability as an example. In the first step, the system function Runtime.exec(java.lang.String) is found through cross-reference; the call flow is then obtained through cross-reference and static single assignment to find the initial data source. During backtracking, string handling through classes such as StringBuilder and StringBuffer may be encountered. When such a class is encountered, the places where its instantiated object is used are looked up through static single assignment at the same time, and it is checked whether the StringBuilder/StringBuffer.append(..) method is called; if so, the call flow of the parameters of the append method is traced back as well, and so on. When the origin is traced back to a static string, the application is regarded as safe; when the origin is traced back to places such as an Intent or an IO stream, the application is judged to have the vulnerability.
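The backtracking described above, including the StringBuilder case and the step across a method boundary, can be sketched on a small SSA-style instruction list. This is an added example, not code from the patent; the tuple format, the PROGRAM contents and the SOURCES prefixes are assumptions made for illustration.

```python
# Instruction format (assumed for this example): (op, dst, target, args).
SOURCES = ("Landroid/content/Intent;->get", "Ljava/io/")  # treated as external input
BUILDERS = ("Ljava/lang/StringBuilder;", "Ljava/lang/StringBuffer;")
EXEC = "Ljava/lang/Runtime;->exec"
RUN = "Lcom/example/Ping;->run(Ljava/lang/String;)V"

# Constructed program: three methods, two of which reach Runtime.exec.
PROGRAM = {
    RUN: {"params": ["p0"], "code": [
        ("new", "sb0", "Ljava/lang/StringBuilder;", []),
        ("const", "s0", "ping -c 1 ", []),
        ("invoke", None, "Ljava/lang/StringBuilder;->append", ["sb0", "s0"]),
        ("invoke", None, "Ljava/lang/StringBuilder;->append", ["sb0", "p0"]),
        ("invoke", "cmd", "Ljava/lang/StringBuilder;->toString", ["sb0"]),
        ("invoke", "rt", "Ljava/lang/Runtime;->getRuntime", []),
        ("invoke", None, EXEC, ["rt", "cmd"]),
    ]},
    "Lcom/example/Main;->onCreate()V": {"params": [], "code": [
        ("invoke", "it", "Landroid/app/Activity;->getIntent", ["this"]),
        ("const", "k", "host", []),
        ("invoke", "h", "Landroid/content/Intent;->getStringExtra", ["it", "k"]),
        ("invoke", None, RUN, ["h"]),
    ]},
    "Lcom/example/Info;->uptime()V": {"params": [], "code": [
        ("const", "c", "uptime", []),
        ("invoke", "rt", "Ljava/lang/Runtime;->getRuntime", []),
        ("invoke", None, EXEC, ["rt", "c"]),
    ]},
}


def callers_of(program, method):
    """Cross-reference lookup: every call site of `method` with its arguments."""
    return [(m, ins[3]) for m, body in program.items() for ins in body["code"]
            if ins[0] == "invoke" and ins[2] == method]


def trace(program, method, var, seen):
    """Return the set of origins ('static', 'external:<api>', 'unknown') of var."""
    if (method, var) in seen:
        return set()
    seen.add((method, var))
    body = program[method]
    definition = next((i for i in body["code"] if i[1] == var), None)
    if definition is None:
        if var not in body["params"]:
            return {"unknown"}
        # Parameter: continue in every caller, at the matching argument.
        idx, sites = body["params"].index(var), callers_of(program, method)
        found = set()
        for caller, args in sites:
            found |= trace(program, caller, args[idx], seen)
        return found if sites else {"unknown"}
    op, _, target, args = definition
    if op == "const":
        return {"static"}
    if op == "new":
        # Builder object: its content comes from every append on the same
        # object (flow-insensitive: appends after toString are counted too).
        found = set()
        if target in BUILDERS:
            for ins in body["code"]:
                if (ins[0] == "invoke" and ins[2].startswith(target + "->append")
                        and ins[3][0] == var):
                    found |= trace(program, method, ins[3][1], seen)
        return found
    if target.startswith(SOURCES):
        return {"external:" + target}
    found = set()
    for arg in args:
        found |= trace(program, method, arg, seen)
    return found


def audit(program):
    """Classify each Runtime.exec call by the origin of its command string."""
    report = {}
    for method, body in program.items():
        for ins in body["code"]:
            if ins[0] == "invoke" and ins[2].startswith(EXEC):
                origins = trace(program, method, ins[3][1], set())
                if any(o.startswith("external:") for o in origins):
                    verdict = "vulnerable"
                elif origins == {"static"}:
                    verdict = "safe"
                else:
                    verdict = "unknown"
                report[method] = (verdict, origins)
    return report
```

Tracing only the definition of `cmd` would stop at the empty StringBuilder; following the appends on the builder object is what surfaces the Intent extra.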
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein.
Furthermore, it should be understood that although this description is organized by embodiments, not every embodiment contains only a single independent technical solution. The description is written this way for clarity only; those skilled in the art should treat the description as a whole, and the embodiments may be combined as appropriate to form other embodiments that those skilled in the art can understand.
Claims (8)
1. An Android application vulnerability detection method, characterized by comprising the following steps:
(1) decompilation
S1, parsing the file structure; resource files such as the Android manifest and arsc files are parsed according to their compiled file formats to obtain their contents, which are translated into the corresponding file formats, such as xml, txt, etc.; the DEX bytecode file is parsed using dx to obtain basic information such as the specific classes, methods, variables, the registers of each method, operation instructions and the like;
S2, instruction parsing; the opcodes of the Dalvik virtual machine comprise arithmetic operations, logic operations, assignment operations, method calls and the like. Reading Dalvik instructions directly is unrealistic, so the instructions are parsed and translated into Smali, which is easier to read and keeps the same logic. For someone used to reading Java code, however, Smali is far less fluent than Java in both syntax and call flow, so decompiling it further into more concise pseudocode that is closer to Java source code is an indispensable step;
S3, cross-reference analysis; by parsing the instructions, the method, line and call information of each instruction is collected to form a basic cross-reference database. Given a method and a line, the classes, methods and variables called at that position can be found immediately; or, given a class, method or variable, the places where it is called can be found immediately;
S4, flow optimization; flow optimization involves variable tidying, expression contraction and the like. Intermediate variables that are meaningless to the analysis are hidden, leaving only meaningful expressions. Knowing where an expression should be contracted requires data-flow information within the method. By applying static single assignment processing to each variable of a method, the life cycle of a variable within the method and its read/write behavior can be determined. With this information the data flow within the method can be tracked and, together with the cross-reference information obtained earlier, the flow of a given piece of data can be shown completely across functions and across variables;
(2) vulnerability mining
S1, encryption security detection: encryption security detection mainly covers key security and encryption algorithm strength; key security is divided into detection of key leakage and of key length, and encryption algorithm strength is affected by the encryption type, encryption mode, padding mode, key length and the like, so the specific detection methods are built around these items;
S2, WebView security detection: WebView is a control for displaying web pages; its detection mainly covers security issues such as misconfiguration of the WebView itself and external interaction, and the possible risks include arbitrary command execution, data leakage and the like;
S3, communication security detection: communication security detection usually checks whether communication between the client and the server is secure, including whether an insecure protocol (HTTP, etc.) is used, whether the certificate is verified, whether the host name is verified, and the like;
S4, sensitive behavior detection: sensitive behavior refers to acquiring the user's private information and operating sensitive functions, for example reading/sending short messages, using the camera, recording audio, making calls and the like; such behavior may leak the user's private information. Users can detect whether an application contains sensitive behavior, and vendors can detect whether an SDK contains sensitive behavior;
S5, component security detection: most insecurity in the four major components of an Android application presupposes that the component is in the exported state; components in the exported state can be accessed by other applications without permission, which brings risk along with convenience. In particular, when an Intent sent from outside is received, if the corresponding exception catching and data validation are not performed, a denial of service that crashes the application may result, as well as vulnerabilities such as information leakage, authentication bypass and arbitrary code execution;
S6, data security detection: data security detection mainly checks whether internal data can be read/written from outside because of application configuration errors or risky operations; common risks include globally readable/writable files, data backup and the like;
S7, application security detection: application security detection mainly checks for risks and vulnerabilities such as incorrect use of the apk platform, improper configuration and redundant functions, for example the Janus signature vulnerability, the debug flag being turned on, log information leakage, arbitrary code execution vulnerabilities and the like.
2. The android application vulnerability detection method of claim 1, wherein: in the encryption security detection, taking the rule that use of the DES encryption algorithm is judged to be a risk as an example, first the positions where the system method Cipher.getInstance(String) is referenced are found through cross reference, and it is judged whether the parameter at each position matches the regular expression 'DES/(\\w){3}/+Padding'; a match shows that the DES encryption algorithm is present, but not necessarily that it is used, so the Cipher object is then obtained through static single assignment and the positions where its Cipher.doFinal(..) method is called are obtained through cross reference; the source of the first parameter of the doFinal method is then analyzed and traced, and when the DES algorithm is present together with such a data source, it is judged that the vulnerability may exist in the current application.
3. The android application vulnerability detection method of claim 1, wherein: in the WebView security detection, the first step obtains the minimum version supported by the current application from the AndroidManifest, and detection continues if the minimum version is lower than 4.4 (19); the positions where the system method WebView.removeJavascriptInterface(String) is referenced are then found through cross reference, and it is judged whether their first parameters together cover all three risk interfaces, detection continuing if any risk interface is not removed; the calling process is backtracked through cross reference and static single assignment to obtain the WebView objects on which the removal code is called, and these are stored temporarily; all WebView objects used by the application are then found through cross reference and compared with the temporarily stored ones to screen out the WebView objects whose risk interfaces have not been removed; if any such object exists, it is judged that the vulnerability may exist in the current application.
4. The android application vulnerability detection method of claim 1, wherein: in the communication security detection, taking detection of whether the certificate is verified as an example, the places where X509TrustManager.checkServerTrusted(X509Certificate[], String) is implemented are found through cross reference and all instructions of the method are obtained; if the method contains no instructions, all certificate verification is being ignored; a reverse query through cross reference and static single assignment then obtains the reference process of the class implementing the X509TrustManager interface; when an implementation of the X509TrustManager interface exists but the body of checkServerTrusted is empty, it is judged that the vulnerability may exist in the current application.
5. The android application vulnerability detection method of claim 1, wherein: in the sensitive behavior detection, taking detection of whether an audio recording operation exists in the application as an example, recording requires a permission to be requested, so the first step determines from the AndroidManifest whether the permissions requested by the current application include the recording permission android.permission.RECORD_AUDIO; the places where the system method MediaRecorder.setAudioSource(int) is referenced are then found through cross reference; if the permission request and a call setting the recording audio source both exist, it is judged that the sensitive behavior may exist in the current application.
6. The android application vulnerability detection method of claim 1, wherein: the detection mode of the component security detection is as follows: taking denial of service caused by abnormal Intent data as an example, the precondition for the four components to receive data from other applications is that the component is in the exported state, so in the first step all exported components are obtained (a component whose exported value is true is exported; when the exported attribute is absent, Activity, Receiver and Service components that have an Intent filter are in the exported state; and a Content Provider component is also in the exported state when the exported attribute is absent); then an attack android application and the detected android application are installed, a non-existing object test.
7. The android application vulnerability detection method of claim 1, wherein: the detection mode of the data security detection is as follows: taking global readable/writable detection as an example, the issue arises because, when a file/file stream is obtained through Context.openFileOutput(String, int), Context.getSharedPreferences(String, int) or Context.getDir(String, int), setting the MODE_WORLD_READABLE/MODE_WORLD_WRITEABLE mode allows the corresponding file to be read/written unconditionally by other applications, which may lead to leakage of sensitive information. The call sites of these system methods are obtained through cross reference, and it is judged whether the second parameter of the method is MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE; if so, the Context calling flow is obtained by backtracking through cross reference and static single assignment and the corresponding Context call is associated; when both the global read/write setting and the Context call exist, it is judged that the vulnerability may exist in the current application.
8. The android application vulnerability detection method of claim 1, wherein: the detection mode of the application security detection is as follows: taking the arbitrary code execution vulnerability as an example, in the first step the positions where the system function Runtime.exec(java.lang.String) is referenced are found through cross reference; the calling process is then obtained from cross reference and static single assignment, and is backtracked to find the initial data source; during backtracking, string processing by classes such as StringBuilder and StringBuffer may be encountered; when such a class is encountered, the use positions of its instantiated objects are also looked up through static single assignment to judge whether a StringBuilder/StringBuffer append method is called; if it is, the calling process of the parameters of the append method is backtracked as well, and so on; when the origin is traced back to a static string, the application is regarded as safe, and when the origin is traced back to an Intent, an IO stream or a similar place, the current application is judged to have the vulnerability.
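The exported-state rules stated in claim 6, applied to a decoded manifest, as an added example that is not part of the patent: an explicit exported value decides, otherwise a provider or any component with an intent filter counts as exported. The manifest, its package and component names, and the `export_reason` / `exported_components` helpers are constructed for this illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "receiver", "service", "provider")

# Constructed manifest, as it would look after the binary XML has been decoded.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".SettingsActivity"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.SYNC"/>
    <receiver android:name=".BootReceiver" android:exported="false">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".NotesProvider" android:authorities="com.example.demo.notes"/>
  </application>
</manifest>"""

def export_reason(elem):
    """Return why a component is exported under the claim's rules, or None."""
    explicit = elem.get(ANDROID + "exported")
    if explicit is not None:            # an explicit value always decides
        return "exported=true" if explicit.strip().lower() == "true" else None
    if elem.tag == "provider":          # claim: provider without the attribute
        return "provider without exported attribute"
    if elem.find("intent-filter") is not None:
        return "intent-filter without exported attribute"
    return None

def exported_components(manifest_xml):
    """List (tag, name, reason, permission) for every exported component."""
    app = ET.fromstring(manifest_xml).find("application")
    found = []
    for elem in (app if app is not None else []):
        if elem.tag in COMPONENTS:
            reason = export_reason(elem)
            if reason:
                found.append((elem.tag, elem.get(ANDROID + "name"), reason,
                              elem.get(ANDROID + "permission")))
    return found
```

The permission column is reported so that exported components guarded by a permission can be told apart from those reachable by any application.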
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111292532.3A CN114021142A (en) | 2021-11-03 | 2021-11-03 | Android application program vulnerability detection method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114021142A true CN114021142A (en) | 2022-02-08 |
Family
ID=80060117
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111292532.3A Pending CN114021142A (en) | Android application program vulnerability detection method | 2021-11-03 | 2021-11-03 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114021142A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||