CN114077737A - Android inter-component communication data flow detection method based on taint analysis - Google Patents

Android inter-component communication data flow detection method based on taint analysis

Info

Publication number: CN114077737A
Authority: CN (China)
Prior art keywords: component, icc, link, components, intent
Legal status: Withdrawn
Application number: CN202210059722.9A
Other languages: Chinese (zh)
Inventors: 金正平, 郭一卿, 秦素娟, 时忆杰, 温巧燕, 李明柱, 张胜, 陈飞, 陈静华
Current assignee: Nanjing Mingbo Internet Safety Innovation Research Institute Co ltd; Beijing University of Posts and Telecommunications
Original assignee: Nanjing Mingbo Internet Safety Innovation Research Institute Co ltd; Beijing University of Posts and Telecommunications
Application filed by Nanjing Mingbo Internet Safety Innovation Research Institute Co ltd and Beijing University of Posts and Telecommunications

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention relates to a taint-analysis-based method for detecting inter-component communication (ICC) data flows in Android applications. It adopts a new design: first, for the Android application under test, ICC links containing an explicit or implicit Intent are obtained; then each ICC link is modified by code instrumentation to form an executable ICC test link, and the links whose two components are confirmed to establish a communication connection are kept as the ICC links to be processed; finally, internal communication connections are established among all components involved in the ICC links to be processed and data flow analysis is performed, achieving inter-component data flow analysis of the application under test. Because the data flow analysis takes the communication connections between application components into account, inter-component communication is detected efficiently and accurately, which improves taint analysis across Android application components.

Description

Android inter-component communication data flow detection method based on taint analysis
Technical Field
The invention relates to a taint-analysis-based method for detecting inter-component communication data flows in Android applications, and belongs to the technical field of detecting communication data flows among application components.
Background
People's dependence on mobile applications has increased dramatically over the last decade. According to the Global Digital Report, in 2018 users spent on average 3 hours per day on mobile devices, so it is no surprise that the mobile application market has grown accordingly. The development of China's mobile internet also ranks at the top globally: by December 2018 the number of mobile internet users in China had reached 817 million, with 64.33 million added over the year. Alongside this rapid growth, security problems on the Android system have drawn constant attention. Data show that the number of malicious programs on the Android platform increased rapidly from 2012 to 2018. By the end of the third quarter of 2018, G DATA statistics showed over 3.2 million new malware samples found on Android, on average more than 11,000 new samples per day. In 2017, the number of mobile internet malicious programs obtained by the national internet emergency center through autonomous capture and vendor exchange reached 2.53 million, a year-on-year increase of 23.4 percent. In summary, given the very large share of Android devices, Android applications contain more and more vulnerabilities, and the threat these pose keeps growing. Vulnerability detection for the Android applications on the market is therefore urgent and necessary.
Android malware detection technology can be divided into three categories: static detection, dynamic detection, and hybrid detection. Static analysis detects vulnerabilities without executing the application; its main forms are rule- or template-based analysis, code similarity detection, symbolic execution, and static taint analysis. In rule- or template-based analysis a human expert manually writes rules according to the characteristics of each vulnerability, and an application or piece of code is judged to contain (or not contain) a given vulnerability when it meets certain conditions. Code similarity detection works at the code level: the similarity between an application and one known to contain a vulnerability is compared at the granularity of code statements, methods, classes, or components, and the presence of the vulnerability is judged from that similarity. Static taint analysis detects whether data can propagate from a taint source to a taint sink by analyzing the data dependencies among program variables, without running or modifying the code. An Android application has a life cycle, and the corresponding callback methods are invoked at different points of its execution. An effective static detection tool must therefore be able to analyze the application's control flow and accurately model the life cycle; inaccurate life cycle modeling causes important data flows to be lost or masked.
Taint analysis can be described by three concepts: source, sink, and sanitization. A source is the point where tainted data originates. Some operations and functions have a domain that is a subset of the type domain of their operands or parameters; when the actual value falls outside that domain, the result may be undefined. A value of an operand or parameter is tainted if it may lie outside the domain of the operation or function that uses it and it is derived from some external input to the program (for example command line parameters, data returned by a system call, or data in shared memory); the origin of such a value is called a taint source. Tainted data can only be a variable's value, not an operand or parameter as such, and in some cases the same operand or parameter may hold tainted or untainted values along different paths.
A sink is the point where tainted data converges: after the source data has propagated through data dependencies or control dependencies, it is sent or leaked to the outside through a function, and that function is called the sink.
Sanitization means that tainted data is encrypted or passed through an obfuscation function so that it becomes unrecognizable to the outside and its propagation can no longer damage the system. To remove the taint from a value, the value must be sanitized to ensure that it lies within the domain of any restricted sink into which it flows. Sanitization is performed by replacement or by termination. In replacement, the out-of-domain value is replaced by an in-domain value, and processing continues with the in-domain value in place of the original. In termination, program logic ends the execution path when it detects an out-of-domain value, typically by branching around any code that uses that value.
FlowDroid is the first Android static taint analysis tool that is fully context-, object- and flow-sensitive. It analyzes the application's bytecode and configuration files for vulnerabilities and is used to identify sensitive data leaks caused by malicious Intents. FlowDroid extends the Soot framework, using Soot's Dexpler plug-in to convert Android's Dalvik bytecode into Jimple code (Jimple is Soot's intermediate representation, based on three-address code). FlowDroid does not, however, compute alias or points-to information for all objects in a context- and flow-sensitive manner. Many Android static taint analysis tools were developed on top of FlowDroid. FlowDroid itself can only perform intra-component taint analysis and does not address inter-component communication, and therefore does not address security issues arising from Intent delivery between multiple components. Current static taint analysis tools thus do not fully support inter-component communication.
The Android system design is unique in that any application can launch components of other applications. When the system starts a component, it starts the application's process (if not already running) and instantiates the classes required by the component. The Android system is responsible for finding a corresponding component according to the description of the Intent, transmitting the Intent to the called component and completing the calling of the component. In the Android system, Inter-Component Communication (ICC) is a common phenomenon. There are four major components in Android, which enable extensive communications between them. In Android, many vulnerabilities do not occur within a single component, but may involve two or more components, such as Inter-process Denial-Of-Service (IDOS), cross-Application scripting (XAS), Fragment Injection vulnerabilities (FI), and so on.
CHEX is a tool for detecting component hijacking vulnerabilities in applications; it tracks taint between externally accessible interfaces and sensitive sources or sinks. FlowDroid, described above, deliberately does not compute alias or points-to information for all objects in a context- and flow-sensitive manner; this is a design decision based on computational cost. Amandroid extends FlowDroid by capturing control and data dependencies between components. The Amandroid workflow converts the application's Dalvik bytecode into an intermediate representation, generates an environment model, builds an inter-component data flow graph (IDFG) and a data dependency graph (DDG), and then performs security detection. Amandroid can be used for data leak detection, data injection detection, and API misuse detection. DidFail (Droid Intent Data Flow Analysis for Information Leakage) combines and extends FlowDroid and Epicc (which can identify Intent properties such as the action) to detect leaks across a set of Android applications.
FlowDroid is a popular taint analysis tool for Android applications. It does not address ICC and therefore does not address the security issues related to Intent transfer between multiple components. FlowDroid is the most widely used Android static taint analysis framework and the first in academia to be context-, flow-, field- and object-sensitive. It models the Android life cycle, simulating the complete life cycle and handling the various Android callback methods. FlowDroid approximates explicit communication between components by treating the functions that send an Intent as sinks and the callback functions that receive an Intent as sources. The following example shows that FlowDroid cannot recognize inter-component communication.
Consider the following code:
[Code listing shown as an image in the original; not available.]
In FirstActivity we create an Intent and set an action on it, then pass a BigInteger through the putExtra method. The method takes two parameters: the first is the key used later to retrieve the value from the Intent, and the second is the data to be transferred. We write the following code in SecondActivity:
[Code listing shown as an image in the original; not available.]
and set an intent filter for SecondActivity in the Android manifest:
[Manifest excerpt shown as an image in the original; not available.]
indicating that SecondActivity can be started by FirstActivity. When SecondActivity starts, it calls the getIntent method to obtain the Intent that started it, i.e. the Intent variable from FirstActivity, and then receives the BigInteger-typed data coming from FirstActivity and converts it to String. When the program reaches this point it crashes, a denial of service. Assuming FirstActivity was written by an attacker, he deliberately passes BigInteger-typed data and starts SecondActivity with the implicit Intent. FlowDroid cannot follow this ICC because the two activities are not linked in code, meaning that static data flow analysis with FlowDroid cannot directly build an inter-component control flow graph.
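The listings above are images in the original and are not available, so the following is an added reconstruction, written for this edit and not the patent's own code, of the scenario the text describes: a sender attaching a BigInteger extra to an implicit Intent, an exported receiver that casts the extra to String and crashes, and a hardened receiver that checks the extra's type before using it. The class names, the action string, the extra key and the manifest entry are assumptions.

```java
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import java.math.BigInteger;

/*
 * Assumed manifest entry making SecondActivity reachable by an implicit Intent.
 * This filter, not any call in code, is the only thing linking the two
 * activities, which is why an intra-component analysis sees no edge between them.
 *
 * <activity android:name=".SecondActivity" android:exported="true">
 *     <intent-filter>
 *         <action android:name="com.example.action.SHOW" />
 *         <category android:name="android.intent.category.DEFAULT" />
 *     </intent-filter>
 * </activity>
 */

/** Sender side (source component C1): implicit Intent carrying a BigInteger extra. */
public class FirstActivity extends Activity {
    static final String ACTION_SHOW = "com.example.action.SHOW"; // assumed action string
    static final String EXTRA_DATA = "data";                      // assumed extra key

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = new Intent();
        intent.setAction(ACTION_SHOW);
        // putExtra(String, Serializable): BigInteger is Serializable, so this compiles,
        // and nothing on the sending side checks the type the receiver expects.
        intent.putExtra(EXTRA_DATA, new BigInteger("123456789012345678901234567890"));
        startActivity(intent); // ICC method m1: the system resolves the target via the filter
    }
}

/** Receiver side (destination component C2) as the text describes it. */
class SecondActivityVulnerable extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent in = getIntent(); // the Intent built in FirstActivity
        // Unchecked cast: a BigInteger extra throws ClassCastException here, the
        // activity and its process crash, and the component is denied service.
        String text = (String) in.getSerializableExtra(FirstActivity.EXTRA_DATA);
        setTitle(text);
    }
}

/** Hardened receiver: treats the extra as untrusted input and validates its type. */
class SecondActivityHardened extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Object raw = getIntent().getSerializableExtra(FirstActivity.EXTRA_DATA);
        if (!(raw instanceof String)) {
            // Unexpected payload from another application: refuse it instead of crashing.
            finish();
            return;
        }
        setTitle((String) raw);
    }
}
```

The sender and receiver share no call edge in the code, so an analysis that stops at startActivity never sees the taint reach the cast; only the manifest filter joins them.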
Epicc computes the parameters of Android Intent calls by explicitly modeling the Intent data structure in flow functions, using the same IDE (interprocedural distributive environment) framework as FlowDroid. To our knowledge, in the general case Epicc does not use the Intent parameter analysis results to resolve the Intent's call target, nor does it use them to perform inter-component data flow analysis.
IccTA and DroidSafe advanced the state of the art in static analysis of Android applications. IccTA extends FlowDroid and can track data flow through Intent calls and their returns; however, IccTA does not yet track the flow of information through Remote Procedure Calls (RPCs). DroidSafe tracks Intent and RPC calls, but does not capture data flow through "stateful ICC" or perform inter-application analysis.
DidFail does not handle explicit ICC, so it cannot report leaks in test cases where components communicate using explicit Intents. DidFail uses an over-approximation to establish implicit ICC links: as long as the actions and categories match, an ICC link is constructed. DidFail currently focuses only on activities, so it does not report any leaks in test cases involving services, broadcast receivers (whether dynamically registered or not), or content providers.
Amandroid is the most recent tool capable of detecting ICC leaks, but it does not fully model the life cycle of services, and it currently does not handle the bindService method or Content Provider components.
As can be seen, many current Android taint analysis tools are derived from FlowDroid, and all have drawbacks when detecting the data flow of inter-component communication: some cannot detect communication among certain components at all, and others cannot detect it accurately.
Disclosure of Invention
The technical problem the invention aims to solve is to provide a taint-analysis-based method for detecting inter-component communication data flows in Android applications that adopts a new design, takes the communication connections between application components into account when performing data flow analysis, and detects inter-component communication efficiently.
The invention adopts the following technical scheme to solve this problem. It designs a taint-analysis-based method for detecting communication data flows between Android components, used to realize data flow analysis between the components of an Android application under test, comprising the following steps:
Step A. For each component in the Android application under test, obtain the ICC links, each of which contains an Intent representing the interaction between two components and is used to activate communication between them; then go to step B.
Step B. For each ICC link, modify the ICC link by code instrumentation to form an executable ICC test link, and judge whether the two components corresponding to the ICC link realize a communication connection; take each ICC link whose two components do realize a communication connection as an ICC link to be processed, then go to step C.
Step C. According to the communication connections between the two components corresponding to each ICC link to be processed, establish the internal communication connections among all components involved in the ICC links to be processed, and perform data flow analysis, thereby realizing data flow analysis between the components of the Android application under test.
As a preferred technical scheme of the invention: in step A, for each component in the Android application under test, the IC3 tool is applied to obtain the ICC links, each of which contains an Intent representing the interaction between two components and is used to activate communication between them. An ICC link is represented as:
(C1, m1) → (C2, m2)
where C1 denotes the source component, C2 denotes the destination component, m1 denotes the method local to the source component C1 that invokes the Intent representing the interaction between C1 and the destination component C2, and m2 denotes the lifecycle method local to the destination component C2 that is reached once C2 has been started.
As a preferred technical scheme of the invention: the Intent comprises Component, action, category, data, type, extra and Flags, where Component denotes the destination component, action denotes the action that the destination component receiving the Intent can perform, category denotes the type information that the destination component receiving the Intent can handle, data denotes the data the Intent wants to access, type denotes a description of the data, extra denotes additional information, and Flags denotes flag bits for the expected Intent operation mode.
As a preferred technical scheme of the invention: Intents comprise explicit Intents and implicit Intents. In an explicit Intent the Component is a known destination component; in an implicit Intent the Component is unknown, and the destination component is determined from knowledge of at least one of action, category and data.
As a preferred technical scheme of the invention: in step B, for each ICC link, the ICC link is modified by code instrumentation according to the following steps B1 to B6 to form an ICC test link, and it is determined whether the two components corresponding to the ICC link realize a communication connection with each other:
Step B1. According to all parameter types of m1, create corresponding local variables in the destination component C2, then go to step B2.
Step B2. Rewrite the constructor of the destination component C2 so that all parameters of m1 are saved into the local variables of C2, then go to step B3.
Step B3. Rewrite the getIntent() method of the destination component C2 so that it returns the parameter of m1 saved locally in C2, then go to step B4.
Step B4. Create a dummy main method locally in the destination component C2 which, once C2 has been started, calls in sequence the lifecycle methods and callback methods of C2 that are to be executed, then go to step B5.
Step B5. Create the helper class ICCHelper locally in the destination component C2 and write a static method help in ICCHelper whose parameters are all the parameters of m1; in the static method help, first call the rewritten constructor of C2 to create a destination component C2 instance, then call the destination component C2 (its dummy main method), then go to step B6.
Step B6. Construct an ICC link internal communication connection test method between the source component C1 and the destination component C2, used to judge whether the two components corresponding to the ICC link realize a communication connection.
As a preferred technical scheme of the invention: in step B6, the ICC link internal communication connection test method between the source component C1 and the destination component C2 is constructed according to the following steps B6-1 to B6-5, and is used to judge whether the two components corresponding to the ICC link realize a communication connection:
Step B6-1. The source component C1, through its local method m1, initiates an internal communication connection request toward the destination component C2; determine whether C2 returns data to C1. If yes, go to step B6-2; otherwise, judge that the two components corresponding to the ICC link cannot realize a communication connection with each other.
Step B6-2. Through the static method help in the helper class ICCHelper local to C2, call the method local to C2 that returns an Intent to the source component C1, and judge whether C1 receives the Intent from C2. If yes, go to step B6-3; otherwise, judge that the two components corresponding to the ICC link cannot realize a communication connection with each other.
Step B6-3. Create in the destination component C2 a local variable intent_to_1 representing the Intent that the source component C1 receives from C2, and create in C2 a method getIntentTo1 that returns C2's local variable intent_to_1, then go to step B6-4.
Step B6-4. Through the static method help in the helper class ICCHelper local to C2, call the method getIntentTo1 of C2 and store the result as curI, then go to step B6-5.
Step B6-5. Through the static method help in the helper class ICCHelper local to C2, call the Intent-receiving method of the source component C1 with the stored result curI, and determine that the two components corresponding to the ICC link can realize an internal communication connection with each other.
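Steps B1 to B6 are easier to follow as source. The following is an added illustration, written for this edit rather than taken from the patent, of what the instrumented destination component and helper class look like for the link (FirstActivity, startActivity(Intent)) → (SecondActivity, onCreate) from the earlier example; the patent performs the rewrite on bytecode (Jimple), and every name other than ICCHelper, help, intent_to_1, getIntentTo1 and curI is an assumption. The instrumented classes exist only to give the analysis a call edge and would not run on a device.

```java
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;

/**
 * Destination component C2 after instrumentation. For the link
 * (FirstActivity, startActivity(Intent)) -> (SecondActivity, onCreate),
 * m1 is startActivity and has a single parameter of type Intent.
 */
public class SecondActivity extends Activity {
    // B1: one local variable per parameter type of m1 (field name assumed).
    private Intent icc_intent;
    // B6-3: the Intent that C2 hands back to C1 (name from the patent).
    private Intent intent_to_1;

    // B2: rewritten constructor saving every parameter of m1 into C2's variables.
    // Analysis-only: the real framework instantiates activities with no arguments.
    public SecondActivity(Intent fromM1) {
        this.icc_intent = fromM1;
    }

    // B3: getIntent() returns the saved Intent instead of asking the system, so the
    // extras put into the Intent in FirstActivity reach this component over a call
    // edge the analysis can follow.
    @Override
    public Intent getIntent() {
        return icc_intent;
    }

    // B4: dummy main that runs the lifecycle and callback methods in the order the
    // framework would, so the analysis models the component's life cycle.
    public void dummyMain() {
        onCreate(null);
        onStart();
        onResume();
        onPause();
        onStop();
        onDestroy();
    }

    // B6-3: accessor for intent_to_1 (name from the patent).
    public Intent getIntentTo1() {
        return intent_to_1;
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // m2: the original component logic consuming the Intent built in C1.
        String text = (String) getIntent().getSerializableExtra("data"); // key assumed
        // Assumed reply used for the B6 check: C2 prepares an Intent for C1.
        intent_to_1 = new Intent().putExtra("reply", text);
    }
}

/** B5: helper class local to C2; help takes exactly the parameters of m1. */
final class ICCHelper {
    private ICCHelper() {}

    public static void help(Intent intent) {
        SecondActivity target = new SecondActivity(intent); // B2 constructor
        target.dummyMain();                                 // B4 entry point
        // B6-4: fetch what C2 would send back as curI; B6-5: deliver it to C1's
        // Intent-receiving method, closing the link in the reverse direction.
        Intent curI = target.getIntentTo1();
        FirstActivity.receiveFromSecond(curI);
    }
}

/** Source component C1 with its send site rewritten to call the helper. */
class FirstActivity extends Activity {
    static Intent lastReceived; // assumed: where C1 keeps the Intent returned by C2

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = new Intent().setAction("com.example.action.SHOW"); // action assumed
        intent.putExtra("data", "hello");
        // Before instrumentation: startActivity(intent), an edge into the framework
        // rather than into SecondActivity. After: a direct call with the same argument,
        // so an intra-component analysis such as FlowDroid sees putExtra flow to getIntent.
        ICCHelper.help(intent);
    }

    // Assumed name for C1's Intent-receiving method targeted by step B6-5.
    static void receiveFromSecond(Intent curI) {
        lastReceived = curI;
    }
}
```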
As a preferred technical scheme of the invention: in step C, according to the communication connections between the two components corresponding to each ICC link to be processed, the internal communication connections among all components involved in the ICC links to be processed are established, and FlowDroid is applied to perform data flow analysis, realizing data flow analysis between the components of the Android application under test.
Compared with the prior art, the taint-analysis-based method for detecting communication data flows between Android components has the following technical effect:
(1) The method adopts a new design: first, ICC links containing an explicit or implicit Intent are obtained for the Android application; then each ICC link is modified by code instrumentation to form an executable ICC test link, and the links whose two components realize a communication connection are obtained as the ICC links to be processed; finally, internal communication connections among all components involved in the ICC links to be processed are established and data flow analysis is performed, achieving inter-component data flow analysis of the application under test. Because the data flow analysis takes the communication connections between application components into account, inter-component communication is detected efficiently and accurately, which improves taint analysis across Android application components.
Drawings
FIG. 1 is a flow chart of a taint analysis-based Android inter-component communication data flow detection method;
fig. 2 is a schematic control flow diagram of bindService according to an embodiment of the present invention.
Detailed Description
The following description will explain embodiments of the present invention in further detail with reference to the accompanying drawings.
The taint-analysis-based method for detecting communication data flows between Android components is used to realize data flow analysis between the components of the Android application under test; in practice, as shown in fig. 1, the following steps A to C are executed.
Step A. For each component in the Android application under test, apply the IC3 tool to obtain the ICC links present in the application, each of which contains an Intent representing the interaction between two components and is used to activate communication between them. An ICC link is represented as:
(C1, m1) → (C2, m2)
where C1 denotes the source component, C2 denotes the destination component, m1 denotes the method local to the source component C1 that invokes the Intent representing the interaction between C1 and the destination component C2, and m2 denotes the lifecycle method local to the destination component C2 that is reached once C2 has been started; then go to step B.
An Android application component can connect to components of other Android applications, the connection being based on the task description represented by an Intent object. An Intent is an asynchronous message that allows application components to request functionality from other Android components. Intents allow interaction with components of the same application as well as components provided by other applications. For example, an activity may start an external activity to take a photo, and the Intent may carry data in a Bundle that the receiving component can use.
The Intent comprises Component, action, category, data, type, extra and Flags. Component denotes the destination component, action denotes the action that the destination component receiving the Intent can perform, category denotes information about the type of action that the destination component receiving the Intent can handle, data denotes the data to be accessed by the action in the Intent, type denotes a description of the data, extra denotes additional information, and Flags denotes flag bits for the expected Intent operation mode.
Intents comprise explicit Intents and implicit Intents. In an explicit Intent the Component is a known destination component; in an implicit Intent the Component is unknown, and the destination component is determined from knowledge of at least one of action, category and data.
For an explicit Intent, the Component attribute explicitly specifies the class name of the Intent's target component. An explicit Intent defines the component the Android system should call by using the Java class as the identifier. Explicit Intents are typically used within an application, because the classes in an application are controlled by the application developer. The following shows how an explicit Intent is created and sent to the Android system to start an activity:
[Code listing shown as an image in the original; not available.]
This code is located in FirstActivity. First an Intent is created and its target is set with the setClass method, whose first parameter is the context of the current activity and whose second parameter specifies the target activity to start; the Intent is then passed to startActivity, an inter-component communication method, which starts SecondActivity according to these settings. Similarly, if line 2 of the above code is changed to the following:
[Code listing shown as an image in the original; not available.]
the Intent is used to start the system alarm, where the two parameters are respectively the package name and the class (component) name to start. When the Intent is explicit and one of the ICC methods such as startActivity is called, data flow analysis continues directly into the component the Intent points to.
For implicit Intent, implicit Intent is a more flexible method of use, and we do not need to specify which component to communicate with, but rather specify the action, category, etc. attributes of Intent. The Android system will match the information in the request Intent with any activity available on the device that can perform the task. If there is only one matching activity, then the component is started. If there are multiple components that conform to the Intent, an application selector is displayed to the user and the application they want to perform the task is selected.
In Intent, the action attribute represents the action that the component receiving the Intent can perform. A common ACTION is defined in intetc. class as a constant and starts with "ACTION _. E.g., ACTION VIEW, is used when we need an activity to display certain information to the user, e.g., a photograph to be viewed in a gallery or an address to be viewed in a map. The action can be specified for Intent by the setAction () method, or in the constructor of Intent. An Intent Filter may contain multiple actions.
The category attribute gives additional information about the kind of component that should handle the Intent. It is optional, and several categories can be added to one Intent. Categories are also defined as constants in the Intent class and begin with "CATEGORY_"; they are added to an Intent with the addCategory() method.
The data attribute is the data the Intent wants to act on. Like action and category, it is also declared in <intent-filter>. Its content is generally determined by the action: for example, when the action is ACTION_VIEW the data can be a web address or the URI of a picture.
The component, action, category and data attributes involved in resolving explicit and implicit Intents determine which component the system finally starts; extra and flags carry additional information and do not influence that decision.
In an Android application no code directly connects two components, so in the call graph no component can reach any other component. To address this, step A applies the IC3 tool to obtain the ICC links present in the Android application under test; each link contains an Intent that represents an interaction between two components and is used to activate communication between them. IC3 (Inter-Component Communication analysis with COAL) is an Android inter-component communication analysis tool that tries to find all possible values of an object of interest at important program points, so its analysis is multi-valued.
Common ICC links are shown in Table 1 below.
TABLE 1
[Table 1: common ICC links (shown as an image in the original)]
After the ICC links are extracted, the inter-component communication problem can be reduced to an intra-component problem, on which FlowDroid performs very accurate intra-component data flow analysis. We then use code instrumentation to modify each extracted ICC link so that it actually connects the two components. Finally, FlowDroid is used to perform data flow analysis across the components, that is, steps B and C below are carried out.
Step B. For each ICC link, modify the link by code instrumentation to form an executable ICC test link, and judge whether the two components corresponding to the link realize a communication connection with each other; each ICC link whose two components do realize the connection is kept as an ICC link to be processed. Then enter step C.
In practice, each ICC link is modified by code instrumentation according to steps B1 to B6 to form an ICC test link, and whether its two components realize a communication connection with each other is determined as follows.
Step B1. According to the types of all parameters of m1, create a corresponding local variable for each of them in the destination component C2, then go to step B2.
Step B2. Rewrite the constructor of the destination component C2 so that all parameters of m1 are saved into the local variables of C2, then go to step B3.
Step B3. Rewrite the getIntent() method of the destination component C2 so that it returns the Intent of m1 saved locally in C2, then go to step B4.
Step B4. Create a dummyMain method locally in the destination component C2 that calls, in order, the lifecycle methods and callback methods executed after C2 is started, then go to step B5.
Step B5. Create the auxiliary class ICCHelper locally in the destination component C2 and write a static method help in it whose parameters are all the parameters of m1. In help, first call the rewritten constructor of C2 to create an instance of C2, then call the dummyMain method of that instance; then go to step B6.
Step B6. Construct, according to steps B6-1 to B6-5, the test of the internal communication connection of the ICC link between the source component C1 and the destination component C2, which judges whether the two components corresponding to the ICC link realize a communication connection with each other.
Step B6-1. Based on the locally included m1, the source component C1 initiates an internal communication connection request towards the destination component C2; determine whether C2 returns data to C1. If yes, go to step B6-2; otherwise, judge that the two components corresponding to the ICC link cannot realize a communication connection with each other.
Step B6-2. Through the static method help in the auxiliary class ICCHelper local to C2, call the method local to C2 that returns an Intent to the source component C1 in reply to m1, and judge whether C1 receives the Intent from C2. If yes, go to step B6-3; otherwise, judge that the two components corresponding to the ICC link cannot realize a communication connection with each other.
Step B6-3. Create in the destination component C2 a local variable intent_to_1 representing the Intent that the source component C1 receives from C2, and create in C2 a method getIntentTo1 that returns the local variable intent_to_1; then go to step B6-4.
Step B6-4. Through the static method help in the auxiliary class ICCHelper local to C2, call the method getIntentTo1 of C2 and store the result as curI; then go to step B6-5.
Step B6-5. Through the static method help in the auxiliary class ICCHelper local to C2, call the method of the source component C1 that receives the Intent, with the result stored as curI, and determine that the two components corresponding to the ICC link can realize an internal communication connection with each other.
Step C. According to the communication connection between the two components of each ICC link to be processed, establish the internal communication connections among all components involved in the ICC links to be processed, and perform data flow analysis with FlowDroid, realizing inter-component data flow analysis of the Android application under test.
The designed Android inter-component communication data flow detection method based on taint analysis is applied in practice and illustrated with bindService(). When method calls or data exchange are required between a Service and its client, the source component can start the target Service; after starting, the Service can return related data to the source component, so the caller can see some information about the Service or perform other operations. Part of the code of a Service class BindService is as follows:
[Code listing (shown as an image in the original)]
Lines 3 to 5 implement the IBinder object by extending Binder; the MyBinder class is an inner class of the Service, which is the usual arrangement when a local Service is bound and communicated with. Lines 6 to 8 implement the onBind() method and let it return a valid IBinder object, which is passed to the Service's client.
Next, define an Activity to bind the Service; the code is as follows:
[Code listing (shown as an image in the original)]
Lines 3 to 8 create a ServiceConnection object used to monitor the connection between the client and the Service. When the client successfully connects to the Service, the onServiceConnected() method of the ServiceConnection object is called back. Line 6 obtains the MyBinder object returned by the Service's onBind() method once the Activity and BindService are connected; that is, the Service's onBind method communicates with the onServiceConnected method of the Activity's ServiceConnection object. Logic can usually be added to the MyBinder class according to the Service's needs, so that the Service can be operated, or its state inspected, from the Activity. Lines 11 and 12 show the Activity binding BindService through an implicit Intent; the third parameter of the bindService method specifies that the Service is created automatically when the Activity binds to it, so the onCreate method of BindService is executed. The control flow of the whole process is shown in Fig. 2.
In this application, an auxiliary class ICCHelper is first created to connect the source component and the destination component. The code is as follows:
[Code listing (shown as an image in the original)]
The class contains a static method help; the two methods it calls are explained below.
Then, in MainActivity, the ICC method bindService is deleted and replaced by a call to the help method of ICCHelper, that is, line 12 of MainActivity is replaced by the following code:
[Code listing (shown as an image in the original)]
This completes (1) and (2) of Fig. 2, i.e. the source component starts the target component through the auxiliary function. The key point is how our rewritten constructor and dummyMain method in BindService work. The following code is added to the BindService class:
[Code listing (shown as an image in the original)]
First, the constructor of BindService is rewritten, and the three parameters originally passed when binding the Service are stored in local variables. We also construct a virtual main method, dummyMain, to invoke all relevant methods of the destination component, including lifecycle methods and callback methods. Following the Service lifecycle, it first executes onCreate, indicating that the Service is created, and then mcon is called. The second method executed is onBind, indicating that the Service is bound. The returned IBinder object is then passed as a parameter into the onServiceConnected callback method, and lines 5 to 7 of MainActivity are executed, indicating that the Service is connected. In addition, the getIntent method is rewritten to return the correct Intent. This completes (3) and (4) in the figure, i.e. after the Service starts and connects, the target component returns data to the source component. Similarly, startActivityForResult is also an ICC method in which the target component returns data to the source component after it is started. Unlike bindService, it must pass an Intent to the source component when returning data, so we need to save that Intent and, in the help method, call the method of the source component that receives the Intent.
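As an added illustration (not the patent's own code, whose listings survive only as images above), the following Java sketch shows the BindService/MainActivity pair from the bindService example after steps B1 to B5: the rewritten constructor, getIntent(), dummyMain and ICCHelper.help replace the bindService call so that a static analyser such as FlowDroid sees one direct call path from the source component into the destination component and back. The field names mIntent, mConn and mFlags, the placeholder package and action strings, and the exact callback order in dummyMain are assumptions.

```java
import android.app.Activity;
import android.app.Service;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.ServiceConnection;
import android.os.Binder;
import android.os.Bundle;
import android.os.IBinder;

// Destination component C2 after instrumentation (steps B1 to B4). This code is
// written to be analysed by FlowDroid, not run on a device: the Service is never attached.
class BindService extends Service {
    // Inner Binder class handed to the client, as in the original listing.
    public class MyBinder extends Binder {
        public BindService getService() { return BindService.this; }
    }
    private final IBinder mBinder = new MyBinder();

    // B1: one local variable per parameter of m1 = bindService(Intent, ServiceConnection, int).
    // Field names are assumptions.
    private Intent mIntent;
    private ServiceConnection mConn;
    private int mFlags;

    // The original no-argument constructor is kept so the class remains a valid Service.
    public BindService() {}

    // B2: rewritten constructor saves every parameter of m1 into the local variables.
    public BindService(Intent intent, ServiceConnection conn, int flags) {
        mIntent = intent;
        mConn = conn;
        mFlags = flags;
    }

    // B3: getIntent() returns the Intent saved from m1 (Service has no getIntent() of its own).
    public Intent getIntent() { return mIntent; }

    @Override
    public IBinder onBind(Intent intent) { return mBinder; }

    // B4: dummyMain calls the lifecycle and callback methods in the order the framework
    // would after bindService with BIND_AUTO_CREATE: onCreate, onBind, onServiceConnected.
    public void dummyMain() {
        onCreate();                               // Service created
        IBinder binder = onBind(getIntent());     // Service bound
        // Placeholder package name: an unattached Service cannot look up its own package.
        mConn.onServiceConnected(new ComponentName("placeholder.pkg", getClass().getName()), binder);
    }
}

// B5: auxiliary class whose static help(...) takes exactly the parameters of m1.
final class ICCHelper {
    static void help(Intent intent, ServiceConnection conn, int flags) {
        BindService target = new BindService(intent, conn, flags); // rewritten constructor
        target.dummyMain();                                        // lifecycle + callbacks
    }
}

// Source component C1: its bindService(...) call (line 12 of the original listing) is
// replaced by ICCHelper.help(...), giving the analyser a direct path into C2 and back.
class MainActivity extends Activity {
    private BindService.MyBinder mBinder;

    private final ServiceConnection mConn = new ServiceConnection() {
        @Override
        public void onServiceConnected(ComponentName name, IBinder service) {
            mBinder = (BindService.MyBinder) service;  // data returned from C2 to C1
        }
        @Override
        public void onServiceDisconnected(ComponentName name) { mBinder = null; }
    };

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = new Intent("placeholder.action.BIND");  // implicit Intent, as in the text
        // Original ICC call: bindService(intent, mConn, Context.BIND_AUTO_CREATE);
        ICCHelper.help(intent, mConn, Context.BIND_AUTO_CREATE);
    }
}
```

The same pattern serves startActivityForResult by additionally saving the result Intent in C2 (intent_to_1 in step B6-3) and having help pass it to the source component's receiving method, as steps B6-4 and B6-5 describe.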
In summary, the Android inter-component communication data flow detection method based on taint analysis adopts new design logic. First, the ICC links containing explicit or implicit Intents are obtained for the Android application; then each ICC link is modified by code instrumentation to form an executable ICC test link, and the links whose two components realize a communication connection with each other are kept as the ICC links to be processed; finally, internal communication connections among all components involved in the links to be processed are established and data flow analysis is carried out, realizing inter-component data flow analysis of the Android application under test. Because the data flow analysis takes the communication connections among the application's components into account, inter-component communication is detected efficiently and accurately, and taint analysis across Android application components gives better results.
The embodiments of the present invention have been described in detail with reference to the drawings, but the present invention is not limited to the above embodiments, and various changes can be made within the knowledge of those skilled in the art without departing from the gist of the present invention.

Claims (7)

1. An Android inter-component communication data flow detection method based on taint analysis, used to realize data flow analysis between components in an Android application under test, characterized by comprising the following steps:
step A, for each component in the Android application under test, obtaining the ICC links, each of which contains an Intent representing the interaction between two components and used to activate communication between them, then entering step B;
step B, for each ICC link, modifying the link by code instrumentation to form an executable ICC test link and judging whether the two components corresponding to the link realize a communication connection with each other; obtaining each ICC link whose two components realize the connection as an ICC link to be processed, then entering step C;
step C, according to the communication connection between the two components of each ICC link to be processed, establishing the internal communication connections among all components involved in the ICC links to be processed and performing data flow analysis, realizing inter-component data flow analysis of the Android application under test.
2. The Android inter-component communication data flow detection method based on taint analysis according to claim 1, characterized in that: in step A, for each component in the Android application under test, the IC3 tool is applied to obtain the ICC links, each containing an Intent representing the interaction between two components and used to activate communication between them, where an ICC link is represented as:
(C1, m1) → (C2, m2)
where C1 denotes the source component, C2 denotes the destination component, m1 denotes the method locally included in the source component C1 that invokes the Intent representing the interaction between C1 and C2, and m2 denotes the lifecycle method locally included in the destination component C2 that is started when C2 is reached.
3. The Android inter-component communication data flow detection method based on taint analysis according to claim 1 or 2, characterized in that: the Intent comprises component, action, category, data, type, extra and flags, where component denotes the destination component, action denotes the operation that the destination component receiving the Intent can perform, category denotes the type information that the destination component receiving the Intent can handle, data denotes the data the Intent is to access, type denotes a description of that data, extra denotes extension information, and flags denotes the flag bits of the intended Intent operating mode.
4. The Android inter-component communication data flow detection method based on taint analysis according to claim 1 or 2, characterized in that: the Intent comprises explicit Intents and implicit Intents; in an explicit Intent the component is a known destination component, while in an implicit Intent the component is unknown and the destination component is determined from at least one of action, category and data.
5. The Android inter-component communication data flow detection method based on taint analysis according to claim 2, characterized in that: in step B, each ICC link is modified by code instrumentation according to the following steps B1 to B6 to form an ICC test link, and whether the two components corresponding to the link realize a communication connection with each other is determined;
step B1, according to the types of all parameters of m1, creating a corresponding local variable for each of them in the destination component C2, then entering step B2;
step B2, rewriting the constructor of the destination component C2 so that all parameters of m1 are saved into the local variables of C2, then entering step B3;
step B3, rewriting the getIntent() method of the destination component C2 so that it returns the Intent of m1 saved locally in C2, then entering step B4;
step B4, creating a dummyMain method locally in the destination component C2 that calls, in order, the lifecycle methods and callback methods executed after C2 is started, then entering step B5;
step B5, creating the auxiliary class ICCHelper locally in the destination component C2 and writing a static method help in it whose parameters are all the parameters of m1, where help first calls the rewritten constructor of C2 to create an instance of C2 and then calls the dummyMain method of that instance, then entering step B6;
step B6, constructing the test of the internal communication connection of the ICC link between the source component C1 and the destination component C2, which judges whether the two components corresponding to the ICC link realize a communication connection with each other.
6. The Android inter-component communication data flow detection method based on taint analysis according to claim 5, characterized in that: in step B6, the test of the internal communication connection of the ICC link between the source component C1 and the destination component C2, which judges whether the two components corresponding to the ICC link realize a communication connection with each other, is constructed according to the following steps B6-1 to B6-5;
step B6-1, based on the locally included m1, the source component C1 initiates an internal communication connection request towards the destination component C2, and it is determined whether C2 returns data to C1; if yes, entering step B6-2; otherwise, judging that the two components corresponding to the ICC link cannot realize a communication connection with each other;
step B6-2, through the static method help in the auxiliary class ICCHelper local to C2, calling the method local to C2 that returns an Intent to the source component C1 in reply to m1, and judging whether C1 receives the Intent from C2; if yes, entering step B6-3; otherwise, judging that the two components corresponding to the ICC link cannot realize a communication connection with each other;
step B6-3, creating in the destination component C2 a local variable intent_to_1 representing the Intent that the source component C1 receives from C2, and creating in C2 a method getIntentTo1 that returns the local variable intent_to_1, then entering step B6-4;
step B6-4, through the static method help in the auxiliary class ICCHelper local to C2, calling the method getIntentTo1 of C2 and storing the result as curI, then entering step B6-5;
step B6-5, through the static method help in the auxiliary class ICCHelper local to C2, calling the method of the source component C1 that receives the Intent, with the result stored as curI, and determining that the two components corresponding to the ICC link can realize an internal communication connection with each other.
7. The Android inter-component communication data flow detection method based on taint analysis according to claim 1, characterized in that: in step C, according to the communication connection between the two components of each ICC link to be processed, the internal communication connections among all components involved in the ICC links to be processed are established, and FlowDroid is applied to perform data flow analysis, realizing inter-component data flow analysis of the Android application under test.
CN202210059722.9A 2022-01-19 2022-01-19 Android inter-component communication data flow detection method based on taint analysis Withdrawn CN114077737A (en)

Publication: CN114077737A, published 2022-02-22
