ISSN 1000-1239 CN 11-1777/TP

计算机研究与发展 ›› 2019, Vol. 56 ›› Issue (6): 1252-1262.doi: 10.7544/issn1000-1239.2019.20180548

• 信息安全 • 上一篇    下一篇

一种跨APP组件间隐私泄露自动检测方法

李振1,2,汤战勇1,2,李政桥1,2,王海1,龚晓庆1,陈峰1,陈晓江1,2,房鼎益1,2   

  1. 1(西北大学信息科学与技术学院 西安 710075);2(陕西省无源物联网国际联合研究中心 西安 710075) (rongzhenl@stumail.nwu.edu.cn)
  • 出版日期: 2019-06-01
  • 基金资助: 
    国家自然科学基金项目(61672427);陕西省国际合作项目(2017KW-008);陕西省国际合作计划 (2019KW-009);陕西省重点研发计划 (2017GY-191);陕西省创新团队(2018SD0011)

An Automatic Detection Method for Privacy Leakage Across Application Components

Li Zhen1,2, Tang Zhanyong1,2, Li Zhengqiao1,2, Wang Hai1, Gong Xiaoqing1, Chen Feng1, Chen Xiaojiang1,2, Fang Dingyi1,2   

  1. 1(School of Computer Science and Technology, Northwest University, Xi’an 710075);2(Shaanxi International Joint Research Centre for the Battery-free Internet of Things, Xi’an 710075)
  • Online: 2019-06-01
  • Supported by: 
    This work was supported by the National Natural Science Foundation of China (61672427), the International Cooperation Program of Shaanxi Province (2017KW-008), the International Cooperation Program of Shaanxi Province(2019KW-009), the Key R&D Project of Shaanxi Province (2017GY-191), and the Innovation Research Team of Shaanxi Province (2018SD0011).

摘要: 近年来,Android操作系统发展迅猛,大量的移动用户使用Android智能设备作为私人通信和工作的工具.Android移动用户的隐私信息随之成为黑色产业从业者的主要攻击目标之一.现有的隐私检测研究主要集中于解决Android应用程序内部的隐私泄露风险,包括程序组件内隐私泄露、组件间隐私泄露以及组件间通信(inter-component communication, ICC)漏洞的检测.然而在实际环境中,不同应用程序间通过协作获取用户隐私的行为广泛存在,这造成大量用户隐私信息被泄露的风险.如何有效检测和防止跨APP组件间隐私泄露是亟待解决的问题.然而Android应用程序中组件数量庞大并且存在大量与跨APP间隐私泄露无关的组件.因此在应用程序之间如何检测可能存在的隐私泄露路径面临严峻的挑战.针对该问题,提出一种构建潜在泄露隐私的组件序列的方法,并利用数据流分析技术实现一个跨APP组件间隐私泄露的检测系统PLDetect.PLDetect解决了现有技术存在的检测结果滞后的问题以及代码覆盖率不全的问题.最后,PLDetect在隐私泄露路径的基础上,使用一种基于加密的隐私泄露防护方法对隐私信息进行加密,保证在不影响应用程序运行时性能的情况下有效阻止隐私数据被恶意传送.最终实验表明,PLDetect在81个应用程序中监测出5组应用程序存在跨APP组件间隐私泄露问题并有效阻断了隐私数据的泄露.

关键词: Android安全, 隐私泄露, 静态分析, 数据流分析, 污点分析

Abstract: In recent years, Android operating system has developed rapidly. A large number of mobile users use Android smart devices as tools for personal communication and work. The privacy information of Android mobile users has become one of the main targets of black industry practitioners. Existing privacy detection research mainly focuses on addressing privacy leakage risk within Android applications, including the detection of privacy leakage within program components, the detection of privacy leakage between components, and the detection of ICC vulnerability. Actually, the behavior of sharing users’ privacy through collaboration among application components is widespread, which causes a large number of users’ privacy information to be leaked. How to effectively detect and prevent privacy leakage between application components is an urgent problem. However, the number of components in Android applications is huge and there are plenty of components unrelated to privacy leaks between applications. Therefore, how to detect possible privacy leaks between applications meets a serious challenge. Aiming at this problem, this paper presents a method to construct a component sequence with potential privacy leaks, and the method uses data flow analysis technology to realize a detection system for privacy leakage between application components, named PLDetect. PLDetect solves the problem of incomplete coverage of code and lagging detection results in the existing technology. Finally, based on the privacy leak path, PLDetect utilizes an encryption-based privacy leak protection method to encrypt privacy information, ensuring that information is effectively prevented from being maliciously transmitted without affecting application runtime performance. The final experiment shows that PLDetect detects 5 groups of applications with privacy leaks across application components in 81 applications and effectively blocks privacy data leaks.

Key words: Android security, privacy leakage, static analysis, data-flow analysis, taint analysis

中图分类号: