高级检索

    Android应用第三方推送服务安全分析与安全增强

    Security Analysis and Enhancement of Third-Party Android Push Service

    • 摘要: 推送服务已成为移动智能终端应用的一个基础服务,各大手机平台及互联网公司相继推出了各自的推送服务供应用程序开发者使用.为了降低资源消耗,部分第三方Android推送服务采用共享通道的设计方式,在设备上使用某个应用的推送后台组件作为其他应用推送数据的分发中心.由于缺乏针对数据机密性、完整性、不可伪造性等安全需求的设计与实现,数据分发环节面临多种攻击的威胁.分析了使用共享通道的第三方Android推送服务在数据分发环节存在的安全问题,通过在攻击程序中Hook相关API调用的方法,实现了针对其他应用推送数据的窃听、篡改、伪造和重放攻击,实验结果表明:大部分共享通道的第三方Android推送服务无法抵抗这些攻击,可能造成用户隐私数据泄露和钓鱼攻击等实际危害.在上述研究的基础上,设计并实现了Android应用推送服务安全增强方案SecPush,使用加密算法及HMAC运算提供推送数据分发环节的安全保护,实验结果表明:SecPush提高了推送数据的安全性,可有效抵挡窃听、篡改、伪造和重放等攻击行为.

       

      Abstract: Push service is becoming a basic service for smartphone applications. Many companies, including official and third parties, have released their push services. In order to reduce resource cost, some third-party push services share push channels among applications running on the same device and using the same push service, which means that the background push component of one application acts as the push data distribution center for other applications. Due to the lack of considering security attributes such as confidentiality and integrity, the distribution part faces a variety of attacks. In this work we analyze the security issues in the data distribution part of third-party push services on Android. We design a corresponding attack model and implement attacks including eavesdropping, data tampering, forgery and replay attacks. During our experiments, it shows that most of the third-party Android push services using shared channels are subject to these attacks. It may cause some security hazards such as user privacy leakage and phishing attack. To mitigate the above threats, we propose SecPush which is a security enhancement scheme for Android push service. SecPush secures data distribution by introducing encryption and HMAC algorithm. Experimental results show that SecPush can effectively protect push data against eavesdropping, data tampering, forgery and replay attacks.

       

    /

    返回文章
    返回