ISSN 1000-1239 CN 11-1777/TP

计算机研究与发展 ›› 2017, Vol. 54 ›› Issue (2): 338-347.doi: 10.7544/issn1000-1239.2017.20150993

• 信息安全 • 上一篇    下一篇

FuzzerAPP:Android应用程序组件通信鲁棒性测试

张密,杨力,张俊伟   

  1. (西安电子科技大学网络与信息安全学院 西安 710071) (zmic@sina.cn)
  • 出版日期: 2017-02-01
  • 基金资助: 
    国家自然科学基金项目(61671360,61672409,61672415,61672413,61472310,U1135002);中央高校基本科研业务费项目(JB161505,BDZ011402);信息保障重点实验室开放课题(KJ-14-109)

FuzzerAPP:The Robustness Test of Application Component Communication in Android

Zhang Mi, Yang Li, Zhang Junwei   

  1. (School of Cyber Engineering, Xidian University, Xi'an 710071)
  • Online: 2017-02-01

摘要: 针对Android应用程序的安全性问题,提出一种基于模糊测试方法的组件通信鲁棒性测试方案.首先构造测试集和测试用例,随后将测试用例发送给目标应用程序并收集测试数据,最后对测试数据进行分析.依据测试方案设计并实现了模糊测试工具FuzzerAPP,进而对常用应用程序进行鲁棒性测试.通过对测试数据的分析,发现发送特殊Intent可以导致应用程序的崩溃,甚至引发系统服务的级联崩溃.此外,发现测试集中多款应用程序存在测试模块暴露的问题,可能会导致隐私泄露、拒绝服务等严重安全问题.最后,通过与其他工具的对比,表明测试方法的有效性和测试工具的实用性.

关键词: 安卓, 组件通信, 模糊测试, 鲁棒性, 测试模块暴露

Abstract: The study of Android security has attracted wide attention because of the huge share in operation system market for mobile devices. Aiming at the security issues of Android application, this paper presents a robustness test scheme of application components based on fuzzy testing method. Firstly, a test set and the corresponding test cases are designed. These cases are sent to a target application for collecting and analyzing the test data. Considering the time, efficiency and other factors, the test case is sent to the application components to be tested. Then, the interaction information of the target component in the test process and the statistical analysis of the output data are analyzed. According to the design of test scheme, a platform named as FuzzerAPP is implemented which can test the robustness of the common applications in Android system. Many applications in some famous Android application markets are tested under FuzzerAPP, and the experiments results are collected. By the analysis of the test data, we find that if FuzzerAPP sends a particular Intent to the target application, it will make the application crash or even lead to the cascading breakdown of system services. Besides, there is a test module exposure problem in many applications of the test set, which can cause serious security problems such as privacy leaks and DoS (denial of service attacks). Finally, on contrast of other similar plans in component supporting, test performance, test objectives and Intent construction categories, the results show the effectiveness of the test method and the practicability of the test platform.

Key words: Android, components communication, fuzzy test, robustness, test module exposure

中图分类号: