一种跨APP组件间隐私泄露自动检测方法

doi:10.7544/issn1000-1239.2019.20180548

计算机研究与发展 ›› 2019, Vol. 56 ›› Issue (6): 1252-1262.doi: 10.7544/issn1000-1239.2019.20180548

一种跨APP组件间隐私泄露自动检测方法

李振^1,2，汤战勇^1,2，李政桥^1,2，王海¹，龚晓庆¹，陈峰¹，陈晓江^1,2，房鼎益^1,2

¹（西北大学信息科学与技术学院西安 710075）；²（陕西省无源物联网国际联合研究中心西安 710075) (rongzhenl@stumail.nwu.edu.cn)

出版日期: 2019-06-01
基金资助:
国家自然科学基金项目(61672427)；陕西省国际合作项目(2017KW-008)；陕西省国际合作计划 (2019KW-009)；陕西省重点研发计划 (2017GY-191)；陕西省创新团队(2018SD0011)

An Automatic Detection Method for Privacy Leakage Across Application Components

Li Zhen^1,2, Tang Zhanyong^1,2, Li Zhengqiao^1,2, Wang Hai¹, Gong Xiaoqing¹, Chen Feng¹, Chen Xiaojiang^1,2， Fang Dingyi^1,2

¹（School of Computer Science and Technology, Northwest University, Xi’an 710075）；²（Shaanxi International Joint Research Centre for the Battery-free Internet of Things, Xi’an 710075)

Online: 2019-06-01
Supported by:
This work was supported by the National Natural Science Foundation of China (61672427), the International Cooperation Program of Shaanxi Province (2017KW-008), the International Cooperation Program of Shaanxi Province(2019KW-009), the Key R&D Project of Shaanxi Province (2017GY-191), and the Innovation Research Team of Shaanxi Province (2018SD0011).

摘要/Abstract

摘要： 近年来，Android操作系统发展迅猛，大量的移动用户使用Android智能设备作为私人通信和工作的工具.Android移动用户的隐私信息随之成为黑色产业从业者的主要攻击目标之一.现有的隐私检测研究主要集中于解决Android应用程序内部的隐私泄露风险，包括程序组件内隐私泄露、组件间隐私泄露以及组件间通信(inter-component communication, ICC)漏洞的检测.然而在实际环境中，不同应用程序间通过协作获取用户隐私的行为广泛存在，这造成大量用户隐私信息被泄露的风险.如何有效检测和防止跨APP组件间隐私泄露是亟待解决的问题.然而Android应用程序中组件数量庞大并且存在大量与跨APP间隐私泄露无关的组件.因此在应用程序之间如何检测可能存在的隐私泄露路径面临严峻的挑战.针对该问题，提出一种构建潜在泄露隐私的组件序列的方法，并利用数据流分析技术实现一个跨APP组件间隐私泄露的检测系统PLDetect.PLDetect解决了现有技术存在的检测结果滞后的问题以及代码覆盖率不全的问题.最后，PLDetect在隐私泄露路径的基础上，使用一种基于加密的隐私泄露防护方法对隐私信息进行加密，保证在不影响应用程序运行时性能的情况下有效阻止隐私数据被恶意传送.最终实验表明，PLDetect在81个应用程序中监测出5组应用程序存在跨APP组件间隐私泄露问题并有效阻断了隐私数据的泄露.

关键词: Android安全, 隐私泄露, 静态分析, 数据流分析, 污点分析

Abstract: In recent years, Android operating system has developed rapidly. A large number of mobile users use Android smart devices as tools for personal communication and work. The privacy information of Android mobile users has become one of the main targets of black industry practitioners. Existing privacy detection research mainly focuses on addressing privacy leakage risk within Android applications, including the detection of privacy leakage within program components, the detection of privacy leakage between components, and the detection of ICC vulnerability. Actually, the behavior of sharing users’ privacy through collaboration among application components is widespread, which causes a large number of users’ privacy information to be leaked. How to effectively detect and prevent privacy leakage between application components is an urgent problem. However, the number of components in Android applications is huge and there are plenty of components unrelated to privacy leaks between applications. Therefore, how to detect possible privacy leaks between applications meets a serious challenge. Aiming at this problem, this paper presents a method to construct a component sequence with potential privacy leaks, and the method uses data flow analysis technology to realize a detection system for privacy leakage between application components, named PLDetect. PLDetect solves the problem of incomplete coverage of code and lagging detection results in the existing technology. Finally, based on the privacy leak path, PLDetect utilizes an encryption-based privacy leak protection method to encrypt privacy information, ensuring that information is effectively prevented from being maliciously transmitted without affecting application runtime performance. The final experiment shows that PLDetect detects 5 groups of applications with privacy leaks across application components in 81 applications and effectively blocks privacy data leaks.

Key words: Android security, privacy leakage, static analysis, data-flow analysis, taint analysis

中图分类号:

TP393.0

李振，汤战勇，李政桥，王海，龚晓庆，陈峰，陈晓江，房鼎益. 一种跨APP组件间隐私泄露自动检测方法[J]. 计算机研究与发展, 2019, 56(6): 1252-1262.

Li Zhen, Tang Zhanyong, Li Zhengqiao, Wang Hai, Gong Xiaoqing, Chen Feng, Chen Xiaojiang， Fang Dingyi. An Automatic Detection Method for Privacy Leakage Across Application Components[J]. Journal of Computer Research and Development, 2019, 56(6): 1252-1262.

	作者相关文章
	李振
	汤战勇
	李政桥
	王海
	龚晓庆
	陈峰
	陈晓江
	房鼎益

[1]	于畅, 王雅文, 林欢, 宫云战. 基于故障检测上下文的等价变异体识别算法[J]. 计算机研究与发展, 2021, 58(1): 83-97.
[2]	郭方方, 王欣悦, 王慧强, 吕宏武, 胡义兵, 吴芳, 冯光升, 赵倩. 基于最大频繁子图挖掘的动态污点分析方法[J]. 计算机研究与发展, 2020, 57(3): 631-638.
[3]	王蕾,何冬杰,李炼,冯晓兵. 基于稀疏框架的静态污点分析优化技术[J]. 计算机研究与发展, 2019, 56(3): 480-495.
[4]	乐洪舟,张玉清,王文杰,刘奇旭. Android动态加载与反射机制的静态污点分析研究[J]. 计算机研究与发展, 2017, 54(2): 313-327.
[5]	姜淑娟,韩寒,史娇娇,张艳梅,鞠小林,钱俊彦. 基于分支相关性分析的不可达路径检测方法[J]. 计算机研究与发展, 2016, 53(5): 1072-1085.
[6]	路晔绵,应凌云,苏璞睿,冯登国,靖二霞,谷雅聪. Android Settings机制应用安全性分析与评估[J]. 计算机研究与发展, 2016, 53(10): 2248-2261.
[7]	张慧琳,丁羽,张利华,段镭,张超,韦韬,李冠成,韩心慧. 基于敏感字符的SQL注入攻击防御方法[J]. 计算机研究与发展, 2016, 53(10): 2262-2276.
[8]	孟小峰,张啸剑. 大数据隐私管理[J]. 计算机研究与发展, 2015, 52(2): 265-281.
[9]	张玉清,方喆君,王凯,王志强,乐洪舟,刘奇旭,何远,李晓琦,杨刚. Android安全漏洞挖掘技术综述[J]. 计算机研究与发展, 2015, 52(10): 2167-2177.
[10]	魏强武泽慧王清贤. 基于内存依赖关系度量的解密数据提取方法[J]. 计算机研究与发展, 2014, 51(7): 1547-1554.
[11]	董龙明, 王戟, 陈立前, 董威,. 基于局部堆内存抽象表示的堆操作程序内存泄露检测[J]. , 2012, 49(9): 1832-1842.
[12]	周虹伯金大海宫云战. 基于域敏感指向分析的区间运算在软件测试中的应用[J]. , 2012, 49(9): 1852-1862.
[13]	赵云山宫云战周傲王前周虹伯. 静态缺陷检测中的误报消除技术研究[J]. , 2012, 49(9): 1822-1831.
[14]	王雅文, 姚欣洪, 宫云战, 杨朝红,. 一种基于代码静态分析的缓冲区溢出检测算法[J]. , 2012, 49(4): 839-845.
[15]	王雷陈归金茂忠. 基于约束分析与模型检测的代码安全漏洞检测方法研究[J]. , 2011, 48(9): 1659-1666.

一种跨APP组件间隐私泄露自动检测方法

An Automatic Detection Method for Privacy Leakage Across Application Components

RichHTML

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

本文评价