ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development, 2016, Vol. 53, Issue (11): 2431-2445. doi: 10.7544/issn1000-1239.2016.20150528

Security Analysis and Enhancement of Third-Party Android Push Service

Lu Yemian¹, Li Yifu², Ying Lingyun¹,³, Gu Yacong¹, Su Purui¹,³, Feng Dengguo¹

  1. Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190
  2. National Computer Emergency Response Team and Coordination Center of China, Beijing 100029
  3. School of Computer and Control Engineering, University of Chinese Academy of Sciences, Beijing 101408

Online: 2016-11-01

Abstract: Push service is becoming a basic service for smartphone applications. Many companies, both official providers and third parties, have released their own push services. To reduce resource cost, some third-party push services share push channels among applications that run on the same device and use the same push service, which means that the background push component of one application acts as the push data distribution center for the other applications. Because security attributes such as confidentiality and integrity are not considered, this distribution part is exposed to a variety of attacks. In this work we analyze the security issues in the data distribution part of third-party push services on Android. We design a corresponding attack model and implement eavesdropping, data tampering, forgery and replay attacks. Our experiments show that most third-party Android push services that use shared channels are subject to these attacks, which may lead to security hazards such as user privacy leakage and phishing. To mitigate these threats, we propose SecPush, a security enhancement scheme for Android push services. SecPush secures data distribution by introducing encryption and an HMAC algorithm. Experimental results show that SecPush effectively protects push data against eavesdropping, data tampering, forgery and replay attacks.

Key words: Android, push service, data distribution, shared channel, security analysis, security enhancement
