Security Analysis and Enhancement of Third-Party Android Push Service

doi:10.7544/issn1000-1239.2016.20150528

Abstract

Abstract: Push service is becoming a basic service for smartphone applications. Many companies, including official and third parties, have released their push services. In order to reduce resource cost, some third-party push services share push channels among applications running on the same device and using the same push service, which means that the background push component of one application acts as the push data distribution center for other applications. Due to the lack of considering security attributes such as confidentiality and integrity, the distribution part faces a variety of attacks. In this work we analyze the security issues in the data distribution part of third-party push services on Android. We design a corresponding attack model and implement attacks including eavesdropping, data tampering, forgery and replay attacks. During our experiments, it shows that most of the third-party Android push services using shared channels are subject to these attacks. It may cause some security hazards such as user privacy leakage and phishing attack. To mitigate the above threats, we propose SecPush which is a security enhancement scheme for Android push service. SecPush secures data distribution by introducing encryption and HMAC algorithm. Experimental results show that SecPush can effectively protect push data against eavesdropping, data tampering, forgery and replay attacks.

Key words: Android, push service, data distribution, shared channel, security analysis, security enhancement

CLC Number:

TP309

Lu Yemian, Li Yifu, Ying Lingyun, Gu Yacong, Su Purui, Feng Dengguo. Security Analysis and Enhancement of Third-Party Android Push Service[J]. Journal of Computer Research and Development, 2016, 53(11): 2431-2445.

	Articles by Authors
	Lu Yemian
	Li Yifu
	Ying Lingyun
	Gu Yacong
	Su Purui
	Feng Dengguo

[1]	Jia Yingxia, Lang Congyan, Feng Songhe. A Semantic Segmentation Method of Traffic Scene Based on Categories-Aware Domain Adaptation [J]. Journal of Computer Research and Development, 2020, 57(4): 876-887.
[2]	Liu Qixu, Liu Xinyu, Luo Cheng, Wang Junnan, Chen Langping, Liu Jiaxi. Android Browser Fingerprinting Identification Method Based on Bidirectional Recurrent Neural Network [J]. Journal of Computer Research and Development, 2020, 57(11): 2294-2311.
[3]	Li Zhen, Tang Zhanyong, Li Zhengqiao, Wang Hai, Gong Xiaoqing, Chen Feng, Chen Xiaojiang， Fang Dingyi. An Automatic Detection Method for Privacy Leakage Across Application Components [J]. Journal of Computer Research and Development, 2019, 56(6): 1252-1262.
[4]	Wang Lei, He Dongjie, Li Lian, Feng Xiaobing. Sparse Framework Based Static Taint Analysis Optimization [J]. Journal of Computer Research and Development, 2019, 56(3): 480-495.
[5]	Zhang Lei, Yang Zhemin, Li Mingqi, Yang Min. TipTracer: Detecting Android Application Vulnerabilities Based on the Compliance with Security Guidance [J]. Journal of Computer Research and Development, 2019, 56(11): 2315-2329.
[6]	Meng Yan, Li Shaofeng, Zhang Yichi, Zhu Haojin, Zhang Xinpeng. Cyber Physical System Security of Smart Home Platform [J]. Journal of Computer Research and Development, 2019, 56(11): 2349-2364.
[7]	Li Jie, Hong Tao, Wang Xingwei, Huang Min, Guo Jing. A Data Dissemination Mechanism Based on Group Structure in Opportunistic Mobile Social Networks [J]. Journal of Computer Research and Development, 2019, 56(11): 2494-2505.
[8]	Tang Benxiao, Wang Lina, Wang Run, Zhao Lei, Wang Danlei. A Defensive Method Against Android Physical Sensor-Based Side-Channel Attack Based on Differential Privacy [J]. Journal of Computer Research and Development, 2018, 55(7): 1371-1392.
[9]	Yue Hongzhou, Zhang Yuqing, Wang Wenjie, Liu Qixu. Android Static Taint Analysis of Dynamic Loading and Reflection Mechanism [J]. Journal of Computer Research and Development, 2017, 54(2): 313-327.
[10]	Zhang Mi, Yang Li, Zhang Junwei. FuzzerAPP：The Robustness Test of Application Component Communication in Android [J]. Journal of Computer Research and Development, 2017, 54(2): 338-347.
[11]	Lu Yemian, Ying Lingyun, Su Purui, Feng Dengguo, Jing Erxia, Gu Yacong. Security Analysis and Evaluation for the Usage of Settings Mechanism in Android [J]. Journal of Computer Research and Development, 2016, 53(10): 2248-2261.
[12]	Chen Tieming, Yang Yimin, Chen Bo. Maldetect: An Android Malware Detection System Based on Abstraction of Dalvik Instructions [J]. Journal of Computer Research and Development, 2016, 53(10): 2299-2306.
[13]	Wang Xiaoyan, Chen Jinchuan, Guo Xiaoyan, Du Xiaoyong. A Nash-Pareto Strategy Based Automatic Data Distribution Method and Its Supporting Tool [J]. Journal of Computer Research and Development, 2015, 52(9): 1965-1975.
[14]	Zhang Yuqing, Fang Zhejun, Wang Kai, Wang Zhiqiang, Yue Hongzhou, Liu Qixu, He Yuan, Li Xiaoqi, Yang Gang. Survey of Android Vulnerability Detection [J]. Journal of Computer Research and Development, 2015, 52(10): 2167-2177.
[15]	Zhang Yuqing, Wang Kai, Yang Huan, Fang Zhejun, Wang Zhiqiang, and Cao Chen. Survey of Android OS Security [J]. Journal of Computer Research and Development, 2014, 51(7): 1385-1396.

Security Analysis and Enhancement of Third-Party Android Push Service

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 15

Recommended Articles

Metrics

Comments