Security Analysis and Enhancement of Third-Party Android Push Service

Lu Yemian; Li Yifu; Ying Lingyun; Gu Yacong; Su Purui; Feng Dengguo

doi:10.7544/issn1000-1239.2016.20150528

Journal of Computer Research and Development > 2016 > 53(11): 2431-2445. > DOI: 10.7544/issn1000-1239.2016.20150528 CSTR: 32373.14.issn1000-1239.2016.20150528

Lu Yemian, Li Yifu, Ying Lingyun, Gu Yacong, Su Purui, Feng Dengguo. Security Analysis and Enhancement of Third-Party Android Push Service[J]. Journal of Computer Research and Development, 2016, 53(11): 2431-2445. DOI: 10.7544/issn1000-1239.2016.20150528

Citation:

PDF (2832 KB)

Security Analysis and Enhancement of Third-Party Android Push Service

¹(Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190)
²(National Computer Emergency Response Team and Coordination Center of China, Beijing 100029)
³(School of Computer and Control Engineering, University of Chinese Academy of Sciences, Beijing 101408)

More Information

Published Date: October 31, 2016

Graphical Abstract

Abstract

Abstract

Push service is becoming a basic service for smartphone applications. Many companies, including official and third parties, have released their push services. In order to reduce resource cost, some third-party push services share push channels among applications running on the same device and using the same push service, which means that the background push component of one application acts as the push data distribution center for other applications. Due to the lack of considering security attributes such as confidentiality and integrity, the distribution part faces a variety of attacks. In this work we analyze the security issues in the data distribution part of third-party push services on Android. We design a corresponding attack model and implement attacks including eavesdropping, data tampering, forgery and replay attacks. During our experiments, it shows that most of the third-party Android push services using shared channels are subject to these attacks. It may cause some security hazards such as user privacy leakage and phishing attack. To mitigate the above threats, we propose SecPush which is a security enhancement scheme for Android push service. SecPush secures data distribution by introducing encryption and HMAC algorithm. Experimental results show that SecPush can effectively protect push data against eavesdropping, data tampering, forgery and replay attacks.
- Android,
- push service,
- data distribution,
- shared channel,
- security analysis,
- security enhancement

FullText(HTML)

References (0)

[1]	Zhuang Junjie, Hu Shuang, Hua Baojian, Wang Yang, Pan Zhizhong. Survey of WebAssembly Security[J]. Journal of Computer Research and Development, 2024, 61(12): 3027-3053. DOI: 10.7544/issn1000-1239.202330049
[2]	Luo Yating, He Hongjie, Chen Fan, Qu Lingfeng. Security Analysis of Image Encryption for Redundant Transfer Based on Non-Zero-Bit Number Feature[J]. Journal of Computer Research and Development, 2022, 59(11): 2606-2617. DOI: 10.7544/issn1000-1239.20210558
[3]	Qu Lingfeng, He Hongjie, Chen Fan, Zhang Shanjun. Security Analysis of Image Encryption Algorithm Based on Block Modulation-Scrambling[J]. Journal of Computer Research and Development, 2021, 58(4): 849-861. DOI: 10.7544/issn1000-1239.2021.20200011
[4]	Lu Bingjie, Zhou Jun, Cao Zhenfu. A Multi-User Forward Secure Dynamic Symmetric Searchable Encryption with Enhanced Security[J]. Journal of Computer Research and Development, 2020, 57(10): 2104-2116. DOI: 10.7544/issn1000-1239.2020.20200439
[5]	Meng Yan, Li Shaofeng, Zhang Yichi, Zhu Haojin, Zhang Xinpeng. Cyber Physical System Security of Smart Home Platform[J]. Journal of Computer Research and Development, 2019, 56(11): 2349-2364. DOI: 10.7544/issn1000-1239.2019.20190412
[6]	Geng Xin, Xu Ning, Shao Ruifeng. Label Enhancement for Label Distribution Learning[J]. Journal of Computer Research and Development, 2017, 54(6): 1171-1184. DOI: 10.7544/issn1000-1239.2017.20170002
[7]	Zhou Yanwei, Yang Qiliang, Yang Bo, Wu Zhenqiang. A Tor Anonymous Communication System with Security Enhancements[J]. Journal of Computer Research and Development, 2014, 51(7): 1538-1546.
[8]	Bao Yibao, Yin Lihua, Fang Binxing, Guo Li. Logic-Based Dynamical Security Policy Language and Verification[J]. Journal of Computer Research and Development, 2013, 50(5): 932-941.
[9]	Xu Shiwei, Zhang Huanguo. Formal Security Analysis on Trusted Platform Module Based on Applied π Calculus[J]. Journal of Computer Research and Development, 2011, 48(8): 1421-1429.
[10]	Wu Zhongdong, Xie Weixin, Yu Jianping. A Security Enhancement Method of a Verifiable Threshold Signature Scheme Based on the Elliptic Curve[J]. Journal of Computer Research and Development, 2005, 42(4): 705-710.