Zhang Lei, Yang Zhemin, Li Mingqi, Yang Min. TipTracer: Detecting Android Application Vulnerabilities Based on the Compliance with Security Guidance[J]. Journal of Computer Research and Development, 2019, 56(11): 2315-2329. DOI: 10.7544/issn1000-1239.2019.20190348

TipTracer: Detecting Android Application Vulnerabilities Based on the Compliance with Security Guidance

Published Date: October 31, 2019

Abstract: Many security vulnerabilities are caused by the unsafe use of library programming interfaces. To protect applications from security attacks, library designers provide security tips to help developers use security-sensitive APIs correctly. However, developers often fail to follow security tips, which can introduce vulnerabilities into their programs. To evaluate the scale and impact of this problem, we conduct the first systematic, large-scale study of security tips and their violations in Android apps. Our study shows that existing security tips are less effective than intended, because of their imprecise descriptions, misleading sample code, incorrect default settings, fragmentation (they are scattered across different sources), and the lack of compliance checks. As a result, a significant portion of the Android apps we analyze are found to be vulnerable. To help app developers follow security guidance, we propose TipTracer, a framework for verifying Android security tips automatically and efficiently. TipTracer contains a security property language that formally describes the constraints expressed in security tips and a static code analyzer that checks whether applications satisfy them. We demonstrate the effectiveness, efficiency and usability of TipTracer on a large set of real-world apps.
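As an added illustration, not TipTracer's own property language or analyzer (the abstract does not detail either), the Python sketch below shows the shape of such a compliance check: two tips from Android's published security guidance are reduced to checkable constraints on API arguments and evaluated over constructed call records of the kind a static analyzer would extract. The record format, rule format, tip names and file names are assumptions.

```python
"""Toy checker for Android security tips (constructed illustration, not TipTracer's
own property language or analyzer): each tip becomes one constraint on one argument
of one security-sensitive API, and call records stand in for static-analysis output."""
import re
from dataclasses import dataclass

@dataclass
class ApiCall:
    api: str      # fully qualified method name
    args: tuple   # statically resolved argument values; None = unresolved
    site: str     # source location reported with the finding

@dataclass
class Tip:
    name: str
    api: str
    arg_index: int
    forbidden: str  # regex over the argument value; a match is a violation

TIPS = [
    # Android crypto guidance: a bare "AES" falls back to ECB; spell out algorithm/mode/padding.
    Tip("cipher-default-ecb", "javax.crypto.Cipher.getInstance", 0, r"^AES$|/ECB/"),
    # Android HTTPS guidance: never install a verifier that accepts every hostname.
    Tip("allow-all-hostname", "javax.net.ssl.HttpsURLConnection.setHostnameVerifier",
        0, r"AllowAllHostnameVerifier"),
]

def check(calls, tips=TIPS):
    """Return (tip name, call site, offending value) for every violation; an
    unresolved argument is reported too rather than silently counted as compliant."""
    findings = []
    for tip in tips:
        for call in calls:
            if call.api != tip.api:
                continue
            value = call.args[tip.arg_index] if tip.arg_index < len(call.args) else None
            if value is None:
                findings.append((tip.name, call.site, "<unresolved>"))
            elif re.search(tip.forbidden, value):
                findings.append((tip.name, call.site, value))
    return findings

# Constructed call records, as a static analyzer might extract them from an app.
SAMPLE_CALLS = [
    ApiCall("javax.crypto.Cipher.getInstance", ("AES",), "Crypto.java:12"),
    ApiCall("javax.crypto.Cipher.getInstance", ("AES/GCM/NoPadding",), "Crypto.java:30"),
    ApiCall("javax.crypto.Cipher.getInstance", (None,), "Legacy.java:8"),
    ApiCall("javax.net.ssl.HttpsURLConnection.setHostnameVerifier",
            ("org.apache.http.conn.ssl.AllowAllHostnameVerifier",), "Net.java:41"),
]
```

Running `check(SAMPLE_CALLS)` flags the bare "AES" transformation, the call whose argument the analysis could not resolve, and the permissive hostname verifier, while the AES/GCM call passes.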
