Research On Third-party Library Access Control Method In Android Applications

Mobile devices are widely used because they can meet people's daily demand.Android is favored by application developers and consumers because of its openness.Unfortunately,the security of Android devices is getting worse.The security of application software has received widespread attention,and the third-party library has made application software security issues more serious.This is because the third-party library has all the permissions of the application,and the Android native system's security mechanism cannot control the illegal access behavior of third-party libraries in the application software.For the access control of third-party libraries,it is roughly divided into two solutions:extending the Android security mechanism or rewriting the application.However,there have been problems such as inconvenient deployment of third-party library access control rules and incompleteness of access control rules for third-party libraries.Therefore,we proposed a third-party library access control method for developers in this thesis.To avoid modifying Android system and APK files,our solution deploys the third-party library access control policies during application development.We further improved the access control rules for third-party libraries by analyzing the access methods of sensitive resource on devices.The research work of this thesis is as follows:(1)We analyzed and summarized the ideas and problems of the existing research works,which related to third-party library access control.Extending the Android security mechanism will intensify Android fragmentation.Rewriting the APK file will destroy the signature information of original APK file.Therefore,those solutions have drawback during deploying access control policies.In addition,we find that the access control rules of existing solutions are imperfect.(2)We proposed a developer-oriented third-party library access control policy deployment scheme.During application development,developers assign reasonable permissions to third-party libraries based on documentation and program features.According to the developer's setting of permissions to third-party libraries,analyzing the security of system API calls in third-party libraries.Recording third-party library's behaviors which is related to unscrupulously access sensitive resources.Completing the code reconstruction of the third-party library based on the analysis results.Replacing or instrumenting the system API call that has a security issue.After code refactoring,the deployment of third-party library access control policies is completed,so that the behavior of third-party libraries accessing sensitive resources meets the access control policy.In addition,we improved the access control rules for third-party libraries by analyzing and summarizing the methods for accessing sensitive device resources.(3)We implemented the prototype based on the proposed solution,a third-party library access control policies deployment tool.Through theoretical analysis and experiments,the results show that our solution can facilitate the deployment of access control policies and achieve effective access control to third-party libraries.Moreover,the performance overhead of the access control module is negligible for the user experience.