Research On Key Technology Of Android Vulnerability Detection

Posted on: 2022-03-03
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J W Qin
GTID: 1488306326980349
Subject: Computer Science and Technology
Abstract/Summary:
The rapid development of mobile applications has made people's lives more convenient. When people use mobile applications, they often inadvertently upload photos, phone numbers, identity information and other sensitive data to the network, which makes the security of mobile applications crucial. Although mobile applications are updated and developed extremely quickly, developers mainly focus on implementing features and improving the user experience. They pay little attention to app security, which leads to security issues across mobile applications as a whole. This thesis studies the key technologies of vulnerability detection on the Android platform and has achieved the following research results:

1. To address the poor generalization of analysis and verification methods in app vulnerability detection research, this thesis comprehensively studies the vulnerabilities related to apps' network functions and proposes a scalable app vulnerability detection method. To verify the effectiveness of the method, a detection tool (VulArcher) was implemented. Through manual analysis of 400 apps, we found that API misuse is the main cause of app vulnerabilities. The vulnerabilities caused by API misuse are the risk of incorrect certificate verification (CWE-295: ICV), the WebView remote code execution vulnerability (CVE-2014-1939: WRCEV), the WebView bypass certificate verification vulnerability (CVE-2014-5531: WBCVV), and the Alibaba Cloud OSS credential information disclosure vulnerability (CNVD-2017-09774: ACOCDV). This thesis comprehensively analyzes the severity of these four vulnerabilities and the hazards they cause, proposes analysis methods and repair suggestions for each vulnerability, and proposes a complete workflow for vulnerability verification. To make the vulnerability analysis method generalizable, this thesis divides the above four vulnerabilities into three categories based on their behavior: overriding methods (Cat1: OM), using unsafe settings (Cat2: USS) and sensitive information disclosure (Cat3: DLSI), and summarizes the analysis methods for the three categories. Based on this analysis, this thesis proposes a detection method (VulArcher) for vulnerabilities caused by API misuse. VulArcher supports vulnerability detection for both packed and unpacked apps. For the above four vulnerabilities, the average detection accuracy of VulArcher can reach 91%.

2. To address the false positives in vulnerability detection caused by the lack of semantics in app vulnerability features, this thesis proposes a context-aware abstract representation of vulnerabilities based on code slices, the Code Information Stack (CIS). Learning-based app vulnerability detection can reduce the labor cost of rule-based detection, which relies heavily on manual rule extraction. At present, however, vulnerability features lack semantics. To retain the semantics of an app vulnerability feature, this thesis proposes CIS as a feature abstraction method for app vulnerabilities. It extracts from an app only the code variables related to vulnerabilities. To eliminate the influence of variable naming on the model, the custom function names and variable names in a feature are formatted uniformly. The resulting feature retains the semantic logic and contains no noise data. To verify the effectiveness of CIS, this thesis proposes VulDGArcher, a deep learning detection model for app vulnerabilities based on the Bi-LSTM algorithm. Experimental results show that the vulnerability detection accuracy of this model can reach 96%. Compared with vulnerability detection models that use the abstract syntax tree (AST) or the source code as the feature, VulDGArcher achieves better metric values.

3. To address the low coverage of automated driving methods in dynamic detection of Web vulnerabilities in Android applications (apps), this thesis proposes an automated dynamic detection method for Web vulnerabilities driven by a UI event call graph. Apps do not contain the source code of their dynamically loaded Web functions, so current automated dynamic vulnerability detection drives those Web functions poorly. This thesis identifies and builds the driver events of the UI event call graph for the elements of each UI page of the app without relying on the app's source code. To enrich the types of driver events, it also builds inter-process communication driver events for an app. Based on these driver events, this thesis proposes UIMDroid, a method for automatically driving apps. This method can effectively drive the Web functions of apps automatically. Based on this method, a dynamic detection method for Web vulnerabilities of apps was implemented. The average code coverage of the proposed method can reach 57.8%. Compared with the existing tools Monkey, Dynodroid, GUIRipper and Acteve, the average code coverage of UIMDroid is 17% higher on the same data set and in the same experimental environment.

4. To address inconsistent data transmission between the client and the server and inconsistent conditional logic processing in Android system services, this thesis proposes a vulnerability fuzzing method for Android native services based on the client association relationship. At present, research on vulnerability detection for Android native services pays little attention to inconsistent data transmission between the client and the server and inconsistent conditional logic processing. This thesis analyzes the vulnerability detection methods for Android native services and proposes a fuzzing method for native services from the perspective of the client association relationship. This method uses the abstract syntax tree (AST) to extract data types. Based on a genetic algorithm and a priority strategy, a test case construction method supporting multi-parameter mutation is proposed. Based on these methods, an effective automatic fuzzing tool (BArcherFuzzer) for Android native services was implemented. BArcherFuzzer can obtain more interface parameter types from the perspective of the client interface, which facilitates the discovery of deep vulnerabilities, and its genetic-algorithm-based data mutation method can speed up coverage growth and improve test efficiency. Using this tool, this thesis found 4 vulnerabilities from hundreds of crash messages; 3 of them were confirmed by Google, and 1 was assigned a Common Vulnerabilities and Exposures (CVE) number (CVE-2020-0363).
Keywords/Search Tags:Android Vulnerability, Automatic Testing, Android Vulnerability Detection, Semantic Vulnerability Feature, Fuzzing