| With the advent of the ear of mobile internet, the majority share of smart mobile operating system is occupied by the Android. However, Android security is worth concerned. In recent years, high risky vulnerabilities have been discovered in Android.Those defects would bring huge potential security issue for users. Security researcherspay very close attention to the safety of the Android system and its App market. In thispaper, we study the Android vulnerabilities and its classification. Furthermore, an extensible Android vulnerability scanning engine base on LUA scripts is developed.Firstly, Android system architecture is analyzed. The architecture of Android is a layered design that consists of kernel layer, Native layer, framework layer and application layer. For each layer, the function is presented and security mechanism is investigated. As Application Signing, Application Sandbox and Android Permission model are most important to Android, we specify the function and principle respectively. Finally, according to the model, brand and OS, shows the severity of Android fragmentation and the caused problems.Secondly, we have analysis the number of Android vulnerability exploded every year. Our research has demonstrated that a rapidly upward trend of vulnerabilities. Then we introduced the definitions and the classification of software vulnerabilities provided up to now. Three better-known classification what have been introduced in detail are RISOS classification, PA classification and Aslam classification. Then, this paper introduced how they classification the software vulnerabilities at Microsoft and CWE in practical engineering. Finally, we have classified the Android vulnerabilities in terms of the environment the vulnerability take advantage of and the reason for the vulnerability based on experiences of the past.Finally, an extensible scanning engine for Android based on scripts is designed. The four parts of the engine are script parser, supplement model, vulnerability trigger model and log and report model, respectively. Then, we take a look at each of these model specific design and realization and discuss the realization of various types of Android vulnerabilities scanning plug-in based on this scan engine. Finally, a series of plug-ins is written for all types of vulnerability based on our scanning engine. By running the program on a virtual machine, the availability and reliability of the engine is confirmed. |
PDF Full Text Request