The Design And Realization Of Android Application Vulnerability Excavation Engine Based On Dynamic And Static Scanning Technology

With the growing popularity of the hardware and software technology and the continuous development of mobile Internet, mobile communications and intelligent terminal have entered every family, and changing the way of people’s living, work and entertainment.Among many mobile operating systems, Android operating system with its unique advantages has the largest market share.However, with the increasing of the users of Android operating systems,the number of applications based on Android platform just like a blowout. Although the Android operating system itself provides a relatively robust security mechanisms such as sandboxing, permissions mechanism,etc.With the continuous malicious attacks and security researches on the Android system security, Android system is still exposed to a lot of security vulnerabilities, such as Android system vulnerabilities which lead to the elevation of privilege problems,privacy disclosures, protocol vulnerabilities etc.According to the recent statistics of some big companies and institutions, the number of Android application vulnerabilities still shows a substantial increase and has been a serious threat to the security of the Android system. Therefore, this paper discusses the requirements of the vulnerability scanning engine based on static and dynamic analysis technology.Also introduces the Android system existing security mechanisms and the advantages and disadvantages of static and dynamic analysis technology. At last the paper introduces the design and realization of Android application vulnerability excavation engine based on dynamic and static scanning technology. First,parse the decompiled Smali code and build the Smali Tree and Android application control flow graph.Through the analysising and extracting of the Android application vulnerabilities,complete the static part of the system.Then this paper also completes the design and realization of Android applications local denial of service vulnerability based on Fuzzing.By sending the malformed data to the exposed components to make the application crash and find the vulnerabilities.Finally the experimental results show the availability and stability of the system.For each type of the vulnerability detections are keeping at a high accuracy rate and low false rate.In the concluding section of the paper is summarized the work of the system and lookout the future prospects.