Evaluation For Information Security Of Android Application Based On Penetration Test

Posted on: 2017-05-19
Degree: Master
Type: Thesis
Country: China
Candidate: G L Wang
GTID: 2308330503453762
Subject: Computer Science and Technology
Abstract/Summary:
With the improvement and development of the Android system, smartphones running Android have gained the highest share of the smartphone market, and Android has become the most popular smartphone operating system. Owing to the rapid development of mobile phone hardware and of the Android system, both the number and the variety of Android applications have grown rapidly. These applications touch every aspect of our lives and bring unprecedented convenience to daily life and work.

As the Android family has grown stronger, more and more security issues relating to Android applications have appeared: viruses and malicious code that steal the private data of users and applications and cause property damage to users; Android system vulnerabilities or application design flaws that cause information security issues; and information leakage caused by an application's weakness in maintaining information security, which malicious applications can exploit.

The traditional way to protect the information security of Android applications is to detect external malicious applications or dangerous code, for example with mobile antivirus programs and phone guardian tools. This protects an application's information from external malicious applications, but pays less attention to testing and strengthening the application's own capability to guarantee information security. The traditional method therefore cannot respond comprehensively to the outbreak of information security threats. This paper focuses on improving an Android application's capability to guard information security.

Based on fifteen principal criteria, derived by summarizing and analyzing the vulnerabilities and design flaws that have had an extensive influence on the information security of Android applications in recent years, this paper designs and implements a penetration testing system with a C/S architecture. Through a message session mechanism and a reflection mechanism, the system can call Agent application code remotely to achieve some special penetration testing functions. The penetration testing system uses a plug-in mode, so new information security vulnerabilities can be added dynamically and continually.

Android applications run on an operating system based on the Linux 2.6 kernel. In addition to the traditional penetration testing techniques used on Linux systems, such as file traversal and SQL injection, this paper studies and designs a series of penetration testing techniques aimed at the information security of Android applications. These mainly include penetration testing techniques for Android components, in which information security issues occur frequently; for WebView, which has caused widespread information security problems in recent years; and for library files, among others. Together, these techniques can cover all issues that threaten information security because of an Android application's weakness in maintaining information security.

To evaluate an Android application's capability to safeguard information, this paper uses the analytic hierarchy process (AHP) to establish an evaluation model. In AHP, the key to the quantitative analysis of a qualitative problem is constructing a judgment matrix that meets the requirements of objective reality and consistency. To analyze the objectivity of the evaluation model, we compare the data of the AHP evaluation model with the data of the CVE-CVSS database, and the judgment matrix that satisfies the objectivity requirement is later used directly in the ANP evaluation model. For the vulnerabilities and design flaws detected by the penetration test, the proposed evaluation model can evaluate the application's capability to defend against information security threats. After penetration testing and evaluating 355 applications from different categories, the result data show that the system can perform effective penetration tests and produce objective and credible evaluations.
Keywords/Search Tags: information security, evaluation model, android application, Analytic Hierarchy Process, penetration test
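
The consistency requirement on the AHP judgment matrix described in the abstract can be checked with Saaty's consistency ratio. The following is an added example, not code from the thesis: the five test areas are the ones the abstract names, while the pairwise judgments, the severity scale, the scoring formula and all function names are assumptions made for illustration.

```python
# Added example, not the thesis's code: AHP weights plus Saaty consistency check.
# Saaty's random consistency index (RI) by matrix order n.
RI = {3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}

# Test areas named in the abstract; the pairwise judgments are constructed.
AREAS = ["components", "webview", "library files", "file traversal", "sql injection"]
JUDGMENTS = [
    [1,   2,   4,   5, 3  ],
    [1/2, 1,   3,   4, 2  ],
    [1/4, 1/3, 1,   2, 1/2],
    [1/5, 1/4, 1/2, 1, 1/3],
    [1/3, 1/2, 2,   3, 1  ],
]

def ahp_weights(m, iterations=100):
    """Principal eigenvector (priority weights) and lambda_max by power iteration."""
    n = len(m)
    w = [1.0 / n] * n
    for _ in range(iterations):
        v = [sum(m[i][j] * w[j] for j in range(n)) for i in range(n)]
        w = [x / sum(v) for x in v]
    mw = [sum(m[i][j] * w[j] for j in range(n)) for i in range(n)]
    return w, sum(mw[i] / w[i] for i in range(n)) / n

def consistency_ratio(m):
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1); CR < 0.10 is acceptable."""
    n = len(m)
    _, lambda_max = ahp_weights(m)
    return ((lambda_max - n) / (n - 1)) / RI[n]

def evaluate(m, severities, max_cr=0.10):
    """Assumed scoring: 1 - weighted severity (each severity in [0, 1])."""
    n = len(m)
    if any(abs(m[i][j] * m[j][i] - 1) > 1e-9 for i in range(n) for j in range(n)):
        raise ValueError("judgment matrix is not reciprocal")
    cr = consistency_ratio(m)
    if cr >= max_cr:
        raise ValueError(f"inconsistent judgments: CR={cr:.2f}")
    weights, _ = ahp_weights(m)
    return 1.0 - sum(w * s for w, s in zip(weights, severities))

if __name__ == "__main__":
    weights, _ = ahp_weights(JUDGMENTS)
    for area, w in zip(AREAS, weights):
        print(f"{area:15s} {w:.3f}")
    print("CR =", round(consistency_ratio(JUDGMENTS), 3))
    # Constructed findings: a WebView issue (0.8) and a SQL injection issue (0.5).
    print("score =", round(evaluate(JUDGMENTS, [0, 0.8, 0, 0, 0.5]), 3))
```

A matrix with circular preferences (A over B, B over C, C over A) yields a consistency ratio far above 0.10 and is rejected by `evaluate` before any score is produced.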