| With the rapid development and popularization of smart phone, Mobile Internet Security has become one of major security threats at present. Android is the mobile smart device platform which has the largest market share, and becomes the target of numerous malicious codes. Malicious codes can cause enormous damage to the users. Not only can they steal user’s personal privacy and infringe the rights, but also cause serious damage to one’s property. Regularly auditing the security of the smart mobile devices will help to reduce the risk of the system being invaded, and improve the security of the system. However, the current audit system of Android security has many scarcities in comprehensiveness, security and flexibility. Therefore, the research on the method of Android system security audit has an important theoretical significance and practical application value.According to the fact that existing behavior monitoring methods need to either recompile the system or alter the applications which is monitored, while most of them are not comprehensive enough and could not identify the hidden behaviors of malicious codes, a method of Android system malware behavior monitoring based on multi-level and crossview analysis is proposed. It is based on process injection and loadable kernel module technology, which monitors malware behavior in Java level, Native level and Kernel level. Then it obtains the result of behavior monitoring and identify the hidden behaviors by crossview analysis. Under Android simulator environment, the experiment uses 12 kinds of malware which can cover most of the malware behaviors. The results show that the monitoring accuracy rate of malicious behavior reaches to 91.43% and the method can detect the hidden behaviors effectively. It has fine audit granularity and strong practicality.According to the problem that current Android audit systems only detect file integrity or memory integrity which effects the practicality, a method of Android system data integrity detection which combines file and memory is proposed. Firstly, the method detects the file integrity using MD5 hash algorithm based on credible baseline database. Secondly, detect the memory integrity under the conditions of the complete file. Finally, the results of data integrity detection are obtained. Under Android simulator environment, the experiment uses 7 kinds of malware which attack data integrity. The results show that the method can detect the damage to system data integrity caused by malicious codes which use different means of attacks. It has a highly detection accuracy and strong practicality.The prototype system of Android security audit is designed and realized based on two methods above. The content of system audit is contained with malware behavior monitoring, data integrity detection, traffic monitoring, the capturing and analysis of packet, recording log and so on. The audit report is generated at last. The experiment is aiming at Android simulator which is installed with 27 applications and 14 malware. The results show that the system’s comprehensiveness, security and flexibility are satisfactory. It has a high practical value and can be applied to Android system security auditing directly. |