
Design And Implementation Of Code Detection Tool For Android Platform

Posted on: 2016-03-13
Degree: Master
Type: Thesis
Country: China
Candidate: C B Jiao
GTID: 2348330512470966
Subject: Software engineering

Abstract/Summary:
In recent years, smartphones have become more and more popular, and their popularity has led to the rapid development of mobile applications with powerful functions. At the same time, HTML5-based applications are becoming more and more popular among developers and users due to their good portability. However, while users enjoy the powerful functions that smartphones bring, they also face information security concerns: third-party applications abuse permissions and reveal private data, and HTML5-based mobile applications face the risk of code injection attacks. It is therefore very important to design and implement a code detection tool for mobile applications.

In this paper, the author aimed to address permission abuse and HTML code injection vulnerabilities in Android applications by using static analysis techniques to design and implement a code detection tool for Android applications. First, the paper analyzes the workflow, the users' requirements and the functions of the system. On the basis of this analysis, it presents the system design and the detailed design. Finally, it completes the implementation of the system.

The system's functions consist of three parts. The first part unzips the APK file and decompiles the class.dex file into a machine-executable DDX file with the decompiler Dedexer. The DDX file is then sent to a match query, and after this matching process the types and number of APIs called by the application are shown. The second part decompiles the AndroidManifest.xml file into a readable format and then uses the XML parsing tool JDOM to parse it. For AndroidManifest.xml files, the analysis follows the two tags <permission> and <uses-permission> to find the system permissions and custom permissions. It then lists the detected permissions and APIs that may cause privacy leaks or permission abuse. The third part preprocesses the HTML files, finds all the vulnerable APIs and rewrites them. It produces a file containing all the JS files after processing, and then builds an extended call graph. On this call graph, we look for unsafe APIs, identify the inputs of the unsafe APIs, find the code injection channels and determine whether the application is vulnerable.

Finally, we test and analyze APKs from the application market. The results show that the tool is capable of detecting whether an application reveals private data or abuses permissions, and whether it is vulnerable to code injection attacks.
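The second stage described in the abstract (reading `<permission>` and `<uses-permission>` from the decoded manifest), as an added example that is not code from the thesis: it uses Python's `xml.etree.ElementTree` in place of JDOM, and the sample manifest, the `SENSITIVE` set and the `android.permission.` prefix heuristic are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Illustrative subset of privacy-relevant platform permissions (assumption, not the thesis's list).
SENSITIVE = {"android.permission.READ_CONTACTS", "android.permission.SEND_SMS",
             "android.permission.ACCESS_FINE_LOCATION", "android.permission.RECORD_AUDIO"}

# Constructed sample of an already-decoded AndroidManifest.xml.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="com.example.notes.permission.SYNC"/>
  <uses-permission android:name="com.example.other.permission.READ_DATA"/>
  <permission android:name="com.example.notes.permission.SYNC"
      android:protectionLevel="normal"/>
  <application android:label="Notes"/>
</manifest>"""


def analyze_manifest(xml_text):
    """Split requested permissions into system and custom, and flag sensitive ones."""
    # The manifest comes from an untrusted APK: refuse DTDs so entity tricks never reach the parser.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE not allowed in manifest")
    root = ET.fromstring(xml_text)
    report = {"package": root.get("package"), "system": [], "custom": [],
              "sensitive": [], "declared_custom": {}}
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID + "name")
        if not name:
            continue  # malformed entry without android:name
        # Heuristic (assumption): platform permissions live under android.permission.*
        bucket = "system" if name.startswith("android.permission.") else "custom"
        report[bucket].append(name)
        if name in SENSITIVE:
            report["sensitive"].append(name)
    for elem in root.iter("permission"):
        name = elem.get(ANDROID + "name")
        if name:
            # protectionLevel defaults to "normal" when the attribute is absent
            report["declared_custom"][name] = elem.get(ANDROID + "protectionLevel", "normal")
    return report


if __name__ == "__main__":
    for key, value in analyze_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```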
Keywords/Search Tags:Android, Static analysis, detection of permission, HTML code injection attack