Research And Implementation Of Source Codes Security Detection System On Android Platform

With the rapid development of mobile internet,Android intelligent terminal is playing an increasingly important role in people's life.Due to the open source characteristics of Android system and the weak intensity of checking software in Google Play,the malicious application in Android intelligent terminal is becoming more and more rampant.Information leakage,information deleted,phone hacking,theft of funds and so on have been serious threat to Android users.For the increasingly rampant attacks in Android intelligent terminal,commonly used methods are static detection technique and dynamic detection technique.The static detection technology is widely attended and applied because of its advantages such as code full coverage,mining automation,high efficiency and so on.But,it has some defects such as high rate of misdiagnosis and omissive judgment,dealing unknown malicious codes lag and so on,that is because the static detection technology mainly uses signature detection method and signature verification method to detect the malicious behavior in applications,or just uses the PC application security detection technology to detect Android application.In order to solve above problems,Android system and Android applications are deeply researched in this paper.On the basis of common static detection technology,the Android source code security detection system based on perfect information flow is designed.Comparing with signature detection method,signature verification method,or the method using PC application security detection technology to detect Android application,this system has advantages such as high automatic scan rate with millions of code lines per hour,high accuracy of result with the misdiagnosis rate of less than 30%and the omissive judgment rate of less than 35%,dealing unknown malicious codes lag and so on.The main work of this paper is as follows:First,the common vulnerabilities and loopholes of Android application in OWASP MOBILE TOP 10 are summarized.The causes of vulnerabilities and loopholes in Android application,the main technology and method of static detection and so on are researched and analysised.Then,from the functional and non-functional requirement,the detail requirement and the design scheme are carried out.In this paper,the system is divided into code parser module,control flow analysis module,data flow analysis module,rule base design and analysis module,application of malicious behavior analysis module.According to the rules,application of malicious behavior analysis module scans the AST,which is the result of code analysis module,uses the result of control flow analysis module and data flow analysis module to analyze the critical data stream information in program,and the gets the coding vulnerabilities and defects in Android application.Process diagrams,figures,tables and so on are used to analyze and design these five modules in detail,and finally completes the systemic design work.Next,according to the results of systemic design,Java language,XML language and ANTLR,which is an open source tool,are used to realize code-analysis engine module,rule management module,report management module and the Swing interface.Code-analysis engine is the core of this system and consists of six modules:code parser,control flow analysis,data flow analysis,structural analysis,security analysis dispatching,security analysis interface.Code-analysis engine automatically analyzes the application source codes according to the rule files provided by the rule management module and gives the detection results to the report management module.Then all the development work of the system is completed in this paper.A number of open source codes in Android platform are scanned with this system,the rate of misdiagnosis and omissive judgment are analyzed in this paper.What's more,the results of our experiment are compared with the scan results of HP Fortify SCA to validate the feasibility of this system.Finally,the main research conclusion is summarized and the drawbacks and limits of the designed system are pointed out in this paper.The system designed in this paper does not have a complete rule base compared with business software Fortify,moreover,if the system is to expand the rules of the system library,it is necessary to further study Android system security,Android application security,code defects,coding standards and so on.And this also indicates the further research work.