
Research Of Vulnerability Analysis Method In Android Application Based On Protocol Fuzzing Technology

Posted on: 2017-03-05
Degree: Master
Type: Thesis
Country: China
Candidate: G Z Zhao
Full Text: PDF
GTID: 2348330518995435
Subject: Information security
Abstract/Summary:

Since its introduction, the Android system has had strong support from users and developers. In recent years, the rapid development of the Android system has brought great convenience to society. But Android phones constantly need to connect to different network hotspots, and unstable network environments make it possible for the network data between an Android client and its server to be monitored. What's more, an attacker can inject malicious code into network data to invoke the application without informing the user, or even inject a virus directly into the user's phone. It is therefore urgent to study the principle of using the network to inject code into Android applications, along with methods for analyzing and mining vulnerabilities in Android applications.

Traditional Android application vulnerability analysis and mining methods are mostly based on static analysis and dynamic testing. Static analysis mainly targets negligence at the code layer or unreasonable design at the business layer, but it has many shortcomings, such as a high false-positive rate and weak pertinence. Dynamic testing is used when the source code is unknown: the program is run, semi-valid data is fed to it, and the feedback is used to judge whether a vulnerability exists. Dynamic testing also has shortcomings, such as low code coverage and possible omissions.

This paper combines static analysis and dynamic testing and proposes a vulnerability analysis method for Android applications based on protocol fuzzing technology. The core of this method is to analyze how network data can be used to inject code into an Android application, with the final goal of analyzing and mining Android application vulnerabilities. The main contents are as follows.

(1) Study the Android platform security mechanism and the causes of Android application vulnerabilities. Research the WebView component and the principle of malicious code injection.

(2) Study three types of Android vulnerability: JavaScript injection, SQL injection and cross-site scripting. In addition, this paper studies how to use a man-in-the-middle position to inject code into an Android application.

(3) Study Android vulnerability detection methods and fuzzing technology. Combining static analysis and dynamic testing, this paper designs an Android application vulnerability analysis scheme based on protocol fuzzing technology.

(4) According to the scheme, this paper implements an Android application vulnerability analysis system. This system can analyze and mine vulnerabilities by injecting code into Android applications.
Keywords/Search Tags: Fuzzing, WebView, Android, Vulnerability Analysis, Code Injection