The Research Of Android Application Vulnerability Detection Technology Based On Static Taint Analysis

As the largest mobile Internet traffic entrance,Android mobile phone promote social development.At the same time,because of the existence of a large number of application vulnerabilities,it also caused a huge threat to people's information security.The automatic detection method of Android application vulnerabilities is mainly focused on the taint analysis technology,in which the static taint analysis technology has been widely concerned due to the high code coverage and simple operation process.However,the current static taint analysis tools are mostly in the field of academic research.When applied to the actual vulnerability mining work,it will have a lot of problems.First,the current static taint analysis tools have high demand for hardware,and they are almost impossible to detect large Android applications.Second,the analysis procedure will analyze a lot of useless goals,resulting in the lack of pertinence to targeted vulnerability.Finally,the static taint analysis technique is insensitive to the analysis path and therefore produces a large number of false positives.In order to solve the above problems,this paper has improved the traditional static taint analysis technology,designed and implemented a new Android application vulnerability detection system STDroid.On the one hand,STDroid system inherits the advantages of traditional static taint analysis.On the other hand,STDroid adds three improved technologies.They are the wrapper of the analysis to system library functions,selecting analysis target based on the context and the use of symbol execution technology to filter the analysis results.To a certain extent,STDroid solves the performance bottlenecks in static taints taint analysis of large Android application,and improves the relevance of the analysis process and the accuracy of vulnerability detection.The main contributions of this paper are as follows:1.This paper summarizes the key technologies of Android application vulnerability detection by static taint analysis,analyzes the existing problems of traditional static taint analysis tools and sets out the corresponding improvement goals.2.Through the research of Android application structure,an improved scheme of system library function analysis encapsulation is proposed.And according to the Android and Java official API instructions,the system library functions were classified and the corresponding model of the analysis were build,to optimize the performance of the taint analysis.3.The improved scheme of based on context selection analysis is designed and the feasibility of the scheme is proved theoretically.Based on the function call context and the user's existing knowledge,the scheme can locate the vulnerability target to avoid the invalid analysis.It also improve the pertinence and efficiency of the vulnerability detection.4.The improved scheme of static symbol execution filtering analysis is designed.The improved scheme use the symbol execution technology's advantage in solving the program execution conditions satisfaction to check whether the path results of the taint analysis is really reachable.At result,the scheme filters the majority of false positives caused by the path-insensitive characteristics.5.Based on static taint analysis technology and improved design,to achieve a fast,targeted,high accuracy Android application vulnerability detection system STDroid.And through a series of comparative tests to prove that STDroid on the commercial Android application vulnerability detection feasibility.