Reasearch On Privacy Leakage And Security Of Third Party SDK In Android Ecosystem

According to IDC's statistics,in the first quarter of 2017,the Android system accounted for 85.0%of the share of mobile operating system.The huge user community of the Android system has led to a huge application market.A large number of applications are put into the market every day,such as Google Play,wandoujia,and so on.To shorten the application development time,many Android developers include third-party SDKs in their apps.Thirdparty SDKs are toolkits developed by third-party service companies such as advertising platforms,data providers,social network,and map service providers.These third party SDKs has become an important part of the Android ecosystem.For example,in the mobile bicycle application,developers use many third-party services such as BaiduMap,Bugly,qiniu,Sina,wechat,Alipay and so on.In addition,many popular third party services are used in a large number of applications,and the number of users of these applications is over million.However,if an SDK contains security vulnerabilities,all the apps that include it would become vulnerable,which affects the security of the Android ecosystem severely.Therefore,we select 129 popular third-party SDK in the market and make comprehensive analysis of their security.The third-party SDK is not an application that does not run independently so that we analyze the demo application of the third-party SDK as the analysis object.In order to improve the accuracy of the analysis,we used the effective analysis methods in the analysis of A ndroid applications,including static taint tracking,dynamic taint tracking and dynamic binary instrumentation,and built a static and dynamic analysis framework for the third-party SDK security.The results showed that over 60% of the selected SDK contained various vulnerabilities(such as misuse of HTTP,improper configuration of SSL/TLS,abuse of sensitive privileges,identity recognition,local service,information leakage through logging,and developer's fault),which makes the users of the related applications face with huge security risks.