| With the rapid development of the mobile Internet, smartphones have become an indispensable tool in everyday life, and mobile operating systems are developing just as quickly. Android applications have become more diverse and offer more specialized functionality, and applications can share information and collaborate with each other to complete complex tasks. The Android system provides an open activity mechanism that lets an application share specific activities with other applications. An open activity (EA) has two special characteristics relative to other components: 1) An EA often contains key functions that developers want to promote and that can be called by external applications, so its quality is a key factor in promoting those functions effectively. 2) An EA can be executed by any application. If an EA is vulnerable and is exploited by a malicious application, it may cause serious loss to the user. The security of EAs therefore deserves close attention. Much existing research focuses on in-application components or on the invocation relationships between components inside an application. However, an Android application often does not launch its own open activities internally, so open activities are sometimes difficult to cover. To detect security vulnerabilities in open-activity interaction between Android applications, this dissertation proposes a detection method based on static program analysis. The method uses data flow analysis to track the propagation path of the data (Extra) carried in an Intent when Android applications interact through an EA, and analyzes that path to determine whether the EA is vulnerable. Based on the proposed method, we designed and implemented an EA vulnerability detection tool, EADetector, and ran experiments on 500 widely downloaded applications from the application market. We detected a total of 53 vulnerable open activities in 47 applications. Manual verification of the results found two false positives; the rest of the results were confirmed. The experiments show that this method can effectively detect vulnerabilities in EA interaction between Android applications. To test the robustness of open activities, this work also proposes a method for testing them systematically. With this method, a set of proxy applications can be generated as test drivers that launch open activities. First, static analysis is used to parse the APK file and extract the list of open activities together with the keys and types of the data needed to start them; second, this data is filled into a preset template to generate a test-driver application. A prototype tool based on the proposed testing method, EASTER, was developed and evaluated on a number of real applications. The experimental results show that the tested applications contain a total of 65 open activities, 20 of which exhibit vulnerabilities when launched by external applications. |
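
The first step of the testing method described above, extracting the open activity list, shown as an added example; this is not code from EASTER or EADetector. It assumes the APK's `AndroidManifest.xml` has already been decoded to text XML, equates "open" with the manifest's `android:exported` setting, and uses a constructed sample manifest and a hypothetical function name `open_activities`. The Extra keys and types mentioned in the abstract come from code analysis and are not covered here.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android: attributes

# Constructed sample: decoded (text) AndroidManifest.xml of a hypothetical application.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".ShareActivity">
      <intent-filter><action android:name="android.intent.action.SEND"/></intent-filter>
    </activity>
    <activity android:name=".PayActivity" android:exported="true"
              android:permission="com.example.demo.permission.PAY"/>
    <activity android:name="SettingsActivity"/>
    <activity android:name=".InternalActivity" android:exported="false"><intent-filter/></activity>
  </application>
</manifest>
"""

def open_activities(manifest_xml):
    """Return the activities other applications can launch, with filters and guards."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    result = []
    for app in root.iter("application"):
        app_permission = app.get(A + "permission")  # default guard for every component
        for node in app:
            if node.tag not in ("activity", "activity-alias"):
                continue
            name = node.get(A + "name", "")
            if "." not in name or name.startswith("."):  # relative class name
                name = package + ("" if name.startswith(".") else ".") + name
            exported = node.get(A + "exported")
            has_filter = node.find("intent-filter") is not None
            # An explicit attribute wins. If omitted, the legacy default is "exported only
            # when an intent filter exists" (apps targeting API 31+ must set it explicitly).
            is_open = exported == "true" if exported is not None else has_filter
            if is_open:
                result.append({
                    "name": name, "implicit": exported is None,
                    "actions": [a.get(A + "name") for a in node.iter("action")],
                    "permission": node.get(A + "permission") or app_permission,
                })
    return result
```

Entries with `"implicit": True` and no `permission` are the ones to review first: they are reachable by any application only because of the default, not because the developer declared them open.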