An Empirical Study Of Unstandard Protocols In Android Apps

Posted on: 2018-10-14
Degree: Master
Type: Thesis
Country: China
Candidate: Y H Zhang
GTID: 2428330596489265
Subject: Electronics and Communications Engineering

Abstract/Summary:
With the rapid development of the Internet, the Android mobile computing platform has become a fundamental device in the lives of millions of people in a remarkably short time. Users rely on mobile devices not only for daily life and entertainment, but also to do business and manage their finances. Every day, users handle, store, and share sensitive data on their mobile terminals, including telephone and SMS data, geographical position, bank card numbers and even passwords. Nowadays, a large number of Android apps actively request users to enter private data as one of the means of identifying them, so more and more users are concerned with how apps guarantee the security of sensitive data sent over the Internet.

Android apps rely on secure communication protocols to ensure the confidentiality of sensitive data in transit. However, security protocols cost more time and effort, so inexperienced developers tend to adopt insecure communication and introduce security risks. At present, existing techniques for sensitive data analysis use static or dynamic taint analysis to detect potential vulnerabilities in Android apps. However, there is no systematic research on insecure communication protocols in Android apps, especially on unstandard protocols.

To address the limitations of existing methods and study how prevalent insecure communication protocols are in real-world Android apps, we conducted an in-depth analysis of popular apps from the Google Play and MyApp Android app markets and monitored the communication of those apps. Finally, we investigated the unstandard protocols to find potentially insecure implementations. We designed and implemented RawDroid, a protocol audit system that combines network monitoring and program analysis techniques to systematically inspect the security of unstandard protocols. The results demonstrate that a large number of developers frequently use unstandard protocols, leading to leakage of users' personal information. We believe this kind of protocol poses a great security threat to the Android ecosystem.

In this paper, we make the following contributions:

· We conduct an in-depth analysis of insecure network communications in Android apps, which provides a panoramic view of the usage of insecure communication in Android apps.
· We present RawDroid, a protocol audit system that analyzes the security of data transmission through unstandard protocols in Android, and use it to perform a large-scale evaluation of unstandard protocols.
· Our study demonstrates that transferring data through unstandard protocols is common in modern Android apps. However, most of them fail to protect the data due to security flaws.

Keywords/Search Tags:Android apps, Unstandard protocol, Security, Program analysis