Study Of Android Application Inter-component Communication Vulnerability Detection Method

In recent years,with the rapid development of mobile Internet technology and the widespread use of smart devices,Android system has increasingly become one of the most popular operating systems in smartphones.Undoubtedly,the applications running in this system also have lots of downloads and usage.However,as the current smartphone operating platform with the highest market share,Android applications,just like their operating systems,expose a lot of security issues while facilitating people's lives and work,such as the leakage and theft of user data.It not only occurs in a single component of an application,but also between components within the application or even between applications,through the Inter-Component Communication mechanism(ICC)in the process of component call and data transfer.This paper focuses on the research work of Android application components using the ICC mechanism.First,understand the architecture of Android system,understand the basic components of Android application,and conduct a detailed study on ICC,and analyze the existence of this mechanism.Defects and summarizes several common types of ICC vulnerabilities,and then propose a method for detecting communication vulnerabilities between components by summarizing the characteristics of these vulnerabilities.The main research contents and research results of this paper are as follows:(1)Introduce the research background and research significance of Android application vulnerability detection,and then describe the research status at home and abroad,next summarize the theoretical knowledge of Android security mechanism and its application basis,and combine a large amount of reference to summarize several Android application ICC vulnerability.(2)Through study of the principle of each ICC vulnerability,and detailed analysis of the reasons for their occurrence,generalize the feature of these vulnerabilities,as a classification method before the implementation of the Test,to match the corresponding vulnerability type,for the detection work ready.The innovations of this paper include:(1)Aiming at the ICC vulnerability caused by components involving multiple applications,such as data tampering caused by component hijacking,there is no good detection scheme.A static detection method based on component call set and constructing control flow graph based on it is proposed.(2)Aiming at the problem that the efficiency of detection is ineffective in the Test of data injection vulnerability,a component security analysis algorithm is proposed.Based on this,a method of detecting non-secure components by combining static analysis with dynamic fuzzy Testing is detected.Theoretical analysis and experimental results show that this method reduces the time required to Test safety components and improves the detection efficiency.(3)Aiming at an ICC method using an implicit intent usually requires manually analyzing the source code of Android application and the component information in the manifest file,so that the source component can be connected to the target component receiving the intent,which will be preparing for the next analysis.This paper implements a source component and target component automatic matching program by extracting relevant parameters of ICC method in application and combining with java language to improve the speed and efficiency of detection.