At present, with the spread of the latest communication technology, mobile phones have gradually taken over the role previously held by computers. In the 2009 statistics the proportion of mobile Internet users was only 60.8%, and by 2018 this figure had reached 98.6%. In this situation, more and more companies choose to present their services to users not as web pages but as mobile phone applications, and many service and content providers, large enterprises included, now offer applications that connect to their own servers and communicate with the devices their customers use. For these applications, the interface used to provide a service on the mobile side differs considerably from the corresponding interface on the web side: the working logic of a web API and of the mobile API with the same function are not exactly the same. At the same time, the security of these mobile phone users urgently needs more attention. With such a large user base, any security problem can cause economic loss or privacy leakage for many people.

Against this background, we automatically extract and analyze the private web interfaces called from the native function layer, in order to discover the differences between the web interfaces of the native function layer and those of the Java function layer, and then analyze the security vulnerabilities that exist in them. We first reviewed related work, including automated extraction, protection of online privacy, and different Android automated testing tools; we also carried out manual verification, which confirmed that the native function layer exposes network interfaces entirely different from those of the Java function layer. This confirmed our initial conjecture and laid the foundation for the subsequent tool design.

In the overall tool design, we first automatically discover the private Java APIs that are not disclosed in the documentation of these Android applications, and on that basis find and automatically extract the APIs called from the native functions. First, we decompile the application package and analyze it as a whole, using static analysis to find all Activities that call the web interface of the native function. Our system then runs the discovered Activities in a virtual machine with the Android system installed and generates a script that exercises the network function. By executing this script we monitor the HTTP request and response information of the native-layer network functions in these Activities, completing the dynamic acquisition of both the native-function and the Java-function APIs through automated testing and extraction; the difference between the two is then analyzed by comparing the obtained results. We also built a local security testing platform that automatically performs security-related analysis of the obtained native-layer APIs, produces an analysis report and a security evaluation, and classifies the applications and their security features according to the extracted API characteristics and application characteristics.

We verified our conclusions experimentally: we tested a large number of applications with high download counts, and for each application we ran the complete process from static path construction, through dynamic simulated clicking, to local submission for analysis. In this process we successfully obtained data from more than one hundred application tests. From these tested applications a total of nearly 20,000 URLs were extracted, and among these URLs we found a total of 11 types of vulnerabilities, three of which belong to the categories we are concerned with (CSRF, CRLF, XSS). This also shows that the network interfaces of native functions do have security problems. This work still has open problems, such as incomplete automatic traversal and relatively preliminary security testing.
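As an added example, not code from the thesis or its tool, the following Python script illustrates the comparison and analysis steps described above: it takes HTTP request/response records captured from both the Java layer and the native layer, normalizes each request to an endpoint, reports which endpoints are reached only from the native layer, and runs passive checks on those native-only endpoints for the three vulnerability categories the abstract names (plaintext transport and missing anti-CSRF tokens, CR/LF characters in response headers, and unencoded reflection of request parameters in HTML). The capture format, the hostnames under `example-shop.test`, and the list of anti-CSRF token names are all constructed assumptions for this example.

```python
"""Compare Java-layer and native-layer HTTP captures from an Android app and run
passive security checks on the endpoints that only the native layer uses.
Example added for illustration; all records below are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed capture records (hypothetical app, hostnames under example-shop.test).
# Each record is one observed request/response pair tagged with the layer that issued it.
CAPTURED = [
    {"layer": "java", "method": "GET",
     "url": "https://api.example-shop.test/v1/items/1234?lang=en",
     "req_headers": {"Authorization": "Bearer tok"}, "req_body": "",
     "resp_headers": {"Content-Type": "application/json"}, "resp_body": '{"id":1234}'},
    {"layer": "java", "method": "POST",
     "url": "https://api.example-shop.test/v1/cart",
     "req_headers": {"Authorization": "Bearer tok", "Content-Type": "application/json"},
     "req_body": '{"item":1234}',
     "resp_headers": {"Content-Type": "application/json"}, "resp_body": '{"ok":true}'},
    {"layer": "native", "method": "GET",
     "url": "https://api.example-shop.test/v1/items/5678?lang=en",
     "req_headers": {"Authorization": "Bearer tok"}, "req_body": "",
     "resp_headers": {"Content-Type": "application/json"}, "resp_body": '{"id":5678}'},
    {"layer": "native", "method": "POST",
     "url": "http://legacy.example-shop.test/account/update",
     "req_headers": {"Cookie": "session=abc",
                     "Content-Type": "application/x-www-form-urlencoded"},
     "req_body": "email=a%40b.test",
     "resp_headers": {"Content-Type": "text/html", "Set-Cookie": "lang=en\r\nX-Debug: 1"},
     "resp_body": "<html>Updated</html>"},
    {"layer": "native", "method": "GET",
     "url": "https://legacy.example-shop.test/search?q=%3Cb%3Eshoes%3C%2Fb%3E",
     "req_headers": {"Cookie": "session=abc"}, "req_body": "",
     "resp_headers": {"Content-Type": "text/html"},
     "resp_body": "<html>Results for <b>shoes</b></html>"},
]

# Assumed parameter/header names that indicate an anti-CSRF token is present.
CSRF_TOKEN_NAMES = {"csrf_token", "_token", "x-csrf-token", "x-xsrf-token"}


def normalize_endpoint(url):
    """Collapse a concrete URL to an endpoint: numeric path segments become {id},
    query values are dropped and only the sorted parameter names are kept."""
    parts = urlsplit(url)
    path = re.sub(r"/\d+(?=/|$)", "/{id}", parts.path)
    keys = ",".join(sorted(parse_qs(parts.query, keep_blank_values=True)))
    return f"{parts.scheme}://{parts.netloc}{path}" + (f"?{keys}" if keys else "")


def compare_layers(records):
    """Split (method, endpoint) pairs into shared, Java-only and native-only sets."""
    seen = {"java": set(), "native": set()}
    for r in records:
        seen[r["layer"]].add((r["method"], normalize_endpoint(r["url"])))
    return {"shared": seen["java"] & seen["native"],
            "java_only": seen["java"] - seen["native"],
            "native_only": seen["native"] - seen["java"]}


def _request_params(r):
    """Merge query-string and form-body parameters into one name -> [values] map."""
    params = parse_qs(urlsplit(r["url"]).query, keep_blank_values=True)
    if r["req_headers"].get("Content-Type", "").startswith("application/x-www-form-urlencoded"):
        for name, values in parse_qs(r["req_body"], keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    return params


def audit_record(r):
    """Passive heuristics over one captured exchange; returns a list of finding labels."""
    findings = []
    params = _request_params(r)
    req_headers_lc = {k.lower(): v for k, v in r["req_headers"].items()}
    if urlsplit(r["url"]).scheme == "http":
        findings.append("plaintext-http")
    # Cookie-authenticated state-changing request without any recognizable CSRF token.
    if r["method"] in {"POST", "PUT", "PATCH", "DELETE"} and "cookie" in req_headers_lc:
        names = [n.lower() for n in list(params) + list(req_headers_lc)]
        if not any(n in CSRF_TOKEN_NAMES for n in names):
            findings.append("csrf-token-missing")
    # A bare CR or LF inside a header value is the signature of header (CRLF) injection.
    for name, value in r["resp_headers"].items():
        if "\r" in value or "\n" in value:
            findings.append(f"crlf-in-response-header:{name}")
    # A parameter carrying HTML-significant characters echoed verbatim into an HTML body.
    if r["resp_headers"].get("Content-Type", "").startswith("text/html"):
        for name, values in params.items():
            if any(any(c in v for c in '<>"\'') and v in r["resp_body"] for v in values):
                findings.append(f"unencoded-reflection:{name}")
    return findings


def audit_native_only(records):
    """Run audit_record over every capture whose endpoint is reachable only via native code."""
    native_only = compare_layers(records)["native_only"]
    report = {}
    for r in records:
        key = (r["method"], normalize_endpoint(r["url"]))
        if r["layer"] == "native" and key in native_only:
            report[key] = sorted(set(report.get(key, [])) | set(audit_record(r)))
    return report


if __name__ == "__main__":
    for endpoint, findings in audit_native_only(CAPTURED).items():
        print(endpoint, findings)
```

The checks are deliberately passive: they only inspect traffic that the instrumented Activities already produced, so the same logic can run over any capture the dynamic stage records, and each label maps to a manual follow-up rather than claiming a confirmed vulnerability.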