
Research And Implementation Of Consistency Analysis Engine For Android Application Privacy Policy And Permission Usage

Posted on: 2022-05-21 | Degree: Master | Type: Thesis
Country: China | Candidate: D Z Du | Full Text: PDF
GTID: 2518306338468424 | Subject: Computer technology
Abstract/Summary:
With the improvement of network infrastructure and the development of the intelligent age, feature-rich mobile applications bring convenience to people's lives in many fields, but they also trigger various privacy leaks introduced by privilege abuse. Existing detection techniques can analyze the abuse of Android application permissions by looking at the inconsistency between the declared permissions extracted from the Android privacy policy and the permissions the Android application actually uses. For the third-party SDK permissions in a "hybrid" privacy policy, however, extracting the declared permissions and using them to analyze SDK permissions results in a large set of extracted declared permissions, so that risky applications are identified as normal applications during the consistency comparison. There are also no efficient data sets for Chinese, which leads to the shortcoming that permission statements cannot be accurately identified. In response to these issues, this thesis studies the consistency analysis of Android privacy policies and permission usage, and achieves the following results:

(1) To address the lack of Chinese data sets, BERT is used as the word-vector extraction model to obtain privacy phrases from the privacy policy, and cosine similarity is used to automatically filter the permission phrase samples, reducing the workload of manually labeling and constructing phrase samples. The samples conform to the grammatical characteristics of the official Android permission descriptions and cover the semantic expressions of declared permissions.

(2) According to whether a third-party SDK permission description is present, Chinese privacy policies are summarized into two types: "hybrid" and "native" privacy policies. A "hybrid" privacy policy adopts a third-party privacy policy to obtain SDK permissions, and the resulting set of declared permissions is so large that risky applications are identified as normal applications in the consistency comparison. It is proposed to compare the application's declared permissions with those of the third-party SDK; HBTAP is a declared-permission extraction scheme that analyzes them separately. Based on permission filtering and permission mapping, HBTAP can effectively identify third-party SDK permissions through SDK permission detection, avoiding the impact of false negatives in consistency analysis by analyzing the redundant declared permissions in the third-party SDK privacy policy.

(3) A consistency analysis engine for Android privacy policies and permission usage is designed and implemented. The framework performs APK consistency analysis by analyzing the Android privacy policy and running static detection on the APK. Functional and speed tests show that it can successfully perform consistency analysis of permission declarations and usage online.
Keywords/Search Tags:Android privacy policy, Text classification, BERT, Third-party, SDK
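The false negative described in result (2), as an added example that is not code from the thesis and not HBTAP's implementation: a merged comparison lets an SDK's over-broad declarations hide an undeclared permission used by the app's own code, while a per-component comparison flags it. The class and function names, the attribution of used permissions to app code versus SDK code, and the sample permission sets are assumptions constructed for illustration.

```python
# Added illustration with constructed data; the structure and names below are
# assumptions, not the thesis's HBTAP implementation.
from dataclasses import dataclass

@dataclass
class Declared:   # what the privacy policy claims
    app: set      # permissions declared for the app's own features
    sdk: dict     # SDK name -> permissions declared in its policy section

@dataclass
class Used:       # what static analysis of the APK attributes (assumed available)
    app: set      # permissions reached from first-party code
    sdk: dict     # SDK name -> permissions reached from that SDK's code

def merged_check(d, u):
    """One declared set vs one used set; returns permissions used but undeclared."""
    declared = set(d.app).union(*d.sdk.values())
    used = set(u.app).union(*u.sdk.values())
    return sorted(used - declared)

def separated_check(d, u):
    """Compare the app and each SDK against their own declarations."""
    report = {"undeclared": {}, "redundant_sdk_claims": {}}
    if u.app - d.app:
        report["undeclared"]["app"] = sorted(u.app - d.app)
    for name in sorted(set(d.sdk) | set(u.sdk)):
        claimed, used = d.sdk.get(name, set()), u.sdk.get(name, set())
        if used - claimed:
            report["undeclared"][name] = sorted(used - claimed)
        if claimed - used:  # declared in the SDK policy but never used by the SDK
            report["redundant_sdk_claims"][name] = sorted(claimed - used)
    return report

# Constructed sample: the SDK section over-declares READ_CONTACTS, which the
# app's own code uses without declaring it.
POLICY = Declared(app={"CAMERA"},
                  sdk={"map_sdk": {"ACCESS_FINE_LOCATION", "READ_CONTACTS",
                                   "READ_PHONE_STATE"}})
APK = Used(app={"CAMERA", "READ_CONTACTS"},
           sdk={"map_sdk": {"ACCESS_FINE_LOCATION"}})

if __name__ == "__main__":
    print("merged:", merged_check(POLICY, APK))
    print("separated:", separated_check(POLICY, APK))
```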