
Android Application Authentication And Authorization Security Research

Posted on: 2022-05-25
Degree: Master
Type: Thesis
Country: China
Candidate: S Tian
Full Text: PDF
GTID: 2518306752997529
Subject: Software engineering

Abstract/Summary:
As the first line of defense, the identity authentication and authorization mechanism protects user privacy information against the risk created by a large number of applications accessing, over the network, various services that handle that information. At present, however, the security environment of Android application authentication and authorization faces acute challenges. Security vulnerabilities in the authentication and authorization process of applications can be exploited by attackers to steal private or sensitive information. A comprehensive security assessment of the authentication and authorization of Android applications is therefore very important.

In view of the above problems, this paper proposes an Android application identity authentication and authorization security analysis method. It designs security analysis methods for Android application third-party login authentication and SMS verification code authentication, and for Android application token revocation and refresh, and it designs and implements an Android application identity authentication and authorization vulnerability detection system. The main research contents of this paper are as follows:

(1) The security problems in the Android application identity authentication and authorization mechanism are studied. Through analysis of the third-party login authentication and SMS verification code authentication mechanisms and processes, the problem of insufficient Activity protection during third-party Android application identity authentication is found. Through analysis of how tokens are used in the authorization process, it is found that token revocation and refresh in Android application authorization may contain vulnerabilities. These findings lay the foundation for the security analysis and detection of the Android application identity authentication and authorization mechanism proposed next.

(2) A security analysis method for Android application identity authentication is proposed. The security of the third-party login authentication method is analyzed using a string query algorithm, a Toast query algorithm and a class-matching algorithm, and the security of the SMS verification code authentication method is analyzed through string feature extraction and a pattern matching algorithm. Insufficient Activity protection in the application's third-party login authentication is discovered, as are security vulnerabilities in SMS verification code authentication such as incorrect storage of identity credentials and multiple valid verification codes.

(3) A security analysis method for the Android application authorization mechanism is proposed. Target request information is obtained through URL recognition, field-content key-value pairs are obtained through string traversal, the security of token revocation is analyzed with a field extraction algorithm, and the security of token refresh is analyzed with a field filtering algorithm. Security issues such as skipped token checks and false token revocation are found in application token revocation and refresh, which expose applications to the risks of server denial of access and user information theft. Manual retesting found 4 false positives, indicating an accuracy rate of 94.7%.

(4) An Android application identity authentication and authorization vulnerability detection system is designed and implemented. It detects vulnerabilities in Activities, application credentials, verification codes, and tokens in identity authentication and authorization by statically analyzing application source files and dynamically analyzing traffic information. The experimental results indicate that the system can effectively solve the problem of incorrectly implemented identity authentication and authorization in Android applications and improve the security of identity authentication and authorization.
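As an added illustration of the token-revocation checks described in point (3), and not code from the thesis or its detection system, the following Python audit extracts the token field from a captured request and then probes a constructed in-memory stand-in for a back end for the two issues named above: a request accepted with no token at all (skipped token check) and a token still accepted after logout (false revocation). The field names, the `DemoServer` class and the sample request are all constructed for this example.

```python
"""Audit a back end for skipped token checks and false token revocation.

Added example; DemoServer is a constructed in-memory stand-in for an
application server, not the thesis's system or any real API.
"""
import re
from typing import Dict, Optional, Set

# Assumed names under which apps commonly send the access token (constructed list).
TOKEN_FIELDS = ("token", "access_token", "auth_token")


def extract_fields(request: str) -> Dict[str, str]:
    """Field extraction: key=value pairs from a request's query string or body."""
    query = request.split("?", 1)[1] if "?" in request else request
    return dict(re.findall(r"([A-Za-z_]+)=([^&\s]+)", query))


def find_token(fields: Dict[str, str]) -> Optional[str]:
    """Return the first recognised token field, or None if the capture has none."""
    for name in TOKEN_FIELDS:
        if name in fields:
            return fields[name]
    return None


class DemoServer:
    """Constructed stand-in. In 'vulnerable' mode logout never invalidates the
    token (false revocation) and a missing token is accepted (skipped check)."""

    def __init__(self, vulnerable: bool) -> None:
        self.vulnerable = vulnerable
        self.valid: Set[str] = {"tok_abc123"}  # constructed sample token

    def logout(self, token: str) -> None:
        if not self.vulnerable:
            self.valid.discard(token)  # correct behaviour: revoke server-side

    def profile(self, token: Optional[str]) -> int:
        """Simulated HTTP status for a protected resource."""
        if token is None:
            return 200 if self.vulnerable else 401
        return 200 if token in self.valid else 401


def audit(server: DemoServer, captured_request: str) -> Set[str]:
    """Probe the server with the captured token; return the issue names found."""
    token = find_token(extract_fields(captured_request))
    if token is None:
        return {"no-token-in-capture"}
    issues: Set[str] = set()
    if server.profile(None) == 200:            # resource served without any token
        issues.add("skipped-token-check")
    server.logout(token)
    if server.profile(token) == 200:           # token still valid after logout
        issues.add("false-revocation")
    return issues
```

A real audit replaces `DemoServer` with the captured logout and resource requests replayed against the app's own back end, comparing status codes before and after revocation.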
Keywords/Search Tags: Android, identity authentication, authorization, security