
Research On Source Code Security Audit Technology For Android Applications

Posted on: 2024-07-25 | Degree: Master | Type: Thesis
Country: China | Candidate: J Zhang
GTID: 2558307106468584 | Subject: Cyberspace security
Abstract/Summary:
Compared with traditional Web applications, mobile applications have distinctive features in terms of development language, program structure and code compilation. As Android is one of the mainstream operating systems for mobile application development, it is important to improve source code security audit technology specifically for Android applications. Source code security audit covers several aspects, and this thesis focuses on two of them: source code detection and component security analysis. In source code detection for Android applications, taint analysis and symbolic execution are two common techniques that play an important role, but they still suffer from high false alarm or missed-detection rates and low detection efficiency. Context-sensitive program analysis can analyze program behavior more accurately and identify more program defects and security issues. Therefore, using the advantages of context sensitivity to improve source code detection methods for Android applications is the core problem of this thesis. On the other hand, the security of the many components in the software supply chain is also a research topic that is currently receiving much attention from academia. This thesis builds a secure and auditable Android third-party SDK component feature library to help application developers discover and resolve insecure components in time, strengthen security control in the application development process, and reduce security risks in the software supply chain.

This thesis focuses on three aspects of Android applications: source code detection algorithm improvement, component feature library construction and source code security audit system development. The main work is as follows:

(1) Improving context-sensitive source code detection methods for the specific characteristics of Android applications. Based on the shortcomings of, and optimization ideas for, traditional taint analysis and symbolic execution in source code detection, the advantages of applying selective context sensitivity to improve source code detection methods are analyzed. Further, an accuracy identification algorithm is proposed, which selectively applies context-sensitive program analysis to a subset of detection methods. Experimental results show that the algorithm improves detection efficiency while preserving accuracy, thus achieving a good balance between detection accuracy and efficiency.

(2) Optimizing the construction strategy of the Android third-party SDK component feature library to solve the component security problem. The performance of Android application security analysis is strengthened based on plug-in technology to achieve accurate identification of component security vulnerabilities, malicious behaviors and information leakage.

(3) Designing and implementing a source code security audit system. Combined with the preceding research results, the process of source code security detection and analysis is improved, and the actual operation of each module is demonstrated.
Keywords/Search Tags:Android application, Code detection, Context-sensitive, Component feature library