Android applications are evolving rapidly in the Internet age, and the security functionality built into them is becoming more and more important. When developers implement that functionality, they rely mainly on cryptography APIs to protect user privacy and other important data. Misusing these APIs exposes the application to leakage of private information. Existing tools for detecting cryptography API misuse in Android applications fall roughly into two types: static detection tools based on data flow analysis, and dynamic detection tools that target the misuse of specific cryptography APIs. Both types take a set of cryptography API misuse rules as their reference.

These tools still have problems. First, they produce many false positives, and some can only detect specific misuse rules, so existing detection suffers from low accuracy and low rule coverage. Second, current tools only identify the misuse itself; they do not consider where the sensitive data produced by a misused API subsequently flows, and so cannot quantify the threat the misuse causes. There is currently no research on the risk posed by cryptography API misuse in Android applications, so the actual risk caused by a misuse cannot be quantitatively analyzed.

This paper does the following work: (1) To address the low accuracy and low coverage of Android cryptography API misuse detection tools, it constructs a cryptographic misuse rule set of 21 rules and proposes a combined static and dynamic misuse detection method. On the static side, the slicing criteria are extended and false positives in hard-coded-value detection are addressed. On the dynamic side, log analysis is used: a log recorder and a log checker monitor and inspect the entire run of an Android application. Evaluated on a benchmark test framework against the existing tool CryptoGuard, the method increases accuracy by 11.2% and rule coverage by 9.3%, showing better misuse detection capability. (2) To address the fact that existing tools do not analyze the impact of a misuse, it uses data flow analysis based on a graph reachability algorithm, taking the misused API as the data source, together with taint analysis to find the paths along which the sensitive data flows. It classifies the sink points of misused data flows and quantitatively analyzes the resulting threats. Considering both misuse risk and data flow risk, a clustering algorithm is used to build a risk scoring model, and the Android application cryptography API risk scoring tool CryptoAssess was developed. In the experiment, 10,000 applications of various types from application markets were evaluated and each was assigned a risk level. The results indicate that each market exerts some regulatory effect on the cryptographic security of its applications but that auditing still needs to be strengthened; they also demonstrate the practicality and application value of the risk scoring tool presented in this paper.
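The detection pipeline the abstract describes, reduced to a toy: an added Python example written for this page, not the paper's CryptoAssess implementation or any tool it cites. It assumes a line-based Java method body in place of bytecode slicing, four invented rules with invented severities (the abstract does not list the paper's 21 rules), three assumed sink classes with assumed weights, and a simple additive score in place of the clustering model; the Java input is constructed. The point it shows that the text does not is why backward resolution matters: a key filled by SecureRandom passes through the same SecretKeySpec constructor as a hard-coded one, and only tracing the argument to its definition separates the two.

```python
"""Toy Android crypto-misuse detector (added example): rule checks with
backward def-use resolution, forward taint tracking to classified sinks,
and an additive risk score. Rules, severities and sink weights are assumed."""
import re

# Constructed Java method body (not from a real app), one statement per
# line, mixing real misuses with look-alikes a naive tool would flag.
SAMPLE_JAVA = """\
String SEED = "0123456789abcdef";
byte[] key = SEED.getBytes();
SecretKeySpec ks = new SecretKeySpec(key, "AES");
Cipher c = Cipher.getInstance("AES");
c.init(Cipher.ENCRYPT_MODE, ks);
byte[] ct = c.doFinal(plain);
String enc = Base64.encodeToString(ct, Base64.DEFAULT);
Log.d("crypto", enc);
prefs.edit().putString("token", enc).apply();
byte[] k2 = new byte[32];
new SecureRandom().nextBytes(k2);
SecretKeySpec ks2 = new SecretKeySpec(k2, "AES");
Cipher c2 = Cipher.getInstance("AES/GCM/NoPadding");
MessageDigest md = MessageDigest.getInstance("MD5");
"""

ASSIGN = re.compile(r'^(?:[\w\[\]<>]+\s+)?(\w+)\s*=\s*(.+);$')
LITERAL = re.compile(r'^"[^"]*"(?:\.getBytes\(.*\))?$|^new byte\[\]\s*\{')
# Assumed sink classes and weights: where misused-crypto output ends up.
SINKS = {"Log.": ("log", 2), ".putString(": ("storage", 3), ".write(": ("stream", 4)}
SEVERITY = {"R1 ECB mode": 3, "R2 hard-coded key": 5, "R4 weak hash": 2}

def parse(src):
    """Split into statements; record each variable's last definition and
    which byte arrays were filled by SecureRandom.nextBytes."""
    stmts = [s.strip() for s in src.splitlines() if s.strip()]
    defs, randomized = {}, set()
    for s in stmts:
        if m := ASSIGN.match(s):
            defs[m.group(1)] = m.group(2)
        if m := re.search(r'nextBytes\((\w+)\)', s):
            randomized.add(m.group(1))
    return stmts, defs, randomized

def origin(expr, defs, randomized, depth=0):
    """Backward-resolve an argument through its definitions to 'literal',
    'random' or 'unknown'; this is what removes hard-coded-key false
    positives for keys generated at run time."""
    expr = expr.strip()
    if LITERAL.match(expr):
        return "literal"
    if expr in randomized:
        return "random"
    if m := re.match(r'(\w+)\.getBytes\(', expr):
        expr = m.group(1)
    if expr in defs and depth < 10:
        return origin(defs[expr], defs, randomized, depth + 1)
    return "unknown"

def check_rules(stmts, defs, randomized):
    """Apply the assumed misuse rules; also return Cipher variables judged misused."""
    findings, bad_ciphers = [], set()
    for s in stmts:
        if m := re.search(r'Cipher\.getInstance\("([^"]+)"\)', s):
            # JCA "AES" with no mode string defaults to ECB.
            if "/" not in m.group(1) or "/ECB/" in m.group(1):
                findings.append(("R1 ECB mode", s))
                if a := ASSIGN.match(s):
                    bad_ciphers.add(a.group(1))
        if m := re.search(r'new SecretKeySpec\(([^,]+),', s):
            if origin(m.group(1), defs, randomized) == "literal":
                findings.append(("R2 hard-coded key", s))
        if re.search(r'MessageDigest\.getInstance\("(MD5|SHA-?1)"\)', s):
            findings.append(("R4 weak hash", s))
    return findings, bad_ciphers

def track_taint(stmts, bad_ciphers):
    """Forward-propagate data produced by a misused Cipher through
    assignments and report every classified sink it reaches."""
    tainted, hits = set(), []
    for s in stmts:
        if a := ASSIGN.match(s):
            lhs, rhs = a.groups()
            from_bad = any(re.search(rf'\b{c}\.doFinal\(', rhs) for c in bad_ciphers)
            if from_bad or set(re.findall(r'\w+', rhs)) & tainted:
                tainted.add(lhs)
        for pat, (kind, weight) in SINKS.items():
            if pat in s and set(re.findall(r'\w+', s)) & tainted:
                hits.append((kind, weight, s))
    return hits

def analyze(src):
    """Run all stages; score = sum of rule severities + reached-sink weights."""
    stmts, defs, randomized = parse(src)
    findings, bad = check_rules(stmts, defs, randomized)
    sinks = track_taint(stmts, bad)
    score = sum(SEVERITY[r] for r, _ in findings) + sum(w for _, w, _ in sinks)
    return {"findings": findings, "sinks": sinks, "score": score}

if __name__ == "__main__":
    report = analyze(SAMPLE_JAVA)
    for item in report["findings"] + report["sinks"]:
        print(item)
    print("risk score:", report["score"])
```

On the constructed input the detector reports the hard-coded key behind `ks`, the ECB default behind `c`, and MD5, while leaving `ks2` (SecureRandom-filled) and `c2` (GCM) alone; the ciphertext from the ECB cipher is followed through Base64 into both a log statement and SharedPreferences, and the two sink weights are added to the three rule severities. A real implementation would do this on an intermediate representation with proper slicing and alias handling; the scoring here is only a stand-in for a learned model.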