Android系统数据擦除功能的安全性研究

Study on Security of Data Erase Function in Android System

随着移动互联网的飞速发展，智能移动终端已经成为人们个人隐私数据的重要载体之一。但是对于目前的移动智能终端来说，系统所提供的数据擦除接口并没有达到预想中的安全性。在现有的Android设计模型特别是安全模型中存在一些难以回避的缺陷，正是这些缺陷导致了这些不易察觉的数据还残留风险，而这些风险往往被以往的安全分析所忽视，甚至主观认为这些风险不存在。在这种情况下，攻击者就能够利用安全防范的疏忽发起攻击，进而更为严重地威胁到设备相关使用者的隐私和数据安全。以Android系统为目标，对Android系统提供的多种数据擦除和文件删除方法进行了深入的研究，研究表明其中绝大多数方法都存在著严重的安全隐患。着重分析了Android用户比较常用的3种典型的数据擦除手段：删除文件、卸栽应用程序和回复出厂设置。实验成功地从Android设备中恢复出大量通过上述3种手段删除的数据，证明目前这3种数据擦除手段确实会导致数据残留问题出现。提出名为PureEnc的解决方案来保护Android设备中的数据以对抗数据残留问题。PureEnc可以实现对Android应用程序的自动修改，以达到保护数据的目的，不需要修改系统，可以很方便地部署并有效地保护应用程序的数据，以对抗数据残留漏洞。

Smart mobile devices are becoming the main vessel of personal privacy information. But the data erasure interfaces of mobile operating system are somehow much weaker than one has foreseen, and the security mechanisms provided by the system are not flexible enough to provide an agile response. Among the several provided data erasing and file deleting mechanisms, we targeted the Android OS design flaws in data erasure, and unveiled that the design of Android OS contradicts some secure data erasure demands. We presented weaknesses on user privacy protection in three typical scenarios on mainstream Android devices, consisting of data clearing, application uninstallation and facto- ry reset. From the experiments exhibited in this paper, data remains through all levels of data erasure operations, from the application to the system kernel. The demonstrated ethical attack in each scenario successfully reaps a huge a- mount of private data such as online payment account, emails, chat log, etc. Furthermore, considering that those system flaws cannot be repaired in a short time, we proposed a mitigation solution, PureEnc, to protect the privacy against data recovering attacks. PureEnc does not require system modification and is easy to deploy. Our experimental results show that by deploying PureEnc, outdated Android devices are protected against data recovering attacks, and the performance overhead of our solution is acceptable.