面向Android生态系统中的第三方SDK安全性分析

Security Analysis of the Third-Party SDKs in the Android Ecosystem

目前,许多Android系统开发人员为了缩短开发时间,选择在其应用程序中内置第三方SDK的方式.第三方SDK是一种由广告平台、数据提供商、社交网络和地图服务提供商等第三方服务公司开发的工具包,它已经成为Android生态系统的重要组成部分.但是,一个SDK有安全漏洞,会导致所有包含该SDK的应用程序易受攻击,这严重影响了Android生态系统的安全性.因此,在市场上选取了129个流行的第三方SDK,并对其安全性进行了全面分析.为了提高分析的准确性,将第三方SDK的demo应用作为分析对象,并使用了在分析Android应用中有效的分析方法(例如静态污点追踪、动态污点追踪、动态二进制插桩等)和分析工具(例如flowdroid、droidbox等).结果显示:在选取的这些SDK中,超过60%含有各种漏洞(例如HTTP的误用、SSL/TLS的不正确配置、敏感权限滥用、身份识别、本地服务、通过日志造成信息泄露、开发人员的失误),这对相关应用程序的使用者构成了威胁.

To shorten the application development time, many Android developers include third-party SDKs in their apps. Third party SDKs are toolkits developed by third-party service companies such as advertising platforms, data providers, social network, and map service providers. These third party SDKs have become an important part of the Android ecosystem. If an SDK contains security vulnerabilities, all the apps that include it would become vulnerable, which severely affects the security of the Android ecosystem. To address this issue, this work selects 129 popular third-party SDK in the market and makes comprehensive analysis of their security. In order to improve the accuracy of the analysis, demo apps of third-party SDKs are taken as analysis object, and certain effective Android-app analysis methods （such as static taint tracking, dynamic taint tracking and dynamic binary instrumentation） and analysis tools （such as flowdroid and droidbox） are employed. The result shows that more than 60% of the collected third-party SDKs contain various of vulnerabilities （e.g. misuse of HTTP, misuse of SSL/TLS, abuse of sensitive permissions, identification, vulnerabilities brought by the local server, information leakage through logging, mistakes of applications developers）, which is a threat to the related applications and the users of these applications.