Permission leak detection method for Android APPs based on call graph

Cited by: 2
Abstract: To improve the accuracy of permission leak detection for Android applications (APPs), a detection method based on a call graph is proposed. The application's public interfaces are extracted, and the public methods are obtained from them. Sensitive methods, that is, methods that use sensitive application program interfaces (APIs), are extracted, and an inter-method call graph of the program is then built. Permission leak paths are searched for between the public methods and the sensitive methods. The method is validated on 286 Android packages (APKs) from the APKPure app market. The results of the batch sample experiment show that the method accurately detects permission leak vulnerabilities in multiple kinds of interfaces. Drozer, AndroBugs and the Tencent Jingang (金刚) audit system are selected as comparison tools. The results show that, for public interface detection, the method has the widest detection range, considers the most factors, and has the fewest false negatives and false positives.
Authors: Jiang Wang; Chen Hao; Xu Yichao; Xu Jian (School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing 210094, China; Jiangsu Electric Power Company Research Institute, Nanjing 210036, China)
Source: Journal of Nanjing University of Science and Technology (《南京理工大学学报》), indexed in EI, CAS, CSCD and the Peking University Core list; 2018, No. 6, pp. 662-670 (9 pages)
Keywords: call graphs; Android; applications; permission leak; detection; public interfaces; application program interfaces
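The path search summarized in the abstract, as an added Python example that is not the authors' implementation: it runs a breadth-first search from each public method to each sensitive API over a call graph. The graph, method names and permission map are constructed sample data, and the rule that a method enforcing the permission cuts the path is an assumption of this example, not something the abstract states.

```python
from collections import deque

# Constructed sample data for a hypothetical app (not from the paper).
CALL_GRAPH = {  # caller -> callees
    "SmsService.onStartCommand": ["SmsHelper.send"],
    "SmsHelper.send": ["SmsHelper.retry", "SmsManager.sendTextMessage"],
    "SmsHelper.retry": ["SmsHelper.send"],  # cycle: retry calls send again
    "LocProvider.query": ["LocHelper.lastFix"],
    "LocHelper.lastFix": ["LocationManager.getLastKnownLocation"],
    "SettingsActivity.onCreate": ["LocHelper.lastFix"],  # not exported
}
# Entry points of exported components (the "public methods").
PUBLIC_METHODS = {"SmsService.onStartCommand", "LocProvider.query"}
# Sensitive API -> permission it requires.
SENSITIVE_APIS = {
    "SmsManager.sendTextMessage": "SEND_SMS",
    "LocationManager.getLastKnownLocation": "ACCESS_FINE_LOCATION",
}
# Assumption: methods known to enforce a permission on the caller.
GUARDS = {"ACCESS_FINE_LOCATION": {"LocProvider.query"}}


def find_leak_paths(graph, public_methods, sensitive_apis, guards):
    """Return (permission, shortest call path) for every unguarded path
    from a public method to an API requiring that permission."""
    leaks = []
    for entry in sorted(public_methods):
        for perm in sorted(set(sensitive_apis.values())):
            blocked = guards.get(perm, set())
            if entry in blocked:
                continue  # the entry point itself checks the caller
            queue, seen = deque([[entry]]), {entry}
            while queue:
                path = queue.popleft()
                for callee in graph.get(path[-1], []):
                    if callee in seen or callee in blocked:
                        continue  # visited already, or path is guarded
                    seen.add(callee)
                    if sensitive_apis.get(callee) == perm:
                        leaks.append((perm, path + [callee]))
                    else:
                        queue.append(path + [callee])
    return leaks


if __name__ == "__main__":
    for perm, path in find_leak_paths(CALL_GRAPH, PUBLIC_METHODS,
                                      SENSITIVE_APIS, GUARDS):
        print(perm, ":", " -> ".join(path))
```

The second-to-last element of each reported path is the app's own sensitive method, which is where a caller permission check would normally be added.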