Android系统外部SDK安全漏洞检测研究

Research on third party SDK security vulnerability detection in Android application

SDK是面向Android应用程序开发人员的工具集合,包括硬件平台基础信息、软件协议框架、操作系统等,其宗旨在于提高Android应用程序的开发效率。许多Android软件供应商提供的大多数AndroidApp的开发普遍基于已有的SDK,在此基础上二次开发做出产品,如果所采用的SDK中存在安全风险或者漏洞,将导致所有基于此SDK开发的App都面临潜在攻击威胁,将对用户的隐私信息保护和Android系统的安全性产生严重的负面影响。本研究选择了35个使用较为广泛的非官方SDK,结合污点追踪、二进制插值方法,并使用FlowDroid和Droidbox软件工具分析了应用于外部SDK开发的应用程序。研究结果表明,在35个外部SDKS开发工具中,19个(54.3%)存在SSL/TLS错误配置、不合理的敏感数据权限分配、HTTP的非必要调用、用户日志泄漏、开发人员考虑不周等漏洞和威胁,造成用户隐私数据面临较高的安全风险。

SDK is a set of tools for Android application developers,which including hardware platform basic information,software protocol framework,operating system and so on.The purpose of using SDK is to improve Android applications developing efficiency.Most Android Apps developed by many Android software vendors are generally based on existing SDK,then redevelop their own products on this basis.However,if there are security risks or vulnerabilities in the SDK,all Apps developed based on the SDK will face potential attack threats.The consequences will have a serious negative impact on users′ privacy information protection and Android system security.We studied many SDKs and selected thirty-five popular unofficial SDKs.Combining with stain tracing and binary interpolation methods,using Flodroid and Droidbox software tools. We analyzed the application programs developed by these external SDKs.The results show that 19 of the 35 external SDKs development tools (54.3%) have some vulnerabilities and threats,such as false configuration of SSL/TLS,unreasonable permission allocation of sensitive data,unnecessary calls of HTTP,leaks of user logs,and improper consideration by developers,resulting in high security risks for user privacy data.