Abstract
After an Android application has been developed, third parties such as application stores or other Android developers may need to add features to it. However, the Android operating system requires every APK (Android Package, the Android application installation package) to be signed before it is published. By the nature of digital signatures, the signature of an Android application necessarily changes once a third party modifies it, and Android applications are very easy to obtain. Together these lead to two problems: unauthorized third parties modify published Android applications, and it is difficult to verify the validity of the original designer's signature on a republished Android application. To address these problems, this paper proposes an APK authorization scheme based on transitive signatures. The scheme improves the application signing mechanism in Android's security model and uses the fact that transitive signature schemes are suited to signing binary transitive relations to achieve APK authorization and verification of the original designer's copyright. For an APK published by a third party after secondary development, any verifier can easily compute the combined signature, i.e., the authorization information. Using the parameters supplied by the claimant (the Android application developer) and the computed combined signature, the verifier can check the legitimacy of the claimant's statement, which protects both the APK designer's copyright and the security of Android applications. Analysis shows that the scheme meets the security requirements of Android application signing.
Source
Journal of Cryptologic Research (密码学报)
CSCD
2016, Issue 1, pp. 22-32 (11 pages)
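Funding
National Natural Science Foundation of China (61362010)
Guangxi Natural Science Foundation (2011GXNSFA018152)
Scientific Research Fund of the Guangxi Education Department (YB2014008, YB2013007)
Guangxi Graduate Education Innovation Program (YCSZ2015035)
Guangxi University Natural Science Foundation (XBZ110905)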
Keywords
APK signature
transitive signature
copyright protection
APK authorization