
Testing method and system for Android application permission leakage vulnerabilities

A technology concerning application permissions and testing methods, applied in the fields of instruments, digital data processing, platform integrity maintenance, etc. It addresses the lack of a strict feature definition for permission leakage, false positives in vulnerability detection, and the inability to fully decompile Android applications into Java code, with the effect of reducing the detection false positive rate.

Inactive Publication Date: 2014-08-20
诸葛建伟

AI Technical Summary

Problems solved by technology

The disassembly technology used faces obstacles to correctness: it is currently impossible to completely and correctly decompile Android applications into Java code.
Although the program control flow graph technology is a relatively mature technology, the Java inheritance mechanism and asynchronous callback characteristics of Android applications make the construction of Android control flow graphs difficult.
In addition, the feature definition of permission leakage vulnerability based on static analysis technology is vague, and there is no strict and standardized feature definition mode, which leads to false positives and false negatives in vulnerability detection to a certain extent.



Embodiment Construction

[0020] In order to make the object, technical solution and advantages of the present invention clearer, the present invention will be further described in detail below in conjunction with the accompanying drawings. It should be understood that the specific embodiments described here are only used to explain the present invention, not to limit the present invention.

[0021] The inventor found through research that ICC (Inter Component Communication) is the communication mechanism between Android application components. Three kinds of components in an Android application communicate through the ICC mechanism: Activity, Service, and Broadcast Receiver. These components communicate through Intent objects, and an Intent object carries the data transmitted during the communication. There are two types of Intent: explicit and implicit. An explicit Intent contains a component name that specifies the target component. The implicit Intent does no...


Abstract

The invention provides a testing method for Android application permission leakage vulnerabilities. The method includes the following steps: step 1, all Service and Broadcast Receiver components exposed externally are extracted from the Manifest file in an Android application package; step 2, for the Service and Broadcast Receiver inter-component communication interfaces in the Android application, Action, Data and Extras information is extracted to construct an Intent object serving as fuzz test input; step 3, through the ICC mechanism, an agent application sends the constructed Intent object to the communication interfaces of the target components; step 4, by modifying the permission checking function in the Android system, the permission checking log is monitored, and whether permission leakage happens is judged from the log. The invention further provides a testing system for Android application permission leakage vulnerabilities. This provides strong support for automatically finding permission leakage security vulnerabilities in Android applications at large scale, and the testing method and system have the advantages of no false positives and few false negatives.
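Steps 1 and 2 of the method, worked as a manifest audit a developer can run on their own app: it lists the Service and Broadcast Receiver components other apps can reach, the Intent (action and data scheme) that would be constructed for each, and flags exported components with no `android:permission` guard. This is an added example, not the patent's code; the manifest, package name and component names are constructed for illustration.

```python
"""Steps 1 and 2 of the method above as a manifest audit: list the Service and
BroadcastReceiver components other apps can reach, the Intent (action, data
scheme) to construct for each, and whether a permission guards it. Added example; the sample manifest is constructed."""
import xml.etree.ElementTree as ET
NS = "{http://schemas.android.com/apk/res/android}"  # android: attribute prefix

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app"><application>
  <receiver android:name=".SmsReceiver"><intent-filter>
    <action android:name="com.example.app.RELAY_SMS"/><data android:scheme="sms"/>
  </intent-filter></receiver>
  <service android:name=".LocationService" android:exported="true"
      android:permission="com.example.app.permission.LOCATION">
    <intent-filter><action android:name="com.example.app.GET_LOCATION"/></intent-filter>
  </service>
  <service android:name=".CacheService" android:exported="false"/>
</application></manifest>"""

def is_exported(elem):
    """android:exported decides when present; otherwise (pre-API 31 default)
    a component that declares an intent-filter is implicitly exported."""
    flag = elem.get(NS + "exported")
    if flag is not None:
        return flag.lower() == "true"
    return elem.find("intent-filter") is not None

def exported_components(manifest_xml):
    """One dict per exported service/receiver with the Intents to construct."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    out = []
    for tag in ("service", "receiver"):
        for elem in root.iter(tag):
            if not is_exported(elem):
                continue
            name = elem.get(NS + "name", "")
            intents = [{"action": act.get(NS + "name"),
                        "schemes": [d.get(NS + "scheme") for d in f.findall("data")]}
                       for f in elem.findall("intent-filter")
                       for act in f.findall("action")]
            out.append({"type": tag,
                        "name": pkg + name if name.startswith(".") else name,
                        "intents": intents,
                        # exported and unguarded: the permission-leak candidates
                        "guarded": elem.get(NS + "permission") is not None})
    return out

def unguarded(manifest_xml):
    """Exported components with no android:permission, the ones to review first."""
    return [c["name"] for c in exported_components(manifest_xml) if not c["guarded"]]
```

The `guarded` flag only records whether a permission is declared on the component; whether the permission is strong enough is a separate review question.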

Description

Technical field

[0001] The invention relates to the technical field of computer program testing, in particular to a method and system for testing Android application permission leakage vulnerabilities.

Background technique

[0002] Android smart phones have become more and more popular, and the Android application market has also grown rapidly. While bringing convenience to users, this also exposes users' sensitive data to the threat of malicious theft. Google introduced a permission model to protect the various kinds of sensitive data on users' phones. However, some malicious applications can access sensitive data by calling the public interfaces of vulnerable applications without applying for any permissions. This phenomenon is called permission leakage, also known as permission re-delegation. In order to reduce the threat to users' personal sensitive data, Google designed a permission-based model. By default, Android applications are prohibited from obtaining a...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/57
CPC: G06F21/577
Inventors: 诸葛建伟, 杨坤, 王永科, 魏克, 段海新
Owner: 诸葛建伟