
Utilizing Static Information Flow Analysis to Detect Logging Vulnerability in Android Apps

(Chinese title: 用静态信息流分析检测Android应用中的日志隐患; cited by 4)
Abstract (translated from the Chinese): Compared with traditional computing platforms, mobile platforms hold a large amount of private information that concerns user privacy. With the growing popularity of the Android mobile platform and the spread of the app-market model, the security question of how to protect user privacy has drawn increasing attention. This paper finds that the current Android logging system carries a security risk of leaking users' private data, and designs and implements LogMiner, an Android application detection tool based on static information flow analysis, to assist app markets with security checks when applications are published. LogMiner was run on 200 Android applications and successfully analyzed 177 of them, at an average analysis time of 4.3 minutes per application; 33 of the analyzed applications contained a logging security hazard, or 18.6% of the total. This result shows that real-world Android applications do exhibit this class of security hazard. Finally, the paper proposes improvements to the existing logging system.

Abstract (original English): Compared to traditional computing platforms, mobile computing platforms usually contain plenty of users' private information. With the increasing popularity of Android and Android Markets, privacy protection on mobile computing platforms has become a growing concern. This paper finds that the existing Android Logging System is vulnerable to privacy leakage. To detect such security risks, LogMiner, a tool based on static information flow analysis, is proposed for Android Markets. The experimental results show that 23 of 200 Android applications log user-sensitive data into the Logging System, and prove that some real-world Android applications do have the logging security risk. Finally, this paper gives some advice on improving the existing Android Logging System to get rid of this risk.
Source: Journal of Chinese Computer Systems (小型微型计算机系统), CSCD and Peking University core journal, 2013, No. 6, pp. 1276-1281 (6 pages).
Funding: National Core Electronic Devices, High-end Generic Chips and Basic Software (核高基) Major Science and Technology Project (2009ZX01036-001-003).
Keywords: Android; logging system; privacy leakage; static information flow analysis