Android 應用程式能力分析與潛在權限機制洩漏隱憂之偵測

Abstract

隨著應用程式數量快速的成長,智慧型手機的能力日漸茁壯。現代的 人們使用手機完成許多日常生日上的事務,這些事務經常是和隱私相關。 我們很好奇在我們智慧型手機上的應用程式能夠做些什麼。它們有什麼能 力?是否有可能存在潛在的漏洞?Android 提供了以權限為基礎的機制來 限制應用程式之間及與系統資源之間的存取。應用程式必需請求特定的權 限來取得對受保護資源的存取。然而,在現存的 Android 權限機制中仍然存 在著某些潛在的漏洞及隱憂。 我們提出了一個 client-server 為架構的系統來進行應用程式的能力分 析,我們的系統利用圖形資料庫中的 cypher query language 來支援潛在漏洞 的偵測。我們分析了 125 個由 Android market 上取得的第三方應用程式,發 現有 3 支應用程式具有攔截簡訊的能力。我們也實作了三支 demo 應用程式 來展示在權限機制中潛在漏洞的應用情境。

With the rapid increase in the number of mobile applications, smartphones have become even more versatile and powerful. People nowadays use smartphone a lot for their daily work, many of which involve private data. We are curious about what those applications in our smartphone can do. What are their capabilities? Is there any potential vulnerability in our smartphone? Android provides a permission-based mechanism to control the access of applications and system resources. To access protected resources on Android, an application needs to request specific permissions to acquire the corresponding privileges. However, the permission mechanism is quite complex, and potential vulnerabilities can arise as a result of misconfiguration of the permissions. We propose a system of client-server architecture to analyze the capability of applications on an Android device. Our system leverages the cypher query language [1] in graph database and supports queries of potential vulnerabilities. We analyzed 125 third party applications from Android market and found 3 applications with the capability to intercept SMS message. We also built 3 concept applications to demonstrate scenarios of potential vulnerabilities as a result of misconfiguration in the permission system.