Risk assessment method of Android application based on permission (基于权限的Android应用风险评估方法)
  • English title: Risk assessment method of Android application based on permission
  • Authors: 卜同同 (BU Tongtong); 曹天杰 (CAO Tianjie)
  • Affiliation: School of Computer Science and Technology, China University of Mining and Technology (中国矿业大学计算机科学与技术学院)
  • Keywords: Android security; risk assessment; application permission; quantitative assessment; static analysis; dynamic detection
  • Journal: Journal of Computer Applications (计算机应用), database abbreviation JSJY
  • Online publication date: 2018-09-20 10:15
  • Year: 2019
  • Volume/issue: v.39; No.341 (issue 01)
  • Funding: National Natural Science Foundation of China (61303263)
  • Language: Chinese
  • Article ID: JSJY201901025
  • Pages: 137-141 (5 pages)
  • CN: 51-1307/TP
Abstract
To address the weaknesses of the Android permission mechanism and the limited capability of traditional methods for rating application risk, a permission-based risk assessment method for Android applications is proposed. First, the system permissions declared by an application, the permissions found by static analysis, and the application's custom permissions are extracted by reverse engineering, while the permissions actually used during execution are collected by dynamic detection. Second, a quantitative risk assessment is performed from three aspects: permission combinations with a malicious tendency, the over-privilege problem, and custom permission vulnerabilities. Finally, the Analytic Hierarchy Process (AHP) is used to compute the weights of these three aspects and to combine them into a risk value for the application. A custom permission dataset and a dataset of permission combinations with a malicious tendency were built by training on 6 245 software samples collected from application stores and VirusShare. Experimental results show that, compared with Androguard, the proposed method assesses the risk value of application software more accurately.
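As an added illustration that is not code from the paper, the following Python sketch shows how the three aspect scores named in the abstract can be weighted with AHP (priority vector from a pairwise-comparison matrix, plus the consistency ratio that tells you whether the judgements are usable) and folded into a single risk value. The pairwise-comparison matrix, the permission sets of the sample application, the list of malicious-tendency combinations, and the per-aspect scoring rules are all constructed assumptions; the paper's own datasets and scoring formulas are not reproduced here.

```python
import math

RANDOM_INDEX = {3: 0.58}  # Saaty's random index for n = 3 (three aspects)

def ahp_weights(matrix):
    """Priority vector (normalised row geometric means) and consistency ratio."""
    n = len(matrix)
    gm = [math.prod(row) ** (1.0 / n) for row in matrix]
    w = [g / sum(gm) for g in gm]
    # lambda_max estimated as the mean of (A w)_i / w_i over the rows
    lam = sum(sum(a * wj for a, wj in zip(row, w)) / w[i]
              for i, row in enumerate(matrix)) / n
    return w, (lam - n) / (n - 1) / RANDOM_INDEX[n]   # CR = CI / RI

# Constructed pairwise comparisons on Saaty's 1-9 scale: malicious
# combinations > over-privilege > custom permissions in importance.
PAIRWISE = [[1, 3, 5], [1/3, 1, 3], [1/5, 1/3, 1]]

# Aspect 1: constructed set of permission combinations with malicious tendency.
BAD_COMBOS = [frozenset({"READ_SMS", "SEND_SMS"}),
              frozenset({"READ_CONTACTS", "INTERNET"}),
              frozenset({"ACCESS_FINE_LOCATION", "RECORD_AUDIO"})]

def combo_score(declared):
    # fraction of known risky combinations fully contained in the declared set
    return sum(c <= declared for c in BAD_COMBOS) / len(BAD_COMBOS)

def over_privilege_score(declared_dangerous, used_at_runtime):
    # Aspect 2: share of declared dangerous permissions never seen by dynamic detection
    unused = declared_dangerous - used_at_runtime
    return len(unused) / len(declared_dangerous) if declared_dangerous else 0.0

def custom_permission_score(custom):
    # Aspect 3, assumed rule: a custom permission below 'signature' level is risky
    return sum(level != "signature" for _, level in custom) / len(custom) if custom else 0.0

def risk_value(weights, scores):
    return sum(w * s for w, s in zip(weights, scores))  # weighted sum, in [0, 1]

def assess_sample_app():
    """Constructed sample application, not a real APK."""
    declared = {"READ_SMS", "SEND_SMS", "READ_CONTACTS", "ACCESS_FINE_LOCATION", "INTERNET"}
    dangerous = declared - {"INTERNET"}               # INTERNET is normal-level
    used = {"READ_CONTACTS", "ACCESS_FINE_LOCATION"}  # seen during dynamic detection
    custom = [("com.example.app.PAY", "normal"), ("com.example.app.ADMIN", "signature")]
    weights, cr = ahp_weights(PAIRWISE)
    scores = [combo_score(declared), over_privilege_score(dangerous, used),
              custom_permission_score(custom)]
    return {"weights": weights, "cr": cr, "scores": scores, "risk": risk_value(weights, scores)}
```

A consistency ratio above 0.1 means the pairwise judgements contradict each other and the weights should not be trusted; for the constructed matrix it is about 0.03, and the sample application scores roughly 0.61.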
References
[1] IDC. Smartphone market share [EB/OL]. (2018-02-20) [2018-03-29]. https://www.idc.com/promo/smartphone-market-share/os.
[2] BAGHERI H, KANG E, MALEK S, et al. A formal approach for detection of security flaws in the Android permission system [J]. Formal Aspects of Computing, 2017, 9: 1-20.
[3] Google. Permissions best practices [EB/OL]. (2018-01-20) [2018-03-26]. https://developer.android.google.cn/training/permissions/best-practice.
[4] FELT A P, CHIN E, HANNA S, et al. Android permissions demystified [C]// CCS 2011: Proceedings of the 18th ACM Conference on Computer and Communications Security. New York: ACM, 2011: 627-638.
[5] 张锐, 杨吉云. 基于权限相关性的Android恶意软件检测 [J]. 计算机应用, 2014, 34(5): 1322-1325. (ZHANG R, YANG J Y. Android malware detection based on permission correlation [J]. Journal of Computer Applications, 2014, 34(5): 1322-1325.)
[6] TUNCAY G S, DEMETRIOU S, GANJU K, et al. Resolving the predicament of Android custom permissions [C]// NDSS 2018: Proceedings of the 2018 Network and Distributed System Security Symposium. Piscataway, NJ: IEEE, 2018: 1-16.
[7] HAMED A, AYED H K B. Privacy risk assessment and users' awareness for mobile APPs permissions [C]// Proceedings of the 2017 International Symposium on Computer Systems and Applications. Piscataway, NJ: IEEE, 2017: 1-8.
[8] 徐君锋, 王嘉捷, 朱克雷, 等. 基于AHP的安卓应用安全信用指数度量方法 [J]. 清华大学学报(自然科学版), 2018, 58(2): 131-136. (XU J F, WANG J J, ZHU K L, et al. Credit index measurement method for Android application security based on AHP [J]. Journal of Tsinghua University (Science and Technology), 2018, 58(2): 131-136.)
[9] RAHMAN A, PRADHAN P, PARTHO A, et al. Predicting Android application security and privacy risk with static code metrics [C]// Proceedings of the 2017 IEEE/ACM International Conference on Mobile Software Engineering and Systems. Piscataway, NJ: IEEE, 2017: 149-153.
[10] DINI G, MARTINELLI F, MATTEUCCI I, et al. Risk analysis of Android applications: a user-centric solution [J]. Future Generation Computer Systems, 2018, 80: 505-518.
[11] TANG W, JIN G, HE J, et al. Extending Android security enforcement with a security distance model [C]// Proceedings of the 2011 International Conference on Internet Technology and Applications. Piscataway, NJ: IEEE, 2011: 1-4.
[12] VXShare. VirusShare [EB/OL]. [2017-10-09]. https://virusshare.com.
[13] DESNOS A, GUEGUEN G, BACHMANN S. Androguard package [EB/OL]. [2017-12-29]. http://androguard.readthedocs.io/en/latest/api/androguard.html.