面向Android生态系统中的第三方SDK安全性分析
|
摘要
目前,许多Android系统开发人员为了缩短开发时间,选择在其应用程序中内置第三方SDK的方式.第三方SDK是一种由广告平台、数据提供商、社交网络和地图服务提供商等第三方服务公司开发的工具包,它已经成为Android生态系统的重要组成部分.但是,一个SDK有安全漏洞,会导致所有包含该SDK的应用程序易受攻击,这严重影响了Android生态系统的安全性.因此,在市场上选取了129个流行的第三方SDK,并对其安全性进行了全面分析.为了提高分析的准确性,将第三方SDK的demo应用作为分析对象,并使用了在分析Android应用中有效的分析方法(例如静态污点追踪、动态污点追踪、动态二进制插桩等)和分析工具(例如flowdroid、droidbox等).结果显示:在选取的这些SDK中,超过60%含有各种漏洞(例如HTTP的误用、SSL/TLS的不正确配置、敏感权限滥用、身份识别、本地服务、通过日志造成信息泄露、开发人员的失误),这对相关应用程序的使用者构成了威胁.
To shorten the application development time, many Android developers include third-party SDKs in their apps. Third party SDKs are toolkits developed by third-party service companies such as advertising platforms, data providers, social network, and map service providers. These third party SDKs have become an important part of the Android ecosystem. If an SDK contains security vulnerabilities, all the apps that include it would become vulnerable, which severely affects the security of the Android ecosystem. To address this issue, this work selects 129 popular third-party SDK in the market and makes comprehensive analysis of their security. In order to improve the accuracy of the analysis, demo apps of third-party SDKs are taken as analysis object, and certain effective Android-app analysis methods(such as static taint tracking, dynamic taint tracking and dynamic binary instrumentation) and analysis tools(such as flowdroid and droidbox) are employed. The result shows that more than 60% of the collected third-party SDKs contain various of vulnerabilities(e.g. misuse of HTTP, misuse of SSL/TLS, abuse of sensitive permissions, identification, vulnerabilities brought by the local server, information leakage through logging, mistakes of applications developers), which is a threat to the related applications and the users of these applications.
To shorten the application development time, many Android developers include third-party SDKs in their apps. Third party SDKs are toolkits developed by third-party service companies such as advertising platforms, data providers, social network, and map service providers. These third party SDKs have become an important part of the Android ecosystem. If an SDK contains security vulnerabilities, all the apps that include it would become vulnerable, which severely affects the security of the Android ecosystem. To address this issue, this work selects 129 popular third-party SDK in the market and makes comprehensive analysis of their security. In order to improve the accuracy of the analysis, demo apps of third-party SDKs are taken as analysis object, and certain effective Android-app analysis methods(such as static taint tracking, dynamic taint tracking and dynamic binary instrumentation) and analysis tools(such as flowdroid and droidbox) are employed. The result shows that more than 60% of the collected third-party SDKs contain various of vulnerabilities(e.g. misuse of HTTP, misuse of SSL/TLS, abuse of sensitive permissions, identification, vulnerabilities brought by the local server, information leakage through logging, mistakes of applications developers), which is a threat to the related applications and the users of these applications.
引文
[1]IDC.Smartphone OS market share.2015.http://www.idc.com/prodserv/smartphone-os-market-share.jsp
[2]Wang R,Zhou Y,Chen S,Qadeer S,Evans D,Gurevich Y.Explicating SDKs:Uncovering assumptions underlying secure authentication and authorization.In:Proc.of the USENIX Security.2013.399-414.
[3]Google maps API.https://developers.google.com/maps/
[4]Pay Pal.https://developer.paypal.com/
[5]Permission mapping for Android 2.2.3-4.1.1.http://pscout.csl.toronto.edu/
[6]Amazon Webservices.http://aws.amazon.com/
[7]Book T,Pridgen A,Wallach DS.Longitudinal analysis of android ad library permissions.In:Proc.of the Mo ST 2013.IEEE,2013.
[8]Enck W,Octeau D,Mc Daniel P,Swarat C.A study of android application security.In:Proc.of the USENIX Security 2011.USENIX,2011.
[9]Grace M,Zhou W,Jiang X,Sadeghi AR.Unsafe exposure analysis of mobile in-app advertisements.In:Proc.of the WISEC 2012.ACM Press,2012.[doi:10.1145/2185448.2185464]
[10]Seo J,Kim D,Cho D,Kim T,Shin I.Flex Droid:Enforcing in-app privilege separation in Android.In:Proc.of the NDSS 2016.2016.
[11]Stevens R,Gibler C,Crussell J,Erickson J,Chen H.Investigating user privacy in Android ad libraries.In:Proc.of the Mo ST 2012.IEEE,2012.
[12]The Hacker News.Warning:18 000 Android apps contains code that spy on your text messages.2016.http://thehackernews.com/2015/10/android-appssteal-sms.html
[13]The Hacker News.Backdoor in Baidu Android SDK puts 100 million devices at risk.2016.http://thehackernews.com/2015/11/androidmalware-backdoor.html
[14]Parse Blog.Discovering a major security hole in facebooks Android SDK.2016.http://blog.parse.com/learn/engineering/discoveringa-majorsecurity-hole-in-facebooks-android-sdk
[15]Poeplau S,Fratantonio Y,Bianchi A,Kruegel C,Vigna G.Execute this!Analyzing unsafe and malicious dynamic code loading in Android applications.In:Proc.of the NDSS 2014.San Diego,2014.[doi:10.14722/ndss.2014.23328]
[16]Support V.Security vulnerability in Android SDKs prior to 3.3.0.2016.https://support.vungle.com/hc/en-us/articles/205142650-Security-Vulnerability-in-Android SDKs-prior-to-3-3-0
[17]The Hacker News.Facebook SDK vulnerability puts millions of smartphone users accounts at risk.2016.http://thehackernews.com/2014/07/facebook-sdkvulnerabilityputs.html
[18]Dropbox Blog.Security bug resolved in the dropbox SDKs for android.2016.https://blogs.dropbox.com/developers/2015/03/securitybug-resolved-in-thedropbox-sdks-for-android
[19]Shekhar S,Dietz M,Wallach DS.Adsplit:Separating smartphone advertising from applications.In:Proc.of the USENIX Security2012.USENIX,2012.
[20]Pearce P,Porter Felt A,Nunez G,Wagner D.Ad Droid:Privilege separation for applications and advertisers in Android.In:Proc.of the ASIACCS 2012.ACM Press,2012.[doi:10.1145/2414456.2414498]
[21]Yang W,Li J,Zhang Y,Li Y,Shu J,Gu D.Apklancet:Tumor payload diagnosis and purification for android applications.In:Proc.of the ASIACCS 2014.ACM Press,2014.[doi:10.1145/2590296.2590314]
[22]Setting the record straight on moplus SDK and the wormhole vulnerability.http://blog.trendmicro.com/trendlabs-securityintel ligence/setting-the-recordstraight-on-moplus-sdk-and-thewormhole-vulnerability/
[23]Guard Square.Proguard java obfuscator.http://proguard.sourceforge.net
[24]Gibler C,Crussell J,Erickson J,Chen H.Androidleaks:Automatically detecting potential privacy leaks in Android applications on a large scale.In:Proc.of the TRUST 2012.Springer-Verlag,2012.[doi:10.1007/978-3-642-30921-2_17]
[25]Arzt S,Rasthofer S,Fritz C,Bodden E,Bartel A,Klein J,le Traon Y,Octeau D,Mc Daniel P.Flowdroid:Precise context,flow,field,object-sensitive and lifecycle-aware taint analysis for Android apps.In:Proc.of the PLDI 2014.2014.[doi:10.1145/2594291.2594299]
[26]Wei FG,Roy S,Ou XM,Robby.Amandroid:A precise and general inter-component data flow analysis framework for security vetting of Android apps.In:Proc.of the CCS 2014.ACM Press,2014.[doi:10.1145/2660267.2660357]
[27]Gordon MI,Kim D,Perkins J,Gilham L,Nguyen N,Rinard M.Information-Flow analysis of Android applications in Droid Safe.In:Proc.of the NDSS 2015.2015.[doi:10.14722/ndss.2015.23089]
[28]Backes M,Bugiel S,Derr E,Gerling S,Hammer C.RDroid:Leveraging Android app analysis with static slice optimization.In:Proc.of the ASIACCS 2016.ACM Press,2016.[doi:10.1145/2897845.2897927]
[29]Wijesekera P,Baokar A,Hosseini A,Egelman S,Wagner D,Beznosov K.Android permissions remystified:A field study on contextual integrity.In:Proc.of the USENIX Security 2015.USENIX,2015.
[30]Oltrogge M,Acar Y,Dechand S,Smith M,Fahl S.To pin or not to pinhelping app developers bullet proof their TLS connections.In:Proc.of the USENIX Security 2015.USENIX,2015.
[31]Fahl S,Harbach M,Muders T,Baumg?rtner L,Freisleben B,Smith M.Why eve and mallory love Android:An analysis of Android ssl(in)security.In:Proc.of the CCS 2012.ACM Press,2012.[doi:10.1145/2382196.2382205]
[32]Egele M,Brumley D,Fratantonio Y,Kruegel C.An empirical study of cryptographic misuse in Android applications.In:Proc.of the CCS 2013.ACM Press,2013.[doi:10.1145/2508859.2516693]
[33]Ad Mob.https://developers.google.com/admob/
[34]Permission mapping for Android 4.1.1-5.1.1.http://pscout.csl.toronto.edu/
[35]SOOT.https://sable.github.io/soot/
[36]Au KWY,Zhou YF,Huang Z,Lie D.Pscout:Analyzing the Android permission specification.In:Proc.of the 2012 ACM Conf.on Computer and Communications Security.ACM Press,2012.217-228.[doi:10.1145/2382196.2382222]
[37]Cui X,Wang J,Hui LC,Xie Z,Zeng T,Yiu S.Wechecker:Efficient and precise detection of privilege escalation vulnerabilities in Android apps.In:Proc.of the 8th ACM Conf.on Security&Privacy in Wireless and Mobile Networks.ACM Press,2015.[doi:10.1145/2766498.2766509]
[38]Greenwood DSJSG,Khan ZLL.Smv-Hunter:Large scale,automated detection of SSL/TLS man-in-the-middle vulnerabilities in Android apps.2014.[doi:10.14722/ndss.2014.23205]
[39]Wei X,Gomez L,Neamtiu I,Faloutsos M.Permission evolution in the Android ecosystem.In:Proc.of the 28th Annual Computer Security Applications Conf.ACM Press,2012.31-40.[doi:10.1145/2420950.2420956]
[40]Lu L,Li Z,Wu Z,Lee W,Jiang G.Chex:Statically vetting android apps for component hijacking vulnerabilities.In:Proc.of the2012 ACM Conf.on Computer and Communications Security.ACM Press,2012.229-240.[doi:10.1145/2382196.2382223]
[41]Li T,Zhou X,Xing L,Lee Y,Naveed M,Wang X,Han X.Mayhem in the push clouds:Understanding and mitigating security hazards in mobile pushmessaging services.In:Proc.of the 2014 ACM SIGSAC Conf.on Computer and Communications Security.ACM Press,2014.978-989.[doi:10.1145/2660267.2660302]
[42]Cybercriminals use Google cloud messaging to control malware on Android devices.http://www.pcworld.com/article/2046642/cybercriminals-usegoogle-cloud-messagingservice-tocontrol-malware-on-android-devices.html
[2]Wang R,Zhou Y,Chen S,Qadeer S,Evans D,Gurevich Y.Explicating SDKs:Uncovering assumptions underlying secure authentication and authorization.In:Proc.of the USENIX Security.2013.399-414.
[3]Google maps API.https://developers.google.com/maps/
[4]Pay Pal.https://developer.paypal.com/
[5]Permission mapping for Android 2.2.3-4.1.1.http://pscout.csl.toronto.edu/
[6]Amazon Webservices.http://aws.amazon.com/
[7]Book T,Pridgen A,Wallach DS.Longitudinal analysis of android ad library permissions.In:Proc.of the Mo ST 2013.IEEE,2013.
[8]Enck W,Octeau D,Mc Daniel P,Swarat C.A study of android application security.In:Proc.of the USENIX Security 2011.USENIX,2011.
[9]Grace M,Zhou W,Jiang X,Sadeghi AR.Unsafe exposure analysis of mobile in-app advertisements.In:Proc.of the WISEC 2012.ACM Press,2012.[doi:10.1145/2185448.2185464]
[10]Seo J,Kim D,Cho D,Kim T,Shin I.Flex Droid:Enforcing in-app privilege separation in Android.In:Proc.of the NDSS 2016.2016.
[11]Stevens R,Gibler C,Crussell J,Erickson J,Chen H.Investigating user privacy in Android ad libraries.In:Proc.of the Mo ST 2012.IEEE,2012.
[12]The Hacker News.Warning:18 000 Android apps contains code that spy on your text messages.2016.http://thehackernews.com/2015/10/android-appssteal-sms.html
[13]The Hacker News.Backdoor in Baidu Android SDK puts 100 million devices at risk.2016.http://thehackernews.com/2015/11/androidmalware-backdoor.html
[14]Parse Blog.Discovering a major security hole in facebooks Android SDK.2016.http://blog.parse.com/learn/engineering/discoveringa-majorsecurity-hole-in-facebooks-android-sdk
[15]Poeplau S,Fratantonio Y,Bianchi A,Kruegel C,Vigna G.Execute this!Analyzing unsafe and malicious dynamic code loading in Android applications.In:Proc.of the NDSS 2014.San Diego,2014.[doi:10.14722/ndss.2014.23328]
[16]Support V.Security vulnerability in Android SDKs prior to 3.3.0.2016.https://support.vungle.com/hc/en-us/articles/205142650-Security-Vulnerability-in-Android SDKs-prior-to-3-3-0
[17]The Hacker News.Facebook SDK vulnerability puts millions of smartphone users accounts at risk.2016.http://thehackernews.com/2014/07/facebook-sdkvulnerabilityputs.html
[18]Dropbox Blog.Security bug resolved in the dropbox SDKs for android.2016.https://blogs.dropbox.com/developers/2015/03/securitybug-resolved-in-thedropbox-sdks-for-android
[19]Shekhar S,Dietz M,Wallach DS.Adsplit:Separating smartphone advertising from applications.In:Proc.of the USENIX Security2012.USENIX,2012.
[20]Pearce P,Porter Felt A,Nunez G,Wagner D.Ad Droid:Privilege separation for applications and advertisers in Android.In:Proc.of the ASIACCS 2012.ACM Press,2012.[doi:10.1145/2414456.2414498]
[21]Yang W,Li J,Zhang Y,Li Y,Shu J,Gu D.Apklancet:Tumor payload diagnosis and purification for android applications.In:Proc.of the ASIACCS 2014.ACM Press,2014.[doi:10.1145/2590296.2590314]
[22]Setting the record straight on moplus SDK and the wormhole vulnerability.http://blog.trendmicro.com/trendlabs-securityintel ligence/setting-the-recordstraight-on-moplus-sdk-and-thewormhole-vulnerability/
[23]Guard Square.Proguard java obfuscator.http://proguard.sourceforge.net
[24]Gibler C,Crussell J,Erickson J,Chen H.Androidleaks:Automatically detecting potential privacy leaks in Android applications on a large scale.In:Proc.of the TRUST 2012.Springer-Verlag,2012.[doi:10.1007/978-3-642-30921-2_17]
[25]Arzt S,Rasthofer S,Fritz C,Bodden E,Bartel A,Klein J,le Traon Y,Octeau D,Mc Daniel P.Flowdroid:Precise context,flow,field,object-sensitive and lifecycle-aware taint analysis for Android apps.In:Proc.of the PLDI 2014.2014.[doi:10.1145/2594291.2594299]
[26]Wei FG,Roy S,Ou XM,Robby.Amandroid:A precise and general inter-component data flow analysis framework for security vetting of Android apps.In:Proc.of the CCS 2014.ACM Press,2014.[doi:10.1145/2660267.2660357]
[27]Gordon MI,Kim D,Perkins J,Gilham L,Nguyen N,Rinard M.Information-Flow analysis of Android applications in Droid Safe.In:Proc.of the NDSS 2015.2015.[doi:10.14722/ndss.2015.23089]
[28]Backes M,Bugiel S,Derr E,Gerling S,Hammer C.RDroid:Leveraging Android app analysis with static slice optimization.In:Proc.of the ASIACCS 2016.ACM Press,2016.[doi:10.1145/2897845.2897927]
[29]Wijesekera P,Baokar A,Hosseini A,Egelman S,Wagner D,Beznosov K.Android permissions remystified:A field study on contextual integrity.In:Proc.of the USENIX Security 2015.USENIX,2015.
[30]Oltrogge M,Acar Y,Dechand S,Smith M,Fahl S.To pin or not to pinhelping app developers bullet proof their TLS connections.In:Proc.of the USENIX Security 2015.USENIX,2015.
[31]Fahl S,Harbach M,Muders T,Baumg?rtner L,Freisleben B,Smith M.Why eve and mallory love Android:An analysis of Android ssl(in)security.In:Proc.of the CCS 2012.ACM Press,2012.[doi:10.1145/2382196.2382205]
[32]Egele M,Brumley D,Fratantonio Y,Kruegel C.An empirical study of cryptographic misuse in Android applications.In:Proc.of the CCS 2013.ACM Press,2013.[doi:10.1145/2508859.2516693]
[33]Ad Mob.https://developers.google.com/admob/
[34]Permission mapping for Android 4.1.1-5.1.1.http://pscout.csl.toronto.edu/
[35]SOOT.https://sable.github.io/soot/
[36]Au KWY,Zhou YF,Huang Z,Lie D.Pscout:Analyzing the Android permission specification.In:Proc.of the 2012 ACM Conf.on Computer and Communications Security.ACM Press,2012.217-228.[doi:10.1145/2382196.2382222]
[37]Cui X,Wang J,Hui LC,Xie Z,Zeng T,Yiu S.Wechecker:Efficient and precise detection of privilege escalation vulnerabilities in Android apps.In:Proc.of the 8th ACM Conf.on Security&Privacy in Wireless and Mobile Networks.ACM Press,2015.[doi:10.1145/2766498.2766509]
[38]Greenwood DSJSG,Khan ZLL.Smv-Hunter:Large scale,automated detection of SSL/TLS man-in-the-middle vulnerabilities in Android apps.2014.[doi:10.14722/ndss.2014.23205]
[39]Wei X,Gomez L,Neamtiu I,Faloutsos M.Permission evolution in the Android ecosystem.In:Proc.of the 28th Annual Computer Security Applications Conf.ACM Press,2012.31-40.[doi:10.1145/2420950.2420956]
[40]Lu L,Li Z,Wu Z,Lee W,Jiang G.Chex:Statically vetting android apps for component hijacking vulnerabilities.In:Proc.of the2012 ACM Conf.on Computer and Communications Security.ACM Press,2012.229-240.[doi:10.1145/2382196.2382223]
[41]Li T,Zhou X,Xing L,Lee Y,Naveed M,Wang X,Han X.Mayhem in the push clouds:Understanding and mitigating security hazards in mobile pushmessaging services.In:Proc.of the 2014 ACM SIGSAC Conf.on Computer and Communications Security.ACM Press,2014.978-989.[doi:10.1145/2660267.2660302]
[42]Cybercriminals use Google cloud messaging to control malware on Android devices.http://www.pcworld.com/article/2046642/cybercriminals-usegoogle-cloud-messagingservice-tocontrol-malware-on-android-devices.html