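Research on Fine-Grained Access Control for Android Hybrid Applications
Published: 2018-05-30 06:52
Topics: Android + hybrid applications; Source: Huazhong University of Science and Technology, 2016 master's thesis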
[Abstract]: The rapid spread of smart mobile devices has attracted many developers to build a rich variety of applications that provide convenient services. Recently, as mobile device performance has improved and mobile Web technologies represented by HTML5 have developed, a new kind of HTML5-based hybrid application has become increasingly popular with developers because it is convenient to develop and highly portable. On platforms such as Android, iOS and Windows Phone, hybrid applications, also called mobile web applications, use the system's built-in browser component, WebView, to load HTML5 pages and execute JavaScript scripts. Unlike native applications on mobile platforms, a hybrid application contains Web-side code that implements the application's functional logic and native code that accesses device system resources, and the WebView component provides several bridging mechanisms for communication between the Web-side code and the native code. This new feature enriches application functionality but also introduces new security problems. The thesis first studies the security of Android hybrid applications. Drawing on the characteristics of the hybrid application software architecture and of middleware development frameworks, it systematically analyzes the security model of hybrid applications and the security problems that can arise. It points out that the main cause of security problems in Android hybrid applications is that the core component, WebView, breaks the sandbox model of traditional browser applications when it introduces new features, so that Web content loaded in a hybrid application can access system resources on the device, while the Android system provides no system-level mechanism for access control over such accesses. To address this problem, the thesis proposes a fine-grained access control model based on PhoneGap, a middleware development framework for hybrid applications. The model encapsulates access operations on system resources as PhoneGap plugins and grants web content from the different origins that a hybrid application may load access rights to different plugins, thereby controlling web code's access to system resources. Experimental analysis shows that the proposed access control model effectively controls access to system resources by Web content loaded in WebView, and that the computational overhead introduced by the framework is very low, with almost no effect on application performance.
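The per-origin plugin authorization that the abstract describes can be expressed as a default-deny lookup placed in front of plugin dispatch. This is an added example, not code from the thesis or from PhoneGap: the policy table, plugin names, URLs and the helpers `originKey`, `checkPluginAccess` and `dispatch` are hypothetical, and the check is assumed to run in trusted code outside the page being checked.

```javascript
// Added example: per-origin plugin allowlist with default deny.
// Policy entries, plugin names and URLs are constructed for illustration.
const POLICY = new Map([
  // Assumption: pages bundled with the app (file:) share one 'local' origin.
  ['local', new Set(['Camera', 'Contacts', 'File', 'Geolocation'])],
  ['https://api.example.com', new Set(['Geolocation'])],
  ['https://ads.example.net', new Set()], // may be loaded, no device access
]);

// Reduce a URL to the origin key used in POLICY.
// Unparsable URLs and opaque origins (data:, about:, javascript:) yield
// null, which the caller treats as "deny".
function originKey(url) {
  let u;
  try { u = new URL(url); } catch (e) { return null; }
  if (u.protocol === 'file:') return 'local';
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
  return u.origin; // scheme://host[:port], lower-cased, default port dropped
}

// Decide whether content loaded from callerUrl may invoke a plugin.
// Unknown origins and unlisted plugins are both denied.
function checkPluginAccess(callerUrl, plugin) {
  const key = originKey(callerUrl);
  const allowed = key === null ? undefined : POLICY.get(key);
  const permit = allowed !== undefined && allowed.has(plugin);
  return { origin: key, plugin, permit };
}

// Gate in front of plugin dispatch: the plugin action runs only if the
// calling origin holds the right for that plugin.
function dispatch(callerUrl, plugin, action, plugins) {
  const decision = checkPluginAccess(callerUrl, plugin);
  if (!decision.permit) {
    return { status: 'DENIED', origin: decision.origin, plugin };
  }
  return { status: 'OK', result: plugins[plugin][action]() };
}
```

The key is the full origin (scheme, host and port), so a plain-HTTP copy of an allowed host or a look-alike host that merely starts with an allowed name does not inherit its rights.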
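[Degree-granting institution]: Huazhong University of Science and Technology
[Degree level]: Master's
[Year degree granted]: 2016
[Classification numbers]: TP316; TP309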