Android应用中的JavaScript使用模式及其安全漏洞分析
发布时间:2019-06-24 09:35
【摘要】:近年来,Android应用中的安全漏洞迅速增长。由于大部分Android应用需要访问Web页面,导致JavaScript相关的安全漏洞占据了这些安全漏洞的40%,严重威胁到用户的隐私安全。然而,目前业界对于Android应用中JavaScript安全漏洞的研究存在三点不足:一是没有全面研究所有类型JavaScript安全漏洞的形成原因和攻击方式;二是没有调研Android应用中JavaScript使用模式及其安全漏洞的现状;三是没有给出一个公开可用的JavaScript安全漏洞检测工具。为解决上述问题,本文做了以下三个主要工作:1.首先针对100个最流行的Android应用中的JavaScript使用及其安全漏洞进行实证分析。通过实证分析,本文总结出Android应用中常见的四种JavaScript使用模式,发现其中三种模式若使用不当会分别导致三种对应的JavaScript安全漏洞,并对每种漏洞分析其形成原因和建立攻击模型。另外,本文统计归纳出这些JavaScript使用模式及其安全漏洞在100个Android应用中的分布现状,并将发现的漏洞反馈给应用的开发者。2.进一步设计并实现一个原型工具JSDroid,用于自动化检测Android应用中所有类型的JavaScript安全漏洞。JSDroid工具基于静态分析技术实现,能够从输入的APK文件中解析出应用的代码和资源,分析应用使用到的JavaScript模式、存在的JavaScript安全漏洞以及暴露的攻击入口,并输出漏洞检测报告。该工具不仅能够一次对大量Android应用进行漏洞检测,还提供简洁美观的交互界面,方便使用。3.使用JSDroid工具对1000个流行的Android应用进行实验,了解大量Android应用中的JavaScript安全现状,并评估工具的性能。首先,实验发现共有806个应用使用JavaScript,其中有708个应用包含至少一种JavaScript安全漏洞,192个应用可以被攻击。其次,通过分析有效性和效率,以及与相关工作的实验效果进行对比,验证了工具的良好性能。然后,本文选取30个存在漏洞的应用进行攻击测试,并给出详细的案例分析。最后,对开发者和用户分别给出有效建议,以减少Android应用中的JavaScript安全风险。
[Abstract]:In recent years, security vulnerabilities in Android applications have grown rapidly. Because most Android applications require access to the Web page, JavaScript-related security vulnerabilities take up 40% of these security vulnerabilities and pose a serious threat to the privacy of users. However, there are three defects in the research of the JavaScript security hole in the Android application: one is the reason and the attack mode of the type JavaScript security hole of the comprehensive research institute, and the second is the current situation of the JavaScript usage pattern and the security hole in the Android application. Third, a publicly available JavaScript security vulnerability detection tool is not given. In order to solve the above problems, the following three main work is done:1. First of all, the paper makes an empirical analysis of the use of JavaScript in the 100 most popular Android applications and its security vulnerabilities. Through the empirical analysis, this paper sums up four kinds of JavaScript usage patterns that are common in the Android application, and finds that if the three modes are used improperly, the three corresponding JavaScript security holes can be caused respectively, and the cause of the formation and the attack model are analyzed for each vulnerability. In addition, this paper summarizes the distribution of these JavaScript usage patterns and their security vulnerabilities in 100 Android applications, and feeds back the discovered vulnerabilities to the developers of the application. Further design and implement a prototype tool JDroid for automated detection of all types of JavaScript security vulnerabilities in an Android application. The JDroid tool is implemented based on static analysis technology, can analyze the code and resources of the application from the input APK file, analyze the JavaScript mode used in the application, the JavaScript security vulnerability existing and the exposed attack portal, and output the vulnerability detection report. The tool not only can detect a large number of Android applications at a time, but also provides a simple and beautiful interactive interface, and is convenient to use. Use the JDroid tool to experiment with 1000 popular Android applications to understand the security status of JavaScript in a large number of Android applications and to evaluate the performance of the tool. First, the lab found a total of 806 applications using JavaScript, with 708 applications including at least one JavaScript security breach, and 192 applications can be attacked. Secondly, the good performance of the tool is verified by analyzing the effectiveness and efficiency, and comparing with the experimental results of the related work. Then, this paper selects 30 existing vulnerabilities to attack and test, and gives a detailed case analysis. Finally, an effective recommendation is given to the developer and the user to reduce the JavaScript security risk in the Android application.
【学位授予单位】:南京理工大学
【学位级别】:硕士
【学位授予年份】:2017
【分类号】:TP316;TP309
本文编号:2504955
[Abstract]:In recent years, security vulnerabilities in Android applications have grown rapidly. Because most Android applications require access to the Web page, JavaScript-related security vulnerabilities take up 40% of these security vulnerabilities and pose a serious threat to the privacy of users. However, there are three defects in the research of the JavaScript security hole in the Android application: one is the reason and the attack mode of the type JavaScript security hole of the comprehensive research institute, and the second is the current situation of the JavaScript usage pattern and the security hole in the Android application. Third, a publicly available JavaScript security vulnerability detection tool is not given. In order to solve the above problems, the following three main work is done:1. First of all, the paper makes an empirical analysis of the use of JavaScript in the 100 most popular Android applications and its security vulnerabilities. Through the empirical analysis, this paper sums up four kinds of JavaScript usage patterns that are common in the Android application, and finds that if the three modes are used improperly, the three corresponding JavaScript security holes can be caused respectively, and the cause of the formation and the attack model are analyzed for each vulnerability. In addition, this paper summarizes the distribution of these JavaScript usage patterns and their security vulnerabilities in 100 Android applications, and feeds back the discovered vulnerabilities to the developers of the application. Further design and implement a prototype tool JDroid for automated detection of all types of JavaScript security vulnerabilities in an Android application. The JDroid tool is implemented based on static analysis technology, can analyze the code and resources of the application from the input APK file, analyze the JavaScript mode used in the application, the JavaScript security vulnerability existing and the exposed attack portal, and output the vulnerability detection report. The tool not only can detect a large number of Android applications at a time, but also provides a simple and beautiful interactive interface, and is convenient to use. Use the JDroid tool to experiment with 1000 popular Android applications to understand the security status of JavaScript in a large number of Android applications and to evaluate the performance of the tool. First, the lab found a total of 806 applications using JavaScript, with 708 applications including at least one JavaScript security breach, and 192 applications can be attacked. Secondly, the good performance of the tool is verified by analyzing the effectiveness and efficiency, and comparing with the experimental results of the related work. Then, this paper selects 30 existing vulnerabilities to attack and test, and gives a detailed case analysis. Finally, an effective recommendation is given to the developer and the user to reduce the JavaScript security risk in the Android application.
【学位授予单位】:南京理工大学
【学位级别】:硕士
【学位授予年份】:2017
【分类号】:TP316;TP309
【参考文献】
相关期刊论文 前1条
1 叶嘉羲;张权;王剑;;基于权限控制和脚本检测的Webview漏洞防护方案研究[J];信息网络安全;2015年03期
,本文编号:2504955
本文链接:https://www.wllwen.com/kejilunwen/ruanjiangongchenglunwen/2504955.html
