Research and Implementation of Security Management and Control for Mobile Applications in BYOD Scenarios
Published: 2018-11-22 07:50
[Abstract]: In recent years, with the spread of bring-your-own-device (BYOD) working, enterprise employees increasingly use personal mobile devices to access company resources. Using the same device to access both enterprise data and personal data introduces new security threats, such as leakage of confidential enterprise data. Existing BYOD solutions lack multi-entity management, support for role-based access control (RBAC) and fine-grained data access control, and therefore cannot solve the key problem of external enterprise cooperation, where one device must access the resources of several companies. In this thesis we implement AppShield, a cross-platform solution for both Android and iOS devices. Beyond the most basic requirements, such as sharing and isolating local enterprise data, it further supports multi-entity management, file-level fine-grained permission management and RBAC, and it requires no modification of the operating system. Because iOS is closed source and allows little further research, this thesis mainly presents the design and implementation of the Android side, which consists of: (1) an application rewriting framework that automatically injects the hook code for enterprise mobile application management (MAM) features into ordinary applications in order to build enterprise applications; and (2) a cross-platform, proxy-based data access mechanism used to isolate, share and securely control enterprise data. In small-scale testing, more than 90% of applications correctly enforced the system's security policy. In large-scale testing, fewer than 5% of applications crashed at runtime, demonstrating the effectiveness and reliability of AppShield. The system does introduce some performance overhead and slightly increases memory consumption and code size. In addition, the growing amount of advertising in mobile applications degrades the user experience to some extent. So that IT administrators deploying AppShield can understand an application's advertising behaviour before selecting it as an enterprise application, this thesis also proposes an Android advertising behaviour analysis system. Advertisements are first divided into types according to their behaviour, such as offerwall ads and embedded ads; a set of ad-type features is then extracted by manual analysis, and these features are used for static and dynamic analysis of applications. In large-scale testing of applications, the accuracy of the advertising analysis exceeded 85%.
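The abstract's proxy-based data access mechanism combines three checks: isolation of each enterprise's (entity's) storage, file-level permissions, and RBAC, with one user possibly holding roles in several entities (the external-cooperation case). The following Python model, added here as an illustration and not taken from the AppShield implementation or the thesis, shows how such a proxy can decide every file operation before it reaches the filesystem. The entity names, paths, roles and rules are constructed sample data, and the `DataAccessProxy` class and its methods are hypothetical.

```python
"""Hypothetical model of a multi-entity, file-level RBAC data-access proxy.
Added example only; not AppShield's code. All names and paths are constructed."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from pathlib import PurePosixPath
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """Members of `role` may perform `ops` on files matching `path_glob` (relative to the entity root)."""
    role: str
    path_glob: str
    ops: FrozenSet[str]


@dataclass
class Entity:
    """One managed enterprise (tenant). Its data lives under `root`; other tenants' roots are off limits."""
    name: str
    root: str
    members: Dict[str, Set[str]] = field(default_factory=dict)  # user -> roles held in this entity
    rules: List[Rule] = field(default_factory=list)


class DataAccessProxy:
    """Mediates every file operation an enterprise app attempts and records the decision."""

    def __init__(self, entities: List[Entity]) -> None:
        self.entities = {e.name: e for e in entities}
        self.audit: List[Tuple[str, str, str, str, bool, str]] = []

    @staticmethod
    def _inside_root(entity: Entity, path: str) -> bool:
        # Isolation: absolute path, no traversal components, and strictly below the entity's root.
        p = PurePosixPath(path)
        if not p.is_absolute() or ".." in p.parts:
            return False
        return PurePosixPath(entity.root) in p.parents

    def check(self, entity_name: str, user: str, path: str, op: str) -> bool:
        entity = self.entities.get(entity_name)
        decision, reason = False, "unknown entity"
        if entity is not None:
            if not self._inside_root(entity, path):
                reason = "path outside entity storage"
            else:
                roles = entity.members.get(user, set())
                relative = str(PurePosixPath(path).relative_to(entity.root))
                # RBAC + file-level permission: some role of the user must grant `op` on this file.
                if any(r.role in roles and op in r.ops and fnmatch(relative, r.path_glob)
                       for r in entity.rules):
                    decision, reason = True, "matched rule"
                else:
                    reason = "no matching rule"
        self.audit.append((entity_name, user, path, op, decision, reason))
        return decision

    def read(self, entity_name: str, user: str, path: str, files: Dict[str, bytes]) -> bytes:
        """Proxy read: the app never touches `files` (the stand-in for storage) unless check() allows it."""
        if not self.check(entity_name, user, path, "read"):
            raise PermissionError(f"{user} may not read {path} in {entity_name}")
        return files[path]


def build_demo_proxy() -> DataAccessProxy:
    """Constructed sample policy: alice is finance at acme and an external partner at globex."""
    acme = Entity(
        name="acme", root="/enterprise/acme",
        members={"alice": {"finance"}, "bob": {"sales"}},
        rules=[Rule("finance", "finance/*", frozenset({"read", "write"})),
               Rule("sales", "shared/*", frozenset({"read"}))],
    )
    globex = Entity(
        name="globex", root="/enterprise/globex",
        members={"alice": {"partner"}},
        rules=[Rule("partner", "plans/*", frozenset({"read"}))],
    )
    return DataAccessProxy([acme, globex])


if __name__ == "__main__":
    proxy = build_demo_proxy()
    store = {"/enterprise/globex/plans/roadmap.pdf": b"constructed sample content"}
    print(proxy.read("globex", "alice", "/enterprise/globex/plans/roadmap.pdf", store))
    try:
        proxy.read("acme", "bob", "/enterprise/acme/../globex/plans/roadmap.pdf", store)
    except PermissionError as exc:
        print("denied:", exc)
    for entry in proxy.audit:
        print(entry)
```

The isolation check runs before the role lookup on purpose: a user's roles in one entity must never be consulted for a path that belongs to another entity, and traversal components are rejected outright rather than normalised, so the audit record shows the path exactly as the application requested it.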
[Degree-granting institution]: Zhejiang University
[Degree level]: Master's
[Year degree granted]: 2017
[Classification number]: TP311.52;TP309
Article ID: 2348569
Link: https://www.wllwen.com/wenyilunwen/guanggaoshejilunwen/2348569.html