
Analysis of JavaScript Usage Patterns and Their Security Vulnerabilities in Android Applications

Published: 2019-06-24 09:35
[Abstract]: In recent years, security vulnerabilities in Android applications have grown rapidly. Because most Android applications need to access Web pages, JavaScript-related vulnerabilities account for 40% of these vulnerabilities and seriously threaten users' privacy. However, current research on JavaScript security vulnerabilities in Android applications has three shortcomings: first, it has not comprehensively studied the causes and attack methods of all types of JavaScript security vulnerabilities; second, it has not surveyed the current state of JavaScript usage patterns and their security vulnerabilities in Android applications; third, it has not produced a publicly available JavaScript vulnerability detection tool. To address these problems, this thesis does three main pieces of work. 1. It first carries out an empirical analysis of JavaScript usage and the related security vulnerabilities in the 100 most popular Android applications. From this analysis, the thesis summarizes four common JavaScript usage patterns in Android applications and finds that three of them, if used improperly, lead to three corresponding JavaScript security vulnerabilities; for each vulnerability it analyzes the cause and builds an attack model. In addition, the thesis summarizes the distribution of these JavaScript usage patterns and their vulnerabilities across the 100 Android applications and reports the vulnerabilities found to the applications' developers. 2. It then designs and implements a prototype tool, JSDroid, for automatically detecting all types of JavaScript security vulnerabilities in Android applications. JSDroid is based on static analysis: it parses the application's code and resources from the input APK file, analyzes the JavaScript usage patterns the application uses, the JavaScript security vulnerabilities present and the attack entry points exposed, and outputs a vulnerability detection report. The tool can check a large number of Android applications in one run and also provides a clean, attractive interactive interface that makes it convenient to use. 3. It uses JSDroid to run experiments on 1000 popular Android applications, to understand the state of JavaScript security across a large number of Android applications and to evaluate the tool's performance. First, the experiments found that 806 applications use JavaScript, of which 708 contain at least one JavaScript security vulnerability and 192 can be attacked. Second, the tool's good performance is verified by analyzing its effectiveness and efficiency and by comparing its experimental results with those of related work. Then, the thesis selects 30 vulnerable applications for attack testing and gives a detailed case analysis. Finally, it gives recommendations to developers and to users for reducing JavaScript security risks in Android applications.
[Degree-granting institution]: Nanjing University of Science and Technology
[Degree level]: Master's
[Year degree awarded]: 2017
[Classification number]: TP316;TP309


Article ID: 2504955


Article link: http://sikaile.net/kejilunwen/ruanjiangongchenglunwen/2504955.html

