网络与信息安全学报 (Chinese Journal of Network and Information Security), 2016, Issue 12. DOI: 10.11959/j.issn.2096-109x.2016.00134
面向服务端私有Web API的自动发现技术研究 (Research on automatic discovery of private server-side Web APIs)
Toward discovering and exploiting private server-side Web API
Jia CHEN 1, Shan-qing GUO 1,2
1 School of Computer Science and Technology, Shandong University, Jinan 250101, China
2 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan 250101, China

Abstract: Most of the interfaces through which mobile applications talk to their servers are Web APIs, but the Web APIs these applications introduce can bring new security problems. To make these Web APIs easier to study, a system that automatically discovers the server-side Web API interfaces contained in an APK was designed and implemented on top of a conventional Android program testing framework. The system supports security research on private server-side Web API interfaces.

Key words: Web API, Android App, static analysis, dynamic analysis
Published: 2016-12-28
Figure 1   Youku user registration page
Figure 2   System architecture
Figure 3   Smali code corresponding to the request-sending calls of three network clients
Figure 4   Network call tree generated from the Smali code
Figure 5   Smali code fragment
Figure 6   Parameters required by the web-side registration interface
Figure 7   Youku mobile login interface
Figure 8   A message successfully sent through the SMS verification code interface
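The abstract and Figures 3 and 4 describe the static half of the system: find the Smali code through which each network client sends a request, recover the endpoint it targets, and build a call tree leading to that code. The script below is an added example written for this page, not the paper's implementation. It assumes two request sinks (the java.net.URL constructor used with HttpURLConnection, and Volley's StringRequest constructor; the paper's own three clients are not reproduced), tracks const-string values per method in a flow-insensitive way (last assignment wins, a move-result clears the register), and runs over a constructed two-file Smali sample whose class, method and URL names are all made up.

```python
# Added example, not the paper's system: scan Smali for calls to assumed HTTP-client "sinks"
# (the String argument is the request URL), recover that URL constant, and walk the call graph
# back to the UI code that triggers the request.  Sink signatures and sample Smali are constructed.
import re
from collections import defaultdict

NETWORK_SINKS = {
    "Ljava/net/URL;-><init>(Ljava/lang/String;)V": "HttpURLConnection",
    "Lcom/android/volley/toolbox/StringRequest;-><init>(ILjava/lang/String;"
    "Lcom/android/volley/Response$Listener;Lcom/android/volley/Response$ErrorListener;)V": "Volley",
}
CLASS_RE = re.compile(r"^\.class\s+(?:\w+\s+)*(L[^;]+;)")
METHOD_RE = re.compile(r"^\.method\s+(?:\w+\s+)*(\S+)")
CONST_STR_RE = re.compile(r'^\s*const-string(?:/jumbo)?\s+([vp]\d+),\s*"((?:[^"\\]|\\.)*)"')
MOVE_RESULT_RE = re.compile(r"^\s*move-result(?:-object|-wide)?\s+([vp]\d+)")
INVOKE_RE = re.compile(r"^\s*invoke-\w+(?:/range)?\s+\{([^}]*)\},\s*(\S+)")
URL_RE = re.compile(r"^(https?://|/)")

def expand_registers(spec):
    """Expand "v1, v0" or the range form "v0 .. v4" (invoke-*/range) into a register list."""
    if ".." in spec:
        lo, hi = (s.strip() for s in spec.split(".."))
        return [lo[0] + str(i) for i in range(int(lo[1:]), int(hi[1:]) + 1)]
    return [r.strip() for r in spec.split(",") if r.strip()]

def scan_smali(files):
    """{path: smali} -> (endpoints [(client, url, sending_method)], callgraph {caller: callees}).
    Constants are tracked per method, last assignment wins, move-result clears a register."""
    endpoints, callgraph = [], defaultdict(set)
    for text in files.values():
        cls, method, regs = None, None, {}
        for line in text.splitlines():
            if m := CLASS_RE.match(line):
                cls = m.group(1)
            elif m := METHOD_RE.match(line):
                method, regs = f"{cls}->{m.group(1)}", {}
            elif line.strip() == ".end method":
                method = None
            elif method is None:
                continue
            elif m := CONST_STR_RE.match(line):
                regs[m.group(1)] = m.group(2)
            elif m := MOVE_RESULT_RE.match(line):
                regs.pop(m.group(1), None)
            elif m := INVOKE_RE.match(line):
                callee = m.group(2)
                callgraph[method].add(callee)
                if client := NETWORK_SINKS.get(callee):
                    for val in (regs.get(r) for r in expand_registers(m.group(1))):
                        if val and URL_RE.match(val):
                            endpoints.append((client, val, method))
    return endpoints, dict(callgraph)

def call_chains(callgraph, sink_method, max_depth=8):
    """Reverse the call graph and walk from the sending method up to methods nobody
    calls (UI callbacks, lifecycle entry points); recursion is cut by the path check."""
    callers = defaultdict(set)
    for caller, callees in callgraph.items():
        for callee in callees:
            callers[callee].add(caller)
    chains = []
    def walk(node, path):
        parents = [p for p in sorted(callers.get(node, ())) if p not in path]
        if not parents or len(path) >= max_depth:
            chains.append(list(reversed(path)))
            return
        for p in parents:
            walk(p, path + [p])
    walk(sink_method, [sink_method])
    return chains

def discover(files):
    """url -> {client, sink_method, chains} for every endpoint found."""
    endpoints, graph = scan_smali(files)
    return {url: {"client": c, "sink_method": s, "chains": [" -> ".join(p) for p in call_chains(graph, s)]}
            for c, url, s in endpoints}

# Constructed sample (not from the paper): a network helper and the Activity that calls it.
SAMPLE_SMALI = {
    "com/example/app/net/ApiClient.smali": """\
.class public Lcom/example/app/net/ApiClient;
.method public login(Ljava/lang/String;Ljava/lang/String;)V
    const-string v0, "https://api.example.com/v3/user/login"
    invoke-direct {v1, v0}, Ljava/net/URL;-><init>(Ljava/lang/String;)V
    invoke-virtual {v1}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
    move-result-object v0
.end method
.method public register(Ljava/lang/String;)V
    const-string v2, "https://api.example.com/v3/user/register"
    invoke-direct/range {v0 .. v4}, Lcom/android/volley/toolbox/StringRequest;-><init>(ILjava/lang/String;Lcom/android/volley/Response$Listener;Lcom/android/volley/Response$ErrorListener;)V
.end method
""",
    "com/example/app/LoginActivity.smali": """\
.class public Lcom/example/app/LoginActivity;
.method public onClick(Landroid/view/View;)V
    invoke-virtual {v0, p1, p1}, Lcom/example/app/net/ApiClient;->login(Ljava/lang/String;Ljava/lang/String;)V
.end method
""",
}
```

`discover(SAMPLE_SMALI)` maps each discovered URL to its client library and to the chain from the UI callback down to the method that sends the request; on a real target the input dictionary would be the `.smali` files produced by apktool. The approach only sees URLs that exist as string literals in the same method as the sink; endpoints assembled at runtime (StringBuilder, String.format, values pulled from configuration) are invisible to it, which is the kind of gap the dynamic-analysis half of the system is there to close.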


Copyright © 2015 Editorial Office of 网络与信息安全学报 (Chinese Journal of Network and Information Security)