安卓云备份模块的代码安全问题分析

doi:10.11959/j.issn.2096-109x.2017.00132

网络与信息安全学报 ›› 2017, Vol. 3 ›› Issue (1): 68-78.doi: 10.11959/j.issn.2096-109x.2017.00132

• 学术论文 • 上一篇

安卓云备份模块的代码安全问题分析

梁蛟¹,刘武¹,韩伟力¹(),王晓阳¹,甘似禹²,沈烁³

¹ 上海市数据科学重点实验室（复旦大学），上海 201203
² 上海市信息投资股份有限公司，上海 200120
³ 中国科学院计算机网络信息中心，北京 100190

修回日期:2016-11-15 出版日期:2017-01-15 发布日期:2020-03-20
作者简介:梁蛟（1993-），女，山西忻州人，复旦大学硕士生，主要研究方向为云备份系统安全、访问控制。|刘武（1992-），男，湖南湘潭人，复旦大学硕士生，主要研究方向为云备份系统安全、访问控制。|韩伟力（1975-），男，浙江绍兴人，博士，复旦大学副教授，主要研究方向为访问控制、数字身份安全、网络与系统安全。|王晓阳（1960-），男，上海人，博士，复旦大学特聘教授、博士生导师，主要研究方向为数据库、并行式数据分析和信息安全。|甘似禹（1966-），男，江西抚州人，上海市信息投资股份有限公司大数据研究院高级工程师，主要研究方向为电子数据交换、数据质量和系统安全。|沈烁（1977-），男，辽宁阜新人，博士，中国科学院计算机网络信息中心物联网中心副主任、副研究员，主要研究方向为物联网标准体系、信息安全。
基金资助:
上海市科技创新行动计划基金资助项目(16DZ1100200);上海市科技创新行动计划基金资助项目(15511101500)

Code security of mobile backup modules on the Android platform

Jiao LIANG¹,Wu LIU¹,Wei-li HAN¹(),Xiao-yang WANG¹,Si-yu GAN²,Shuo SHEN³

¹ Shanghai Key Laboratory of Data Science, Fudan University, Shanghai 201203, China
² Shanghai Information Investment Inc, Shanghai 200120, China
³ Computer Network Information Center, Chinese Academy of Sciences, Beijing 100190, China

Revised:2016-11-15 Online:2017-01-15 Published:2020-03-20
Supported by:
The Shanghai Innovation Action Project(16DZ1100200);The Shanghai Innovation Action Project(15511101500)

摘要/Abstract

摘要：

随着移动端云备份服务的日益普及，为保障用户隐私数据不被泄露，研究第三方应用调用云备份软件开发工具包（SDK,software development kit）的安全问题变得尤为重要。通过对目前国内外安卓应用市场中调用云备份服务的普遍性进行调研，总结出4个当前主流的安卓云备份SDK。分析其SDK实现代码和官方文档，对比使用情况、协议和接口功能，总结和发现了第三方应用错误调用SDK以及云备份SDK自身存在的代码安全问题，同时向第三方开发者提供了相应的解决方案。

关键词: 移动云存储, 代码安全, 备份服务, 软件开发工具包

Abstract:

Since more and more third-party Android applications integrate backup services, the security issues of mobile backup modules are critical. By studying how widely these backup services were being used in the Android applications, the differences of code security about four mainstream Android backup SDK were investigated. After analyzing and comparing the usages, protocols and API functions of these SDK. Based on the above findings and three reported security issues of mobile backup services, the countermeasures for third-party application developers were suggested to securely call the SDK of mobile backup services.

Key words: mobile cloud storage, code security, backup services, SDK

中图分类号:

TP309

梁蛟,刘武,韩伟力,王晓阳,甘似禹,沈烁. 安卓云备份模块的代码安全问题分析[J]. 网络与信息安全学报, 2017, 3(1): 68-78.

Jiao LIANG,Wu LIU,Wei-li HAN,Xiao-yang WANG,Si-yu GAN,Shuo SHEN. Code security of mobile backup modules on the Android platform[J]. Chinese Journal of Network and Information Security, 2017, 3(1): 68-78.

图/表 5

图1

表1

表2

表3

图2

参考文献 54

[1]	BUYYA R , YEO S , VENUGOPAL S , et al. Cloud computing and emerging IT platforms: vision, hype, and reality for delivering computing as the 5th utility[J]. Future Generation Computer Sys-tems, 2009, 25 (6): 599-616.
[2]	[EB/OL]..
[3]	[EB/OL]..
[4]	[EB/OL]..
[5]	[EB/OL]..
[6]	HAY R , PELES O . Remote exploitation of the dropbox SDK for Android[EB/OL]. .
[7]	[EB/OL]..
[8]	[EB/OL]..
[9]	[EB/OL]..
[10]	[EB/OL]..
[11]	[EB/OL]..
[12]	[EB/OL]..
[13]	[EB/OL]..
[14]	VLADIMIROVA T , BANU R , SWEETING M N , et al. On-board security services in small satellites[C]// IETF RFC. 2000.
[15]	HARNIK D , PINKAS B , SHULMAN-PELEG A . Side channels in cloud services: deduplication in cloud storage[J]. IEEE Security＆Privacy[C]. 2010, 8 (6): 40-47.
[16]	RECORDON D , HARDT D . The OAuth 2.0 authorization frame-work[J]. Polymer, 2009, 50 (24): 5708-5712.
[17]	GOLDBERG A , BUFF R , SCHMITT A . A comparison of HTTP and HTTPS performance[J]. Computer Measurement Group, 1998.
[18]	SUN T , HAWKEY K , BEZNOSOV K . Systematically breaking and fixing OpenID security: formal analysis, semi-automated em-pirical evaluation, and practical countermeasures[J]. Computers＆Security, 2012, 31 (4): 465-483.
[19]	DURUMERIC Z , KASTEN J , ADRIAN D , et al. The Matter ofHeartbleed[C]// Conference on Internet Measurement, 2014: 475-488.
[20]	魏兴国 . HTTP 和 HTTPS 协议安全性分析[J]. 程序员， 2007 (7): 53-55.
	WEI X G , Security analysis of HTTP and HTTPS protocol[J]. The Programmer, 2007 (7): 53-55.
[21]	FAHL S , HARBACH M , MUDERS T , et al. Why eve and mallory love Android: an analysis of Android SSL (in)security[C]// ACM Conference on Computer and Communications Security. 2012: 50-61.
[22]	FAHL S , HARBACH M , PERL H , et al. Rethinking SSL develop-ment in an appified world[C]// ACM Sigsac Conference on Com-puter＆Communications Security. 2013: 49-60.
[23]	PATIL M A V , KALE M N D . Survey on secure authorized de-duplication in hybrid cloud[J]. International Journal on Recent and Innovation Trends in Computing and Communication. 2014, 2 (11): 3574-3577.
[24]	WANG X , YU H . How to break MD5 and other hash functions[C]// International Conference on Theory and Applications of Crypto-graphic Techniques. 2005: 561-561.
[25]	PULLS T . (More) Side channels in cloud storage[M]// Privacy and Identity Management for Life. Berlin Heidelberg: Springer 2011: 102-115.
[26]	BELLARE M , KEELVEEDHI S , RISTENPART T . DupLESS:server-aided encryption for deduplicated storage[C]// Usenix Con-ference on Security. 2013: 179-194.
[27]	LIU J , ASOKAN N , PINKAS B . Secure deduplication of encrypted data without additional independent servers[C]// The 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, 2015: 874-885.
[28]	XU J , CHANG E C , ZHOU J . Weak leakage-resilient client-side deduplication of encrypted data in cloud storage[C]// The 8th ACM SIGSAC Symposium on Information, Computer and Communica-tions Security. 2013: 195-206.
[29]	张天琪 . OAuth 协议安全性研究[J]. 信息网络安全， 2013, (3): 68-70.
	ZHANG T Q , Study on OAuth protocol security[J]. Netinfo Secu-rity, 2013 (3): 68-70.
[30]	HAMMER-LAHAV E . Introducing oauth 2.0[J]. Hueniverse, 2010.
[31]	PAI S , SHARMA Y , KUMAR S , et al. Formal verification of OAuth 2.0 using alloy framework[C]// The International Conference on Communication Systems and Network Technologies. 2011: 655-659.
[32]	CHARI S , JUTLA C S , ROY A . Universally composable security analysis of OAuth v2.0.[J]. Iacr Cryptology Eprint Archive, 2011.
[33]	SLACK Q , FROSTIG R . OAuth 2.0 implicit grant flow analysis using Murphi[J].
[34]	ALESSANDRI T , BESCHI D , CASCIARO S , et al. The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems[C]// ACM Conference on Computer and Communications Security. 2012: 378-390.
[35]	MCGLOIN M , HUNT P , OAuth 2.0 Threat model and security considerations[J]. Internet Engineering Task Force (IETF) RFC, 2013:
[36]	KIANI K . How to secure your oauth implementation[EB/OL]. KIANI K . How to secure your oauth implementation[EB/OL]. .
[37]	WANG R , ZHOU Y , CHEN S , et al. Explicating SDKS: uncovering assumptions underlying secure authentication and authoriza-tion[C]// Presented as Part of the 22nd USENIX Security Sympo-sium. 2013: 399-314.
[38]	CHEN E Y , PEI Y , CHEN S , et al. Oauth demystified for mobile application developers[C]// The 2014 ACM SIGSAC Conference on Computer and Communications Security. ACM. 2014: 892-903.
[39]	WANG H , ZHANG Y , LI J , et al. Vulnerability assessment of oauth implementations in android applications[C]// The 31st Annual Computer Security Applications Conference. ACM. 2015: 61-70.
[40]	[EB/OL]..
[41]	[EB/OL]..
[42]	FERNANDES D A B , SOARES L F B , GOMES J V , et al. Security issues in cloud environments: a survey[J]. International Journal of Information Security, 2013, 13 (2): 113-170.
[43]	SUBASHINI S , KAVITHA V . A survey on security issues in ser-vice delivery models of cloud computing[J]. Journal of Network＆Computer Applications, 2011, 35 (1): 1-11.
[44]	CHOW R , GOLLE P , JAKOBSSON M , et al. Controlling data in the cloud: outsourcing computation without outsourcing control[J]. ACM Workshop on Cloud Computing Security, 2009: 85-90.
[45]	ATENIESE G , BURNS R , CURTMOLA R , et al. Provable data possession at untrusted stores[C]// ACM Conference on Computer and Communications Security. ACM, 2007: 598-609.
[46]	JUELS A , KALISKI B S . Pors: proofs of retrievability for large files[C]// ACM Conference on Computer and Communications Se-curity. ACM, 2007: 584-597.
[47]	BOWERS K D , JUELS A , OPREA A . Proofs of retrievability:theory and implementation[C]// ACM Cloud Computing Security Workshop 2009: 43-54.
[48]	ATENIESE G , PIETRO R D , MANCINI L V , et al. Scalable and effi-cient provable data possession.[C]// The 4th International Conference on Security and Privacy in Communication Networks. 2008: 1-10.
[49]	ERWAY C C , PAPAMANTHOU C , TAMASSIA R . Dynamic provable data possession[J]. ACM Transactions on Information＆System Security. 2009, 17 (4): 213-222.
[50]	QUINLAN S , DORWARD S . Venti: a new approach to archival storage[C]// The Conference on File and Storage Technologies. USENIX Association. 2002: 89-101.
[51]	DOUCEUR J R , ADYA A , BOLOSKY W J , et al. Reclaiming space from duplicate files in a serverless distributed file system[C]// The International Conference on Distributed Computing Systems. 2002: 617-624.
[52]	BELLARE M , KEELVEEDHI S . Interactive message-locked en-cryption and secure deduplication[M]// Public-Key Cryptography-PKC 2015. Berlin Heidelberg: Springer 2015: 516-538.
[53]	MULAZZANI M , SCHRITTWIESER S , LEITHNER M , et al. Dark clouds on the horizon: using cloud storage as attack vector and online slack space[C]// USENIX Security. 2011: 5.
[54]	[EB/OL]..

云备份服务	Google Play	酷安网
云备份服务	应用个数/个应用比例	应用个数/个	应用比例
Dropbox	122.79％	49	9.80％
Google Drive	153.49％	30	6.00％
OneDrive	40.93％	11	2.20％
百度云	00.00％	3	0.60％

云备份服务	Dropbox	Google Drive	OneDrive	百度云
文件管理特性	有	有	有	有
配额管理特性	有	有	有	有
批量处理特性	无	无	无	有
高级功能特性	无	无	无	有

云备份服务	通信协议	加密协议	去重协议	授权协议
Dropbox	HTTPS	无	无	OAuth 1.0/2.0
Google Drive	HTTPS	无	无	OAuth 2.0
OneDrive	HTTPS	无	无	OAuth 2.0
百度云	HTTPS	无	基于源的去重	OAuth 2.0

安卓云备份模块的代码安全问题分析

Code security of mobile backup modules on the Android platform

在线阅读

pdf下载

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 5

参考文献 54

相关文章 15

Metrics

推荐阅读 0

[1]	胡爱群, 方兰婷, 李涛. 基于仿生机理的内生安全防御体系研究[J]. 网络与信息安全学报, 2021, 7(1): 11-19.
[2]	周旺, 胡红钢, 俞能海. 快速响应的高效多值拜占庭共识方案[J]. 网络与信息安全学报, 2021, 7(1): 57-64.
[3]	曹琪, 阮树骅, 陈兴蜀, 兰晓, 张红霞, 金泓键. Hyperledger Fabric平台的国密算法嵌入研究[J]. 网络与信息安全学报, 2021, 7(1): 65-75.
[4]	沈剑, 周天祺, 王晨, 杨惠杰. 面向边缘计算的隐私保护密钥分配协议[J]. 网络与信息安全学报, 2021, 7(1): 93-100.
[5]	普黎明, 卫红权, 李星, 江逸茗. 面向云应用的拟态云服务架构[J]. 网络与信息安全学报, 2021, 7(1): 101-112.
[6]	赵明烽, Lei Chen, 钟洋, 熊金波. 移动边缘群智感知动态隐私度量模型与评价机制[J]. 网络与信息安全学报, 2021, 7(1): 157-166.
[7]	郭京城,舒辉,熊小兵,康绯. 基于代码碎片化的软件保护技术[J]. 网络与信息安全学报, 2020, 6(6): 57-68.
[8]	杨路辉,白惠文,刘光杰,戴跃伟. 基于可分离卷积的轻量级恶意域名检测模型[J]. 网络与信息安全学报, 2020, 6(6): 112-120.
[9]	王昊,吴天昊,朱孔林,张琳. 交叉口场景下基于区块链技术的匿名车辆身份认证方案[J]. 网络与信息安全学报, 2020, 6(5): 27-35.
[10]	超凡,杨智,杜学绘,孙彦. 基于深度神经网络的Android恶意软件检测方法[J]. 网络与信息安全学报, 2020, 6(5): 67-79.
[11]	李喆,韩益亮,李鱼. 基于Polar码改进的RLCE公钥加密方案[J]. 网络与信息安全学报, 2020, 6(5): 110-118.
[12]	张勖,马欣. 基于区块链的轻量化移动自组网认证方案[J]. 网络与信息安全学报, 2020, 6(4): 14-22.
[13]	钱思杰,陈立全,王诗卉. 基于改进PBFT算法的PKI跨域认证方案[J]. 网络与信息安全学报, 2020, 6(4): 37-44.
[14]	尹小康,刘鎏,刘龙,刘胜利. PPC和MIPS指令集下二进制代码中函数参数个数的识别方法[J]. 网络与信息安全学报, 2020, 6(4): 95-103.
[15]	张煜,吕锡香,邹宇聪,李一戈. 基于生成对抗网络的文本序列数据集脱敏[J]. 网络与信息安全学报, 2020, 6(4): 109-119.