面向服务端私有Web API的自动发现技术研究

doi:10.11959/j.issn.2096-109x.2016.00134

网络与信息安全学报 ›› 2016, Vol. 2 ›› Issue (12): 27-38.doi: 10.11959/j.issn.2096-109x.2016.00134

面向服务端私有Web API的自动发现技术研究

陈佳¹,郭山清^1,²

¹ 山东大学计算机科学与技术学院，山东济南 250101
² 山东大学教育部直属密码学和信息安全重点实验室，山东济南 250101

修回日期:2015-12-05 出版日期:2016-12-01 发布日期:2016-12-28
作者简介:陈佳（1993-），男，福建福州人，山东大学硕士生，主要研究方向为移动安全。|郭山清（1976-），男，山东滨州人，山东大学副教授、博士生导师，主要研究方向为应用安全、网络安全。
基金资助:
国家自然科学基金资助项目(91546203);山东省重点研发计划基金资助项目(2015GGE27033);山东省自主创新及成果转化专项基金资助项目(2014CGZH1106);山东省自然基金面上资助项目(ZR2014FM020)

Toward discovering and exploiting private server-side Web API

Jia CHEN¹,Shan-qing1 GUO^1,²

¹ School of Computer Science and Technology,Shandong University,Jinan 250101,China
² Key Laboratory of Cryptologic Technology and Information Security,Ministry of Education,Shandong University,Jinan 250101,China

Revised:2015-12-05 Online:2016-12-01 Published:2016-12-28
Supported by:
TheNationalNaturalScienceFoundationofChina(91546203);The Key Science Technology Project of Shandong Province(2015GGE27033);The Independent Innovation Foundation of Shandong Province(2014CGZH1106);The Independent Innovation Foundation of Shandong Province(ZR2014FM020)

摘要/Abstract

摘要：

移动应用和服务器交互的接口大多都采用Web API进行通信，但这些移动应用所引入的Web API会带来一些新的安全问题。为方便研究这些Web API的安全问题，在常规的Android程序测试框架的基础上，设计并实现了一个自动发现APK中面向服务器端Web API接口的系统，该系统有助于开展对服务器端私有Web API接口方面的安全研究。

关键词: WebAPI, 安卓应用, 静态分析, 动态分析

Abstract:

Most of the interfaces for mobile application and server interaction use the Web API for communication,but the Web API introduced by these mobile applications may introduce new security issues.To facilitate the study of the security of Web API,a system for automatically discovering the server-side Web API interface in APK files based on the conventional Android program testing framework was designed and implemented.This system can help to develop the research on private server-side Web API interface security.

Key words: Web API, Android App, static analysis, dynamic analysis

中图分类号:

TP393

陈佳,郭山清. 面向服务端私有Web API的自动发现技术研究[J]. 网络与信息安全学报, 2016, 2(12): 27-38.

Jia CHEN,Shan-qing1 GUO. Toward discovering and exploiting private server-side Web API[J]. Chinese Journal of Network and Information Security, 2016, 2(12): 27-38.

图/表 8

图1

图2

图3

图4

图5

图6

图7

图8

参考文献 23

[1]	BOSOMWORTH D . Mobile marketing statistics compilation[EB/OL]. .
[2]	SOUNTHIRARAJ D , SAHS J , GREENWOOD , et al. SMV-HUNTER:large scale,automated detection of SSL/TLS man-in-the-middle vulnerabilities in Android App[C]//The 21st Annual Network and Distributed System Security Symposium.
[3]	LU L , LI Z , WU Z , et al. Chex:statically vetting android apps for component hijacking vulnerabilities[C]//The 2012 ACM conference on Computer and communications security. 2012:229-240.
[4]	ENCK W , GILBERT P , CHUN B G , et al. Taintdroid:an informa-tion-flow tracking system for realtime privacy monitoring on smartphones[C]//The 9th Usenix Conference on Operating Systems Design and Implementation. 2016:1-6.
[5]	FAHL S , HARBACH M , MUDERS T , et al. Why eve and mallory love Android:an analysis of Android SSL (in) security[C]//The 2012 ACM Conference on Computer and Communications Security. 2012:50-61.
[6]	CAI F , CHEN H , WU Y , et al. Appcracker:widespread vulnerabili-ties in user and session authentication in mobile Apps[C]//Mobile Security Technologies Workshop. 2015.
[7]	DEVELOPERS A . Transmitting network data using volley[EB/OL]. .
[8]	YANG W , PRASAD M R , XIE T . A grey-box approach for mated GUI-model generation of mobile applications[C]//In Fun-damental Approaches to Software Engineering. 2013:250-265.
[9]	AMALFITANO D , FASOLINO A R , TRAMONTANA P , et al. Using GUI ripping for automated testing of Android applica-tions[C]//The 27th IEEE/ACM International Conference on Auto-mated Software Engineering. 2012:258-261.
[10]	HAO S , LIU B , NATH S , et al. PUMA:programmable UI-automation for large-scale dynamic analysis of mobile Apps[C]//The 12th Annual International Conference on Mobile Systems,Applications,and Services. 2014:204-217.
[11]	CHOUDHARY S R , GORLA A , ORSO A . Automated test input generation for Android:are we there yet?[C]//ArXiv Preprint ArXiv:1503. 2015.
[12]	WEB SECURITY P . Burp suite[EB/OL]. .
[13]	EGELE M , KRUEGEL C , KIRDA E , et al. PiOS:detecting privacy leaks in iOS applications[C]//Network and Distributed System Se-curity Symposium (NDSS). 2011.
[14]	ARZT S , RASTHOFER S , FRITZ C , et al. Flowdroid:precise context,flow,field,object-sensitive and lifecycle-aware taint analy-sis for android Apps [C]//ACM SIGPLAN Notices. 2014:259-269.
[15]	WEI F , ROY S , OU X , et al. Amandroid:a precise and general inter-component data flow analysis framework for security vetting of android Apps[C]//The 2014 ACM Sigsac Conference on Com-puter and Communications Security. 2014:1329-1341.
[16]	CUI X , WANG J , HUI L C , et al. Wechecker:efficient and precise detection of privilege escalation vulnerabilities in android Apps[C]//The 8th ACM Conference on Security＆ Privacy in Wireless and Mo-bile Networks. 2015:25.
[17]	CUI X , YU D , CHAN P , et al. Cochecker:detecting capability and sensitive data leaks from component chains in an-droid[C]//Information Security and Privacy. 2014:446-453.
[18]	LUO T , HAO H , DU W , et al. Attacks on WebView in the Android system[C]//The 27th Annual Computer Security Applications Conference. 2011:343-352.
[19]	CHAOSHUN Z , WUBING W , RUI W , et al. Automatic forgery of cryptographically consistent messages to identify security vulner-abilities in mobile services[C]//The 23rd ISOC Network and Dis-tributed System Security Symposium (NDSS). 2016.
[20]	MACHIRY A , TAHILIANI R , NAIK M Dynodroid:an input gen-eration system for Android Apps[C]//The 9th Joint Meetingon Foundations of Software Engineering. 2013:224-234.
[21]	.
[22]	ANAND S , NAIK M , HARROLD M J , et al. Automated concolic testing of smartphone Apps[C]//The ACM Sigsoft 20th Interna-tional Symposium on the Foundations of Software Engineering. 2012:59.
[23]	MAHMOOD R , MIRZAEI N , MALEK S . EvoDroid:segmented evolutionary testing of android Apps[C]//The 22nd ACM Sigsoft International Symposium on Foundations of Software. 2014:599-609.

面向服务端私有Web API的自动发现技术研究

Toward discovering and exploiting private server-side Web API

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 8

参考文献 23

相关文章 9

Metrics

推荐阅读 0

[1]	超凡, 杨智, 杜学绘, 韩冰. 基于多因素聚类选择的Android应用程序分类风险评估方法[J]. 网络与信息安全学报, 2021, 7(2): 161-173.
[2]	周天昱,申文博,杨男子,李金库,秦承刚,喻望. Docker组件间标准输入输出复制的DoS攻击分析[J]. 网络与信息安全学报, 2020, 6(6): 45-56.
[3]	超凡,杨智,杜学绘,孙彦. 基于深度神经网络的Android恶意软件检测方法[J]. 网络与信息安全学报, 2020, 6(5): 67-79.
[4]	尹小康,刘鎏,刘龙,刘胜利. PPC和MIPS指令集下二进制代码中函数参数个数的识别方法[J]. 网络与信息安全学报, 2020, 6(4): 95-103.
[5]	肖达,刘博寒,崔宝江,王晓晨,张索星. 基于程序基因的恶意程序预测技术[J]. 网络与信息安全学报, 2018, 4(8): 21-30.
[6]	张东,张尧,刘刚,宋桂香. 基于机器学习算法的主机恶意代码检测技术研究[J]. 网络与信息安全学报, 2017, 3(7): 25-32.
[7]	叶益林,周振吉,洪征,颜慧颖,吴礼发. 基于静态分析的Android应用事件输入生成方法[J]. 网络与信息安全学报, 2017, 3(6): 21-32.
[8]	孙博文,黄炎裔,温俏琨,田斌,吴鹏,李祺. 基于静态多特征融合的恶意软件分类方法[J]. 网络与信息安全学报, 2017, 3(11): 68-76.
[9]	邢月秀,胡爱群,王永剑,赵然. 多维度iOS隐私泄露评估模型研究[J]. 网络与信息安全学报, 2016, 2(4): 73-79.