网络与信息安全学报 ›› 2017, Vol. 3 ›› Issue (1): 68-78.doi: 10.11959/j.issn.2096-109x.2017.00132
• 学术论文 • 上一篇
修回日期:
2016-11-15
出版日期:
2017-01-15
发布日期:
2020-03-20
作者简介:
梁蛟(1993-),女,山西忻州人,复旦大学硕士生,主要研究方向为云备份系统安全、访问控制。|刘武(1992-),男,湖南湘潭人,复旦大学硕士生,主要研究方向为云备份系统安全、访问控制。|韩伟力(1975-),男,浙江绍兴人,博士,复旦大学副教授,主要研究方向为访问控制、数字身份安全、网络与系统安全。|王晓阳(1960-),男,上海人,博士,复旦大学特聘教授、博士生导师,主要研究方向为数据库、并行式数据分析和信息安全。|甘似禹(1966-),男,江西抚州人,上海市信息投资股份有限公司大数据研究院高级工程师,主要研究方向为电子数据交换、数据质量和系统安全。|沈烁(1977-),男,辽宁阜新人,博士,中国科学院计算机网络信息中心物联网中心副主任、副研究员,主要研究方向为物联网标准体系、信息安全。
基金资助:
Jiao LIANG1,Wu LIU1,Wei-li HAN1(),Xiao-yang WANG1,Si-yu GAN2,Shuo SHEN3
Revised:
2016-11-15
Online:
2017-01-15
Published:
2020-03-20
Supported by:
摘要:
随着移动端云备份服务的日益普及,为保障用户隐私数据不被泄露,研究第三方应用调用云备份软件开发工具包(SDK,software development kit)的安全问题变得尤为重要。通过对目前国内外安卓应用市场中调用云备份服务的普遍性进行调研,总结出4个当前主流的安卓云备份SDK。分析其SDK实现代码和官方文档,对比使用情况、协议和接口功能,总结和发现了第三方应用错误调用SDK以及云备份SDK自身存在的代码安全问题,同时向第三方开发者提供了相应的解决方案。
中图分类号:
梁蛟,刘武,韩伟力,王晓阳,甘似禹,沈烁. 安卓云备份模块的代码安全问题分析[J]. 网络与信息安全学报, 2017, 3(1): 68-78.
Jiao LIANG,Wu LIU,Wei-li HAN,Xiao-yang WANG,Si-yu GAN,Shuo SHEN. Code security of mobile backup modules on the Android platform[J]. Chinese Journal of Network and Information Security, 2017, 3(1): 68-78.
[1] | BUYYA R , YEO S , VENUGOPAL S , et al. Cloud computing and emerging IT platforms: vision, hype, and reality for delivering computing as the 5th utility[J]. Future Generation Computer Sys-tems, 2009, 25 (6): 599-616. |
[2] | [EB/OL].. |
[3] | [EB/OL].. |
[4] | [EB/OL].. |
[5] | [EB/OL].. |
[6] | HAY R , PELES O . Remote exploitation of the dropbox SDK for Android[EB/OL]. . |
[7] | [EB/OL].. |
[8] | [EB/OL].. |
[9] | [EB/OL].. |
[10] | [EB/OL].. |
[11] | [EB/OL].. |
[12] | [EB/OL].. |
[13] | [EB/OL].. |
[14] | VLADIMIROVA T , BANU R , SWEETING M N , et al. On-board security services in small satellites[C]// IETF RFC. 2000. |
[15] | HARNIK D , PINKAS B , SHULMAN-PELEG A . Side channels in cloud services: deduplication in cloud storage[J]. IEEE Security&Privacy[C]. 2010, 8 (6): 40-47. |
[16] | RECORDON D , HARDT D . The OAuth 2.0 authorization frame-work[J]. Polymer, 2009, 50 (24): 5708-5712. |
[17] | GOLDBERG A , BUFF R , SCHMITT A . A comparison of HTTP and HTTPS performance[J]. Computer Measurement Group, 1998. |
[18] | SUN T , HAWKEY K , BEZNOSOV K . Systematically breaking and fixing OpenID security: formal analysis, semi-automated em-pirical evaluation, and practical countermeasures[J]. Computers&Security, 2012, 31 (4): 465-483. |
[19] | DURUMERIC Z , KASTEN J , ADRIAN D , et al. The Matter ofHeartbleed[C]// Conference on Internet Measurement, 2014: 475-488. |
[20] | 魏兴国 . HTTP 和 HTTPS 协议安全性分析[J]. 程序员, 2007 (7): 53-55. |
WEI X G , Security analysis of HTTP and HTTPS protocol[J]. The Programmer, 2007 (7): 53-55. | |
[21] | FAHL S , HARBACH M , MUDERS T , et al. Why eve and mallory love Android: an analysis of Android SSL (in)security[C]// ACM Conference on Computer and Communications Security. 2012: 50-61. |
[22] | FAHL S , HARBACH M , PERL H , et al. Rethinking SSL develop-ment in an appified world[C]// ACM Sigsac Conference on Com-puter&Communications Security. 2013: 49-60. |
[23] | PATIL M A V , KALE M N D . Survey on secure authorized de-duplication in hybrid cloud[J]. International Journal on Recent and Innovation Trends in Computing and Communication. 2014, 2 (11): 3574-3577. |
[24] | WANG X , YU H . How to break MD5 and other hash functions[C]// International Conference on Theory and Applications of Crypto-graphic Techniques. 2005: 561-561. |
[25] | PULLS T . (More) Side channels in cloud storage[M]// Privacy and Identity Management for Life. Berlin Heidelberg: Springer 2011: 102-115. |
[26] | BELLARE M , KEELVEEDHI S , RISTENPART T . DupLESS:server-aided encryption for deduplicated storage[C]// Usenix Con-ference on Security. 2013: 179-194. |
[27] | LIU J , ASOKAN N , PINKAS B . Secure deduplication of encrypted data without additional independent servers[C]// The 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, 2015: 874-885. |
[28] | XU J , CHANG E C , ZHOU J . Weak leakage-resilient client-side deduplication of encrypted data in cloud storage[C]// The 8th ACM SIGSAC Symposium on Information, Computer and Communica-tions Security. 2013: 195-206. |
[29] | 张天琪 . OAuth 协议安全性研究[J]. 信息网络安全, 2013, (3): 68-70. |
ZHANG T Q , Study on OAuth protocol security[J]. Netinfo Secu-rity, 2013 (3): 68-70. | |
[30] | HAMMER-LAHAV E . Introducing oauth 2.0[J]. Hueniverse, 2010. |
[31] | PAI S , SHARMA Y , KUMAR S , et al. Formal verification of OAuth 2.0 using alloy framework[C]// The International Conference on Communication Systems and Network Technologies. 2011: 655-659. |
[32] | CHARI S , JUTLA C S , ROY A . Universally composable security analysis of OAuth v2.0.[J]. Iacr Cryptology Eprint Archive, 2011. |
[33] | SLACK Q , FROSTIG R . OAuth 2.0 implicit grant flow analysis using Murphi[J]. |
[34] | ALESSANDRI T , BESCHI D , CASCIARO S , et al. The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems[C]// ACM Conference on Computer and Communications Security. 2012: 378-390. |
[35] | MCGLOIN M , HUNT P , OAuth 2.0 Threat model and security considerations[J]. Internet Engineering Task Force (IETF) RFC, 2013: |
[36] | KIANI K . How to secure your oauth implementation[EB/OL]. KIANI K . How to secure your oauth implementation[EB/OL]. . |
[37] | WANG R , ZHOU Y , CHEN S , et al. Explicating SDKS: uncovering assumptions underlying secure authentication and authoriza-tion[C]// Presented as Part of the 22nd USENIX Security Sympo-sium. 2013: 399-314. |
[38] | CHEN E Y , PEI Y , CHEN S , et al. Oauth demystified for mobile application developers[C]// The 2014 ACM SIGSAC Conference on Computer and Communications Security. ACM. 2014: 892-903. |
[39] | WANG H , ZHANG Y , LI J , et al. Vulnerability assessment of oauth implementations in android applications[C]// The 31st Annual Computer Security Applications Conference. ACM. 2015: 61-70. |
[40] | [EB/OL].. |
[41] | [EB/OL].. |
[42] | FERNANDES D A B , SOARES L F B , GOMES J V , et al. Security issues in cloud environments: a survey[J]. International Journal of Information Security, 2013, 13 (2): 113-170. |
[43] | SUBASHINI S , KAVITHA V . A survey on security issues in ser-vice delivery models of cloud computing[J]. Journal of Network&Computer Applications, 2011, 35 (1): 1-11. |
[44] | CHOW R , GOLLE P , JAKOBSSON M , et al. Controlling data in the cloud: outsourcing computation without outsourcing control[J]. ACM Workshop on Cloud Computing Security, 2009: 85-90. |
[45] | ATENIESE G , BURNS R , CURTMOLA R , et al. Provable data possession at untrusted stores[C]// ACM Conference on Computer and Communications Security. ACM, 2007: 598-609. |
[46] | JUELS A , KALISKI B S . Pors: proofs of retrievability for large files[C]// ACM Conference on Computer and Communications Se-curity. ACM, 2007: 584-597. |
[47] | BOWERS K D , JUELS A , OPREA A . Proofs of retrievability:theory and implementation[C]// ACM Cloud Computing Security Workshop 2009: 43-54. |
[48] | ATENIESE G , PIETRO R D , MANCINI L V , et al. Scalable and effi-cient provable data possession.[C]// The 4th International Conference on Security and Privacy in Communication Networks. 2008: 1-10. |
[49] | ERWAY C C , PAPAMANTHOU C , TAMASSIA R . Dynamic provable data possession[J]. ACM Transactions on Information&System Security. 2009, 17 (4): 213-222. |
[50] | QUINLAN S , DORWARD S . Venti: a new approach to archival storage[C]// The Conference on File and Storage Technologies. USENIX Association. 2002: 89-101. |
[51] | DOUCEUR J R , ADYA A , BOLOSKY W J , et al. Reclaiming space from duplicate files in a serverless distributed file system[C]// The International Conference on Distributed Computing Systems. 2002: 617-624. |
[52] | BELLARE M , KEELVEEDHI S . Interactive message-locked en-cryption and secure deduplication[M]// Public-Key Cryptography-PKC 2015. Berlin Heidelberg: Springer 2015: 516-538. |
[53] | MULAZZANI M , SCHRITTWIESER S , LEITHNER M , et al. Dark clouds on the horizon: using cloud storage as attack vector and online slack space[C]// USENIX Security. 2011: 5. |
[54] | [EB/OL].. |
[1] | 王艺龙, 李震宇, 巩道福, 刘粉林. 基于块邻域的图像双脆弱水印算法[J]. 网络与信息安全学报, 2023, 9(3): 38-48. |
[2] | 陈任峰, 朱鸿斌. 基于PU learning的信用卡交易安全监管研究[J]. 网络与信息安全学报, 2023, 9(3): 73-78. |
[3] | 冯冠云, 付才, 吕建强, 韩兰胜. 基于操作注意力和数据增强的内部威胁检测[J]. 网络与信息安全学报, 2023, 9(3): 102-112. |
[4] | 谢根琳, 程国振, 王亚文, 王庆丰. 基于gadget特征分析的软件多样性评估方法[J]. 网络与信息安全学报, 2023, 9(3): 161-173. |
[5] | 侯鹏, 李智鑫, 张飞, 孙旭, 陈丹, 崔毅浩, 张寒冰, 荆一楠, 柴洪峰. 金融数据安全治理智能化技术与实践[J]. 网络与信息安全学报, 2023, 9(3): 174-187. |
[6] | 肖敏, 毛发英, 黄永洪, 曹云飞. 基于属性签名的车载网匿名信任管理方案[J]. 网络与信息安全学报, 2023, 9(2): 33-45. |
[7] | 许建龙, 林健, 黎宇森, 熊智. 分布式用户隐私保护可调节的云服务个性化QoS预测模型[J]. 网络与信息安全学报, 2023, 9(2): 70-80. |
[8] | 陈训逊, 李明哲, 吕宁, 黄亮. 内禀安全:网络安全能力体系化构建方法[J]. 网络与信息安全学报, 2023, 9(1): 92-102. |
[9] | 宋佳烁, 李祯祯, 丁海洋, 李子臣. 椭圆曲线上高效可完全模拟的不经意传输协议[J]. 网络与信息安全学报, 2023, 9(1): 158-166. |
[10] | 李凤华, 李晖, 牛犇, 邱卫东. 隐私计算的学术内涵与研究趋势[J]. 网络与信息安全学报, 2022, 8(6): 1-8. |
[11] | 唐飞, 甘宁, 阳祥贵, 王金洋. 基于区块链与国密SM9的抗恶意KGC无证书签名方案[J]. 网络与信息安全学报, 2022, 8(6): 9-19. |
[12] | 白雪, 秦宝东, 郭瑞, 郑东. 基于SM2的两方协作盲签名协议[J]. 网络与信息安全学报, 2022, 8(6): 39-51. |
[13] | 刘军, 袁霖, 冯志尚. 集群网络密钥管理方案研究综述[J]. 网络与信息安全学报, 2022, 8(6): 52-69. |
[14] | 肖敏, 姚涛, 刘媛妮, 黄永洪. 具有隐私保护的动态高效车载云管理方案[J]. 网络与信息安全学报, 2022, 8(6): 70-83. |
[15] | 林佳滢, 周文柏, 张卫明, 俞能海. 空域频域相结合的唇型篡改检测方法[J]. 网络与信息安全学报, 2022, 8(6): 146-155. |
阅读次数 | ||||||
全文 |
|
|||||
摘要 |
|
|||||
|