安卓云备份模块的代码安全问题分析

doi:10.11959/j.issn.2096-109x.2017.00132

Abstract

Abstract:

Since more and more third-party Android applications integrate backup services, the security issues of mobile backup modules are critical. By studying how widely these backup services were being used in the Android applications, the differences of code security about four mainstream Android backup SDK were investigated. After analyzing and comparing the usages, protocols and API functions of these SDK. Based on the above findings and three reported security issues of mobile backup services, the countermeasures for third-party application developers were suggested to securely call the SDK of mobile backup services.

Key words: mobile cloud storage, code security, backup services, SDK

CLC Number:

TP309

Jiao LIANG,Wu LIU,Wei-li HAN,Xiao-yang WANG,Si-yu GAN,Shuo SHEN. Code security of mobile backup modules on the Android platform[J]. Chinese Journal of Network and Information Security, 2017, 3(1): 68-78.

Figures/Tables 5

References 54

[1]	BUYYA R , YEO S , VENUGOPAL S , et al. Cloud computing and emerging IT platforms: vision, hype, and reality for delivering computing as the 5th utility[J]. Future Generation Computer Sys-tems, 2009, 25 (6): 599-616.
[2]	[EB/OL]..
[3]	[EB/OL]..
[4]	[EB/OL]..
[5]	[EB/OL]..
[6]	HAY R , PELES O . Remote exploitation of the dropbox SDK for Android[EB/OL]. .
[7]	[EB/OL]..
[8]	[EB/OL]..
[9]	[EB/OL]..
[10]	[EB/OL]..
[11]	[EB/OL]..
[12]	[EB/OL]..
[13]	[EB/OL]..
[14]	VLADIMIROVA T , BANU R , SWEETING M N , et al. On-board security services in small satellites[C]// IETF RFC. 2000.
[15]	HARNIK D , PINKAS B , SHULMAN-PELEG A . Side channels in cloud services: deduplication in cloud storage[J]. IEEE Security＆Privacy[C]. 2010, 8 (6): 40-47.
[16]	RECORDON D , HARDT D . The OAuth 2.0 authorization frame-work[J]. Polymer, 2009, 50 (24): 5708-5712.
[17]	GOLDBERG A , BUFF R , SCHMITT A . A comparison of HTTP and HTTPS performance[J]. Computer Measurement Group, 1998.
[18]	SUN T , HAWKEY K , BEZNOSOV K . Systematically breaking and fixing OpenID security: formal analysis, semi-automated em-pirical evaluation, and practical countermeasures[J]. Computers＆Security, 2012, 31 (4): 465-483.
[19]	DURUMERIC Z , KASTEN J , ADRIAN D , et al. The Matter ofHeartbleed[C]// Conference on Internet Measurement, 2014: 475-488.
[20]	魏兴国 . HTTP 和 HTTPS 协议安全性分析[J]. 程序员， 2007 (7): 53-55.
	WEI X G , Security analysis of HTTP and HTTPS protocol[J]. The Programmer, 2007 (7): 53-55.
[21]	FAHL S , HARBACH M , MUDERS T , et al. Why eve and mallory love Android: an analysis of Android SSL (in)security[C]// ACM Conference on Computer and Communications Security. 2012: 50-61.
[22]	FAHL S , HARBACH M , PERL H , et al. Rethinking SSL develop-ment in an appified world[C]// ACM Sigsac Conference on Com-puter＆Communications Security. 2013: 49-60.
[23]	PATIL M A V , KALE M N D . Survey on secure authorized de-duplication in hybrid cloud[J]. International Journal on Recent and Innovation Trends in Computing and Communication. 2014, 2 (11): 3574-3577.
[24]	WANG X , YU H . How to break MD5 and other hash functions[C]// International Conference on Theory and Applications of Crypto-graphic Techniques. 2005: 561-561.
[25]	PULLS T . (More) Side channels in cloud storage[M]// Privacy and Identity Management for Life. Berlin Heidelberg: Springer 2011: 102-115.
[26]	BELLARE M , KEELVEEDHI S , RISTENPART T . DupLESS:server-aided encryption for deduplicated storage[C]// Usenix Con-ference on Security. 2013: 179-194.
[27]	LIU J , ASOKAN N , PINKAS B . Secure deduplication of encrypted data without additional independent servers[C]// The 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, 2015: 874-885.
[28]	XU J , CHANG E C , ZHOU J . Weak leakage-resilient client-side deduplication of encrypted data in cloud storage[C]// The 8th ACM SIGSAC Symposium on Information, Computer and Communica-tions Security. 2013: 195-206.
[29]	张天琪 . OAuth 协议安全性研究[J]. 信息网络安全， 2013, (3): 68-70.
	ZHANG T Q , Study on OAuth protocol security[J]. Netinfo Secu-rity, 2013 (3): 68-70.
[30]	HAMMER-LAHAV E . Introducing oauth 2.0[J]. Hueniverse, 2010.
[31]	PAI S , SHARMA Y , KUMAR S , et al. Formal verification of OAuth 2.0 using alloy framework[C]// The International Conference on Communication Systems and Network Technologies. 2011: 655-659.
[32]	CHARI S , JUTLA C S , ROY A . Universally composable security analysis of OAuth v2.0.[J]. Iacr Cryptology Eprint Archive, 2011.
[33]	SLACK Q , FROSTIG R . OAuth 2.0 implicit grant flow analysis using Murphi[J].
[34]	ALESSANDRI T , BESCHI D , CASCIARO S , et al. The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems[C]// ACM Conference on Computer and Communications Security. 2012: 378-390.
[35]	MCGLOIN M , HUNT P , OAuth 2.0 Threat model and security considerations[J]. Internet Engineering Task Force (IETF) RFC, 2013:
[36]	KIANI K . How to secure your oauth implementation[EB/OL]. KIANI K . How to secure your oauth implementation[EB/OL]. .
[37]	WANG R , ZHOU Y , CHEN S , et al. Explicating SDKS: uncovering assumptions underlying secure authentication and authoriza-tion[C]// Presented as Part of the 22nd USENIX Security Sympo-sium. 2013: 399-314.
[38]	CHEN E Y , PEI Y , CHEN S , et al. Oauth demystified for mobile application developers[C]// The 2014 ACM SIGSAC Conference on Computer and Communications Security. ACM. 2014: 892-903.
[39]	WANG H , ZHANG Y , LI J , et al. Vulnerability assessment of oauth implementations in android applications[C]// The 31st Annual Computer Security Applications Conference. ACM. 2015: 61-70.
[40]	[EB/OL]..
[41]	[EB/OL]..
[42]	FERNANDES D A B , SOARES L F B , GOMES J V , et al. Security issues in cloud environments: a survey[J]. International Journal of Information Security, 2013, 13 (2): 113-170.
[43]	SUBASHINI S , KAVITHA V . A survey on security issues in ser-vice delivery models of cloud computing[J]. Journal of Network＆Computer Applications, 2011, 35 (1): 1-11.
[44]	CHOW R , GOLLE P , JAKOBSSON M , et al. Controlling data in the cloud: outsourcing computation without outsourcing control[J]. ACM Workshop on Cloud Computing Security, 2009: 85-90.
[45]	ATENIESE G , BURNS R , CURTMOLA R , et al. Provable data possession at untrusted stores[C]// ACM Conference on Computer and Communications Security. ACM, 2007: 598-609.
[46]	JUELS A , KALISKI B S . Pors: proofs of retrievability for large files[C]// ACM Conference on Computer and Communications Se-curity. ACM, 2007: 584-597.
[47]	BOWERS K D , JUELS A , OPREA A . Proofs of retrievability:theory and implementation[C]// ACM Cloud Computing Security Workshop 2009: 43-54.
[48]	ATENIESE G , PIETRO R D , MANCINI L V , et al. Scalable and effi-cient provable data possession.[C]// The 4th International Conference on Security and Privacy in Communication Networks. 2008: 1-10.
[49]	ERWAY C C , PAPAMANTHOU C , TAMASSIA R . Dynamic provable data possession[J]. ACM Transactions on Information＆System Security. 2009, 17 (4): 213-222.
[50]	QUINLAN S , DORWARD S . Venti: a new approach to archival storage[C]// The Conference on File and Storage Technologies. USENIX Association. 2002: 89-101.
[51]	DOUCEUR J R , ADYA A , BOLOSKY W J , et al. Reclaiming space from duplicate files in a serverless distributed file system[C]// The International Conference on Distributed Computing Systems. 2002: 617-624.
[52]	BELLARE M , KEELVEEDHI S . Interactive message-locked en-cryption and secure deduplication[M]// Public-Key Cryptography-PKC 2015. Berlin Heidelberg: Springer 2015: 516-538.
[53]	MULAZZANI M , SCHRITTWIESER S , LEITHNER M , et al. Dark clouds on the horizon: using cloud storage as attack vector and online slack space[C]// USENIX Security. 2011: 5.
[54]	[EB/OL]..

Metrics

Recommended 0

No Suggested Reading articles found!

云备份服务	Google Play	酷安网
云备份服务	应用个数/个应用比例	应用个数/个	应用比例
Dropbox	122.79％	49	9.80％
Google Drive	153.49％	30	6.00％
OneDrive	40.93％	11	2.20％
百度云	00.00％	3	0.60％

云备份服务	Dropbox	Google Drive	OneDrive	百度云
文件管理特性	有	有	有	有
配额管理特性	有	有	有	有
批量处理特性	无	无	无	有
高级功能特性	无	无	无	有

云备份服务	通信协议	加密协议	去重协议	授权协议
Dropbox	HTTPS	无	无	OAuth 1.0/2.0
Google Drive	HTTPS	无	无	OAuth 2.0
OneDrive	HTTPS	无	无	OAuth 2.0
百度云	HTTPS	无	基于源的去重	OAuth 2.0

Code security of mobile backup modules on the Android platform

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 5

References 54

Related Articles 15

Metrics

Recommended 0

[1]	Yilong WANG, Zhenyu LI, Daofu GONG, Fenlin LIU. Image double fragile watermarking algorithm based on block neighborhood [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 38-48.
[2]	Renfeng CHEN, Hongbin ZHU. Research on credit card transaction security supervision based on PU learning [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 73-78.
[3]	Guanyun FENG, Cai FU, Jianqiang LYU, Lansheng HAN. Insider threat detection based on operational attention and data augmentation [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 102-112.
[4]	Genlin XIE, Guozhen CHENG, Yawen WANG, Qingfeng WANG. Software diversity evaluating method based on gadget feature analysis [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 161-173.
[5]	Peng HOU, Zhixin LI, Fei ZHANG, Xu SUN, Dan CHEN, Yihao CUI, Hanbing ZHANG, Yinan JIN, Hongfeng CHAI. Technology and practice of intelligent governance for financial data security [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 174-187.
[6]	Min XIAO, Faying MAO, Yonghong HUANG, Yunfei CAO. Anonymous trust management scheme of VANET based on attribute signature [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 33-45.
[7]	Jianlong XU, Jian LIN, Yusen LI, Zhi XIONG. Distributed user privacy preserving adjustable personalized QoS prediction model for cloud services [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 70-80.
[8]	Xunxun CHEN, Mingzhe LI, Ning LYU, Liang HUANG. Intrinsic assurance: a systematic approach towards extensible cybersecurity [J]. Chinese Journal of Network and Information Security, 2023, 9(1): 92-102.
[9]	Jiashuo SONG, Zhenzhen LI, Haiyang DING, Zichen LI. Efficient and fully simulated oblivious transfer protocol on elliptic curve [J]. Chinese Journal of Network and Information Security, 2023, 9(1): 158-166.
[10]	Fenghua LI, Hui LI, Ben NIU, Weidong QIU. Academic connotation and research trends of privacy computing [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 1-8.
[11]	Fei TANG, Ning GAN, Xianggui YANG, Jinyang WANG. Anti malicious KGC certificateless signature scheme based on blockchain and domestic cryptographic SM9 [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 9-19.
[12]	Xue BAI, Baodong QIN, Rui GUO, Dong ZHENG. Two-party cooperative blind signature based on SM2 [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 39-51.
[13]	Jun LIU, Lin YUAN, Zhishang FENG. Survey of key management schemes for cluster networks [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 52-69.
[14]	Min XIAO, Tao YAO, Yuanni LIU, Yonghong HUANG. Dynamic and efficient vehicular cloud management scheme with privacy protection [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 70-83.
[15]	Jiaying LIN, Wenbo ZHOU, Weiming ZHANG, Nenghai YU. Lip forgery detection via spatial-frequency domain combination [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 146-155.