通信学报 ›› 2021, Vol. 42 ›› Issue (6): 171-181.doi: 10.11959/j.issn.1000-436x.2021115

• 学术论文 • 上一篇    

基于虚拟机字节码注入的Android应用程序隐私保护机制

宋宇波1,2,3, 陈琪1,2,3, 宋睿1,2,3, 胡爱群3,4   

  1. 1 东南大学网络空间安全学院,江苏 南京 211189
    2 东南大学江苏省计算机网络技术重点实验室,江苏 南京 211189
    3 网络通信与安全紫金山实验室,江苏 南京 211189
    4 东南大学信息科学与工程学院,江苏 南京 211189
  • 修回日期:2021-03-10 出版日期:2021-06-01 发布日期:2021-06-01
  • 作者简介:宋宇波(1977− ),男,江苏无锡人,博士,东南大学副教授,主要研究方向为无线网络和移动通信安全、移动终端安全、专有数据安全、区块链安全等
    陈琪(1996− ),女,江苏泰州人,东南大学硕士生,主要研究方向为物联网流量识别、Android隐私保护等
    宋睿(1994− ),男,江苏宿迁人,东南大学硕士生,主要研究方向为移动终端安全、专有数据安全、区块链安全等
    胡爱群(1966− ),男,江苏南通人,博士,东南大学教授,主要研究方向为无线网络安全、物理层安全技术
  • 基金资助:
    国家重点研发计划基金资助项目(2020YFE0200600);江苏省网络与信息安全重点实验室基金资助项目(BM2003201)

Android application privacy protection mechanism based on virtual machine bytecode injection

Yubo SONG1,2,3, Qi CHEN1,2,3, Rui SONG1,2,3, Aiqun HU3,4   

  1. 1 School of Cyber Science and Engineering, Southeast University, Nanjing 211189, China
    2 Key Laboratory of Computer Network Technology of Jiangsu Province, Southeast University, Nanjing 211189, China
    3 Purple Mountain Laboratories, Nanjing 211189, China
    4 School of Information Science and Engineering, Southeast University, Nanjing 211189, China
  • Revised:2021-03-10 Online:2021-06-01 Published:2021-06-01
  • Supported by:
    The National Key Research and Development Program of China(2020YFE0200600);Jiangsu Province Key Laboratory of Network and Information Security(BM2003201)

摘要:

为了解决Android应用权限机制的滥用,提出了一种基于虚拟机字节码注入技术的 Android 应用程序权限访问控制方法。所提方法能够根据用户的安全需求和使用场景,生成虚拟机字节码形式的安全策略,并将其注入Android应用的涉及危险权限请求和敏感数据访问的代码单元中,从而实现动态应用行为控制。对国内4家主流应用商店爬取的应用程序进行测试,结果表明,所提方法可以对合法App的敏感API调用和危险权限请求进行有效拦截,并根据预定的安全策略实施控制,注入虚拟机字节码后的大部分App运行不受注入代码影响,稳健性得到保证,且具有较好的普适性。

关键词: 安卓安全, 隐私保护, 安全策略, 虚拟机字节码

Abstract:

To solve the abuse of the Android application permission mechanism, a method of Android application access control based on virtual machine bytecode injection technology was proposed.The security policy in the form of virtual machine bytecode was generated according to the user’s security requirement and usage scenario, and injected into the coding unit of Android application that involves dangerous permission request and sensitive data access, to realize dynamic application behavior control.Tests on applications crawled from four mainstream domestic App stores show that the method can effectively intercept sensitive API calls and dangerous permission requests of legitimate App programs and implement control according to pre-specified security policies.Also, after injecting virtual machine bytecode, most of the App program operation is not affected by the injected code, and the robustness is guaranteed.The proposed method has a good universality.

Key words: Android security, privacy protection, security strategy, virtual machine bytecode

中图分类号: 

No Suggested Reading articles found!