面向服务端私有Web API的自动发现技术研究

doi:10.11959/j.issn.2096-109x.2016.00134

Abstract

Abstract:

Most of the interfaces for mobile application and server interaction use the Web API for communication,but the Web API introduced by these mobile applications may introduce new security issues.To facilitate the study of the security of Web API,a system for automatically discovering the server-side Web API interface in APK files based on the conventional Android program testing framework was designed and implemented.This system can help to develop the research on private server-side Web API interface security.

Key words: Web API, Android App, static analysis, dynamic analysis

CLC Number:

TP393

Jia CHEN,Shan-qing1 GUO. Toward discovering and exploiting private server-side Web API[J]. Chinese Journal of Network and Information Security, 2016, 2(12): 27-38.

Figures/Tables 8

References 23

[1]	BOSOMWORTH D . Mobile marketing statistics compilation[EB/OL]. .
[2]	SOUNTHIRARAJ D , SAHS J , GREENWOOD , et al. SMV-HUNTER:large scale,automated detection of SSL/TLS man-in-the-middle vulnerabilities in Android App[C]//The 21st Annual Network and Distributed System Security Symposium.
[3]	LU L , LI Z , WU Z , et al. Chex:statically vetting android apps for component hijacking vulnerabilities[C]//The 2012 ACM conference on Computer and communications security. 2012:229-240.
[4]	ENCK W , GILBERT P , CHUN B G , et al. Taintdroid:an informa-tion-flow tracking system for realtime privacy monitoring on smartphones[C]//The 9th Usenix Conference on Operating Systems Design and Implementation. 2016:1-6.
[5]	FAHL S , HARBACH M , MUDERS T , et al. Why eve and mallory love Android:an analysis of Android SSL (in) security[C]//The 2012 ACM Conference on Computer and Communications Security. 2012:50-61.
[6]	CAI F , CHEN H , WU Y , et al. Appcracker:widespread vulnerabili-ties in user and session authentication in mobile Apps[C]//Mobile Security Technologies Workshop. 2015.
[7]	DEVELOPERS A . Transmitting network data using volley[EB/OL]. .
[8]	YANG W , PRASAD M R , XIE T . A grey-box approach for mated GUI-model generation of mobile applications[C]//In Fun-damental Approaches to Software Engineering. 2013:250-265.
[9]	AMALFITANO D , FASOLINO A R , TRAMONTANA P , et al. Using GUI ripping for automated testing of Android applica-tions[C]//The 27th IEEE/ACM International Conference on Auto-mated Software Engineering. 2012:258-261.
[10]	HAO S , LIU B , NATH S , et al. PUMA:programmable UI-automation for large-scale dynamic analysis of mobile Apps[C]//The 12th Annual International Conference on Mobile Systems,Applications,and Services. 2014:204-217.
[11]	CHOUDHARY S R , GORLA A , ORSO A . Automated test input generation for Android:are we there yet?[C]//ArXiv Preprint ArXiv:1503. 2015.
[12]	WEB SECURITY P . Burp suite[EB/OL]. .
[13]	EGELE M , KRUEGEL C , KIRDA E , et al. PiOS:detecting privacy leaks in iOS applications[C]//Network and Distributed System Se-curity Symposium (NDSS). 2011.
[14]	ARZT S , RASTHOFER S , FRITZ C , et al. Flowdroid:precise context,flow,field,object-sensitive and lifecycle-aware taint analy-sis for android Apps [C]//ACM SIGPLAN Notices. 2014:259-269.
[15]	WEI F , ROY S , OU X , et al. Amandroid:a precise and general inter-component data flow analysis framework for security vetting of android Apps[C]//The 2014 ACM Sigsac Conference on Com-puter and Communications Security. 2014:1329-1341.
[16]	CUI X , WANG J , HUI L C , et al. Wechecker:efficient and precise detection of privilege escalation vulnerabilities in android Apps[C]//The 8th ACM Conference on Security＆ Privacy in Wireless and Mo-bile Networks. 2015:25.
[17]	CUI X , YU D , CHAN P , et al. Cochecker:detecting capability and sensitive data leaks from component chains in an-droid[C]//Information Security and Privacy. 2014:446-453.
[18]	LUO T , HAO H , DU W , et al. Attacks on WebView in the Android system[C]//The 27th Annual Computer Security Applications Conference. 2011:343-352.
[19]	CHAOSHUN Z , WUBING W , RUI W , et al. Automatic forgery of cryptographically consistent messages to identify security vulner-abilities in mobile services[C]//The 23rd ISOC Network and Dis-tributed System Security Symposium (NDSS). 2016.
[20]	MACHIRY A , TAHILIANI R , NAIK M Dynodroid:an input gen-eration system for Android Apps[C]//The 9th Joint Meetingon Foundations of Software Engineering. 2013:224-234.
[21]	.
[22]	ANAND S , NAIK M , HARROLD M J , et al. Automated concolic testing of smartphone Apps[C]//The ACM Sigsoft 20th Interna-tional Symposium on the Foundations of Software Engineering. 2012:59.
[23]	MAHMOOD R , MIRZAEI N , MALEK S . EvoDroid:segmented evolutionary testing of android Apps[C]//The 22nd ACM Sigsoft International Symposium on Foundations of Software. 2014:599-609.

Metrics

Recommended 0

No Suggested Reading articles found!

Toward discovering and exploiting private server-side Web API

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 8

References 23

Related Articles 10

Metrics

Recommended 0

[1]	Fan CHAO, Zhi YANG, Xuehui DU, Bing HAN. Classified risk assessment method of Android application based on multi-factor clustering selection [J]. Chinese Journal of Network and Information Security, 2021, 7(2): 161-173.
[2]	Tianyu ZHOU,Wenbo SHEN,Nanzi YANG,Jinku LI,Chenggang QIN,Wang YU. Analysis of DoS attacks on Docker inter-component stdio copy [J]. Chinese Journal of Network and Information Security, 2020, 6(6): 45-56.
[3]	Fan CHAO,Zhi YANG,Xuehui DU,Yan SUN. Android malware detection method based on deep neural network [J]. Chinese Journal of Network and Information Security, 2020, 6(5): 67-79.
[4]	Xiaokang YIN,Liu LIU,Long LIU,Shengli LIU. Function argument number identification in stripped binary under PPC and MIPS instruction set [J]. Chinese Journal of Network and Information Security, 2020, 6(4): 95-103.
[5]	Da XIAO,Bohan LIU,Baojiang CUI,Xiaochen WANG,Suoxing ZHANG. Malware prediction technique based on program gene [J]. Chinese Journal of Network and Information Security, 2018, 4(8): 21-30.
[6]	Dong ZHANG,Yao ZHANG,Gang LIU,Gui-xiang SONG. Research on host malcode detection using machine learning [J]. Chinese Journal of Network and Information Security, 2017, 3(7): 25-32.
[7]	Hui-ying YAN,Zhen-ji ZHOU,Li-fa WU,Zheng HONG,He SUN. Symbolic execution based control flow graph extraction method for Android native codes [J]. Chinese Journal of Network and Information Security, 2017, 3(7): 33-46.
[8]	Yi-lin YE,Zhen-ji ZHOU,Zheng HONG,Hui-ying YAN,Li-fa WU. Static-analysis-based event input generation approach for Android application [J]. Chinese Journal of Network and Information Security, 2017, 3(6): 21-32.
[9]	Bo-wen SUN,Yan-yi HUANG,Qiao-kun WEN,Bin TIAN,Peng WU,Qi LI. Malware classification method based on static multiple-feature fusion [J]. Chinese Journal of Network and Information Security, 2017, 3(11): 68-76.
[10]	Yue-xiu XING,Ai-qun HU,Yong-jian WANG,Ran ZHAO. Research on multi-dimensional iOS privacy disclosure evaluation model [J]. Chinese Journal of Network and Information Security, 2016, 2(4): 73-79.