基于TaintDroid扩展的WebView隐私泄露检测

doi:10.3969/j.issn.1000-3428.2016.10.030

计算机工程

基于TaintDroid扩展的WebView隐私泄露检测

王伟平,林漫涛,李天明,吴伟

(中南大学信息科学与工程学院,长沙 410083)

收稿日期:2015-11-23 出版日期:2016-10-15 发布日期:2016-10-15
作者简介:王伟平(1969—),女,教授,主研方向为虚拟化安全、Web安全;林漫涛、李天明、吴伟,硕士研究生。
基金资助:
国家自然科学基金资助项目(61173169)。

Privacy Leakage Detection of WebView Based on TaintDroid Extension

WANG Weiping,LIN Mantao,LI Tianming,WU Wei

(School of Information Science and Engineering,Central South University,Changsha 410083,China)

Received:2015-11-23 Online:2016-10-15 Published:2016-10-15

摘要/Abstract

摘要： 针对Android应用程序与WebView交互可能导致隐私泄露的问题,分析WebView的2个隐私泄露主要通道addJavascriptInterface和loadUrl,提出一种扩展TaintDroid的数据流跟踪框架WTD。WTD扩展了Android源码中的addJavascriptInterface和敏感API,在敏感API中利用Java函数栈执行跟踪机制记录系统中的函数调用层次关系,从而判断addJavascriptInterface注册对象是否访问敏感API,同时增加loadUrl加载页面参数的污点检测。实验结果表明,WTD能有效检测WebView引起的隐私数据泄露。

关键词: Android平台, WebView组件, 隐私泄露, 数据流跟踪, 污点检测

Abstract: Interaction between Android application program and WebView will lead to privacy leakage.Aiming at the problem,this paper analyzes two privacy leakage channel of WebView,addJavascriptInterface and loadUrl,and proposes a data flow tracking framework of extended WebView,named WebView Tainted Detection(WTD).WTD extends the addJavascriptInterface and sensitive API in the Android source code.In sensitive API,Java function stack executes trace mechanism to record function hierarchy call relation in the system to detect whether the addJavascriptInterface registering objects accessed Android privacy API.Besides,WTD increases the taint detection of loadUrl loading page parameters.Experimental result shows that WTD can effectively detect the private data leakage from WebView.

Key words: Android platform, WebView component, privacy leakage, data flow tracking, taint detection

中图分类号:

TP309.2

王伟平,林漫涛,李天明,吴伟. 基于TaintDroid扩展的WebView隐私泄露检测[J]. 计算机工程, doi: 10.3969/j.issn.1000-3428.2016.10.030.

WANG Weiping,LIN Mantao,LI Tianming,WU Wei. Privacy Leakage Detection of WebView Based on TaintDroid Extension[J]. Computer Engineering, doi: 10.3969/j.issn.1000-3428.2016.10.030.

http://www.ecice06.com/CN/Y2016/V42/I10/169

参考文献

参考文献［1］Google Inc..Android Security Overview［EB/OL］.［2015-03-15］.https://source.android.com/devices/tech/security/index.html. ［2］Enck W,Ongtang M,McDaniel P.Understanding Android Security［J］.IEEE Security & Privacy,2009,7(1):50-57. ［3］Tan D J J,Chua T W,Thing V L L.Securing Android:A Survey,Taxonomy,and Challenges［J］.ACM Com-puting Surveys,2015,47(4):1-45. ［4］张玉清,王凯,杨欢,等.Android安全综述［J］.计算机研究与发展,2014,51(7):1385-1396. ［5］Smalley S,Craig R.Security Enhanced(SE) Android:Bringing Flexible MAC to Android［C］//Proceedings of Network and Distributed System Security Symposium.San Diego,USA:ISOC,2013:20-38. ［6］Shebaro B,Oluwatimi O,Bertino E.Context-based Access Control Systems for Mobile Devices［J］.IEEE Transactions on Dependable and Secure Computing,2015,12(2):150-163. ［7］杨欢,张玉清,胡予濮,等.基于权限频繁模式挖掘算法的 Android 恶意应用检测方法［J］.通信学报,2013,34(1):106-115. ［8］Wang Wei,Wang Xing,Feng Dawei,et al.Exploring Permission-induced Risk in Android Applications for Malicious Application Detection［J］.IEEE Transactions on Information Forensics and Security,2014,9(11):1869-1882. ［9］Lu Long,Li Zhichun,Wu Zhenyu,et al.CHEX:Statically Vetting Android Apps for Component Hijacking Vulnerabilities［C］//Proceedings of 2012 ACM Conference on Computer and Communications Security.New York,USA:ACM Press,2012:229-240. ［10］Arzt S,Rasthofer S,Fritz C,et al.FlowDroid:Precise Context,Flow,Field,Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps［C］//Pro-ceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation.New York,USA:ACM Press,2014:29-35. ［11］Enck W,Gilbert P,Han S,et al.TaintDroid:An Information-flow Tracking System for Realtime Privacy Monitoring on Smartphones［J］.ACM Transactions on Computer Systems,2014,32(2):5-10. ［12］Tang Y,Ames P,Bhamidipati S,et al.CleanOS:Limiting Mobile Data Exposure with Idle Eviction［C］//Proceedings of Symposium on Operating System Design and Implementation.Berkeley,USA:USENIX Associa-tion,2012:77-91. ［13］Qian Chenxiong,Luo Xiapu,Shao Yuru,et al.On Tracking Information Flows Through JNI in Android Applications［C］//Proceedings of the 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks.Washington D.C.,USA:IEEE Press,2014:180-191. ［14］Luo Tongbo,Hao Hao,Du Wenliang,et al.Attacks on WebView in the Android System［C］//Proceedings of the 27th Annual Computer Security Applications Con-ference.New York,USA:ACM Press,2011:343-352. ［15］Yu Jing,Yamauchi T.Access Control to Prevent Attacks Exploiting Vulnerabilities of WebView in Android OS［C］//Proceedings of IEEE International Conference on High Performance Computing & Communications.Washington D.C.,USA:IEEE Press,2013:1628-1633. ［16］Georgiev M,Jana S,Shmatikov V.Breaking and Fixing Origin-based Access Control in Hybrid Web/Mobile Application Frameworks［C］//Proceedings of Network and Distributed System Security Symposium.San Diego,USA:ISOC,2014:1-8. ［17］Oracle Inc..Trail:The Reflection API［EB/OL］.［2015-03-15］.https://docs.oracle.com/javase/tutorial/reflect/. ［18］Tutorialspoint.Java.lang.Throwable.get Stack Trace() Method［EB/OL］.［2015-03-15］.http://www.tutorial spoint.com/java/lang/throwable_getstacktrace.htm. 编辑陆燕菲

[1]	冉玲琴, 彭长根, 许德权, 吴宁博. 基于区块链技术架构的隐私泄露风险评估方法[J]. 计算机工程, 2023, 49(1): 146-153.
[2]	吴勇，罗腾元，王美珍. 可定位图像采集与检索方法研究[J]. 计算机工程, 2014, 40(7): 207-211,220.
[3]	于卫红, 陈燕. 轻量级嵌入式Agent在Android平台上的实现[J]. 计算机工程, 2013, 39(7): 298-301.
[4]	吴大勇, 郑紫微. 基于Android平台的访问权限机制优化方案[J]. 计算机工程, 2013, 39(5): 144-147.
[5]	杨广亮, 龚晓锐, 姚刚, 韩心慧. 一个面向Android的隐私泄露检测系统[J]. 计算机工程, 2012, 38(23): 1-6.
[6]	刘宇, 戴鸿君, 郭凤华, 赵国玲. Android平台可增量同步的网络应用协议[J]. 计算机工程, 2011, 37(18): 59-61.

选择文件类型/文献管理软件名称

选择包含的内容

基于TaintDroid扩展的WebView隐私泄露检测

Privacy Leakage Detection of WebView Based on TaintDroid Extension

PDF

可视化

被引次数

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 6

编辑推荐

Metrics

本文评价

模态框（Modal）标题

选择文件类型/文献管理软件名称

选择包含的内容

基于TaintDroid扩展的WebView隐私泄露检测

Privacy Leakage Detection of WebView Based on TaintDroid Extension

PDF

可视化

被引次数

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 6

编辑推荐

Metrics

本文评价