基于挂钩的Android应用密码函数识别

doi:10.19678/j.issn.1000-3428.0252012

摘要/Abstract

摘要： 对Android应用的逆向分析不仅有助于检测正常应用中是否存在隐私泄露、密码学误用等安全问题，也可用于分析恶意应用的行为。在此过程中，定位Native层二进制代码中的密码函数并识别其使用的密码算法及具体功能是一项极具挑战性的任务。现有的密码函数识别方法中，动态分析由于可以获取运行时信息，具有较高的准确性。然而，现有基于动态分析的工具主要针对x86/x64架构，难以有效应用于以64位ARM架构为主的Android应用程序。为解决这一问题，本文提出了一种基于挂钩的识别方法，用于定位和识别Android应用Native层代码中的密码函数。该方法首先基于常量特征、运算类指令统计特征、加密类指令特征这三类静态特征筛选出疑似密码函数，然后使用Frida对筛选出的函数执行挂钩操作，收集函数的传入参数、返回值等调用信息。最终，通过将被挂钩函数的运行结果与开源密码算法库中已知密码函数的运行结果进行匹配，识别密码函数的类型及功能。本文在三款主流Android应用上对该方法进行了测试，实验结果表明，该方法能够有效识别真实Android应用Native层代码中的密码函数。

Abstract: Reverse engineering Android applications not only facilitates the detection of security issues such as privacy leaks and cryptographic misuses in legitimate applications but also supports the analysis of malicious application behaviors. Key challenges in this process include locating cryptographic functions within native binary code, identifying the cryptographic algorithms they employ, and determining their functionalities. Among existing methods for identifying cryptographic functions, dynamic analysis-based methods often achieve high accuracy due to their ability to capture detailed runtime information. However, existing dynamic analysis-based tools are primarily designed for x86/x64 architectures, making them less effective for Android applications, which are predominantly based on the 64-bit ARM architecture. To address this issue, this paper proposes a hook-based method for identifying cryptographic functions in the native code of Android applications. The method first filters suspected cryptographic functions using three types of static features: constant characteristics, computational instruction ratios, and cryptographic instructions. Next, the dynamic instrumentation toolkit Frida is employed to hook the filtered functions and collect runtime information, such as parameters and return values. Finally, the execution results of the hooked functions are compared with cryptographic functions from open source cryptographic libraries to identify their types and functionalities. The proposed method is tested on three popular Android applications. Experimental results demonstrate that the proposed method effectively identifies cryptographic functions in the native code of real-world Android applications.

袁寰宇, 傅建明. 基于挂钩的Android应用密码函数识别[J]. 计算机工程, doi: 10.19678/j.issn.1000-3428.0252012.

Yuan Huanyu, Fu Jianming. Cryptographic function identification in Android applications based on function hooking[J]. Computer Engineering, doi: 10.19678/j.issn.1000-3428.0252012.

参考文献

[1] ENCK W, ONGTANG M, MCDANIEL P. Understanding Android Security[J]. IEEE Security & Privacy, 2009, 7(1): 50-57.
[2] EILAM E. Reversing: Secrets of Reverse Engineering[M]. Indiana, USA: John Wiley & Sons, 2011.
[3] CIFUENTES C, GOUGH K J. Decompilation of binary programs[J]. Software: Practice and Experience, 1995, 25(7): 811-829.
[4] LINN C, DEBRAY S. Obfuscation of executable code to improve resistance to static disassembly[C]//Proceedings of the 10th ACM Conference on Computer and Communications Security. New York, NY, USA: Association for Computing Machinery, 2003: 290-299.
[5] BUDANOV D O, CAJAS C D. Detecting Execution Under a Debugger Based on INT3 Opcode Misinterpretation[C]//2024 Conference of Young Researchers in Electrical and Electronic Engineering (ElCon). Saint Petersburg, Russian Federation: IEEE, 2024: 130-133.
[6] ALBAKRI A, FATIMA H, MOHAMMED M, et al. Survey on Reverse-Engineering Tools for Android Mobile Devices[J]. Mathematical Problems in Engineering, 2022, 2022(1): 4908134.
[7] LEE S, JEON J W. Evaluating performance of Android platform using native C for embedded systems[C]//ICCAS 2010. Gyeonggi-do, Korea (South): IEEE, 2010: 1160-1163.
[8] Hex-Rays SA. IDA Pro[EB/OL]. [2025-03-16]. https://hex-rays.com/ida-pro.
[9] OpenSSL Software Foundation Inc. OpenSSL Library[EB/OL]. [2025-03-16]. https://openssl-library.org/.
[10] 杨阳, 奥昱杰, 彭泽康, 等. ARIA 加密算法的识别规则提取和检测[J]. 计算机与网络, 2024, 50(04): 371-376. YANG Yang, AO Yujie, PENG Zekang, et al. Identification Rules Extraction and Detection of ARIA Encryption Algorithm[J]. Computer and Network, 2024, 50(04): 371-376.
[11] GUILFANOV I. FindCrypt2[EB/OL]. [2025-01-01]. https://hex-rays.com/blog/findcrypt2.
[12] polymorf. findcrypt-yara[EB/OL]. [2025-01-01]. https://github.com/polymorf/findcrypt-yara.
[13] Sirmabus. IDA_Signsrch[EB/OL]. [2025-01-01]. https://github.com/nihilus/IDA_Signsrch.
[14] igNorAMUS, snaker, Maxx, et al. KANAL - Krypto Analyzer for PEiD[EB/OL]. [2025-01-01]. http://www.dcs.fmph.uniba.sk/zri/6.prednaska/tools/PEiD/ plugins/kanal.htm.
[15] oalieno. cryfind[EB/OL]. [2025-01-01]. https://github.com/oalieno/cryfind.
[16] FAN Haoling, MENG Lingjia, ZHENG Fangyu, et al. Black-Box Testing of Cryptographic Algorithms Based on Data Characteristics[C]//Applied Cryptography in Computer and Communications. Cham: Springer Nature Switzerland, 2022: 153-169.
[17] CABALLERO J, POOSANKAM P, KREIBICH C, et al. Dispatcher: enabling active botnet infiltration using automatic protocol reverse-engineering[C]//Proceedings of the 16th ACM Conference on Computer andCommunications Security. New York, NY, USA: Association for Computing Machinery, 2009: 621-634.
[18] WANG Qing, LI Juanru, ZHANG Yuanyuan, et al. NativeSpeaker: Identifying Crypto Misuses in Android Native Code Libraries[C]//Information Security and Cryptology. Cham: Springer International Publishing, 2018: 301-320.
[19] LESTRINGANT P, GUIHÉRY F, FOUQUE P A. Automated Identification of Cryptographic Primitives in Binary Code with Data Flow Graph Isomorphism[C]//Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security. New York, NY, USA: Association for Computing Machinery, 2015: 203-214.
[20] MEIJER C, MOONSAMY V, WETZELS J. Where's Crypto?: Automated Identification and Classification of Proprietary Cryptographic Primitives in Binary Code[C]//30th USENIX Security Symposium (USENIX Security 21). Berkeley, CA: USENIX Association, 2021: 555-572.
[21] GRÖBERT F, WILLEMS C, HOLZ T. Automated Identification of Cryptographic Primitives in Binary Programs[C]//Recent Advances in Intrusion Detection. Berlin, Heidelberg: Springer Berlin Heidelberg, 2011: 41-60.
[22] CALVET J, FERNANDEZ J M, MARION J Y. Aligot: cryptographic function identification in obfuscated binary programs[C]//Proceedings of the 2012 ACM Conference on Computer and Communications Security. New York, NY, USA: Association for Computing Machinery, 2012: 169-182.
[23] XU Dongpeng, MING Jiang, WU Dinghao. Cryptographic Function Detection in Obfuscated Binaries via Bit-Precise Symbolic Loop Mapping[C]//2017 IEEE Symposium on Security and Privacy (SP). San Jose, CA, USA: IEEE, 2017: 921-937.
[24] LUK C K, COHN R, MUTH R, et al. Pin: building customized program analysis tools with dynamic instrumentation[C]//Proceedings of the 2005 ACM SIGPLAN Conference on Programming Language Design and Implementation. New York, NY, USA: Association for Computing Machinery, 2005: 190-200.
[25] 李洋, 康绯, 舒辉. 基于动态二进制分析的密码算法识别[J]. 计算机工程, 2012, 38(17): 106-109,115. LI Yang, KANG Fei, SHU Hui. Cryptographic Algorithm Recognition Based on Dynamic Binary Analysis[J]. Computer Engineering, 2012, 38(17): 106-109,115.
[26] BRUENING D L. Efficient, transparent, and comprehensive runtime code manipulation[D]. Cambridge, USA: Massachusetts Institute of Technology, 2004.
[27] YAN Fei, XING Yunlong, ZHANG Shiwei, et al. Research on Cryptographic Algorithm Recognition Based on Behavior Analysis[C]//Trusted Computing and Information Security. Singapore: Springer Singapore, 2017: 370-382.
[28] 焦龙龙, 罗森林, 丁庸, 等. 基于二进制熵的加解密函数定位方法[J]. 北京理工大学学报, 2018, 38(11): 1163-1167. JIAO Longlong, LUO Senlin, DING Yong, et al. Cryptographic Function Location Based on Binary Entropy[J]. Transactions of Beijing Institute of Technology, 2018, 38(11): 1163-1167.
[29] 李继中, 蒋烈辉, 尹青, 等. 基于 Bayes 决策的密码算法识别技术[J]. 计算机工程, 2008, 34(20): 159-160. LI Jizhong, JIANG Liehui, YIN Qing, et al. Cryptogram Algorithm Recognition Technology Based on Bayes Decision-making[J]. Computer Engineering, 2008, 34(20): 159-160.
[30] 陈梓彤, 贾鹏, 刘嘉勇. 基于 Siamese 架构的恶意软件隐藏函数识别方法[J]. 信息网络安全, 2023, 23(5): 62-75. CHEN Zitong, JIA Peng, LIU Jiayong. Identification Method of Malicious Software Hidden Function Based on Siamese Architecture[J]. Netinfo Security, 2023, 23(5): 62-75.
[31] HILL G, BELLEKENS X. CryptoKnight: Generating and Modelling Compiled Cryptographic Primitives[J]. Information, 2018, 9(9): 231.
[32] LI Xiao, CHANG Yuanhai, YE Guixin, et al. GENDA: A Graph Embedded Network Based Detection Approach on encryption algorithm of binary program[J]. Journal of Information Security and Applications, 2022, 65: 103088.
[33] 赵晨霞, 舒辉, 沙子涵. 基于 IR2Vec 模型的跨架构密码算法识别[J]. 计算机科学, 2023, 50(S1): 730-736.ZHAO Chenxia, SHU Hui, SHA Zihan. Cross-architecture Cryptographic Algorithm Recognition Based on IR2Vec[J]. Computer Science, 2023, 50(S1): 730-736.
[34] SHANG Xiuwei, CHEN Guoqiang, CHENG Shaoyin, et al. FoC: Figure out the Cryptographic Functions in Stripped Binaries with LLMs[J]. arXiv:2403.18403, 2024.
[35] 曹建超. JNFuzz-Droid：面向 Android Native 代码的轻量级模糊测试和污点分析框架[D]. 江西: 江西师范大学, 2023. CAO Jianchao. JNFuzz-Droid: A Lightweight Fuzzing and Taint Analysis Framework for Android Native Code[D]. Jiangxi: Jiangxi Normal University, 2023.
[36] SONMARK A. Instruction Set Quick Reference Sheets[EB/OL]. [2025-01-01]. https://github.com/flynd/asmsheets.
[37] ANGLANO C, CANONICO M, CEPOLLINA A, et al. Enabling the forensic study of application-level encrypted data in Android via a Frida-based decryption framework[C]//Proceedings of the 18th International Conference on Availability, Reliability and Security. New York, NY, USA: Association for Computing Machinery, 2023: 155.
[38] DeepSeek-AI. DeepSeek-R1: Incentivizing Reasoning Capability in LLMs via Reinforcement Learning[J]. arXiv:2501.12948, 2025.

选择文件类型/文献管理软件名称

选择包含的内容