版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领
文档简介
文献信息文献标题:AndroidSecurityIssuesandSolutions(Android安全问题和解决方案)文献作者:KarthickSowndarajan,SumitraBinu文献出处:《InternationalConferenceonInnovativeMechanismsforIndustryApplications(ICIMIA)》2017:686-689.字数统计:英文2199单词,12157字符;中文3837汉字夕卜文文献AndroidSecurityIssuesandSolutionsAbstractAndroidoperatingsystemusesthepermission-basedmodelwhichallowsAndroidapplicationstoaccessuserinformation,systeminformation,deviceinformationandexternalresourcesofSmartphone.ThedeveloperneedstodeclarethepermissionsfortheAndroidapplication.TheuserneedstoacceptthesepermissionsforsuccessfulinstallationofanAndroidapplication.Thesepermissionsaredeclarations.Atthetimeofinstallation,ifthepermissionsareallowedbytheuser,theappcanaccessresourcesandinformationanytime.Itneednotre-requestforpermissionsagain.AndroidOSissusceptibletovarioussecurityattacksduetoitsweaknessinsecurity.ThispapertellsaboutthemisuseofapppermissionsusingSharedUserID,howtwo-factorauthenticationsfailduetoinappropriateandimproperusageofapppermissionsusingspyware,datatheftinAndroidapplications,securitybreachesorattacksinAndroidandanalysisofAndroid,iOSandWindowsoperatingsystemregardingitssecurity.Keywords—Android;Permissions;SharedUserID;Security;DataTheft;Spyware;iOS;Windows.INTRODUCTIONAversatileworkingframework(OS)isprogrammingthatpermitscellphones,tabletPCs,anddifferentgadgetstorunapplicationsandprojects.Thereareseveraltypesofmobileoperatingsystemavailableinthemarket.ThecommonlyusedmobileoperatingsystemsareAndroid,iOS,WindowsandBlackBerryOS.TheAndroidworkingframeworkisanopensourceandsourcecodedischargebyGoogleunderApachepermitlicense,basedonLinux-Kerneldesignedforsmartphonesandtablets.Androidisoneofthemostpopularoperatingsystemsforsmartphones.Atthelastquarterof2016,thetotalnumberofapplicationsavailableinGoogleplaystorewas2.6Million,andatotalnumberofAndroidoperatingsystem-basedsmartphonessoldwas2.1Billion.ThemarketshareofAndroidinthefirstquarterof2016was84.1%whereasiOS,Windows,BlackBerry,andothershold14.8%,0.7%,0.2%and0.2%respectively.Therefore,itisclearthatAndroidhasthewidestmarketwhencomparedtoothersmobileoperatingsystems.iOS(iPhoneOS)developedbyAppleInc.andusedonlybyAppledevicessuchasiPhone,iPad,andiPodtouch.ItisthesecondmostpopularoperatingsystemnexttoAndroid.InAndroid,otherthangoogleplaystore,itispossibletoinstalltheapplicationsfromunknownsources.But,iniOS,theappscanbeonlyinstalledfromAppStore.ItisoneofthemajorsecuritybreachesinAndroid.DuetovarioussecuritybreachesinAndroid,attackersalreadyregardsmartphoneasthetargettostealpersonalinformationusingvariousmalware.In2013,MohdShahdiAhmadetal.indicatedtheanalysisofAndroidandiOSregardingsecurityanddeclarediOSmoresecurethanAndroid.In2014,A.Kauretal.indicatedthatitispossibletorevokegrantedpermissionsfromandroidapplication.TherestofthepaperorganizesasSectionIIdescribesvarioussecurityattacksonAndroidsuchaspermissionescalationattack,confuseddeputyattack,directcollisionattack,indirectcollisionattackandTOCTOU(TimeOfCheckandTimeofUse)attack.SectionIIIdescribesdifferenttypesofAndroidapppermissions,over-claimingofapppermissions,misuseofapppermissionsusingSharedUserIDandfailureoftwo-factorauthenticationinAndroid-basedsmartphonesduetospyware.SectionIVpresentsthecomparisonofsecuritybetweenAndroidandiOS.SectionVpresentstheproposedmethodtoavoidmisuseofapppermissionsandtheconclusionofthepaper.SECURITYATTACKSINANDROIDPermissionEscalationAttackItallowsamaliciousapplicationtocollaboratewithotherapplicationssoastoaccesscriticalresourceswithoutrequestingforcorrespondingpermissionsexplicitly.CollisionAttackAndroidsupportsshareduserID.Itisatechniquewhereintwoormoreapplicationsharethesameuseridsothattheycanaccessthepermissionswhicharegrantedtoeachother.Forexample,IfapplicationAhaspermissionstoREAD_CONTACTS,READ_PHONE_STATUSandBhaspermissionstoREAD_MESSAGES,LOCATION_ACCESS,ifboththeapplicationsusethesameuseridSHAREDUSERID,thenitispossibleforapplicationAtousethepermissionsgrantedtoitselfandthepermissionsgrantedtoB.Similarly,itispossibleforapplicationBtousethepermissionsgrantedtoitselfandthepermissionsgrantedtoA.EveryAndroidapplicationhasuniqueIDthatisitspackagename.AndroidsupportssharedUserID.ItisanattributeinAndroidManifest.xmlfile.Ifthisattributeassignedwiththesamevalueintwoormoreapplicationsandifthesamecertificatesignstheseapplications.Theycanaccesspermissionsgrantedtoeachother.Collisionattackhasbeenclassifiedasdirectcollisionattackandindirectcollisionattack.Adirectcollisionattackiswhereinapplicationcommunicatesdirectly.InIndirectcollisionattackapplicationcommunicatesviathirdpartyapplicationorcomponent.TimeofCheckandTimeofUseAttackThemainreasonforTOCTOUAttackisnamingcollision.Nonamingruleorconstraintisappliedtoanewpermissiondeclaration.Moreover,permissionsinAndroidarerepresentedasstrings,andanytwopermissionswiththesamenamestringaretreatedasequivalenteveniftheybelongtoseparateapplications.SpywareSpywareisatypeofmalware.Itisanapkfilewhichisdownloadedautomaticallywhentheuservisitsmaliciouswebsiteandappsinstalledfromunknownsources.InAndroid,otherthangoogleplaystore,itispossibletoinstalltheapplicationsfromunknownsources.SpywareisoneofthemainreasonsformajorsecuritythreatsinAndroidoperatingsystem.UNDERSTANDINGPERMISSIONSTheAndroidoperatingsystemusesthepermission-basedmodeltoaccessvariousresourcesandinformation.Thesepermissionsarenotrequests;theyaredeclarations.ThesepermissionsaredeclaredinAndroidManifest.xmlfile.Oncethepermissionsaregranted,thepermissionsremainstaticforAndroidversionslessthan6.But,inAndroidversions,7.0andhighertheapppermissionsareclassifiedintonormalpermissionsanddangerouspermissions.NormalPermissionsNormalpermissionsdon'tspecificallyhazardtheclient'sprivacy.NormalpermissionsneednotbedeclaredintheAndroidManifest.xmlfile.Thesepermissionsaregrantedautomatically.Example:KILL_BACKGROUND_PROCESSESSET_WALLPAPERUNINSTALL_SHORTCUTWRITE_SYNC_SETTINGSDangerousPermissionsDangerousPermissionscanaccesscriticalresourcesofthemobile.Dangerouspermissionscangivetheappaccesstotheuser'sconfidentialdata.Ifapplistsanormalpermissioninitsmanifest,thesystemgrantsthepermissionautomatically.Ifapplistadangerouspermission,theuserhastoexplicitlygiveapprovalfortheappforthesuccessfulinstallationoftheapp.Example:CONTACTSREAD_CONTACTS,WRITE_CONTACTS,GET_ACCOUNTSLOCATIONACCESS_FINE_LOCATION,ACCESS_COARSE_LOCATIONSMSSEND_SMSRECEIVE_SMS,READ_SMS,RECEIVE_WAP_PUSH,RECEIVE_MMSSTORAGEREAD_EXTERNAL_STORAGE,WRITE_EXTERNAL_STORAGEAndroidMarshmallow6.0hasclassifiedthepermissionsintonormalanddangerouspermissions.Whenevertheappneedstousedangerouspermissions,itexplicitlyaskstheusertoconfirmwiththepermission.Thus,Android6.0andhigherversionsprovideexplicitpermissionnotificationtoaccesscriticalresources.But,Marshmallowisavailableonlyon1.2percentofAndroiddevices.TheAndroidoperatingsystemupdatesarenotavailableformostoftheolderdevices.Therefore,securitythreatsrelatedtoapppermissionsarestillnotsolved.CeApplicationSandboxingAndroidusesapplicationsandboxingwhichisusedtolimittheapplicationtoaccesstheresources.Ifanappneedstoaccesstheresourcesoutsideofitssandbox,itneedstorequesttheappropriatepermission.Over-claimingofapplicationpermissionsThepermissionswhichmaynotberequiredfortheapp,buttheapplicationrequestfortheparticularpermission,thisiscalledoverclaimingofpermissions.Itisthedeclarationtouseirrelevantpermissionsthatarenotatallrequiredfortheapplication.Itisthemainreasonfordatatheftinandroidapplication.Theinformationiscollectedandsenttotheconcernedpeople.Thedeveloper’softheappmakesmoneybysellingthisinformation.Severalthirdpartiesbuythisinformationforvariousreasonslikedataminingetc.,Forexample,inFlashLightAndroidapppermissionisgivenforfullinternetaccess.Itisirrelevantforflashlightapplicationtohaveinternetaccess.AshmeetKauretal.developedaframeworkwhereinitispossibletoremovetheunnecessarypermissionsfromtheapp,oncetheapphasbeensuccessfullyinstalled.MisuseofApppermissionsandfailureoftwo-factorauthenticationDuetomisuseofvariousapppermissions,itispossibleforvarioussecuritythreats.Amongvariousthreats,itispossibleforAndroidapplicationstoreadmessages,sendmessages.SMSisacommonandbasicfunctionalityintraditionalmobileandsmartphone.Allconfidentialinformationbasedontwo-factorauthenticationhasbeensentasatextmessage.Forexample,variousbanks,onlinewebsites,etc.,usetwo-factorauthentications.Themainobjectiveoftwo-factorauthenticationistoincreasethesecurityandintegrityfortheusersandtoavoidvarioussecurityattacksthatarebasedontraditionalusernameandpasswordapproach.But,eventhismethodfails,ifmalwareinstalledinasmartphoneorduetooverclaimpermissionapps.Ifthehackerhacksusernameandpasswordoftheuserusingvarioushackingtechniques,thefirstlevelofauthenticationarecompromisedandthentheOTP(OneTimePassword)isbeingsenttotheuser.IftheapplicationormalwarethatisbeinginstalledinSmartphonethenitispossiblefortheappormalwaretoreadmessagesandsendtheinformationtothehackerwithouttheknowledgeoftheuser.So,eventwo-factorauthenticationfails.^COMPARISONOFANDROIDANDIOSAeApplicationDownloadsTheAndroidapplicationscanbedownloadedfromgoogleplaystoreandunknownsources.Androidusescrowdsourcingwhichisbasedonusercommentsandratingoftheapp.Ifenoughuserscomplainabouttheapp,thenitwillberemovedanddeactivatedremotely.TheiOSapplicationscanbedownloadedonlyfromiOSAppStore.ItisnotpossibletodownloadandinstalliOSapplicationsotherthanAppStore.AlltheapplicationsavailableiniOShavebeenproperlycheckedforvarioussecurityissuesinthesourcecodeandafterverifyingitthenitisavailableintheAppStore.B.SigningTechnologySelfSigningisusedinAndroid.TheAndroiddischargeframeworkrequiresthatallapplicationsintroducedonclientgadgetsarecarefullymarkedwithdeclarationswhoseprivatekeysareheldbythedesigneroftheapplications.TheendorsementspermittheAndroidframeworktorecognizethecreatorofanapplicationandsetuptrustconnectionsamongstdesignersandtheirapplications.Theendorsementsarenotusedtocontrolwhichapplicationstheclientcanandcan'tintroduce.CodesigningusediniOS.Itappassuresusersthatitisfromaknownsourceandtheapphasn’tbeenmodifiedsinceitwaslastsigned.Beforepublishinganapp,theapphastobesubmittedtoAppleInc.forapproval.Applesignstheappaftercheckingthecodeforanymaliciouscode.Ifanappissignedthen,anychangestotheappcanbeeasilytracked.InterprocessCommunicationAndroidsupportsinterprocesscommunicationamongitsapplications.AppleiOSdoesnotsupportinter-processcommunicationamongitsapplications.OpenSourceandClosedSourceAndroidisopensource.Inthisguideline,opensourceprogrammingimpliesthesourcecodeismadeaccessibleonanallinclusivelevel.Thethoughtistoopenuptheproducttothegeneralpopulation,makingamasscoordinatedeffortthatoutcomesintheproductbeingcontinuallyupgraded,settled,enhanced,anddeveloped.Apple’siOSisclosedsource.Withclosedsourcesoftware,thesourcecodeisfirmlywatched,regularlyinlightofthefactthatit'sviewedasaprizedformulathatmakesshortageandkeepstheassociationaggressive.Suchprojectsaccompanylimitationsagainstchangingtheproductorutilizingitincoursesintendedbythefirstmakers.MemoryRandomizationItisatechniquewhereintheinformationabouttheapplicationisstoredonthediskintherandomaddresswhichhasbeengenerated.Thisreducesthesecuritythreatssincemaliciouscodeandattackerneedstofindtheexactlocationwheretheinformationisbeingstored.ThistechniqueisusedbybothiOSandAndroidOS.StorageDataofapplicationisstoredeitherininternalstorageorexternalstorage.ForAndroid,theinformationcanbestoredinbothbuiltinstorageandexternalstorage.But,iOSdoesnotsupportexternalstorage.Ithasonlyinternalstoragetoreducevarioussecuritythreatsandfasterprocessing.V.PROPOSEDMETHODAndroidshareduserIDisoneofthemajorreasonsformisusingapppermissions.DuetoshareduserIDpermissionsgrantedtooneappcanaccesspermissionsgrantedbyanotherappifandonlyifbothhastheshareduserIDvaluesetsameandsignedbythesamecertificate.Theusersarenotawareofwhichapplicationsaremisusingthepermissions.Intheproposedmethod,anAndroidsecuritytoolisdeveloped.Thisprocedureincludessixsteps:•ListalltheapplicationsbasedonitsappIDthatisitspackagename.•ListalltheapplicationsforwhichsharedUserIDisset.•ComparealltheapplicationswitheverysharedUserIDsetapp.•Listthefinalizedapps.•ProvidesexplicitnotificationtotheuserwhenthesharedUserIDapptriestoaccessthepermissionswithotherapps.•DisplaytheresourcesusedbyshareduserIDappsbythesecuritytoolapp.VI.CONCLUSIONAndroidismostwidelyusedmobileoperatingsystem.ImprovisingthesecurityofanAndroidOSisveryimportanttosafeguardtheuser'sprivacyandconfidentialinformation.Inthisstudy,itwasshownhowtoavoidmisusingapppermissions.中文译文Android安全问题和解决方案摘要Android操作系统采用基于权限的模式,允许Android应用程序访问智能手机的用户信息、系统信息、设备信息和外部资源。开发人员需要声明Android应用程序的权限。用户需要接受这些权限才能成功安装Android应用程序。这些权限是声明。在安装时,如果用户允许权限,则应用程序可以随时访问资源和信息。它不需要再次请求权限。由于Android操作系统在安全性方面的弱点,它很容易受到各种安全攻击。本文介绍了使用共享用户ID滥用应用程序权限、由于间谍软件对应用程序权限的不当和不正确使用而导致的双因素身份验证失败、Android应用程序中的数据被盗、Android中的安全漏洞或攻击,以及Android、iOS和Windows操作系统的安全性分析。关键词一Android;权限;共享用户ID;安全性;数据窃取;间谍软件;iOS;Windows。简介通用的运行框架(OS)是一种允许手机、平板电脑和不同的设备运行应用程序和项目的编程。市场上有几种类型的移动操作系统。常用的移动操作系统是Android、iOS、Windows和BlackBerryOSoAndroid运行框架是Google在Apache许可下发布的开放源代码和源代码,基于Linux内核,专为智能手机和平板电脑而设计的。Android是最流行的智能手机操作系统之一。截至2016年第四季度,GooglePlayStore中可用的应用程序总数为260万,而基于Android操作系统的智能手机销售总量为21亿。2016年第一季度,Android的市场份额为84.1%,而iOS、Windows、BlackBerry和其他操作系统分别占14.8%、0.7%、0.2%和0.2%。因此,与其他移动操作系统相比,Android显然拥有最广泛的市场。iOS(iPhoneOS)由苹果公司开发,仅供iPhone、iPad和iPodtouch等苹果设备使用。它是仅次于Android的第二大流行操作系统。在Android中,除了GooglePlayStore之外,还可以从未知来源安装应用程序。但是,在 iOS中,应用程序只能从AppStore安装。这是Android的主要安全漏洞之一。由于Android的各种安全漏洞,攻击者已经将智能手机作为利用各种恶意软件窃取个人信息的目标。2013年,MohdShahdiAhmad等人指出了Android和iOS在安全方面的分析,并宣布iOS比Android更安全。2014年,A.Kaur等人表明可以撤销Android应用程序授予的权限。本文的其余部分组织为,第2节描述了Android上的各种安全攻击,如权限提升攻击、混淆代理人攻击、直接共谋攻击、间接共谋攻击和TOCTOU(检查时间和使用时间)攻击。第3节介绍了不同类型的Android应用程序权限、应用程序权限声明过多、使用共享用户ID滥用应用程序权限,以及基于Android的智能手机由于间谍软件的双因素身份认证失败。第4节对Android和iOS的安全性进行了比较。第5节提出了避免应用程序权限被滥用的方法,弟6借为本文的结论。Android中的安全攻击权限提升攻击它允许恶意应用程序与其他应用程序协作,以便在不明确请求相应权限的情况下访问关键资源。共谋攻击Android支持共享用户ID。这是一种技术,其中两个或多个应用程序共享同一个用户ID,以便它们可以访问彼此授予的权限。例如,如果应用程序A具有READ_CONTACTS、READ_PHONE_STATUS权限和B具有READ_MESSAGES、LOCATION_ACCESS权限,如果这两个应用程序都使用相同的用户ID,即共享用户ID,则应用程序A可以使用授予其自身的权限和授予B的权限。同样,应用程序B也可以使用授予自身的权限和授予A的权限。每个Android应用程序都有唯一的ID,即它的包名。Android支持共享用户ID。它是AndroidManifest.xml文件中的一个属性。如果此属性在两个或多个应用程序中分配了相同的值,并且相同的证书对这些应用程序进行签名。它们可以访问彼此授予的权限。共谋攻击被分类为直接共谋攻击和间接共谋攻击。直接共谋攻击在应用程序中直接通信。在间接共谋攻击中,应用程序通过第三方应用程序或组件进行通信。检查时间和使用时间攻击TOCTOU攻击的主要原因是命名冲突。没有将命名规则或约束应用于新的权限声明。此外,Android中的权限表示为字符串,具有相同名称字符串的任何两个权限都被视为等效权限,即使它们属于不同的应用程序。间谍软件间谍软件是一种恶意软件。这是一个apk文件,当用户访问恶意网站和从未知来源安装应用程序时,会自动下载该文件。在Android中,除了GooglePlayStore之外,还可以安装来自未知来源的应用程序。间谍软件是Android操作系统面临重大安全威胁的主要原因之一。了解权限这些权限不是请求;它们是声明。这些权限在AndroidManifest.xml文件中声明。一旦授予了权限,对于Android版本小于6的版本,权限将保持静态。但是,在Android版本中,7.0及以上的应用程序权限分为正常权限和危险权限。正常权限正常权限不会特别危害客户的隐私。正常权限不需要在AndroidManifest.xml文件中声明。这些权限是自动授予的。例如:KILL_BACKGROUND_PROCESSESSET_WALLPAPERUNINSTALL_SHORTCUTWRITE_SYNC_SETTINGSB危险权限危险权限可以访问移动设备的关键资源。危险权限允许应用程序访问用户的机密数据。如果应用程序在其清单中列出了正常权限,系统将自动授予该权限。如果应用程序列出了危险权限,则用户必须明确批准该应用程序才能成功安装。例如:联系方式READ_CONTACTS,WRITE_CONTACTS,GET_ACCOUNTS位置ACCESS_FINE_LOCATION,ACCESS_COARSE_LOCATION短讯服务SEND_SMS,RECEIVE_SMS,READ_SMS,RECEIVE_WAP_PUSH,RECEIVE_MMS存储READ_EXTERNAL_STORAGE,WRITE_EXTERNAL_STORAGEAndroid6.0Marshmallow已将权限分为正常和危险权限。每当应用程序需要使用危险权限时,它都会明确要求用户对使用该权限进行确认。因此,Android6.0及更高版本为访问关键资源提供了明确的权限通知。但是,Marshmlow只在1.2%的Android设备上可用。Android操作系统更新不适用于大多数较旧的设备。因此,与应用程序权限相关的安全威胁仍未解决。C.应用程序沙盒Android使用应用程序沙盒来限制应用程序访问资源。如果应用程序需要访问其沙箱外的资源,则需要请求相应的权限。应用程序权限的过度声明权限可能不是应用程序所需要的,但应用程序还是请求特定的权限,这是对权限的过度声明。它是使用与应用程序完全不需要的无关权限的声
温馨提示
- 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
- 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
- 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
- 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
- 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
- 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
- 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。
最新文档
- 2024版代收款业务委托管理三方合同2篇
- 2024版水库养鱼与渔业科普教育承包合同2篇
- 2024年个人新能源汽车租赁借款合同及借条3篇
- 2024年度金融服务合同(担保)5篇
- 2024版城市更新项目联合开发合同规范文本3篇
- 2024版房产购房合同之城市更新项目3篇
- 2024版房地产典当业务债务重组与清算合同3篇
- 2024版广播剧配音制作合同3篇
- 2024年度物业托管合同标的及托管范围3篇
- 2024版新能源汽车租赁合同绿色能源使用补充协议书3篇
- GB/T 25767-2010滚动轴承圆锥滚子
- GB/T 10590-2006高低温/低气压试验箱技术条件
- 控制工程基础matlab大作业
- GA/T 946.4-2011道路交通管理信息采集规范第4部分:道路交通违法处理信息采集
- 安全生产十大定律(安全生产培训模板)
- RPA初级考试试题附答案
- 保险活动策划方案
- 公共部门决策的理论与方法第9-14章课件
- 人教版八年级上册 历史全册课件【部编教材】
- 2021年四川音乐学院辅导员招聘试题及答案解析
- 《语文课程标准》学习笔记
评论
0/150
提交评论