基于权限的Android应用风险评估方法

doi:10.11772/j.issn.1001-9081.2018071643

计算机应用 ›› 2019, Vol. 39 ›› Issue (1): 131-135.DOI: 10.11772/j.issn.1001-9081.2018071643

• 2018年全国开放式分布与并行计算学术年会(DPCS 2018)论文 • 上一篇下一篇

基于权限的Android应用风险评估方法

卜同同, 曹天杰

中国矿业大学计算机科学与技术学院, 江苏徐州 221116

收稿日期:2018-07-19 修回日期:2018-08-15 出版日期:2019-01-10 发布日期:2019-01-21
通讯作者: 卜同同
作者简介:卜同同(1991-),女,江苏徐州人,硕士研究生,CCF会员,主要研究方向:移动终端安全、网络安全;曹天杰(1967-),男,江苏徐州人,教授,博士,主要研究方向:密码学、信息安全。
基金资助:
国家自然科学基金资助项目（61303263）。

Risk assessment method of Android application based on permission

BU Tongtong, CAO Tianjie

School of Computer Science and Technology, China University of Mining and Technology, Xuzhou Jiangsu 221116, China

Received:2018-07-19 Revised:2018-08-15 Online:2019-01-10 Published:2019-01-21
Supported by:
This work is partially supported by the National Natural Science Foundation of China (61303263).

摘要/Abstract

摘要： 针对Android权限机制存在的问题以及传统的应用风险等级评估方法的不足，提出了一种基于权限的Android应用风险评估方法。首先，通过对应用程序进行逆向工程分析，提取出应用程序声明的系统权限、静态分析的权限以及自定义的权限，和通过动态检测获取应用程序执行使用到的权限；然后，从具有恶意倾向的组合权限、"溢权"问题和自定义权限三个方面对应用程序进行量性风险评估；最后，采用层次分析法（AHP）计算上述三个方面的权重，评估应用的风险值。对6245个软件样本进行训练，构建自定义权限数据集和具有恶意倾向的权限组合数据集。实验结果表明，与Androguard相比，所提方法能更精确地评估应用软件的风险值。

关键词: Android安全, 风险评估, 应用权限, 量性评估, 静态分析, 动态检测

Abstract: Focusing on the problems existing in Android permission mechanism and poor capability of traditional measurement methods of Android software security, a risk assessment method of Android APP based on permission was proposed. Firstly, the system permissions declared by application, the permissions obtained through static analysis and custom permissions were extracted by reverse-engineering analysis of application. At the same time, the permissions used by executing application were extracted through dynamic detection. Secondly, quantitative risk assessment of applications was performed from three aspects:permission combination of hiding malicious intent, "over-privilege" problem and custom permission vulnerability. Finally, the Analytic Hierarchy Process (AHP) evaluation model was adopted to calculate the weights of three aspects above for estimating risk value of application. In addition, custom permission data set and permissions combination dataset with hiding malicious intent were built by training 6245 software samples collected from application store and VirusShare. The experimental results show that the proposed method can assess risk value of application software more accurately compared with Androguard.

Key words: Android security, risk assessment, application permission, quantitative assessment, static analysis, dynamic detection

中图分类号:

TP309.2

卜同同, 曹天杰. 基于权限的Android应用风险评估方法[J]. 计算机应用, 2019, 39(1): 131-135.

BU Tongtong, CAO Tianjie. Risk assessment method of Android application based on permission[J]. Journal of Computer Applications, 2019, 39(1): 131-135.

参考文献

[1] IDC. Smartphone market share[EB/OL]. (2018-02-20)[2018-03-29]. https://www.idc.com/promo/smartphone-market-share/os.
[2] BAGHERI H, KANG E, MALEK S, et al. A formal approach for detection of security flaws in the Android permission system[J]. Formal Aspects of Computing, 2017, 9:1-20.
[3] Google. Permissions best practices[EB/OL]. (2018-01-20)[2018-03-26]. https://developer.android.google.cn/training/permissions/best-practice.
[4] FELT A P, CHLN E, HANNA S, et al. Android permissions demystified[C]//CCA2011:Proceedings of the 18th ACM Conference on Computer and Communications Security. New York:ACM, 2011:627-638.
[5] 张锐,杨吉云.基于权限相关性的Android恶意软件检测[J].计算机应用,2014,34(5):1322-1325.(ZHANG R, YANG J Y. Android malware detection based on permission correlation[J]. Journal of Computer Applications,2014, 34(5):1322-1325.)
[6] TUNCAY G S, DEMETRIOU S, GANJU K, et al. Resolving the predicament of Android custom permissions[C]//NDSS 2018:Proceedings of the 2018 Network and Distributed System Security Symposium. Piscataway, NJ:IEEE, 2018:1-16.
[7] HAMED A, AYED H K B. Privacy risk assessment and users' awareness for mobile APPs permissions[C]//Proceedings of the 2017 International Symposium on Computer Systems and Applications. Piscataway, NJ:IEEE, 2017:1-8.
[8] 徐君锋,王嘉捷,朱克雷,等.基于AHP的安卓应用安全信用指数度量方法[J].清华大学学报(自然科学版),2018,58(2):131-136.(XU J F, WANG J J, ZHU K L, et al. Credit index measurement method for Android application security based on AHP[J]. Journal of Tsinghua University (Science and Technology), 2018,58(2):131-136.)
[9] RAHMAN A, PRADHAN P, PARTHO A, et al. Predicting Android application security and privacy risk with static code metrics[C]//Proceedings of the 2017 IEEE/ACM International Conference on Mobile Software Engineering and Systems. Piscataway, NJ:IEEE, 2017:149-153.
[10] DINI G, MARTINELLI F, MATTEUCCI I, et al. Risk analysis of Android applications:a user-centric solution[J]. Future Generation Computer Systems, 2018, 80:505-518.
[11] TANG W, JIN G, HE J, et al. Extending Android security enforcement with a security distance model[C]//Proceedings of the 2011 International Conference on Internet Technology and Applications. Piscataway, NJ:IEEE, 2011:1-4.
[12] VXShare. VirusShare[EB/OL].[2017-10-09]. https://vir-usshare.com.
[13] DESNOS A, GUEGUEN G, BACHMANN S. Androguard package[EB/OL].[2017-12-29]. http://androguard.readthedocs.io/en/latest/api/androguard.html.

[1]	郎大鹏, 丁巍, 姜昊辰, 陈志远. 基于多特征融合的恶意代码分类算法[J]. 计算机应用, 2019, 39(8): 2333-2338.
[2]	周敏, 周安民, 刘亮, 贾鹏, 谭翠江. 组件拒绝服务漏洞自动挖掘技术[J]. 计算机应用, 2017, 37(11): 3288-3293.
[3]	汤杨, 曾凡平, 王健康, 黄心依. 基于静态分析的Android GUI遍历方法[J]. 计算机应用, 2016, 36(10): 2811-2815.
[4]	武文博, 康锐, 李梓. 基于攻击图的信息物理系统信息安全风险评估方法[J]. 计算机应用, 2016, 36(1): 203-206.
[5]	李艳, 黄光球, 张斌. 基于累积效应的网络脆弱性扩散分析方法[J]. 计算机应用, 2015, 35(8): 2169-2173.
[6]	潘磊, 李廷元. 适用于移动自组织网络的信息安全动态评估模型[J]. 计算机应用, 2015, 35(12): 3419-3423.
[7]	傅玥潘世英王建岭. 多决策树的模糊积分融合在银行信贷管理系统中的应用[J]. 计算机应用, 2014, 34(3): 763-766.
[8]	陈亮潘惠勇. 网络安全风险评估的云决策[J]. 计算机应用, 2012, 32(02): 472-479.
[9]	王丹周涛武毅赵文兵. 基于贝叶斯网络的可信平台控制模块风险评估模型[J]. 计算机应用, 2011, 31(03): 767-770.
[10]	魏德健贾智平李新. 面向无线自组网的分布式信任管理模型[J]. 计算机应用, 2011, 31(01): 129-132.
[11]	黄光球李艳. 基于粗糙图的网络风险评估模型[J]. 计算机应用, 2010, 30(1): 190-195.
[12]	肖敏范士喜柴蓉杨富平. 基于可拓集的信息安全风险评估[J]. 计算机应用, 2009, 29(12): 3178-3181.
[13]	李廷元范成瑜秦志光刘晓东. 基于风险事件分类的信息系统评估模型研究[J]. 计算机应用, 2009, 29(10): 2806-2808.
[14]	陈柏强郭涛阮辉严俊. Java程序中数组越界和空指针错误的静态分析[J]. 计算机应用, 2009, 29(05): 1376-1379.
[15]	杨晓明罗衡峰陈明军范成瑜周世杰. 信息系统安全风险评估技术分析[J]. 计算机应用, 2008, 28(8): 1920-1923.

基于权限的Android应用风险评估方法

Risk assessment method of Android application based on permission

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics