Computer Science (计算机科学) ›› 2020, Vol. 47 ›› Issue (2): 262-268. doi: 10.11896/jsjkx.190100117

• Information Security •

Easy-to-deploy Dynamic Monitoring Scheme for Android Applications

SU Xiang (苏祥), HU Jian-wei (胡建伟), CUI Yan-peng (崔艳鹏)

  1. (School of Cyber Engineering, Xidian University, Xi'an 710071, China)
  • Received: 2019-01-15  Online: 2020-02-15  Published: 2020-03-18
  • Corresponding author: SU Xiang (suxiang234@163.com)

  • About the authors: SU Xiang, Ph.D., is not a member of the China Computer Federation; his main research interest is Android security. HU Jian-wei, professor, is not a member of the China Computer Federation; his main research interests include cyber security and cyber confrontation.

Abstract: Dynamic monitoring schemes for Android applications are usually implemented in one of three forms: 1) a custom ROM image; 2) with root privileges on the device, modifying system files or using ptrace to inject code into the target process; 3) repackaging the APK. All three are intrusive, depend on the system environment, and are hard to deploy across different devices. To address this, this paper proposes a non-intrusive dynamic monitoring scheme based on plug-in (app virtualization) technology. The monitoring system is released as a host app and installed on the target device; the application to be monitored is loaded into the host app's environment as a plug-in, and the host app loads the corresponding monitoring module, which performs dynamic monitoring of the monitored app's behaviour. Before the monitored application runs as a plug-in, a process is started in advance, and the Binder service proxy objects in that process are replaced through dynamic proxies so that Binder service requests are redirected to virtual services in a virtual-service process. This allows the four kinds of Android components (Activity, Service, BroadcastReceiver and ContentProvider) of the monitored application to run in the pre-started process. Then, during the initialization of the monitored application's Application object, the Java-layer and native-layer monitoring modules are loaded to carry out the monitoring. Following this idea, a prototype system, AndroidMonitor, was implemented on top of the VirtualApp sandbox and tested on a Nexus 5 device. The experimental results show that, compared with other schemes, although the scheme increases the monitored application's startup time by about 1.4 s, it does not require root privileges on the device and can monitor sensitive APIs in both the Java layer and the native layer at the same time; a device-information protection module is also introduced to prevent device information from leaking while an app is being monitored. The system is released as an app, is easy to deploy on different devices, and suits a variety of application scenarios.

Keywords: Plug-in, Dynamic proxy, Dynamic monitoring, Non-root, Hooking, Sandbox

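The core mechanism in the abstract, replacing a cached Binder service proxy with a dynamic proxy so that a plug-in's component-start requests reach the host's virtual service while every call is logged, as an added Java example that is not code from the paper, from AndroidMonitor or from VirtualApp. The interface `IActivityManager`, the `SystemActivityManager` stand-in, the `ServiceRegistry` singleton, the `VirtualActivityManager` and the `installHook` helper are all hypothetical models of the corresponding framework internals, reduced so the file runs on a plain JDK (JDK 11 or later: `java BinderRedirectDemo.java`) without Android:

```java
import java.lang.reflect.Field;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not the paper's or VirtualApp's code): redirecting a Binder
 * service proxy through java.lang.reflect.Proxy. Every type below is a
 * hypothetical stand-in for an Android framework internal.
 */
public class BinderRedirectDemo {

    /** Stand-in for the AIDL interface the framework hands out over Binder (e.g. IActivityManager). */
    public interface IActivityManager {
        int startActivity(String callingPackage, String component);
        String getPackageForToken(int token);
    }

    /** Models the real Binder proxy: the system only starts components it has installed. */
    static final class SystemActivityManager implements IActivityManager {
        @Override public int startActivity(String callingPackage, String component) {
            throw new SecurityException("not installed: " + component);
        }
        @Override public String getPackageForToken(int token) {
            return "android";
        }
    }

    /** Models the private static field in which the framework caches the proxy object. */
    static final class ServiceRegistry {
        private static IActivityManager sActivityManager = new SystemActivityManager();
        static IActivityManager getActivityManager() { return sActivityManager; }
    }

    /** Host-side virtual service: maps plug-in components onto pre-started stub process slots. */
    static final class VirtualActivityManager {
        private final List<String> stubSlots = new ArrayList<>();

        int startActivity(String callingPackage, String component) {
            // A plug-in may only start components that belong to it.
            if (!component.startsWith(callingPackage + "/")) {
                throw new SecurityException("plug-in " + callingPackage + " may only start its own components");
            }
            int slot = stubSlots.indexOf(component);
            if (slot < 0) {
                stubSlots.add(component);
                slot = stubSlots.size() - 1;
            }
            return slot; // index of the pre-started stub process that hosts this component
        }
    }

    /** The dynamic proxy: logs every call (monitoring) and redirects selected ones (virtualization). */
    static final class RedirectingHandler implements InvocationHandler {
        final List<String> auditLog = new ArrayList<>();
        private final IActivityManager original;
        private final VirtualActivityManager virtual;

        RedirectingHandler(IActivityManager original, VirtualActivityManager virtual) {
            this.original = original;
            this.virtual = virtual;
        }

        @Override public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
            auditLog.add(m.getName() + Arrays.toString(args)); // monitoring record
            if ("startActivity".equals(m.getName())) {
                return virtual.startActivity((String) args[0], (String) args[1]);
            }
            return m.invoke(original, args); // everything else passes through to the real service
        }
    }

    /** Swap the cached proxy for a dynamic proxy, as a host app does before the plug-in runs. */
    static RedirectingHandler installHook(VirtualActivityManager virtual) throws ReflectiveOperationException {
        Field f = ServiceRegistry.class.getDeclaredField("sActivityManager");
        f.setAccessible(true);
        IActivityManager original = (IActivityManager) f.get(null);
        RedirectingHandler handler = new RedirectingHandler(original, virtual);
        IActivityManager proxy = (IActivityManager) Proxy.newProxyInstance(
                IActivityManager.class.getClassLoader(),
                new Class<?>[] { IActivityManager.class }, handler);
        f.set(null, proxy);
        return handler;
    }

    public static void main(String[] args) throws Exception {
        String plugin = "com.example.plugin"; // constructed sample plug-in package
        IActivityManager before = ServiceRegistry.getActivityManager();
        try {
            before.startActivity(plugin, plugin + "/.MainActivity");
        } catch (SecurityException e) {
            System.out.println("without hook: " + e.getMessage());
        }

        RedirectingHandler hook = installHook(new VirtualActivityManager());
        IActivityManager am = ServiceRegistry.getActivityManager();
        int slot = am.startActivity(plugin, plugin + "/.MainActivity");
        System.out.println("with hook: component runs in stub process slot " + slot);
        System.out.println("pass-through: " + am.getPackageForToken(7));
        System.out.println("audit log: " + hook.auditLog);
    }
}
```

Before the hook, the "system" refuses a component it never installed; after `installHook` swaps the singleton, the same call is answered by the virtual service with a stub-process slot, pass-through calls still reach the original object, and the handler's audit log is the monitoring record. Caveats a practitioner would check before relying on the real version of this pattern: the framework field that caches `IActivityManager` has moved between releases (`ActivityManagerNative.gDefault` through Android 7.x, `ActivityManager.IActivityManagerSingleton` from Android 8.0), reflection on it is blocked by the hidden-API restrictions introduced in Android 9 unless they are bypassed, and a monitored app can detect the substitution with `Proxy.isProxyClass(am.getClass())`, so this kind of non-root monitoring is visible to anti-analysis code.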


CLC number: TP311.5