2019 IEEE 25th International Conference on Parallel and Distributed Systems (ICPADS)
978-1-7281-2583-1/19/$31.00 ©2019 IEEE. DOI 10.1109/ICPADS.2019.00143

Capability Leakage Detection Between Android Applications Based on Dynamic Feedback

Mingsong Zhou, School of Computer Science and Technology, University of Science and Technology of China, Hefei, Anhui, China, mingsong@mail.ustc.edu.cn
Fanping Zeng, School of Computer Science and Technology, University of Science and Technology of China, Hefei, Anhui, China, billzeng@ustc.edu.cn
Zhao Chen, School of Computer Science and Technology, University of Science and Technology of China, Hefei, Anhui, China, chen95@mail.ustc.edu.cn

Abstract-The capability leakage of Android applications is one kind of serious vulnerability. It can allow other applications to leverage an application's functions to achieve their illegal goals. In this paper, we propose a tool which can automatically detect and confirm capability leakages of Android applications with dynamic-feedback testing. The tool utilizes context-sensitive, flow-sensitive inter-procedural data flow analysis to find key variables and instrumentation points, then it tests the application continuously by test cases generated from the test log. We have made experiments on the 607 most popular applications of Wandoujia in 2017, and found a total of 6,070 in 16 kinds of capability leakages. Compared with the famous IntentFuzzer, our tool is 19.38% better on the average ability to detect permission capability leakage.

Keywords-Android, capability leakage, inter-procedural data flow analysis, dynamic-feedback testing

I. INTRODUCTION

Capability leakage is also known as redistribution of authority [1]. It occurs when privileged applications are exploited by non-privileged malicious applications, which enables malicious applications to perform privileged actions. Communication between Android components is widely used, and many Android application developers share the functions of their applications by exposing components (components that can be invoked by external APPs). However, many Android developers do not fully understand the rules of communication between Android components, resulting in unintentionally exposing components that should not be exposed, or forgetting to check the permissions of calls between components [2], thus resulting in the leakage of application capabilities.

There is a lot of research work on vulnerabilities between Android components, mainly divided into static analysis and dynamic testing. The main drawback of static analysis work (ComDroid [3], PCLeak [4], Yi He [5], AutoPatchDroid [6], Mr-droid [7]) is that it is impossible to determine whether the vulnerabilities exist. Developers need to confirm the vulnerabilities manually, which greatly increases the development cycle of the APP. The existing dynamic testing methods such as IntentFuzzer [8] and AWiDe [9] also have some shortcomings, which lead to a high rate of missed reports. IntentFuzzer will be described in detail later, and is selected for comparison with our method in this paper. AWiDe works for similar purposes as our paper, but it only considers capability leakages related to input data from external components. When constructing test cases, it only uses the intent-filter information of exposed components in the Android Manifest file, but does not use the information in code. For example, intent extra attribute information will not appear in intent-filter, so there are shortcomings. In this paper, a test case generation method based on a dynamic feedback mechanism is proposed, which combines static analysis and dynamic testing technology. Compared with the existing capability leakage dynamic testing work, it has lower false positive rate.

We define the capability leakage vulnerability between Android applications as follows.

Assuming that there is Android application A, the set of privileges it owns is set to PSet, and the set of mapping relations between privileges and the statements they protect (briefly described as tgtAPI later) is set to PUMap (permission → unitSet). The set of exposed components owned by A is ECSet, and the set of root-methods owned by exposed components (the first method to be executed: root-method) is set to ECMethodMap (export-component → methodSet). The set of executable paths from the root method to the unit protected by permission is RMUPathMap (root-method, unit → pathSet).

$$\text{if } PUMap \neq \emptyset,\ ECMethodMap \neq \emptyset,\ \exists\, intent \neq null,\ \text{s.t. } RMUPathMap \neq \emptyset$$

Note: the intent object is the only input for inter-component communication. It mainly contains five attributes: Component, Action, Data, Category and Extras, which represent the name of the component to be started (String), the type of operation to be executed (String), the type of data to be executed (Uri), a collection of component types that can handle this intent object (Set<String>), and an additional key-value pair information set (Set). This paper calls intent objects from other APP components external intent.

The formula states that when the PUMap and ECMethodMap of application A are not empty, and there exists an intent that is not empty such that RMUPathMap of application A is not empty, then application A has a capability leakage vulnerability. The capability leakage corresponds to the authority of the unit in RMUPathMap.

There are many APIs without parameters in Android applications, and many APIs can cause great harm even though they can't control their data inflow. Therefore, this paper considers all TGT APIs in the APP, even if they don't flow into external intent data. It should be noted that there are many normal interactions between applications that require user operation. We shouldn't think of these leaking paths with UI interaction capabilities as illegal, because they are user-aware. For example, to share the content of a news APP to a friend by short message, this sharing operation involves the user clicking to confirm the sending of short messages; we shouldn't think that there is a leakage of the ability to send short
messages, because it is ultimately up to the user to decide whether to send or not. However, it is illegal to disclose the ability of sending short messages without a UI method, which has serious harmfulness. So this paper considers that a UI method will not cause a capability leakage.

II. SYSTEM OVERVIEW

As shown in Figure 1, the tool includes two parts: static analysis and dynamic testing.

(1) Static analysis of the detected APP is carried out to find the control statements related to the intent data flowing in and out of the detected APP, to find the set of variables (briefly described as key variables) used in the control statements, to generate Log instrumented statements that print key variables, and to insert the Log instrumented statements before the control statement blocks. At the same time, this paper finds statements protected by Android privileges, inserts a Log statement before each of them, records the statement information protected by Android privileges, and then repackages the signed APP to get the instrumented APP (Figure 1, instrumented APP).

(2) The testing APP (Figure 1, testing APP, without any privileges) will dynamically test the instrumented APP by sending intent objects. According to the value of key variables in the Log, new intent test cases are generated, which can trigger more code and improve the code coverage. If the statement information protected by Android privileges appears in the Log, it indicates that the privilege capability is leaked. Next, we will elaborate on the two parts.

[Figure 1 Flow chart. Panels: Static Analysis; Dynamic Testing; Test Log Analysis and Automatic Test Case Generation]

A. Static Analysis

Our tool builds the method call graph and the control flow graph of each method based on Soot [10]. Soot is a Java bytecode [11] analysis and optimization framework, which supports the conversion of Java bytecode into multiple intermediate languages. This paper uses the Soot framework to transform the application to be detected into Jimple [12] intermediate code with three-address codes for analysis.

There are many implicit calls in Android applications, as shown in Figure 2. startActivity(intent) is a calling method between Android components. Its function is to start activityA. First, startActivity(intent) calls the Android system API, and finally the Android system API calls the activityA.onCreate() method. But we can't get the call relationship between startActivity(intent) and activityA.onCreate when we statically analyze the Android APP and build the method call graph by Soot alone. Therefore, in the process of constructing the method call graph, this paper identifies hidden callback methods in the Android APK and adds them to the Android method call graph until the Android method call graph no longer changes (that is, all callbacks in the current method call graph have been added to the method call graph). The proposed method is similar to FlowDroid [13] and IccTA [14]. Let n be the number of nodes in the complete method call graph and k be the number of methods with callbacks. The algorithm complexity of constructing a complete call graph is O(k*n).

[Figure 2 Example of implicit invocation for Android application. Labels: Android APP; Android System]

This paper uses the API signature and privilege mapping APIPermissionMap file [16] provided by the Android malware analysis tool androguard [15] to identify privileged statements in Android applications, and saves these statements in tgtAPISet.

Algorithm 1 Inter-process Data Flow Analysis Algorithms - Arrival Definition
Input: method, inData
Output: flowInUnitDataMap (unit → flowInDataSet), returnData

     1  Function inter-procedure-data-flow:
     2    cfgNodes ← method.cfgNodes();
     3    for n in cfgNodes do
     4      OUT[n] = ∅;
     5    end
     6    f ← cfgNodes.getFirstNode();
     7    IN[f] ← IN[f] ∪ inData;
     8    changed ← cfgNodes;
     9    while changed ≠ ∅ do
    10      choose a node n in changed;
    11      changed = changed − n;
    12      for all nodes p in predecessors(n) do
    13        IN[n] ← IN[n] ∪ OUT[p];
    14      end
    15      oldOUT ← OUT[n];
    16      OUT[n] ← transfer_function(IN, n, flowInUnitDataMap);
    17      if oldOUT ≠ OUT[n] then
    18        for all nodes s in successors(n) do
    19          changed ← changed ∪ s;
    20        end
    21      end
    22    end
    23    l ← cfgNodes.getReturnNode();
    24    if l.returnLocal in IN[l] then
    25      returnData ← l.returnLocal.data;
    26    end
    27  End Function
Starting from the starting point of external intent data flow (the method of obtaining external intent objects, such as the activity.getIntent() method), this paper uses context-sensitive and flow-sensitive inter-process data flow analysis to find all statements related to external intent. The implementation of the inter-process data flow analysis algorithm is mainly composed of algorithm 1 and algorithm 2, which mainly use arrival definition data flow analysis technology and the DFS algorithm.

Algorithm 2 Inter-process Data Flow Analysis - Transfer Function
Input: IN, n, flowInUnitDataMap
Output: OUT[n]

     1  Function transfer_function:
     2    KILL[n] ← ∅;
     3    GEN[n] ← ∅;
     4    useLocals ← n.getUsedLocals();
     5    defLocal ← n.getDefLocal();
     6    if useLocals ∩ IN[n] ≠ ∅ then
     7      GEN[n] = GEN[n] ∪ defLocal;
     8      flowInUnitDataMap.put(n.unit, intentData);
     9    else
    10      KILL[n] = KILL[n] ∪ defLocal;
    11    end
    12    if defLocal ≠ null then
    13      if (m = getMethodCall(n)) ≠ null then
    14        if Pair(m, arg) not in hasProcessedMethodSummarySet then
    15          returnData ← inter-procedure-data-flow(m, arg.data).returnData;
    16          if returnData ≠ null then
    17            GEN[n] ← GEN[n] ∪ defLocal;
    18          end
    19          hasProcessedMethodSummarySet.add(Pair(m, arg));
    20        end
    21      end
    22    else
    23      if (m = getMethodCall(n)) ≠ null then
    24        if m not in hasProcessedMethodSummarySet then
    25          returnData ← inter-procedure-data-flow(m, arg.data).returnData;
    26          hasProcessedMethodSummarySet.add(Pair(m, arg));
    27        end
    28      end
    29    end
    30    OUT[n] = GEN[n] ∪ (IN[n] − KILL[n]);
    31  End Function

Each method corresponds to a control flow graph (CFG), and each statement in a method corresponds to a node in the CFG. Each node n has sets IN and OUT, which represent the set of variables related to intent data before node n and the set of variables related to intent data after node n executes. After each node is actually executed, the set of variables associated with intent data changes, which can be calculated by the following formula:

$$OUT[n] = GEN[n] \cup (IN[n] - KILL[n])$$

Here GEN[n] is the set of variables associated with intent data added after the node is executed, and KILL[n] is the set of variables that are reassigned after executing this node and are not related to intent data. The formula is implemented by the transfer_function function (line 16 of algorithm 1; details of the implementation are shown in algorithm 2). IN[n] of each node is the union of the OUT sets of all its predecessor nodes (lines 12 to 14 of algorithm 1). The execution of each statement is simulated (that is, the transfer_function function) until OUT[n] no longer changes for any node, and eventually all statements associated with external intent data will be obtained.

The transfer function mainly analyzes whether intent data related variables are used in node n. If intent data-related variables are used, the assigned variables in the node are considered intent-related (lines 6 to 7 of algorithm 2). If the node contains a method call, it enters the method and calls algorithm 1 again for analysis (line 15, line 25 of algorithm 2). For a method that has different data flows in different call contexts, a copy of the original function is created at the call point to consider different types of data flow input. Because only intent-related data streams are considered in this paper, the input types of parameters of the methods need to be determined, and the input types of intent data flows are finite (Intent, Action, Data, Category, Extras), the number of replicates created for the methods is limited. Therefore, the clone-based context-sensitive inter-process data flow analysis can ensure the accuracy of data flow analysis without causing significant performance overhead.

If the return value of this method is related to intent data, defLocal is added to GEN[n] (line 17 of algorithm 2). Each node and the intent data flowing into it are put in flowInUnitDataMap (line 8 of algorithm 2). Intent data record their data types, including intent objects, intent action attributes, intent category attributes, intent extras attributes and so on. flowInUnitDataMap is queried to find all control statements "if" and the intent data that flows into them, and they are stored in ifControlDataMap (ifUnit → intentData).

Through the above, the set of statements protected by privileges, tgtAPISet, and the set of control statements related to intent data, ifControlDataMap, can be obtained. By iterating over tgtAPISet, Log statements which print the tgtAPI, its corresponding permission and the information of the APP where it is located are generated, and these Log statements are instrumented before the tgtAPI. Iterating over ifControlDataMap, Log statements are inserted before "if" to print key variables and the attributes of the intentData flowing into the "if". If the data attribute is Extra, a Log statement that prints the key variable is inserted before the intentData source statement get*Extra(key). After the instrumentation is completed, the APP is signed and repackaged and the instrumented APP is obtained. Therefore, when the instrumented APP runs, we can get the running logs related to intentData.

It should be noted that reinforcement technology [17] and anti-re-packaging technology are becoming more and more popular, with the result that static analysis cannot get the real application code, and the re-packaged application cannot run properly. However, the tool in this paper is for developers, who can use it before the application is released (before using consolidation and repackaging technology). Therefore, our tool is still valid.
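The worklist iteration of Algorithms 1 and 2, as an added Python example that is not the authors' tool: it runs over a constructed toy statement model instead of Soot/Jimple, and `Node`, `transfer`, `analyze` and the sample `PROGRAM` are hypothetical names. Facts are (local, label) pairs so the kind of intent data reaching each `if` is recorded, a redefined local is killed, and every parameter of a callee receives the argument's labels (single-parameter callees are assumed).

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Node:                        # one statement of a toy three-address IR
    text: str
    defs: Optional[str] = None     # local assigned by the statement
    uses: tuple = ()               # locals read by the statement
    succ: tuple = ()               # successor indices in the method's CFG
    source: Optional[str] = None   # label created unconditionally (getIntent)
    relabel: Optional[str] = None  # label given when a tainted local is read
    call: Optional[str] = None     # callee analysed with the argument's labels
    is_if: bool = False
    is_return: bool = False

def transfer(n, in_facts, analyze_call):
    """OUT[n] = GEN[n] | (IN[n] - KILL[n]); also returns the tainted facts used."""
    used = {(v, lab) for (v, lab) in in_facts if v in n.uses}
    labels = frozenset(lab for _, lab in used)
    if n.call:                     # enter the callee in this calling context
        labels = analyze_call(n.call, labels)
    elif n.relabel and labels:     # e.g. getAction() on a tainted intent
        labels = frozenset({n.relabel})
    elif n.source:                 # e.g. getIntent()
        labels = frozenset({n.source})
    if n.defs is None:
        return set(in_facts), used
    gen = {(n.defs, lab) for lab in labels}
    kill = {(v, lab) for (v, lab) in in_facts if v == n.defs}
    return gen | (in_facts - kill), used

def analyze(program, method, in_labels=frozenset(), summaries=None, if_control=None):
    """Algorithm 1 for one method; summaries are keyed by (method, input labels)."""
    summaries = {} if summaries is None else summaries
    if_control = {} if if_control is None else if_control
    key = (method, in_labels)
    if key in summaries:           # this context was already processed
        return summaries[key], if_control
    summaries[key] = frozenset()   # placeholder so recursion terminates
    params, nodes = program[method]
    preds = {i: [] for i in range(len(nodes))}
    for i, n in enumerate(nodes):
        for s in n.succ:
            preds[s].append(i)
    IN = {i: set() for i in range(len(nodes))}
    OUT = {i: set() for i in range(len(nodes))}
    IN[0] = {(p, lab) for p in params for lab in in_labels}
    call = lambda m, labs: analyze(program, m, labs, summaries, if_control)[0]
    work, ret = list(range(len(nodes))), set()
    while work:
        i = work.pop(0)
        for p in preds[i]:
            IN[i] |= OUT[p]
        new_out, used = transfer(nodes[i], IN[i], call)
        if nodes[i].is_if and used:            # ifControlDataMap entry
            if_control.setdefault((method, i), set()).update(l for _, l in used)
        if nodes[i].is_return:
            ret |= {lab for _, lab in used}
        if new_out != OUT[i]:
            OUT[i] = new_out
            work.extend(s for s in nodes[i].succ if s not in work)
    summaries[key] = frozenset(ret)
    return summaries[key], if_control

# Constructed sample: an exported component's root method and one helper.
PROGRAM = {
    "onCreate": ((), [
        Node("i = getIntent()", defs="i", succ=(1,), source="Intent"),
        Node("a = i.getAction()", defs="a", uses=("i",), succ=(2,), relabel="Action"),
        Node('f = i.getIntExtra("fromPush")', defs="f", uses=("i",), succ=(3,),
             relabel="Extras:fromPush"),
        Node("g = normalize(f)", defs="g", uses=("f",), succ=(4,), call="normalize"),
        Node("k = 0", defs="k", succ=(5,)),
        Node("if a == ACTION", uses=("a",), succ=(6, 8), is_if=True),
        Node("if g == 1", uses=("g",), succ=(7, 8), is_if=True),
        Node("disableKeyguard()  # tgtAPI", succ=(8,)),
        Node("if k == 0", uses=("k",), succ=(9,), is_if=True),
        Node("return", is_return=True),
    ]),
    "normalize": (("x",), [
        Node("y = x + 0", defs="y", uses=("x",), succ=(1,)),
        Node("return y", uses=("y",), is_return=True),
    ]),
}

def run_example():
    summaries, if_control = {}, {}
    analyze(PROGRAM, "onCreate", frozenset(), summaries, if_control)
    return if_control, summaries
```

Only the two `if` statements fed by intent data end up in the map; `if k == 0` is left out, so no Log statement would be instrumented before it.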
B. Dynamic Analysis

Algorithm 3 is the test case generation algorithm.

Algorithm 3 Test Case Generation Method Based on Dynamic Feedback
Input: detected-app
Output: capabilityLeakSet

     1  Function Main:
     2    ECSet ← getEC(detected-app.AndroidManifestXml);
     3    capabilityLeakSet ← ∅;
     4    for exported-component in ECSet do
     5      actionSet, dataSet, categorySet, extraSet ← ∅;
     6      while true do
     7        if isFirstTest then
     8          initial-intent = newIntent(exported-component);
     9          logFile ← testApp(detected-app, initial-intent);
    10        else
    11          selectCategorySet.add(categorySet);
    12          selectExtraSet ← combineWithDiffKeyAndType(extraSet);
    13          for a in actionSet do
    14            for d in dataSet do
    15              for c in selectCategorySet do
    16                for e in selectExtraSet do
    17                  intent = newIntent(a, d, c, e, exported-component);
    18                  if hasNotTested(intent) then
    19                    logFile ← testApp(detected-app, intent);
    20                  end
    21                end
    22              end
    23            end
    24          end
    25        end
    26        oneTestCLSet, intent-test-info = analyseLog(logFile);
    27        capabilityLeakSet ← capabilityLeakSet ∪ oneTestCLSet;
    28        if intent-test-info ≠ ∅ then
    29          actionSet, dataSet, categorySet, extraSet
    30            .addAll(intent-test-info, mutation(intent-test-info));
    31        else
    32          break;
    33        end
    34      end
    35    end
    36  End Function

We initially test the APP with intent objects without any data (lines 7 to 9 of algorithm 3), and then analyze the generated test log. If intent-test-info is empty, that is to say, the actionSet, categorySet, dataSet and extraSet of intent-test-info are empty, the test is stopped, and testing continues with the next exposed component. Otherwise, the new information is added to the intent attribute sets (line 29 of algorithm 3). At the same time, for a new extra attribute, we mutate it to generate extra attributes that may satisfy the control statement (line 30 of algorithm 3).

For example, the newly obtained extra attribute information is as follows.

key: "fromPush", type: int, value: 0

Because we don't know the judgment condition of the control statement, two other extra attributes which may satisfy the condition of the control statement are generated.

1) key: "fromPush", type: int, value: 1
2) key: "fromPush", type: int, value: -1

Then the test cases are regrouped (lines 11 to 24 of algorithm 3). The Category attribute in the intent object is Set<String>. In this paper, all possible category values are taken as the Category attribute of the intent object (line 11 of algorithm 3). The intent extra attribute is Set<key, type, value>. This paper divides the extraSet of all possible extra values into different sets according to key and type, and combines one value from each of these sets into an intent extra attribute at a time (line 12 of algorithm 3). From line 13 to line 24, algorithm 3 generates test cases to test the APP, and records the test cases that have been tested to ensure that the test cases are not repeated. Algorithm 3 continuously generates new test cases based on the intent-test-info of the test log until intent-test-info is empty.

III. EXPERIMENTAL ANALYSIS AND EVALUATION

We selected the most popular applications of Wandoujia in 2017. There are 810 selected applications, including 18 categories and the 45 most popular applications in each category. We removed the applications that use reinforcement and those for which Soot analysis failed [18], and finally 607 applications were selected.

This paper chooses IntentFuzzer as the comparison for the dynamic testing of capability leakage. Because the author could not be contacted, IntentFuzzer is implemented according to its paper. The four attributes of an IntentFuzzer intent test case are constructed as follows.

(1) IntentFuzzer's intent action construction includes three aspects: one is the action values in the intent-filter of exposed components, the next is to find strings prefixed by the application package name from all strings of the APP, and the other is the standard actions defined by the Android system. IntentFuzzer uses the above action set as a candidate set of action attributes for test cases.

(2) IntentFuzzer predefines some URIs of common data types. When testing an APP, if a predefined URI matches the intent-filter of an exposed component, the URI is used to construct the data attribute of intent test cases.

(3) IntentFuzzer obtains the key and type of the extra attribute in dynamic testing by modifying the source code of the Android system, and generates the value randomly. In this way, the extra attribute of the intent test case is constructed.

(4) IntentFuzzer does not consider the category attribute, and the Category attribute of its intent test cases is always empty.
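The feedback loop of Algorithm 3 (Section II-B), as an added Python example that is not the authors' tool: it runs against a constructed stand-in for an instrumented component rather than a real APP. The log record shapes, `sample_component`, the location string, and the boolean mutation rule are assumptions; the int mutation follows the paper's "fromPush" example (0 gives 1 and -1).

```python
from itertools import product

def sample_component(intent):
    """Constructed stand-in for an instrumented exported component.
    Returns the log records its inserted Log statements would print."""
    action, _data, _categories, extras = intent
    ex = {key: val for key, _typ, val in extras}
    log = [("KEYVAR", "action", "com.example.UNLOCK")]   # printed before the if
    if action != "com.example.UNLOCK":
        return log
    from_push = ex.get("fromPush", 0)
    log.append(("EXTRA", "fromPush", "int", from_push))  # before getIntExtra
    if from_push == 1:
        silent = ex.get("silent", False)
        log.append(("EXTRA", "silent", "boolean", silent))
        if silent:                                       # Log before the tgtAPI
            log.append(("TGTAPI", "DISABLE_KEYGUARD", "LockActivity.dismiss"))
    return log

def mutate(extra):
    """Neighbouring values that may satisfy an unknown branch condition."""
    key, typ, val = extra
    if typ == "int":
        return {(key, typ, val + 1), (key, typ, val - 1)}
    if typ == "boolean":
        return {(key, typ, not val)}
    return set()

def combine_with_diff_key_and_type(extra_set):
    """Group extras by (key, type), then pick one value from every group."""
    groups = {}
    for key, typ, val in extra_set:
        groups.setdefault((key, typ), []).append((key, typ, val))
    if not groups:
        return [frozenset()]
    return [frozenset(combo) for combo in product(*groups.values())]

def run_feedback(component):
    """Test one exported component until the log yields no new intent info."""
    actions, datas, categories, extras = set(), set(), set(), set()
    seen_keys, tested, leaks = set(), set(), set()
    batch = [(None, None, frozenset(), frozenset())]     # first test: bare intent
    while batch:
        fresh = False
        for intent in batch:
            tested.add(intent)
            for rec in component(intent):
                if rec[0] == "TGTAPI":
                    leaks.add(rec[1:])
                elif rec[0] == "KEYVAR" and rec[1] == "action":
                    fresh |= rec[2] not in actions
                    actions.add(rec[2])
                elif rec[0] == "EXTRA":
                    extra = rec[1:]
                    new = {extra} - extras
                    if extra[:2] not in seen_keys:       # mutate new extras only
                        seen_keys.add(extra[:2])
                        new |= mutate(extra)
                    fresh |= bool(new)
                    extras |= new
        if not fresh:                                    # intent-test-info empty
            break
        candidates = [(a, d, frozenset(categories), e)
                      for a in (actions or [None])
                      for d in (datas or [None])
                      for e in combine_with_diff_key_and_type(extras)]
        batch = [i for i in candidates if i not in tested]
    return leaks, len(tested)

if __name__ == "__main__":
    print(run_feedback(sample_component))
```

The bare first intent never reaches the protected statement; the leak is reported only after the logged action, the mutated `fromPush` value and the mutated `silent` value have been fed back into new test cases.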
A. Experimental Results

As shown in Table 1, a total of 6,070 capability leakages of 16 kinds were found. The first column of Table 1 is the type of capability leakage, the second column is the number of APPs with this type of capability leakage, and the third column is the number of capability leakage points (location of capability leakage, i.e. tgtAPI location) in all APPs. There are serious capability leakages, such as the DISABLE_KEYGUARD capability leakage, which concerns the main privilege used to achieve the lock screen function, and the KILL_BACKGROUND_PROCESSES capability leakage, which concerns the privilege to kill background processes. There are also less harmful capability leakages, such as the BROADCAST_STICKY capability leakage, which will lead to application broadcasting not working properly, the ACCESS_FINE_LOCATION capability leakage, which may lead to application power consumption problems, and the BLUETOOTH capability leakage, which allows mobile Bluetooth to be turned on and off arbitrarily.

Table I Experimental results

Permission                     AppUseCount   AllCount
DISABLE_KEYGUARD               6
CHANGE_WIFI_MULTICAST_STATE
RECEIVE_BOOT_COMPLETED         1
SET_WALLPAPER_HINTS            3             3
BROADCAST_STICKY               169           261
ACCESS_FINE_LOCATION           140           454
KILL_BACKGROUND_PROCESSES      4
ACCESS_COARSE_LOCATION         126           303
CHANGE_WIFI_STATE              3             4
GET_TASKS                      261           626
ACCESS_NETWORK_STATE           405           3201
WAKE_LOCK                      99            187
ACCESS_WIFI_STATE              294           928
MODIFY_AUDIO_SETTINGS          4             4
BLUETOOTH                      7             10
READ_PHONE_STATE               48            23

The following formulas are used as indicators of the false negative rate when evaluating tools. Let the test APP set be AppSet and its size be n. For APP A_i, we assume that its capability leakage set is CLSet_i and its size is s_i. We utilize tool t to test APP A_i. The set of capability leakage points for detecting P is PS. For the ability leakage P of APP A, the detection advantage ratio of tool t1 to tool t2 is:

G)(()(P-P) PS+PS-PSn PS号

It is the proportion of G to H, where G is the difference between the P permission leakage results detected by tool t1 and tool t2, and H is the total result of the two tools detecting the P permission leakage of APP A. Therefore, the average detection advantage ratio of tool t1 to tool t2 is:

G6=”%cAP

The results of 607 APPs detected by this tool and IntentFuzzer are calculated according to the above formulas to get Table 2.

Table II Comparing with IntentFuzzer results

Min(G(A, P))   Max(G(A, P))   Average G_{t1,t2}
0%             100%           19.38%

Among them, t1 is the tool of this paper and t2 is IntentFuzzer. According to Table 2, the average test results of this tool are 19.38% better than those of IntentFuzzer. For a single APP, the ability to detect permission capability leakage is up to 100%. That is to say, the tool can detect that the permission has the capability leakage, while IntentFuzzer does not detect it. Or the results of IntentFuzzer are included in the results of this tool. In the worst case, this tool gives the same result as IntentFuzzer. Therefore, it can be seen that the Android inter-application capability leakage detection tool proposed in this paper is completely superior to IntentFuzzer.

B. Time Efficiency

Table 3 shows the time consumption of data flow analysis, instrumentation and dynamic testing during the analysis of 607 APPs.

Table III Running time

                      Min      Max                   Average
data flow analysis    0.06s    161.70s (2.70min)     25.40s
instrumentation       0.15s    92.32s (1.54min)      20.21s
dynamic testing       7.46s    2567.09s (42.78min)   507.94s (8.47min)

Among them, the shortest time of data flow analysis is 0.06s, the longest time is 2.70 min, and the average time of data flow analysis is 25.40 s per APP. The shortest time of instrumentation is 0.15s, the longest time is 1.54min, and the average time of instrumentation is 20.21s. The shortest dynamic testing time was 7.46 seconds, the longest time was 42.78 minutes, and the average dynamic testing time per APP was 8.47 minutes. Therefore, the average detection time per APP is about 9 minutes, which meets the actual time efficiency requirements. For some individual APPs the dynamic testing time is very large, reaching 42.78 minutes, but this time is still acceptable. Different exposed components of an APP deal with external intents differently, which leads to different information obtained by dynamic testing of each APP. Therefore, the number of test cases generated by dynamic testing is different, and the number of exposed components of different APPs is different, so the time of dynamic testing of different APPs may vary greatly.

C. Examples of Exploiting Capability Leakage Vulnerabilities

Application A is a very popular lock screen application, which has been downloaded more than 10 million times. The tool in this paper detects that it has DISABLE_KEYGUARD capability leakage, so we guess that it has illegal access vulnerabilities. We use the test cases generated by this tool to trigger the DISABLE_KEYGUARD privilege leak and find that the keyguard lock can be bypassed without a password. The attack demo video can be found on Youku [19].
Application B is a cleanup software, which has KILL_BACKGROUND_PROCESSES capability leakage. It can be used to kill background applications. The attack demonstration video can be found on Youku [20].

IV. CONCLUSION AND PROSPECT

This paper presents an automatic detection tool based on dynamic feedback for capability leakage vulnerabilities between Android applications. Through context-sensitive and flow-sensitive inter-procedural data flow analysis, the instrumentation points and key variables can be found, and the instrumented APP can be automatically generated.

The tool continuously uses the results of dynamic testing of the instrumented APP to adjust the test cases used to test the APP, and can greatly improve the code coverage of the test. Compared with the existing capability leak vulnerability detection work, the tool in this paper has a lower miss rate, and the test results are 19.38% better. At the same time, this tool has detected 6,070 capability leakage vulnerabilities of 16 kinds in 607 APPs from Wandoujia, including some serious capability leakage vulnerabilities.

The capability leakage vulnerability evaluation is helpful for developers to quickly repair serious capability leakage vulnerabilities. Therefore, we may take the evaluation of capability leakage vulnerability as one of our future research work.

ACKNOWLEDGMENT

This work is supported partly by the National Key R&D Program of China 2018YFB0803400, 2018YFB2100300 and National Natural Science Foundation of China (NSFC) under grant 61772487.

REFERENCES

[1] FELT A P, WANG H J, MOSHCHUK A, et al. Permission re-delegation: Attacks and defenses[C/OL]//20th USENIX Security Symposium, San Francisco, CA, USA, August 8-12, 2011, Proceedings. 2011.
[2] YAN J, DENG X, WANG P, et al. Characterizing and identifying misexposed activities in android applications[C/OL]//Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, ASE 2018, Montpellier, France, September 3-7, 2018. 2018: 691-701.
[3] CHIN E, FELT A P, GREENWOOD K, et al. Analyzing inter-application communication in android[C/OL]//Proceedings of the 9th International Conference on Mobile Systems, Applications, and Services (MobiSys 2011), Bethesda, MD, USA, June 28 - July 01, 2011. 2011: 239-252.
[4] LI L, BARTEL A, KLEIN J, et al. Automatically exploiting potential component leaks in android applications[C/OL]//13th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2014, Beijing, China, September 24-26, 2014. 2014: 388-397.
[5] HE Y, LI Q. Detecting and defending against inter-app permission leaks in android apps[C/OL]//35th IEEE International Performance Computing and Communications Conference, IPCCC 2016, Las Vegas, NV, USA, December 9-11, 2016. 2016: 1-7.
[6] XIE J, FU X, DU X, et al. Autopatchdroid: A framework for patching inter-app vulnerabilities in android application[C/OL]//IEEE International Conference on Communications, ICC 2017, Paris, France, May 21-25, 2017. 2017: 1-6.
[7] LIU F, CAI H, WANG G, et al. Mr-droid: A scalable and prioritized analysis of inter-app communication risks[C/OL]//2017 IEEE Security and Privacy Workshops, SP Workshops 2017, San Jose, CA, USA, May 25, 2017. 2017: 189-198.
[8] YANG K, ZHUGE J, WANG Y, et al. Intentfuzzer: detecting capability leaks of android applications[C/OL]//9th ACM Symposium on Information, Computer and Communications Security, ASIA CCS '14, Kyoto, Japan - June 03 - 06, 2014. 2014: 531-536.
[9] DEMISSIE B F, GHIO D, CECCATO M, et al. Identifying android inter app communication vulnerabilities using static and dynamic analysis[C/OL]//Proceedings of the International Conference on Mobile Software Engineering and Systems, MOBILESoft '16, Austin, Texas, USA, May 14-22, 2016. 2016: 255-266.
[10] Soot[EB/OL]. https://sable.github.io/soot/.
[11] WIKI. Java bytecode[EB/OL]. 2019-03-20. https://en.wikipedia.org/wiki/Java_bytecode.
[12] VALLEE-RAI R, HENDREN L J. Jimple: Simplifying java bytecode for analyses and transformations[Z]. 1998.
[13] ARZT S, RASTHOFER S, FRITZ C, et al. Flowdroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps[C/OL]//ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI '14, Edinburgh, United Kingdom - June 09 - 11, 2014. 2014: 259-269.
[14] LI L, BARTEL A, BISSYANDE T F, et al. Iccta: Detecting inter-component privacy leaks in android apps[C/OL]//37th IEEE/ACM International Conference on Software Engineering, ICSE 2015, Florence, Italy, May 16-24, 2015, Volume 1. 2015: 280-291.
[15] DESNOS A, et al. Androguard: Reverse engineering, malware and goodware analysis of android applications. URL code.google.com/p/androguard, 2013: 153.
[16] ANDROGUARD. Android permission api mappings[EB/OL]. 2019-03-20. https://github.com/androguard/androguard/blob/master/androguard/core/api_specific_resources/api_permission_mappings/permissions_25.json.
[17] Dexguard[EB/OL]. https://www.guardsquare.com/en/products/dexguard.
[18] BARTEL A, KLEIN J, TRAON Y L, et al. Dexpler: converting android dalvik bytecode to jimple for static analysis with soot[C/OL]//Proceedings of the ACM SIGPLAN International Workshop on State of the Art in Java Program analysis, SOAP 2012, Beijing, China, June 14, 2012. 2012: 27-38.
[19] https://v.youku.com/v_show/id_XNDExOTglODA3Mg
[20] https://v.youku.com/v_show/id_XNDExOTg2MDAxMg