Android应用程序隐私权限安全研究

摘要/Abstract

摘要： 随着移动互联时代的到来，手机已经成为我们日常生活中使用时间最长的一个智能设备，基本上我们的生活完全离不开手机。手机上成千上万的移动应用程序给用户提供了社交、购物、游戏、工作、娱乐全方位的体验，丰富了我们的生活，但也增加了用户隐私泄露的危险。一个移动应用程序使用和收集用户的某个隐私信息到底是合理还是不合理？对于这个问题有很多的研究人员对移动应用程序的用户隐私权限安全进行了研究。本文首先对Android系统的隐私权限机制和存在的问题进行了阐述，然后归纳和梳理了现在Android应用程序隐私权限安全检测的解决方案，并介绍了各解决方案的主要研究思路和技术手段。最后，展望了Android应用程序隐私权限安全的未来研究方向。

关键词: 安卓, 应用程序, 用户隐私, 安全检测, 手机

Abstract: With the advent of the era of mobile Internet, mobile phone has become the longest used intelligent device in our daily life. Basically, our life is inseparable from mobile phone. Thousands of mobile applications on mobile phones provide users with a full range of social, shopping, games, work and entertainment enriching our lives, but also increasing the risk of privacy leakage. Is it reasonable for a mobile application to use and collect certain privacy information of users? For this problem, in recent years, many researchers have studied the security of user privacy rights of mobile applications. This paper first describes the privacy security mechanism and existing problems of Android mobile applications, and then summarizes and sorts out the solutions to the privacy security problems of Android mobile applications. Then introduces the main research methods and technical means of various solutions in detail. Finally, we prospect the future research direction of privacy security of Android mobile applications.

Key words: Android, application, privacy, security inspection, mobile

钟越付迪阳. Android应用程序隐私权限安全研究[J]. 信息安全研究, 2021, 7(3): 287-292.

参考文献

[1] 荣艳冬. Android软件权限系统的设计与实现[J]. 软件, 2014(2):50-51 [2] Felt A, Ha E, Egelman S, et al. Android permissions: user attention, comprehension, and behavior[C]// Proc of the 8th Symp on Usable Privacy and Security. New York:ACM,2012：1-14 [3] 朱佳伟, 喻梁文, 关志,等. Android权限机制安全研究综述[J]. 计算机应用研究，2015(10) : 2881-2885 [4] Kelley P, Cranor L, Sadeh N. Privacy as part of the app decision making process[C]// Proc of the SIGCHI Conf on Human factors in Computing Systems. New York:ACM,2013:3393-3402 [5] Liu Bin, Andersen, Mads Schaarup, et al. Follow my recommendations: A personalized privacy assistant for mobile app permissions[C]//Proc of the 12th Symp on Usable Privacy and Security. Berkeley, CA: USENIX Association,2016:27-42 [6] Lin J, Liu B, Sadeh N, et al. Modeling users' mobile app privacy preferences: Restoring usability in a sea of permission settings[C]//Proc of the 10th USENIX Conf on Usable Privacy & Security. Berkeley, CA: USENIX Association,2014:199–212 [7] Nauman M, Khan S, Zhang X. Apex: Extending android permission model and enforcement with user-defined runtime constraint [C]//Proc of the 5th ACM Symp on Information, Computer and Communications Security. New York:ACM,2010:328-332 [8] Bugiel S, Heuser S, Sadeghi A. Flexible and fine-grained mandatory access control on Android for diverse security and privacy policies[C]//Proc of USENIX Security Symp. Berkeley, CA:USENIX Association,2013:131–146 [9] 雷磊, 胡勇. Android应用权限检测技术研究[J].信息安全研究, 2017, 3(2):139-144 [10] Felt A, Egelman S, Finifter M, et al. How to ask for permission[C]// Proc of the 7th USENIX conf on Hot Topics in Security. Berkeley, CA: USENIX Association,2012:7 [11] Kathy, Zhou Y, Huang Z, et al. PScout:analyzing the Android permission specification[C] //Proc of the 2012 ACM Conf on Computer and Communications Security (CCS '12). New York:ACM,2012:217–228 [12] Felt A, Chin E, Hanna S, et al. Android permissions demystified[C]//Proc of the 18th ACM Conf on Computer and Communications Security. New York:ACM,2011:627–638 [13] Pandita R, Xiao X, Yang W, et al. Whyper: Towards automating risk assessment of mobile applications[C]//Proc of USENIX Security. New York:ACM,2013:527–542 [14] Qu Z, Rastogi V, Zhang X, et al. Autocog:Measuring the description-to-permission fidelity in android applications[C]//Proc of the 2014 ACM SIGSAC Conf on Computer and Communications Security. New York:ACM,2014:1354–1365 [15] Blei, David M, Andrew Y, et al. Latent dirichlet allocation[J].Journal of Machine Learning Research,2003, 3(5):993-1022 [16] Gorla A, Tavecchia I, Gross F, et al. Checking app behavior against app descriptions[C] //Proc of the 36th Int Conf on Software Engineering. New York:ACM,2014:1025–1035 [17] Han J, Feng Z, Chen S, et al. A framework for permission recommendation and risk evaluation based on skewness-based filtering[C]//Proc of IEEE Int Conf on Services Computing. Piscataway,NJ:IEEE,2016: 774-777 [18] Xiao J, Chen S, He Q, et al. An Android application risk evaluation framework based on minimum permission set identification[J].Journal of Systems and Software,2020:163 [19] Lou S, Cheng S, Huang J, et al. TFDroid: Android malware detection by topics and sensitive data flows using machine learning techniques[C]//Proc of the 2nd IEEE Int Conf on Information and Computer Technologies (ICICT). Piscataway,NJ:IEEE,2019:30-36 [20] Chess B, Mcgraw G. Static analysis for security[J].IEEE Security and Privacy Magazine, 2004,2(6):76-79 [21] Arzt S, Rasthofer S, Fritz C, et al. FlowDroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps[J].ACM SIGPLAN Notices, 2014,49(6):259-269 [22] Avdiienko, Vitalii, Kuznetsov K, et al. Mining apps for abnormal usage of sensitive data[C]//Proc of the 37th IEEE/ACM Int Conf on Software Engineering. Piscataway, NJ:IEEE,2015: 426-436 [23] Gordon, Kim D, Perkins J, et al. Information flow analysis of android applications in DroidSafe[C]//Proc of Network & Distributed System Security Symp.2015 [24]何平, 胡勇. 一种基于本地代码特征的Android恶意代码检测方法[J].信息安全研究, 2018, 4(6):511-517 [25] Huang J, Zhang X, Tan L, et al. AsDroid: detecting stealthy behaviors in Android applications by user interface and program behavior contradiction[C]// Proc of the 36th Int Conf on Software Engineering (ICSE 2014). New York:ACM,2014:1036–1046 [26] Yang W, Xiao X, Andow B, et al. AppContext: Differentiating malicious and benign mobile app behaviors using context[C]//Proc of IEEE/ACM Int Conf on Software Engineering. Piscataway,NJ:IEEE, 2015:303–313 [27] Fu J, Li P, Lin Y, et al. Android app malicious behavior detection based on user intention[C]// Proc of IEEE Trustcom/BigDataSE/ISPA. Piscataway,NJ:IEEE,2016:560-567 [28] Avdiienko V, Kuznetsov K, Rommelfanger I, et al. Detecting behavior anomalies in graphical user interfaces[C]//Proc of the 39th IEEE/ACM Int Conf on Software Engineering Companion(ICSE-C). Piscataway,NJ:IEEE,2017:201-203 [29] Pan X, Cao Y, Du X, et al. FlowCog: Context-aware semantics extraction and analysis of information flow leaks in android apps[C]//Proc of the 27th USENIX Conf on Security Symp (SEC’18). Berkeley,CA:USENIX Association,2018:1669–1685 [30] Fu H, Zheng Z, Zhu S, et al. Keeping context in mind: Automating mobile app access control with user interface inspection[C]// Proc of IEEE Conf on Computer Communications. Piscataway,NJ: IEEE,2019:2089-2097 [31] Bartel A, Klein J, Le Y, et al. Automatically securing permission-based software by reducing the attack surface: An application to android[C]// Proc of the 27th IEEE/ACM Int Conf on Automated Software Engineering. New York:ACM,2012:274–277 [32] Karim M, Kagdi H, Penta M. Mining android apps to recommend permissions[C]//Proc of the 23rd IEEE Int Conf on Software Analysis, Evolution, and Reengineering (SANER). Piscataway, NJ:IEEE,2016:427–437 [33] Bao L, Lo D, Xia X, et al. What permissions should this android app request?[C]//Proc of Int Conf on Software Analysis, Testing and Evolution. Piscataway,NJ:IEEE,2016:36-41 [34] Liu Z, Xia X, Lo David, et al. Automatic, highly accurate app permission recommendation[J].Automated Software Enginerring, 2019,26(2):241–274 [35] Slavin R, Wang X, Bokaei M, et al. PVDetector: A detector of privacy-policy violations for Android apps[C]//Proc of the Int Conf on Mobile Software Engineering and Systems. New York:ACM,2016:299–300 [36] Yu L, Luo X, Chen J, et al. PPChecker: Towards accessing the trustworthiness of android apps' privacy policies[J].IEEE Trans on Software Engineering,2018:1-1 [37] Wilson S, Schaub F, Liu F, et al. Analyzing privacy policies at scale: From crowdsourcing to automated annotations[J].ACM Trans on the Web,2018,13(1):1-29 [38] Yu L, Luo X, Qian C, et al. Enhancing the description-to-behavior fidelity in android apps with privacy policy[J].IEEE Trans on Software Engineering,2017(99):1-1