2019 IEEE 25th International Conference on Parallel and Distributed Systems (ICPADS)

Capability Leakage Detection Between Android Applications Based on Dynamic Feedback

Mingsong Zhou (mingsong@mail.ustc.edu.cn), Fanping Zeng (billzeng@ustc.edu.cn), Zhao Chen (chen95@mail.ustc.edu.cn)
School of Computer Science and Technology, University of Science and Technology of China, Hefei, Anhui, China

978-1-7281-2583-1/19/$31.00 ©2019 IEEE. DOI 10.1109/ICPADS.2019.00143

Abstract: The capability leakage of Android applications is one kind of serious vulnerability. It allows other applications to leverage the leaking application's functions to achieve their illegal goals. In this paper, we propose a tool which can automatically detect and confirm capability leakages of Android applications with dynamic-feedback testing. The tool utilizes context-sensitive, flow-sensitive inter-procedural data flow analysis to find key variables and instrumentation points, then it tests the application continuously with test cases generated from the test log. We have made experiments on the 607 most popular applications of Wandoujia in 2017, and found a total of 6,070 capability leakages of 16 kinds. Compared with the famous IntentFuzzer, our tool is 19.38% better on the average ability to detect permission capability leakage.

Keywords: Android, capability leakage, inter-procedural data flow analysis, dynamic-feedback testing

I. INTRODUCTION

Capability leakage is also known as redistribution of authority [1]. It occurs when privileged applications are exploited by non-privileged malicious applications, which enables malicious applications to perform privileged actions. Communication between Android components is widely used, and many Android application developers share the functions of their applications by exposing components (components that can be invoked by external APPs). However, many Android developers do not fully understand the rules of communication between Android components, and so unintentionally expose components that should not be exposed, or forget to check the permissions of calls between components [2], thus resulting in the leakage of application capabilities.

There is a lot of research work on vulnerabilities between Android components, mainly divided into static analysis and dynamic testing. The main drawback of static analysis work (ComDroid [3], PCLeak [4], Yi He [5], AutoPatchDroid [6], Mr-droid [7]) is that it is impossible to determine whether the vulnerabilities exist. Developers need to confirm the vulnerabilities manually, which greatly increases the development cycle of the APP. The existing dynamic testing methods such as Intent Fuzzer [8] and AWiDe [9] also have some shortcomings, which lead to a high rate of missed reports. Intent Fuzzer will be described in detail later, and is selected for comparison with our method in this paper. AWiDe works for similar purposes as our paper, but it only considers capability leakages related to input data from external components. When constructing test cases, it only uses the intent-filter information of exposed components in the Android Manifest file, but does not use the information in code. For example, intent extra attribute information will not appear in intent-filter, so there are shortcomings. In this paper, a test case generation method based on a dynamic feedback mechanism is proposed, which combines static analysis and dynamic testing technology. Compared with the existing capability leakage dynamic testing work, it has a lower false positive rate.

We define the capability leakage vulnerability between Android applications as follows.

Assume that there is an Android application A. The set of privileges it owns is PSet, and the set of mapping relations between privileges and the statements they protect (briefly described as tgtAPI later) is PUMap (permission → unitSet). The set of exposed components owned by A is ECSet, and the set of root methods owned by exposed components (the first method to be executed: root-method) is ECMethodMap (export-component → methodSet). The set of executable paths from the root method to the unit protected by permission is RMUPathMap (root-method, unit → pathSet).

$$\text{if } PUMap \neq \emptyset,\ ECMethodMap \neq \emptyset,\ \exists\, intent \neq null,\ \text{s.t. } RMUPathMap \neq \emptyset$$

Note: the intent object is the only input for inter-component communication. It mainly contains five attributes: Component, Action, Data, Category and Extras, which represent the name of the component to be started (String), the type of operation to be executed (String), the type of data to be executed (Uri), a collection of component types that can handle this intent object (Set<String>), and an additional key-value pair information set (Set<key → type, value>). This paper calls intent objects from other APP components external intent.

The formula states that when the PUMap and ECMethodMap of application A are not empty, and there exists a non-empty intent such that RMUPathMap of application A is not empty, then application A has a capability leakage vulnerability. The capability leakage corresponds to the authority of the unit in RMUPathMap.

There are many APIs without parameters in Android applications, and many APIs can cause great harm even though their data inflow cannot be controlled. Therefore, this paper considers all tgtAPIs in the APP, even if external intent data does not flow into them. It should be noted that there are many normal interactions between applications that require user operation. We shouldn't regard these leaking paths with UI interaction as illegal, because they are user-aware. For example, when sharing the content of a news APP to a friend by short message, the sharing operation requires the user to click to confirm the sending of the short message, so we shouldn't think that there is a leakage of the ability to send short
messages, because it is ultimately up to the user to decide whether to send or not. However, it is illegal to disclose the ability of sending short messages without a UI method, which is seriously harmful. So this paper considers that a UI method will not cause a capability leakage.

II. SYSTEM OVERVIEW

As shown in Figure 1, the tool includes two parts: static analysis and dynamic testing.

(1) Static analysis of the detected APP is carried out to find the control statements related to the intent data flow in and out of the detected APP, to find the set of variables (briefly described as key variables) used in the control statements, to generate Log instrumented statements that print key variables, and to insert the Log instrumented statements before the control statement blocks. At the same time, this paper finds statements protected by Android privileges, inserts a Log statement before each of them to record the statement information protected by Android privileges, and then repackages and signs the APP to get the instrumented APP (Figure 1, instrumented APP).

(2) The testing APP (Figure 1, testing APP, without any privileges) dynamically tests the instrumented APP by sending intent objects. According to the values of key variables in the Log, new intent test cases are generated, which can trigger more code and improve the code coverage. If the statement information protected by Android privileges appears in the Log, it indicates that the privilege capability is leaked. Next, we will elaborate on the two parts.

[Figure 1: Flow chart. Static Analysis (instrumentation of the application to be tested, producing the instrumented application) and Dynamic Testing (testing APP, test case file, test log, test log analysis and automatic test case generation, test report).]

A. Static Analysis

Our tool builds the method call graph and the control flow graph of each method based on Soot [10]. Soot is a Java bytecode [11] analysis and optimization framework, which supports the conversion of Java bytecode into multiple intermediate languages. This paper uses the Soot framework to transform the application to be detected into Jimple [12] intermediate code, a three-address code, for analysis.

There are many implicit calls in Android applications, as shown in Figure 2. startActivity(intent) is a calling method between Android components. Its function is to start activityA. First, startActivity(intent) calls the Android system API, and finally the Android system API calls the activityA.onCreate() method. But we can't get the call relationship between startActivity(intent) and activityA.onCreate when we statically analyze the Android APP and build the method call graph by Soot alone. Therefore, in the process of constructing the method call graph, this paper identifies hidden callback methods in the Android APK and adds them to the method call graph until the method call graph no longer changes (that is, all callbacks in the current method call graph have been added to the method call graph). The proposed method is similar to FlowDroid [13] and IccTA [14]. Let n be the number of nodes in the complete method call graph and k be the number of methods with callbacks. The algorithm complexity of constructing a complete call graph is O(k*n).

[Figure 2: Example of implicit invocation for Android application (Android APP, Android System).]

This paper uses the API signature and privilege mapping file APIPermissionMap [16] provided by the Android malware analysis tool androguard [15] to identify privileged statements in Android applications, and saves these statements in tgtAPISet.

```
Algorithm 1: Inter-procedural Data Flow Analysis Algorithm: Arrival Definition
Input: method, inData
Output: flowInUnitDataMap (unit → flowInDataSet), returnData
 1 Function inter-procedure-data-flow:
 2   cfgNodes ← method.cfgNodes();
 3   for n in cfgNodes do
 4     OUT[n] = ∅;
 5   end
 6   f ← cfgNodes.getFirstNode();
 7   IN[f] ← IN[f] ∪ inData;
 8   changed ← cfgNodes;
 9   while changed ≠ ∅ do
10     choose a node n in changed;
11     changed = changed − n;
12     for all nodes p in predecessors(n) do
13       IN[n] ← IN[n] ∪ OUT[p];
14     end
15     oldOUT ← OUT[n];
16     OUT[n] ← transfer_function(IN, n, flowInUnitDataMap);
17     if oldOUT ≠ OUT[n] then
18       for all nodes s in successors(n) do
19         changed ← changed ∪ s;
20       end
21     end
22   end
23   l ← cfgNodes.getReturnNode();
24   if l.returnLocal in IN[l] then
25     returnData ← l.returnLocal.data;
26   end
27 End Function
```
Starting from the starting point of external intent data flow (the method of obtaining external intent objects, such as the activity.getIntent() method), this paper uses context-sensitive and flow-sensitive inter-procedural data flow analysis to find all statements related to external intent. The implementation of the inter-procedural data flow analysis is mainly composed of algorithm 1 and algorithm 2, which mainly use arrival definition (reaching-definition) data flow analysis and the DFS algorithm.

```
Algorithm 2: Inter-procedural Data Flow Analysis: Transfer Function
Input: IN, n, flowInUnitDataMap
Output: OUT[n]
 1 Function transfer_function:
 2   KILL[n] ← ∅;
 3   GEN[n] ← ∅;
 4   useLocals ← n.getUsedLocals();
 5   defLocal ← n.getDefLocal();
 6   if useLocals ∩ IN[n] ≠ ∅ then
 7     GEN[n] = GEN[n] ∪ defLocal;
 8     flowInUnitDataMap.put(n.unit, intentData);
 9   else
10     KILL[n] = KILL[n] ∪ defLocal;
11   end
12   if defLocal ≠ null then
13     if (m = getMethodCall(n)) ≠ null then
14       if Pair(m, arg) not in hasProcessedMethodSummarySet then
15         returnData ← inter-procedure-data-flow(m, arg.data).returnData;
16         if returnData ≠ null then
17           GEN[n] ← GEN[n] ∪ defLocal;
18         end
19         hasProcessedMethodSummarySet.add(Pair(m, arg));
20       end
21     end
22   else
23     if (m = getMethodCall(n)) ≠ null then
24       if m not in hasProcessedMethodSummarySet then
25         returnData ← inter-procedure-data-flow(m, arg.data).returnData;
26         hasProcessedMethodSummarySet.add(Pair(m, arg));
27       end
28     end
29   end
30   OUT[n] = GEN[n] ∪ (IN[n] − KILL[n]);
31 End Function
```

Each method corresponds to a control flow graph (CFG), and each statement in a method corresponds to a node in the CFG. Each node n has a set IN and a set OUT, which represent the set of variables related to intent data before node n executes and the set of variables related to intent data after node n executes. After each node is executed, the set of variables associated with intent data changes, which can be calculated by the following formula:

$$OUT[n] = GEN[n] \cup (IN[n] - KILL[n])$$

Here GEN[n] is the set of variables associated with intent data added after the node is executed, and KILL[n] is the set of variables that are reassigned after executing this node and are not related to intent data. The formula is implemented by the transfer_function function (line 16 of algorithm 1; details of the implementation are shown in algorithm 2). IN[n] of each node is the union of the OUT sets of all its predecessor nodes (lines 12 to 14 of algorithm 1). The execution of each statement is simulated (that is, the transfer_function function is applied) until OUT[n] no longer changes for any node, and eventually all statements associated with external intent data are obtained.

The transfer function mainly analyzes whether intent data related variables are used in node n. If intent data related variables are used, the assigned variables in the node are considered intent-related (lines 6 to 7 of algorithm 2). If the node contains a method call, it enters the method and calls algorithm 1 again for analysis (line 15 and line 25 of algorithm 2). For a method that has different data flows in different call contexts, a copy of the original function is created at the call point to consider the different types of data flow input. Because only intent-related data flows are considered in this paper, the input types of the method parameters need to be determined, and the input types of intent data flows are finite (Intent, Action, Data, Category, Extras), so the number of copies created for a method is limited. Therefore, the clone-based context-sensitive inter-procedural data flow analysis can ensure the accuracy of data flow analysis without causing significant performance overhead.

If the return value of this method is related to intent data, defLocal is added to GEN[n] (line 17 of algorithm 2). Each node, together with the intent data flowing into it, is put in flowInUnitDataMap (line 8 of algorithm 2). Intent data records its data type, including intent objects, intent action attributes, intent category attributes, intent extras attributes and so on. flowInUnitDataMap is then queried to find all "if" control statements and the intent data that flows into them, and they are stored in ifControlDataMap (ifUnit → intentData).

Through the above, the set of statements protected by privileges, tgtAPISet, and the set of control statements related to intent data, ifControlDataMap, can be obtained. By iterating over tgtAPISet, Log statements are generated which print the permission corresponding to each tgtAPI, the tgtAPI itself, and the information of the APP where they are located, and these Log statements are instrumented before the tgtAPI. By iterating over ifControlDataMap, Log statements are inserted before each "if" to print the key variables and the attributes of the intentData which flows into the "if". If the data attribute is Extra, a Log statement that prints the key variable is inserted before the intentData source statement get*Extra(key). After the instrumentation is completed, the APP is repackaged and signed, and the instrumented APP is obtained. Therefore, when the instrumented APP runs, we can get the running logs related to intentData.

It should be noted that reinforcement technology [17] and anti-repackaging technology are becoming more and more popular, with the result that static analysis cannot get the real application code and the repackaged application cannot run properly. However, the tool in this paper is for developers, who can use it before the application is released (before applying reinforcement and anti-repackaging technology). Therefore, our tool is still valid.
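The worklist iteration of Algorithm 1 and the GEN/KILL transfer function of Algorithm 2, as an added example that is not the authors' tool: it is intra-procedural only, and the `Node` class, the attribute labels and the ten-statement CFG are constructed for illustration. It computes OUT[n] = GEN[n] ∪ (IN[n] − KILL[n]) to a fixed point and returns the equivalent of ifControlDataMap, the `if` statements reached by intent data and the intent attribute that reaches them.

```python
from dataclasses import dataclass

@dataclass
class Node:
    text: str            # statement text, for display only
    defs: tuple = ()     # local assigned by the statement (defLocal)
    uses: tuple = ()     # locals read by the statement (useLocals)
    succs: tuple = ()    # successor node ids in the CFG
    label: str = ""      # intent attribute introduced here, e.g. "Extra:fromPush"
    source: bool = False # statement that obtains the external intent
    is_if: bool = False  # control statement

def transfer(node, in_set, flow_in, nid):
    """OUT[n] = GEN[n] | (IN[n] - KILL[n]); facts are (local, attribute) pairs."""
    hit = {(v, lab) for (v, lab) in in_set if v in node.uses}
    gen, kill_locals = set(), set()
    if node.source:
        gen = {(d, node.label) for d in node.defs}
    elif hit:
        # Intent-related data is used: the assigned local becomes intent-related.
        labels = {node.label} if node.label else {lab for _, lab in hit}
        gen = {(d, lab) for d in node.defs for lab in labels}
        flow_in[nid] = sorted(labels)          # flowInUnitDataMap.put(n.unit, intentData)
    else:
        kill_locals = set(node.defs)           # reassigned from data unrelated to the intent
    return gen | {(v, lab) for (v, lab) in in_set if v not in kill_locals}

def analyze(cfg, in_data=()):
    """Iterate until no OUT set changes; return (OUT, ifControlDataMap)."""
    preds = {n: [] for n in cfg}
    for n, node in cfg.items():
        for s in node.succs:
            preds[s].append(n)
    IN = {n: set() for n in cfg}
    OUT = {n: set() for n in cfg}
    IN[min(cfg)] |= set(in_data)
    flow_in, changed = {}, sorted(cfg)
    while changed:
        n = changed.pop(0)
        for p in preds[n]:
            IN[n] |= OUT[p]
        old = OUT[n]
        OUT[n] = transfer(cfg[n], IN[n], flow_in, n)
        if old != OUT[n]:
            changed.extend(s for s in cfg[n].succs if s not in changed)
    if_control = {n: labels for n, labels in flow_in.items() if cfg[n].is_if}
    return OUT, if_control

# Constructed CFG of a hypothetical exported component's root method.
CFG = {
    0: Node("intent = getIntent()", ("intent",), (), (1,), "Intent", source=True),
    1: Node('push = intent.getIntExtra("fromPush", 0)', ("push",), ("intent",), (2,),
            "Extra:fromPush"),
    2: Node("mode = 3", ("mode",), (), (3,)),
    3: Node("if push == 1", (), ("push",), (4, 5), is_if=True),
    4: Node("act = intent.getAction()", ("act",), ("intent",), (6,), "Action"),
    5: Node('act = "none"', ("act",), (), (6,)),
    6: Node('if act.equals("x")', (), ("act",), (7, 8), is_if=True),
    7: Node("push = 0", ("push",), (), (8,)),
    8: Node("if mode > 2", (), ("mode",), (9,), is_if=True),
    9: Node("return"),
}

if __name__ == "__main__":
    out, if_control = analyze(CFG)
    for nid, labels in if_control.items():
        print(f"instrument before node {nid}: {CFG[nid].text!r} <- {labels}")
```

Node 8 is not reported because `mode` never receives intent data, so no Log statement would be placed before it; node 7 kills `push` on one path, but the merge at node 8 restores it from the other.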
B. Dynamic Analysis

Algorithm 3 is the test case generation algorithm.

```
Algorithm 3: Test Case Generation Method Based on Dynamic Feedback
Input: detected-app
Output: capabilityLeakSet
 1 Function Main:
 2   ECSet ← getEC(detected-app.AndroidManifestXml);
 3   capabilityLeakSet ← ∅;
 4   for exported-component in ECSet do
 5     actionSet, dataSet, categorySet, extraSet ← ∅;
 6     while true do
 7       if isFirstTest then
 8         initial-intent = newIntent(exported-component);
 9         logFile ← testApp(detected-app, initial-intent);
10       else
11         selectCategorySet.add(categorySet);
12         selectExtraSet ← combineWithDiffKeyAndType(extraSet);
13         for a in actionSet do
14           for d in dataSet do
15             for c in selectCategorySet do
16               for e in selectExtraSet do
17                 intent = newIntent(a, d, c, e, exported-component);
18                 if hasNotTested(intent) then
19                   logFile ← testApp(detected-app, intent);
20                 end
21               end
22             end
23           end
24         end
25       end
26       oneTestCLSet, intent-test-info = analyseLog(logFile);
27       capabilityLeakSet ← capabilityLeakSet ∪ oneTestCLSet;
28       if intent-test-info ≠ ∅ then
29         actionSet, dataSet, categorySet, extraSet
30           .addAll(intent-test-info, mutation(intent-test-info));
31       else
32         break;
33       end
34     end
35   end
36 End Function
```

We initially test the APP with intent objects without any data (lines 7 to 9 of algorithm 3), and then analyze the generated test log. If intent-test-info is empty, that is to say, the actionSet, categorySet, dataSet and extraSet of intent-test-info are empty, the test is stopped and testing continues with the next exposed component. Otherwise, the new information is added to the intent attribute sets (line 29 of algorithm 3). At the same time, each new extra attribute is mutated to generate extra attributes that may satisfy the control statement (line 30 of algorithm 3).

For example, the newly obtained extra attribute information is as follows.

key: "fromPush", type: int, value: 0.

Because we don't know the judgment condition of the control statement, two other extra attributes which may satisfy the condition of the control statement are generated.

1) key: "fromPush", type: int, value: 1

2) key: "fromPush", type: int, value: -1

Then the test cases are regrouped (lines 11 to 24 of algorithm 3). The Category attribute in the intent object is Set<String>. In this paper, all possible category values are taken as the Category attribute of the intent object (line 11 of algorithm 3). The intent extra attribute is Set<key → type, value>. This paper divides the set extraSet of all possible extra values into different sets according to key and type, and combines one value from each of these sets into an intent extra attribute at a time (line 12 of algorithm 3). From line 13 to line 24, algorithm 3 generates test cases to test the APP, and records the test cases that have been tested to ensure that test cases are not repeated. Algorithm 3 continuously generates new test cases based on the intent-test-info of the test log until intent-test-info is empty.

III. EXPERIMENTAL ANALYSIS AND EVALUATION

We selected the most popular applications of Wandoujia in 2017. There are 810 selected applications, covering 18 categories with the 45 most popular applications in each category. We removed the applications that use reinforcement and those for which Soot analysis failed [18], and finally 607 applications were selected.

This paper chooses IntentFuzzer as the baseline for the dynamic test of capability leakage. Because the author could not be contacted, IntentFuzzer is implemented according to its paper. The four attributes of an IntentFuzzer intent test case are constructed as follows.

(1) IntentFuzzer's intent action construction includes three aspects: the first is the action values in the intent-filter of exposed components, the second is strings prefixed by the application package name found among all strings of the APP, and the third is the standard actions defined by the Android system. IntentFuzzer uses the above action set as the candidate set of action attributes for test cases.

(2) IntentFuzzer predefines some URIs of common data types. When testing an APP, if a predefined URI matches the intent-filter of an exposed component, the URI is used to construct the data attribute of intent test cases.

(3) IntentFuzzer obtains the key and type of extra attributes in dynamic testing by modifying the source code of the Android system, and generates the value randomly. In this way, the extra attribute of the intent test case is constructed.

(4) IntentFuzzer does not consider the category attribute, and the Category attribute of its intent test cases is always empty.
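The feedback loop of Algorithm 3 described in section B above (an empty first intent, mutation of a newly logged extra, grouping extras by key and type and combining one value per group, and skipping already-tested intents), as an added example that is not the authors' tool. It covers only the Action and Extras attributes; `component` is a constructed stand-in for an instrumented exported component, and the log tuple format, the action string `com.example.OPEN` and the stop condition "no new attribute value learned" are assumptions.

```python
from itertools import product

def component(intent):
    """Constructed stand-in for an instrumented exported component; returns its Log lines."""
    log = [("ACTION", "com.example.OPEN")]            # key variable printed before the `if`
    if intent["action"] != "com.example.OPEN":
        return log
    push = intent["extras"].get(("fromPush", "int"), 0)
    log.append(("EXTRA", "fromPush", "int", push))    # printed before get*Extra(key)
    if push == 1:
        log.append(("LEAK", "DISABLE_KEYGUARD"))      # printed before the protected statement
    return log

def analyse_log(log):
    """Split a test log into leaked permissions and new intent-test-info."""
    leaks = {e[1] for e in log if e[0] == "LEAK"}
    actions = {e[1] for e in log if e[0] == "ACTION"}
    extras = {e[1:] for e in log if e[0] == "EXTRA"}
    return leaks, actions, extras

def mutate(extra):
    """For a logged int extra, also try the neighbouring values (0 -> 1 and -1)."""
    key, typ, value = extra
    return {(key, typ, value + 1), (key, typ, value - 1)} if typ == "int" else set()

def combine_with_diff_key_and_type(extra_set):
    """Group extras by (key, type) and pick one value from each group per combination."""
    groups = {}
    for key, typ, value in sorted(extra_set):
        groups.setdefault((key, typ), []).append(value)
    keys = sorted(groups)
    return [dict(zip(keys, values)) for values in product(*(groups[k] for k in keys))]

def generate_and_test(target):
    action_set, extra_set = set(), set()
    tested, leaks = [], set()
    queue = [{"action": None, "extras": {}}]          # first test: intent without any data
    while queue:
        learned_actions, learned_extras = set(), set()
        for intent in queue:
            tested.append(intent)
            found, actions, extras = analyse_log(target(intent))
            leaks |= found
            learned_actions |= actions
            learned_extras |= extras
        # Mutate only extras whose (key, type) is seen for the first time; values
        # echoed back from our own test cases must not be mutated again.
        known = {(k, t) for k, t, _ in extra_set}
        for extra in [e for e in learned_extras if e[:2] not in known]:
            learned_extras |= mutate(extra)
        if learned_actions <= action_set and learned_extras <= extra_set:
            break                                     # the log taught us nothing new
        action_set |= learned_actions
        extra_set |= learned_extras
        candidates = ({"action": a, "extras": e}
                      for a in sorted(action_set)
                      for e in combine_with_diff_key_and_type(extra_set))
        queue = [i for i in candidates if i not in tested]   # hasNotTested(intent)
    return leaks, tested

if __name__ == "__main__":
    leaks, tested = generate_and_test(component)
    print("leaked permissions:", sorted(leaks))
    print("test cases sent:", len(tested))
```

The data-free first intent and an intent built from the manifest action alone both stop before the protected statement; the leak is confirmed only after the logged `fromPush` extra has been mutated to 1.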
A. Experimental Results

As shown in Table I, a total of 6,070 capability leakages of 16 kinds were found. The first column of Table I is the type of capability leakage, the second column is the number of APPs with this type of capability leakage, and the third column is the number of capability leakage points (locations of capability leakage, i.e. tgtAPI locations) in all APPs. There are serious capability leakages, such as the DISABLE_KEYGUARD privilege leakage, which is the main privilege to achieve the lock screen function, and the KILL_BACKGROUND_PROCESSES privilege leakage, which is the privilege to kill background processes. There are also less harmful capability leakages, such as the BROADCAST_STICKY capability leakage, which will lead to application broadcasting not working properly, the ACCESS_FINE_LOCATION capability leakage, which may lead to application power consumption problems, and the BLUETOOTH capability leakage, which allows mobile Bluetooth to be turned on and off arbitrarily.

Table I Experimental results

| Permission | AppUseCount | AllCount |
|---|---|---|
| DISABLE_KEYGUARD | 6 | |
| CHANGE_WIFI_MULTICAST_STATE | | |
| RECEIVE_BOOT_COMPLETED | 1 | |
| SET_WALLPAPER_HINTS | 3 | 3 |
| BROADCAST_STICKY | 169 | 261 |
| ACCESS_FINE_LOCATION | 140 | 454 |
| KILL_BACKGROUND_PROCESSES | 4 | |
| ACCESS_COARSE_LOCATION | 126 | 303 |
| CHANGE_WIFI_STATE | 3 | 4 |
| GET_TASKS | 261 | 626 |
| ACCESS_NETWORK_STATE | 405 | 3201 |
| WAKE_LOCK | 99 | 187 |
| ACCESS_WIFI_STATE | 294 | 928 |
| MODIFY_AUDIO_SETTINGS | 4 | 4 |
| BLUETOOTH | 7 | 10 |
| READ_PHONE_STATE | 48 | 23 |

The following formulas are used as indicators of the false negative rate when evaluating tools. Let the test APP set be AppSet and its size be n. For APP $A_i$, we assume that its capability leakage set is $CLSet_i$ and its size is $s_i$. We utilize tool t to test APP $A_i$. The set of capability leakage points detected for permission P is $PS^{t}$. For the capability leakage P of APP $A_i$, the detection advantage ratio of tool t1 to tool t2 is:

$$G_{t_1 t_2}(A_i, P) = \frac{|PS^{t_1} - PS^{t_2}|}{|PS^{t_1}| + |PS^{t_2}| - |PS^{t_1} \cap PS^{t_2}|}$$

It is the proportion of G to H, where G is the difference between the P permission leakage results detected by tool t1 and tool t2, and H is the total of the P permission leakage results of the two tools on APP A. Therefore, the average detection advantage ratio of tool t1 to tool t2 is:

G6=”%cAP

The results of the 607 APPs detected by this tool and IntentFuzzer are calculated according to the above formulas to get Table II.

Table II Comparing with IntentFuzzer results

| $\min G_{t_1 t_2}(A, P)$ | $\max G_{t_1 t_2}(A, P)$ | $G_{t_1 t_2}$ |
|---|---|---|
| 0% | 100% | 19.38% |

Here t1 is the tool of this paper and t2 is IntentFuzzer. According to Table II, the average test results of this tool are 19.38% better than those of IntentFuzzer. For a single APP, the advantage in detecting permission capability leakage is up to 100%. That is to say, the tool detects that the permission has a capability leakage while IntentFuzzer does not detect it, or the results of IntentFuzzer are included in the results of this tool. In the worst case, this tool gives the same result as IntentFuzzer. Therefore, it can be seen that the Android inter-application capability leakage detection tool proposed in this paper is completely superior to IntentFuzzer.

B. Time Efficiency

Table III shows the time consumption of data flow analysis, instrumentation and dynamic testing during the analysis of the 607 APPs.

Table III Running time

| | Min | Max | Average |
|---|---|---|---|
| data flow analysis | 0.06s | 161.70s (2.70min) | 25.40s |
| instrumentation | 0.15s | 92.32s (1.54min) | 20.21s |
| dynamic testing | 7.46s | 2567.09s (42.78min) | 507.94s (8.47min) |

The shortest time of data flow analysis is 0.06s, the longest time is 2.70 min, and the average time of data flow analysis is 25.40 s per APP. The shortest time of instrumentation is 0.15s, the longest time is 1.54min, and the average time of instrumentation is 20.21s. The shortest dynamic testing time was 7.46 seconds, the longest time was 42.78 minutes, and the average dynamic testing time per APP was 8.47 minutes. Therefore, the average detection time per APP is about 9 minutes, which meets the actual time efficiency requirements. For some individual APPs the dynamic testing time is very large, reaching 42.78 minutes, but this time is still acceptable. Different exposed components of an APP deal with external intent differently, which leads to different information being obtained by dynamic testing of each APP. Therefore, the number of test cases generated by dynamic testing is different, and the number of exposed components of different APPs is different, so the time of dynamic testing of different APPs may vary greatly.

C. Examples of Exploiting Capability Leakage Vulnerabilities

Application A is a very popular lock screen application, which has been downloaded more than 10 million times. The tool in this paper detects that it has a DISABLE_KEYGUARD capability leakage, so we guess that it has illegal access vulnerabilities. We use the test cases generated by this tool to trigger the DISABLE_KEYGUARD privilege leak and find that keyboard locks can be crossed without passwords. The attack demo video can be found on Youku [19].