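Author (Chinese): 劉子淵
Author (English): Liu, Zi-Yuan
Thesis title (Chinese): 一個在安卓平台上利用傳送intent測試應用程式的動態系統
Thesis title (English): A Dynamic System Sending Intent to Test Applications on Android
Advisor (Chinese): 孫宏民
Advisor (English): Sun, Hung-Min
Oral defense committee (Chinese): 曾文貴; 顏嵩銘
Oral defense committee (English): Tzeng, Wen-Guey; Yang, Sung-Ming
Degree: Master's
Institution: National Tsing Hua University
Department: Department of Computer Science
Student ID: 104062628
Year of publication (ROC calendar): 106
Academic year of graduation: 105
Language: English
Number of pages: 37
Keywords (Chinese): 安卓安全 (Android security)
Keywords (English): Android security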
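Mobile devices such as smartphones and tablets have become increasingly widespread in recent years. As smartphones gain more functions than before, users tend to store most of their personal information on their phones. Compared with other operating systems such as iOS and Windows, Android remains the most widely used system. How to ensure the privacy and security of sensitive information is therefore all the more important. Although Android can protect our personal information through a permission mechanism based on user consent, many related security problems still exist. Users cannot detect when an application collects their personal information and then sends it over the network to a remote server.

In this thesis, we propose a system that can dynamically block the leakage of sensitive information. When an application tries to access personal information by calling an API, the user can decide whether that is legitimate behavior. If it is not, our system can return empty information or refuse the API call. In addition, HTTP has become one of the most common data transfer protocols. By intercepting HTTP requests and displaying their headers and bodies, users are informed of any data sent out from their devices. This plays an important role as a second check on leakage of users' sensitive information.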
Mobile devices, such as smartphones and tablets, have become more popular in recent years. As smartphones have more functions than before, users tend to store most of their personal information on them. Compared with other operating systems such as iOS and Windows, Android is still the most used one. Therefore, guaranteeing the privacy and security of sensitive information becomes more important. Although the Android system can protect our personal information through permissions granted by users, some security problems still exist. Users cannot detect when an Android app collects their personal information and distributes it to a remote server over the internet.

In this thesis, we propose a system for dynamically blocking leakage of sensitive information. When an Android app tries to obtain personal information using API (Application Programming Interface) calls, users can decide whether it is legitimate behavior. If not, our system will return empty information or deny the API call. Furthermore, HTTP has become one of the most common protocols used in data transmission. By blocking HTTP requests and showing the header and the entity, users will be informed of the distribution of any data from their devices over the internet. This part plays an important role as a double check on leakage of users' sensitive information.
Contents
Table of Contents
List of Figures
List of Tables
1 Introduction
  1.1 Motivation
  1.2 Contribution
  1.3 Organization
2 Background and Related Works
  2.1 Dalvik and ART (Android Runtime)
    2.1.1 Dalvik
    2.1.2 ART
  2.2 Android application package
  2.3 Intents
  2.4 Intent types
    2.4.1 Intent types
    2.4.2 Intent-Filter
  2.5 Android Basic Components
    2.5.1 Components
    2.5.2 Components Exported
  2.6 Related Work
    2.6.1 IntentFuzzer
3 System Design
  3.1 Goal
  3.2 Challenge
    3.2.1 Problem faced in this project
    3.2.2 Solution
  3.3 System Framework
  3.4 Tools
    3.4.1 Android Debug Bridge
    3.4.2 Logcat Command-line Tool
    3.4.3 Androguard
    3.4.4 dex2jar and jad
4 Implementation
  4.1 Requirement
  4.2 Device
    4.2.1 Root Implement
    4.2.2 Android Emulator
  4.3 Intent generation
    4.3.1 Implicit Intent
    4.3.2 Explicit Intent
    4.3.3 Find Extra
  4.4 Intent Fuzzing
  4.5 Put Extra
  4.6 Record Process
  4.7 Analysis Log
5 Evaluation
  5.1 Experiment Design
    5.1.1 Purposes
    5.1.2 Sample set and Experiment device
    5.1.3 Experiment process
  5.2 Example
  5.3 Comparison
  5.4 Result
6 Conclusion