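Author (Chinese): 林禹成
Author (English): Lin, Yu-Cheng
Thesis title (Chinese): Android應用程式安全漏洞檢測系統
Thesis title (English): A Security Vulnerability Analysis System for Android Application
Advisor (Chinese): 孫宏民
Advisor (English): Sun, Hung-Min
Oral defense committee (Chinese): 許富皓; 吳育松
Oral defense committee (English): Hsu, Fu-Hau; Wu, Yu-Sung
Degree: Master's
Institution: National Tsing Hua University
Department: Institute of Information Systems and Applications
Student ID: 101065501
Year of publication (ROC calendar): 103
Academic year of graduation: 102
Language: English
Number of pages: 58
Keywords (Chinese): Android application security; security vulnerability
Keywords (English): Android Security; Security; Vulnerability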
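Mobile device security has been a popular topic in recent years, especially now that everyone has at least one or two mobile phones and tablets at hand. However, while most mobile security researchers concentrate on malware analysis or virus detection, we concentrate on detecting application vulnerabilities. We hope to make Android developers aware that security vulnerabilities may occur in the programs they write, and that even every line of code they write may be the cause of a security problem. If these security problems are not resolved, any application on the mobile device can easily use the vulnerabilities to steal the user's private messages or files without the user's knowledge, take over accounts through stolen access tokens, and so on; some vulnerabilities can even be attacked without obtaining the user's device or installing a malicious program.

In this thesis we propose a system for large-scale, batch detection of security vulnerabilities in Android applications, which can effectively reduce the security risk of the applications that Android developers build. Our system has already helped the following companies find security vulnerabilities in the Android applications or Android SDKs they developed: Facebook, Microsoft, Yahoo!, Google, Evernote, LINE WhosCall, Alibaba, Badoo, Sina Weibo, Baidu, Tencent and others. We have reported these security problems to these companies and received their confirmation of the vulnerabilities and their acknowledgements; some of the companies also gave us cash rewards, for example Facebook. The discovery and confirmation of these vulnerabilities should suffice to show that our system can effectively and accurately help Android developers find vulnerabilities that had not been found by other security researchers and security problems that had not yet been noticed by these companies' developers.
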
Mobile security has been a hot topic in recent years, especially now that everyone has at least one or more smartphones. While most mobile security researchers focus on malware analysis and malware detection, we focus on finding security vulnerabilities in mobile applications. We want to make more Android developers aware of the potential security holes in their Android applications and of how each line of code they write may cause a serious security hole. If these security issues are not fixed, any app on the phone can easily exploit the user's phone, stealing the user's private files and messages without the user's knowledge, compromising the user's account with a stolen access token, and so on. Some exploits can even be carried out remotely without installing a malicious application on the user's phone.

In this thesis, we propose a massive vulnerability analysis system to help Android developers reduce the risk of their applications being exploited or hacked. Our system has helped us find one or more security vulnerabilities in Android applications or SDKs developed by Facebook, Microsoft, Yahoo!, Google, Evernote, LINE WhosCall, Alibaba, Badoo, Sina Weibo, Baidu, Tencent and other renowned companies. We have reported our findings to these companies and received their confirmations and acknowledgements. Some companies, such as Facebook, even gave us a monetary reward. These acknowledgements should fully prove that our system can efficiently and accurately help find vulnerabilities in those products that had not been discovered by other security researchers or by the companies' own Android developers.
1 Introduction
1.1 Motivation
1.2 Android App Vulnerabilities v.s Android Malware Detection
2 Background
2.1 Android OS
2.2 Android Application Programming and Reverse Engineering
2.3 AndroGuard Framework
2.4 Dalvik Virtual Machine(DVM)
2.5 Dalvik Executable Format
2.6 MongoDB
3 Related work
3.1 Lint in Android ADT
3.2 FindBugs
3.3 VirusTotal
3.4 drozer (a.k.a Mercury)
3.5 MalloDroid
3.6 ForeSafe
3.7 TaintDroid
3.8 DroidBox (a.k.a. APIMonitor)
4 New Assistant Engines
4.1 Static DVM Engine
4.2 Efficient String Search Engine
4.3 Filtering Engine
5 Design Architecture
5.1 Analysis Flow and Architecture
5.2 Properties of Vulnerability Vector
5.2.1 Vector ID
5.2.2 Severity Level
5.2.3 Vector Category
5.2.4 Vector Title
5.2.5 Vector Detail Description and Vulnerability Solution
5.2.6 Related Code Paths and Component List
5.3 Database Persistence
5.4 Android Sandbox and Vulnerability Clarification
6 Implementation of Vulnerability Vectors
6.1 How We Design A New Vulnerability Vector
6.2 Vulnerability Vectors
6.2.1 Debug Mode Open
6.2.2 Detect Checking Package Signature
6.2.3 World Readable or Writeable Vulnerability
6.2.4 Fragment Injection Vulnerability
6.2.5 Base64 Decryption
6.2.6 Checking Debuggable
6.2.7 Exported Activity, Service and BroadcastReceiver
6.2.8 Exported ContentProvider
6.2.9 Location in Emulator
6.2.10 Signed by Android Debug KeyStore
6.2.11 WebView Remote Code Execution Vulnerability
6.2.12 SQLCipher Database Encryption
6.2.13 Key for SQLCipher Database
6.2.14 Empty Permission Group
6.2.15 Intent Filter Misconfiguration
6.2.16 Android SQLite Vulnerability
6.2.17 WebView Sensitive File Reading
6.2.18 MonoDroid Framework Detection
6.2.19 Dynamic Code Loading
6.2.20 HttpURLConnection Bug Warning
7 Analysis Results
7.1 Massive Analysis Tools
7.2 Security Hall of Fame and Acknowledgement
7.3 Knowledge Gap in Android Security between Security Researchers and Venders
7.4 Comparison
7.5 Analysis Result
8 Conclusion
8.1 Conclusion
8.2 Future work
(The full text of this thesis has not been authorized for public access.)