Application-level virtualization is a popular application development method that allows multiple applications to run on the same host system. However, it also poses security risks, because the host system can manipulate the duplicated applications, breaking the Android security mechanism. Some malicious applications may exploit vulnerabilities in the virtualization framework to obtain users' private data. For example, they can launch zero-permission attacks, private component attacks, phishing attacks, system service attacks and isolation mechanism attacks.

To prevent leakage of private data on Android, the research community has proposed several protection methods, but they have drawbacks. Some system-level methods require modifying the Android system, which hinders portability and adoption. Some application-level methods require root privileges, but the Android system increasingly restricts the acquisition of root privileges. In response to these two issues, this paper investigates the use of virtualization frameworks combined with taint analysis to protect private data. First, the private data leakage vulnerabilities of virtualization frameworks are studied in detail, and the virtualization framework is improved to obtain a more secure design. Then, the static taint analysis method is optimized to expand the scope of taint detection and provide strong support for protecting private data in virtualization frameworks. Finally, based on the above, an Android private data protection system is developed.

The main contributions of this paper are as follows:

First, we studied the principles of the Android virtualization framework VirtualApp and summarized seven vulnerabilities that currently exist in virtualization frameworks, such as zero-permission attacks and bypassing program isolation mechanisms. These seven vulnerabilities can cause private data leakage. This paper proposes a corresponding solution for each of the seven vulnerabilities and, by solving them, proposes an improved, more secure and reliable virtualization framework based on VirtualApp. Data generated by applications running in this virtualization framework is protected from malicious apps that use these seven vulnerabilities to steal data.

Second, we propose an Android private data protection method that combines static analysis and dynamic monitoring. The static analysis part uses an optimized static taint analysis method and can identify the private data propagation scenarios involved in the apk file, including inter-component communication within an app, inter-component communication across apps, native method invocation and Java reflection invocation. The dynamic monitoring part uses the improved virtualization framework to provide a secure running environment for applications. It uses the characteristics of the Java dynamic stack and of Android method invocation at runtime to judge and protect against privacy leakage behavior of applications, by combining the static detection results with method hooking. Different protection measures are taken for different privacy leakage behaviors, so that private data is protected dynamically.

Third, we developed an Android private data protection system based on a virtualization framework, which combines the improved virtualization framework and the static taint analysis method to protect private data. The system consists of two parts. The server is mainly responsible for code instrumentation of apk files under the different scenarios, for using static analysis to detect leakage paths, and for generating privacy data policy protection files. The client uses the virtualization framework and the policy protection files to dynamically monitor and protect private data. The system runs at the application layer, is compatible with most Android devices, does not require root privileges, and has good portability.
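The dynamic monitoring step described above (matching the runtime call stack at a hooked sink against leak paths found by static analysis) can be sketched as follows. This is an added illustration, not the paper's code: the `LeakGuard` class, the policy layout, the action names and the `com.example.app` frames are assumptions, and it is plain Java 16+ so it runs off-device.

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration: policy layout, names and actions are assumptions.
public class LeakGuard {
    enum Action { ALLOW, BLOCK, FAKE_DATA }

    // One statically detected leak path: sink API, the app methods that
    // reach it (innermost caller first), and the measure to apply.
    record LeakPath(String sink, List<String> callers, Action action) {}

    private final List<LeakPath> policy;
    LeakGuard(List<LeakPath> policy) { this.policy = policy; }

    // Called from a hook on a sink API; stack frames are innermost first.
    Action onSink(String sink, StackTraceElement[] stack) {
        List<String> frames = new ArrayList<>();
        for (StackTraceElement f : stack)
            frames.add(f.getClassName() + "." + f.getMethodName());
        for (LeakPath p : policy)
            if (p.sink().equals(sink) && inOrder(frames, p.callers()))
                return p.action();
        return Action.ALLOW; // sink reached outside any known leak path
    }

    // True when all callers occur in the stack in the given order;
    // unrelated frames (framework, hook trampolines) may sit in between.
    static boolean inOrder(List<String> frames, List<String> callers) {
        int i = 0;
        for (String f : frames)
            if (i < callers.size() && f.equals(callers.get(i))) i++;
        return i == callers.size();
    }

    static StackTraceElement frame(String cls, String method) {
        return new StackTraceElement(cls, method, null, -1);
    }

    public static void main(String[] args) {
        String sink = "android.telephony.SmsManager.sendTextMessage";
        LeakGuard guard = new LeakGuard(List.of(new LeakPath(sink,
            List.of("com.example.app.Uploader.send",
                    "com.example.app.MainActivity.onClick"), Action.BLOCK)));
        // Constructed stacks standing in for Thread.currentThread().getStackTrace().
        StackTraceElement[] leaky = { frame("com.example.app.Uploader", "send"),
            frame("android.view.View", "performClick"),
            frame("com.example.app.MainActivity", "onClick") };
        StackTraceElement[] benign = { frame("com.example.app.Chat", "reply") };
        System.out.println("leaky path:  " + guard.onSink(sink, leaky));
        System.out.println("benign path: " + guard.onSink(sink, benign));
    }
}
```

Matching on the caller chain rather than on the sink alone lets the same API stay usable for code paths the static analysis did not flag.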