CN105468970B - Anti-tampering method and system for Android applications based on a defense network - Google Patents
- Publication number
- CN105468970B CN201510846522.8A
- Authority
- CN
- China
- Prior art keywords
- defense
- node
- module
- protected
- android application
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a defense-network-based anti-tampering method and system for Android applications. The method comprises the steps of: constructing a defense node template library; parsing the Android application to be protected; generating a target node set; constructing defense associations; generating the corresponding defense node instances according to user input; generating and initializing the defense network; and decompiling, rebuilding the files of and signing the Android application to be protected. The system is used to implement the method. The method and system offer high reliability, easy extension, low overhead, high efficiency and process automation. The overall software protection workflow is fixed and standardized, is mainly automated with little manual involvement, and has a short processing cycle, so it is well suited to batch protection of large numbers of applications.
Description
Technical field
The invention belongs to the technical field of computer security, and in particular relates to an anti-tampering method for application software on the Android platform.
Background
In recent years, with the rapid development of the mobile Internet, the number of network users has grown steadily and ever more mobile terminals are connected. Mobile terminals with increasingly rich functions, Android in particular, have replaced the PC as an indispensable platform for work and daily life. Application software on mobile terminals plays an extremely important role in the development of the mobile Internet and the spread of mobile terminals; it covers not only social networking and entertainment but also office work, communication and payment. Companies and government departments alike are increasingly involved in the development, use and management of mobile terminal software.
While the wide use of Android software brings great benefit to society, the security problems it brings are increasingly prominent. Android software often runs in a "white-box attack" environment (see Reference 1): attackers use software tampering techniques against legitimate software to produce malware, cracked versions, pirated copies and other illegitimate software, which seriously harms developers' economic interests and the healthy development of the software industry, and even threatens national security. Improving software security and strengthening resistance to tampering has therefore become an urgent problem for industry and academia.
Anti-tamper protection for Android applications is still immature. The main techniques are: ① Code obfuscation. ProGuard was first developed by Google and is provided in the official development environment, the Android SDK. With ProGuard, developers can obfuscate Java source code, which makes analysis harder and so improves the software's own resistance to tampering. However, ProGuard only obfuscates the variable, function and class names in the code; it merely lengthens the time an attacker needs to locate key information and cannot prevent that information from being tampered with. ② Packing. Industry security vendors such as DexGuard and Bangcle (see References 3 and 4) offer packing-based hardening services for Android software, which make reverse analysis of Android applications harder. Against these packing protections, Jia Zhijun developed the unpacker ZjDroid (see Reference 5), which can attack mainstream packing schemes effectively. ③ Tampered-version detection. In recent years some academic researchers have worked on raising the detection rate for tampered versions. Detection schemes decide whether an application is a tampered version mainly from code similarity comparison (References 6, 7, 8) or from the coupling of software components (see Reference 9). However, there are currently dozens of third-party Android markets, some of which specialize in publishing tampered versions, so detection-based protection works poorly in practice.
References:
[1] S Chow, P Eisen, H Johnson, P Van Oorschot. A white-box DES implementation for DRM applications [J]. Lecture Notes in Computer Science, 2003, 2696: 1-15.
[2] ProGuard. http://developer.android.com/tools/help/proguard.html
[3] DexGuard. http://www.guardsquare.com/software/dexguard-enterprise
[4] Bangcle. http://www.bangcle.com/
[5] ZjDroid. http://seclab.safe.baidu.com/opensec_detail_2.html
[6] J Crussell. Attack of The Clones: Detecting Cloned Applications on Android Markets. ESORICS, Springer. 2012.
[7] S Hanna, L Huang. Juxtapp: A scalable system for detecting code reuse among android applications. 9th International Conference, DIMVA 2012.
[8] Zhou, Wu. Zhou, Yajin. Detecting repackaged smartphone applications in third-party android marketplaces. Proceedings of the second ACM conference on Data and Application Security and Privacy. 2012.
[9] Zhou, Wu. Zhou, Yajin. Grace, Michael. Fast, scalable detection of piggybacked mobile applications. Proceedings of the third ACM conference on Data and Application Security and Privacy. 2013.
[10] Threat Model. https://msdn.microsoft.com/en-us/library/aa302419.aspx
Summary of the invention
In view of the defects and shortcomings of the existing Android application protection techniques described above, the object of the present invention is to provide a defense-network-based anti-tampering method for Android applications. The method uses a computer system to protect the APK file of application software on Android; its protection strength is high and it is easy to extend.
To accomplish this task, the invention adopts the following technical solution:
A defense-network-based anti-tampering method for Android applications, comprising the following steps:
Step 1: construct the defense node template library
A defense node is a code segment embedded in the Android application to be protected; it monitors for tampering threats and responds to them. A defense node template library is built, and the implementation code of the defense nodes is stored in it;
Step 2: parse the Android application to be protected
The Android application to be protected is parsed to generate its function call graph, and every node of the function call graph is described;
Step 3: generate the target node set
In the Android application to be protected, regions of interest are selected as target nodes, and the target node set is generated;
Step 4: construct the defense associations
The association relationships between target nodes and defense nodes, and between defense nodes and defense nodes, are constructed;
Step 5: generate the corresponding defense node instances according to user input
According to the defense node kinds and data defined by the user, the implementation code of the corresponding kind of defense node is selected from the defense node template library, and the corresponding defense node instance is generated;
Step 6: generate and initialize the defense network
The defense network is initialized from the defense associations constructed in step 4 together with the defense node instances generated in step 5; the defense network comprises the defense nodes, the target nodes and the defense associations;
Step 7: decompile the Android application to be protected, rebuild its files and sign it.
Further, in the defense node template library of step 1, the implementation code of every kind of defense node comprises three parts: a trigger module, a main function module and a key information module. The trigger module triggers the main function module when an anomaly is detected, the main function module performs the anti-tampering function, and the key information module records the key information of the defense node.
Further, in step 4, the association relationships between target nodes and defense nodes, and between defense nodes and defense nodes, are constructed as follows:
When the association relationships are constructed, the following constraints a to c must be satisfied:
a. Every target node is protected by at least one J_Guard defense node;
b. Every defense node is protected by at least two defense nodes other than itself, a J_Guard and an N_Guard;
c. When the Android application to be protected executes, the defense node that performs the protection must be able to execute promptly, close to the execution time of the protected node;
For condition a, the target node is associated with at least one defense node that provides function protection;
For condition b, at least two defense nodes are assigned to protect each defense node: one is a J_Guard, which protects the trigger module of the defense node, and the other is an N_Guard, which protects the main function module of the defense node;
For condition c, when a target node or defense node chooses the defense node that protects it, it should choose a defense node whose execution, while the Android application to be protected is running, falls shortly before or after its own;
Specifically, the functionality of an Android application is built from individual functions. When the program runs, functions execute one after another in a certain order and form a function call chain; two functions in the same call chain are close in execution time. The number of functions between two functions is called the hop count: the smaller the hop count, the shorter the interval between the two functions' execution. Each target node or defense node therefore chooses the defense node with the smallest hop count to itself as its defense node.
A defense-network-based anti-tampering system for Android applications, comprising the following modules connected in sequence: a defense node template library construction module, an Android application parsing module, a target node set generation module, a defense association construction module, a defense node instance generation module, a defense network generation and initialization module, and a decompilation, file rebuilding and signing module; wherein:
The defense node template library construction module implements the following function:
A defense node is a code segment embedded in the Android application to be protected; it monitors for tampering threats and responds to them. A defense node template library is built, and the implementation code of the defense nodes is stored in it;
The Android application parsing module implements the following function:
The Android application to be protected is parsed to generate its function call graph, and every node of the function call graph is described;
The target node set generation module implements the following function:
In the Android application to be protected, regions of interest are selected as target nodes, and the target node set is generated;
The defense association construction module implements the following function:
The association relationships between target nodes and defense nodes, and between defense nodes and defense nodes, are constructed;
The defense node instance generation module implements the following function:
According to the defense node kinds and data defined by the user, the implementation code of the corresponding kind of defense node is selected from the defense node template library, and the corresponding defense node instance is generated;
The defense network generation and initialization module implements the following function:
The defense network is initialized from the constructed defense associations together with the generated defense node instances; the defense network comprises the defense nodes, the target nodes and the defense associations;
The decompilation, file rebuilding and signing module implements the following function:
The Android application to be protected is decompiled, its files are rebuilt and it is signed.
Compared with the prior art, the invention has the following technical characteristics:
1. High reliability. API nodes in the defense network protect one another in a nested fashion and there are no isolated nodes, so an attacker cannot directly tamper with key code segments. In addition, randomization gives the defense network embedded in each application a different structure, so an attacker's attack knowledge cannot be reused.
2. Easy to extend. Adjusting the preset KeyValue makes the scale of the defense network controllable, and key APIs can also be added manually, which increases the diversity and complexity of the protection.
3. Low overhead and high efficiency. The protection logic is implemented mainly in the native layer, which executes efficiently, so the performance and space overhead added to the protected software is small.
4. Process automation. The overall software protection workflow is fixed and standardized, is mainly automated with little manual involvement, and has a short processing cycle, so it is well suited to batch protection of large numbers of applications.
Description of drawings
Fig. 1 is the overall flowchart of the method of the invention;
Fig. 2 is a schematic diagram of the structure of a defense unit template;
Fig. 3 is a schematic diagram of how the Java hook in the D_Guard node is implemented;
Fig. 4 is a schematic diagram of the defense network construction framework of the invention;
Fig. 5 is an example of the association relationships between defense units;
Fig. 6 is a schematic diagram of the APK rebuilding process after protection;
Fig. 7 is a schematic diagram of the implementation code of D_Guard.
Detailed description
1. Detailed description of the method steps
Following the technical solution above, as shown in Fig. 1, the invention provides a defense-network-based anti-tampering method for Android applications, comprising the following steps:
Step 1: construct the defense node template library
A defense node is a code segment embedded in the Android application to be protected; it monitors for tampering threats and responds to them. A defense node template library is built, and the implementation code of the defense nodes is stored in it;
The defense network in this scheme is a mesh structure that performs a specific security function. A mesh structure normally consists of a set of nodes and the edges connecting them; in the defense network of this scheme the nodes comprise the target nodes to be protected and the defense nodes that perform defense functions, and the edges connecting the defense nodes are the protection associations between these nodes.
A defense node is a security unit that applies a specific anti-tampering protection to a designated target and is one of the key members of the defense network. It is normally embedded in the protected target as code segments and data, monitors for tampering threats and responds to them.
Besides protecting target nodes, defense nodes must also protect other defense nodes. Defense nodes are built according to their composition and function, and the implementation code of the built defense nodes is stored in the defense node template library:
In the defense node template library, the implementation code of every kind of defense node comprises three parts: a trigger module, a main function module and a key information module. The trigger module triggers the main function module when an anomaly is detected, the main function module performs the anti-tampering function, and the key information module records the key information of the defense node.
This embodiment gives the implementation code of three kinds of defense nodes stored in the template library.
The scheme has three classes of defense nodes in total, so the defense node template library stores the basic implementation code of the three classes; it supplies the concrete defense nodes when the defense network is constructed and assists in initialization. The structure of the three templates is shown in Table 1:
Table 1 Structure of the three kinds of defense nodes in the template library
As shown in Fig. 2, because the Java layer is comparatively easy to reverse engineer and tamper with, this scheme implements the main function module of a defense node in C and exposes a JNI interface for the trigger module to call, which strengthens the tamper resistance of the key functionality in the defense node.
In this scheme the three classes of defense nodes are named J_Guard, N_Guard and D_Guard. Their structure and implementation are described in detail below:
(1) Defense node J_Guard template
J_Guard is the security unit responsible for tamper-proofing a specified Java code segment of the Android application. The trigger module is implemented in Java code (or smali code) and triggers the main function module. It is bound to a Java-layer function by being inserted into that function's body, and executes when the Java function executes. An example of the implementation code is as follows:
The example above uses smali code. For an Android application to be protected whose source code is available, the trigger module can be inserted directly into the Java source. For an application whose source code is not available, the application can be decompiled and the smali implementation of the trigger module inserted into the resulting smali code files.
The main function module is implemented in C, performs the anti-tampering function and is triggered by the trigger module in the Java layer. The protected object is the code of one Java-layer function. Tamper protection is based on an integrity check of that Java function. In outline, at execution time the bytecode of the Java function is extracted, its hash value is computed, and the hash value is checked against the predetermined value.
The key information module records the key information of this unit, which is initialized when the defense network is constructed. It includes the unit number, the ID of the bound Java function, the ID of the Java function being protected and that function's check value.
(2) Defense node N_Guard template
The defense node N_Guard is the security unit responsible for tamper-proofing other defense nodes; it mainly targets the native function part of all defense nodes. N_Guard likewise consists of a trigger module, a main function module and a key information module.
The trigger module is implemented in Java and calls the main function module in the native layer. It is bound to a Java-layer function by being inserted into that function's body, and is triggered when the Java function executes.
The main function module is again implemented in C and performs the anti-tampering function. Unlike the main function module in J_Guard, its object is a native function.
The key information module records the key information of this unit, which includes the unit number, the ID of the bound Java function, the ID of the native function being protected and that function's check value.
(3) Defense node D_Guard template
The defense node D_Guard is the security unit responsible for tamper-proofing the dex executable in the Android application. Because the trigger modules of all defense nodes reside in the dex, tamper protection of the dex file protects the trigger modules of the defense nodes.
D_Guard likewise consists of a trigger module, a main function module and a key information module. The trigger module is implemented in Java code and triggers the main function module. Unlike in J_Guard and N_Guard, it is bound to a Java function not by direct insertion but by replacing the call to one Java API inside that function, and it is triggered when the Java function executes. The main function module is implemented in C; it performs the anti-tampering function and also performs the function of the Java API that the trigger module replaced. Its object is the dex executable in the APK. The key information module records the key information of this unit, which includes the unit number, the ID of the bound Java function and the check value of the dex file.
The main function module has two parts. The first is tamper protection for the dex, based on an integrity check of the dex file. The second implements the Java-layer function that was replaced (hooked). As shown in Fig. 3, the main idea is to use the way the Android JNI mechanism lets native code call Java functions to carry out a process similar to a Java method hook. This effectively prevents attacks that simply delete or replace the so file.
After long-term research and experiments on hooking Java-layer functions in Android applications, most Java functions can be hooked; Table 2 lists the Java functions involved in this scheme.
Table 2 List of hookable Java functions
Taking the first function, Java/io/FileWriter/<init>, as an example, the implementation code of D_Guard is shown in Fig. 7:
步骤二,解析待保护的Android应用程序Step 2, analyzing the Android application program to be protected
将待保护的Android应用程序进行解析,生成该待保护的Android应用程序的函数调用图,并对函数调用图中每一个节点进行描述;具体过程为:Analyze the Android application to be protected, generate a function call graph of the Android application to be protected, and describe each node in the function call graph; the specific process is:
图4是防御网构造示意图,如图中步骤(1)所示,构造防御网,首先会对输入的APK或其中的DEX文件进行解析,生成该应用的函数调用图,该函数调用图存储为一个文本文件,文件内容为一个列表,列表的每一项对应函数调用图中的一个函数节点,通过四元组<函数名,函数ID,前驱函数ID,后继函数ID>进行描述。Figure 4 is a schematic diagram of the structure of the defense network, as shown in step (1) in the figure, to construct the defense network, the input APK or the DEX file in it will be parsed first, and the function call graph of the application will be generated, and the function call graph will be stored as A text file, the file content is a list, each item in the list corresponds to a function node in the function call graph, and is described by the quaternion <function name, function ID, predecessor function ID, successor function ID>.
Step 3: generate the target node set
In the Android application to be protected, select regions of interest as target nodes and generate the target node set.
In this scheme, a target node is a region of the target application that needs tamper protection, generally a function or a code segment. As shown in Figure 4, step (2) means that after the function call graph is generated, the target node set is generated from the function call graph and the set of functions to be protected. The set of functions to be protected is defined by the user, and each item in it is the name of a key function in the application to be protected. Each item in the generated target node set is the function ID of a function to be protected.
Step 4: construct defense associations
Construct the associations between target nodes and defense nodes, and between defense nodes and defense nodes.
As shown in Figure 4, step (3) takes the function call graph and target node set generated in steps (1) and (2) as input and uses the defense network construction algorithms to construct the associations among the nodes in the defense network. There are two kinds of algorithm: one constructs associations between target nodes and defense nodes, the other constructs associations between defense nodes and defense nodes. Because the construction of associations in step (3) has a degree of randomness, repeating step (3) yields a group of mutually different relation sets. Each item of a relation set is expressed as a triple <node ID, ID of the function containing the trigger point, corresponding defense node ID> and is stored as text in an XML file.
The security of defense nodes can be improved in two ways. The first is to make the node itself harder to reverse engineer and tamper with. In step 1, this scheme uses the Android JNI mechanism to migrate the core functional code of a defense node, by rewriting it in C, from the less secure Java layer to the native layer, where reverse engineering and tampering are harder. The second is to construct a defense network that establishes associations among defense nodes so that they protect one another. Association here means the process of choosing a suitable location (a function body) in the application at which to deploy a defense node, or the process of building protection relationships among defense nodes already present in the application.
The defense network consists of two kinds of node: target nodes in the program that need protection, denoted g, and defense nodes that perform the protection function. An association between nodes is a one-way protection relationship between two nodes and usually falls into two classes. The first points from a defense node to its corresponding target node, denoted G->g; the second points from a defense node to another defense node that needs protection, denoted G->G'. An example defense network is shown in Figure 5, where G denotes a defense node, g denotes a target node, and a one-way edge between nodes denotes a protection relationship.
When constructing associations, the following constraints a to c must be satisfied:
a. Each target node is protected by at least one J_Guard defense node;
b. Each defense node is protected by at least two defense nodes other than itself, a J_Guard and an N_Guard;
c. When the Android application runs, the defense node performing the protection function must be able to execute promptly, close to the time at which the protected node executes;
For condition a, a target node in the defense network is generally a custom Java function in the Android application, so each target node is associated with at least one defense node that has the function-protection capability (i.e. a J_Guard);
For condition b, as the defense node construction process in step 1 shows, the code of each defense node comprises a trigger module in the Java layer and a main function module in the native layer. To prevent the defense node's code from being tampered with, each defense node is therefore protected by at least two defense nodes: one is a J_Guard, responsible for protecting the defense node's trigger module, and the other is an N_Guard, responsible for protecting its main function module;
For condition c, each target node or defense node must consider the response timeliness of the protection function when choosing the defense nodes that protect it. Response timeliness means that when a protected node is tampered with, the corresponding defense node can detect the attack and respond promptly. The defense node chosen should therefore be one that, when the Android application to be protected runs, executes shortly before or after that target node or defense node.
Based on the three constraints on association construction, the defense network construction algorithm is designed and implemented as follows:
Assume the application has M target nodes; then the in-degree of each target node g is at least 1, denoted $g_{IN}(i) \geq 1$, $i \in M$;
Assume the application has N defense nodes; then the in-degree of each defense node G is at least 2, where among these in-degrees at least one endpoint is a J_Guard node and at least one endpoint is an N_Guard node, denoted $G_{IN}(i) = G_{IN\text{-}JGuard}(i) + G_{IN\text{-}NGuard}(i) \geq 2$, $i \in N$, where $G_{IN\text{-}JGuard}(i) \geq 1$ and $G_{IN\text{-}NGuard}(i) \geq 1$. Of the three kinds of defense node, apart from D_Guard, each J_Guard and N_Guard node has an out-degree of at least 1, denoted $G_{OUT}(i) \geq 1$, where
From step 1, a D_Guard node executes a hook function, and D_Guard has different types depending on which Java function the node hooks. The specific types and number of D_Guard nodes therefore depend on the actual protected application, and the number can also be adjusted manually as the situation requires. For example, if the Java function Java/io/FileWriter/<init> has 20 call sites in the application and the upper limit on D_Guards for that function is set to 5, then only 5 arbitrary call sites in the original program are hooked.
To satisfy constraint c, this document proposes a solution based on function call chains, as follows:
An Android application's functionality is implemented by individual functions. When the program runs, multiple functions execute in a certain time order and form a function call chain; two functions in the same call chain are close in execution time. Call the number of functions between two functions the hop count: the smaller the hop count, the shorter the interval between the two functions' execution. Each target node or defense node therefore chooses the defense node with the smallest hop count to it as its defense node.
Based on the above analysis of the three constraints, the main algorithms used in constructing the defense network are as follows:
The deployment algorithm for the D_Guard defense node is as follows:
For establishing protection relationships among defense nodes, the association algorithm is as follows:
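As an added illustration (not the patent's own algorithm listing), the following Python sketch builds associations from a call-graph list under constraints a to c and then checks the in-degree and out-degree conditions. The text format separators, function names, guard placements and IDs are constructed assumptions, and ties are broken deterministically by guard ID rather than randomly.

```python
"""Defense-network association sketch (added example; data below is constructed)."""
from collections import deque

# Constructed call graph, one 4-tuple per line:
# name,funcID,predecessorIDs,successorIDs ('|' separates IDs, '-' means none).
CALL_GRAPH_TEXT = """\
onCreate,1,-,2|3
initUI,2,1,4
login,3,1,5|6
loadConfig,4,2,-
checkPassword,5,3,7
fetchToken,6,3,7
startSession,7,5|6,-
"""
# Hypothetical deployed defense nodes: guard ID -> (kind, ID of the function hosting its trigger).
GUARDS = {"G1": ("J_Guard", 2), "G2": ("N_Guard", 4),
          "G3": ("J_Guard", 6), "G4": ("N_Guard", 7)}
TARGETS = [5, 3]  # function IDs the user wants protected

def parse_call_graph(text):
    """Return {func_id: neighbour ids}. Edges are undirected because a caller
    and its callee are close in execution time in either direction."""
    adj = {}
    for line in text.strip().splitlines():
        _name, fid, preds, succs = line.split(",")
        fid = int(fid)
        adj.setdefault(fid, set())
        for field in (preds, succs):
            for other in field.split("|"):
                if other != "-":
                    adj[fid].add(int(other))
                    adj.setdefault(int(other), set()).add(fid)
    return adj

def distances(adj, start):
    """BFS edge distance from start; the hop count (functions in between) is
    distance - 1, so ranking by distance ranks by hop count."""
    dist, queue = {start: 0}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in adj[cur]:
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist

def nearest(adj, guards, func_id, kind, exclude=None):
    """Constraint c: closest guard of the given kind, never the node itself."""
    dist = distances(adj, func_id)
    found = [(dist[host], gid) for gid, (k, host) in guards.items()
             if k == kind and gid != exclude and host in dist]
    return min(found)[1] if found else None

def build_network(adj, guards, targets):
    """Return triples (protected node ID, trigger function ID, defense node ID)."""
    triples = []
    for t in targets:  # constraint a: every target gets a J_Guard
        g = nearest(adj, guards, t, "J_Guard")
        if g:
            triples.append((f"g{t}", guards[g][1], g))
    for gid, (_kind, host) in guards.items():  # constraint b: one J_Guard and one N_Guard
        for kind in ("J_Guard", "N_Guard"):
            g = nearest(adj, guards, host, kind, exclude=gid)
            if g:
                triples.append((gid, guards[g][1], g))
    return triples

def violations(guards, targets, triples):
    """Check g_IN >= 1, G_IN-JGuard >= 1, G_IN-NGuard >= 1 and G_OUT >= 1."""
    problems = []
    for t in targets:
        if not any(p == f"g{t}" and guards[d][0] == "J_Guard" for p, _, d in triples):
            problems.append(f"g{t}: no J_Guard protecting it (constraint a)")
    for gid in guards:
        kinds = {guards[d][0] for p, _, d in triples if p == gid and d != gid}
        for kind in ("J_Guard", "N_Guard"):
            if kind not in kinds:
                problems.append(f"{gid}: no {kind} protecting it (constraint b)")
    for gid in guards:
        if not any(d == gid for _, _, d in triples):
            problems.append(f"{gid}: out-degree is 0")
    return problems

if __name__ == "__main__":
    graph = parse_call_graph(CALL_GRAPH_TEXT)
    net = build_network(graph, GUARDS, TARGETS)
    for triple in net:
        print(triple)
    print("violations:", violations(GUARDS, TARGETS, net))
```

Removing one of the two J_Guard nodes from the constructed set makes constraint b unsatisfiable for the remaining J_Guard, which the checker reports; this is why the number of defense nodes of each kind cannot drop below two.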
Step 5: generate the corresponding defense node instances according to user input
According to the user-defined defense node types and data, select the implementation code of the corresponding types of defense node from the defense node template library and generate the corresponding defense node instances.
To keep the defense network scalable, the construction scheme allows the scale of the defense network to be adjusted by changing the number of defense nodes. Step (4) in Figure 4 means that, according to the user-defined types and number of defense nodes, the implementation code of the corresponding types is selected from the defense node template library and the corresponding defense node instances are generated. The trigger module implementation of an instance is stored in a .smali code file, and the main function module implementation and key information module implementation are stored in a code file with the .c suffix.
Step 6: generate and initialize the defense network
Using the defense associations constructed in step 4 together with the defense node instances generated in step 5, initialize the defense network, which comprises the defense nodes, the target nodes and the defense associations.
As shown in Figure 4, step (5) combines the set of node associations in the defense network obtained in step (3) with the defense node instances generated in step (4) to initialize the defense network. Initialization proceeds as follows: first, parse the group of node relation sets obtained in step (3) to obtain each node's number and the ID of the function to which its trigger module is bound; next, compute the hash value of the protection target of each defense node; finally, use this information to modify the key information module of each defense node instance in the .c file generated in step 5, and compile it to produce the so library file.
Step 7: decompile the Android application to be protected, reconstruct its files and sign it.
Use the decompilation engine APKTool or Baksmali to decompile the dex file of the APK to be protected and obtain the corresponding smali code files. As shown in Figure 6, insert the defense nodes' smali instructions into the corresponding smali instruction files under the smali folder obtained in step 7, and place the so library file in the libs folder obtained by decompiling the source APK in step 7 (if the libs folder does not exist, create it; for the APK structure see reference 11). Use APKTool to rebuild the protected APK and sign it. By default the invention signs the APK with the testkey.pk8 and testkey.x509.pem files provided with the Android source code; loading the developer's keystore for APK signing is also allowed.
The present invention also provides a system for implementing the above method:
An Android application anti-tampering system based on a defense network. The system comprises, connected in sequence, a defense node template library construction module, an Android application parsing module, a target node set generation module, a defense association construction module, a defense node instance generation module, a defense network generation and initialization module, and a decompilation, file reconstruction and signing module, where:
The defense node template library construction module implements the following function:
A defense node is a code segment embedded in the Android application to be protected that monitors for tampering threats and responds to them; the module builds the defense node template library, which stores the implementation code of the defense nodes;
The Android application parsing module implements the following function:
Parse the Android application to be protected, generate its function call graph, and describe each node in the function call graph;
The target node set generation module implements the following function:
In the Android application to be protected, select regions of interest as target nodes and generate the target node set;
The defense association construction module implements the following function:
Construct the associations between target nodes and defense nodes, and between defense nodes and defense nodes;
The defense node instance generation module implements the following function:
According to the user-defined defense node types and data, select the implementation code of the corresponding types of defense node from the defense node template library and generate the corresponding defense node instances;
The defense network generation and initialization module implements the following function:
Using the constructed defense associations together with the generated defense node instances, initialize the defense network, which comprises the defense nodes, the target nodes and the defense associations;
The decompilation, file reconstruction and signing module implements the following function:
Decompile the Android application to be protected, reconstruct its files and sign it.
2. Experimental verification and analysis
The protection scheme is verified in three respects: effectiveness, efficiency and feasibility.
1. Analysis and verification of the protection scheme's effectiveness
This part uses the DREAD risk analysis model (reference 10) to analyze and quantify the risk an application faces from the same tampering attack before and after protection. Comparing the two risk values verifies the effectiveness of the protection scheme: if the application's risk value falls after protection, the protection scheme has strengthened the application's security.
The DREAD model is a classic security threat analysis framework proposed by Microsoft for analyzing, assessing and quantifying the risk of application threats, for example the security considerations in web application design. The DREAD algorithm usually computes a risk value as a reference for ranking risks. This risk value is the average of five attributes: Damage Potential, Reproducibility, Exploitability, Affected Users and Discoverability, abbreviated D, R, E, A and D respectively. The DREAD-based risk value RiskValue is calculated as follows:
$RiskValue = (D + R + E + A + D)/5 \qquad (1)$
From the formula above, RiskValue is a number between 0 and 10; the higher the RiskValue, the greater the risk the threat poses.
(1) Risk analysis before protection
(1-1) Damage Potential
Damage Potential expresses the potential harm of the threat, that is, the degree of damage that could result once the vulnerability is exploited, shown by how accessible in-app assets or sensitive information become and by the level of system privilege obtained. The degree is measured from 0 to 10: for example, 0 means no harm, 5 means individual assets are compromised, and 10 means the whole application or all assets are threatened.
Because Android applications sit in a white-box attack environment, reverse engineering can expose most of an application's code and data to the attacker, who can also easily gain the ability to illegitimately manipulate the code and data inside the application and so interfere with its execution flow and business logic. For a typical Android application the potential harm of the tampering threat is therefore fairly high, i.e. D = 6~8.
(1-2) Reproducibility
Reproducibility (reusability) describes how difficult it is for an attacker to repeat an attack on the target based on a given threat. It is measured from 0 to 10: for example, 0 means the attack basically cannot be repeated or is very hard to repeat; 5 means the attacker can repeat it, but with limits, for example on the number of times or the time; 10 means the attacker can launch the attack at will, even automatically.
In tampering attacks on Android applications, the attack surface, attack process and attack techniques are largely fixed and follow a pattern, and Android applications have a regular structure, so repeating the attack process is relatively easy for an attacker; attacks can even be automated across different versions of the same application or across different Android applications. In addition, for a typical Android application, simple protection cannot effectively stop an attacker from repeating the attack process, accumulating attack knowledge and eventually completing the attack. For a typical Android application the reproducibility of the tampering threat is therefore R = 8~10.
(1-3) Exploitability
Exploitability expresses how easy it is to use the threat to launch an attack. It is measured from 0 to 10: for example, 0 means successful exploitation requires extensive attack knowledge, skill and experience for complex analysis, plus specific attack tools or a specific environment; 5 means the attack can be completed with ordinary attack techniques or experience and conventional tools; 10 means a beginner with basic attack knowledge and some attack techniques can complete the attack in a short time with conventional attack tools.
In recent years, as the Android system has become widespread, the number of Android applications subjected to tampering attacks has grown explosively. The attackers include not only many experienced, advanced attackers but also many beginners. One important reason is that learning to mount a tampering attack on today's poorly protected Android applications is not hard, and a large number of attack tools have already appeared; a beginner can master the attack methods in a short time, which is enough to tamper with a typical Android application. For the Android application tampering threat, exploitability is therefore E = 8~10.
(1-4) Affected Users
Affected Users is another important attribute in threat risk analysis; it expresses the scale of the user population affected by the threat. It is also usually measured from 0 to 10, and the lower the number, the smaller the affected user population.
Android applications are published through many channels. Besides Google Play, users can download applications from third-party app stores such as 360 Assistant and Wandoujia. The number of Android application users has kept growing in recent years; as of the first quarter of 2015, the active user base of third-party mobile app stores in China alone had reached 420 million [x]. The downloaded applications include many tampered ones, especially in third-party app stores, and most applications face the threat of tampering, which directly affects the users who download and install them. In this document A is therefore taken as 8~10.
(1-5) Discoverability
Discoverability (concealment) refers to how easy it is, for the target application, to analyze and locate the vulnerability that gives rise to the threat. This document again uses 0 to 10 as the measurement range: for example, 0 means the code is very hard to analyze or the attack point very hard to locate; 5 means an effective attack point can be traced with some reasoning or debugging; 10 means analyzable code can be obtained directly and the key tampering point located.
Most Android applications are compiled mainly from Java, and reverse engineering tools readily yield highly readable code such as Java or smali code. Existing tools such as DDMS and Android Studio also make dynamic debugging at the Java or smali layer easy. This document therefore takes D = 6~8, meaning program code can be obtained, analyzed and debugged fairly easily to locate the tampering points.
(2) Risk analysis after protection
For Damage Potential: although the protection scheme does not stop an attacker from reverse engineering the Android APK, the main function module of the D_Guard node takes over some of the Java calls in the original program and so hides part of the Java layer's execution logic. This makes analysis harder for the attacker and lowers the potential harm of the tampering threat.
For Reproducibility: because each node is protected by multiple defense nodes of multiple kinds, the attacker cannot rely on a single attack method, which limits the number and effect of repeated attacks.
For Exploitability: the defense network in the protected application detects and responds to tampering, and the defense nodes protect one another. Completing an attack therefore requires first working out the overall structure of the defense network, which demands considerable reverse engineering experience and a long time.
For Affected Users: the protected application effectively prevents tampering by attackers, so tampered versions of the application are avoided at the source and the impact of the tampering threat is reduced.
For Discoverability: the modules that make up a single defense node are spread across different execution spaces, the Java layer and the native layer, which makes key information and code in the program harder to locate and improves concealment.
Combining the analysis above, the tampering threat risk values of the application before and after protection are shown in the following table:
Table 3: Tampering threat risk values before and after protection
Clearly, the tampering threat risk of the protected application is lower than that of the application before protection, which verifies the effectiveness of the protection scheme of the present invention.
2. Experimental verification of the protection scheme's efficiency
To verify the effect of the protection scheme, this document also hardened the experimental subjects with two current mainstream hardening vendors and tested and compared the hardened applications in two respects, software size and startup time. The software size comparison is as follows:
Table 4: Application size before and after protection (KB)
As the table above shows, compared with mature commercial hardening vendors, the defense network protection scheme of the present invention adds little size overhead to the protected software, within an acceptable range.
Startup time test: this document measures the startup time of the original application and of the application after protection by the defense network, by Bangcle and by 360, to verify from startup speed the performance overhead the protection scheme imposes on the application. Each sample application was tested 100 times and its average startup time calculated. The comparison data are as follows:
Table 5: Application startup time before and after protection (ms)
As the table above shows, compared with mature commercial hardening vendors, the defense-network-based protection scheme of the present invention imposes less performance overhead on the target application.
3. Feasibility (compatibility) verification of the protection scheme:
Because there are many Android system versions, the effect of version differences on the application's normal operation determines how feasible the protection scheme is. To verify the feasibility of the protection scheme, five mainstream Android system versions were chosen to test whether the application is compatible. The test results are as follows:
Table 6: Application compatibility test data after protection
As the table above shows, applications protected by the protection scheme in this patent run normally on mainstream Android system versions, so the defense-network-based protection scheme has good compatibility and feasibility.
Claims (4)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510846522.8A CN105468970B (en) | 2015-11-27 | 2015-11-27 | A kind of Android application programs based on protection net are anti-to usurp method and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN105468970A (en) | 2016-04-06 |
| CN105468970B (en) | 2018-01-19 |
Family
ID=55606656
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510846522.8A Expired - Fee Related CN105468970B (en) | 2015-11-27 | 2015-11-27 | A kind of Android application programs based on protection net are anti-to usurp method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN105468970B (en) |
Families Citing this family (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106095667B (en) * | 2016-06-03 | 2018-08-10 | 西北大学 | A kind of corresponding method for driving document location of quick positioning Android sensitive functions |
| CN106648835B (en) * | 2016-12-26 | 2020-04-10 | 武汉斗鱼网络科技有限公司 | Method and system for detecting running of Android application program in Android simulator |
| CN111143853B (en) * | 2019-12-25 | 2023-03-07 | 支付宝(杭州)信息技术有限公司 | Application security assessment method and device |
| CN114301700B (en) * | 2021-12-31 | 2023-09-08 | 上海纽盾科技股份有限公司 | Method, device, system and storage medium for adjusting network security defense scheme |
| CN116522343B (en) * | 2023-07-05 | 2023-09-08 | 北京国御网络安全技术有限公司 | Native function attack defending method and device |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102779257A (en) * | 2012-06-28 | 2012-11-14 | 奇智软件(北京)有限公司 | Security detection method and system of Android application program |
| US8804608B1 (en) * | 2010-09-29 | 2014-08-12 | Lockheed Martin Corporation | Methods, apparatus, and systems for facilitating audio communications between disparate devices |
Non-Patent Citations (1)
| Title |
|---|
| Protecting Software Code by Guards;Chang H, Atallah M J;《Lecture Notes in Computer Science》;20021231(第2320期);160-175 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN105468970A (en) | 2016-04-06 |
Legal Events
| Code | Title | Description |
|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20180119; Termination date: 20201127 |