Web injection code execution vulnerability detection method and system for Android application program

Android application and code execution technology, applied in the fields of creating/generating source code, software engineering design, computer security devices, etc.; it can solve problems such as complex operation

Active Publication Date: 2020-08-21
CENT SOUTH UNIV

AI Technical Summary

Problems solved by technology

[0005] For data-injection vulnerabilities, existing research mostly uses static program analysis to discover potential vulnerabilities through control-flow or data-flow analysis, and then runs the application dynamically to verify whether the vulnerability actually exists. This detection method is complicated to operate.

Examples


Embodiment 1

[0044] Figure 1 is an attack scenario diagram for exploiting Web injection code execution vulnerabilities; it summarizes the scenarios in which an attacker exploits the vulnerability to get an injected script executed. Different forms of the method parameter make loadUrl() perform different functions. When a developer passes a URL to loadUrl() through the Web-Native cross-language communication interface in order to display a web page, and the application does not validate the data loaded by loadUrl(), an attacker acting as a man-in-the-middle can change the URL of the page to be loaded into a JS (JavaScript) script, so that the application ends up executing the JavaScript code instead of displaying the page content. Existing research has not proposed a corresponding detection method for this kind of exploitation.
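The missing validation described in [0044], shown from the defender's side as an added example (not code from the patent or its authors): a check applied to a URL received over the Web-Native interface before it reaches loadUrl(). The class name `LoadUrlGate`, the method `isLoadable` and the allowlisted hosts are hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Added example: checks a URL received over a Web-Native bridge before the
// app hands it to WebView.loadUrl(). Class and host names are hypothetical.
public final class LoadUrlGate {
    // Assumption: the app only needs to display pages from these hosts.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(
            Arrays.asList("app.example.com", "help.example.com"));

    private LoadUrlGate() {}

    /** True only for an absolute https URL whose host is on the allowlist. */
    public static boolean isLoadable(String raw) {
        if (raw == null) return false;
        final URI uri;
        try {
            // java.net.URI is strict: spaces and control characters fail to
            // parse, so padded or split scheme names are rejected here.
            uri = new URI(raw);
        } catch (URISyntaxException e) {
            return false;
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        // javascript:, data: and similar are opaque URIs and have no host.
        if (scheme == null || host == null) return false;
        // Cleartext http can be rewritten in transit; require https.
        if (!"https".equals(scheme.toLowerCase(Locale.ROOT))) return false;
        // Reject user-info, which can make a URL look like a trusted host.
        if (uri.getRawUserInfo() != null) return false;
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        String[] samples = {   // constructed inputs
            "https://app.example.com/news?id=7",
            "http://app.example.com/news?id=7",
            "JavaScript:void(0)",
            "https://app.example.com.attacker.test/",
            "https://app.example.com@attacker.test/",
        };
        for (String s : samples) System.out.println(isLoadable(s) + "  " + s);
    }
}
```

In an app, the bridge method would call `webView.loadUrl(url)` only when `isLoadable(url)` returns true and drop or log the value otherwise.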

[0045] For this reason, the embodiment of the present invention proposes a method for detecting Web injection...

Embodiment 2

[0084] The present embodiment provides a web injection code execution vulnerability detection system for Android applications, including the following modules:

[0085] The static program analysis module is used to perform static program analysis on a given Android application, and obtain the Web-Native cross-language communication interface information that may cause Web injection code execution in the application;

[0086] The Web injection code sample construction module is used to select a piece of string data as the Web data introduced by the Web-Native cross-language communication interface and, based on the specific interface information in the static program analysis results and the selected string data, to construct Web injection code samples for each of the different Web-Native cross-language communication mechanisms;

[0087] The Web injection code execution vulnerability detection module is used to intercept the communication flow between the application pr...


Abstract

The invention discloses a Web injection code execution vulnerability detection method and system for Android applications. The method comprises the following steps: 1, performing static program analysis on a given Android application and obtaining the cross-language communication interface information that may cause execution of Web injection code in the application; 2, selecting string data as the Web data introduced by the cross-language communication interface and, for the different cross-language communication mechanisms, constructing Web injection code samples; 3, intercepting the communication traffic between the application and the server while the application is running, modifying the server's response data, and injecting a constructed Web injection code sample into the response data; if a message corresponding to the selected string data is observed popping up on the interface while the application is running, the application is determined to have a Web injection code execution vulnerability. The method can accurately and effectively detect whether a Web injection code execution vulnerability exists in an Android application.

Description

Technical field

[0001] The invention relates to the field of mobile terminal security, in particular to a method and system for detecting Web injection code execution vulnerabilities in Android applications.

Background technique

[0002] With the rapid development of the mobile network, loading and displaying web pages, much as a browser does, is now very common in ordinary applications. Android provides the WebView control to interpret and execute Web code (HTML code and JavaScript code), allowing developers to display various web pages in the application, and the interaction between the Web code in the page and the local code (Java code) is supported by Android's Web-Native (network-local) cross-language communication mechanism. The Web-Native cross-language communication mechanism can meet user needs and bring great convenience to application development, but it also causes cross-platform code intrusion, which has seri...

Application Information

IPC(8): G06F21/57, G06F8/30
CPC: G06F21/577, G06F8/315
Inventor: 王伟平, 徐蒋婷, 宋虹, 王建新
Owner: CENT SOUTH UNIV