Android application digital certificate verification vulnerability detection system and method

A digital certificate verification vulnerability detection technology, applied in digital data protection, electrical digital data processing, instruments, etc., that addresses the high cost of manual review, improves the efficiency of manual review, avoids false positives, and achieves a low false positive rate.

Pending Publication Date: 2021-03-23
STATE GRID HENAN ELECTRIC POWER ELECTRIC POWER SCI RES INST +1

AI Technical Summary

Problems solved by technology

[0009] The purpose of the present invention is to provide an Android application digital certificate verification vulnerability detection system and method that addresses the problems existing in the prior art. The method combines dynamic detection with static detection, which makes up for the false positives caused by using static detection alone and for the inefficiency caused by using dynamic detection alone. It achieves effective detection of applications and alleviates the low efficiency of manual review and the high cost of large-scale, market-level application detection.


Embodiment Construction

[0038] The technical solution of the present invention will be described in detail below in conjunction with the accompanying drawings and specific embodiments.

[0039] An Android application digital certificate verification vulnerability detection system, including a static detection module, a dynamic detection module and a man-in-the-middle (MITM) proxy module;

[0040] The static detection module is used to discover applications that potentially have digital certificate verification vulnerabilities, based on the static code characteristics of vulnerable applications. The static detection module includes:

  • Android application decompilation unit: used to decompress the application to obtain the Smali code of the application;
  • Vulnerable code analysis unit: used to scan whether the application contains vulnerable code;
  • Code call analysis unit: used to analyze the call relationship of the vulnerable code in the application;
  • Control call analysis unit: used to analyze the trigger path of the vulnerab...
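The kind of scan the vulnerable code analysis unit performs over Smali, as an added example that is not code from the patent. The two static code characteristics it checks (an X509TrustManager whose checkServerTrusted body is empty, and a HostnameVerifier whose verify always returns true), the function names and the sample classes are assumptions; the excerpt does not list the patent's own signatures.

```python
import re
# Constructed Smali (not from a real app), three classes concatenated for brevity.
# Assumption: the two flagged patterns stand in for the patent's "vulnerable code".
SAMPLE = """\
.class public Lcom/example/TrustAll;
.implements Ljavax/net/ssl/X509TrustManager;
.method public checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
    .locals 0
    return-void
.end method
.class public Lcom/example/AnyHost;
.implements Ljavax/net/ssl/HostnameVerifier;
.method public verify(Ljava/lang/String;Ljavax/net/ssl/SSLSession;)Z
    .locals 1
    const/4 v0, 0x1
    return v0
.end method
.class public Lcom/example/Delegating;
.implements Ljavax/net/ssl/X509TrustManager;
.method public checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
    .locals 0
    invoke-static {p1}, Lcom/example/Pinning;->check([Ljava/security/cert/X509Certificate;)V
    return-void
.end method
"""

METHOD_RE = re.compile(r"^\.method[^\n]*?\s([\w<>$-]+)\([^\n]*\n([\s\S]*?)^\.end method", re.M)

def instructions(body):
    """Executable instructions only: drop directives (.locals), labels, comments."""
    return [s for s in map(str.strip, body.splitlines()) if s and s[0] not in ".:#"]

def scan_smali(text):
    """Return (class, method, reason) for verification methods that check nothing."""
    findings = []
    for chunk in re.split(r"(?m)^(?=\.class\s)", text):
        cls = re.search(r"^\.class[^\n]*\s(L[^\s;]+;)", chunk, re.M)
        if not cls:
            continue
        ifaces = set(re.findall(r"^\.implements\s+(\S+)", chunk, re.M))
        for name, body in METHOD_RE.findall(chunk):
            ins = instructions(body)
            if ("Ljavax/net/ssl/X509TrustManager;" in ifaces
                    and name == "checkServerTrusted" and ins == ["return-void"]):
                findings.append((cls.group(1), name, "accepts any certificate chain"))
            if ("Ljavax/net/ssl/HostnameVerifier;" in ifaces and name == "verify"
                    and len(ins) == 2 and (m := re.fullmatch(r"const/4 (\w+), 0x1", ins[0]))
                    and ins[1] == f"return {m.group(1)}"):
                findings.append((cls.group(1), name, "accepts any hostname"))
    return findings
```

A hit from a scan like this only marks a candidate: per the description, whether the code is reachable and actually exploitable is left to the call analysis units and the dynamic and MITM stages.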


Abstract

The invention belongs to the field of application software detection for Android terminals, and particularly relates to an Android application digital certificate verification vulnerability detection system and method. The system comprises a static detection module, a dynamic detection module and a man-in-the-middle (MITM) proxy module. The static detection module is used to discover applications that potentially have digital certificate verification vulnerabilities, based on the static code characteristics of vulnerable applications. The dynamic detection module is used to dynamically execute the application so as to trigger the vulnerable code. The MITM proxy module is used to initiate man-in-the-middle attacks and attempt to decrypt the HTTPS traffic, so as to confirm whether a digital certificate verification vulnerability really exists in the application. By combining dynamic detection with static detection, the method makes up for the false positives caused by using static detection alone and for the low efficiency caused by using dynamic detection alone. It achieves effective detection of applications and addresses problems such as the low efficiency of manual review and the high cost of large-scale, market-level application detection.

Description

Technical field

[0001] The invention belongs to the field of application software detection for Android terminals, and in particular relates to a digital certificate verification vulnerability detection system and method for Android applications.

Background technique

[0002] The SSL protocol exists to protect the security of the user's communication and to ensure the user's privacy and the secure transmission of information. It is a security protocol layer added on the basis of the HTTP protocol. Before communication, the protocol negotiates the encryption key by means of digital certificates, while ensuring that the negotiation process cannot be eavesdropped on by a man in the middle. After the negotiation is completed, the communication between the two parties is encrypted. In SSL communication, verification of the digital certificate is an important link in ensuring the security of the protocol. If the client does not verify the certificate, it may be attack...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/57, G06F21/64
CPC: G06F21/577, G06F21/64
Inventor: 吕卓, 杨文, 郭志民, 李暖暖, 张铮, 陈岑, 张伟, 蔡军飞, 李鸣岩
Owner STATE GRID HENAN ELECTRIC POWER ELECTRIC POWER SCI RES INST