游戏库的安全性分析与验证
Security Analysis and Verification of the Game Library
DOI: 10.12677/CSA.2018.88138, PDF,    国家自然科学基金支持
作者: 李若影*, 邵 帅, 崔浩亮, 牛少彰:北京邮电大学计算机学院,北京
关键词: 第三方游戏库安全准则过程模型攻击场景Third-Party Game Libraries Security Rules Process Models Attack Scenarios
摘要: 近年来,Android第三方库的安全问题层出不穷。为了研究第三方游戏库潜在的安全威胁,该文深入分析了21个主流的第三方游戏SDK,并建立了三种过程模型以揭示游戏SDK的实现细节,然后提出了7条安全准则,并说明了违反这些安全准则后游戏SDK提供方、游戏开发方、用户可能遭遇的5种攻击场景。最后,该文提出了检测违反安全准则的三种方法,并利用这三种方法对这21种游戏SDK及Android应用市场中的2000个游戏应用程序进行了检测,实验结果表明,这21个游戏SDK均违反至少一条安全规则,导致上百个游戏应用程序面临安全风险。
Abstract: In recent years, the security issues of Android third-party libraries have appeared in endlessly. In order to study the potential security threats of third-party game libraries, in this paper, 21 main-stream third-party game SDKs are analyzed in depth and three process models are established to reveal the implementation details of the game SDKs. Then it proposes seven security rules and explains five kinds of attack scenarios which game SDK providers, game developers, and users may encounter after the violation of these security guidelines. Lastly, this paper proposes three methods for detecting violations of security guidelines, and uses these three methods to detect the 21 game SDKs and 2000 game applications in Android application markets. The experimental results show that the 21 game SDKs all violated at least one security rule, resulting in hundreds of gaming applications facing security risks.
文章引用:李若影, 邵帅, 崔浩亮, 牛少彰. 游戏库的安全性分析与验证[J]. 计算机科学与应用, 2018, 8(8): 1277-1291. https://doi.org/10.12677/CSA.2018.88138

参考文献

[1] Ma, Z., Wang, H., Guo, Y., et al. (2016) LibRadar: Fast and Accurate Detection of Third-Party Libraries in Android Apps. Proceedings of the 38th International Conference on Software Engineering Companion, Austin, TX, USA, 14-22 May 2016, 653-656. [Google Scholar] [CrossRef
[2] Li, M.H., Wang, W., Wang, P., et al. (2017) LibD: Scalable and Precise Third-Party Library Detection in Android Markets. 2017 IEEE/ACM 39th International Con-ference on Software Engineering (ICSE), Buenos Aires, 20-28 May 2017, 335-346. [Google Scholar] [CrossRef
[3] 环球网. 手机游戏市场规模将破千亿巨头领跑发行市场[EB/OL].
https://m.huanqiu.com/r/MV8wXzExMjAwOTAxXzE4MV8xNTA0MTY4MjAw, 2017-08-31.
[4] Jain, K. (2015) The Hacker News. Warning: 18,000 Android Apps Contains Code That Spy on Your Text Messages.
[5] Chen, Y., Li, T., Wang, X.F., et al. (2015) Perplexed Messengers from the Cloud: Automated Security Analysis of Push-Messaging Integrations. ACM Sigsac Conference on Computer & Communications Security, Denver, CO, USA, 12-16 October 2015, 1260-1272. [Google Scholar] [CrossRef
[6] Yang, W.B., Zhang, Y.Y., Li, J.R., et al. (2017) Show Me the Money! Finding Flawed Implementations of Third-Party In-App Payment in Android Apps. Network & Distributed System Security Symposium, San Diego, CA, USA, February 26-March 1 2017. [Google Scholar] [CrossRef
[7] Backes, M., Bugiel, S., Derr, E., et al. (2016) Reliable Third-Party Library Detection in Android and Its Security Applications. Conference on Computer and Communications Security, Vienna, Austria, 24-28 October 2016, 356-367.
[8] Soh, C., Tan, H.B.K., Arnatovich, Y.L., Narayanan, A. and Wang, L (2017) LibSift: Automated Detection of Third-Party Libraries in Android Applications. Software Engineering Confer-ence, Asia-Pacific, Hamilton, New Zealand, 41-48.
[9] Demetriou, S., Merrill, W., Yang, W., et al. (2016) Free for All! Assessing User Data Exposure to Advertising Libraries on Android. Network & Distributed System Security Symposium, San Diego, CA, USA, 21-24 February 2016, 15 p. [Google Scholar] [CrossRef
[10] Wang, H., Zhang, Y.Y., Li, J.R., et al. (2015) Vulnerability As-sessment of Oauth Implementations in Android Applications. Annual Computer Security Applications Conference, Los Angeles, CA, USA, 7-11 December 2015, 10 p.