
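Risk Analysis and Detection of Intent Communication in Android Applications
Cite this article: YANG Tian-chang, CUI Hao-liang, NIU Shao-zhang, HUANG Zhen-peng. Risk Analysis and Detection of Intent Communication in Android Applications[J]. Journal of Beijing Institute of Technology (Natural Science Edition), 2017, 37(6): 625-630, 636.
Authors: YANG Tian-chang, CUI Hao-liang, NIU Shao-zhang, HUANG Zhen-peng
Affiliation: School of Computer Science, Beijing University of Posts and Telecommunications, Beijing 100876 (all authors)
Funding: National Natural Science Foundation of China (U1536121, 61370195)
Abstract: To address the security risks that Intent communication in Android applications can introduce, a security threat detection method combining static and dynamic analysis is designed. The static analysis phase detects the internal and external components requested by the application and determines whether those components are at risk of being hijacked; then, for Intent objects that use the Extra attribute to transfer data, taint tracking is used to determine whether data or permission leakage exists. The dynamic testing phase constructs fuzzing test data from the Intent objects found by static analysis, sends test commands to the test target, and collects the application's execution logs to determine whether a denial-of-service risk exists. Experimental results show that the method detects security defects caused by Intent communication effectively and comprehensively.

Keywords: component hijacking; Intent; data leakage; denial of service
Received: 2016/11/23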

Risk Analysis and Detection on Communication with Intents in Android Applications
YANG Tian-chang, CUI Hao-liang, NIU Shao-zhang and HUANG Zhen-peng. Risk Analysis and Detection on Communication with Intents in Android Applications[J]. Journal of Beijing Institute of Technology (Natural Science Edition), 2017, 37(6): 625-630, 636.
Authors: YANG Tian-chang, CUI Hao-liang, NIU Shao-zhang and HUANG Zhen-peng
Institution: School of Computer Science & Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China
Abstract: To detect the security defects caused by Intent communication in Android applications, a detection method combining static analysis and dynamic testing is proposed. In the static analysis phase, the internal and external components requested by the application are detected and their risk of being hijacked is assessed according to the designed method. For Intents that carry data in the Extras attribute, sensitive data leakage and privilege leakage are then checked by taint tracking analysis. In the dynamic testing phase, formatted test data for fuzzing are constructed from the Intents detected in the static analysis phase, and test instructions are sent to the application installed on the test platform. The execution logs are collected and used to determine whether a denial-of-service risk exists. Experimental results show that the detection method detects Intent-based security defects effectively and comprehensively.
Keywords: component hijacking; intent; data leakage; denial of service
This article is indexed in CNKI, Wanfang Data and other databases.