In this paper, the author provided a thorough analysis of the signature authentication mechanism in Android, via statically analyzing the Android source code and dynamically monitoring the executing of the signature authentication mechanism during the process of application installation and executing. Through the analysis, the author finds that Android applications are authenticated only at the installation, but not at the execution. Every time the applications are executed, only the applications’ timestamps and file paths are verified. The security risk makes it possible for the attack codes to bypass the signature authentication mechanism, and launch attacks successfully.% 文章通过静态分析Android系统源代码以及动态监控应用程序安装、执行过程中的签名验证流程,对Android系统的代码签名验证机制进行深入的剖析,发现Android系统仅在应用程序安装时进行完整的代码签名验证,在后续的程序执行过程中只对程序包进行简单的时间戳及路径验证。该安全隐患使得攻击代码可以绕过签名验证机制,成功实施攻击。
展开▼