CN111625823A - Security detection method and device for VPN application of Andriod platform - Google Patents

Abstract

The invention provides a security detection method for VPN applications on the Andriod platform, comprising: constructing a sensitive authority rule base, decompiling a VPN application installation package, and obtaining a sensitive authority detection result; detecting a third-party library of the VPN application, and obtaining a third-party library list; Obtain the scan report of the VPN application, extract the scan result, and obtain the detection result of malicious behavior; install the VPN application to run on the test terminal, establish a line connection, monitor whether there is any DNS data that does not pass through the VPN tunnel, get the DNS leak detection result, and send API requests at the same time. Determine whether the communication is successfully established, and obtain the IPV6 leak detection result; disconnect the VPN connection, access the test IP address, determine whether the access is successful, and obtain the kill-switch detection result; acquire and analyze the encryption protocol of the VPN line, and obtain the tunnel configuration detection result. It can automatically, comprehensively and accurately detect the security of VPN applications.

Description

Security detection method and device for VPN application on Android platform

technical field

The invention relates to the technical field, and in particular, to a security detection method and device for a VPN application on an Andriod platform.

Background technique

In recent years, as information such as hacking attacks, surveillance and censorship continue to make headlines, people have begun to pay more and more attention to online privacy. Network security is ushering in an explosive period, and virtual private networks (VPNs), which can protect online privacy, also gained more and more attention. With a VPN, all internet traffic is encrypted and tunneled through a third-party server, so it cannot be traced back to the user. At present, VPN applications have become one of the most downloaded applications in Google Play, APP Store and other application stores.

Given the particularity of VPN applications, these applications also bring a lot of security and privacy issues to users. On the one hand, once a user uses a VPN service, all network traffic will be transmitted through the VPN server. However, many VPN applications cannot provide complete security and anonymity services during the implementation process, and there are various security loopholes, resulting in the leakage of user sensitive information. risks of. On the other hand, VPN applications have high permissions, and many malicious applications will disguise themselves as VPN applications to obtain users' private information and even spread malicious codes and push malicious advertisements, which brings serious security threats to users.

The existing Android application detection methods cannot well evaluate the security of the services provided by VPN applications. Therefore, a comprehensive and complete security and privacy detection scheme for VPN applications is urgently needed.

SUMMARY OF THE INVENTION

In view of this, the purpose of the present invention is to propose a security detection method and device for a VPN application on an Andriod platform, so as to solve the problem that the existing Android application detection method cannot well evaluate the security of a VPN application service.

Based on the above purpose, the present invention provides a security detection method for an Andriod platform VPN application, including:

Analyze Andriod permission documents, build sensitive permission rule base, decompile VPN application installation package, obtain permission documents, match tags, extract permission list and match sensitive permission rule base, and get sensitive permission detection results;

Use the detection command to detect the third-party library of the VPN application, and obtain a list of third-party libraries, where the third-party library includes at least one of an advertisement library, a game engine library, a map location service library, and a mobile analysis library;

Obtain the virustotal scan report of the VPN application, extract and analyze the result of the AV engine scanning the malicious behavior of the tested application in the scan report, and obtain the malicious behavior detection result;

Install the VPN application to the test terminal to run, locate the line list, resolve the name of the line list, loop through the line list, establish line connections, and perform DNS and IPV6 leak detection, kill-switch detection, and tunnel configuration detection respectively;

Among them, DNS and IPV6 leak detection includes sending a DNS request to the default DNS server of the test machine, monitoring whether any DNS data does not pass through the VPN tunnel, and obtaining the DNS leak detection result; at the same time, sending an API request to determine whether the communication is successfully established, and obtaining the IPV6 leak Test results;

Kill-switch detection includes blocking VPN connections, creating VPN disconnects, accessing test IP addresses, and judging whether the access is successful, and obtaining the kill-switch detection results;

The tunnel configuration detection includes: acquiring traffic data passing through the VPN line, analyzing the traffic data, extracting the encryption protocol of the VPN line, analyzing the encryption protocol, and obtaining the detection result of the tunnel configuration.

In one embodiment, the monitoring whether there is DNS data that does not pass through the VPN tunnel, and obtaining a DNS leak detection result includes:

Use the tcpdump command to capture the data packets passing through the VPN tunnel, generate pcap files from the data packets, transfer the pcap files to the test terminal, and parse the pcap file data. When there is UDP traffic whose port number is the default port number of the DNS protocol, it is judged as DNS request detected, there is a DNS leak.

In one embodiment, the judging whether the communication is successfully established, and obtaining the IPV6 leak detection result includes:

Use the curl command to send a communication request to the test API provided by the network protocol ipv6-tes. When the correct request response code is obtained, it is determined that an IPV6 leak has occurred, and the detection result of the IPV6 leak is obtained.

In one of the embodiments, if the judgment is successful, the kill-switch detection result obtained includes:

Add a rule to block all outbound connections and release the test IP connection in the configuration file of the PF firewall;

Import the configuration file of the PF firewall after adding the rules;

Open the PF firewall after adding rules;

Send a connection request to the test IP, and when the connection is successful, the test result that kill-switch is not set is obtained.

In one embodiment, the analysis of the Andriod permission document and the construction of the sensitive permission rule base include:

Extract all permissions in the Android permissions document;

Map permissions to tariff, networking, SMS, phone, privacy-related categories, and select permissions for privacy-related categories;

The permission categories, the number of permissions, the permission names, and the permission descriptions in the permissions of the privacy-related categories are mapped one-to-one as a list to obtain a sensitive permission rule base.

In one embodiment, obtaining the VirusTotal scan report of the VPN application includes:

Calculate the hash value of the VPN application installation package, call the first interface of the VirusTotal database with the hash value as a parameter, and obtain the scan report in the database; or call the second interface, scan the VPN application installation package, and obtain the scan report, wherein, The scan report includes the scan result of whether the application under test is marked as malware by the AV engine.

In one of the embodiments, the acquiring traffic data passing through the VPN circuit includes:

Use the curl command to construct network traffic;

Use the tcpdump command to capture packets;

Generate a pcap file from the data packet to get the traffic data;

The acquiring API port data includes using the curl command to construct data requesting the API port provided by IPIP.net.

In one embodiment, the analysis of the encryption protocol to obtain a detection result of the tunnel configuration includes:

It is analyzed whether the encryption protocol is an insecure protocol, and when the protocol does not belong to the IPSec, Open VPN or SSLVPN protocols, a detection result that the tunnel configuration is insecure is obtained.

In one embodiment, using the detection command to detect the third-party library of the VPN application includes: using the pythonLibRadar/libradar.py someapp.apk detection command to detect the third-party library in the VPN application.

An embodiment of the present invention also provides a security detection device for a VPN application on an Andriod platform, including:

Sensitive permission detection module, used to analyze Andriod permission documents, build sensitive permission rule base, decompile VPN application installation package, obtain permission documents, match tags, extract permission list and match sensitive permission rule base, and get sensitive permission detection results;

The third-party library detection module uses the detection command to detect the third-party library of the VPN application, and obtains a list of third-party libraries, where the third-party library includes at least one of an advertisement library, a game engine library, a map location service library, and a mobile analysis library. species;

The malicious behavior detection module obtains the scan report of the VPN application, extracts and analyzes the scan results of the pop-up of malicious advertisements, forced modification of device settings and automatic installation of specific applications in the scan report, and obtains the detection result of malicious behavior;

The line connection module is used to install the VPN application to the test terminal to run, locate the line list, parse the name of the line list, loop through the line list, and establish the line connection;

The DNS and IPV6 leak detection module is used to send DNS requests to the default DNS server of the test machine to monitor whether there is any DNS data that does not pass through the VPN tunnel, and obtain the DNS leak detection result; at the same time, it sends an API request to determine whether the communication is successfully established, and the IPV6 leak is obtained. Test results;

The kill-switch detection module is used to block the VPN connection, make the VPN disconnect, access the test IP address, and determine whether the access is successful, and get the kill-switch detection result;

The tunnel configuration detection module is used for acquiring traffic data passing through the VPN line, analyzing the traffic data, extracting the encryption protocol of the VPN line, analyzing the encryption protocol, and obtaining the detection result of the tunnel configuration.

As can be seen from the above, the security detection method and device for VPN applications on the Andriod platform provided by the present invention, by constructing a sensitive authority rule base, decompiling the VPN application installation package, extracting the authority list and matching the sensitive authority rule base, to the VPN Sensitive permission detection for applications; detection of third-party libraries of VPN applications through detection commands; detection of malicious behaviors by obtaining and analyzing malicious behavior scan results of Virustotal scan reports; by monitoring whether DNS data does not pass through the VPN tunnel and determining whether IPv6 communication is successfully established, and DNS leaks and IPV6 leaks are detected; after the VPN is disconnected, it is judged whether the test IP address is successfully accessed, and the kill-switch is detected; by obtaining and analyzing the encryption protocol passing through the VPN tunnel, the The security of the encryption protocol is detected; thus, the timely and effective comprehensive automatic detection of VPN applications with security risks can be realized, and the possible risks of user privacy leakage and the harm caused by malicious behavior can be avoided.

Description of drawings

In order to explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the following briefly introduces the accompanying drawings that need to be used in the description of the embodiments or the prior art. Obviously, the accompanying drawings in the following description are only These are some embodiments of the present invention. For those of ordinary skill in the art, other drawings can also be obtained according to these drawings without creative efforts.

1 is a schematic flowchart of a security detection method for an Andriod platform VPN application according to an embodiment of the present invention;

2 is a schematic flowchart of analyzing an Andriod permission document and constructing a sensitive permission rule base according to an embodiment of the present invention;

FIG. 3 is a schematic flowchart of establishing a line connection according to an embodiment of the present invention;

4 is a schematic diagram of a line analysis process according to an embodiment of the present invention;

5 is a schematic flowchart of a kill-switch detection result obtained by judging whether the access is successful according to an embodiment of the present invention;

6 is a schematic flowchart of obtaining traffic data passing through a VPN line according to an embodiment of the present invention;

7 is a schematic flowchart of a tunnel configuration detection process according to an embodiment of the present invention;

FIG. 8 is an architecture diagram of a security and privacy analysis system for a VPN application on an Android platform according to an embodiment of the present invention.

Detailed ways

In order to make the objectives, technical solutions and advantages of the present invention clearer, the present invention will be further described in detail below with reference to specific embodiments and accompanying drawings.

It should be noted that, unless otherwise defined, the technical or scientific terms used in the embodiments of the present invention shall have the usual meanings understood by those with ordinary skill in the art to which the present disclosure belongs. As used in this disclosure, "first," "second," and similar terms do not denote any order, quantity, or importance, but are merely used to distinguish the various components. "Comprises" or "comprising" and similar words mean that the elements or things appearing before the word encompass the elements or things recited after the word and their equivalents, but do not exclude other elements or things. Words like "connected" or "connected" are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "Up", "Down", "Left", "Right", etc. are only used to represent the relative positional relationship, and when the absolute position of the described object changes, the relative positional relationship may also change accordingly.

The inventor of the present invention has noticed that VPN is a type of application that has a large download volume, high application authority and claims to provide online security and privacy enhancement services. Compared with other Android applications, the VPN has higher requirements for security and privacy. The inventor has analyzed in the long-term security research work of Android applications. The current analysis method for Android applications can only detect the security problems existing in common Android applications, and cannot solve the security and privacy problems that may occur in VPNs, such as 1) Requesting sensitive permissions: Provide permission to access irrelevant user information, such as reading text messages, reading contacts, reading albums, etc., resulting in privacy leakage. 2) Third-party tracking libraries are advertisements: There are third-party tracking libraries to monitor users' online behaviors and the proliferation of advertisements, resulting in privacy leakage. 3) DNS request and IPv6 traffic leakage: Improper VPN settings make the Android terminal continue to use the default DNS server of the network where the terminal is located after connecting to the VPN application, instead of the anonymous DNS server of the computer assigned by the anonymous network, resulting in the leakage of DNS requests ;At the same time, when establishing a VPN connection, insert the IPv4 default route, do not support the IPv6 protocol, or completely ignore IPv6, so that all data packets sent to the IPv6 address are sent in plain text using the local IPv6 router, which cannot protect the security of IPv6 traffic, which will cause users The activity of visiting the website is recorded and monitored. 4) Insecure tunnel configuration: The private network is not encrypted, and the traffic is not properly encrypted using a secure protocol, so that the user's data can be monitored or attacked by the middleman. 5) The Kill Switch setting is incorrect, and it is impossible to immediately stop the user's device or terminate the specified application from connecting to the Internet after the VPN connection is accidentally disconnected, resulting in exposure of the user's identity and traffic. 6) Malware behavior: there are malicious behaviors such as malicious advertisements constantly popping up, forcibly modifying certain settings of the device, and automatically installing specific applications.

Please refer to FIG. 8 , the inventor proposes a privacy analysis method, device and electronic device for VPN application security on the Andriod platform based on program analysis and automated testing. By building a sensitive permission rule base, the sensitive permissions of the VPN application are detected; Command to get the list of third-party libraries; analyze the scan report to get the detection results of malicious behavior; trigger the VPN connection of the application, detect DNS and IPV6 leaks in the dynamic detection environment, detect whether the kill-switch is configured correctly, and detect whether the encryption protocol of the tunnel is secure . A complete set of security and privacy analysis methods combined with static analysis and dynamic analysis are formed, so as to conduct a comprehensive automatic detection and analysis of security and privacy problems existing in VPN applications, which can not only detect common security problems in Android applications, but also evaluate The security privacy service provided by the VPN application greatly improves the reliability of the detection result of the security of the VPN application.

Please refer to FIG. 1, which is a security detection method for an Andriod platform VPN application provided by the present invention, including:

S100, analyze the Andriod permission document, build the sensitive permission rule base, decompile the VPN application installation package, obtain the permission document, match the label, extract the permission list and match the sensitive permission rule base, and obtain the sensitive permission detection result;

S200, use the detection command to detect the third-party library of the VPN application, and obtain a list of the third-party library;

S300, obtain the virustotal scanning report of the VPN application, analyze the malicious behavior scanning result of the search engine in the scanning report, and obtain the malicious behavior detection result;

S400, send a DNS request to the default DNS server of the test machine, monitor whether any DNS data does not pass through the VPN tunnel, and obtain the DNS leak detection result; at the same time, send an API request to determine whether IPV6 communication is successfully established, and obtain the IPV6 leak detection result;

S500, make the VPN disconnected, access the test IP address, determine whether the access is successful, and obtain the kill-switch detection result;

S600: Acquire traffic data passing through the VPN line, analyze the traffic data, extract an encryption protocol of the VPN line, analyze the encryption protocol, and obtain a tunnel configuration detection result.

The security detection method of the VPN application on the Andriod platform provided by the present invention, by constructing a sensitive authority rule base, decompiling the VPN application installation package, extracting the authority list and matching the sensitive authority rule base, to perform sensitive authority detection on the VPN application; The third-party library of the VPN application is used for detection; by obtaining and analyzing the malicious behavior scanning results in the virustotal scan report, the malicious behavior is detected; by monitoring whether there is DNS data that does not pass through the VPN tunnel and judging whether the ipv6 communication is successfully established, the DNS leak and IPV6 Leak detection; determine whether the test IP address is successfully accessed by creating a VPN disconnection, and detect the kill-switch; by obtaining and analyzing the IP and encryption protocol of the traffic data passing through the VPN tunnel, the security of the tunnel IP and protocol Therefore, the timely and effective comprehensive automatic detection of VPN applications with security risks can be realized, and the possible risks of user privacy leakage and the harm caused by malicious behavior can be avoided.

Please refer to FIG. 2. In step S100, the analysis of the Andriod permission document and the construction of the sensitive permission rule base include:

S110, extract all permissions in the Android permissions document;

S120, map the permissions to tariff, networking, SMS, phone, and privacy categories, and select the permissions of the privacy category;

S130 , one-to-one correspondence among the permission categories, the number of permissions, the permission names, and the permission descriptions in the permissions of the privacy category is made into a list to obtain a sensitive permission rule base.

Specifically, in the S110, the Android permission document can be obtained from the Android official website. After analyzing the permission document, extract all the permissions in it, and the permissions include various categories and levels.

In S120, by mapping all the permissions one by one, various categories such as tariffs, networking, text messages, phone calls, and privacy-related categories are obtained, and the permissions of the privacy-related categories are selected.

In S130, the permission category may include privacy permission and other permissions. In a specific embodiment, 40 privacy-related permissions can be extracted from the Android permission list, including 19 privacy permissions that are closely related to user privacy data, and 21 other permissions with a lower degree of privacy, corresponding to sensitive permissions An example of the rule base is shown in Table 1 below.

Table 1 Some privacy-related permissions of Android

You can use the APKTool tool to decompile the VPN application APK file (installation package) and obtain the AndroidManifest.xml file (permission document). Apktool is a decompilation tool provided by google, which can decompile and recompile apk, and install the framework-res framework required by the decompile system apk. In this embodiment, the decode command can be executed, such as "apktool d<file.apk><dir>, to decompile the apk file. Wherein, <file.apk> is the path of the apk file to be decompiled, and <dir > is the storage location of the decompiled files.

The tag can be AndroidManifest.xml<permission>. After matching this tag to Android Manifest.xml, you can get the list of permissions declared by the APK.

By building a sensitive permission rule base, the permission categories, number of permissions, permission names and permission descriptions of privacy-related permissions can be mapped one-to-one, which can quickly and accurately identify the privacy permissions in the permission list obtained after decompiling the VPN application APK file, and improve Andriod Detection efficiency of platform VPN applications.

In step S200, the third-party library is a reusable software resource in application development, and the third-party library may be included. The third-party libraries that use the detection command to detect VPN applications include: use the python LibRadar/libradar.pysomeapp.apk detection command to detect third-party libraries in VPN applications.

The detected third-party library list may include at least one of an advertisement library, a game engine library, a social network library, a map location service library, and a mobile analysis library. The advertisement library may be, for example, Admob, Inmobi; the game engine library may be, for example, Unity3D, Badlogic; the map location service library may be, for example, Baidu Location, AmapLocation; the mobile analysis library may be, for example, Umeng, Flurry and Analytics.

By using the python LibRadar/libradar.py someapp.apk detection command to detect third-party libraries, it can effectively identify the third-party libraries that are blurred with the main application and compiled by Dalvik bytecode, so as to efficiently and quickly detect the existence of VPN applications. third-party library.

In step S300, the obtaining of the scan report of the VPN application includes:

Build the script to access the VirusTotal service website; calculate the hash value of the VPN application installation package, call the first interface of the database with the hash value as a parameter, and obtain the scan report in the database; or call the second interface to scan the VPN application installation package, Get a scan report.

The database may be a database in the VirusTotal service website. The website can scan for suspicious files and URLs and get scan reports. Hash values and corresponding scan reports are stored in VirusTotal's database.

The first interface may be the "https://www.virustotal.com/vtapi/v2/file/report" interface. Through the first interface, it is possible to access the database to find out whether there is a hash value that is the same as the hash value of the VPN application installation package. When the same hash value is found, the scan report corresponding to the hash value is extracted. When the corresponding hash value cannot be found, the second interface is called.

Specifically, the second interface may be the "https://www.virustotal.com/vtapi/v2/file/scan" interface. Through the second interface, the APK file (installation package) of the VPN application can be sent to VirusTotal, and scanned by the AV (Anti Virus) engine of VirusTotal to obtain a scan report. The AV engine scans files for viruses and malicious behavior.

The format of the scan report can be JSON. The content of the scan report may include the scanned ID, various common hash values of the APK, and the scan results of several AV engines. As long as the application under test (that is, the VPN application or the application with the same hash value as the VPN application installation package) in the scan result is marked as a malicious file by any search engine in the AV engine, the malicious behavior detection result is malicious behavior.

By calculating the hash value of the VPN application installation package, call the first interface "https://www.virustotal.com/vtapi/v2/file/report" to directly obtain the scan report corresponding to the hash value in the VirusTotal database, or by calling The second interface "https://www.virustotal.com/vtapi/v2/file/scan" scans the VPN application installation package to obtain a scan report, and extracts and analyzes the malicious file flag of the scan result in the scan report, which can quickly Effective automatic detection of malicious behavior.

After step S300, and before step S400 to S600, it also includes S700, installing the VPN application to run the test terminal, locating the line list, parsing the name of the line list, looping through the line list, and establishing a line connection.

As shown in Figure 3, this step S700 may specifically include:

S710, push the VPN application installation package to the test machine, and automatically install the VPN application;

The S720, according to the script written, uses the API (Application Programming Interface) application programming interface provided by Appium, opens the test application, and locates the line list page. Among them, Appium is an open source test automation framework, and in this embodiment, the connection with the test application can be realized through the Node.js interface.

S730, use the page source API provided by Appium to obtain the UI hierarchy structure of the line list page, and parse out the line list name according to the resource-id of the line list control. Its analysis process is shown in Figure 4.

S740, loop through the line list, establish a VPN line connection and execute the test.

By locating the line list, resolving the name of the line list, looping through the line list, and establishing line connections, it can provide a dynamic detection environment, which is convenient for DNS and IPV6 leak detection, kill-switch detection and tunnel configuration detection.

In step S400, the monitoring whether there is DNS data that does not pass through the VPN tunnel, and obtaining a DNS leak detection result may include:

Capture the data packets passing through the VPN tunnel, generate pcap files from the data packets, transmit the pcap files to the test terminal, and parse the pcap file data. When there is UDP traffic whose port number is the default port number 53 of the DNS protocol, it is judged as detected. DNS request, there is DNS leak.

Specifically, you can use the "tcpdump-i ens33" command to capture the data packets passing through the VPN tunnel. The pcap file is a datagram storage format, and the overall structure is in the form of file header - data packet header 1 - data packet 1 - data packet header 2 - data packet 2 and so on. By parsing the data packets in the pcap file, the port number of the transmission data can be obtained. When the port number of the parsed traffic is 53, it is determined that a DNS request is detected and there is a DNS leak.

By capturing the data packets passing through the VPN tunnel, generating the data packets into pcap files and transmitting them, and analyzing the DNS traffic in the data packets at the test terminal, it is possible to quickly and effectively determine whether there is DNS leakage.

Described judging whether the communication is successfully established, the obtained IPV6 leak detection result includes:

Use the curl command to send a communication request to the test API provided by the network protocol ipv6-test. When the correct request response code is obtained, it is determined that there is an IPV6 leak, and the detection result of the IPV6 leak of the network protocol is obtained.

Specifically, the curl command may be "adb shell curl --connect-timeout 20http://v6.ipv6-test.com/json/addrinfo.php?PHPSESSID=5tb5jfujicv8n6araprstm52n5". The correct request response code can be 200.

Through the "adb shell curl--connect-timeout 20http://v6.ipv6-test.com/json/addrinfo.php?PHPSESSID=5tb5jfujicv8n6araprstm52n5" command and the "200" response code, we can accurately determine whether there is a network protocol IPV6 leak .

In step S500, Kill Switch refers to the function of preventing users from accessing unprotected Internet connections when online traffic is not forwarded through the VPN.

As shown in Figure 5, if the judgment is successful, the kill-switch detection result obtained includes:

S510, add a rule to block all outbound connections and release the test IP connection in the configuration file of the PF firewall;

S520, import the configuration file of the PF firewall after adding the rule;

S530, enable the PF firewall after adding the rule;

S540: Send a connection request to the test IP, and when the connection is successful, obtain a detection result that the kill-switch is not set.

PF firewall (Packet Filter) is a software system that performs TCP/IP traffic filtering and network address translation on UNIX LIKE systems. The PF firewall configuration command is pfctl.

Wherein, in step S510, the configuration file of the pfctl command is /etc/pf.conf, the rule for blocking all outbound connections may be block out all; the rule for releasing the destination ip may be pass out any to{*ip}. That is, step S510 is specifically, adding the following rules to the configuration file /etc/pf.conf of ptftcl: block out all#blocks all outbound connections; pass out any to{*ip}#releases the destination ip as *ip connect.

In step S520, the configuration file of the PF firewall after adding the rule can be imported by executing the command "sudo pfctl-ef/etc/pf.conf,".

In step S530, the configuration file of the PF firewall after adding the rule can be opened by executing the command "sudo pfctl-e".

In step S540, if the IP address can be successfully connected, the test IP address can be successfully accessed. That is, in the event of an unexpected disconnection of the VPN connection, the test IP address can still be accessed. Therefore, when the connection is unexpectedly disconnected, the connection to the Internet cannot be stopped or terminated, and it is judged that the kill-switch is not set.

Specifically, when the test terminal receives the data packet with the SYN (Synchronize Sequence Numbers) synchronization sequence number and the ACK (Acknowledge character) confirmation character, it sends the confirmation data packet ACK (ack=k+1) to the test IP, and enters the ESTABLISHED state. , that is, the IP address is successfully connected.

After step S540, step S550 is also included to close the PF firewall to complete the test. Specifically, you can close the PF firewall by executing the "sudo pfctl -d" command.

Artificially fault the VPN tunnel by using pfctl to control the PF firewall to block all outbound connections except the test IP address and access the test IP address. When a successful connection to the test IP address is detected, it can be judged that in the case of the VPN server connection being dropped, it is impossible to stop the user's device or terminate the connection of the specified application to the Internet, and terminate the connection to the Internet. That is, protection of the user's online activity and IP address cannot be achieved, and it cannot be prevented from being suddenly exposed in the event of a VPN server connection being dropped. Therefore, it is determined that the Kill Switch is not set.

In step S600, as shown in FIG. 6 and FIG. 7 , the acquiring traffic data passing through the VPN line may include:

S610, use the curl command to construct network traffic;

S620, use the tcpdump command to capture data packets;

S630, generate a pcap file from the data packet to obtain flow data.

In step S610, the curl command is used to construct a large amount of network traffic, which can generate enough network traffic for analysis as soon as possible and improve the detection efficiency.

In step S630, the structure and form of the pcap file are the same as those described above, which will not be repeated here. After step S630, it also includes: transferring the pcap file to the test terminal, parsing the data packets in the pcap file at the test terminal, extracting the IP address and encryption protocol therein, and obtaining the IP address and encryption protocol of the target website directly connected by the VPN line.

It can also include acquiring API port data and analyzing the data returned by the API port. Specifically, acquiring the API port data may include: using a curl command to construct data requesting the API port provided by IPIP.net. An API port, also known as an application programming interface, is a collection of definitions, procedures, and protocols. Therefore, by analyzing the data returned by the API port, the IP of the target website actually accessed by the VPN can be obtained.

The analysis of the encryption protocol to obtain the detection result of the tunnel configuration includes:

Analyze whether the encryption protocol is an insecure protocol, and obtain a detection result that the tunnel configuration is insecure when there is at least one insecure protocol.

It should be noted that the encryption protocol may include multiple encryption protocols. As long as it is determined that there is an insecure protocol, the tunnel configuration is determined to be insecure; when it is determined that there is no insecure protocol, the tunnel configuration is determined to be insecure. . When judging, it can be judged by the name of the protocol whether it is an insecure protocol. For example, when there is at least one of the TCP, UDP, PPTP or L2TP protocols, it is determined as an insecure protocol; when there is only at least one of the IPSec, IKEv2 and Open VPN protocols, it is determined as a relatively secure protocol.

The detection method provided by the present invention comprehensively summarizes and categorizes the security and privacy problems existing in the VPN application, and can perform automatic detection. Not only can it detect common security issues in Android applications, but it can also evaluate the security and privacy services provided by VPN applications. The detection results obtained by the present invention can provide users with potential risks of VPN applications, possible privacy leaks and malicious behaviors, thereby evading possible privacy leakage risks and malicious behaviors; and can also provide VPN developers with security loopholes existing in VPN applications, Possible specific risks of being exploited by malicious attackers; it can also provide market managers with malicious applications in VPN applications and applications that need to be removed. Therefore, the detection method provided by the present invention can automatically, rapidly, accurately and comprehensively detect the possible risks of VPN applications.

It should be noted that, the method in this embodiment of the present invention may be executed by a single device, such as a computer or a server. The method in this embodiment can also be applied in a distributed scenario, and is completed by the cooperation of multiple devices. In the case of such a distributed scenario, one device among the multiple devices may only perform one or more steps in the method of the embodiment of the present invention, and the multiple devices will interact with each other to complete all the steps. method described.

The foregoing describes specific embodiments of the present specification. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recited in the claims can be performed in an order different from that in the embodiments and still achieve desirable results. Additionally, the processes depicted in the figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.

An embodiment of the present invention also provides a security detection device for a VPN application on an Andriod platform, including:

Sensitive permission detection module, used to analyze Andriod permission documents, build sensitive permission rule base, decompile VPN application installation package, obtain permission documents, match tags, extract permission list and match sensitive permission rule base, and get sensitive permission detection results;

The third-party library detection module uses the detection command to detect the third-party library of the VPN application, and obtains a list of third-party libraries, where the third-party library includes at least one of an advertisement library, a game engine library, a map location service library, and a mobile analysis library. ;

The malicious behavior detection module obtains the scan report of the VPN application, extracts and analyzes the result of the AV engine scanning the malicious behavior of the tested application in the scan report, and obtains the malicious behavior detection result;

The line connection module is used to install the VPN application to the test terminal to run, locate the line list, parse the name of the line list, loop through the line list, and establish the line connection;

The DNS and IPV6 leak detection module is used to send DNS requests to the default DNS server of the Andriod platform to monitor whether there is any DNS data that does not pass through the VPN tunnel, and obtain DNS leak detection results; at the same time, send API requests to determine whether the communication is successfully established and obtain IPV6 leaks Test results;

The kill-switch detection module is used to block the VPN connection, make the VPN disconnect, access the test IP address, and determine whether the access is successful, and get the kill-switch detection result;

The tunnel configuration detection module is used for acquiring traffic data passing through the VPN line, analyzing the traffic data, extracting the encryption protocol of the VPN line, analyzing the encryption protocol, and obtaining the detection result of the tunnel configuration.

The DNS and IPV6 leak detection module includes a DNS leak detection sub-module, which is used to capture the data packets passing through the VPN tunnel by using the tcpdump command, generate the pcap files from the data packets, transmit the pcap files to the test terminal, and parse the pcap files. For file data, when there is UDP traffic whose port number is the default port number of the DNS protocol, it is determined that a DNS request is detected and there is a DNS leak, and a DNS leak detection result is obtained.

Wherein, the DNS and IPV6 leak detection module also includes an IPV6 leak detection sub-module, which is used to send a communication request to the test API provided by the network protocol ipv6-test using the curl command. When the correct request response code is obtained, the IPV6 leak is obtained. test results.

Wherein, the kill-switch detection module is used for: adding blocking all outbound connections in the configuration file of the PF firewall, and releasing the rules for testing IP connections;

Import the configuration file of the PF firewall after adding the rules;

Open the PF firewall after adding rules;

Send a connection request to the test IP, and when the connection is successful, the test result that kill-switch is not set is obtained.

Wherein, the sensitive permission detection module includes a sensitive permission rule base construction sub-module, which is used for:

Extract all permissions in the Android permissions document;

Map permissions to tariff, networking, SMS, phone, privacy-related categories, and select permissions for privacy-related categories;

The permission categories, the number of permissions, the permission names, and the permission descriptions in the permissions of the privacy-related categories are mapped one-to-one as a list to obtain a sensitive permission rule base.

The malicious behavior detection module includes a scan report acquisition sub-module for:

Calculate the hash value of the VPN application installation package, call the first interface of the database with the hash value as a parameter, and obtain the scan report in the database; or call the second interface, scan the VPN application installation package, and obtain the scan report, wherein all the The scan report includes the AV engine's scan results for pop-up of malicious advertisements, forced modification of device settings, and automatic installation of specific applications.

The tunnel configuration detection module includes a traffic data acquisition sub-module and a port data acquisition sub-module. Wherein, the traffic data acquisition sub-module is used for:

Use the curl command to construct network traffic;

Use the tcpdump command to capture packets;

Generate a pcap file from the data packet to get the traffic data.

The port data acquisition sub-module is used to construct the data requesting the API port provided by IPIP.net by using the curl command to obtain the port data.

The tunnel configuration detection module includes an analysis sub-module for:

It is analyzed whether the encryption protocol is an insecure protocol, and when the encryption protocol does not belong to IPSec, OpenVPN or SSL VPN protocol, a detection result that the tunnel configuration is insecure is obtained.

The third-party library detection module is used to detect third-party libraries in VPN applications using the python LibRadar/libradar.py someapp.apk detection command.

The apparatuses in the foregoing embodiments are used to implement the corresponding methods in the foregoing embodiments, and have the beneficial effects of the corresponding method embodiments, which will not be repeated here.

Those of ordinary skill in the art should understand that the discussion of any of the above embodiments is only exemplary, and is not intended to imply that the scope of the present disclosure (including the claims) is limited to these examples; under the spirit of the present invention, the above embodiments or There may also be combinations between technical features in different embodiments, steps may be carried out in any order, and there are many other variations of the different aspects of the invention as described above, which are not provided in detail for the sake of brevity.

Additionally, well known power/ground connections to integrated circuit (IC) chips and other components may or may not be shown in the figures provided in order to simplify illustration and discussion, and in order not to obscure the present invention. . Furthermore, devices may be shown in block diagram form in order to avoid obscuring the present invention, and this also takes into account the fact that the details of the implementation of these block diagram devices are highly dependent on the platform on which the invention will be implemented (i.e. , these details should be fully within the understanding of those skilled in the art). Where specific details (eg, circuits) are set forth to describe exemplary embodiments of the invention, it will be apparent to those skilled in the art that these specific details may be made without or with changes The present invention is carried out below. Accordingly, these descriptions are to be regarded as illustrative rather than restrictive.

Although the present invention has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations to these embodiments will be apparent to those of ordinary skill in the art from the foregoing description. For example, other memory architectures (eg, dynamic RAM (DRAM)) may use the discussed embodiments.

Embodiments of the present invention are intended to cover all such alternatives, modifications and variations that fall within the broad scope of the appended claims. Therefore, any omission, modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention shall be included within the protection scope of the present invention.

Claims (10)

1. a security detection method of Andriod platform VPN application, is characterized in that, comprises: Analyze Andriod permission documents, build sensitive permission rule base, decompile VPN application installation package, obtain permission documents, match tags, extract permission list and match sensitive permission rule base, and get sensitive permission detection results; Use the detection command to detect the third-party library of the VPN application, and obtain a list of third-party libraries, where the third-party library includes at least one of an advertisement library, a game engine library, a map location service library, a mobile analysis library, and the like; Obtain the VirusTotal scan report of the VPN application, extract and analyze the scan results of the AV engine scanning the malicious behavior of the application under test in the scan report, and obtain the malicious behavior detection result; Install the VPN application to the test terminal to run, locate the line list, resolve the name of the line list, loop through the line list, establish line connections, and perform DNS and IPV6 leak detection, kill-switch detection, and tunnel configuration detection respectively; Among them, DNS and IPV6 leak detection includes sending a DNS request to the default DNS server of the test machine, monitoring whether any DNS data does not pass through the VPN tunnel, and obtaining the DNS leak detection result; at the same time, sending an API request to determine whether the communication is successfully established, and obtaining the IPV6 leak Test results; The kill-switch detection includes blocking the VPN connection, making the VPN disconnect, accessing the test IP address, judging whether the access is successful, and obtaining the kill-switch detection result; The tunnel configuration detection includes: acquiring traffic data passing through the VPN line, analyzing the traffic data, extracting the encryption protocol of the VPN line, analyzing the encryption protocol, and obtaining the detection result of the tunnel configuration. 2. the security detection method of Andriod platform VPN application according to claim 1, is characterized in that, whether described monitoring has DNS data and does not pass through VPN tunnel, obtains DNS leak detection result and comprises, Use the tcpdump command to capture the data packets passing through the VPN tunnel, generate pcap files from the data packets, transfer the pcap files to the test terminal, and parse the pcap file data. When there is UDP traffic whose port number is the default port number of the DNS protocol, it is judged as DNS request detected, there is a DNS leak. 3. the security detection method of Andriod platform VPN application according to claim 1, is characterized in that, whether described judging successfully establishes communication, obtains IPV6 leak detection result and comprises: Use the curl command to send a communication request to the test API provided by the network protocol ipv6-test. When the correct request response code is obtained, the detection result of IPV6 leakage is obtained. 4. the security detection method of Andriod platform VPN application according to claim 1, is characterized in that, if described judging whether to visit successfully, obtain kill-switch detection result and comprise: Add a rule to block all outbound connections and release the test IP connection in the configuration file of the PF firewall; Import the configuration file of the PF firewall after adding the rules; Open the PF firewall after adding rules; Send a connection request to the test IP, and when the connection is successful, the test result that kill-switch is not set is obtained. 5. the security detection method of Andriod platform VPN application according to claim 1, is characterized in that, described analyzing Andriod authority document, building sensitive authority rule base comprises: Extract all permissions in the Android permissions document; Map permissions to tariff, networking, SMS, phone, privacy-related categories, and select permissions for privacy-related categories; The permission categories, the number of permissions, the permission names, and the permission descriptions in the permissions of the privacy-related categories are mapped one-to-one as a list to obtain a sensitive permission rule base. 6. the security detection method of Andriod platform VPN application according to claim 1, is characterized in that, the described scan report that obtains VPN application comprises: Calculate the hash value of the VPN application installation package, call the first interface of the database with the hash value as a parameter, and obtain the scan report in the virustotal database; or call the second interface, scan the VPN application installation package, and obtain the scan report, wherein, The scan report includes the scan result of whether the application under test is marked as malware by the AV engine. 7. the security detection method of Andriod platform VPN application according to claim 1, is characterized in that, described obtaining the traffic data by VPN line comprises: Use the curl command to construct network traffic; Use the tcpdump command to capture packets; Generate a pcap file from the data packet to get the traffic data; The acquiring API port data includes using the curl command to construct data requesting the API port provided by IPIP.net. 8. the security detection method of Andriod platform VPN application according to claim 1, is characterized in that, described analyzing described encryption protocol, the detection result that obtains tunnel configuration comprises: It is analyzed whether the encryption protocol is an insecure protocol, and when the encryption protocol does not belong to IPSec, Open VPN or SSL VPN protocol, a detection result that the tunnel configuration is insecure is obtained. 9. the security detection method of Andriod platform VPN application according to claim 1, is characterized in that, the third-party library that uses detection order to detect VPN application comprises: use python LibRadar/libradar.py someapp.apk detection order to detect VPN application third-party libraries in . 10. A security detection device for Andriod platform VPN application, characterized in that, comprising: Sensitive permission detection module, used to analyze Andriod permission documents, build sensitive permission rule base, decompile VPN application installation package, obtain permission documents, match tags, extract permission list and match sensitive permission rule base, and get sensitive permission detection results; The third-party library detection module uses the detection command to detect the third-party library of the VPN application, and obtains a list of third-party libraries, where the third-party library includes at least one of an advertisement library, a game engine library, a map location service library, and a mobile analysis library. ; The malicious behavior detection module obtains the virustotal scan report of the VPN application, extracts and analyzes the results of the AV engine scanning the malicious behavior of the tested application in the scan report, and obtains the malicious behavior detection result; the line connection module is used to install the VPN application to the test terminal to run, Locate the line list, parse the name of the line list, loop through the line list, and establish a line connection; The DNS and IPV6 leak detection module is used to send DNS requests to the default DNS server of the test machine to monitor whether there is any DNS data that does not pass through the VPN tunnel, and obtain the DNS leak detection result; at the same time, it sends an API request to determine whether the communication is successfully established, and the IPV6 leak is obtained. Test results; The kill-switch detection module is used to block the VPN connection, make the VPN disconnect, access the test IP address, determine whether the access is successful, and get the kill-switch detection result; The tunnel configuration detection module is used for acquiring traffic data passing through the VPN line, analyzing the traffic data, extracting the encryption protocol of the VPN line, analyzing the encryption protocol, and obtaining the detection result of the tunnel configuration.

Images