Authors: 方慧鹏, 应凌云[1], 苏璞睿[1], 黄桦烽, 何亮[1]
Source: 《计算机应用与软件》 (Computer Applications and Software), 2015, No. 7, pp. 272-276 (5 pages)
Funding: Major Research Plan of the National Natural Science Foundation of China (91118006; 61073179); Beijing Natural Science Foundation (4122086)
Abstract (translated from the Chinese): The SSL protocol has become an important means of protecting communication security. In the mobile Internet environment, applications on smart mobile terminals also make extensive use of SSL to protect network data. To evaluate the security of smart mobile terminal applications, we analysed the security of the SSL implementations of 60,000 domestic Android applications and found four classes of security defects in their SSL implementations: incomplete trusted certificate chain validation, incomplete hostname validation, ignored WebView errors, and incomplete certificate pinning. We propose corresponding detection methods and implement the analysis and detection tool SSLGuard. An in-depth analysis of 150 banking and finance samples shows that Android applications on the domestic market have fairly serious SSL implementation defects, and that comprehensive testing and certification of critical applications such as mobile banking is urgently needed.
Abstract (English version as published): The SSL protocol has become an important means of protecting communications security. In the mobile Internet environment, smart mobile terminal applications also make heavy use of SSL to protect network data. In order to evaluate the safety of smart mobile terminal applications, we analysed the security of the SSL implementations of nearly 60 000 domestic Android applications and found four types of security vulnerabilities in them: incomplete trusted certificate chain validation, incomplete domain authentication, ignored WebView errors, and incomplete certificate pinning. We also present the corresponding detection methods and implement the analysis and detection tool SSLGuard. We conducted thorough analyses of financial samples from more than 150 banks. The experimental results show that there are quite serious security vulnerabilities in the SSL implementations of Android applications on the domestic market, and that comprehensive evaluation and certification of critical applications such as mobile banking software is urgently needed.
Classification: TP3 [Automation and Computer Technology - Computer Science and Technology]