在智慧型行動裝置蓬勃發展的今日，除了常見的官方市集，如Google Play Store (Android)之外，也存在著為數不少的第三方app市集，這些市集的存在目的可能是為了提供特定族群一個更為自由的app生態系，亦或是供特定組織使用的封閉型市集 (企業內部用市集)。而這些第三方市集由於缺乏官方的基本檢測機制，如Google或Apple都會對要上架的app進行安全性的檢測並確保該app在一定程度上是沒有安全疑慮的，故當第三方市集之使用者在使用這些非經由官方認證的app時，就有可能會無意間下載到重新包裝過的app (Repackaged App)，輕者也許只是個資或使用紀錄等等內容被竊取、重者則可能會出現金錢上的損失等等資安問題。為了確保這些第三方市場能有一個更為安全的app生態環境，我們需要一個快速且有效的檢測機制，以期第三方市場能夠對申請上架的app進行一定程度的安全性檢測進而減少使用者在使用上的疑慮。
在本篇論文中我們提出了一個app指紋 (App Fingerprint )產生機制並將其應用至一個蒐集了來自官方市集 (Google Play)與第三方市集等來源的app樣本資料庫，且以此資料庫之白/黑名單為基礎，建立了一個具備在上傳app時會立即對app進行安全性檢測之機制的第三方市集 (Secure Market)，而在檢測之後會依據白/黑名單之判定結果決定此app所屬的類別進而判斷該app是否可以上架。最後，我們也蒐集了一些已知的正常/重新包裝app作為輸入的資料並且觀察其最後的分類與結果是否可以滿足上架的條件。結果顯示根據此作法可以在一定程度上確保Secure Market所提供之app是比較沒有使用上的安全疑慮的。

The security issue of Android third-party markets has been one of the biggest problems in Android ecosystem. Without the authentication from official organization like Google, there might exist many malicious apps in the third-party markets. When users download apps from those insecure markets, they probably downloaded some malicious apps and the result can be serious. Minor impact can result in the privacy information leakage, while major impact can cause the loss of one's money or endanger one's life. In this paper, we present a mechanism for verifying the app integrity by combining the app fingerprint and an app database with whitelist / blacklist. Based on the fingerprint and database, we built a customized Android market called Secure Market. When someone upload apps to the Secure Market, the apps will be verified by the integrity verification mechanism immediately so that we can ensure the apps from Secure Market are almost secure. Finally, with collected normal/repackaged apps, the testing scenarios has shown that this integrity verification mechanism can almost help us to filter out the malicious apps, which are unqualified for uploading.

中文摘要
ABSTRACT
誌謝
CONTENTS
LIST OF FIGURES
LIST OF TABLES
CHAPTER 1INTRODUCTION
CHAPTER 2RELATED WORK
CHAPTER 3PRELIMINARY
3.1THE BASIC STRUCTURE OF APK FILE
3.2APP-REPACKAGING CATEGORIZATION
3.3APP INTEGRITY
CHAPTER 4AN OVERVIEW OF THE APP VERIFICATION MECHANISM
CHAPTER 5THE IMPLEMENTATION OF THE APP VERIFICATION MECHANISM
5.1ABOUT APP FINGERPRINT
5.2ABOUT VERIFICATION PROCESS
CHAPTER 6ANALYSIS RESULTS
6.1SCENARIO 1: APPS FROM GOOGLE PLAY STORE
6.2SCENARIO 2: LANGUAGE LOCALIZATION APPS
6.3SCENARIO 3: MALICIOUS APPS
6.4BENCHMARK TESTING
CHAPTER 7CONCLUSION
APPENDIX
REFERENCE

[1]Alexios Mylonas, Bill Tsoumas, Stelios Dritsas, Dimitris Gritzalis, “A secure smartphone applications roll-out scheme,” TrustBus'11: proceedings of the 8th international conference on trust, privacy and security in digital business, 2011.
[2]William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri, “A Study of Android Application Security,” SEC'11: proceedings of the 20th USENIX conference on Security, pp. 21-21, 2011.
[3]Adrienne Porter Felt, Matthew Finifter, Erika Chin, Steven Hanna, and David Wagner, “A Survey of Mobile Malware in the Wild,” SPSM’11, October 17, 2011, Chicago, Illinois, USA.
[4]Yacin Nadji, Jonathon Giffin, Patrick Trayno, “Automated remote repair for mobile malware,” ACSAC '11: proceedings of the 27th Annual Computer Security Applications Conference, 2011.
[5]Iker Burguera, Urko Zurutuza, Simin Nadjm-Tehrani, “Crowdroid Behavior-Based Malware Detection System,” SPSM’11, October 17, 2011, Chicago, Illinois, USA.
[6]Wu Zhou, Yajin Zhou, Xuxian Jiang, Peng Ning, “,”Detecting repackaged smartphone applications in third-party android marketplaces, CODASPY '12: proceedings of the second ACM conference on Data and Application Security and Privacy, 2012.
[7]Chen-Yuan Chuang, Yu-Chun Wang, Yi-Bing Lin, “Digital Right Management and Software Protection on Android Phones,” VTC 2010-Spring: 2010 IEEE 71th vehicular technology conference, pp.1-5, 16-19 May 2010.
[8]Inkyung Jeun, Kwangwoo Lee, Dongho Won, “Enhanced code-signing scheme for smartphone applications,” FGIT'11: proceedings of the third international conference on future generation information technology, 2011.
[9]Pern Hui Chia, Yusuke Yamamoto, N. Asokan, “Is this app safe?: a large scale study on application permissions and risk signals,” WWW '12: proceedings of the 21st international conference on World Wide Web, 2012.
[10]Takamasa Isohara, Keisuke Takemori, Ayumu Kubota, “Kernel-based Behavior Analysis for Android Malware Detection,” CIS '11: proceedings of the 2011 seventh international conference on computational intelligence and security, 2011.
[11]Max Landman, “Managing Smart Phone Security Risks,” InfoSecCD '10: 2010 information security curriculum development conference, 2010.
[12]Divya Muthukumaran, Anuj Sawani, Joshua Schiffman, Brian M. Jung, Trent Jaeger, “Measuring Integrity on Mobile Phone Systems,” SACMAT '08: proceedings of the 13th ACM symposium on access control models and technologies, 2008.
[13]Charlie Miller, “Mobile Attacks and Defense,” IEEE Security and Privacy, Volume 9, Issue 4, 2011.
[14]Georgios Portokalidis, Philip Homburg, Kostas Anagnostakis, Herbert Bos, “Paranoid Android: versatile protection for smartphones,” ACSAC '10: proceedings of the 26th annual computer security applications conference, 2010.
[15]Chaitrali Amrutkar, Patrick Traynor, “Short paper: rethinking permissions for mobile web apps: barriers and the road ahead,” SPSM '12: proceedings of the second ACM workshop on security and privacy in smartphones and mobile devices, 2012.
[16]Cong Zheng, Shixiong Zhu, Shuaifu Dai, Guofei Gu, Xiaorui Gong, Xinhui Han, Wei Zou, “SmartDroid: an automatic system for revealing UI-based trigger conditions in android applications,” SPSM '12: proceedings of the second ACM workshop on security and privacy in smartphones and mobile devices, 2012.
[17]William Enck, Peter Gilbert, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, Anmol N. Sheth, “TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones,” OSDI'10: proceedings of the 9th USENIX conference on operating systems design and implementation, 2010.
[18]David Barrera, Jeremy Clark, Daniel McCarney, Paul C. van Oorschot, “Understanding and improving app installation security mechanisms through analysis of android,” SPSM '12: proceedings of the second ACM workshop on security and privacy in smartphones and mobile devices, 2012.
[19]Wu Zhou, Yajin Zhou, Michael Grace, Xuxian Jiang, Shihong Zou, “Fast, scalable detection of ‘piggybacked’ mobile applications,” CODASPY’13: proceedings of the third ACM conference on data and application security and privacy, 2013.
[20]Spring Framework, http://spring.io/ (Accessed on 2015/3/15)
[21]google-play-crawler, https://github.com/Akdeniz/google-play-crawler
(Accessed on 2015/3/27)
[22]apk-tool, http://ibotpeaches.github.io/Apktool/ (Accessed on 2015/4/5)
[23]java.util.jar: https://docs.oracle.com/javase/8/docs/api/java/util/jar/package-summary.html
(Accessed on 2015/4/5)
[24]openssl, https://www.openssl.org/docs/apps/openssl.html (Accessed on 2015/4/21)