CN112528283A - Detection method and device for collecting user information by SDK, electronic equipment and storage medium - Google Patents


Info

Publication number: CN112528283A
Authority: CN (China)
Prior art keywords: sdk, detected, regular expression, function, exists
Legal status: Pending
Application number: CN202011489745.0A
Other languages: Chinese (zh)
Inventors: 邵淼, 徐江林, 胡高岩
Current assignee: Weiyiyun Hangzhou Holding Co ltd
Original assignee: Weiyiyun Hangzhou Holding Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The application provides a detection method and device for collecting user information by an SDK (software development kit), an electronic device and a computer-readable storage medium. The method comprises the following steps: obtaining an SDK to be detected; performing a global search on the SDK to be detected according to a first regular expression corresponding to a sensitive function, and judging whether a suspect function matching the regular expression exists; if the suspect function exists, judging whether a call chain corresponding to the suspect function exists; if the call chain exists, running the SDK to be detected with test data, and generating data use logs of the suspect function and the data acquisition function by means of a dynamic execution script while the SDK to be detected runs; performing a global search on the data use logs according to a second regular expression and a third regular expression, and judging whether a data use record matching the second or the third regular expression exists; and if the data use record exists, determining that the SDK to be detected collects user information. The method and device thereby detect the user-information collection behaviour of an SDK.

Description

Detection method and device for collecting user information by SDK, electronic equipment and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a detection method and apparatus for collecting user information by an SDK, an electronic device, and a computer-readable storage medium.
Background
Applications (APPs) on mobile phones and tablet computers usually include SDKs (software development kits), which help the APP implement a series of functions such as maps, payment, statistics, social networking, advertising, and the like. Statistically, domestically developed APPs use more than ten SDKs on average. The security of SDKs is therefore very important to the construction of the entire mobile internet ecosystem. Currently, the unauthorized collection of user information by SDKs has become a very common problem.
Disclosure of Invention
An object of the embodiments of the present application is to provide a detection method and apparatus for collecting user information by an SDK, an electronic device, and a computer-readable storage medium, which are used to detect whether an SDK has a behavior of collecting user information.
In one aspect, the present application provides a detection method for collecting user information by an SDK, including:
obtaining an SDK to be detected;
carrying out global search on the SDK to be detected according to a first regular expression corresponding to a sensitive function, and judging whether a suspected function matched with the regular expression exists or not;
if the suspect function exists, call chain backtracking is carried out on the suspect function, and whether a call chain corresponding to the suspect function exists is judged; wherein the call chain comprises a data acquisition function;
when the calling chain exists, running the SDK to be detected by using test data, and generating data use logs of the suspect function and the data acquisition function when the SDK to be detected runs by using a dynamic execution script;
performing global search on the data use log according to a second regular expression corresponding to sensitive data and a third regular expression corresponding to sensitive permission, and judging whether a data use record matched with the second regular expression or the third regular expression exists;
and if the data use record exists, determining that the SDK to be detected can collect user information.
In an embodiment, before the acquiring the SDK to be detected, the method further includes:
and acquiring the first regular expression, the second regular expression, the third regular expression and the dynamic execution script.
In an embodiment, the acquiring the SDK to be detected includes:
performing decompiling processing on the target application software to obtain a decompiled code;
judging whether the folder name of the decompiled code is the same as a preset SDK (software development kit) identifier or not;
and when the name of any folder is the same as the SDK identifier, taking the decompiled code in that folder as the SDK to be detected, and generating the SDK fingerprint of the SDK to be detected from the decompiled code in the folder and the SDK identifier.
In an embodiment, after determining that the SDK to be detected will collect user information, the method further includes:
generating a detection report for the SDK to be detected;
and storing the association relationship between the SDK fingerprint of the SDK to be detected and the detection report in a preset historical detection record library.
In an embodiment, the method further comprises:
when the SDK to be detected does not collect the user information, generating a detection report for the SDK to be detected;
and storing the association relationship between the SDK fingerprint of the SDK to be detected and the detection report in the historical detection record library.
In an embodiment, before the global search is performed on the SDK to be detected according to the first regular expression corresponding to the sensitive function, the method further includes:
searching the historical detection record library according to the SDK fingerprint of the SDK to be detected, and judging whether a detection report corresponding to the SDK fingerprint exists;
if not, executing the step of carrying out global search on the SDK to be detected according to the first regular expression corresponding to the sensitive function;
if yes, the detection process is ended.
On the other hand, the application also provides a detection device for collecting user information by the SDK, which includes:
the acquisition module is used for acquiring the SDK to be detected;
the first judgment module is used for carrying out global search on the SDK to be detected according to a first regular expression corresponding to a sensitive function and judging whether a suspected function matched with the regular expression exists or not;
the second judging module is used for backtracking the call chain of the suspect function if the suspect function exists and judging whether the call chain corresponding to the suspect function exists or not; wherein the call chain comprises a data acquisition function;
the generation module is used for running the SDK to be detected with test data when the call chain exists, and generating data use logs of the suspect function and the data acquisition function by means of a dynamic execution script while the SDK to be detected runs;
the third judgment module is used for carrying out global search on the data use log according to a second regular expression corresponding to sensitive data and a third regular expression corresponding to sensitive permission and judging whether a data use record matched with the second regular expression or the third regular expression exists or not;
and the determining module is used for determining that the SDK to be detected can collect user information if the data use record exists.
In an embodiment, the obtaining module is further configured to:
performing decompiling processing on the target application software to obtain a decompiled code;
judging whether the folder name of the decompiled code is the same as a preset SDK (software development kit) identifier or not;
and when the name of any folder is the same as the SDK identifier, taking the decompiled code in that folder as the SDK to be detected, and generating the SDK fingerprint of the SDK to be detected from the decompiled code in the folder and the SDK identifier.
Further, the present application also provides an electronic device, including:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to execute the detection method for collecting the user information by the SDK.
In addition, the present application also provides a computer-readable storage medium, wherein the storage medium stores a computer program, and the computer program can be executed by a processor to complete the detection method for collecting the user information by the SDK.
In the scheme of the application, a global search is carried out on the SDK to be detected with a first regular expression corresponding to a sensitive function to determine a suspect function; call chain backtracking is carried out on the suspect function to determine a data acquisition function; data use logs of the suspect function and the data acquisition function during the operation of the SDK to be detected are then generated by a dynamic execution script; a global search is carried out on the data use logs with a second regular expression corresponding to sensitive data and a third regular expression corresponding to a sensitive permission; and whether the SDK to be detected collects user information is thereby determined. The information collection behaviour of the SDK is thus accurately detected by combining static scanning with dynamic scanning.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required to be used in the embodiments of the present application will be briefly described below.
Fig. 1 is a schematic view of an application scenario of a detection method for collecting user information by an SDK according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of an electronic device according to an embodiment of the present application;
fig. 3 is a schematic flowchart of a detection method for collecting user information by an SDK according to an embodiment of the present application;
fig. 4 is a schematic flowchart of a method for acquiring an SDK to be detected according to an embodiment of the present application;
fig. 5 is a block diagram of a detection apparatus for collecting user information by an SDK according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
Like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
Fig. 1 is a schematic view of an application scenario of a detection method for collecting user information by an SDK according to an embodiment of the present application. As shown in fig. 1, the application scenario includes a server 20, a server 30, and a client 40; the server 20 may be a server, a server cluster or a cloud computing center carrying an application software distribution platform, and may provide application software to the server 30; the client 40 may be an electronic device such as a host, a mobile phone, a tablet computer, etc., and may provide application software or a software development kit to the server 30; the server 30 may be a server, a server cluster or a cloud computing center, and may obtain application software and a software development kit from the server 20 and the client 40, and detect whether the software development kit will collect user information.
As shown in fig. 2, the present embodiment provides an electronic apparatus 1 including: at least one processor 11 and a memory 12, one processor 11 being exemplified in fig. 2. The processor 11 and the memory 12 are connected by a bus 10, and the memory 12 stores instructions executable by the processor 11, and the instructions are executed by the processor 11, so that the electronic device 1 can execute all or part of the flow of the method in the embodiments described below. In an embodiment, the electronic device 1 may be the server 30, and is configured to perform a detection method for collecting user information by the SDK.
The memory 12 may be implemented by any type of volatile or non-volatile memory device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, a magnetic disk or an optical disk.
The present application also provides a computer-readable storage medium, which stores a computer program executable by the processor 11 to perform the detection method for collecting user information by the SDK provided by the present application.
Referring to fig. 3, a flowchart of a detection method for collecting user information by an SDK according to an embodiment of the present application is shown; as shown in fig. 3, the method may include the following steps 310 to 360.
Step 310: and obtaining the SDK to be detected.
Step 320: and carrying out global search on the SDK to be detected according to the first regular expression corresponding to the sensitive function, and judging whether a suspected function matched with the regular expression exists or not.
The sensitive function is a function for collecting user information, and the user information may include a user identification number, a mobile phone number, a home address, a geographic position, a user name, personal biological identification information (such as a fingerprint, an iris, a face image and the like), a bank account number, communication records and contents, a payment account number, health physiological information, order information and the like. Exemplary sensitive functions may include getdeviceid to obtain the user device ID, getLocation to obtain the geographic location, and the like.
The first regular expression refers to a regular expression corresponding to the sensitive functions, and each sensitive function can be configured with a corresponding first regular expression.
A suspect function refers to a function that matches a first regular expression. The suspect function may be subject to further validation to determine whether user information is to be gathered.
The server side can obtain the SDK to be detected from the host of the developer, the SDK to be detected comprises a plurality of folders, and codes exist in the folders. Illustratively, the SDK applied to the android system contains the smali code.
The server can perform a global search on the SDK to be detected according to the first regular expression, and judge whether the code of the SDK to be detected contains the matching identifier indicated by the first regular expression; if so, it determines that the SDK to be detected has a function matching the first regular expression and takes that function as a suspect function. The matching identifier may be a function identifier or a regular expression representing user information. For example, if the matching identifier in the first regular expression is the function identifier getphonenumber, the server checks during the global search whether that function identifier exists in the code of the SDK to be detected; if the first regular expression is a regular expression for an 18-digit or 15-digit identity card number, the server checks during the global search whether any string in the code matches it.
In addition, if after performing the global search with all of the first regular expressions the server finds no function matching any of them, it can be considered that the SDK to be detected does not collect user information.
Step 330: if the suspect function exists, call chain backtracking is carried out on the suspect function, and whether a call chain corresponding to the suspect function exists is judged; wherein the call chain comprises a data acquisition function.
For each suspect function, the server can perform call chain backtracking in the manner of taint analysis: it queries which function calls the suspect function, then which function calls that function, and continues querying upward until it reaches the top-level function that performs data acquisition, which is the data acquisition function. In this case, the server can determine that a complete call chain corresponding to the suspect function exists. For example, the server determines that function a is a suspect function, and finds that function b calls function a, function c calls function b, and function d calls function c, where function d is a data acquisition function that acquires sensitive data; the server can then determine that the call chain corresponding to function a is: function d - function c - function b - function a.
In addition, when the server determines that no call chain corresponding to the suspect function exists (for example, no function calls the suspect function, or no function in the chain acquires data), it can be determined that the suspect function does not collect user information. If none of the suspect functions in the SDK to be detected has a corresponding call chain, the SDK to be detected does not collect user information.
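The static half of the pipeline (steps 320 and 330) as an added Python example, not code from the patent. It runs the first regular expressions over a constructed smali excerpt and backtracks the reverse call graph from each suspect function; the smali text, the regexes and the rule that the top-most in-SDK caller is taken as the data acquisition function are this example's own assumptions and a simplification of the taint analysis the patent describes.

```python
import re
from collections import defaultdict

# Constructed smali excerpt (not from the patent). It models the patent's chain
# d -> c -> b -> a: collectAndUpload() calls c(), c() calls b(), b() calls a(),
# and a() invokes the platform TelephonyManager.getDeviceId API.
# unusedLocation() calls a location API but nothing in the SDK calls it.
SMALI = """\
.class public Lcom/example/sdk/Collector;
.super Ljava/lang/Object;
.method public static a(Landroid/content/Context;)Ljava/lang/String;
    .locals 1
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    move-result-object v0
    return-object v0
.end method
.method public static b(Landroid/content/Context;)Ljava/lang/String;
    .locals 1
    invoke-static {p0}, Lcom/example/sdk/Collector;->a(Landroid/content/Context;)Ljava/lang/String;
    move-result-object v0
    return-object v0
.end method
.method public static c(Landroid/content/Context;)V
    .locals 1
    invoke-static {p0}, Lcom/example/sdk/Collector;->b(Landroid/content/Context;)Ljava/lang/String;
    return-void
.end method
.method public static collectAndUpload(Landroid/content/Context;)V
    .locals 0
    invoke-static {p0}, Lcom/example/sdk/Collector;->c(Landroid/content/Context;)V
    return-void
.end method
.method public static unusedLocation(Landroid/location/LocationManager;)V
    .locals 1
    invoke-virtual {p0, v0}, Landroid/location/LocationManager;->getLastKnownLocation(Ljava/lang/String;)Landroid/location/Location;
    return-void
.end method
"""

# First regular expressions: one per sensitive function (this example's selection).
FIRST_REGEXES = {
    "device_id": re.compile(r"->getDeviceId\(", re.IGNORECASE),
    "location": re.compile(r"->(?:getLocation|getLastKnownLocation)\(", re.IGNORECASE),
    "phone_number": re.compile(r"->(?:getPhoneNumber|getLine1Number)\(", re.IGNORECASE),
}

CLASS_RE = re.compile(r"^\.class\s+(?:\w+\s+)*(L[^;]+;)")
METHOD_RE = re.compile(r"^\.method\s+(?:[a-z-]+\s+)*([^\s(]+)\(")
INVOKE_RE = re.compile(r"^\s*invoke-\w+(?:/range)?\s+\{[^}]*\},\s*(L[^;]+;)->([^(]+)\(")


def parse_smali(text):
    """Build (bodies, callers) from smali text.
    bodies:  'Lcls;->name' -> instruction lines inside that method
    callers: 'Lcls;->name' -> set of methods that invoke it (reverse call graph)"""
    bodies, callers = {}, defaultdict(set)
    cls = current = None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            cls = m.group(1)
            continue
        m = METHOD_RE.match(line)
        if m:
            current = f"{cls}->{m.group(1)}"
            bodies[current] = []
            continue
        if line.strip() == ".end method":
            current = None
            continue
        if current is None:
            continue
        bodies[current].append(line)
        m = INVOKE_RE.match(line)
        if m:
            callers[f"{m.group(1)}->{m.group(2)}"].add(current)
    return bodies, callers


def find_suspect_functions(bodies):
    """Step 320: global search of every method body with the first regular expressions."""
    suspects = {}
    for name, lines in bodies.items():
        hits = {label for line in lines for label, rx in FIRST_REGEXES.items() if rx.search(line)}
        if hits:
            suspects[name] = sorted(hits)
    return suspects


def backtrack_call_chain(suspect, bodies, callers):
    """Step 330: walk the reverse call graph upward from the suspect function.
    Simplification: the top-most in-SDK caller (one no other SDK method calls) is
    taken as the data acquisition function. Returns the chain top-down, i.e.
    [d, c, b, a], or None when nothing in the SDK calls the suspect."""
    chain, seen, current = [suspect], {suspect}, suspect
    while True:
        ups = sorted(c for c in callers.get(current, ()) if c in bodies and c not in seen)
        if not ups:
            break
        current = ups[0]          # deterministic choice when several callers exist
        seen.add(current)         # cuts recursion cycles
        chain.append(current)
    return list(reversed(chain)) if len(chain) > 1 else None


def static_scan(text):
    """Steps 320 and 330 combined: suspect function -> call chain (or None)."""
    bodies, callers = parse_smali(text)
    return {s: backtrack_call_chain(s, bodies, callers) for s in find_suspect_functions(bodies)}


if __name__ == "__main__":
    for suspect, chain in static_scan(SMALI).items():
        print(suspect, "=>", " -> ".join(chain) if chain else "no call chain")
```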
Step 340: when the call chain exists, running the SDK to be detected with the test data, and generating data use logs of the suspect function and the data acquisition function by means of a dynamic execution script while the SDK to be detected runs.
Wherein the test data may comprise fake user information.
The dynamic execution script can monitor the packet-sending and packet-returning behaviour of the SDK and generate a data use log of the data the SDK uses when it sends and receives packets.
When any suspect function in the SDK to be detected has a corresponding call chain, the server can run the SDK to be detected in a monitored environment. The server can run the SDK to be detected by running the application software that contains it, using the test data as the input of the application software. The server monitors the packet-sending and packet-returning behaviour of the SDK to be detected through the dynamic execution script and thereby generates a data use log of the suspect function and the data acquisition function.
Step 350: performing a global search on the data use log according to a second regular expression corresponding to sensitive data and a third regular expression corresponding to a sensitive permission, and judging whether a data use record matching the second or the third regular expression exists.
Step 360: and if the data use record exists, determining that the SDK to be detected collects the user information.
Wherein the second regular expression is a regular expression corresponding to the sensitive data, where the sensitive data may be one or more of the user information described above.
The third regular expression is a regular expression corresponding to a sensitive permission, where the sensitive permission may be a permission that relates to sensitive data, such as the permission to obtain the location or the permission to obtain the mobile phone number. For example, the sensitive permission may be android.
The server performs a global search on the data use log with the second regular expression and judges whether a corresponding data use record exists. If such a record exists, the SDK to be detected collects user information; if not, the SDK to be detected does not collect user information.
Likewise, the server performs a global search on the data use log with the third regular expression and judges whether a corresponding data use record exists. If such a record exists, the SDK to be detected collects user information; if not, the SDK to be detected does not collect user information.
Through the measures, the server side accurately detects whether the SDK can collect the user information in a mode of combining static scanning and dynamic scanning.
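Steps 340 to 360 on the log side, as an added Python example that is not from the patent: a constructed data use log of the kind a dynamic execution script might write is searched with second regular expressions (sensitive data, including the injected fake test data) and a third regular expression (sensitive permissions). The log line format, the regexes and the sample values are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed fake user information fed to the app as test data (step 340).
# Because it is fake, any appearance of these exact values in the SDK's
# traffic is a leak of the injected test data, whatever the field is called.
TEST_DATA = {"phone": "13800000000", "id_card": "110101199001011234"}

# Second regular expressions (sensitive data): generic shapes of a mainland-China
# mobile number and of a 15/18-character ID number, plus the injected test values.
SECOND_REGEXES = [
    ("phone_number", re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)")),
    ("id_card", re.compile(r"(?<!\d)(?:\d{17}[\dXx]|\d{15})(?!\d)")),
] + [(f"test_data:{k}", re.compile(re.escape(v))) for k, v in TEST_DATA.items()]

# Third regular expression (sensitive permissions). The names are real Android
# permissions; which ones count as sensitive is this example's own selection.
THIRD_REGEX = re.compile(
    r"android\.permission\.(?:ACCESS_FINE_LOCATION|ACCESS_COARSE_LOCATION|"
    r"READ_PHONE_STATE|READ_PHONE_NUMBERS|READ_CONTACTS|READ_SMS)"
)

# Assumed line format written by the dynamic execution script:
#   "<timestamp> <EVENT> fn=<method> <key=value ...>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<event>[A-Z_]+) fn=(?P<fn>\S+) (?P<rest>.*)$")


@dataclass
class DataUseRecord:
    line_no: int
    event: str
    function: str
    kind: str      # "sensitive_data:<label>" or "sensitive_permission"
    value: str


def scan_data_use_log(lines):
    """Step 350: global search of the data use log with the second and third regexes."""
    records = []
    for no, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue   # not a record produced by the dynamic execution script
        ev, fn, rest = m.group("event"), m.group("fn"), m.group("rest")
        for label, rx in SECOND_REGEXES:
            for hit in rx.findall(rest):
                records.append(DataUseRecord(no, ev, fn, f"sensitive_data:{label}", hit))
        for hit in THIRD_REGEX.findall(rest):
            records.append(DataUseRecord(no, ev, fn, "sensitive_permission", hit))
    return records


def sdk_collects_user_info(lines):
    """Step 360: any matching data use record means the SDK collects user information."""
    return len(scan_data_use_log(lines)) > 0


# Constructed log of one run: a permission check, the suspect function a() being
# reached, and the data acquisition function sending the injected phone number out.
DATA_USE_LOG = [
    '2024-03-01T10:00:01Z PERM_CHECK fn=Lcom/example/sdk/Collector;->collectAndUpload perm=android.permission.READ_PHONE_STATE granted=true',
    '2024-03-01T10:00:01Z CALL fn=Lcom/example/sdk/Collector;->a api=TelephonyManager.getDeviceId',
    '2024-03-01T10:00:02Z PKT_SEND fn=Lcom/example/sdk/Collector;->collectAndUpload dst=https://stats.sdk.example/report body={"phone":"13800000000","sdk_ver":"2.1"}',
    '2024-03-01T10:00:02Z PKT_RECV fn=Lcom/example/sdk/Collector;->collectAndUpload status=200 body={"ok":true}',
    '2024-03-01T10:00:03Z PKT_SEND fn=Lcom/example/sdk/Ads;->loadAd dst=https://ads.sdk.example/v1 body={"slot":"banner_1"}',
]

# Constructed log of an SDK that only exchanges non-sensitive data.
CLEAN_LOG = [
    '2024-03-01T11:00:00Z PKT_SEND fn=Lcom/example/sdk/Ads;->loadAd dst=https://ads.sdk.example/v1 body={"slot":"banner_1"}',
    '2024-03-01T11:00:01Z PKT_RECV fn=Lcom/example/sdk/Ads;->loadAd status=200',
]

if __name__ == "__main__":
    for rec in scan_data_use_log(DATA_USE_LOG):
        print(f"line {rec.line_no} {rec.event} {rec.function}: {rec.kind} = {rec.value}")
    print("collects user info:", sdk_collects_user_info(DATA_USE_LOG), sdk_collects_user_info(CLEAN_LOG))
```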
In an embodiment, before executing the detection method, the server may first obtain a first regular expression, a second regular expression, a third regular expression, and a dynamic execution script. The server can receive the regular expression and the dynamic execution script uploaded by the host of the developer and store the regular expression and the dynamic execution script locally, so that the regular expression and the dynamic execution script are used subsequently.
In an embodiment, the server may obtain the application software from the server carrying the application software publishing platform, or obtain the application software from a host of a developer, and obtain the SDK to be detected from the application software. Referring to fig. 4, a flowchart of a method for acquiring an SDK to be detected according to an embodiment of the present application is schematically shown, and as shown in fig. 4, the method may include the following steps 301 to 303.
Step 301: and performing decompiling processing on the target application software to obtain a decompiled code.
The target application software is the application software which is acquired by the server and needs to receive detection.
The server side can perform decompiling processing on the target application software through a decompiling tool, so that decompiled codes in a plurality of folders are obtained.
Step 302: judging whether the folder name of the decompiled code is the same as a preset SDK identifier.
the SDK identifier may be a combination of an identifier of an internet company that issues a large number of SDKs and a primary folder name. Illustratively, decompiled code is usually located in a folder named com, net, and the internet company identifier may be baidu, tencent, huawei, etc., then SDK identifiers com/baidu, com/tencent, com/huawei, net/baidu, net/tencent, net/huawei, etc. may be formed.
The server can determine whether the folder name of the decompiled code is the same as any SDK identifier. On the one hand, if there is no folder name that is the same as the SDK identification, the target application software may not use the SDK. On the other hand, if there is a folder name identical to the SDK identification, the server may proceed to step 303.
Step 303: when the name of any folder is the same as the SDK identifier, taking the decompiled code in that folder as the SDK to be detected, and generating the SDK fingerprint of the SDK to be detected from the decompiled code in the folder and the SDK identifier.
When the name of any folder is the same as an SDK identifier, the server can use the decompiled code in that folder as the SDK to be detected and store it in a preset SDK pool for subsequent detection. In addition, the server can calculate a hash value over the decompiled code in the folder and the SDK identifier, and use that hash value as the SDK fingerprint of the SDK to be detected. The SDK fingerprint identifies a unique SDK. The server can store the association between the SDK fingerprint and the SDK to be detected.
Through the above-mentioned methods in steps 301 to 303, the server can obtain the SDK to be detected from the target application software, thereby executing the subsequent detection process.
In an embodiment, after determining that the SDK to be detected collects user information, the server may generate a detection report for the SDK to be detected. The detection report indicates that the SDK to be detected collects user information and records information about the application software corresponding to the SDK to be detected (if the SDK to be detected was not obtained by decompiling application software, this information may be left blank); the information about the application software may include its name, app hash, md5, and the like. The detection report can also record information about the SDK to be detected, which may include the SDK identifier, the storage path of the decompiled code, the related sensitive data, sensitive functions, sensitive permissions, and the like.
The server can keep the association relationship between the SDK fingerprint of the SDK to be detected and the detection report in a preset historical detection record library so as to facilitate subsequent searching.
In an embodiment, after determining that the SDK to be detected does not collect user information, the server may generate a detection report for the SDK to be detected. The detection report indicates that the SDK to be detected does not collect user information.
The server can keep the association relationship between the SDK fingerprint of the SDK to be detected and the detection report in a preset historical detection record library so as to facilitate subsequent searching.
In an embodiment, before performing step 320, the server may search the historical detection record library according to the SDK fingerprint of the SDK to be detected, and determine whether a detection report corresponding to the SDK fingerprint exists. Here, if the SDK to be detected is directly obtained by the server, the server may calculate the hash value according to the SDK identifier of the SDK to be detected and the code of the SDK to be detected, so as to obtain the SDK fingerprint.
On one hand, if the corresponding detection report is not found, which indicates that the SDK to be detected has not been detected before, the server may continue to execute step 320.
On the other hand, if the corresponding detection report is found, which indicates that the SDK to be detected has been detected before, the server may end the detection process, and directly determine whether the SDK to be detected will collect the user information according to the detection report.
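Steps 301 to 303 together with the historical record lookup described above, as an added Python example (not the patent's own code): a constructed decompiled tree is matched against SDK identifiers such as com/baidu, each matched folder is fingerprinted, and a fingerprint hit in the record library skips re-detection. The SHA-256 fingerprint, the in-memory tree and the naive_detector stand-in for steps 320 to 360 are assumptions of this example.

```python
import hashlib

# SDK identifiers formed as the description says: a top-level package folder
# combined with the identifier of an internet company that ships many SDKs.
ROOT_FOLDERS = ("com", "net")
VENDOR_IDS = ("baidu", "tencent", "huawei")
SDK_IDENTIFIERS = tuple(f"{root}/{vendor}" for root in ROOT_FOLDERS for vendor in VENDOR_IDS)

# Constructed stand-in for a decompiler's output tree: relative path -> source.
# A real tree (for example the smali/ directory a decompiler writes) is not read here.
DECOMPILED = {
    "smali/com/example/app/MainActivity.smali": ".class public Lcom/example/app/MainActivity;",
    "smali/com/baidu/stat/Reporter.smali": ".class public Lcom/baidu/stat/Reporter;\n# ... ->getDeviceId() ...",
    "smali/com/baidu/stat/Util.smali": ".class public Lcom/baidu/stat/Util;",
    "smali/com/tencent/ads/Banner.smali": ".class public Lcom/tencent/ads/Banner;",
    "res/values/strings.xml": "<resources/>",
}


def match_sdk_identifier(path):
    """Step 302: the SDK identifier whose folder pair appears in the path, else None."""
    padded = "/" + path
    for ident in SDK_IDENTIFIERS:
        if f"/{ident}/" in padded:
            return ident
    return None


def extract_sdks(decompiled):
    """Step 303, first half: group the decompiled files of each matched SDK folder."""
    sdks = {}
    for path, source in decompiled.items():
        ident = match_sdk_identifier(path)
        if ident is not None:
            sdks.setdefault(ident, {})[path] = source
    return sdks


def sdk_fingerprint(ident, files):
    """Step 303, second half: hash of the SDK identifier plus the folder's code.
    SHA-256 over a canonical (sorted, NUL-delimited) serialisation is this
    example's choice; the description only says a hash value is computed."""
    h = hashlib.sha256(ident.encode())
    for path in sorted(files):
        h.update(b"\x00" + path.encode() + b"\x00" + files[path].encode() + b"\x00")
    return h.hexdigest()


class DetectionService:
    """Historical detection record library keyed by SDK fingerprint."""

    def __init__(self, detector):
        self.detector = detector   # stand-in for steps 320 to 360: files -> bool
        self.history = {}          # fingerprint -> detection report
        self.detector_runs = 0

    def check(self, ident, files):
        """Look the fingerprint up first; run the full detection only on a miss.
        Returns (report, reused) where reused is True for a library hit."""
        fp = sdk_fingerprint(ident, files)
        if fp in self.history:
            return self.history[fp], True
        self.detector_runs += 1
        report = {
            "sdk_identifier": ident,
            "sdk_fingerprint": fp,
            "collects_user_info": self.detector(files),
            "file_count": len(files),
        }
        self.history[fp] = report
        return report, False


def naive_detector(files):
    """Stand-in for the real static-plus-dynamic pipeline: flags one sensitive API name."""
    return any("getDeviceId" in src for src in files.values())


if __name__ == "__main__":
    service = DetectionService(naive_detector)
    for ident, files in extract_sdks(DECOMPILED).items():
        report, reused = service.check(ident, files)
        print(ident, report["sdk_fingerprint"][:16], report["collects_user_info"], "reused" if reused else "detected")
```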
Referring to fig. 5, a block diagram of a detection apparatus for collecting user information by an SDK according to an embodiment of the present application is shown; as shown in fig. 5, the apparatus may include:
an obtaining module 510, configured to obtain an SDK to be detected;
a first judging module 520, configured to perform global search on the SDK to be detected according to a first regular expression corresponding to a sensitive function, and judge whether a suspect function matching the regular expression exists;
a second determining module 530, configured to, if the suspect function exists, perform call chain backtracking on the suspect function, and determine whether a call chain corresponding to the suspect function exists; wherein the call chain comprises a data acquisition function;
a generating module 540, configured to run the SDK to be detected using test data when the call chain exists, and generate a data usage log of the suspect function and the data acquisition function when the SDK to be detected runs by using a dynamic execution script;
a third determining module 550, configured to perform global search on the data usage log according to a second regular expression corresponding to sensitive data and a third regular expression corresponding to a sensitive permission, and determine whether a data usage record matching the second regular expression or the third regular expression exists;
a determining module 560, configured to determine that the SDK to be detected will collect user information if the data usage record exists.
In an embodiment, the obtaining module 510 is further configured to:
acquire the first regular expression, the second regular expression, the third regular expression and the dynamic execution script.
In an embodiment, the obtaining module 510 is further configured to:
decompile the target application software to obtain decompiled code;
judge whether any folder name in the decompiled code is the same as a preset SDK (software development kit) identifier;
when the name of a folder is the same as the SDK identifier, take the decompiled code in that folder as the SDK to be detected, and generate the SDK fingerprint of the SDK to be detected from the decompiled code in the folder and the SDK identifier.
In one embodiment, the apparatus further comprises:
the recording module 570 is configured to generate a detection report for the SDK to be detected;
the storage module 580 is configured to store, in a preset historical detection record library, the association relationship between the SDK fingerprint of the SDK to be detected and the detection report.
In one embodiment, the apparatus further comprises:
the recording module 570 is further configured to generate a detection report for the SDK to be detected after it is determined that the SDK to be detected does not collect the user information;
the storage module 580 is further configured to store, in a preset historical detection record library, an association relationship between the SDK fingerprint of the SDK to be detected and the detection report.
In an embodiment, the first determining module 520 is further configured to:
search the historical detection record library according to the SDK fingerprint of the SDK to be detected, and judge whether a detection report corresponding to the SDK fingerprint exists;
if not, execute the step of performing a global search on the SDK to be detected according to the first regular expression corresponding to the sensitive function;
if so, end the detection process.
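The SDK extraction, fingerprinting and history lookup described for modules 510, 520, 570 and 580 (and recited in claims 3 to 6) amount to content-addressed caching of detection results. The following Python is an added example written for this page, not the patent's or its applicant's code. It assumes the decompiled application is available as a mapping of relative file paths to source text, that preset SDK identifiers are package folder paths, and that the fingerprint is a SHA-256 over the SDK identifier plus the sorted file paths and their content hashes; the sample files and identifiers are constructed, and the detection routine is supplied by the caller so that the cache logic can be seen on its own.

```python
import hashlib

# Constructed decompiled output of a target app: {relative path: source text}.
DECOMPILED = {
    "com/example/app/MainActivity.java": "public class MainActivity { }",
    "com/vendor/analytics/Tracker.java": "public class Tracker { void report() { } }",
    "com/vendor/analytics/Util.java": "public class Util { }",
    "com/other/ads/AdView.java": "public class AdView { }",
}

# Preset SDK identifiers: folder path -> SDK name (constructed).
SDK_IDENTIFIERS = {"com/vendor/analytics": "VendorAnalytics", "com/other/ads": "OtherAds"}


def extract_sdks(decompiled, identifiers):
    """Group decompiled files under each folder whose name equals a preset SDK
    identifier. Returns {sdk_name: {path: source}}; unmatched folders are dropped."""
    found = {}
    for path, src in decompiled.items():
        for folder, sdk_name in identifiers.items():
            if path == folder or path.startswith(folder + "/"):
                found.setdefault(sdk_name, {})[path] = src
    return found


def sdk_fingerprint(sdk_name, files):
    """SHA-256 over the SDK identifier and the sorted (path, content-hash) pairs:
    stable regardless of file order, changed by any edit to any file or by a
    different identifier, so a re-packaged SDK version gets a fresh detection."""
    h = hashlib.sha256()
    h.update(sdk_name.encode())
    for path in sorted(files):
        h.update(b"\0" + path.encode() + b"\0")
        h.update(hashlib.sha256(files[path].encode()).digest())
    return h.hexdigest()


class HistoryLibrary:
    """Historical detection record library: fingerprint -> detection report."""

    def __init__(self):
        self._records = {}

    def lookup(self, fingerprint):
        return self._records.get(fingerprint)

    def store(self, fingerprint, report):
        self._records[fingerprint] = report


def detect_with_history(sdk_name, files, history, run_detection):
    """Look the fingerprint up first; run the static+dynamic detection only when
    no report exists, and record the result whether or not the SDK collects
    user information, so the next app bundling the same SDK is answered from
    the library."""
    fp = sdk_fingerprint(sdk_name, files)
    cached = history.lookup(fp)
    if cached is not None:
        return dict(cached, from_cache=True)
    report = dict(run_detection(sdk_name, files), fingerprint=fp, from_cache=False)
    history.store(fp, report)
    return report


if __name__ == "__main__":
    history = HistoryLibrary()

    def toy_detection(sdk_name, files):
        # Placeholder for the real detection pipeline (constructed rule).
        return {"sdk": sdk_name, "collects_user_info": any("report" in s for s in files.values())}

    for name, sdk_files in extract_sdks(DECOMPILED, SDK_IDENTIFIERS).items():
        print(detect_with_history(name, sdk_files, history, toy_detection))
        print(detect_with_history(name, sdk_files, history, toy_detection))  # second call hits the cache
```

Hashing file contents rather than only the folder name is what makes the history safe to trust: two apps that bundle byte-identical copies of an SDK share a report, while an SDK whose code changed between versions is detected again even though its identifier and folder name are unchanged.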
The implementation process of the functions and actions of each module in the device is specifically detailed in the implementation process of the corresponding step in the detection method for collecting user information by the SDK, and is not described herein again.
In the embodiments provided in the present application, the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.

Claims (10)

1. A detection method for collecting user information by an SDK is characterized by comprising the following steps:
obtaining an SDK to be detected;
performing a global search on the SDK to be detected according to a first regular expression corresponding to a sensitive function, and judging whether a suspect function matching the first regular expression exists;
if the suspect function exists, performing call chain backtracking on the suspect function, and judging whether a call chain corresponding to the suspect function exists; wherein the call chain comprises a data acquisition function;
when the call chain exists, running the SDK to be detected using test data, and generating a data usage log of the suspect function and the data acquisition function while the SDK to be detected runs, by using a dynamic execution script;
performing a global search on the data usage log according to a second regular expression corresponding to sensitive data and a third regular expression corresponding to a sensitive permission, and judging whether a data usage record matching the second regular expression or the third regular expression exists;
and if the data usage record exists, determining that the SDK to be detected will collect user information.
2. The method of claim 1, wherein prior to said obtaining the SDK to be detected, the method further comprises:
and acquiring the first regular expression, the second regular expression, the third regular expression and the dynamic execution script.
3. The method of claim 1, wherein the obtaining the SDK to be detected comprises:
decompiling the target application software to obtain decompiled code;
judging whether any folder name in the decompiled code is the same as a preset SDK (software development kit) identifier;
and when the name of a folder is the same as the SDK identifier, taking the decompiled code in that folder as the SDK to be detected, and generating the SDK fingerprint of the SDK to be detected from the decompiled code in the folder and the SDK identifier.
4. The method according to claim 1 or 3, wherein after determining that the SDK to be detected will collect user information, the method further comprises:
generating a detection report for the SDK to be detected;
and storing the association relationship between the SDK fingerprint of the SDK to be detected and the detection report in a preset historical detection record library.
5. The method of claim 4, further comprising:
when the SDK to be detected does not collect the user information, generating a detection report for the SDK to be detected;
and storing the association relationship between the SDK fingerprint of the SDK to be detected and the detection report in the historical detection record library.
6. The method according to claim 5, wherein before the global search is performed on the SDK to be detected according to the first regular expression corresponding to the sensitive function, the method further comprises:
searching the historical detection record library according to the SDK fingerprint of the SDK to be detected, and judging whether a detection report corresponding to the SDK fingerprint exists;
if not, executing the step of performing a global search on the SDK to be detected according to the first regular expression corresponding to the sensitive function;
if so, ending the detection process.
7. A detection apparatus for collecting user information by an SDK, comprising:
the acquisition module is used for acquiring the SDK to be detected;
the first judgment module is used for performing a global search on the SDK to be detected according to a first regular expression corresponding to a sensitive function and judging whether a suspect function matching the first regular expression exists;
the second judgment module is used for, if the suspect function exists, performing call chain backtracking on the suspect function and judging whether a call chain corresponding to the suspect function exists; wherein the call chain comprises a data acquisition function;
the generation module is used for running the SDK to be detected using test data when the call chain exists, and generating a data usage log of the suspect function and the data acquisition function while the SDK to be detected runs, by using a dynamic execution script;
the third judgment module is used for performing a global search on the data usage log according to a second regular expression corresponding to sensitive data and a third regular expression corresponding to a sensitive permission, and judging whether a data usage record matching the second regular expression or the third regular expression exists;
and the determining module is used for determining that the SDK to be detected will collect user information if the data usage record exists.
8. The apparatus of claim 7, wherein the obtaining module is further configured to:
decompile the target application software to obtain decompiled code;
judge whether any folder name in the decompiled code is the same as a preset SDK (software development kit) identifier;
and when the name of a folder is the same as the SDK identifier, take the decompiled code in that folder as the SDK to be detected, and generate the SDK fingerprint of the SDK to be detected from the decompiled code in the folder and the SDK identifier.
9. An electronic device, characterized in that the electronic device comprises:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to perform the detection method of the SDK collecting user information of any one of claims 1-6.
10. A computer-readable storage medium, characterized in that the storage medium stores a computer program executable by a processor to perform the detection method of the SDK collecting user information according to any one of claims 1 to 6.
CN202011489745.0A 2020-12-15 2020-12-15 Detection method and device for collecting user information by SDK, electronic equipment and storage medium Pending CN112528283A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011489745.0A CN112528283A (en) 2020-12-15 2020-12-15 Detection method and device for collecting user information by SDK, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011489745.0A CN112528283A (en) 2020-12-15 2020-12-15 Detection method and device for collecting user information by SDK, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN112528283A true CN112528283A (en) 2021-03-19

Family

ID=75000759

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011489745.0A Pending CN112528283A (en) 2020-12-15 2020-12-15 Detection method and device for collecting user information by SDK, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN112528283A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9038043B1 (en) * 2012-06-21 2015-05-19 Row Sham Bow, Inc. Systems and methods of information processing involving activity processing and/or optimization features
CN107133519A (en) * 2017-05-15 2017-09-05 华中科技大学 Privacy compromise detection method and system in a kind of Android application network communication
WO2019001562A1 (en) * 2017-06-30 2019-01-03 中兴通讯股份有限公司 Model loading method and apparatus, storage medium, and computer device
CN110955887A (en) * 2019-10-15 2020-04-03 浙江省北大信息技术高等研究院 Abnormal behavior detection method and device
CN111654495A (en) * 2020-06-03 2020-09-11 百度在线网络技术(北京)有限公司 Method, apparatus, device and storage medium for determining traffic generation source
CN111967000A (en) * 2020-08-18 2020-11-20 中国银行股份有限公司 Cross-border financial APP compliance monitoring method, device and system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
轩志朋 et al.: "Design of a real-time vulnerability detection system for web applications", Information Security (《信息安全》), pages 91-93 *
马凯: "Research on privacy leakage and security of third-party SDKs in the Android ecosystem", Master's Theses Electronic Journal (《硕士电子期刊》), pages 12-20 *

Similar Documents

Publication Publication Date Title
ES2808954T3 (en) Procedure and device for use in risk management of application information
EP2691848B1 (en) Determining machine behavior
CN113489713B (en) Network attack detection method, device, equipment and storage medium
CN106484606A (en) Method and apparatus submitted to by a kind of code
CN110851872B (en) Risk assessment method and device for private data leakage
CN110474900B (en) Game protocol testing method and device
CN110516173B (en) Illegal network station identification method, illegal network station identification device, illegal network station identification equipment and illegal network station identification medium
CN103746992A (en) Reverse-based intrusion detection system and reverse-based intrusion detection method
CN114036059A (en) Automatic penetration testing system and method for power grid system and computer equipment
CN106998336B (en) Method and device for detecting user in channel
CN106301979B (en) Method and system for detecting abnormal channel
Koch et al. The {OK} Is Not Enough: A Large Scale Study of Consent Dialogs in Smartphone Applications
Ferreira et al. Behaviour-based Malware Detection in Mobile AndroidPlatforms Using Machine Learning Algorithms.
CN112613893A (en) Method, system, equipment and medium for identifying malicious user registration
CN112528283A (en) Detection method and device for collecting user information by SDK, electronic equipment and storage medium
CN115600201A (en) User account information safety processing method for power grid system software
CN116305120A (en) Dual-verification android malicious software hybrid detection system and method
CN105162799A (en) Method for checking whether client is legal mobile terminal or not and server
CN106446687B (en) Malicious sample detection method and device
CN115080827A (en) Sensitive data processing method and device
Kedziora et al. Android malware detection using machine learning and reverse engineering
CN114465926A (en) Recursive server monitoring method, device, equipment and storage medium
CN113434826A (en) Detection method and system for counterfeit mobile application and related products
CN112085443A (en) Distribution resource detection method, distribution resource detection device, distribution resource task execution method, distribution resource detection device, distribution task execution device and electronic equipment
CN107623659B (en) Method and system for acquiring device characteristic ID

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination