JP2013137612A - Application analysis device, application analysis system, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an application analysis device, an application analysis system, and a program that can automatically and forcibly start a component of an application.SOLUTION: A storage unit 10 stores an application file including an execution file including a component that is an element realizing the function of an application and a manifest file defining a function and authority to be used by the application. A manifest analysis unit 111 analyzes the manifest file included in the application file and identifies the component included in the execution file. An intent issue unit 110 generates intent for starting the component identified by the manifest analysis unit 111 and starts the component.

Description

  The present invention relates to an application analysis apparatus and an application analysis system that analyze application functions. The present invention also relates to a program for causing a computer to function as the application analysis apparatus.

  Portable information terminals called smartphones that use an open platform using a general-purpose OS (operating system) have become widespread. As a general-purpose OS installed in smartphones, Android (registered trademark), which has abundant APIs that are a set of instructions and functions for using information and functions managed by terminals, is attracting attention. . As an example, this specification describes a smartphone equipped with an Android (registered trademark) OS.

  A smartphone is a platform that allows anyone to freely develop and publish applications and allow users to freely install published applications. By introducing a published application to a smartphone, various functions of the smartphone can be expanded flexibly and easily.

  However, among applications, there is a malicious application (malware) that collects information in the terminal and transmits it to the outside so that the user does not notice it. In particular, an application that impersonates a legitimate application and performs such illegal behavior is called a Trojan horse, and it is difficult for the user to notice the threat.

  Smartphones are provided with APIs that control phones and cameras, and applications can make calls, SMS (Short Message Service) communications, and take pictures using the APIs. If these actions are secretly performed by a malicious application, self-charging or privacy leakage will occur.

  Smartphones are devices that have a closer connection with users than PCs (personal computers), and collect personal information such as phone numbers, email addresses, address books, email transmission / reception histories, and Internet browsing histories. In addition, because of the high functionality of the terminal and the mode of use that is always carried, it is possible to easily acquire information such as location information that was not collected by conventional PCs, and face the threat of misuse of information.

  In addition, the smartphone has a function of automatically starting the application in response to a change in the state of the terminal, in addition to a function that allows the user to explicitly operate to start the application. For example, the application can be automatically started by a change in the state of the terminal such as an incoming call, a terminal restarted, or WiFi turned on. Therefore, once a user mistakenly installs a malicious application on a terminal, information leakage may occur without the user's knowledge. Therefore, there is a need to protect users from threats where information is misused in environments where applications are readily available.

  As a technique for protecting users from threats caused by malicious applications, a mechanism for verifying application safety in advance and detecting malicious applications is effective. A dynamic analysis technique has been proposed as one technique for detecting an application that leaks information.

  The dynamic analysis is a method for determining malignancy / benignity of an application by actually operating the application and analyzing a log in which the behavior of the application is recorded (see, for example, Non-Patent Document 1). As a typical analysis method, there is a method using information of an strace log. This method is a method for analyzing malignant behavior from information recorded in a log when an application uses a system function.

Keisuke Takemori, Takamasa Sugawara, Ayumu Kubota, Tomoaki Takano, "Information leak detection on Android mobile phones", IEICE, SCIS2011 Symposium, January 2011

  An application that runs on Android (registered trademark) has a plurality of components that realize various functions of the application as components. With the dynamic analysis method, if a desired state change does not occur during the analysis target period for a component that starts automatically in response to a change in the state of the terminal, that component will not start, so a log related to that component can be acquired. Therefore, there is a problem that a malicious application is missed. In addition, there is a limit in covering all the operations that the user performs on the application, and there may be a case where a component that cannot be started occurs.

  The present invention has been made in view of the above-described problems, and an object thereof is to provide an application analysis device, an application analysis system, and a program that can automatically and forcibly start application components. .

  The present invention has been made to solve the above-described problems, and includes an executable file that includes components that are components that realize the functions of the application, and a manifest file that defines the functions and privileges used by the application. A storage unit that stores an application file, an analysis unit that analyzes the manifest file included in the application file and identifies the component included in the execution file, and an interface that activates the component identified by the analysis unit An application analysis apparatus comprising: an activation unit that generates a tent and activates the component.

  In addition, the present invention communicates with a storage unit that stores an application file including an executable file that includes components that are components that realize the functions of the application, and a manifest file that defines the functions and privileges used by the application. A second communication unit that communicates with a terminal device having a first communication unit to perform, an acquisition unit that acquires the application file via the first communication unit and the second communication unit, and the acquisition Analyzing the manifest file included in the application file acquired by a unit, generating an analysis unit for identifying the component included in the execution file, and generating an intent for starting the component specified by the analysis unit , Via the first communication unit and the second communication unit A starting unit that starts the serial component, an application analyzing apparatus characterized by comprising a.

  The application analysis apparatus of the present invention further includes a dynamic analysis unit that performs dynamic analysis of the application based on a log in which operation results of the components activated by the intent generated by the activation unit are recorded. It is characterized by that.

  In addition, the application analysis apparatus according to the present invention acquires, via the first communication unit and the second communication unit, a log in which an operation result of the component activated by the intent generated by the activation unit is recorded. And a dynamic analysis unit that performs dynamic analysis of the application based on the log.

  In addition, the application analysis apparatus of the present invention adds a disassembly unit that disassembles the application file to obtain a source file, and a code related to an ID for the component to receive an intent for the source file. The change unit for changing the source file, the source file to which the code is added is assembled, the assembly unit for generating the application file, and the application file generated by the assembly unit in the storage unit And an installation unit for storing the analysis unit, wherein the analysis unit analyzes the manifest file included in the application file stored in the storage unit by the installation unit and includes the file in the execution file. And identifies the component to be.

  In addition, the present invention is an application analysis system including a terminal device and an application analysis device, wherein the terminal device includes an executable file including components that are components that realize the function of the application, and a function used by the application And a storage unit that stores an application file including a manifest file in which authority is defined, and a first communication unit that communicates with the application analysis device. The application analysis device communicates with the terminal device. A second communication unit that performs the acquisition, an acquisition unit that acquires the application file via the first communication unit and the second communication unit, and the manifest included in the application file acquired by the acquisition unit Parse the file and include it in the executable An analysis unit that identifies the component to be generated, and an intent that activates the component identified by the analysis unit and activates the component via the first communication unit and the second communication unit And an application analysis system characterized by comprising:

  The present invention also provides a storage unit for storing an application file including an executable file including components that are components that realize the functions of the application, and a manifest file in which functions and privileges used by the application are defined, and the application Analyzing the manifest file included in the file, specifying the component included in the execution file, generating an intent for starting the component specified by the analysis unit, and starting the component And a program for causing a computer to function as the unit.

  In addition, the present invention communicates with a storage unit that stores an application file including an executable file that includes components that are components that realize the functions of the application, and a manifest file that defines the functions and privileges used by the application. A second communication unit that communicates with a terminal device having a first communication unit to perform, an acquisition unit that acquires the application file via the first communication unit and the second communication unit, and the acquisition Analyzing the manifest file included in the application file acquired by a unit, generating an analysis unit for identifying the component included in the execution file, and generating an intent for starting the component specified by the analysis unit , Via the first communication unit and the second communication unit A starting unit that starts the serial component is a program for causing a computer to function as a.

  According to the present invention, by analyzing the manifest file included in the application file, the component included in the execution file is specified, the intent for starting the component is generated, and the component is started, thereby starting the component of the application. Can be automatically and forcibly activated.

It is a block diagram which shows the structure of the application analysis apparatus by the 1st Embodiment of this invention. It is a reference diagram which shows the structure of the package file in the 1st Embodiment of this invention. It is a sequence diagram which shows the analysis procedure of the application in the 1st Embodiment of this invention. It is a reference figure which shows the content of the manifest file in the 1st Embodiment of this invention. FIG. 6 is a reference diagram illustrating a method for starting Activity in the first embodiment of the present invention. FIG. 6 is a reference diagram illustrating a method for starting a BroadcastReceiver in the first embodiment of the present invention. It is a block diagram which shows the structure of the application analysis apparatus by the 2nd Embodiment of this invention. It is a block diagram which shows the structure of the application change part with which the application analysis apparatus by the 2nd Embodiment of this invention is provided. It is a sequence diagram which shows the analysis procedure of the application in the 2nd Embodiment of this invention. It is a reference diagram which shows the method which starts Service in the 2nd Embodiment of this invention. It is a block diagram which shows the structure of the application analysis system by the 3rd Embodiment of this invention. It is a sequence diagram which shows the analysis procedure of the application in the 3rd Embodiment of this invention. It is a block diagram which shows the structure of the application analysis system by the 3rd Embodiment of this invention.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. In this specification and drawings, for convenience, the character string “android (registered trademark)” is substituted with the character string “* andrd *” and the character string “Android (registered trademark)” is substituted with the character string “* Andrd *” as necessary. ing. That is, the character string * andrd * is equivalent to the character string android (registered trademark), and the character string * Andrd * is equivalent to the character string Android (registered trademark).

  There are four components that are components of an application that runs on Android (registered trademark): Activity, Service, BroadcastReceiver, and ContentProvider. When a component inherited by a class is described in the application source code, a method defined in the class can use the component. Hereinafter, each component will be described.

  Activity is a component that provides a visual interface to the user and interacts with the user on the screen. If the screen is displayed when the application is started, the program described in Activity is running.

  Service is a component that executes processing in the background without having a function of displaying a screen. For example, when the user activates a browser while listening to music and enjoys using the Internet, the user can listen to the music while using the Internet by activating the service for the music application.

  BroadcastReceiver is a component that receives INTENT broadcasted to the entire system of a terminal device equipped with Android (registered trademark). For example, an application that displays a screen that includes the message “Remaining battery level is low” when the battery level is low, receives the BroadcastIntent issued when the battery level changes by the BroadcastReceiver. The application starts Activity and displays the screen.

  ContentProvider is a component that makes it possible for other components to use data held by the application. For example, when an application wants to acquire phonebook data, the application acquires information registered in the phonebook using the ContentProvider of the phonebook application.

  Android (registered trademark) has a mechanism called Intent. The intent plays a role of connecting components such as passing information between components and starting components. Among the components, Activity, BroadcastReciver, and Service are activated by intent. Even if the code that starts the component is described in the source file, it does not make it possible to start the component by intent. In order to explicitly inform the system of the intent, it is necessary to declare the use of the component in a file called a manifest file. In each of the following embodiments, there is a method for forcibly starting a component by analyzing the component information described in the manifest file and issuing an intent to each component included in the application based on the analysis result. explain.

  As a technique for a malicious user to introduce an Android (registered trademark) Trojan to another person's terminal, there is a technique in which a legitimate application is falsified so that an illegal behavior occurs and the application is released to the market. The developer of the malicious application disassembles (disassembles) the executable file of the regular application to acquire the source file, falsifies the source file, and then assembles the source file to generate the executable file of the malicious application. There are the following two methods as a simple method for falsifying a legitimate application so that an illegal behavior occurs. Trojan horses that have appeared so far often take one of two approaches.

  The first technique is a technique for falsifying a legitimate application so that an illegal behavior occurs when a terminal state change occurs by using BroadcastReceiver. This technique can be easily realized by falsifying only the manifest file without falsifying the execution code of a legitimate application.

  In the second method, in the source code of a legitimate application, the code of the method that generates incorrect behavior is written at the place where the onCreate method of Activity that is called and executed first when the application starts is described. It is a technique to append. The onCreate method is a method that is called and executed first when Activity, Service, BroadcastReceiver, and ContentProvider are activated. When an intent that activates each component is issued, it is automatically executed. It is easy to analyze the method that is called first when the application is started, and this method can be realized by an easy method of inserting several lines of code.

  In each of the following embodiments, it is possible to perform dynamic analysis of a Trojan horse-shaped malware having any of the above characteristics by forcibly starting all the components included in the application.

(First embodiment)
First, a first embodiment of the present invention will be described. FIG. 1 shows the configuration of the application analysis apparatus according to the present embodiment. The application analysis apparatus includes a storage unit 10, an application analysis unit 11, and a dynamic analysis unit 12.

  The storage unit 10 stores a package file (application file) including an execution file of an application to be analyzed. FIG. 2 shows the configuration of the package file of the application before installation. The package file is, for example, a file with an extension of .apk, and defines an execution file F1 (for example, an extension of .dex) including a component that is a component that realizes the function of the application, and functions and authority used by the application. And a manifest file F2 (for example, the extension is .xml) and various resource files F3 such as a text file and an image file used by the application. When the application is installed, the package file is expanded and various files are stored in the storage unit 10, and the package file itself is stored under a predetermined folder (/ data / app /) in the storage unit 10.

  The application analysis unit 11 analyzes the function of the application using the package file of the analysis target application. The application analysis unit 11 of the present embodiment is configured as an application. The application analysis unit 11 includes an intent issue unit 110 and a manifest analysis unit 111. The manifest analysis unit 111 analyzes the manifest file included in the package file, and identifies the component included in the execution file. The intent issuing unit 110 issues (generates) an intent for starting each component specified by the manifest analysis unit 111, thereby starting an application for each component. The dynamic analysis unit 12 performs dynamic analysis of the activated application.

  Since ContentProvider is a component for managing data, in this embodiment, it is not a target for issuing intents. Activity and BroadcastReceiver can be started by issuing an intent, but Service cannot be started because intents from other applications do not reach the analysis target application due to security reasons. . In the present embodiment, a method for activating Activity and BroadcastReceiver will be described.

  Next, the operation of the application analysis apparatus will be described. FIG. 3 shows an application analysis procedure. First, the manifest analysis unit 111 extracts a manifest file from the package file of the analysis target application stored in the storage unit 10 (step S100). In Android (registered trademark), a package file of an application installed on a terminal is stored under a predetermined folder (/ data / app /). In step S100, the manifest analysis unit 111 refers to this folder.

  Subsequently, the manifest analysis unit 111 analyzes the contents of the manifest file, and acquires the package name of the analysis target application, the class name of Activity, and the start condition of BroadcastReceiver (step S105). FIG. 4 shows an example of the contents of the manifest file. The package name of the application to be analyzed is "" "that follows the string" package = "in the tag that starts with the string" <manifest "(the part enclosed by" <"and"> "). It is written in the part surrounded by "". In FIG. 4, the package name is “com.sample.app”.

  The class name of Activity is described in the part enclosed by "" and "" "following the string" * andrd *: name = "in the tag that starts with the string" <activity " . In FIG. 4, the class name is “.Main_Activity”. The BroadcastReceiver activation condition is in the part enclosed by the string "<intent-filter>" and the string "</ intent-filter>" after the tag that starts with the string "<receiver". , “<Action”, and a portion starting with the character string “* andrd *: name =” in the tag and surrounded by ““ ”and“ “”. In FIG. 4, the start condition of BroadcastReceiver is “* andrd * .intent.action.BOOT_COMPLETED”. In this example, it is indicated that the BroadcastReceiver is started when the system is started.

  Subsequently, the intent issuing unit 110 issues (generates) an intent for the component included in the analysis target application based on the information acquired in step S105, and the component of the application installed in the storage unit 10 Is activated (step S110). Activity can be started by issuing an intent specifying the package name and class name. Specifically, in step S110, the intent issuing unit 110 generates an intent object and executes the startActivity method. FIG. 5 shows an example of a code for starting Activity. An intent object is generated on the first line, and a package name and a class name are specified on the second line. In the third line, a flag necessary for starting the Activity is added, and in the fourth line, the startActivity method is executed and an intent is issued.

  BroadcastReceiver can be activated by issuing an intent of the condition specified as the activation condition. Specifically, in step S110, the intent issuing unit 110 generates an intent object and executes the sendBroadcast method. FIG. 6 shows an example of a code that activates BroadcastReceiver. An intent object in which a start condition is set is generated on the first line, and a sendBroadcast method is executed on the second line to issue an intent.

  As described above, after the components constituting the analysis target application are started, the dynamic analysis unit 12 performs dynamic analysis of the application based on the log in which the operation result of the component is recorded. Application logs can be obtained by executing commands such as strace and Logcat.

  As described above, according to the present embodiment, by analyzing the manifest file included in the package file, the component of Activity and BroadcastReceiver included in the application is specified, and an intent for starting the component is generated, and the component By starting the application component, the application component can be automatically and forcibly started. For this reason, components that have been difficult to analyze with the conventional dynamic analysis method can be activated, and the comprehensiveness of the dynamic analysis can be improved. Moreover, the evaluation cost can be reduced by automatically starting a component that has been started by a manual operation of the evaluator.

(Second Embodiment)
Next, a second embodiment of the present invention will be described. In Android (registered trademark), an ID called UID, which is different for each application, is given to the application. Resources cannot be shared between applications with different UIDs, and intents from other applications with different UIDs do not reach the analysis target application for Service. However, by using a mechanism called sharedUserId, it is possible to run two applications with the same UID. As a result, the resource can be shared between the two applications, and the component can be activated by the Service intent.

  FIG. 7 shows the configuration of the application analysis apparatus according to the present embodiment. The application analyzing unit 11 is different from the first embodiment in that it includes an application changing unit 112 in addition to the intent issuing unit 110 and the manifest analyzing unit 111. Other configurations are the same as those described in the first embodiment.

  FIG. 8 shows the configuration of the application changing unit 112. The application change unit 112 includes a disassemble unit 112a, a manifest change unit 112b, an assemble unit 112c, and an install unit 112d. The disassembly unit 112a disassembles (disassembles) the package file to be analyzed, and acquires a source file. The manifest changing unit 112b changes the manifest file by adding the code of sharedUserId to the manifest file included in the disassembled source file. The assembler 112c assembles the source file including the changed manifest file and generates a package file. The installation unit 112d installs an application in the storage unit 10 using the assembled package file. As described above, when an application is installed, the package file is expanded and various files are stored in the storage unit 10, and the package file itself is stored under a predetermined folder (/ data / app /) in the storage unit 10. Is stored.

  Next, the operation of the application analysis apparatus will be described. FIG. 9 shows an application analysis procedure. First, the application changing unit 112 changes the package file of the application to be analyzed so that the component can be activated by the Service intent (step S200). Specifically, in step S200, the following processing is performed.

  The disassemble unit 112a disassembles the package file to be analyzed, and acquires the source file of the package file (step S200a). Typical tools for disassembling include Apk-tool and Dedexer. Subsequently, the manifest changing unit 112b changes the manifest file by adding a code to the manifest file included in the disassembled source file (step S200b).

  Specifically, in step S200b, the manifest changing unit 112b adds a character string (code) “sharedUserId =“ aaa.bbb ”” in a tag starting with the character string “<manifest” in the manifest file. . “Aaa.bbb” is an example of a UID. The same code as the sharedUserId code described in the manifest file included in the package file of the application constituting the application analysis unit 11 is added to the manifest file of the application to be analyzed. That is, the application constituting the application analysis unit 11 and the analysis target application after the change have the same UID.

  Subsequently, the assembling unit 112c uses the same certificate as that used when assembling the application constituting the application analyzing unit 11 to sign and assemble the source file including the changed manifest file. Then, a package file is generated (step S200c). Subsequently, the installation unit 112d installs an application in the storage unit 10 using the assembled package file (step S200d).

  After changing the package file, the manifest analysis unit 111 extracts the manifest file from the package file of the analysis target application installed in the storage unit 10 (step S205). Since the package file of the application installed in the terminal is stored under a predetermined folder (/ data / app /), the manifest analysis unit 111 refers to this folder in step S205.

  Subsequently, the manifest analysis unit 111 analyzes the contents of the manifest file, and acquires the package name of the application to be analyzed and the class name of the service (step S210). The package name of the application to be analyzed is described in a portion surrounded by ““ ”and“ “” following the character string “package =” in the tag starting with the character string “<manifest”. In FIG. 4, the package name is “com.sample.app”. The class name of Service is described in the part surrounded by "" and "" "following the string" * andrd *: name = "in the tag that starts with the string" <service " . In FIG. 4, the class name is “.Main_Service”.

  Subsequently, the intent issuing unit 110 issues (generates) an intent for the component included in the analysis target application based on the information acquired in step S210, and the component of the application installed in the storage unit 10 Is activated (step S215). When the application constituting the application analysis unit 11 and the application to be analyzed operate with the same UID, the Service can be started by designating the package name and the class name and issuing an intent. Specifically, in step S215, the intent issuing unit 110 generates an intent object and executes the startService method. FIG. 10 shows an example of code for starting Service. An intent object in which a package name and a class name are set is generated on the first line, and a start service method is executed on the second line to issue an intent.

  As described above, after the components constituting the analysis target application are started, the dynamic analysis unit 12 performs dynamic analysis of the application based on the log in which the operation result of the component is recorded.

  As described above, according to the present embodiment, application components can be automatically and forcibly activated with respect to Service. Note that the application analysis unit 11 may have both the functions of the first embodiment and the functions of the second embodiment.

(Third embodiment)
Next, a third embodiment of the present invention will be described. In the third embodiment, an application analysis system including a terminal device that starts an analysis target application and an application analysis device will be described.

  FIG. 11 shows the configuration of the application analysis system according to this embodiment. The application analysis system includes a terminal device 1 and an application analysis device 2. The terminal device 1 includes a storage unit 10 and a communication unit 13. The application analysis device 2 includes an application analysis unit 20, a storage unit 21, and a dynamic analysis unit 22. The application analysis apparatus 2 is a PC (Personal Computer), for example.

  The storage unit 10 stores a package file (application file) including an execution file of an application to be analyzed. The communication unit 13 communicates with the application analysis device 2.

  The application analysis unit 20 analyzes the function of the application using the package file of the analysis target application. The application analysis unit 20 of this embodiment is configured as an application. The application analysis unit 20 includes a communication unit 200, an acquisition unit 201, an intent issue unit 202, and a manifest analysis unit 203. The communication unit 200 communicates with the terminal device 1. Communication between the terminal device 1 and the application analysis device 2 is performed using an adb Interface. adb Interface is an interface that connects a PC and a terminal device that runs on Android (registered trademark), and can operate the terminal device from a shell that runs on the PC. The Android (registered trademark) SDK (Software Development Kit) It is prepared as a tool.

  The acquisition unit 201 communicates with the communication unit 13 of the terminal device 1 via the communication unit 200 to acquire the package file of the analysis target application stored in the storage unit 10 and the log of the activated application. The manifest analysis unit 203 analyzes the manifest file included in the package file, and identifies the component included in the execution file. The intent issuing unit 202 issues (generates) an intent for starting each component specified by the manifest analysis unit 203, thereby starting an application for each component.

  The storage unit 21 stores a package file of an analysis target application acquired from the terminal device 1 at the time of application analysis. The dynamic analysis unit 22 performs dynamic analysis of the activated application.

  Next, the operation of the application analysis system will be described. FIG. 12 shows an application analysis procedure. First, the acquisition unit 201 communicates with the communication unit 13 of the terminal device 1 via the communication unit 200, and acquires a copy of the package file of the analysis target application stored in the storage unit 10 (step S300). Since the package file of the application installed in the terminal device 1 is stored under a predetermined folder (/ data / app /), the package file can be acquired by referring to this folder. In adb Interface, there is an adb pull command that acquires data of a terminal device from a PC. For example, a package file can be acquired by executing a command “adb pull /data/app/AAA.apk”. “AAA.apk” is the file name of the package file to be acquired. The acquired package file is stored in the storage unit 21.

  Subsequently, the manifest analysis unit 111 extracts a manifest file from the package file of the analysis target application stored in the storage unit 21 (step S305). In the Android (registered trademark) SDK, aapt is prepared as a tool for extracting a manifest file. In step S305, the manifest analysis unit 111 extracts a manifest file using aapt. For example, a manifest file can be extracted by executing a command “aapt d xmltree AAA.apk * Andrd * Manifest.xml”. “AAA.apk” is the file name of the package file to be acquired.

  Subsequently, the manifest analysis unit 203 analyzes the content of the manifest file, and acquires the package name of the application to be analyzed, the class name of Activity, and the broadcast receiver activation condition (step S310). The contents of each information acquired in step S310 are the same as the contents described in the first embodiment.

  Subsequently, the intent issuing unit 202 issues (generates) an intent for a component included in the analysis target application based on the information acquired in step S310. The intent issuing unit 202 transmits the issued intent to the communication unit 13 of the terminal device 1 via the communication unit 200, and activates the component of the application installed in the storage unit 10 (step S315).

  Activity can be started by issuing an intent specifying the package name and class name. In Android (registered trademark), there is an am command as a command for transmitting an intent using an adb interface. For example, the intent can be transmitted by executing a command “am start −n“ com.sample.app ”,“ com.sample.app.Main_Activity ””.

  BroadcastReceiver can be activated by issuing an intent of the condition specified as the activation condition. Like the Activity intent, you can use the am command to send the BroadcastReceiver intent. For example, an intent can be transmitted by executing a command “am broadcast −a“ * andrd * .intent.action.BOOT_COMPLETED ””.

  As described above, after the components constituting the analysis target application are started, the dynamic analysis unit 22 communicates with the communication unit 13 of the terminal device 1 via the communication unit 200, and the operation result of the component is recorded. The acquired log is acquired from the terminal device 1, and the dynamic analysis of the application is performed based on the acquired log.

  In the above, the dynamic analysis is performed by the application analysis apparatus 2, but the terminal apparatus 1 may perform the dynamic analysis. FIG. 13 shows another configuration example of the application analysis system according to the present embodiment. In the application analysis system shown in FIG. 13, the terminal device 1 has a dynamic analysis unit 12. The application analysis unit 20 activates components constituting the analysis target application, communicates with the communication unit 13 of the terminal device 1 via the communication unit 200, and gives a dynamic analysis instruction to the dynamic analysis unit 12. . Upon receiving the instruction, the dynamic analysis unit 12 performs dynamic analysis of the application based on a log in which the operation result of the component is recorded.

  As described above, according to the present embodiment, with regard to Activity and BroadcastReceiver, application components are automatically and forcibly started from the application analysis device 2 connected to the terminal device 1 in which the application to be analyzed is installed. Can do.

  The application analysis units 11 and 20 of each embodiment described above are configured as applications. An application program constituting the application analysis units 11 and 20 is recorded on a computer-readable recording medium, and the program recorded on the recording medium is read by a computer (the application analysis apparatus in each of the above embodiments) and executed. By doing so, the application analysis units 11 and 20 execute the prescribed processing.

  Here, the “computer” includes a homepage providing environment (or display environment) if the WWW system is used. The “computer-readable recording medium” refers to a storage device such as a portable medium such as a flexible disk, a magneto-optical disk, a ROM, and a CD-ROM, and a hard disk built in the computer. Further, the “computer-readable recording medium” refers to a volatile memory (RAM) in a computer system that becomes a server or a client when a program is transmitted via a network such as the Internet or a communication line such as a telephone line. In addition, those holding programs for a certain period of time are also included.

  The program described above may be transmitted from a computer storing the program in a storage device or the like to another computer via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting a program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line. Further, the above-described program may be for realizing a part of the above-described function. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer, what is called a difference file (difference program) may be sufficient.

  As described above, the embodiments of the present invention have been described in detail with reference to the drawings. However, the specific configuration is not limited to the above-described embodiments, and includes design changes and the like without departing from the gist of the present invention. .

  DESCRIPTION OF SYMBOLS 1 ... Terminal device, 2 ... Application analysis apparatus, 10, 21 ... Memory | storage part, 11, 20 ... Application analysis part, 12, 22 ... Dynamic analysis part, 13,200 ... Communication unit 110, 202 ... Intent issuing unit (starting unit), 111, 203 ... Manifest analysis unit (analysis unit), 112a ... Disassembly unit, 112b ... Manifest change unit (change) Part), 112c ... assembly part, 112d ... installation part, 201 ... acquisition part

Claims (8)

A storage unit that stores an application file that includes an executable file that includes components that are components that realize the functions of the application, and a manifest file that defines the functions and privileges used by the application;
Analyzing the manifest file included in the application file, and identifying the component included in the executable file;
Generating an intent for starting the component specified by the analysis unit, and starting the component;
An application analysis apparatus characterized by comprising: A storage unit for storing an application file including an executable file that is a component that realizes the function of the application, and a manifest file in which the function and authority used by the application are defined, and a first communication unit that performs communication A second communication unit that communicates with a terminal device including:
An acquisition unit for acquiring the application file via the first communication unit and the second communication unit;
An analysis unit that analyzes the manifest file included in the application file acquired by the acquisition unit and identifies the component included in the execution file;
An intent that activates the component specified by the analysis unit, and an activation unit that activates the component via the first communication unit and the second communication unit;
An application analysis apparatus characterized by comprising:   The dynamic analysis unit according to claim 1, further comprising a dynamic analysis unit that performs dynamic analysis of an application based on a log in which an operation result of the component activated by the intent generated by the activation unit is recorded. Application analysis device.   A log in which the operation result of the component activated by the intent generated by the activation unit is recorded is acquired via the first communication unit and the second communication unit, and an application operation is performed based on the log. The application analysis apparatus according to claim 2, further comprising a dynamic analysis unit that performs dynamic analysis. A disassemble unit for disassembling the application file to obtain a source file;
A changing unit that changes the source file by adding a code related to an ID for the component to receive an intent for the source file;
Assembling the source file to which the code is added, and generating an application file; and
An installation unit for storing the application file generated by the assembly unit in the storage unit;
Further comprising
2. The analysis unit according to claim 1, wherein the analysis unit analyzes the manifest file included in the application file stored in the storage unit by the installation unit, and identifies the component included in the execution file. Application analysis device. An application analysis system including a terminal device and an application analysis device,
The terminal device
A storage unit that stores an application file that includes an executable file that includes components that are components that realize the functions of the application, and a manifest file that defines the functions and privileges used by the application;
A first communication unit that communicates with the application analysis device;
Have
The application analyzer is
A second communication unit that communicates with the terminal device;
An acquisition unit for acquiring the application file via the first communication unit and the second communication unit;
An analysis unit that analyzes the manifest file included in the application file acquired by the acquisition unit and identifies the component included in the execution file;
An intent that activates the component specified by the analysis unit, and an activation unit that activates the component via the first communication unit and the second communication unit;
An application analysis system characterized by comprising: A storage unit that stores an application file that includes an executable file that includes components that are components that realize the functions of the application, and a manifest file that defines the functions and privileges used by the application;
Analyzing the manifest file included in the application file, and identifying the component included in the executable file;
Generating an intent for starting the component specified by the analysis unit, and starting the component;
As a program to make the computer function as. A storage unit for storing an application file including an executable file that is a component that realizes the function of the application, and a manifest file in which the function and authority used by the application are defined, and a first communication unit that performs communication A second communication unit that communicates with a terminal device including:
An acquisition unit for acquiring the application file via the first communication unit and the second communication unit;
An analysis unit that analyzes the manifest file included in the application file acquired by the acquisition unit and identifies the component included in the execution file;
An intent that activates the component specified by the analysis unit, and an activation unit that activates the component via the first communication unit and the second communication unit;
As a program to make the computer function as.

Images