CN104049973A - Safety verification method and device for android application program - Google Patents
- Publication number
- CN104049973A (application number CN201410291357.XA)
- Authority
- CN
- China
- Prior art keywords
- android application
- application program
- pki
- signed
- signature
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Landscapes
- Stored Programmes (AREA)
Abstract
The invention relates to a security verification method and device for an Android application program. The method comprises the steps that (1) a public key is extracted from the signed installation file (APK file) of the Android application program and stored at a service access end, the public key extracted from the signed APK file being denoted the first public key; (2) when the signed Android application program is initialized, the service access end obtains the public key of the signed Android application program, which is denoted the second public key; (3) the service access end compares the second public key with the first public key and judges from the comparison result whether the signed Android application program is safe. The method and device effectively prevent lawbreakers from maliciously attacking a platform by counterfeiting an APK identity, effectively prevent the security risk brought by a maliciously falsified Android application program, and improve the safety of the platform.
Description
Technical field
The present invention relates to the field of information technology, and in particular to a security verification method and device for Android application programs.
Background technology
Android is a free, open-source operating system based on Linux, used mainly on mobile devices such as smartphones and tablet computers; it is referred to below as the Android operating system. An APK (Android application package) is the installation file of an Android application. "Cracking" an APK means decompiling the APK file, analysing the code at the assembly level, modifying it or inserting one's own code, and then signing and packaging the result as an APK file again, so as to change the program's original behaviour. In other words, cracking an APK file has three main steps: decompiling, code analysis, and repacking with a new signature.
A cracked APK file can bring great security hazards to users. For example, the "mobile business hall" applications of the various operators have attracted millions of downloads on Android phones, and users rely on them to avoid queuing in a business hall. But a large number of mobile applications are repacked after being cracked, with multiple malicious advertising plug-ins implanted, and some of these plug-ins also steal sensitive information such as phone numbers and contact lists. When a user of an Android phone downloads and installs a tampered copy of a popular application such as a "mobile business hall", the phone number, geographical location and contact list may all be collected. Once this sensitive information is resold by lawbreakers, the user receives large volumes of spam messages, harassing calls and precisely targeted advertising. The tampered application may also connect to the network in the background and download advertising data, consuming considerable traffic and ultimately costing the user phone charges.
It can be seen that how to verify whether an Android phone application has been tampered with, so as to prevent the security risk brought by a maliciously tampered Android application, is a major problem that current Android phone applications urgently need to solve.
Summary of the invention
The technical problem to be solved by the present invention is to provide a security verification method and device for Android application programs that effectively prevent the security risk brought by maliciously tampered Android applications and strengthen security.
To solve the above technical problem, the present invention proposes a security verification method for an Android application program, comprising:
Step 1, a public key is extracted from the signed installation file of the Android application program, i.e. the APK file, and saved at the service access end, the public key taken from the signed APK file being denoted the first public key; the service access end refers to the download end of the Android application program, the public key is contained in the signed APK file, and the signature file used to sign the APK file is generated by the developer;
Step 2, when the signed Android application program is initialized, the service access end obtains the public key of the signed Android application program and denotes it the second public key; the signed Android application program refers to the Android application program after it has been signed with the signature file;
Step 3, the service access end compares the second public key with the first public key and judges from the comparison result whether the signed Android application program is safe.
Further, in the above security verification method, step 3 may comprise: if the comparison result is that the second public key is consistent with the first public key, the signed Android application program is judged safe; if the comparison result is that the second public key and the first public key are inconsistent, the signed Android application program is judged unsafe.
Further, the above security verification method may also comprise, after step 3, step 4: if the judgment result is that the signed Android application program is safe, the service access end returns related data to the signed Android application program.
To solve the above technical problem, the present invention also proposes a security verification device for an Android application program, comprising a saving module, an acquisition module and a verification module connected in turn, wherein:
the saving module extracts a public key from the signed installation file of the Android application program, i.e. the APK file, and saves it at the service access end, the public key taken from the signed APK file being denoted the first public key; the service access end refers to the download end of the Android application program, the public key is contained in the signed APK file, and the signature file used to sign the APK file is generated by the developer;
the acquisition module, when the signed Android application program is initialized, has the service access end obtain the public key of the signed Android application program, denoted the second public key; the signed Android application program refers to the Android application program after it has been signed with the signature file;
the verification module has the service access end compare the second public key with the first public key and judge from the comparison result whether the signed Android application program is safe.
Further, in the above security verification device, the verification module may comprise:
a first judging unit, which judges the signed Android application program safe when the comparison result is that the second public key is consistent with the first public key;
a second judging unit, which judges the signed Android application program unsafe when the comparison result is that the second public key and the first public key are inconsistent.
Further, the above security verification device may also comprise a return module connected to the verification module, which returns related data to the signed Android application program when the judgment result of the verification module is that the signed Android application program is safe.
The security verification method and device of the present invention rely on the mechanism that an APK which has been decompiled and repacked must, once re-signed, carry a signature different from the official one. They authenticate the APK on this basis, checking its identity by an online signature comparison. This effectively stops lawbreakers from maliciously attacking the platform by copying an APK's identity, effectively prevents the security risk brought by maliciously tampered Android applications, and strengthens the security of the platform.
Brief description of the drawings
Fig. 1 is a flow chart of the security verification method for an Android application program in an embodiment of the present invention;
Fig. 2 is an application example diagram of the security verification method for an Android application program in an embodiment of the present invention;
Fig. 3 is a structural block diagram of the security verification device for an Android application program in an embodiment of the present invention.
Detailed description of the embodiments
The principles and features of the present invention are described below with reference to the accompanying drawings; the examples serve only to explain the invention and are not intended to limit its scope.
Fig. 1 is a flow chart of the security verification method for an Android application program in an embodiment of the present invention. As shown in Fig. 1, in this embodiment the method may comprise the following steps:
Step S101, a public key is extracted from the signed installation file of the Android application program, i.e. the APK file, and saved at the service access end, the public key taken from the signed APK file being denoted the first public key; the service access end refers to the download end of the Android application program, the public key is contained in the signed APK file, and the signature file used to sign the APK file is generated by the developer;
Here, the signature file refers to the Android application signature file.
Step S102, when the signed Android application program is initialized, the service access end obtains the public key of the signed Android application program and denotes it the second public key; the signed Android application program refers to the Android application program after it has been signed with the signature file;
Step S103, the service access end compares the second public key with the first public key and judges from the comparison result whether the signed Android application program is safe.
Specifically, in step S103, judging from the comparison result whether the signed Android application program is safe may comprise: if the comparison result is that the second public key is consistent with the first public key, the signed Android application program is judged safe, that is, legitimate; if the comparison result is that the second public key and the first public key are inconsistent, the signed Android application program is judged unsafe, that is, illegitimate.
In other embodiments of the invention, the method may further comprise, after step S103: if the judgment result is that the signed Android application program is safe, the service access end returns related data to the signed Android application program.
Fig. 2 is an application example diagram of the security verification method for an Android application program in an embodiment of the present invention. As shown in Fig. 2, in this embodiment the method comprises the following steps:
Step S201, the application developer generates a keystore file;
The keystore file is the Android application signature file (i.e. the Android application signature file mentioned above).
Step S202, a public key is extracted from the APK file signed with the keystore file and submitted to the service access end;
Step S203, the Android application is signed with the generated keystore file;
Step S204, the signed Android application is initialized;
Step S205, the Android application is initialized successfully;
Step S206, a capability call is made, and the SDK (Software Development Kit) obtains the public key of the signed Android application;
Step S207, verify whether the public keys are consistent;
That is, verify whether the public key that was extracted from the keystore file and submitted to the service access end, where it is kept, is consistent with the public key obtained from the signed Android application. If they are consistent, the signed Android application is safe; otherwise the signed Android application is unsafe.
Step S208, if the keys are consistent, the capability call returns data. Here, the returned data refers to the related data of the capability call.
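The steps S201 to S208 above, worked through end to end as an added example (not code from the patent or its applicant). The script reads the v1 (JAR) signature block `META-INF/*.RSA` of an APK, walks the PKCS#7 SignedData structure to the signer certificate's SubjectPublicKeyInfo, fingerprints it as the "first public key", and has a service access end answer a capability call only when the key reported at initialization matches. The APK bytes, the certificate contents and the key material are constructed placeholders; the DER walker assumes a single self-signed developer certificate in the signature block, which is the usual case for APKs, and does not itself verify the JAR signature (on a device that is the installer's job, and the patent's scheme builds on it). Nothing here is the patent's own code.

```python
import hashlib
import hmac
import io
import zipfile

# DER value bytes of OID 1.2.840.113549.1.7.2 (pkcs7-signedData).
OID_SIGNED_DATA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"


def der(tag, content):
    """Encode one DER TLV. Used here only to build the constructed sample APK."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def der_read(buf, pos):
    """Decode the TLV header at pos; return (tag, content_start, content_end)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag numbers do not occur in PKCS#7/X.509 here")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not valid DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the buffer")
    return tag, pos, pos + length


def der_children(buf, start, end):
    """Split a constructed element's content into (tag, elem_start, content_start, content_end)."""
    out, pos = [], start
    while pos < end:
        tag, cs, ce = der_read(buf, pos)
        out.append((tag, pos, cs, ce))
        pos = ce
    return out


def spki_from_pkcs7(p7):
    """Return the DER SubjectPublicKeyInfo of the first certificate in a PKCS#7 SignedData blob."""
    tag, cs, ce = der_read(p7, 0)                          # ContentInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    fields = der_children(p7, cs, ce)                     # contentType OID, [0] EXPLICIT content
    if len(fields) != 2 or fields[0][0] != 0x06 or fields[1][0] != 0xA0:
        raise ValueError("not a PKCS#7 ContentInfo")
    if p7[fields[0][2]:fields[0][3]] != OID_SIGNED_DATA:
        raise ValueError("content is not SignedData")
    _, sd_cs, sd_ce = der_read(p7, fields[1][2])           # SignedData ::= SEQUENCE
    # SignedData: version, digestAlgorithms, contentInfo, certificates [0] IMPLICIT OPTIONAL,
    # crls [1] IMPLICIT OPTIONAL, signerInfos.
    cert_sets = [f for f in der_children(p7, sd_cs, sd_ce) if f[0] == 0xA0]
    if not cert_sets:
        raise ValueError("SignedData carries no certificates")
    cert = der_children(p7, cert_sets[0][2], cert_sets[0][3])[0]   # assumption: single signer cert
    tbs = der_children(p7, cert[2], cert[3])[0]            # TBSCertificate
    tbs_fields = der_children(p7, tbs[2], tbs[3])
    if tbs_fields and tbs_fields[0][0] == 0xA0:            # optional [0] EXPLICIT version
        tbs_fields = tbs_fields[1:]
    if len(tbs_fields) < 6:
        raise ValueError("malformed TBSCertificate")
    spki = tbs_fields[5]   # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return p7[spki[1]:spki[3]]


def public_key_fingerprint(apk_bytes):
    """Steps S202/S206: SHA-256 hex of the signer's SubjectPublicKeyInfo from the v1 signature block."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        blocks = [n for n in z.namelist()
                  if n.upper().startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        if len(blocks) != 1:
            raise ValueError("expected exactly one signature block, found %d" % len(blocks))
        p7 = z.read(blocks[0])
    return hashlib.sha256(spki_from_pkcs7(p7)).hexdigest()


class ServiceAccessEnd:
    """Keeps the first public key per application and answers capability calls only on a match."""

    def __init__(self):
        self._first_keys = {}

    def save_first_key(self, app_id, apk_bytes):
        self._first_keys[app_id] = public_key_fingerprint(apk_bytes)

    def capability_call(self, app_id, second_key):
        first_key = self._first_keys.get(app_id)
        # Unknown app or mismatching key: judged unsafe, so no related data is returned (S207/S208).
        if first_key is None or not hmac.compare_digest(first_key.encode(), str(second_key).encode()):
            return None
        return {"app": app_id, "related_data": "capability-call payload"}


def build_sample_apk(spki_content):
    """Constructed sample: a zip shaped like a v1-signed APK whose CERT.RSA carries a synthetic
    certificate with the given SubjectPublicKeyInfo content. Empty SEQUENCEs stand in for fields."""
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0x30, b"") * 4 + der(0x30, spki_content))
    cert = der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
    signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, b"")
                      + der(0xA0, cert) + der(0x31, b""))
    p7 = der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"constructed placeholder dex bytes")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", p7)
    return buf.getvalue()


DEVELOPER_SPKI = bytes(range(200))            # constructed stand-in for the developer's key
REPACKER_SPKI = bytes(reversed(range(200)))   # constructed: a different key, as after re-signing


def demo():
    """Returns (official app served?, repacked app served?)."""
    service = ServiceAccessEnd()
    official_apk = build_sample_apk(DEVELOPER_SPKI)
    service.save_first_key("com.example.app", official_apk)        # S202: first public key saved
    second_key = public_key_fingerprint(official_apk)               # S206: key of the running app
    repacked_key = public_key_fingerprint(build_sample_apk(REPACKER_SPKI))
    return (service.capability_call("com.example.app", second_key) is not None,
            service.capability_call("com.example.app", repacked_key) is not None)


if __name__ == "__main__":
    print(demo())
```

On a real device the second key is not read from the APK by the SDK but obtained from the platform: the certificate that `PackageManager.getPackageInfo(..., GET_SIGNATURES)` returns for the app's own package (an Android API, not something the patent specifies). The comparison is only as trustworthy as that source, so the SDK should take the value from the package manager rather than from app-controlled storage, and the service should compare a fixed-width fingerprint in constant time, as above, rather than accept raw key blobs of arbitrary length.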
The security verification method of the present invention provides the broad community of Android developers with a scheme for verifying whether an application has been tampered with. Because each developer's signature file is unique, the signatures of APKs packaged by different developers also differ. The method relies on the mechanism that an APK which has been decompiled and repacked must, once re-signed, carry a signature different from the official one; it authenticates the APK on this basis, checking its identity by an online signature comparison. This effectively stops lawbreakers from maliciously attacking the platform by copying an APK's identity, effectively prevents the security risk brought by maliciously tampered Android applications, and strengthens the security of the platform.
The present invention also proposes a security verification device for an Android application program, for carrying out the above security verification method.
Fig. 3 is a structural block diagram of the security verification device for an Android application program in an embodiment of the present invention. As shown in Fig. 3, in this embodiment the device comprises a saving module 310, an acquisition module 320 and a verification module 330 connected in turn. The saving module 310 extracts a public key from the signed installation file of the Android application program, i.e. the APK file, and saves it at the service access end, the public key taken from the signed APK file being denoted the first public key; the service access end refers to the download end of the Android application program, the public key is contained in the signed APK file, and the signature file used to sign the APK file is generated by the developer. Here, the signature file refers to the Android application signature file. The acquisition module 320, when the signed Android application program is initialized, has the service access end obtain the public key of the signed Android application program, denoted the second public key; the signed Android application program refers to the Android application program after it has been signed with the above signature file. The verification module 330 has the service access end compare the second public key with the first public key and judge from the comparison result whether the signed Android application program is safe.
In an embodiment of the present invention, the verification module 330 may further comprise a first judging unit and a second judging unit. The first judging unit judges the signed Android application program safe when the comparison result is that the second public key is consistent with the first public key. The second judging unit judges the signed Android application program unsafe when the comparison result is that the second public key and the first public key are inconsistent.
In an embodiment of the present invention, the security verification device may further comprise a return module. The return module is connected to the verification module 330 and returns related data to the signed Android application program when the judgment result of the verification module 330 is that the signed Android application program is safe.
Here, the related data refers to the related data of the capability call.
The security verification device of the present invention relies on the mechanism that an APK which has been decompiled and repacked must, once re-signed, carry a signature different from the official one; it authenticates the APK on this basis, checking its identity by an online signature comparison. This effectively stops lawbreakers from maliciously attacking the platform by copying an APK's identity, effectively prevents the security risk brought by maliciously tampered Android applications, and strengthens the security of the platform.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
Claims (6)
1. A security verification method for an Android application program, characterized in that it comprises:
Step 1, a public key is extracted from the signed installation file of the Android application program, i.e. the APK file, and saved at the service access end, the public key taken from the signed APK file being denoted the first public key; the service access end refers to the download end of the Android application program, the public key is contained in the signed APK file, and the signature file used to sign the APK file is generated by the developer;
Step 2, when the signed Android application program is initialized, the service access end obtains the public key of the signed Android application program and denotes it the second public key; the signed Android application program refers to the Android application program after it has been signed with the signature file;
Step 3, the service access end compares the second public key with the first public key and judges from the comparison result whether the signed Android application program is safe.
2. The security verification method for an Android application program according to claim 1, characterized in that step 3 comprises: if the comparison result is that the second public key is consistent with the first public key, the signed Android application program is judged safe; if the comparison result is that the second public key and the first public key are inconsistent, the signed Android application program is judged unsafe.
3. The security verification method for an Android application program according to claim 1, characterized in that it further comprises, after step 3, step 4: if the judgment result is that the signed Android application program is safe, the service access end returns related data to the signed Android application program.
4. A security verification device for an Android application program, characterized in that it comprises a saving module, an acquisition module and a verification module connected in turn, wherein:
the saving module extracts a public key from the signed installation file of the Android application program, i.e. the APK file, and saves it at the service access end, the public key taken from the signed APK file being denoted the first public key; the service access end refers to the download end of the Android application program, the public key is contained in the signed APK file, and the signature file used to sign the APK file is generated by the developer;
the acquisition module, when the signed Android application program is initialized, has the service access end obtain the public key of the signed Android application program, denoted the second public key; the signed Android application program refers to the Android application program after it has been signed with the signature file;
the verification module has the service access end compare the second public key with the first public key and judge from the comparison result whether the signed Android application program is safe.
5. The security verification device for an Android application program according to claim 4, characterized in that the verification module comprises:
a first judging unit, which judges the signed Android application program safe when the comparison result is that the second public key is consistent with the first public key;
a second judging unit, which judges the signed Android application program unsafe when the comparison result is that the second public key and the first public key are inconsistent.
6. The security verification device for an Android application program according to claim 4, characterized in that it further comprises a return module connected to the verification module, which returns related data to the signed Android application program when the judgment result of the verification module is that the signed Android application program is safe.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410291357.XA CN104049973A (en) | 2014-06-25 | 2014-06-25 | Safety verification method and device for android application program |
Publications (1)
Publication Number | Publication Date |
---|---|
CN104049973A true CN104049973A (en) | 2014-09-17 |
Family
ID=51502882
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410291357.XA Pending CN104049973A (en) | 2014-06-25 | 2014-06-25 | Safety verification method and device for android application program |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104049973A (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102024120A (en) * | 2009-09-18 | 2011-04-20 | 无锡安腾软件开发有限公司 | Method for using digital signature to detect falsification possibility of software |
CN102300065A (en) * | 2011-08-31 | 2011-12-28 | 四川长虹电器股份有限公司 | Security authentication method for android-platform-based smart television software |
CN103577206A (en) * | 2012-07-27 | 2014-02-12 | 北京三星通信技术研究有限公司 | Method and device for installing application software |
- 2014-06-25: application CN201410291357.XA filed in China (CN104049973A), status Pending
Cited By (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104469768B (en) * | 2014-11-06 | 2018-03-02 | 中国联合网络通信集团有限公司 | User identity method of calibration and device based on application software |
CN104469768A (en) * | 2014-11-06 | 2015-03-25 | 中国联合网络通信集团有限公司 | User identity verifying method and device based on application software |
CN106170763B (en) * | 2015-01-07 | 2019-10-18 | 华为技术有限公司 | A kind of software check method and apparatus |
WO2016109955A1 (en) * | 2015-01-07 | 2016-07-14 | 华为技术有限公司 | Software verifying method and device |
CN106170763A (en) * | 2015-01-07 | 2016-11-30 | 华为技术有限公司 | A kind of software check method and apparatus |
US10796001B2 (en) | 2015-01-07 | 2020-10-06 | Huawei Technologies Co., Ltd. | Software verification method and apparatus |
CN104933355A (en) * | 2015-06-18 | 2015-09-23 | 上海斐讯数据通信技术有限公司 | Installation checkout system and checkout method thereof of trustable application of mobile terminal |
WO2017206185A1 (en) * | 2016-06-03 | 2017-12-07 | 华为技术有限公司 | Method, apparatus and system for verifying legitimacy of application program |
CN106355081A (en) * | 2016-09-07 | 2017-01-25 | 深圳市新国都支付技术有限公司 | Android program start verification method and device |
WO2018165951A1 (en) * | 2017-03-16 | 2018-09-20 | 深圳大趋智能科技有限公司 | Method and device for signature authentication during android apk startup |
CN107169318A (en) * | 2017-03-31 | 2017-09-15 | 咪咕数字传媒有限公司 | A kind of method and device of application security protection |
CN107958150A (en) * | 2017-12-05 | 2018-04-24 | 中科信息安全共性技术国家工程研究中心有限公司 | A kind of method for detecting Android hot patch security |
CN108923910A (en) * | 2018-07-12 | 2018-11-30 | 南方电网科学研究院有限责任公司 | Mobile application APK tamper-proofing method |
CN108923910B (en) * | 2018-07-12 | 2021-06-25 | 南方电网科学研究院有限责任公司 | Mobile application APK tamper-proofing method |
CN109408074A (en) * | 2018-09-26 | 2019-03-01 | 平安普惠企业管理有限公司 | Installation method, device, computer equipment and the storage medium of application program |
CN109687974A (en) * | 2018-12-26 | 2019-04-26 | 努比亚技术有限公司 | APK verification method, device, mobile terminal and readable storage medium storing program for executing |
CN109687974B (en) * | 2018-12-26 | 2023-10-17 | 努比亚技术有限公司 | APK verification method and device, mobile terminal and readable storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |
Application publication date: 20140917