CN105205356A - APP application re-packaging detection method - Google Patents
- Publication number: CN105205356A (application CN201510595733.9A)
- Authority: CN (China)
- Legal status: Granted
Classifications
- G06F21/128: Restricting unauthorised execution of programs involving web programs, i.e. using technology especially used in internet, generally interacting with a web browser, e.g. hypertext markup language [HTML], applets, java (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]; G06F21/12 Protecting executable software; G06F21/121 Restricting unauthorised execution of programs)
- G06F16/9566: URL specific, e.g. using aliases, detecting broken or misspelled links (under G06F16/00 Information retrieval; Database structures therefor; File system structures therefor; G06F16/90 Details of database functions independent of the retrieved data types; G06F16/95 Retrieval from the web; G06F16/955 Retrieval from the web using information identifiers, e.g. uniform resource locators [URL])
Abstract
The invention discloses an APP application repackaging detection method for detecting whether an installation package generated by packaging an APP has been repackaged. The method comprises the following steps: judging whether each file in the installation package is internally consistent and/or whether the different files in the installation package are consistent with each other; if so, judging that the installation package has not been repackaged; otherwise, judging that it has been repackaged. The method does not require the original APP to be obtained separately and does not compare a third-party APP against the original APP, so it has better practicability and flexibility.
Description
Technical field
The present invention relates to an APP application repackaging detection method.
Background art
With the development of the mobile Internet, more and more people carry out traditional Internet activities on their mobile phones, such as watching video, making payments, shopping and logging in to social networking sites. Smartphones occupy an increasingly important place in daily life and greatly enrich and facilitate everyday life. At the same time, all kinds of malicious mobile attack software emerge endlessly. Repackaged APPs are an important source of mobile malware: they undermine the healthy development of the Android ecosystem, cause developers to lose revenue, facilitate the spread of malware and endanger the security and privacy of ordinary users. Compared with the original APP, a repackaged APP keeps the main functions basically unchanged but adds or deletes some functions, for example replacing some pictures in the APP, modifying the address in a URL so that a phishing website's page is loaded, or adding additional modules to steal the user's information.
A HybridAPP is an APP that lies between a WebAPP and a NativeAPP: it is developed in both HTML and Java, combines the advantages of WebAPP and NativeAPP, and is well suited to cross-platform use. At the same time, a HybridAPP differs considerably from both a NativeAPP and a WebAPP. A HybridAPP is divided into a Native layer and a Web layer; the Native layer is mainly implemented in Java and the Web layer mainly in HTML5, whereas a NativeAPP is implemented primarily in Java code. Existing repackaging detection methods for NativeAPPs mainly compare a suspicious APK with the original APK and decide whether it has been repackaged from the similarity of the compared content: if the similarity is high and the APK signatures differ, the APK has been repackaged. Compared with a NativeAPP, a HybridAPP is easier to decompile. A NativeAPP is mainly implemented in Java code, so repackaging it requires decompiling it to Java code before it can be modified. A HybridAPP, on the other hand, is mainly implemented in HTML5: simply decompressing the APK file exposes the main Web code, and an attacker can easily understand the HTML and JavaScript code and therefore easily modify and repackage it. A HybridAPP is therefore more easily repackaged than a NativeAPP.
The scheme described in patent CN201210204247 discloses a method for detecting repackaged applications in an Android market. The method computes the lengths of the strings used in the dex file of each Android application and uses them as a feature code that distinguishes different applications; the similarity between different Android applications is obtained by computing the edit distance between their feature codes and comparing it with a given threshold, from which it is determined whether an application is a repackaged one. That invention can serve as an effective supplementary means of detecting Android malware, but it is mainly aimed at NativeAPPs and cannot solve the repackaging problem of HybridAPPs well, and when the original APP cannot be found it cannot detect whether an APP is repackaged.
The scheme described in patent CN201410261034 discloses a method for detecting, excising and recovering from the malicious code of Android repackaged malware. It builds a feature library of fuzzy hash values of the malicious entry classes of known malicious programs, which are matched against the entry classes of the disassembled program under test; it then excises, in turn, the complete malicious code snippets added by repackaging together with the resource files they add, and finally finds the code snippets that were modified in the original program during repackaging and restores their original function. That invention targets the increasingly serious use by Android malware of repackaging as the main propagation method for implanted malicious code, and detects and excises the malicious code implanted in otherwise normal programs. That method is mainly aimed at detecting malicious code rather than at the repackaging detection problem itself, and detecting repackaging through malicious code has considerable limitations: if the repackaging merely replaced some pictures or other resources in the original APP, this detection method will not detect it. The method is also mainly aimed at NativeAPPs and, because the program structure of a HybridAPP differs from that of a NativeAPP, is not applicable to HybridAPPs.
The scheme described in patent CN201310438647 discloses an Android repackaged-application detection method based on application programming interfaces. The application files are first processed to obtain smali code files; for each file, the usage of Android application programming interfaces is extracted from the smali code and frequency statistics are computed; files are then clustered by mutual comparison, and files with high similarity and many iterations are treated as third-party libraries; after removing the interference of third-party libraries, program files with high similarity are clustered in units of application files; finally, combined with author signature information, it is judged whether a repackaging relationship exists between applications. With that technical scheme, repackaged applications can be detected automatically at the scale of a large application market with high efficiency and accuracy. However, the method is mainly aimed at NativeAPPs and does not consider the differences between HybridAPPs and NativeAPPs, so it is not applicable to HybridAPPs, and when the original APP cannot be found it cannot detect whether an APP is repackaged.
The scheme described in patent US2014082729A discloses a method that computes, by risk analysis, the risk that an APP has been repackaged; the risk analysis judges whether the APP has been repackaged by determining whether it contains malicious code, using blacklist matching. This method's detection of repackaging has considerable limitations: if only some resource files in the original APP were replaced during repackaging, it will be difficult for this detection method to detect it. The method is also mainly aimed at NativeAPPs and is not applicable to HybridAPPs.
Summary of the invention
The object of the invention is to propose an APP application repackaging detection method that solves the technical problem that existing application repackaging detection methods are not well applicable to HybridAPP applications.
To this end, the present invention proposes an APP application repackaging detection method for detecting whether an installation package generated by packaging an APP has been repackaged, comprising the following steps: judging whether each file contained in the installation package is internally consistent and/or whether the different files it contains are consistent with each other; if they are consistent, judging that the installation package has not been repackaged; if they are not consistent, judging that it has been repackaged.
Preferably, judging whether each file contained in the installation package is internally consistent and/or whether the different files it contains are consistent with each other is carried out in one or more of the following ways:
Mode one: judging whether the local files accessed by the installation package are consistent with the files contained in the installation package;
Mode two: judging whether the network link addresses accessed by the installation package are consistent with the main domain corresponding to the APP;
Mode three: judging whether the contents of the web page files in the installation package are consistent;
Mode four: judging whether the application categories of the different types of files in the installation package are consistent.
Preferably, when mode one is adopted, the APP repackaging detection method comprises the following steps:
S31, obtaining all decompressed files contained in the installation package and their file names;
S32, obtaining all local file names accessed by the installation package;
S33, processing each local file name as follows: judging the file-name similarity between the local file name and each decompressed file name; if the file-name similarity between the local file name and every decompressed file name is less than a first threshold, the installation package has been repackaged; if the file-name similarity between the local file name and some decompressed file name is not less than the first threshold, the installation package has not been repackaged.
Preferably, when mode two is adopted, the APP repackaging detection method comprises the following steps:
S41, obtaining all decompressed files contained in the installation package;
S42, obtaining all network link addresses accessed by the installation package;
S43, processing each link address as follows: judging the domain-name similarity between the link address and each sub-domain name in a white list; if the domain-name similarity between the link address and every sub-domain name is less than a second threshold, the installation package has been repackaged; if the domain-name similarity between the link address and some sub-domain name is not less than the second threshold, the installation package has not been repackaged; the white list comprises the sub-domain names corresponding to the APP.
Preferably, when mode three is adopted, the APP repackaging detection method comprises the following steps:
S51, obtaining the content characteristic value of each web page file in the installation package, the content characteristic value of the i-th web page file being denoted $H(i)$;
S52, obtaining the content difference $D(s)$ between all web page files in the installation package, where $n_h$ is the number of web page files in the installation package, $H(j)$ is the content characteristic value of the j-th web page file, $d(H(i), H(j))$ is the content difference between the i-th and j-th web page files, $1 \le i < j \le n_h$, and $i, j$ are positive integers;
S53, obtaining the content consistency $f_{html}$ between all web page files in the installation package:
$f_{html} = 1 - 2D(s)/[n_h(n_h+1)]$
and judging whether $f_{html}$ is not less than a third threshold; if so, the installation package has not been repackaged; if not, it has been repackaged.
Preferably, in step S51, the keywords of the i-th web page file are used as the content characteristic value $H(i)$ of the i-th web page file;
in step S52, the number of differing keywords between the i-th and j-th web page files is used as the content difference $d(H(i), H(j))$.
Preferably, when mode four is adopted, the APP repackaging detection method comprises the following steps:
S71, obtaining the application categories corresponding to the web page files, the xml files and the JavaScript files in the installation package respectively;
S72, obtaining the consistency $P_{HJ}$ of application category between the web page files and the JavaScript files;
S73, obtaining the consistency $Q_{XJ}$ of application category between the xml files and the JavaScript files;
S74, obtaining the consistency $F$ of application category between the web page files, the xml files and the JavaScript files:
$F = w_1 \cdot P_{HJ} + w_2 \cdot Q_{XJ}$,
where $w_1$ and $w_2$ are positive numbers; judging whether $F$ is not less than a fourth threshold; if so, the installation package has not been repackaged, and if not, it has been repackaged.
Preferably, in step S71:
the application category corresponding to the JavaScript file is expressed in terms of $n_j$, the number of APIs in the JavaScript file, and $J(j)$, the application category corresponding to the j-th API in the JavaScript file;
the application category corresponding to the web page files is expressed in terms of $n_h$, the number of web page files, and $H(h)$, the application category corresponding to the keyword of the h-th web page file;
the application category corresponding to the xml files is $X$, the application category corresponding to the keywords of all xml files.
In step S72, the consistency $P_{HJ}$ of application category between the web page files and the JavaScript file is computed from $p(h, j)$, the consistency of application category between the h-th web page file and the j-th API:
$p(h, j) = |J(j) \cap H(h)| / |J(j) \cup H(h)|$,
and $p(h, j) = 0$ if the h-th web page file does not call the j-th API; here $|J(j) \cap H(h)|$ is the number of elements in the intersection of $J(j)$ and $H(h)$, and $|J(j) \cup H(h)|$ is the number of elements in their union.
In step S73, the consistency $Q_{XJ}$ of application category between the xml files and the JavaScript file is
$Q_{XJ} = \min\{q(1), q(2), \ldots, q(n_a)\}$,
where $q(j)$ is the consistency of application category between all xml files and the j-th API, $n_a$ is the number of APIs in the JavaScript file, and
$q(j) = |J(j) \cap X| / |J(j) \cup X|$,
where $|J(j) \cap X|$ is the number of elements in the intersection of $X$ and $J(j)$.
Preferably, $0 < w_2 < w_1 < 1$ and $w_1 + w_2 = 1$.
Preferably, the APP is a HybridAPP.
The APP application repackaging detection method proposed by the present invention relies on the "consistency principle" of an APP: because a normal APP implements one main function, its files are related to each other in content or function, both within each file and between different files, and therefore exhibit consistency. The method can judge whether an APK has been repackaged without comparing it against the original APK, and can effectively improve the detection rate of application repackaging.
Brief description of the drawings
Fig. 1 is repackaging detection flow chart one of the APP application of a specific embodiment of the invention;
Fig. 2 is repackaging detection flow chart two of the APP application of a specific embodiment of the invention.
Embodiment
The present invention is described in further detail below with reference to the drawings and embodiments. It is emphasized that the following description is merely exemplary and is not intended to limit the scope and application of the invention.
Non-limiting and non-exclusive embodiments are described with reference to the following drawings, in which identical reference numerals denote identical parts unless stated otherwise.
The present invention proposes an APP application repackaging detection method for detecting whether an installation package generated by packaging an APP has been repackaged. To ensure that a repackaged installation package remains similar to the original APK in interface and function, an attacker commonly makes the following kinds of modification to the installation package:
1) modifying the parameter of loadUrl() in the Java code to change the web page the APP loads, for example so that the APP loads a phishing site and steals the user's sensitive information;
2) modifying the link URLs in the HTML web page files so that the resources loaded from the URLs change;
3) modifying the HTML web page files, for example adding HTML web page files to the APP;
4) modifying the JavaScript code to change the implemented functions.
Against these potential attacks, the APP application repackaging detection method proposed by the present invention judges whether each file contained in the installation package is internally consistent and/or whether the different files it contains are consistent with each other; if so, it judges that the installation package has not been repackaged, and if not, that it has been repackaged. Consistency here means that the files contained in an installation package that has not been repackaged should share a consistent theme and implement consistent functions; see Fig. 1, repackaging detection flow chart one of the APP application of a specific embodiment of the invention. The proposed method does not need to obtain the original APP separately, nor does it need to compare a third-party APP with the original APP, and so has better practicability and flexibility.
For convenience of description, an APK installation package is taken as the example; other installation packages such as IPA are processed similarly. In one embodiment of the invention, the APP application repackaging detection method can be carried out in one or more of the following ways:
Detection mode one:
Judge whether the local files accessed by the APK are consistent with the files contained in the APK; if so, the APK has not been repackaged; if not, it has been repackaged. In one embodiment this comprises the following steps:
S1, decompressing the APK to obtain all decompressed files and their file names;
S2, obtaining all local file names accessed by the APK by collecting the parameters of loadUrl() in the decompressed files;
S3, processing each local file name in turn as follows: judging the file-name similarity between this local file name and each decompressed file name, which can be computed by string matching; if the similarity between this local file name and every decompressed file name is less than a preset first threshold (such as 0.5), the consistency of the loadUrl() parameters in the APK is considered damaged and the APK has been repackaged; if the similarity between this local file name and some decompressed file name is not less than the preset first threshold, the consistency of the loadUrl() parameters is considered intact and the APK has not been repackaged.
Detection mode two:
Judge whether the network link addresses accessed by the APK are consistent with the main domain corresponding to the APP; if so, the APK has not been repackaged; if not, it has been repackaged. In one embodiment this comprises the following steps:
S1, decompressing the APK file to obtain all decompressed files;
S2, obtaining all network link addresses accessed by the APK from the decompressed files;
S3, processing each link address in turn as follows: judging the domain-name similarity between this link address and each sub-domain name in a white list, which can be computed with the KMP string matching algorithm; if the domain-name similarity between this link address and every sub-domain name is less than a preset second threshold (such as 0.5), the link consistency of the APK is considered damaged and the APK has been repackaged; if the similarity between this link address and some sub-domain name is not less than the preset second threshold, the link consistency is considered intact and the APK has not been repackaged. The white list lists the sub-domain names related to the APP; for example, the white list of the Baidu News APP includes the sub-domain name www.news.baidu.com, which belongs to its main domain www.baidu.com.
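The following is an added worked example of detection modes one and two as described above (and in steps S31 to S43 of the summary); it is not code from the patent. It runs against a constructed unpacked package: the file contents, the loadUrl() calls, the link addresses and the white list are all made up here. The patent only says "string matching" for the file-name similarity and suggests KMP for the domain similarity; this example uses a Jaccard index over character trigrams of the file-name stems, and compares the host against each whitelisted sub-domain label by label from the right-hand end, both of which are choices of this example rather than the patent's.

```python
"""Detection modes one and two: loadUrl() file-name consistency and link-domain
consistency, on a constructed unpacked APK (illustrative example)."""
import re
from urllib.parse import urlparse

# Constructed stand-in for the decompressed package: relative path -> text.
# A real run would read the files produced by decompressing the APK.
SAMPLE_APK = {
    "assets/www/index.html": '<a href="http://www.news.baidu.com/top">top</a>',
    "assets/www/detail.html": "<p>detail</p>",
    "src/MainActivity.java": (
        'webView.loadUrl("file:///android_asset/www/index.html");\n'
        'webView.loadUrl("file:///android_asset/www/detail.html");\n'
        'webView.loadUrl("http://www.news.baidu.com/list");\n'
    ),
}
WHITELIST = ["www.news.baidu.com"]  # sub-domains belonging to the APP's main domain

LOADURL_RE = re.compile(r'loadUrl\(\s*"([^"]*)"\s*\)')
LINK_RE = re.compile(r'https?://[^\s"\'<>]+')


def loadurl_targets(apk):
    """All loadUrl() parameters found in the unpacked sources (step S2 of mode one)."""
    return [t for text in apk.values() for t in LOADURL_RE.findall(text)]


def stem(path):
    """File name without directory or extension, lower-cased."""
    return path.rsplit("/", 1)[-1].rsplit(".", 1)[0].lower()


def trigrams(s):
    return {s[i:i + 3] for i in range(len(s) - 2)} if len(s) >= 3 else {s}


def filename_similarity(local, packaged):
    """Assumed string-similarity measure: Jaccard index of the character
    trigrams of the two file-name stems (the page only says 'string matching')."""
    a, b = trigrams(stem(local)), trigrams(stem(packaged))
    return len(a & b) / len(a | b)


def mode_one(apk, threshold=0.5):
    """Returns (repackaged, {local file -> best similarity to a packaged file})."""
    findings = {}
    for target in loadurl_targets(apk):
        if not target.startswith("file://"):  # network targets belong to mode two
            continue
        findings[target] = max(filename_similarity(target, name) for name in apk)
    return any(s < threshold for s in findings.values()), findings


def network_links(apk):
    """All network link addresses found in the unpacked files (step S2 of mode two)."""
    return sorted({link for text in apk.values() for link in LINK_RE.findall(text)})


def domain_similarity(host, white):
    """Fraction of the whitelisted sub-domain's labels that the host shares,
    compared from the right so that 'www.baidu.com.attacker.example' scores 0.
    The page suggests KMP string matching; a label-wise suffix comparison is
    used here instead because a plain substring match would accept such hosts."""
    h, w = host.lower().split("."), white.lower().split(".")
    shared = 0
    for a, b in zip(reversed(h), reversed(w)):
        if a != b:
            break
        shared += 1
    return shared / len(w)


def mode_two(apk, whitelist, threshold=0.5):
    """Returns (repackaged, {link -> best similarity to a whitelisted sub-domain})."""
    findings = {}
    for link in network_links(apk):
        host = urlparse(link).hostname or ""
        findings[link] = max(domain_similarity(host, w) for w in whitelist)
    return any(s < threshold for s in findings.values()), findings


def tampered_copy(apk):
    """Constructed repackaged variant: a page missing from the package is loaded
    instead of detail.html, and a link to a foreign host is planted in index.html."""
    t = dict(apk)
    t["src/MainActivity.java"] = t["src/MainActivity.java"].replace(
        "www/detail.html", "www/bank_verify.html")
    t["assets/www/index.html"] += '<a href="http://login.attacker.example/verify">x</a>'
    return t


if __name__ == "__main__":
    for label, pkg in (("clean", SAMPLE_APK), ("tampered", tampered_copy(SAMPLE_APK))):
        print(label, "mode one:", mode_one(pkg))
        print(label, "mode two:", mode_two(pkg, WHITELIST))
```

Comparing domain labels from the right matters for the white-list check: a substring match would accept a host such as www.baidu.com.attacker.example, whereas the suffix comparison scores it 0, and a sibling host such as cdn.baidu.com scores exactly the 0.5 threshold. Running the block shows the clean package passing both modes and the tampered copy failing both.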
Detection mode three:
Judge whether the contents of the web page files in the APK are consistent; if so, the APK has not been repackaged; if not, it has been repackaged. In one embodiment this comprises the following steps:
S1, obtaining the content characteristic value of each web page file in the APK, the content characteristic value of the i-th web page file being denoted $H(i)$. In one embodiment the keywords of the i-th web page file are used as its content characteristic value $H(i)$: for the i-th HTML web page file, to avoid extracting useless content, the tag content of the HTML file is first removed and the text content extracted; the five words that occur most often are then selected from the text content as the content characteristic value of the HTML file, written $H(i) = \{C(i)_1, C(i)_2, C(i)_3, C(i)_4, C(i)_5\}$, where $C(i)_p$ is the word ranked p-th by number of occurrences in the i-th HTML web page file, $1 \le p \le 5$. Suppose the APK contains $n_h$ HTML web page files, $n_h$ a positive integer; the set of content characteristic values of the APK can then be written $S = \{H(1), H(2), \ldots, H(n_h)\}$;
S2, obtaining the content difference $D(s)$ between all web page files in the APK, where $H(j)$ is the content characteristic value of the j-th web page file, $d(H(i), H(j))$ is the content difference between the i-th and j-th web page files, for example the number of differing content characteristic values between them, $1 \le i < j \le n_h$, and $i, j$ are positive integers;
S3, obtaining the content consistency $f_{html}$ between all web page files in the APK:
$f_{html} = 1 - 2D(s)/[n_h(n_h+1)]$
Judge whether $f_{html}$ is not less than a preset third threshold; if so, the web page consistency of the APK is considered intact and the APK has not been repackaged; if not, the web page consistency is considered damaged and the APK has been repackaged.
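An added example of detection mode three, covering steps S1 to S3 above and S51 to S53 of the summary; it is not the patent's own code. The three news-style pages and the injected account-verification page are constructed for the example. The regular-expression tag stripping, alphabetical tie-breaking among equally frequent words, and the reading of $d(H(i), H(j))$ as the number of keywords of $H(i)$ absent from $H(j)$ are this example's choices, and the 0.5 threshold is a made-up value since the patent gives none.

```python
"""Detection mode three: keyword-based content consistency of the HTML files
in a package, on constructed sample pages (illustrative example)."""
import re
from collections import Counter
from itertools import combinations

TAG_RE = re.compile(r"<(script|style)[^>]*>.*?</\1>|<[^>]+>", re.S | re.I)
WORD_RE = re.compile(r"[a-z]+")

# Constructed sample: three news-style pages that share a theme.
CLEAN_PAGES = [
    "<html><body><h1>News headlines</h1><p>news news news news sports sports "
    "sports finance finance weather weather headlines headlines headlines today</p></body></html>",
    "<html><body><h2>Sports news</h2><p>sports sports sports sports news news news "
    "finance finance weather weather headlines</p></body></html>",
    "<html><body><h2>Finance news</h2><p>finance finance finance finance news news news "
    "sports sports weather headlines market</p></body></html>",
]
# Constructed page of the kind an attacker adds to a package (modification 3 above).
INJECTED_PAGE = ("<html><body><h2>Verify your account</h2><p>account account account "
                 "account password password password login login verify verify card</p></body></html>")


def keywords(html, k=5):
    """H(i): the k most frequent words of the page after its tags are removed.
    Ties are broken alphabetically so the result is deterministic."""
    text = TAG_RE.sub(" ", html).lower()
    counts = Counter(WORD_RE.findall(text))
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return frozenset(word for word, _ in ranked[:k])


def content_difference(h_i, h_j):
    """d(H(i), H(j)): number of keywords of H(i) absent from H(j)
    (this example's reading of 'number of differing content characteristic values')."""
    return len(h_i - h_j)


def total_difference(feature_sets):
    """D(s): content difference summed over all pairs 1 <= i < j <= n_h."""
    return sum(content_difference(a, b) for a, b in combinations(feature_sets, 2))


def html_consistency(pages):
    """f_html = 1 - 2 D(s) / [n_h (n_h + 1)], exactly as the page defines it."""
    feats = [keywords(p) for p in pages]
    n_h = len(feats)
    return 1 - 2 * total_difference(feats) / (n_h * (n_h + 1))


def mode_three(pages, threshold=0.5):
    """True when the package is judged repackaged (f_html below the threshold).
    The threshold is a constructed value; the page gives none."""
    return html_consistency(pages) < threshold


if __name__ == "__main__":
    print("clean    f_html =", round(html_consistency(CLEAN_PAGES), 3))
    print("injected f_html =", round(html_consistency(CLEAN_PAGES + [INJECTED_PAGE]), 3))
```

Because the patent normalises $D(s)$ by $n_h(n_h+1)$ rather than by the number of pairs times the keyword count, $f_{html}$ drops below zero once many pages diverge (the injected page takes the sample from 2/3 to -0.7); a negative value simply fails any positive threshold. A practitioner would also drop stop words before ranking, since raw frequency counts otherwise favour words such as "the".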
Detection mode four:
Judge whether the APK categories of the different types of files in the APK are consistent; if so, the APK has not been repackaged; if not, it has been repackaged. An APK usually contains files of different types, such as web page files (HTML web page files, htm files), xml files and JavaScript files. In one embodiment this comprises the following steps:
S1, obtaining the APK categories corresponding to the web page files, the xml files and the JavaScript files in the APK respectively. In an embodiment of the present invention the APK categories comprise: map, navigation, communication, friend-making, shopping, weather, news, video, education, study, financing and game.
(1) JavaScript files:
Each API in the JavaScript files is processed in turn: the APK category corresponding to the API is obtained by looking it up in the API call table of each APK class; for example, if the j-th API appears in the API call table of the map class, the APK category corresponding to that API is "map". Because one API may correspond to several APK categories, the categories corresponding to the j-th API are represented by the set $J(j)$; for example, $J(j) = \{A, B, C, D\}$ means that the APK categories corresponding to the j-th API are A, B, C and D, ordered by likelihood.
The API call table of each APK class can be obtained as follows:
Sa, analysing a large number of APKs and extracting the APIs called by all APKs of each class, to obtain the public APIs of that class;
Sb, deleting from the public APIs of each class those APIs that belong to other APK classes; the remaining APIs are taken as the feature APIs of that class, and all the feature APIs of a class form its API call table. For example, let A, B and C be three APK classes, where A has 5 APKs {A.1, A.2, A.3, A.4, A.5}, B has 5 APKs {B.1, B.2, B.3, B.4, B.5} and C has 4 APKs {C.1, C.2, C.3, C.4, C.5}; if a.1 is called by all of {A.1, A.2, A.3, A.4, A.5}, then a.1 is a public API of class A; since a.1 is a public API of A but not of B or C, a.1 is a feature API of A. The other feature APIs of class A are found in the same way and together form the API call table of class A.
(2) Web page files:
Each HTML web page file is processed in turn: HtmlParser is used to extract a keyword from the HTML file; the keyword is looked up in the HTML keyword table to obtain the APK category corresponding to the file, and the APK categories corresponding to the h-th HTML file are represented by the set $H(h)$.
The HTML keyword table can be obtained as follows:
Sa, analysing a large number of HTML web page files and extracting the HTML keywords corresponding to all APKs of each class, to obtain the public keywords of that class;
Sb, deleting from the public keywords of each class, in turn, the keywords that belong to other classes; the remaining keywords are taken as the feature keywords of that class, and all the feature keywords of a class form its HTML keyword table.
(3) xml files:
All xml files are processed together: regular expressions are used to extract the text content from all xml files and TextRank is used to extract a keyword from that text; the keyword is looked up in the xml keyword table to obtain the APK category corresponding to all xml files, represented by $X$. The xml keyword table is obtained in the same way as the HTML keyword table and is not described again here.
S2, obtaining the consistency $P_{HJ}$ of APK category between the HTML web page files and the JavaScript files, where $n_h$ is the number of HTML web page files, $n_a$ is the number of APIs in the JavaScript files, and $p(h, j)$ is the consistency of APK category between the h-th HTML file and the j-th API, with $j, h$ positive integers:
$p(h, j) = |J(j) \cap H(h)| / |J(j) \cup H(h)|$,
and $p(h, j) = 0$ if the h-th HTML file does not call the j-th API; $|J(j) \cap H(h)|$ is the number of elements in the intersection of $J(j)$ and $H(h)$, and $|J(j) \cup H(h)|$ is the number of elements in their union. The larger $p(h, j)$, the greater the consistency of APK category between the h-th HTML file and the j-th API.
S3, obtaining the consistency $Q_{XJ}$ of APK category between the xml files and the JavaScript files:
$Q_{XJ} = \min\{q(1), q(2), \ldots, q(n_a)\}$,
where $q(j)$ is the consistency of APK category between all xml files and the j-th API:
$q(j) = |J(j) \cap X| / |J(j) \cup X|$,
where $|J(j) \cap X|$ is the number of elements in the intersection of $X$ and $J(j)$. The larger $q(j)$, the greater the consistency between all xml files and the j-th API.
S4, obtaining the consistency $F$ of APK category between the HTML web page files, the xml files and the JavaScript files. In a HybridAPP the xml files only handle layout, whereas the HTML web page files carry real meaning and function, so the HTML files contribute more to the HybridAPP than the xml files do. In an embodiment of the present invention, to account for the different influence of these two kinds of file on global consistency, the weight of the xml files is $w$ ($0 < w < 1/2$) and the weight of the HTML files is $(1 - w)$, and $F$ is computed as:
$F = w \cdot Q_{XJ} + (1 - w) \cdot P_{HJ}$
The larger $F$, the greater the global consistency of the APK. Judge whether $F$ is not less than a preset fourth threshold; if so, the global consistency of the APK is considered intact and the APK has not been repackaged; if not, the global consistency is considered damaged and the APK has been repackaged.
Referring to Fig. 2, the second flow chart of APP application repackaging detection according to a specific embodiment of the invention: the APP application repackaging detection method proposed by the present invention takes into account the differences between HybridAPP and NativeAPP, and performs detection using the parameter consistency, link consistency, html file consistency and global consistency within the HybridAPP. In applications at the scale of a large application market it can detect repackaged HybridAPPs automatically, with high efficiency and accuracy.
Those skilled in the art will recognize that numerous adaptations can be made to the above description, so the embodiments serve only to describe one or more particular implementations.
Although what are regarded as example embodiments of the present invention have been shown and described, it will be apparent to those skilled in the art that various changes and substitutions can be made to them without departing from the spirit of the invention. In addition, many modifications can be made to adapt a particular situation to the teachings of the invention without departing from the central concept described here. The invention is therefore not limited to the specific embodiments disclosed here, but may include all embodiments and their equivalents that fall within the scope of the invention.
Claims (10)
1. An APP application repackaging detection method for detecting whether an installation package generated by APP packaging has undergone repackaging, characterized by comprising the following steps: judging whether each file contained in the installation package is internally consistent and/or whether the different files contained in it are mutually consistent; if consistent, judging that the installation package has not undergone repackaging; if not consistent, judging that the installation package has undergone repackaging.
2. The APP application repackaging detection method of claim 1, characterized in that judging whether each file contained in the installation package is internally consistent and/or whether the different files contained in it are mutually consistent is carried out in one or more of the following manners:
Manner one: judging whether the local files accessed by the installation package are consistent with the files contained in the installation package;
Manner two: judging whether the network file link addresses accessed by the installation package are consistent with the main domain name corresponding to the APP;
Manner three: judging whether the contents of the web page files in the installation package are consistent;
Manner four: judging whether the application categories of the different file types in the installation package are consistent.
3. The APP application repackaging detection method of claim 2, characterized in that, when manner one is adopted, the method comprises the following steps:
S31: obtaining all decompressed files contained in the installation package and their file names;
S32: obtaining all local file names accessed by the installation package;
S33: processing each local file name as follows: judging the file name similarity between the local file name and each decompressed file name; if the similarity between the local file name and every decompressed file name is less than a first threshold, the installation package has undergone repackaging; if the similarity between the local file name and some decompressed file name is not less than the first threshold, the installation package has not undergone repackaging.
4. The APP application repackaging detection method of claim 2, characterized in that, when manner two is adopted, the method comprises the following steps:
S41: obtaining all decompressed files contained in the installation package;
S42: obtaining all network file link addresses accessed by the installation package;
S43: processing each link address as follows: judging the domain name similarity between the link address and each subdomain name in a white list; if the similarity between the link address and every subdomain name is less than a second threshold, the installation package has undergone repackaging; if the similarity between the link address and some subdomain name is not less than the second threshold, the installation package has not undergone repackaging; wherein the white list contains the subdomain names corresponding to the APP.
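Manners one and two (claims 3 and 4) as an added Python example; this is not code from the patent. The patent does not fix the similarity metric, so difflib's sequence ratio is used as an assumption, the thresholds 0.8, the `/android_asset/www/` asset layout and all file names, URLs and the white list are constructed for the example.

```python
import difflib
from urllib.parse import urlsplit

# Assumed thresholds; the patent leaves the first and second thresholds unspecified.
FIRST_THRESHOLD = 0.8
SECOND_THRESHOLD = 0.8

# Assumed layout of the hybrid app's web assets inside the package.
ASSET_PREFIX = "/android_asset/www/"


def name_similarity(a, b):
    """Similarity in [0, 1] between two names. The patent does not fix the
    metric; difflib's ratio (2*matches / total length) is an assumption."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def package_relative(ref):
    """Reduce a local file reference the app accesses to the path it would have
    inside the decompressed package, e.g.
    file:///android_asset/www/js/main.js -> js/main.js (assumed layout)."""
    path = urlsplit(ref).path if "://" in ref else ref
    if ASSET_PREFIX in path:
        path = path.split(ASSET_PREFIX, 1)[1]
    return path.lstrip("/")


def check_local_files(accessed, package_files, threshold=FIRST_THRESHOLD):
    """Manner one (claim 3, steps S31-S33): an accessed local file that resembles
    no decompressed file name marks the package as repackaged.
    Returns (repackaged, unmatched_names)."""
    unmatched = []
    for ref in accessed:
        name = package_relative(ref)
        best = max((name_similarity(name, f) for f in package_files), default=0.0)
        if best < threshold:
            unmatched.append(name)
    return bool(unmatched), unmatched


def check_link_domains(links, whitelist, threshold=SECOND_THRESHOLD):
    """Manner two (claim 4, steps S41-S43): a link whose host resembles none of
    the app's white-listed subdomain names marks the package as repackaged.
    Returns (repackaged, unmatched_hosts)."""
    unmatched = []
    for url in links:
        host = (urlsplit(url).hostname or "").lower()
        best = max((name_similarity(host, d.lower()) for d in whitelist), default=0.0)
        if best < threshold:
            unmatched.append(host)
    return bool(unmatched), unmatched


# Constructed sample data, not taken from the patent.
PACKAGE_FILES = ["index.html", "css/app.css", "js/main.js", "img/logo.png"]
ACCESSED_LOCAL = [
    "file:///android_asset/www/index.html",
    "file:///android_asset/www/js/main.js",
    "file:///android_asset/www/js/extra.js",     # referenced but not shipped
]
WHITELIST = ["example-app.com", "api.example-app.com", "cdn.example-app.com"]
ACCESSED_LINKS = [
    "https://api.example-app.com/v1/config",
    "https://cdn.example-app.com/img/banner.png",
    "http://ads.tracker-example.net/collect",    # host outside the white list
]

if __name__ == "__main__":
    print("manner one:", check_local_files(ACCESSED_LOCAL, PACKAGE_FILES))
    print("manner two:", check_link_domains(ACCESSED_LINKS, WHITELIST))
```

Both checks report which names or hosts failed to match, so the verdict can be reviewed rather than taken blindly; the accessed-file and link lists would in practice come from a static scan of the package's html and JavaScript.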
5. The APP application repackaging detection method of claim 2, characterized in that, when manner three is adopted, the method comprises the following steps:
S51: obtaining the content feature value of each web page file in the installation package, the content feature value of the i-th web page file being denoted H(i);
S52: obtaining the content difference D(s) between all web page files in the installation package:
where n_h is the number of web page files in the installation package, H(j) is the content feature value of the j-th web page file, d(H(i), H(j)) is the content difference between the i-th web page file and the j-th web page file, 1 ≤ i < j ≤ n_h, and i, j are positive integers;
S53: obtaining the content consistency f_html between all web page files in the installation package:
f_html=1-2D(s)/[n_h(n_h+1)]
Judging whether f_html is not less than a third threshold: if so, the installation package has not undergone repackaging; if not, the installation package has undergone repackaging.
6. The APP application repackaging detection method of claim 5, characterized in that, in step S51, the keywords of the i-th web page file are used as its content feature value H(i);
In step S52, the number of keywords that differ between the i-th web page file and the j-th web page file is used as the content difference d(H(i), H(j)).
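Manner three (claims 5 and 6) as an added Python example; it is not code from the patent. The page's formula for D(s) did not survive, so summing d(H(i), H(j)) over all pairs 1 ≤ i < j ≤ n_h is an assumption, as is reading "number of differing keywords" as the size of the symmetric difference of the two keyword sets; `keywords()` is a simple frequency ranking standing in for the TextRank extraction the description names, and the threshold 0.25, the sample page and the keyword sets are constructed.

```python
import re
from collections import Counter
from itertools import combinations

# Assumed threshold; the patent leaves the third threshold unspecified.
THIRD_THRESHOLD = 0.25

STOPWORDS = {"the", "a", "an", "and", "or", "of", "to", "in", "is", "for",
             "on", "with", "your", "you", "this", "it", "at", "by"}


def keywords(html, k=5):
    """Content feature value H(i): the k most frequent content words of a page.
    Frequency ranking stands in for TextRank here (assumption); tags, scripts
    and style blocks are stripped with regular expressions first."""
    text = re.sub(r"<(script|style)\b.*?</\1\s*>", " ", html, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)
    words = [w for w in re.findall(r"[a-z]+", text.lower())
             if len(w) > 2 and w not in STOPWORDS]
    ranked = sorted(Counter(words).items(), key=lambda kv: (-kv[1], kv[0]))
    return frozenset(w for w, _ in ranked[:k])


def pair_difference(h_i, h_j):
    """d(H(i), H(j)) per claim 6: number of keywords that differ between two
    pages, taken as the size of the symmetric difference (assumption)."""
    return len(h_i ^ h_j)


def total_difference(features):
    """D(s): d summed over all pairs 1 <= i < j <= n_h (assumed aggregation)."""
    return sum(pair_difference(a, b) for a, b in combinations(features, 2))


def html_consistency(features):
    """f_html = 1 - 2 D(s) / [n_h (n_h + 1)] exactly as written in claim 5.
    The denominator is n_h(n_h+1), not the number of pairs, so with raw keyword
    counts f_html drops below zero quickly; the threshold comparison still works."""
    n_h = len(features)
    if n_h < 2:
        return 1.0
    return 1.0 - 2.0 * total_difference(features) / (n_h * (n_h + 1))


def is_repackaged(features, threshold=THIRD_THRESHOLD):
    """Manner three verdict: repackaged when f_html is below the threshold."""
    return html_consistency(features) < threshold


# Constructed sample page, used only to show keyword extraction.
SAMPLE_HTML = """<html><body><h1>Weather forecast</h1>
<p>Today's forecast for your city: temperature 20, light rain.
Forecast updated hourly. Weather alerts for the city.</p>
<script>var tracked = 1;</script></body></html>"""

# Constructed keyword sets H(i) for three pages of one package.
ORIGINAL_PAGES = [
    frozenset({"weather", "forecast", "city", "temperature", "rain"}),
    frozenset({"weather", "forecast", "city", "temperature", "rain"}),
    frozenset({"weather", "forecast", "city", "temperature", "wind"}),
]
# Same package after one page's content was replaced by unrelated promotional text.
TAMPERED_PAGES = ORIGINAL_PAGES + [
    frozenset({"download", "install", "bonus", "free", "click"}),
]

if __name__ == "__main__":
    print("keywords:", sorted(keywords(SAMPLE_HTML, 3)))
    for label, pages in (("original", ORIGINAL_PAGES), ("tampered", TAMPERED_PAGES)):
        verdict = "repackaged" if is_repackaged(pages) else "intact"
        print(label, round(html_consistency(pages), 3), verdict)
```

With these sets the original package scores f_html = 1/3 and the tampered one -2.4, which shows why the third threshold has to be calibrated on the keyword count k and the number of pages rather than chosen as a fixed fraction.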
7. The APP application repackaging detection method of claim 2, characterized in that, when manner four is adopted, the method comprises the following steps:
S71: obtaining the application categories corresponding to the web page files, the xml files and the JavaScript file in the installation package, respectively;
S72: obtaining the consistency P_HJ of application category between the web page files and the JavaScript file;
S73: obtaining the consistency Q_XJ of application category between the xml files and the JavaScript file;
S74: obtaining the consistency F of application category among the web page files, the xml files and the JavaScript file:
F=w_1*P_HJ+w_2*Q_XJ;
where w_1 and w_2 are positive numbers; judging whether F is not less than a fourth threshold: if so, the installation package has not undergone repackaging; if not, the installation package has undergone repackaging.
8. The APP application repackaging detection method of claim 7, characterized in that, in step S71,
the application categories corresponding to the JavaScript file are {J(j)}, j = 1, …, n_j, where n_j is the number of APIs in the JavaScript file and J(j) is the application category corresponding to the j-th API in the JavaScript file;
the application categories corresponding to the web page files are {H(h)}, h = 1, …, n_h, where n_h is the number of web page files and H(h) is the application category corresponding to the keyword of the h-th web page file;
the application category corresponding to the xml files is X, the application category corresponding to the keyword of all xml files.
In step S72, the consistency P_HJ of application category between the web page files and the JavaScript file:
where p(h, j) denotes the consistency of application category between the h-th web page file and the j-th API, computed as:
p(h,j)=|J(j)∩H(h)|/|J(j)∪H(h)|,
If the h-th web page file does not call the j-th API, p(h, j) is 0; |J(j)∩H(h)| is the number of elements in the intersection of J(j) and H(h), and |J(j)∪H(h)| is the number of elements in their union;
In step S73, the consistency Q_XJ of application category between the xml files and the JavaScript file:
Q_XJ=min{q(1),q(2),…,q(n_a)};
where q(j) denotes the consistency of application category between all xml files and the j-th API, n_a denotes the number of APIs in the JavaScript file, and q(j) is computed as:
q(j)=|J(j)∩X|/|J(j)∪X|,
where |J(j)∩X| is the number of elements in the intersection of X and J(j).
9. The APP application repackaging detection method of claim 7, characterized in that 0 < w_2 < w_1 < 1 and w_1 + w_2 = 1.
10. The APP application repackaging detection method of any one of claims 1 to 9, characterized in that the APP is a HybridAPP.
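Manner four, as described in steps S2 to S4 of the description and in claims 7 to 9, as an added Python example; it is not code from the patent. The category sets J(j), H(h) and X are taken as already extracted (the keyword-table lookup is not implemented), p(h, j) and q(j) are the Jaccard ratios given on the page and Q_XJ is their minimum as in claim 8. Because the page's own aggregation formula for P_HJ did not survive, this example averages p(h, j) over the page/API pairs in which the page calls the API, which is an assumption. The weights w_1 = 0.7 and w_2 = 0.3 (satisfying claim 9; w_2 plays the role of the description's w < 1/2), the fourth threshold 0.4 and the sample category labels are likewise assumed.

```python
# Assumed weights and threshold; the patent fixes only the constraints
# 0 < w2 < w1 < 1 and w1 + w2 = 1 (claim 9) and leaves the fourth threshold open.
W1, W2 = 0.7, 0.3
FOURTH_THRESHOLD = 0.4


def jaccard(a, b):
    """|a ∩ b| / |a ∪ b|, defined as 0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def page_api_consistency(page_cats, api_cats, called):
    """p(h, j): Jaccard of H(h) and J(j) when page h calls API j, else 0."""
    return jaccard(api_cats, page_cats) if called else 0.0


def html_js_consistency(api_categories, page_categories, calls):
    """P_HJ. The patent's aggregation formula is not on the page; this example
    averages p(h, j) over the pairs where page h calls API j (assumption)."""
    scores = [page_api_consistency(page_categories[h], api_categories[j], True)
              for h, apis in calls.items() for j in apis]
    return sum(scores) / len(scores) if scores else 0.0


def xml_js_consistency(api_categories, xml_category):
    """Q_XJ = min{q(1), ..., q(n_a)} with q(j) = |J(j) ∩ X| / |J(j) ∪ X|."""
    return min(jaccard(j_cats, xml_category) for j_cats in api_categories.values())


def global_consistency(p_hj, q_xj, w1=W1, w2=W2):
    """F = w1 * P_HJ + w2 * Q_XJ (claim 7) with the claim 9 constraints enforced."""
    if not (0 < w2 < w1 < 1) or abs(w1 + w2 - 1) > 1e-12:
        raise ValueError("claim 9 requires 0 < w2 < w1 < 1 and w1 + w2 = 1")
    return w1 * p_hj + w2 * q_xj


def analyze(api_categories, page_categories, calls, xml_category,
            w1=W1, w2=W2, threshold=FOURTH_THRESHOLD):
    """Manner four end to end: P_HJ, Q_XJ, F and the repackaging verdict."""
    p_hj = html_js_consistency(api_categories, page_categories, calls)
    q_xj = xml_js_consistency(api_categories, xml_category)
    f = global_consistency(p_hj, q_xj, w1, w2)
    return {"P_HJ": p_hj, "Q_XJ": q_xj, "F": f, "repackaged": f < threshold}


# Constructed sample data for a weather app; category labels are illustrative.
API_CATEGORIES = {                       # J(j): category set per JavaScript API
    "geolocation": {"weather", "map", "travel"},
    "notification": {"weather", "news", "social"},
}
PAGE_CATEGORIES = {                      # H(h): category set per html page
    "index.html": {"weather", "map"},
    "detail.html": {"weather", "travel"},
}
CALLS = {                                # APIs each page calls
    "index.html": {"geolocation"},
    "detail.html": {"geolocation", "notification"},
}
XML_CATEGORY = {"weather", "map"}        # X: category of the layout xml files

# The same package after an inserted script in detail.html calls an off-topic API.
TAMPERED_API_CATEGORIES = {**API_CATEGORIES, "sms": {"payment", "messaging"}}
TAMPERED_CALLS = {**CALLS, "detail.html": CALLS["detail.html"] | {"sms"}}

if __name__ == "__main__":
    print("original:", analyze(API_CATEGORIES, PAGE_CATEGORIES, CALLS, XML_CATEGORY))
    print("tampered:", analyze(TAMPERED_API_CATEGORIES, PAGE_CATEGORIES,
                               TAMPERED_CALLS, XML_CATEGORY))
```

Because Q_XJ is a minimum over all APIs, a single API whose category set is disjoint from X drives Q_XJ to zero; in the tampered sample that, together with the zero-scoring page/API pair, pulls F from 4/9 down to about 0.28.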
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510595733.9A CN105205356B (en) | 2015-09-17 | 2015-09-17 | APP application repackaging detection method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105205356A (en) | 2015-12-30 |
CN105205356B (en) | 2017-12-29 |
Family
ID=54953032
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510595733.9A Active CN105205356B (en) | 2015-09-17 | 2015-09-17 | APP application repackaging detection method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105205356B (en) |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105897923A (en) * | 2016-05-31 | 2016-08-24 | 中国科学院信息工程研究所 | APP installation package network flow identification method |
CN105897923B (en) * | 2016-05-31 | 2019-04-30 | 中国科学院信息工程研究所 | APP installation package network flow identification method |
US10685117B2 (en) | 2016-10-11 | 2020-06-16 | Alibaba Group Holding Limited | Method and apparatus for anti-repackaging |
TWI675310B (en) * | 2016-10-11 | 2019-10-21 | 香港商阿里巴巴集團服務有限公司 | Method and device for preventing repackaging |
CN106951780B (en) * | 2017-02-08 | 2019-09-10 | 中国科学院信息工程研究所 | Static detection method and device for repackaged malicious applications |
CN106951780A (en) * | 2017-02-08 | 2017-07-14 | 中国科学院信息工程研究所 | Static detection method and device for repackaged malicious applications |
CN108958826A (en) * | 2017-05-22 | 2018-12-07 | 北京京东尚科信息技术有限公司 | Method and apparatus for dynamically configuring an application installation package |
CN108958826B (en) * | 2017-05-22 | 2022-06-07 | 北京京东尚科信息技术有限公司 | Method and device for dynamically configuring application installation package |
CN108280647A (en) * | 2018-02-12 | 2018-07-13 | 北京金山安全软件有限公司 | Private key protection method and device for digital wallet, electronic equipment and storage medium |
CN109800575A (en) * | 2018-12-06 | 2019-05-24 | 成都网安科技发展有限公司 | Security detection method for Android application programs |
CN109800575B (en) * | 2018-12-06 | 2023-06-20 | 成都网安科技发展有限公司 | Security detection method for Android application program |
CN109858249A (en) * | 2019-02-18 | 2019-06-07 | 暨南大学 | Rapid intelligent comparison and security detection method for mobile malware big data |
CN109858249B (en) * | 2019-02-18 | 2020-08-07 | 暨南大学 | Rapid intelligent comparison and safety detection method for mobile malicious software big data |
Also Published As
Publication number | Publication date |
---|---|
CN105205356B (en) | 2017-12-29 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: 518055 Guangdong Province, Shenzhen, Nanshan District, Xili, Tsinghua. Applicant after: Graduate School at Shenzhen, Tsinghua University. Address before: 518000 Guangdong Province, Shenzhen, Nanshan District, Xili, Shenzhen Tsinghua Campus of Tsinghua University. Applicant before: Graduate School at Shenzhen, Tsinghua University |
| COR | Change of bibliographic data | |
| GR01 | Patent grant | |