CN105303112B - The detection method and device of component call loophole - Google Patents
Abstract
The invention discloses a detection method and device for component-call vulnerabilities. The method includes: obtaining the source code files of an application program and a component-call vulnerability rule file; performing feature matching on the source code files according to the feature attributes stored in the rule file, so as to extract the callers that carry hijacking risk and form a calling risk list, where the rule file stores the feature attributes that identify a caller as carrying hijacking risk; automatically constructing a calling detection module based on the calling risk list; and detecting the callers in the calling risk list with the calling detection module to obtain a safety detection result for each caller. The invention solves the technical problem that the prior art cannot determine whether a system's component-call program carries hijacking risk.
Description
Technical field
The present invention relates to the field of computer networks, and in particular to a detection method and device for component-call vulnerabilities.
Background technology
With the development of the mobile Internet, thousands of diverse application programs (apps) have emerged on mobile platforms, so that people's lives increasingly depend on smart mobile devices. On a mobile terminal, the components within an application, and the components of different applications, call or interact with each other through the component-call program Intent.
For example, in the Android system, Intent is the link through which different components communicate, and it implements the data interaction between them. An Intent may include an action in an application's function-call flow, a description of the data the action involves, and additional data; an Android application can call the corresponding component according to this Intent description. Intent therefore acts as an intermediary between Android components: it provides the information needed for components to call each other and decouples the caller from the callee.
In addition, the Android system opens many external broadcast interfaces so that calling or interaction with various third-party products is possible. In Android, components are the basis of an app and are used to build the app's functionality and services; among them, the Broadcast Receiver component receives and responds to broadcasts. Android thus provides a mechanism for propagating data between components on the basis of broadcasts; these components may live in different processes, so the mechanism serves as inter-process communication. Through the broadcast mechanism, data interaction between different mobile applications, or within a single application, can be realised. Broadcast hijacking means that, after a broadcast is sent, it may escape the current app and be maliciously hijacked by other apps, because no receiving component was explicitly specified. For messages on Android, inter-component communication is implemented through Intent, and the loose nature of this communication mechanism makes component communication prone to risk: a rogue program registers a component that matches the Intent messages of a legitimate application, receives the Intent messages the legitimate application sends out, and thereby creates hijacking risks such as information leakage and malicious phishing.
For the problem that the prior art cannot determine whether a system's component-call program carries hijacking risk, no effective solution has yet been proposed.
Invention content
Embodiments of the present invention provide a detection method and device for component-call vulnerabilities, at least to solve the technical problem that the prior art cannot determine whether a system's component-call program carries hijacking risk.
According to one aspect of an embodiment of the invention, a detection method for component-call vulnerabilities is provided. The method includes: obtaining the source code files of an application program and a component-call vulnerability rule file; performing feature matching on the source code files of the application according to the feature attributes stored in the rule file, so as to extract the callers that carry hijacking risk and form a calling risk list, where the rule file stores the feature attributes that identify a caller as carrying hijacking risk; automatically constructing a calling detection module based on the calling risk list; and detecting the callers in the calling risk list with the calling detection module to obtain the safety detection results of the callers.
According to another aspect of an embodiment of the invention, a detection device for component-call vulnerabilities is also provided. The device includes: an acquisition module for obtaining the source code files of the application and the component-call vulnerability rule file; a building module for performing feature matching on the source code files of the application according to the feature attributes stored in the rule file, so as to extract the callers that carry hijacking risk and form a calling risk list, where the rule file stores the feature attributes that identify a caller as carrying hijacking risk; and a detection module for automatically constructing a calling detection module based on the calling risk list and detecting the callers in the calling risk list with it, so as to obtain the safety detection results of the callers.
In embodiments of the invention, the source code files of the application and the component-call vulnerability rule file are obtained; feature matching is performed on the source code files according to the feature attributes stored in the rule file, so that the callers carrying hijacking risk are extracted into a calling risk list; a calling detection module is constructed automatically from that list; and the callers in the list are detected with the module to obtain their safety detection results. In this way, after feature matching on the application's source code, the set of files whose callers are at high risk of being hijacked is obtained. For these callers, a corresponding test device is constructed to automate the testing of callers: a test caller is constructed and sent to the corresponding application, and the result fed back by the application's component determines whether the caller in the application is safe. This solves the technical problem that the prior art cannot determine whether a system's component-call program carries hijacking risk, and makes it possible to determine that a calling component or caller in the current application is at high risk of being hijacked.
Description of the drawings
The accompanying drawings described here provide a further understanding of the invention and form part of this application; the illustrative embodiments of the invention and their description serve to explain the invention and do not improperly limit it. In the drawings:
Fig. 1 is a hardware block diagram of a mobile terminal for running the method for detecting component-call vulnerabilities of an application according to an embodiment of the invention;
Fig. 2 is a flow chart of the method for detecting component-call vulnerabilities of an application according to embodiment one of the invention;
Fig. 3 is a detailed flow chart of the broadcast safety detection method according to embodiment one of the invention;
Fig. 4 is a schematic flow chart of the method of reverse-engineering the compressed installation package of an application and converting it into Java source code, according to embodiment one of the invention;
Fig. 5 is a schematic diagram of the detection device for component-call vulnerabilities according to embodiment two of the invention;
Fig. 6 is a schematic diagram of an optional detection device for component-call vulnerabilities according to embodiment two of the invention;
Fig. 7 is a schematic diagram of an optional detection device for component-call vulnerabilities according to embodiment two of the invention;
Fig. 8 is a schematic diagram of an optional detection device for component-call vulnerabilities according to embodiment two of the invention;
Fig. 9 is a schematic diagram of an optional detection device for component-call vulnerabilities according to embodiment two of the invention; and
Fig. 10 is a structural diagram of a mobile terminal according to an embodiment of the invention.
Specific implementation mode
To enable those skilled in the art to better understand the solution of the present invention, the technical solution in the embodiments of the invention is described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some, not all, of the embodiments of the invention. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
It should be noted that the terms "first", "second" and so on in the description, claims and drawings are used to distinguish similar objects and not to describe a specific order or sequence. Data so described may be interchanged where appropriate, so that the embodiments described here can be implemented in an order other than that illustrated or described. In addition, the terms "comprising" and "having" and any variants of them are intended to cover non-exclusive inclusion: a process, method, system, product or device that contains a series of steps or units is not necessarily limited to the steps or units clearly listed, but may include other steps or units that are not clearly listed or that are inherent to that process, method, product or device.
The terms and concepts involved in this application are explained below:
Android: a free and open-source operating system based on Linux, mainly used for mobile devices such as smartphones and tablet computers; its market share among smartphones currently reaches 80%.
Reverse engineering: also called the reversal technique, refers to dismantling and analysing the structure, algorithms and code of software or an application by decrypting, disassembling or decompiling the executable program or application.
App: here refers to an application program running on the Android platform.
APK: abbreviation of Application Package File, the file format of an Android application installation package.
Intent component: the link through which different Android components communicate; it encapsulates the conditions for communication between components.
Implicit call: the name of the target component is not explicitly defined, so the caller does not know whom it will call, only the action to perform; the system selects a component to handle the request.
Explicit call: the name of the target component is defined, so the caller knows whom it will call; the specific callee is specified by component name.
In explicit Intent information, the component name is the only element that determines the target component; therefore, if the Intent has exactly defined the name of the target component, no other Intent content needs to be defined.
For implicit Intent information, no target component name is specified, so the Android system must help the application match the Intent request to the component that best fits the intention.
Embodiment 1
An embodiment of the invention provides a method for detecting component-call vulnerabilities of an application. It should be noted that the steps shown in the flow charts of the drawings may be executed in a computer system such as a set of computer-executable instructions, and that although a logical order is shown in the flow charts, in some cases the steps shown or described may be executed in an order different from the one given here.
The method embodiment provided by embodiment one of this application can be executed in a mobile terminal or a similar communication device. Taking execution on a mobile terminal as an example, Fig. 1 is a hardware block diagram of a mobile terminal for running the method for detecting component-call vulnerabilities of an application according to an embodiment of the invention. As shown in Fig. 1, the mobile terminal 10 may include one or more processors 102 (only one is shown in the figure; the processor 102 may include, but is not limited to, a processing unit such as a microprocessor MCU or a programmable logic device FPGA), a memory 104 for storing data, and a transmitting device 106 for communication functions.
Those skilled in the art will appreciate that the structure shown in Fig. 1 is only illustrative and does not limit the structure of the above electronic device. For example, the mobile terminal 10 may include more or fewer components than shown in Fig. 1, or have a configuration different from the one shown in Fig. 1.
The memory 104 can be used to store the software programs and modules of application software, such as the program instructions/modules corresponding to the method for detecting component-call vulnerabilities of an application in the embodiment of the invention, together with the corresponding database data. The processor 102 performs various functional applications and data processing by running the software programs and modules stored in the memory 104; that is, it implements the above detection method for component-call vulnerabilities. The memory 104 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some instances, the memory 104 may further include memory located remotely from the processor 102, and such remote memory may be connected to the mobile terminal 10 through a network. Examples of such a network include, but are not limited to, the Internet, an enterprise intranet, a local area network, a mobile communication network, and combinations of these.
The transmitting device 106 is used to receive or transmit data via a network. Specific examples of the network may include a wireless network provided by the communication provider of the mobile terminal 10. In one example, the transmitting device 106 may include a network adapter (Network Interface Controller, NIC), which can connect to other network devices through a base station so as to communicate with the Internet. In another example, the transmitting device 106 is a radio frequency (RF) module used to communicate with the Internet wirelessly.
In the above running environment, this application provides the method for detecting component-call vulnerabilities of an application shown in Fig. 2. Fig. 2 is a flow chart of the method for detecting component-call vulnerabilities of an application according to embodiment one of the invention. As shown in Fig. 2, the method may include the following implementation steps:
Step S20: the source code files of the application and the component-call vulnerability rule file can be obtained by the processor 102 in Fig. 1.
In conjunction with Fig. 3 it is found that by taking Android android system as an example, the source generation of the application program in the application above-mentioned steps S20
Code file can be java source code file collection, the source code file of application program can by the installation kit to application program into
The processing of row reverse-engineering obtains.
The component-call vulnerability rule file in step S20 can store the feature attributes that identify a caller as carrying hijacking risk. The caller can be an Intent component of the implicit-call type, or a broadcast component containing Intent data of the implicit-call type.
It should be noted here that in the Android system, after an implicit-call Intent is constructed in a calling function of an application, the application system matches the corresponding component according to the intention of this Intent request and executes the function of the matched component according to the description or operation in the Intent.
The system finds the component that best matches the intention of the Intent request in the following way: Android compares the request content of the Intent with the filters of the callable components and obtains all possible target components. If the Intent filter of a component in the calling file matches the content of the implicit-call request, that component is determined to be the target component of the implicit-call Intent.
Step S22: the processor 102 in Fig. 1 can perform feature matching on the source code files of the application according to the feature attributes stored in the component-call vulnerability rule file, so as to extract the callers that carry hijacking risk and form a calling risk list, where the rule file stores the feature attributes that identify a caller as carrying hijacking risk.
Still taking the Android operating system as an example, the caller may be an Intent component registered in advance in the application, or a broadcast component registered in the application. When a broadcast component sends a broadcast request, a Broadcast Receiver can be registered in the operating system by adding a receiver tag in the system manifest file.
In conjunction with Fig. 3 it is found that it is found that calling the calling in Risk list in above-described embodiment for building Intent components
Program Intent can carry out feature according to component call loophole rule file to reverse-engineering treated source code file
Match and obtains.
Step S24: the processor 102 in Fig. 1 can automatically construct a calling detection module based on the calling risk list.
In conjunction with Fig. 3 it is found that the construction in above-mentioned steps S24 calls the process of detection module that can pass through the spy of caller
Attribute is levied, carries out corresponding simulation process to realize.
Step S26: the processor 102 in Fig. 1 can detect the callers in the calling risk list with the calling detection module to obtain the safety detection results of the callers.
As can be seen in conjunction with Fig. 3, still taking the Android operating system as an example, the above test process can simulate the construction of a new caller for an existing caller in the application, inject the simulated caller into the Android device under detection once the execution conditions are met, and thus obtain the safety detection result of the caller in the Android system.
The above embodiments of this application provide a universal method for automatically detecting caller (Intent) hijacking vulnerabilities in the Android operating system. The scheme determines the callers that carry hijacking risk according to the feature attributes in the component-call vulnerability rule base, forms a calling risk list, and then uses the calling detection module to perform safety monitoring of the callers in the calling risk list, finally obtaining the safety monitoring result.
It follows that in the above embodiments of the present application, after carrying out characteristic matching to the source program code of application program,
The file set that can obtain the caller that there is high risk to be held as a hostage, it is corresponding by constructing for these callers
Test device can construct test caller and be sent to corresponding application to realize the automated testing method of caller
Program, the result fed back by the component of application program determine in application program for caller whether safety, thus
Solving the prior art can not determine that the component call program of system there is technical issues that kidnap, and may thereby determine that and work as
Invocation component or caller in preceding application program are held as a hostage with high risk.
It should be noted here that steps S20 to S26 provided by the above embodiments can be run on a mobile terminal with the Android operating system installed. In implementation, the mobile terminal in the above embodiments can be a client on which the Android operating system is installed. Taking the Android operating system as an example, the embodiment shown in Fig. 1 and Fig. 2 implements the process of obtaining the safety detection result of the callers injected into the application under detection. The detection process mainly includes: after the installation package of the Android application is converted into a set of Java source code by reverse-engineering technology, the callers carrying hijacking risk are screened out according to the component-call vulnerability rule file preset and stored in the rule base, and an as yet unverified calling risk list of callers with high hijacking risk is determined.
In the scheme provided by embodiment one of this application, the acquisition of the source code files of the application in step S20 can be implemented by the following steps:
Step S201: read the installation file of the application. The installation file in step S201 can be a compressed package document, the APK.
Step S203: decompress the installation file of the application to obtain the class file set and the binary manifest. The APK document can be decompressed with 7z.exe; the decompressed files contain the class file set (classes.dex) and the binary manifest (the binary AndroidManifest.xml document).
Step S205: decompile the class file set using the reversal technique to generate the source code files of the application, and convert the binary manifest into the system manifest file.
The reversal technique may include a variety of implementation methods such as disassembly and decompilation; this application uses decompilation to obtain the source code files of the application.
It should be noted here that in the Android operating system, AndroidManifest.xml is the core configuration document of an application (app) and defines the details of most of the app's components. This application can convert the binary AndroidManifest.xml document into a readable XML document with the Java program AXMLPrinter2.jar. In addition, classes.dex is the binary file produced by compiling the app's source code, and it can be decompiled into Java source code by tools such as dex2jar and jad.exe.
The process of obtaining the source code files of the application is described in detail below in conjunction with Fig. 4.
The APK reverse module is the first and crucial step of static analysis of Android applications: it takes the Android application installation package as input and outputs Java source code. The APK reverse process is divided into APK unpacking, dex2jar, jar unpacking and batch decompilation. As shown in Fig. 4, the specific steps are:
First, after the APK installation package of the Android app is input, the APK package is decompressed to obtain the classes.dex file. The decompression can be done with 7z.exe.
Then, the classes.dex file is decompiled with programs such as dex2jar and jad.exe to generate Java code. This step may include: first converting classes.dex into a jar file, then decompressing the jar file to obtain the set of class files.
Finally, the class files are batch-decompiled into a set of Java source files.
In addition, the AndroidManifest.xml document must be converted with the AXMLPrinter2.jar program to generate an XML document.
It follows that this application provides a scheme for implementing an Intent interface risk detection module in the Android operating system: after the Java source code set of the application is obtained by the APK reversal technique, data extraction is performed on the source code set according to the feature attributes recorded in the component-call vulnerability rule file to obtain the calling risk list, which at least saves the source code programs with hijacking risk and automatically generates the Intent list names of the list.
Preferably, in the above embodiments of this application, the feature attributes may include any one or more of the following features: the implicit-call feature of the caller, the broadcast type, the send-broadcast flag, and the explicit-call feature of the caller. Accordingly, step S22, which performs feature matching on the application's source code files according to the feature attributes stored in the component-call vulnerability rule file so as to extract the callers carrying hijacking risk and form the calling risk list, may include any one or more of the following implementations:
Mode one: extract the source code containing the implicit-call feature from the source code files of the application, obtaining the callers that carry hijacking risk.
Mode one is described in detail below:
In the Android operating system, when the caller is an Intent component, the calls implemented by Intent components include implicit calls and explicit calls, and the two have clearly different features. The features of the two calling methods are described below:
A caller using the explicit calling method contains at least one of the following features:
intent.setClass(getApplicationContext(), Activity.class);
intent.setClassName("com.example.app", "com.example.app.activity");
intent.setComponent(new ComponentName("com.example.app", ".activity"));
A caller using the implicit calling method contains at least the following features:
intent.setAction(Intent.ACTION);
startActivity(intent);
Since the implicit-call features do not include information such as the name of the target component, the implicit call is an Intent calling method that carries a security risk. The detection rule formulated for the implicit-call feature can therefore be defined as: if the application's source code files contain an implicit-call feature, such as Intent.setAction(), extract the source code containing the implicit-call feature as a caller carrying hijacking risk. That is, detect whether the source code of the app under analysis contains a call to a method such as "intent.setAction"; if it does, the application can be regarded as an app that contains hijacking risk.
It should be noted here that in the scheme provided by this application, after the source code containing the implicit-call feature has been extracted from the application's source code files, the extracted files can be directly regarded as callers with a hijacking vulnerability.
Mode two: extract from the source code files of the application the source code containing the broadcast type, the send-broadcast flag and the implicit-call feature of the caller, obtaining the callers that carry hijacking risk.
Mode two is described in detail below, taking the Android operating system as an example:
In the Android operating system, when the caller is a broadcast, a registered Broadcast Receiver can be built. A Broadcast Receiver can be statically registered in the operating system by adding a receiver tag in the system manifest file, without first starting the application; alternatively, a Broadcast Receiver can be developed inside the application, and this receiver class or object can then be registered in the Android operating system to realise dynamic registration.
Since the broadcast file here contains the broadcast type, the send-broadcast flag and the feature source code of the caller's implicit-call Intent, only the broadcast name recorded in the broadcast type needs to be obtained when the caller is later simulated.
It should be noted here that the broadcast type is characterised by any one or more of the following parameters: LocalBroadcastManager, android.support.v4.content.LocalBroadcastManager, LocalBroadcastManager.getInstance.
The send-broadcast flag can be characterised by the parameter sendBroadcast, and the feature source code of the caller's implicit-call Intent may include any one or more of the following parameters: setAction(), putExtra.
That is, if the broadcast file is detected to contain a broadcast-type parameter using any one or more of the above parameters (LocalBroadcastManager, LocalBroadcastManager.getInstance and android.support.v4.content.LocalBroadcastManager), to contain the parameter setAction() and/or putExtra that characterises the current caller as an implicit call, and to contain the parameter sendBroadcast that indicates sending a broadcast, the broadcast file can be regarded as at risk of being hijacked.
Mode three: extract from the source code files of the application the source code that does not contain the explicit-call feature, obtaining the callers that carry hijacking risk.
This scheme detects whether the current caller is a method call of a non-explicit calling pattern, that is, one that does not contain the following explicit calling methods: if the caller contains any one or more of the parameters setClass, setClassName, setComponent, the caller is an explicit call, and it can be confirmed that the caller is not at risk of being hijacked.
Analysing the schemes provided by mode one and mode two shows that the condition of mode three is contained in their rules for determining hijacking risk; that is, mode three is a necessary condition of mode one and mode two, and it can therefore also serve as a supplementary condition of mode one and mode two for determining the callers with hijacking risk in the application program.
It should further be noted that any one, two or all three of the rule modes provided by the present application may be selected and applied to the extraction of callers with hijacking risk. When all three modes are used, they may be applied one after another in sequence, and the extraction order of the three modes may be combined arbitrarily; the present application does not limit this.
Based on the above three ways of determining callers with hijacking risk, in an optional embodiment that the present application can provide, steps S24 and S26 (automatically constructing the call detection module based on the call risk list, and detecting the callers in the call risk list based on the call detection module to obtain the safety detection result of the caller) can be implemented by the following scheme:
Step S241: the call detection module simulates the caller in the call risk list to obtain the calling test program corresponding to the caller.
Step S241 performs simulation processing on the caller with hijacking risk, i.e. it simulates the test program corresponding to the caller.
The simulation process of step S241 is as follows: first, iterate over the obtained call risk list; then read information such as the function name, type and function content of the caller in the call risk list; then build a new caller from the information read, i.e. simulate a new caller that is similar to the original caller but has the hijacking property, which yields a calling test program corresponding to the caller. At this point, once the calling test program has been injected at a predetermined position in the program source file, a complete hijacking process can be simulated: after the application program runs to the calling test program, the hijacking of the corresponding target application program (app) is executed.
Step S243: pass the calling test program to the application program.
Step S243 may pass the calling test program to the application program by means of a call instruction, whose format is: adb install [test program name].
Analysis shows that the core code by which the caller simulated in step S241 is passed to the application program in step S243 and the hijacking is realized can be as follows:
// build an Intent for the component recorded under processName (mHashMap is the lookup map used by this code)
Intent hijackIntent = new Intent(getBaseContext(), mHashMap.get(processName));
// the flag places the started activity at the top of a new task
hijackIntent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
getApplication().startActivity(hijackIntent);
It can be noted that the key realization principle of this code is the setting of the flag bit Intent.FLAG_ACTIVITY_NEW_TASK, which places the started activity at the top of the stack. In other words, by setting the flag bit, the calling test program obtained by simulation is placed in front of the caller in the application program, or directly replaces the caller. Taking an interface of the application program as an example, the above scheme can replace the interface of the normal application program (for example its login interface) with a forged interface from the calling test program, thereby realizing the hijacking of the normal application.
Step S245: send a call request to the application program according to the calling test program. If the application program successfully returns a call result, or the returned call result is not empty, step S247 is executed; if the application program does not return a call result, or the returned call result is empty, step S249 is executed.
Step S247: determine that the safety detection result is that the caller has a hijacking vulnerability.
Step S249: determine that the safety detection result is that the caller has no hijacking vulnerability.
Based on the above three ways of determining callers with hijacking risk, in another optional embodiment that the present application can provide, steps S24 and S26 (automatically constructing the call detection module based on the call risk list, and detecting the callers in the call risk list based on the call detection module to obtain the safety detection result of the caller) can be implemented by the following scheme:
Step S261: the call detection module extracts the broadcast name of the caller in the call risk list.
Step S262: register the corresponding broadcast receiver in the application program according to the broadcast name.
Step S263: simulate the caller in the call risk list to obtain the test broadcast corresponding to the caller.
Step S264: send the test broadcast containing the calling test program to the corresponding broadcast receiver in the application program.
Step S265: extract the call result returned by the calling test program contained in the test broadcast. If the broadcast receiver successfully returns a call result, or the returned call result is not empty, step S266 is executed; if the broadcast receiver does not return a call result, or the returned call result is empty, step S267 is executed.
Step S266: determine that the safety detection result is that the caller has a hijacking vulnerability.
Step S267: determine that the safety detection result is that the caller has no hijacking vulnerability.
Preferably, in another alternative embodiment, steps S263 and S267 can also determine whether the caller has a hijacking vulnerability by the following scheme: after the caller in the call risk list has been simulated and the test broadcast corresponding to the caller obtained, detect whether the test broadcast contains the calling test program (the calling test program refers to the caller determined, by the detection method provided by the invention, to have hijacking risk). If the test broadcast does not contain the calling test program, it can be determined that the safety detection result is that the caller has no hijacking vulnerability; if the test broadcast contains the calling test program but the parameters of the calling test program are empty, it can likewise be determined that the safety detection result is that the caller has no hijacking vulnerability; and if the test broadcast in the application program contains the calling test program and the parameters of the calling test program are not empty, it can be determined that the safety detection result is that the caller has a hijacking vulnerability.
Preferably, the simulation of the caller in the call risk list in step S263, which obtains the test broadcast corresponding to the caller, can be implemented by the following steps:
Step S2631: obtain the component name and component feature of each caller in the call risk list.
Step S2633: construct the broadcast corresponding to the caller from the component name and component feature, generating the test broadcast.
It should be noted here that this scheme simulates each caller with hijacking risk: after the corresponding calling test program has been constructed, the debugging test result is sent to the application program to simulate the caller's calling process, and the result with which the tested application program (app) responds is used to test whether the caller currently being simulated is a component with a risky vulnerability.
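The construction of a test broadcast from one risk-list entry (steps S2631 and S2633) and the three-way decision of steps S265 to S267 in the alternative embodiment above, as an added Python example that is not part of the patent's own code. It assumes that the entry is the run of source lines the static scan recorded for one broadcast caller, that the component name is the action string passed to setAction and the component feature is the set of putExtra keys, and that the registered receiver hands back either nothing or the action and extras it received; the sample entry and the probe values are constructed.

```python
"""Derive a test broadcast from one call-risk-list entry and judge the reply.

Added example, not the patent's code. It mirrors steps S2631/S2633 (take the
component name and feature of the caller, construct the test broadcast) and
the decision of steps S265 to S267 with the refinement of the alternative
embodiment: the reply must carry the calling test program and its parameters
must be non-empty for the caller to count as having a hijacking vulnerability.
"""
import re
from dataclasses import dataclass

# Constructed risk-list entry: the source lines recorded for one broadcast caller.
RISK_ENTRY = """\
Intent evt = new Intent();
evt.setAction("com.example.bank.LOGIN_OK");
evt.putExtra("user", user);
evt.putExtra("session", sessionId);
LocalBroadcastManager.getInstance(this).sendBroadcast(evt);
"""

# Assumed mapping: component name = action string, component feature = extra keys.
ACTION_RE = re.compile(r'setAction\(\s*"([^"]+)"\s*\)')
EXTRA_RE = re.compile(r'putExtra\(\s*"([^"]+)"\s*,')


@dataclass
class TestBroadcast:
    action: str    # the broadcast name: what the receiver of step S262 registers for
    extras: dict   # the calling test program's parameters, filled with probe values


def build_test_broadcast(entry: str) -> TestBroadcast:
    """Steps S2631/S2633: read component name and feature from the entry and
    construct the corresponding test broadcast; probe values are placeholders."""
    action = ACTION_RE.search(entry)
    if action is None:
        raise ValueError("entry carries no setAction: not an implicit broadcast caller")
    extras = {key: f"probe-{key}" for key in EXTRA_RE.findall(entry)}
    return TestBroadcast(action.group(1), extras)


def judge(test: TestBroadcast, reply) -> str:
    """Steps S265 to S267. `reply` is what the registered receiver handed back:
    None when nothing was returned, else a dict with the action and extras seen."""
    if reply is None or reply.get("action") != test.action:
        return "no hijacking vulnerability"   # calling test program absent from the reply
    if not reply.get("extras"):
        return "no hijacking vulnerability"   # test program present, but its parameters empty
    return "hijacking vulnerability"          # present and parameters non-empty


if __name__ == "__main__":
    tb = build_test_broadcast(RISK_ENTRY)
    print(tb)
    # a receiver that echoes the full test broadcast back is the vulnerable case
    print(judge(tb, {"action": tb.action, "extras": tb.extras}))
```

An entry without setAction raises, because without an action there is no broadcast name to register a receiver for; the scan that feeds this step should already have filtered such callers out.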
In summary, in embodiment one of the present application, on the Android operating system and taking an Intent as the caller, the process of detecting whether an intent component has a hijacking vulnerability can be divided into three parts. First part: reverse-engineering the installation package (APK) of the application program to obtain the source code of the application program (i.e. the java source code set) and the system manifest file (the AndroidManifest.xml file used to register broadcasts). Second part: matching the source code file of the application program against the component-call vulnerability rule file to obtain the call risk list (intent list) corresponding to the intent components, where the component-call vulnerability rule file stores the feature data contained in callers with hijacking risk. Third part: according to the obtained intent list, simulate sending intent requests to the application program and examine the data the application program returns; if the return fails, or the return succeeds but the returned data is empty, the currently detected intent component is determined to have no hijacking vulnerability, and if the return succeeds and the returned data is not empty, the currently detected intent component is determined to have a hijacking vulnerability.
The detailed process of the detection system is as follows:
First, input the APK installation package of the Android application and obtain the component-call vulnerability rule file, in which the feature data of the broadcast component vulnerability rules characterizes the above component-call vulnerability rules. As mentioned above, obtaining the call risk list by matching the component-call vulnerability rules may be done in three modes.
Then, the APK reversing module receives the APK installation package and converts it into a set of java source code files by reverse decompilation:
(1) Decompress the APK installation package to obtain the classes.dex file.
(2) Convert classes.dex into a jar file using the dex2jar program.
(3) Decompress the jar file to obtain the class files and their directory structure.
(4) Batch-decompile the class files to obtain the java source files and their directory structure.
Then, for each unchecked java source code file in the java source code file directory structure, open the file and perform the following operations:
a1. Read the content of the source code file line by line: read the next (or first) line of text and execute b1.
b1. Match the feature data recorded in the component-call vulnerability rule file for intent callers determined to have hijacking risk, as rules, against the content of the source code file (if a rule needs multiple lines to match, subsequent lines of text are read automatically). If the match succeeds, record the source code line text in the source program code where the registered feature data occurs, and jump to d1; otherwise jump to c1.
c1. If the current line of text is not the end-of-file line of the source program code, return to step a1; otherwise jump to step d1.
d1. Perform detection processing on the intent call methods obtained by matching. The detection process comprises the following steps: first, the source code text information recorded in b1 to c1 as having hijacking risk is submitted to the automatically constructed intent detection module, and the intent detection module constructs intent requests and sends them into the system of the application program; then, whether the intent program has a hijacking vulnerability is determined by detecting whether data is returned successfully and whether the returned data is empty: if data is returned successfully, or data is not only returned successfully but is also not empty, the hijacking succeeded, and otherwise the program has no hijacking vulnerability; finally, the set of intent programs on the mobile terminal for which hijacking succeeded is collected as the final detection result of the system.
e1. Clean up temporary files. The temporary files generated during reverse-engineering processing are cleaned up to reduce the waste of system resources.
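The rule matching of modes one to three and the line-by-line match loop a1 to c1 above, as an added Python example that is not part of the patent's own code. The rule tokens (setAction, putExtra, setClass, setClassName, setComponent, LocalBroadcastManager and its variants, sendBroadcast) come from the rules stated earlier on this page; the anchor token new Intent( for mode one, the five-line match window and the sample java source are assumptions. Mode three is applied as an exclusion inside the other two rules, consistent with the earlier note that it is a necessary condition of modes one and two.

```python
"""Rule-driven scan of decompiled java source for callers with hijacking risk.

Added example, not the patent's code: the rule modes (mode one: implicit
Intent; mode two: implicit local broadcast; mode three: absence of explicit-call
features) run as the line-by-line match loop a1 to c1 and produce the call
risk list that step d1 would hand to the detection module.
"""
from dataclasses import dataclass

# Feature parameters named in the rules. The exact trigger for mode one is not
# spelled out in this section, so "new Intent(" is assumed as its anchor token.
INTENT_CTOR = ("new Intent(",)
IMPLICIT_FEATURES = ("setAction(", "putExtra(")
EXPLICIT_FEATURES = ("setClass(", "setClassName(", "setComponent(")
BROADCAST_TYPE = ("LocalBroadcastManager",
                  "android.support.v4.content.LocalBroadcastManager",
                  "LocalBroadcastManager.getInstance(")
SEND_FLAG = ("sendBroadcast(",)


@dataclass(frozen=True)
class Rule:
    name: str
    required: tuple   # groups of alternative tokens; each group needs one hit
    excluded: tuple   # mode three: any explicit-call feature cancels the match
    span: int = 5     # a rule may need several lines, so read this many on (assumed)


RULES = (
    Rule("mode one: implicit Intent",
         required=(INTENT_CTOR, IMPLICIT_FEATURES),
         excluded=EXPLICIT_FEATURES),
    Rule("mode two: implicit local broadcast",
         required=(INTENT_CTOR, BROADCAST_TYPE, SEND_FLAG, IMPLICIT_FEATURES),
         excluded=EXPLICIT_FEATURES),
)


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int     # 1-based line where the matched window starts
    text: str     # the recorded source line (step b1)


def scan_source(source: str, rules=RULES) -> list:
    """Steps a1 to c1: walk the file line by line; when a line carries the
    rule's anchor token, read `span` lines on and test the whole window."""
    lines = source.splitlines()
    findings = []
    for rule in rules:
        for i, line in enumerate(lines):
            if not any(tok in line for tok in rule.required[0]):
                continue
            window = "\n".join(lines[i:i + rule.span])
            hit = all(any(tok in window for tok in group) for group in rule.required)
            if hit and not any(tok in window for tok in rule.excluded):
                findings.append(Finding(rule.name, i + 1, line.strip()))
    return findings


def build_risk_list(source: str) -> dict:
    """The call risk list: matched line number -> names of the rules it satisfied."""
    risk = {}
    for f in scan_source(source):
        risk.setdefault(f.line, []).append(f.rule)
    return risk


# Constructed sample standing in for one decompiled java source file.
SAMPLE_SOURCE = """\
public class LoginActivity extends Activity {
    void openSettings() {
        Intent explicit = new Intent();
        explicit.setClass(this, SettingsActivity.class);
        startActivity(explicit);
    }
    void openPayment(String token) {
        Intent pay = new Intent();
        pay.setAction("com.example.bank.PAY");
        pay.putExtra("token", token);
        startActivity(pay);
    }
    void notifyLogin(String user) {
        Intent evt = new Intent();
        evt.setAction("com.example.bank.LOGIN_OK");
        evt.putExtra("user", user);
        LocalBroadcastManager.getInstance(this).sendBroadcast(evt);
    }
}
"""

if __name__ == "__main__":
    for line_no, rules_hit in sorted(build_risk_list(SAMPLE_SOURCE).items()):
        print(f"line {line_no}: {', '.join(rules_hit)}")
```

Running the module prints the call risk list for the sample: the explicit call in openSettings is not listed, the implicit activity start in openPayment matches mode one, and the local broadcast in notifyLogin satisfies both rules, which is what the earlier remark that the modes can be combined implies.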
It follows that the above example realizes a method that automatically reverses an Android application installation package into java source code and, after obtaining the rule set for detecting whether a caller (such as an intent) on the Android platform is safe, applies it to Android to detect safety by automatically sending intent requests.
In another embodiment provided by the present application, on the Android operating system and taking a broadcast as the caller, the process of detecting whether a broadcast has a hijacking vulnerability can likewise be divided into three parts. First part: reverse-engineering the installation package (APK) of the application program to obtain the source code of the application program (i.e. the java source code set) and the system manifest file (the AndroidManifest.xml file used to register broadcasts). Second part: matching the source code file of the application program against the component-call vulnerability rule file to obtain the broadcast call risk list made up of the broadcasts with hijacking risk, where the component-call vulnerability rule file stores the feature data contained in callers with hijacking risk. Third part: according to the obtained broadcast call risk list, simulate the test broadcast corresponding to the caller and examine the data the application program returns; if the broadcast receiver successfully returns a call result or the returned call result is not empty, the currently detected broadcast is determined to have a hijacking vulnerability, and if the broadcast receiver does not return a call result or the returned call result is empty, the currently detected broadcast is determined to have no hijacking vulnerability.
The detailed process of the detection system is as follows:
First, input the APK installation package of the Android application and obtain the component-call vulnerability rule file, in which the feature data of the broadcast component vulnerability rules characterizes the above component-call vulnerability rules. As mentioned above, obtaining the call risk list by matching the component-call vulnerability rules may be done in three modes.
Then, the APK reversing module receives the APK installation package and converts it into a set of java source code files by reverse decompilation:
(1) Decompress the APK installation package to obtain the classes.dex file.
(2) Convert classes.dex into a jar file using the dex2jar program.
(3) Decompress the jar file to obtain the class files and their directory structure.
(4) Batch-decompile the class files to obtain the java source files and their directory structure.
Then, for each unchecked java source code file in the java source code file directory structure, open the file and perform the following operations:
a2. Read the content of the source code file line by line: read the next (or first) line of text and execute b2.
b2. Match the feature data recorded in the component-call vulnerability rule file for intent callers determined to have hijacking risk, as rules, against the content of the source code file (if a rule needs multiple lines to match, subsequent lines of text are read automatically). If the match succeeds, record the source code line text in the source program code where the registered feature data occurs, and jump to d2; otherwise jump to c2.
c2. If the current line of text is not the end-of-file line of the source program code, return to step a2; otherwise jump to step d2.
d2. Perform detection processing on the broadcast call methods obtained by matching. The detection process comprises the following steps: first, the source code text information recorded in b2 to c2 as having hijacking risk, i.e. the call risk list (such as the intent risk list), is submitted to the automatically constructed intent detection module; then, according to the detected call risk list (such as the intent risk list), the name of the corresponding broadcast in the target program is extracted from the call risk list, and a broadcast receiver is registered in the application program according to this broadcast name; then, according to the obtained target program, a simulated test broadcast is sent to the application program, and it is detected whether the broadcast contains the caller's data (which can serve as the intent data of the calling test program); finally, whether the broadcast is at risk of hijacking is determined by detecting whether the broadcast contains the calling test program and by parsing the parameter data contained in the calling test program. If the broadcast contains the calling test program and the parameter data contained in the intent data serving as the calling test program is not empty, the broadcast containing the calling test program has a data-leak risk; if the broadcast does not contain the calling test program, or contains the calling test program but the parameter data contained in the intent data serving as the calling test program is empty, it can be confirmed that the above broadcast has no data-leak risk.
e2. Clean up temporary files.
In the above embodiment, cleaning up the temporary files generated during reverse-engineering processing can reduce the waste of system resources.
It follows that the present application realizes a method that automatically reverses an Android application installation package into java source code and, after obtaining the rule set for detecting whether a caller (such as a broadcast containing intent data) on the Android platform is safe, applies it to Android to detect safety by automatically sending broadcast requests.
It should be noted that, for simplicity of description, each of the above method embodiments is expressed as a series of action combinations, but those skilled in the art should understand that the present invention is not limited by the described action sequence, because according to the present invention certain steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in this description are preferred embodiments, and that the actions and modules involved are not necessarily required by the present invention.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method of the above embodiments can be realized by software plus the necessary general hardware platform, and of course also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, magnetic disk or optical disc), including several instructions for causing a terminal device (which may be a mobile phone, a computer, a server or a network device, etc.) to execute the method described in each embodiment of the present invention.
Embodiment 2
According to an embodiment of the present invention, a device embodiment for implementing the above method embodiment is also provided. Fig. 5 is a schematic diagram of a detection device for component-call vulnerabilities according to embodiment two of the present invention.
As shown in Fig. 5, the detection device for component-call vulnerabilities may include: an acquisition module 50, a construction module 52 and a detection module 54.
Here, the acquisition module 50 is used to obtain the source code file of the application program and the component-call vulnerability rule file; the construction module 52 is used to perform feature matching on the source code file of the application program according to the feature data stored in the component-call vulnerability rule file, so as to extract the callers with hijacking risk and form the call risk list, where the component-call vulnerability rule file is used to store the feature data that determines that a caller has hijacking risk; and the detection module 54 is used to automatically construct the call detection module based on the call risk list and to detect the callers in the call risk list based on the call detection module, obtaining the safety detection result of the caller.
The above embodiment of the present application provides a general device for automatically detecting hijacking vulnerabilities of callers (Intents) in the Android operating system. The scheme determines the callers with hijacking risk according to the feature data in the component-call vulnerability rule base and forms the call risk list, then performs safety monitoring on the callers in the call risk list through the call detection module, finally obtaining the safety monitoring result.
It follows that, in the above embodiment of the present application, after feature matching is performed on the source program code of the application program, the set of files containing callers at high risk of hijacking can be obtained. By constructing the corresponding test device for these callers, an automated test method for callers is realized: test callers can be constructed and sent to the corresponding application program, and the result fed back by the component of the application program determines whether the caller in the application program is safe. This solves the technical problem in the prior art that it cannot be determined whether a system's component callers are at risk of hijacking, and thereby determines the calling components or callers in the current application program that are at high risk of hijacking.
It should be noted here that the acquisition module 50, construction module 52 and detection module 54 provided in the above embodiment of the present application can run on a mobile terminal on which the Android operating system is installed; in implementation, the mobile terminal in the above embodiment can be a client on which the Android operating system is installed. Taking the Android operating system as an example, the embodiment shown by the above device realizes the process of detecting the safety detection result of a caller injected into an application program, and the detection process mainly includes: after the installation package of the Android application program has been converted into a java source code set by reverse-engineering technology, the callers with hijacking risk can be screened according to the preset component-call vulnerability rule file stored in the rule base, and the unverified call risk list with high hijacking risk is determined.
It should be noted here that the acquisition module 50, construction module 52 and detection module 54 provided in the above embodiment of the present application have the same application scenarios as method steps S20 to S26 provided in embodiment one, but are not limited to the examples provided by the method. The above modules can run, as part of the hardware, on the mobile terminal shown in Fig. 1.
In the device embodiment provided by the present application, the feature data may include any one or more of the following features: the implicit-call feature of the caller, the broadcast type, the send-broadcast flag and the explicit-call feature of the caller. As shown in Fig. 6, the construction module 52 may include any one or more of the following extraction modules: a first extraction module 521, a second extraction module 523 and a third extraction module 525.
The first extraction module 521 is used to extract, from the source code file of the application program, source code that contains the implicit-call feature, obtaining the callers with hijacking risk.
The second extraction module 523 is used to extract, from the source code file of the application program, source code that contains the broadcast type, the send-broadcast flag and the implicit-call feature of the caller, obtaining the callers with hijacking risk.
The third extraction module 525 is used to extract, from the source code file of the application program, source code that does not contain the explicit-call feature, obtaining the callers with hijacking risk.
It should be noted here that the extraction modules provided in the above embodiment of the present application have the same application scenarios as the three modes of obtaining the call risk list provided in embodiment one, but are not limited to the examples provided by the method. The above modules can run, as part of the hardware, on the mobile terminal shown in Fig. 1.
Preferably, as shown in Fig. 7, in an alternative embodiment provided by the present application, the detection module 54 may include: a first simulation module 541a, a first injection module 543a, a first sending module 545a, a first determining module 547a and a second determining module 549a.
Here, the first simulation module 541a is used to simulate the caller in the call risk list through the call detection module, obtaining the calling test program corresponding to the caller; the first injection module 543a is used to pass the calling test program to the application program; the first sending module 545a is used to send a call request to the application program according to the calling test program; the first determining module 547a is used, if the application program successfully returns a call result or the returned call result is not empty, to set the safety detection result to the caller having a hijacking vulnerability; and the second determining module 549a is used, if the application program does not return a call result or the returned call result is empty, to set the safety detection result to the caller having no hijacking vulnerability.
It should be noted here that the first simulation module 541a, first injection module 543a, first sending module 545a, first determining module 547a and second determining module 549a provided in the above embodiment of the present application have the same application scenarios as method steps S241 to S249 provided in embodiment one, but are not limited to the examples provided by the method. The above modules can run, as part of the hardware, on the mobile terminal shown in Fig. 1.
Preferably, as shown in Fig. 8, in another alternative embodiment provided by the present application, the detection module 54 includes: a sub-extraction module 541b, a second registration module 543b, a second simulation module 545b, a second sending module 547b, a first sub-acquisition module 549b, a third determining module 551b and a fourth determining module 553b.
Here, the sub-extraction module 541b is used to extract the broadcast name of the caller in the call risk list through the call detection module; the second registration module 543b is used to register the corresponding broadcast receiver in the application program according to the broadcast name; the second simulation module 545b is used to simulate the caller in the call risk list, obtaining the test broadcast corresponding to the caller; the second sending module 547b is used to send the test broadcast containing the calling test program to the corresponding broadcast receiver in the application program; the first sub-acquisition module 549b is used to obtain the call result returned by the calling test program contained in the test broadcast; the third determining module 551b is used, if the broadcast receiver successfully returns a call result or the returned call result is not empty, to set the safety detection result to the caller having a hijacking vulnerability; and the fourth determining module 553b is used, if the broadcast receiver does not return a call result or the returned call result is empty, to set the safety detection result to the caller having no hijacking vulnerability.
It should be noted here that the sub-extraction module 541b, second registration module 543b, second simulation module 545b, second sending module 547b, first sub-acquisition module 549b, third determining module 551b and fourth determining module 553b provided in the above embodiment of the present application have the same application scenarios as method steps S261 to S267 provided in embodiment one, but are not limited to the examples provided by the method. The above modules can run, as part of the hardware, on the mobile terminal shown in Fig. 1.
Preferably, the second simulation module 545b may include: a second sub-acquisition module 5451 and a generation module 5453.
Here, the second sub-acquisition module 5451 is used to obtain the component name and component feature of each caller in the call risk list; the generation module 5453 is used to construct the broadcast corresponding to the caller from the component name and component feature, generating the test broadcast.
It should be noted here that the second sub-acquisition module 5451 and generation module 5453 provided in the above embodiment of the present application have the same application scenarios as method steps S2631 to S2633 provided in embodiment one, but are not limited to the examples provided by the method. The above modules can run, as part of the hardware, on the mobile terminal shown in Fig. 1.
Preferably, as shown in Fig. 9, in the above embodiment provided by the present application, the acquisition module 50 includes: a reading module 501, a decompression module 503 and a decompilation module 505.
Here, the reading module 501 is used to read the installation file of the application program; the decompression module 503 is used to decompress the installation file of the application program, obtaining the class file set; and the decompilation module 505 is used to decompile the class file set using reverse-engineering technology, generating the source code file of the application program.
It should be noted here that the reading module 501, decompression module 503 and decompilation module 505 provided in the above embodiment of the present application have the same application scenarios as method steps S201 to S205 provided in embodiment one, but are not limited to the examples provided by the method. The above modules can run, as part of the hardware, on the mobile terminal shown in Fig. 1.
Embodiment 3
An embodiment of the present invention can provide a mobile terminal, which can be any mobile terminal device in a group of mobile terminals. Optionally, in this embodiment, the above mobile terminal can also be replaced by another terminal device.
Optionally, in this embodiment, the above mobile terminal can be at least one of multiple network devices located in a computer network.
In this embodiment, the above mobile terminal can execute program code for the following steps of the detection method for component-call vulnerabilities: obtain the source code file and component-call vulnerability rule file of the application program; according to the feature data stored in the component-call vulnerability rule file, perform feature matching on the source code file of the application program, so as to extract the callers with hijacking risk and form the call risk list, where the component-call vulnerability rule file is used to store the feature data that determines that a caller has hijacking risk; automatically construct the call detection module based on the call risk list; and detect the callers in the call risk list based on the call detection module, obtaining the safety detection result of the caller.
Optionally, Figure 10 is a structural block diagram of a mobile terminal according to an embodiment of the present invention. As shown in Figure 10, the mobile terminal 10 may include: one or more processors 51 (only one is shown in the figure), a memory 53 and a transmitting device 55.
The memory 53 may be used to store software programs and modules, such as the program instructions/modules corresponding to the detection method and device for component call vulnerabilities in the embodiment of the present invention. The processor 51 runs the software programs and modules stored in the memory 53 to perform various functional applications and data processing, thereby implementing the above method of detecting vulnerability attacks on callers in the system. The memory 53 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples, the memory 53 may further include memory located remotely from the processor 51; such remote memory may be connected to the terminal A through a network. Examples of the above network include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network and combinations thereof.
The above transmission device 55 is used to receive or transmit data via a network. Specific examples of the above network may include wired networks and wireless networks. In one example, the transmission device 55 includes a network interface controller (NIC), which can be connected by cable to other network devices and a router so as to communicate with the Internet or a local area network. In another example, the transmission device 55 is a radio frequency (RF) module, which is used to communicate wirelessly with the Internet.
Specifically, the memory 53 is used to store information on preset action conditions and preset permitted users, and the application program.
The processor 51 can call, through the transmission device, the information and the application program stored in the memory 53 to execute the following steps: obtaining the source code file of the application program and the component call vulnerability rule file; performing feature matching on the source code file of the application program according to the feature data stored in the component call vulnerability rule file, so as to extract the callers that carry a hijacking risk and form a call risk list, where the component call vulnerability rule file is used to store the feature data that determines that a caller carries a hijacking risk; automatically constructing a call detection module based on the call risk list; and detecting the callers in the call risk list based on the call detection module to obtain the security detection result of the callers.
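The static matching step just described (feature data from a rule file matched against the decompiled source to build the call risk list; the same step is restated in embodiment 4 and in claims 1 and 2, where the three matching modes are spelled out) can be made concrete with a small scanner. The following is an added example written for this page, not code from the patent or its applicant. The rule-file format (a dict of regular expressions), the concrete shape of the four named features, and the decompiled Java fragment are all constructed assumptions; the page names the features but does not define their form.

```python
"""Static pass of the page's detection method: match a decompiled source
file against the feature data of a rule file and build the call risk list.
Added example for this page; the rule-file format, the regular expressions
and the source fragment are constructed, not taken from the patent."""
import re
from dataclasses import dataclass

# Constructed rule file.  The page names four features (implicit invocation,
# broadcast type, send-broadcast flag, explicit invocation) but not their
# concrete shape; these patterns are this example's assumption of how they
# appear in decompiled Android Java.
RULE_FILE = {
    # Intent built from an action string or action constant, or setAction()
    "implicit_invocation": r'new\s+Intent\(\s*("[\w.]+"|[\w.]*ACTION[\w.]*)\s*\)|\.setAction\(',
    # framework or app-defined broadcast action constants
    "broadcast_type": r'Intent\.ACTION_[A-Z_]+|\bACTION_[A-Z_]*BROADCAST\b',
    # the call that actually sends a broadcast
    "send_broadcast_flag": r'\bsend(Ordered)?Broadcast\(',
    # Intent bound to a concrete component: not resolvable by action name
    "explicit_invocation": r'\.setClass\(|\.setComponent\(|new\s+Intent\(\s*\w+\s*,\s*[\w.]+\.class\s*\)',
}

# Constructed decompiled fragment standing in for the application's source file.
SAMPLE_SOURCES = {
    "PayActivity.java": """\
// constructed decompiled fragment for this example, not from a real app
package com.example.demo;
public class PayActivity extends Activity {
    void explicitCall() {
        Intent i = new Intent(this, ConfirmActivity.class);
        startActivity(i);
    }
    void implicitCall() {
        Intent i = new Intent("com.example.demo.action.PAY");
        i.putExtra("amount", 100);
        startActivityForResult(i, 1);
    }
    void notify() {
        sendBroadcast(new Intent(Intent.ACTION_USER_PRESENT));
    }
}
""",
}


@dataclass
class RiskEntry:
    """One caller in the call risk list: where it is, what matched, which modes."""
    file: str
    line_no: int
    code: str
    features: list
    modes: list


def build_risk_list(source_files, rule_file=RULE_FILE):
    """Apply the page's three matching modes to every statement that builds
    or sends a component call and return the callers carrying a hijacking risk."""
    rules = {name: re.compile(pat) for name, pat in rule_file.items()}
    risk_list = []
    for fname, text in source_files.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            found = {name for name, rx in rules.items() if rx.search(line)}
            if not found and "new Intent(" not in line:
                continue  # not a statement that builds or sends a component call
            modes = []
            # mode 1: source containing the implicit invocation feature
            if "implicit_invocation" in found:
                modes.append("mode1")
            # mode 2: broadcast type + send-broadcast flag + implicit invocation
            if {"broadcast_type", "send_broadcast_flag", "implicit_invocation"} <= found:
                modes.append("mode2")
            # mode 3: a call statement that lacks the explicit invocation feature
            if "explicit_invocation" not in found:
                modes.append("mode3")
            if modes:
                risk_list.append(RiskEntry(fname, line_no, line.strip(), sorted(found), modes))
    return risk_list


if __name__ == "__main__":
    for entry in build_risk_list(SAMPLE_SOURCES):
        print(f"{entry.file}:{entry.line_no} {entry.modes} {entry.code}")
```

Matching is per statement, so a call whose component was bound on an earlier line is judged on the line that sends it; a real scanner would track the Intent variable across statements before trusting a mode-3 hit. In the sample only the explicit `new Intent(this, ConfirmActivity.class)` call is excluded from the list.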
Optionally, the above processor 51 may also execute program code for the following steps: simulating, by the call detection module, a caller in the call risk list to obtain a calling test program corresponding to the caller; passing the calling test program into the application program; and sending a call request to the application program according to the calling test program, where if the application program successfully returns a call result, or the returned call result is not empty, the security detection result is that the caller has a hijacking vulnerability; and if the application program does not return a call result, or the returned call result is empty, the security detection result is that the caller has no hijacking vulnerability.
Optionally, the above processor 51 may also execute program code for the following steps: extracting, by the call detection module, the broadcast name of a caller in the call risk list; registering a corresponding broadcast receiver in the application program according to the broadcast name; simulating the caller in the call risk list to obtain a test broadcast corresponding to the caller; sending the test broadcast containing the calling test program to the corresponding broadcast receiver in the application program; and extracting the call result returned by the calling test program contained in the test broadcast, where if the broadcast receiver successfully returns a call result, or the returned call result is not empty, the security detection result is that the caller has a hijacking vulnerability; and if the broadcast receiver does not return a call result, or the returned call result is empty, the security detection result is that the caller has no hijacking vulnerability.
Optionally, the above processor 51 may also execute program code for the following steps: obtaining the component name and component feature of each caller in the call risk list; and constructing the broadcast corresponding to the caller using the component name and the component feature to generate the test broadcast.
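The dynamic step described in the three passages above (simulating each caller in the call risk list, sending the test call or test broadcast built from the component name and component feature, reading the returned call result, and deciding from it; restated in embodiment 4 and claims 3 to 5) is shown below as an added example for this page, not the patent's own code. It uses the Android ActivityManager `am broadcast` command over adb as the constructed calling test program, builds it from the component name and component feature, and applies the page's decision rule. The risk entries, the package and component names, and the device output lines are constructed; reading a non-zero result code or non-empty result data as "the receiver returned a call result" is this example's assumption. The in-app registration of the broadcast receiver is not modelled here.

```python
"""Dynamic pass of the page's detection method: construct the test broadcast
for each caller in the call risk list from its component name and component
feature, send it, read the returned call result and apply the decision rule.
Added example for this page, not the patent's code: the risk entries,
package/component names and output lines are constructed, and the Android
`am broadcast` command is this example's choice of calling test program."""
import re
import shlex
import subprocess

# Constructed call risk list (what the static pass hands over): component
# name plus component feature, here the broadcast action the component handles.
RISK_LIST = [
    {"package": "com.example.demo", "component": ".PayReceiver",
     "action": "com.example.demo.action.PAY"},
    {"package": "com.example.demo", "component": ".SyncReceiver",
     "action": "com.example.demo.action.SYNC"},
    {"package": "com.example.demo", "component": ".NoReplyReceiver",
     "action": "com.example.demo.action.NOREPLY"},
]

# Constructed device output for the three test broadcasts, in the shape of the
# "Broadcast completed: result=<code>[, data="..."]" line am prints.  Assumption:
# a receiver that answered the outside caller set a non-zero code and/or data.
CANNED_OUTPUT = {
    "com.example.demo/.PayReceiver":
        "Broadcasting: Intent { act=com.example.demo.action.PAY }\n"
        'Broadcast completed: result=-1, data="order=42;status=ok"\n',
    "com.example.demo/.SyncReceiver":
        "Broadcasting: Intent { act=com.example.demo.action.SYNC }\n"
        "Broadcast completed: result=0\n",
    "com.example.demo/.NoReplyReceiver":
        "Broadcasting: Intent { act=com.example.demo.action.NOREPLY }\n",
}


def component_id(entry):
    return f"{entry['package']}/{entry['component']}"


def build_test_broadcast(entry):
    """Test broadcast constructed from the component name and component feature."""
    return ["adb", "shell", "am", "broadcast",
            "-a", entry["action"], "-n", component_id(entry)]


_RESULT_RX = re.compile(r'Broadcast completed: result=(-?\d+)(?:, data="(.*?)")?')


def parse_call_result(output):
    """Return None when no call result came back at all, otherwise the result
    code and data (data is "" when the receiver completed without setting any)."""
    m = _RESULT_RX.search(output)
    if m is None:
        return None
    return {"code": int(m.group(1)), "data": m.group(2) or ""}


def classify(result):
    """Decision rule from the page: a returned, non-empty call result means the
    caller has a hijack vulnerability; no result or an empty result means none."""
    if result is not None and (result["data"] or result["code"] != 0):
        return "hijack vulnerability"
    return "no hijack vulnerability"


def canned_runner(cmd):
    """Offline stand-in for a device: look up the constructed output by target."""
    return CANNED_OUTPUT.get(cmd[cmd.index("-n") + 1], "")


def adb_runner(cmd):
    """Send the command to a connected test device (needs adb on PATH)."""
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def detect(risk_list, runner=canned_runner):
    """Run the test broadcast for every caller and report the verdicts."""
    report = []
    for entry in risk_list:
        cmd = build_test_broadcast(entry)
        result = parse_call_result(runner(cmd))
        report.append({"target": component_id(entry),
                       "command": shlex.join(cmd),
                       "result": result,
                       "verdict": classify(result)})
    return report


if __name__ == "__main__":
    for row in detect(RISK_LIST):
        print(f"{row['target']:<32} {row['verdict']:<24} {row['command']}")
```

Run as-is to see the report for the canned output; pass `runner=adb_runner` to send the same commands to a connected test device running your own build. A receiver flagged here answers an intent from any app on the device; the usual remediation is to declare it `android:exported="false"` in the manifest or guard it with a signature-level permission, then re-run the check and confirm the verdict flips.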
Optionally, the above processor 51 may also execute program code for the following steps: reading the installation file of the application program; decompressing the installation file of the application program to obtain a set of class files; and decompiling the set of class files using a reverse-engineering technique to generate the source code file of the application program.
Those skilled in the art will appreciate that the structure shown in FIG. 10 is only illustrative; the terminal may also be a smartphone (such as an Android phone or an iOS phone), a tablet computer, a palmtop computer, a mobile Internet device (MID), a PAD or another terminal device. FIG. 10 does not limit the structure of the above electronic device. For example, the terminal 10 may also include more or fewer components than shown in FIG. 10 (such as a network interface or a display device), or have a configuration different from that shown in FIG. 10.
One of ordinary skill in the art will appreciate that all or part of the steps in the various methods of the above embodiments can be completed by a program instructing the hardware related to the terminal device. The program may be stored in a computer-readable storage medium, and the storage medium may include a flash disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
Embodiment 4
The embodiments of the present invention also provide a storage medium. Optionally, in this embodiment, the above storage medium may be used to store the program code executed by the vulnerability detection method for the application program provided in embodiment 1 above.
Optionally, in this embodiment, the above storage medium may be located in any one mobile terminal of a group of mobile terminals in a mobile Internet.
Optionally, in this embodiment, the storage medium is arranged to store program code for executing the following steps: obtaining the source code file of the application program and the component call vulnerability rule file; performing feature matching on the source code file of the application program according to the feature data stored in the component call vulnerability rule file, so as to extract the callers that carry a hijacking risk and form a call risk list, where the component call vulnerability rule file is used to store the feature data that determines that a caller carries a hijacking risk; automatically constructing a call detection module based on the call risk list; and detecting the callers in the call risk list based on the call detection module to obtain the security detection result of the callers.
Optionally, the storage medium is also configured to store program code for executing the following steps: simulating, by the call detection module, a caller in the call risk list to obtain a calling test program corresponding to the caller; passing the calling test program into the application program; and sending a call request to the application program according to the calling test program, where if the application program successfully returns a call result, or the returned call result is not empty, the security detection result is that the caller has a hijacking vulnerability; and if the application program does not return a call result, or the returned call result is empty, the security detection result is that the caller has no hijacking vulnerability.
Optionally, the storage medium is also configured to store program code for executing the following steps: extracting, by the call detection module, the broadcast name of a caller in the call risk list; registering a corresponding broadcast receiver in the application program according to the broadcast name; simulating the caller in the call risk list to obtain a test broadcast corresponding to the caller; sending the test broadcast containing the calling test program to the corresponding broadcast receiver in the application program; and extracting the call result returned by the calling test program contained in the test broadcast, where if the broadcast receiver successfully returns a call result, or the returned call result is not empty, the security detection result is that the caller has a hijacking vulnerability; and if the broadcast receiver does not return a call result, or the returned call result is empty, the security detection result is that the caller has no hijacking vulnerability.
Optionally, the storage medium is also configured to store program code for executing the following steps: obtaining the component name and component feature of each caller in the call risk list; and constructing the broadcast corresponding to the caller using the component name and the component feature to generate the test broadcast.
Optionally, the storage medium is also configured to store program code for executing the following steps: reading the installation file of the application program; decompressing the installation file of the application program to obtain a set of class files; and decompiling the set of class files using a reverse-engineering technique to generate the source code file of the application program.
Optionally, in this embodiment, the above storage medium may include, but is not limited to, various media that can store program code, such as a USB flash disk, read-only memory (ROM), random access memory (RAM), a removable hard disk, a magnetic disk or an optical disc.
Optionally, for specific examples in this embodiment, reference may be made to the examples described in embodiment 1 and embodiment 2 above; they are not repeated here.
The above embodiments of the present invention are described in this order for illustration only; the order does not indicate the relative merits of the embodiments.
If the integrated units in the above embodiments are implemented in the form of software functional units and sold or used as independent products, they may be stored in the computer-readable storage medium described above. Based on this understanding, the technical solution of the present invention, in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. That software product is stored in a storage medium and includes several instructions for causing one or more computer devices (which may be a personal computer, a server, a network device or the like) to execute all or part of the steps of the method described in each embodiment of the present invention.
In the above embodiments of the present invention, the description of each embodiment has its own emphasis; for any part not described in detail in one embodiment, reference may be made to the related description of the other embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed client may be implemented in other ways. The device embodiments described above are merely illustrative. For example, the division into units is only a division by logical function, and there may be other divisions in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, units or modules, and may be electrical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The above integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
The above is only a preferred embodiment of the present invention. It should be noted that those of ordinary skill in the art may make various improvements and modifications without departing from the principle of the present invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the present invention.
Claims (12)
1. A detection method for component call vulnerabilities, characterized by comprising:
obtaining a source code file of an application program and a component call vulnerability rule file;
performing feature matching on the source code file of the application program according to feature data stored in the component call vulnerability rule file, so as to extract callers that carry a hijacking risk and form a call risk list, wherein the component call vulnerability rule file is used to store the feature data that determines that a caller carries a hijacking risk;
automatically constructing a call detection module based on the call risk list; and
detecting the callers in the call risk list based on the call detection module to obtain a security detection result of the callers.
2. The method according to claim 1, characterized in that the feature data comprises any one or more of the following features: an implicit invocation feature of the caller, a broadcast type, a send-broadcast flag, and an explicit invocation feature of the caller; wherein the step of performing feature matching on the source code file of the application program according to the feature data stored in the component call vulnerability rule file, so as to extract callers that carry a hijacking risk and form the call risk list, comprises any one or more of the following implementations:
Mode one: extracting, from the source code file of the application program, source code that contains the implicit invocation feature, to obtain callers that carry a hijacking risk;
Mode two: extracting, from the source code file of the application program, source code that contains the broadcast type, the send-broadcast flag and the implicit invocation feature of the caller, to obtain callers that carry a hijacking risk;
Mode three: extracting, from the source code file of the application program, source code that does not contain the explicit invocation feature, to obtain callers that carry a hijacking risk.
3. The method according to claim 1 or 2, characterized in that the step of automatically constructing a call detection module based on the call risk list, and detecting the callers in the call risk list based on the call detection module to obtain the security detection result of the callers, comprises:
simulating, by the call detection module, a caller in the call risk list to obtain a calling test program corresponding to the caller;
passing the calling test program into the application program; and
sending a call request to the application program according to the calling test program,
wherein if the application program successfully returns a call result, or the returned call result is not empty, the security detection result is that the caller has a hijacking vulnerability; and if the application program does not return the call result, or the returned call result is empty, the security detection result is that the caller has no hijacking vulnerability.
4. The method according to claim 1 or 2, characterized in that the step of automatically constructing a call detection module based on the call risk list, and detecting the callers in the call risk list based on the call detection module to obtain the security detection result of the callers, comprises:
extracting, by the call detection module, a broadcast name of a caller in the call risk list;
registering a corresponding broadcast receiver in the application program according to the broadcast name;
simulating the caller in the call risk list to obtain a test broadcast corresponding to the caller;
sending the test broadcast containing a calling test program to the corresponding broadcast receiver in the application program; and
extracting the call result returned by the calling test program contained in the test broadcast,
wherein if the broadcast receiver successfully returns the call result, or the returned call result is not empty, the security detection result is that the caller has a hijacking vulnerability; and if the broadcast receiver does not return the call result, or the returned call result is empty, the security detection result is that the caller has no hijacking vulnerability.
5. The method according to claim 4, characterized in that the step of simulating the caller in the call risk list to obtain the test broadcast corresponding to the caller comprises:
obtaining a component name and a component feature of each caller in the call risk list; and
constructing the broadcast corresponding to the caller using the component name and the component feature, to generate the test broadcast.
6. The method according to claim 1, characterized in that the step of obtaining the source code file of the application program comprises:
reading an installation file of the application program;
decompressing the installation file of the application program to obtain a set of class files; and
decompiling the set of class files using a reverse-engineering technique to generate the source code file of the application program.
7. A detection device for component call vulnerabilities, characterized by comprising:
an acquisition module, for obtaining a source code file of an application program and a component call vulnerability rule file;
a construction module, for performing feature matching on the source code file of the application program according to feature data stored in the component call vulnerability rule file, so as to extract callers that carry a hijacking risk and form a call risk list, wherein the component call vulnerability rule file is used to store the feature data that determines that a caller carries a hijacking risk; and
a detection module, for automatically constructing a call detection module based on the call risk list, and detecting the callers in the call risk list based on the call detection module to obtain a security detection result of the callers.
8. The device according to claim 7, characterized in that the feature data comprises any one or more of the following features: an implicit invocation feature of the caller, a broadcast type, a send-broadcast flag, and an explicit invocation feature of the caller; wherein the construction module comprises any one or more of the following extraction modules:
a first extraction module, for extracting, from the source code file of the application program, source code that contains the implicit invocation feature, to obtain callers that carry a hijacking risk;
a second extraction module, for extracting, from the source code file of the application program, source code that contains the broadcast type, the send-broadcast flag and the implicit invocation feature of the caller, to obtain callers that carry a hijacking risk;
a third extraction module, for extracting, from the source code file of the application program, source code that does not contain the explicit invocation feature, to obtain callers that carry a hijacking risk.
9. The device according to claim 7 or 8, characterized in that the detection module comprises:
a first simulation module, for simulating, by the call detection module, a caller in the call risk list to obtain a calling test program corresponding to the caller;
an injection module, for passing the calling test program into the application program;
a first sending module, for sending a call request to the application program according to the calling test program;
a first determining module, for determining, if the application program successfully returns a call result or the returned call result is not empty, that the security detection result is that the caller has a hijacking vulnerability; and
a second determining module, for determining, if the application program does not return the call result or the returned call result is empty, that the security detection result is that the caller has no hijacking vulnerability.
10. The device according to claim 7 or 8, characterized in that the detection module comprises:
a sub-extraction module, for extracting, by the call detection module, a broadcast name of a caller in the call risk list;
a registration module, for registering a corresponding broadcast receiver in the application program according to the broadcast name;
a second simulation module, for simulating the caller in the call risk list to obtain a test broadcast corresponding to the caller;
a second sending module, for sending the test broadcast containing a calling test program to the corresponding broadcast receiver in the application program;
a first sub-acquisition module, for obtaining the call result returned by the calling test program contained in the test broadcast;
a third determining module, for determining, if the broadcast receiver successfully returns the call result or the returned call result is not empty, that the security detection result is that the caller has a hijacking vulnerability; and
a fourth determining module, for determining, if the broadcast receiver does not return the call result or the returned call result is empty, that the security detection result is that the caller has no hijacking vulnerability.
11. The device according to claim 10, characterized in that the second simulation module comprises:
a second sub-acquisition module, for obtaining a component name and a component feature of each caller in the call risk list; and
a generation module, for constructing the broadcast corresponding to the caller using the component name and the component feature, to generate the test broadcast.
12. The device according to claim 7, characterized in that the acquisition module comprises:
a reading module, for reading an installation file of the application program;
a decompression module, for decompressing the installation file of the application program to obtain a set of class files; and
a decompiling module, for decompiling the set of class files using a reverse-engineering technique to generate the source code file of the application program.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410290260.7A | 2014-06-24 | 2014-06-24 | The detection method and device of component call loophole |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105303112A | 2016-02-03 |
CN105303112B | 2018-11-06 |
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |