CN109598127B - Privacy risk assessment method and device - Google Patents


Publication number
CN109598127B
Authority
CN
China
Prior art keywords
privacy
application
version
evaluated
authority
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811497273.6A
Other languages
Chinese (zh)
Other versions
CN109598127A (en)
Inventor
贾志军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiments of the application disclose a privacy risk assessment method and a privacy risk assessment device. One embodiment of the method comprises the following steps: detecting the consistency of the privacy authority application condition and the privacy authority application notification condition of the version to be evaluated of an application, so as to obtain a privacy risk detection result of that version, wherein the privacy authority application notification condition indicates all privacy authorities applied for by the version to be evaluated that are notified to the user through the user privacy permission protocol of that version; and generating a privacy risk assessment result of the version to be evaluated based on its privacy risk detection result. The privacy risks of multiple versions of the application are detected, the security of those versions with respect to the user's privacy data is evaluated, and a privacy risk assessment result is obtained, so that the security of the multiple versions of the application with respect to the user's privacy data can be known.

Description

Privacy risk assessment method and device
Technical Field
The present application relates to the field of computers, and in particular, to the field of security, and more particularly, to a privacy risk assessment method and apparatus.
Background
An application with privacy risks, such as one that illegally acquires the user's privacy data, not only discloses that data but also causes a number of security problems. However, because there is currently no means of evaluating the security of an application with respect to the user's privacy data, that security cannot be known, for example by the user.
Disclosure of Invention
The embodiment of the application provides a privacy risk assessment method and device.
In a first aspect, an embodiment of the present application provides a privacy risk assessment method, including: detecting the consistency of the privacy authority application condition and the privacy authority application notification condition of a version to be evaluated of an application, and obtaining a privacy risk detection result of that version, wherein a privacy authority is an authority to acquire the privacy data of a user of the application, and the privacy authority application notification condition indicates all privacy authorities applied for by the version to be evaluated that are notified to the user through the user privacy permission protocol of that version; and generating a privacy risk assessment result of the version to be evaluated based on its privacy risk detection result.
In a second aspect, an embodiment of the present application provides a privacy risk assessment apparatus, including: a detection unit configured to detect the consistency of the privacy authority application condition and the privacy authority application notification condition of the version to be evaluated of the application, and obtain the privacy risk detection result of that version, wherein a privacy authority is an authority to acquire the privacy data of a user of the application, and the privacy authority application notification condition indicates all privacy authorities applied for by the version to be evaluated that are notified to the user through the user privacy permission protocol of that version; and an evaluation unit configured to generate a privacy risk assessment result of the version to be evaluated based on its privacy risk detection result.
According to the privacy risk assessment method and device, the consistency of the privacy authority application condition and the privacy authority application notification condition of the version to be evaluated of the application is detected, and the privacy risk detection result of that version is obtained, wherein a privacy authority is an authority to acquire the privacy data of a user of the application, and the privacy authority application notification condition indicates all privacy authorities applied for by the version to be evaluated that are notified to the user through the user privacy permission protocol of that version; and a privacy risk assessment result of the version to be evaluated is generated based on its privacy risk detection result. The method and the device detect the privacy risks of multiple versions of the application, evaluate the security of those versions with respect to the user's privacy data, and obtain a privacy risk assessment result, so that the security of the multiple versions of the application with respect to the user's privacy data can be known.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the detailed description of non-limiting embodiments, made with reference to the following drawings, in which:
FIG. 1 illustrates an exemplary system architecture suitable for use in implementing embodiments of the present application;
FIG. 2 illustrates a flow chart of one embodiment of a privacy risk assessment method according to the present application;
FIG. 3 illustrates a flow chart of another embodiment of a privacy risk assessment method according to the present application;
FIG. 4 illustrates a schematic diagram of the architecture of one embodiment of a privacy risk assessment apparatus according to the present application;
FIG. 5 is a schematic diagram of a computer system suitable for use in implementing embodiments of the present application.
Detailed Description
The present application is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be noted that, for convenience of description, only the portions related to the present invention are shown in the drawings.
It should be noted that, in the case of no conflict, the embodiments and features in the embodiments may be combined with each other. The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
FIG. 1 illustrates an exemplary system architecture suitable for use in implementing embodiments of the present application.
As shown in fig. 1, the system architecture may include a terminal 101, a network 102, and a server 103. The network 102 may be a wired network or a wireless network.
The terminal 101 may be a smart device, a smart phone, a tablet computer, or a vehicle terminal. Monitoring code may run on the terminal 101. The monitoring code is configured to monitor the operations associated with obtaining privacy data that are performed by the code of the version of the application to be evaluated while it is loaded and run on the terminal 101, and to monitor the operations associated with obtaining privacy data that are performed while the plug-ins associated with the version to be evaluated are loaded and run. The monitoring code may be used to determine the privacy permissions available to the version of the application to be evaluated and the privacy permissions available to the plug-ins associated with that version. A plug-in associated with the version of the application to be evaluated may be referred to as an SDK (Software Development Kit) associated with that version. The SDK associated with the version to be evaluated may be an SDK provided by the provider of the application or an SDK provided by a third party other than the provider of the application.
The terminal 101 may send to the server 103 the privacy rights it has determined to be usable by the version of the application to be evaluated and the privacy rights usable by the SDK associated with that version, so that the server 103 can determine both.
The server 103 may obtain, from a server storing installation packages of the respective versions of the application, data related to evaluating the privacy risk of the version to be evaluated, such as the installation package of that version and its user privacy permission protocol. The server 103 may analyze this data to obtain information related to evaluating privacy risk, such as all privacy rights applied for by the version of the application to be evaluated.
The server 103 may detect whether a privacy risk condition exists in the version of the application to be evaluated according to the privacy rights available to that version, the privacy rights available to the SDK associated with that version, and the information related to evaluating privacy risk, and obtain a privacy risk assessment result of the version to be evaluated. The server 103 may provide the privacy risk assessment result of the version to be evaluated to the user of the application. The server 103 may also provide the privacy risk assessment result to relevant personnel, such as security engineers.
It should be understood that the numbers of terminals 101 and servers 103 are exemplary. In the application, privacy risk assessment can be performed on any version of any application to be evaluated, a privacy risk assessment result is obtained, and the result is provided to relevant personnel such as security engineers, so that they can know the security of the version of the application to be evaluated with respect to the user's privacy data.
Referring to fig. 2, a flow of one embodiment of a privacy risk assessment method according to the present application is shown. The method comprises the following steps:
Step 201, detecting consistency of privacy authority application condition and privacy authority application notification condition of the version of the application to be evaluated.
In this embodiment, the privacy right is a right to acquire private data of a user of an application. Each privacy right may correspond to a respective privacy data type.
For example, the privacy data types of the privacy data of the user of the application include the user's contact information, telephone number, short message/multimedia message information and the like; the privacy authorities correspondingly include the authority to acquire the user's contact information, the authority to acquire the telephone number, the authority to acquire short message/multimedia message information, and the like.
In this embodiment, the version of the application to be evaluated does not refer to one particular version; any version of the application whose privacy risk needs to be evaluated may be referred to as the version to be evaluated.
In this embodiment, it may be detected whether the version of the application to be evaluated has a privacy risk condition that the privacy authority application condition and the privacy authority application notification condition are inconsistent.
In this embodiment, a file recording the version of the application to be evaluated may be analyzed to obtain all privacy rights applied for by that version, thereby determining the privacy authority application condition of the application.
For example, the application is an APP running on an Android operating system, and the Android management file of the version of the APP to be evaluated can be analyzed to obtain all privacy rights applied for by that version, and thus the privacy authority application condition of the APP.
In the present embodiment, the privacy authority application notification condition of the version of the application to be evaluated describes what the user knows about the privacy rights applied for by that version. When the content of the user privacy permission protocol of the version to be evaluated is detected to contain content indicating that the version applies for a privacy authority, it can be determined that the user can be informed, through the user privacy permission protocol of that version, that the version applies for the privacy authority.
In other words, when it is detected that the content of the user privacy permission protocol of the version of the application to be evaluated contains content indicating that the version applies for a privacy right, it may be determined that, when the content of the user privacy permission protocol is presented to the user, the user can learn from that content that the version to be evaluated applies for the privacy right.
In this embodiment, the content of the user privacy permission protocol of the version of the application to be evaluated may be analyzed to determine all privacy permissions applied for by that version that are notified to the user through the user privacy permission protocol, so that the privacy authority application notification condition is determined.
For example, for an APP running on an Android operating system, the content of a user privacy permission protocol of a version of the APP that needs to be evaluated may be analyzed to determine all privacy permissions of the version of the APP that needs to be evaluated that may be notified to a user of the APP by the user privacy permission protocol of the version of the APP that needs to be evaluated, thereby determining a privacy permission application notification of the APP.
In this embodiment, in order to analyze the content of the user privacy permission protocol of the version of the application to be evaluated and determine the privacy authority application notification condition, a plurality of privacy authority association statement templates may be constructed in advance. A privacy authority association statement template contains a plurality of keywords associated with applying for a privacy authority. Each privacy authority association statement template may correspond to one privacy right. When the content of the user privacy permission protocol of the version to be evaluated is analyzed and one statement in that content matches a privacy authority association statement template, it can be determined that the user privacy permission protocol of the version to be evaluated informs the user that the version applies for the privacy authority corresponding to that template.
In the present embodiment, after obtaining the privacy authority application condition and the privacy authority application notification condition of the version of the application to be evaluated, the consistency of the privacy authority application condition and the privacy authority application notification condition of the version of the application to be evaluated can be detected. Whether the privacy authority application condition and the privacy authority application informing condition of the application exist in the version of the application to be evaluated
The consistency of the privacy authority application condition and the privacy authority application notification condition of the version of the application to be evaluated may be determined by detecting whether either of the following cases exists for that version: a privacy authority applied for by the version to be evaluated is not notified to the user through the user privacy permission protocol of that version; or at least one privacy authority that the user is notified of through the user privacy permission protocol of the version to be evaluated is not applied for by that version. When either of the above cases is detected for the version to be evaluated, it may be determined that the privacy authority application condition and the privacy authority application notification condition of that version are inconsistent.
For example, for an APP running on an Android operating system, the version of the APP to be evaluated applies for a privacy right, but the user privacy permission protocol of that version does not include content indicating that the version applies for the privacy right. During installation of the version to be evaluated, the user privacy permission protocol is presented to the user; when browsing it, the user cannot learn that the version to be evaluated applies for the privacy right. In this case it can be determined that the privacy authority application condition and the privacy authority application notification condition of the version of the APP to be evaluated are inconsistent.
For another example, the user privacy permission protocol of the version of the APP to be evaluated includes content indicating that the version applies for a privacy permission, but the version does not apply for that permission. In this case it may also be determined that the privacy authority application condition and the privacy authority application notification condition of the version to be evaluated are inconsistent.
In this embodiment, after detecting the consistency of the privacy authority application condition and the privacy authority application notification condition of the version of the application to be evaluated, a privacy risk detection result may be obtained. The privacy risk detection result is one of the following: the privacy authority application condition of the version to be evaluated is consistent with the privacy authority application notification condition; or the privacy authority application condition of the version to be evaluated is inconsistent with the privacy authority application notification condition.
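The consistency check of step 201, as an added example that is not part of the patent text. It assumes the "Android management file" is a decoded `AndroidManifest.xml`, that each statement template is a pair of keyword groups, and that statements containing a negation are not notifications; the permission selection, keywords, manifest and agreement text are all constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"

# Assumed privacy permissions and their statement templates. Each template is
# (action keywords, data keywords); a statement matches when it contains at
# least one keyword from each group. All keywords are constructed examples.
TEMPLATES = {
    "android.permission.READ_CONTACTS": (
        ("collect", "access", "read"), ("contacts", "address book")),
    "android.permission.READ_PHONE_NUMBERS": (
        ("collect", "access", "read"), ("phone number", "telephone number")),
    "android.permission.READ_SMS": (
        ("collect", "access", "read"), ("sms", "mms", "text messages")),
    "android.permission.ACCESS_FINE_LOCATION": (
        ("collect", "access", "use"), ("location",)),
}
# A statement that denies collection must not count as a notification.
NEGATION = re.compile(r"\b(?:do not|does not|will not|never)\b")


def contains_any(keywords, statement):
    """True if any keyword occurs in the statement as a whole word or phrase."""
    return any(re.search(rf"\b{re.escape(k)}\b", statement) for k in keywords)


def requested_privacy_permissions(manifest_xml):
    """Application condition: privacy permissions the version applies for."""
    root = ET.fromstring(manifest_xml.strip())
    declared = {
        node.get(ANDROID_NAME)
        for tag in ("uses-permission", "uses-permission-sdk-23")
        for node in root.iter(tag)
    }
    return declared & set(TEMPLATES)


def notified_privacy_permissions(agreement_text):
    """Notification condition: privacy permissions the agreement tells the user about."""
    notified = set()
    for statement in re.split(r"(?<=[.!?;])\s+", agreement_text.lower()):
        if NEGATION.search(statement):
            continue
        for permission, (actions, data_terms) in TEMPLATES.items():
            if contains_any(actions, statement) and contains_any(data_terms, statement):
                notified.add(permission)
    return notified


def detect_inconsistency(manifest_xml, agreement_text):
    """Report both inconsistency cases described for step 201."""
    requested = requested_privacy_permissions(manifest_xml)
    notified = notified_privacy_permissions(agreement_text)
    return {
        "consistent": requested == notified,
        "requested_not_notified": sorted(requested - notified),
        "notified_not_requested": sorted(notified - requested),
    }


# Constructed sample input for the version to be evaluated.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>
"""
SAMPLE_AGREEMENT = (
    "We collect your contacts to help you find friends. "
    "We may access your precise location to show nearby stores. "
    "We do not read your SMS messages."
)

if __name__ == "__main__":
    print(detect_inconsistency(SAMPLE_MANIFEST, SAMPLE_AGREEMENT))
```

On the sample, `READ_SMS` is requested but never notified, and location access is notified but never requested, so both cases are reported.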
Step 202, generating a privacy risk assessment result of the version of the application to be assessed, and providing the privacy risk assessment result of the version of the application to be assessed to a user of the application.
In this embodiment, after obtaining the privacy risk detection result of the version of the application to be evaluated, the privacy risk assessment result of that version may be generated. The privacy risk assessment result of the version to be evaluated includes indication information indicating whether the privacy authority requirement condition of the version to be evaluated is consistent with the privacy authority application condition.
For example, for an APP running on an Android operating system, after the privacy risk assessment result for the version of the APP to be evaluated is generated, it may be provided to a user using that version. The privacy risk assessment result of the version of the APP to be evaluated includes indication information indicating whether the privacy authority requirement condition of that version is consistent with the privacy authority application condition.
In this embodiment, any case where the privacy authority application condition and the privacy authority application notification condition of the version to be evaluated of the application are inconsistent may be referred to as a privacy risk condition. When the privacy risk condition is detected, the privacy risk assessment result may further include information describing the detected privacy risk condition.
Referring to fig. 3, a flow chart of another embodiment of a privacy risk assessment method according to the present application is shown. The method comprises the following steps:
Step 301, detecting consistency of privacy authority application condition and privacy authority application notification condition of the version to be evaluated of the application based on the matching result of the evaluation association information.
In this embodiment, when detecting consistency of the privacy authority application condition and the privacy authority application notification condition of the version of the application to be evaluated, it may be detected whether the privacy risk condition that the privacy authority application condition and the privacy authority application notification condition are inconsistent exists in the version of the application to be evaluated.
In this embodiment, the file recording the version of the application to be evaluated may be analyzed to obtain all privacy rights applied for by that version.
For example, the application is an APP running on an Android operating system, and the Android management file of the version of the APP to be evaluated can be analyzed to obtain all privacy rights applied for by that version.
In this embodiment, in order to analyze the content of the user privacy permission protocol of the version of the application to be evaluated and determine the privacy authority application notification condition, the content of the user privacy permission protocols of a plurality of different applications may be obtained in advance. For an application, the content of the user privacy permission protocols of multiple different versions of the application may further be acquired. For the acquired content of the user privacy permission protocol of each version of each application, the privacy association statements associated with privacy permissions in that content may be determined. For example, statements associated with privacy rights in the content of a user privacy permission protocol may be annotated by a network security engineer. After determining the privacy association statements associated with privacy rights in the content of the user privacy permission protocol of each version of each application, the privacy association statements associated with the same privacy right may be aggregated to obtain a plurality of privacy association statement sets. Each privacy association statement set contains the privacy association statements associated with the same privacy right. For each privacy association statement set, keywords may further be extracted from its statements to obtain a keyword set, and a correspondence between the privacy association statement set and the keyword set is established.
In this embodiment, when analyzing the content of the user privacy permission protocol of the version of the application to be evaluated and determining the privacy authority application notification condition, the statements associated with privacy permissions in the user privacy permission protocol may be determined according to the pre-established privacy association statement sets and their corresponding keyword sets, so as to determine the privacy permissions applied for by the version to be evaluated that are notified to the user by the user privacy permission protocol of that version.
In this embodiment, when detecting whether a privacy authority application condition and a privacy authority application notification condition of a version of an application to be evaluated are inconsistent, it may be determined whether the privacy authority application condition and the privacy authority application notification condition are inconsistent based on a matching result of evaluation association information of the version of the application to be evaluated and evaluation association information of a previous version of the application to be evaluated.
In this embodiment, any version before the version of the application that needs to be evaluated may be referred to as a previous version to the version of the application that needs to be evaluated.
In this embodiment, the evaluation association information includes: privacy rights application information indicating all privacy rights applied for, and the content of the user privacy license agreement. The privacy rights application information of the version of the application to be evaluated indicates all privacy rights applied for by that version. The privacy rights application information of the previous version of the version to be evaluated indicates all privacy rights applied for by the previous version. It can be judged separately whether the privacy rights application information of the version to be evaluated matches the privacy rights application information of the previous version, and whether the content of the user privacy license protocol of the version to be evaluated matches the content of the user privacy license protocol of the previous version.
In this embodiment, the privacy rights application information of the version of the application to be evaluated may be a privacy rights application list including identifiers of all privacy rights applied for by that version. When judging whether the privacy rights application information of the version to be evaluated matches that of the previous version, the privacy rights application list of the version to be evaluated can be compared with the privacy rights application list of the previous version. The privacy rights application list of the version to be evaluated includes all privacy rights applied for by that version, and the privacy rights application list of the previous version includes all privacy rights applied for by the previous version. When the two lists are the same list, it may be determined that the privacy rights application information of the version to be evaluated matches that of the previous version; otherwise, it may be determined that the privacy rights application information of the version to be evaluated does not match that of the previous version.
In this embodiment, when it is determined whether the content of the user privacy license agreement of the version to be evaluated of the application matches the content of the user privacy license agreement of the previous version of the version to be evaluated of the application, the content of the user privacy license agreement of the version to be evaluated of the application may be compared with the content of the user privacy license agreement of the previous version of the version to be evaluated of the application, and when the content of the user privacy license agreement of the version to be evaluated of the application matches the content of the user privacy license agreement of the previous version of the version to be evaluated of the application, it may be determined that the content of the user privacy license agreement of the version to be evaluated of the application matches the content of the user privacy license agreement of the previous version of the version to be evaluated of the application.
In this embodiment, when a part of the content in the user privacy license agreement of the version requiring evaluation of the application or the user privacy license agreement of the previous version of the version requiring evaluation of the application does not have the content matching the part of the content in the user privacy license agreement of the other version, for example, the content having a semantic similarity with the part of the content, it may be determined that the content of the user privacy license agreement of the version requiring evaluation of the application does not match the content of the user privacy license agreement of the previous version of the version requiring evaluation of the application.
In this embodiment, when the matching result is that the privacy application information of the version to be evaluated of the application matches the privacy application information of the previous version and the content of the privacy license protocol of the version to be evaluated of the application matches the content of the privacy license protocol of the previous version, the evaluation result of the previous version of the version to be evaluated can be directly used as the evaluation result of the version to be evaluated, thereby detecting whether there is a case where the privacy application condition of the application is inconsistent with the privacy application notification condition.
In this embodiment, after obtaining a matching result of the evaluation association information of the version to be evaluated of the application and the evaluation association information of the previous version of the version to be evaluated of the application, when the matching result is that the privacy rights application information of the version to be evaluated of the application and the privacy rights application information of the previous version of the version to be evaluated of the application are not matched and the content of the privacy permissions protocol of the version to be evaluated of the application and the content of the privacy permissions protocol of the previous version of the version to be evaluated of the application are matched, it may be determined that the privacy rights application condition of the version to be evaluated of the application and the privacy rights application notification condition of the version to be evaluated of the application are not consistent, thereby detecting that the version to be evaluated of the application has a privacy rights application condition and a privacy rights application notification condition that are not consistent.
For example, the application is an APP running on the Android operating system, and the version of the APP to be evaluated is its latest version. The previous version of the version to be evaluated is the version immediately preceding the latest version. Compared with the previous version, the latest version of the APP adds a new function, and the new function requires privacy rights beyond all the privacy rights applied for by the previous version. Meanwhile, the latest version of the APP still uses the user privacy permission protocol of the previous version, and that protocol contains no content indicating that the latest version applies for the privacy rights required by the new function beyond all the privacy rights applied for by the previous version. The Android management file of the latest version of the APP and the Android management file of the previous version can be analyzed to determine all privacy rights applied for by the latest version and all privacy rights applied for by the previous version. It can then be determined that the privacy rights application information of the latest version does not match the privacy rights application information of the previous version, while the content of the user privacy permission protocol of the latest version matches the content of the user privacy permission protocol of the previous version. At this point it can be determined that the privacy rights application condition of the version of the APP to be evaluated is inconsistent with the privacy rights application notification condition of that version, so the privacy risk that the two conditions are inconsistent can be detected.
Step 302, generating a privacy risk assessment result of a version of the application to be assessed.
In this embodiment, after obtaining the privacy risk detection result of the version of the application that needs to be evaluated, the privacy risk evaluation result of the version of the application that needs to be evaluated may be generated. The privacy risk assessment result of the version of the application to be assessed includes: indication information indicating whether the privacy authority requirement condition of the version of the application to be evaluated is consistent with the privacy authority application condition.
Step 303, in response to detecting that the evaluation association information changes, generating an updated privacy risk evaluation result of the version of the application that needs to be evaluated based on the change condition.
In this embodiment, changes to the evaluation association information of the version of the application to be evaluated may be tracked, and when a change is detected, an updated privacy risk evaluation result of the version to be evaluated may be generated based on the change condition of the evaluation association information. The change condition of the evaluation association information may be one of the following: the privacy rights application information changes and the content of the user privacy permission protocol does not change; or the privacy rights application information and the user privacy permission protocol both change.
In this embodiment, evaluating the association information includes: privacy rights application information indicating all privacy rights applied, and contents of a user privacy license agreement.
In this embodiment, when any item of the evaluation association information of the version of the application that needs to be evaluated changes, the evaluation association information of that version is considered to have changed. In other words, when any item of the evaluation association information of the version to be evaluated changes, the consistency of the privacy authority application condition and the privacy authority application notification condition of the version to be evaluated needs to be detected again, so as to obtain a new privacy risk evaluation result, which may be referred to as an updated privacy risk evaluation result.
In this embodiment, when the privacy permission application information of the version to be evaluated of the application changes and the content of the privacy permission protocol of the version to be evaluated of the application does not change, the version to be evaluated of the application can be evaluated based on the privacy risk evaluation result of the current version to be evaluated of the application, so as to obtain the updated privacy risk evaluation result of the version to be evaluated of the application. The updated privacy risk assessment results of the version of the application that needs to be assessed may be provided to all users using the version of the application that needs to be assessed.
If the privacy risk assessment result of the current version of the application to be assessed is that there is no inconsistency between the privacy rights application condition and the privacy rights application notification condition of that version, then, because the privacy rights application information of the version has changed while the content of its privacy license agreement has not, it can be determined after the change that the privacy rights application condition and the privacy rights application notification condition of the version to be assessed are inconsistent, and the updated privacy risk assessment result includes: indication information indicating that the privacy authority application condition and the privacy authority application notification condition of the version of the application to be evaluated are inconsistent.
If the privacy risk assessment result of the current version of the application to be assessed is that the privacy authority application condition and the privacy authority application notification condition of that version are inconsistent, both conditions can be determined again. Based on the re-determined privacy authority application condition and privacy authority application notification condition, it is detected whether the two are inconsistent after the privacy authority application information of the version to be assessed has changed, and the updated privacy risk assessment result of the version to be assessed is obtained.
In this embodiment, when the privacy rights application information of the version of the application to be evaluated changes and the content of the privacy license agreement of that version also changes, the privacy rights application condition and the privacy rights application notification condition of the version to be evaluated may be determined again. Based on the re-determined conditions, it is detected whether the privacy rights application condition and the privacy rights application notification condition of the version to be evaluated are inconsistent after the change, and an updated privacy risk evaluation result of the version to be evaluated is obtained.
Referring to fig. 4, as an implementation of the method shown in the foregoing figures, the present application provides an embodiment of an apparatus, which corresponds to the method embodiment shown in fig. 2. For the specific implementation of the operations that the units of the apparatus are configured to perform, refer to the specific implementation of the corresponding operations described in the method embodiments.
As shown in fig. 4, the privacy risk assessment apparatus of the present embodiment includes: a detection unit 401 and an evaluation unit 402. The detection unit 401 is configured to detect the consistency of the privacy authority application condition and the privacy authority application notification condition of a version of an application to be evaluated, so as to obtain a privacy risk detection result of the version to be evaluated, wherein the privacy authority is an authority for acquiring privacy data of a user of the application, and the privacy authority application notification condition indicates all privacy authorities, applied for by the version of the application to be evaluated, of which the user is notified through the user privacy permission protocol of that version; the evaluation unit 402 is configured to generate a privacy risk evaluation result of the version of the application requiring evaluation based on the privacy risk detection result of the version of the application requiring evaluation.
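The matching and update decisions described in the method embodiment, as an added Python example that is not code from the patent. It assumes the "Android management file" is the app's AndroidManifest.xml, uses a constructed keyword table in place of the clustered keyword sets, and swaps the semantic-similarity comparison for a normalised exact comparison; all function names and sample data are hypothetical.

```python
import hashlib
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: stand-in for the keyword sets the text derives by clustering
# agreement sentences per permission. These keywords are constructed.
KEYWORDS = {
    "android.permission.READ_CONTACTS": {"contacts", "address book"},
    "android.permission.ACCESS_FINE_LOCATION": {"location", "gps"},
    "android.permission.CAMERA": {"camera"},
    "android.permission.RECORD_AUDIO": {"microphone"},
}

@dataclass(frozen=True)
class Version:
    manifest_xml: str  # assumed: AndroidManifest.xml text of this version
    policy_text: str   # content of its user privacy license agreement

def requested(version):
    """Privacy permissions this version applies for."""
    root = ET.fromstring(version.manifest_xml)
    names = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    return names & set(KEYWORDS)

def notified(version):
    """Privacy permissions the agreement tells the user about."""
    text = version.policy_text.lower()
    return {p for p, kws in KEYWORDS.items() if any(k in text for k in kws)}

def fingerprint(text):
    """Normalised digest; exact matching replaces the semantic-similarity
    comparison the text mentions, so any rewording counts as a change."""
    normalised = re.sub(r"\s+", " ", text).strip().lower()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()

def detect(version):
    """Full detection: the requested set must equal the notified set."""
    req, note = requested(version), notified(version)
    return {"consistent": req == note,
            "not_notified": sorted(req - note),
            "notified_not_requested": sorted(note - req),
            "basis": "full detection"}

def assess(previous, current, previous_result):
    """Reuse, shortcut or redo detection depending on which item changed."""
    prev_req, cur_req = requested(previous), requested(current)
    perms_match = prev_req == cur_req
    policy_match = (fingerprint(previous.policy_text)
                    == fingerprint(current.policy_text))
    if perms_match and policy_match:
        return dict(previous_result, basis="reused previous result")
    if policy_match and previous_result["consistent"]:
        # The unchanged agreement described the old list exactly, so it
        # cannot describe the new one: no need to re-parse the agreement.
        return {"consistent": False,
                "not_notified": sorted(cur_req - prev_req),
                "notified_not_requested": sorted(prev_req - cur_req),
                "basis": "permission list changed, agreement unchanged"}
    return detect(current)

def manifest(*permissions):
    """Build a constructed manifest that requests the given permissions."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in permissions)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
            f' package="com.example.demo">{uses}</manifest>')

# Constructed sample data.
POLICY_V1 = "We use your location to show nearby stores."
POLICY_V2 = POLICY_V1 + " We read your contacts so you can find friends."
LOCATION = "android.permission.ACCESS_FINE_LOCATION"
CONTACTS = "android.permission.READ_CONTACTS"
V1 = Version(manifest("android.permission.INTERNET", LOCATION), POLICY_V1)
V2_SILENT = Version(manifest(LOCATION, CONTACTS),
                    "We use  your LOCATION to show nearby stores.\n")
V2_DISCLOSED = Version(manifest(LOCATION, CONTACTS), POLICY_V2)

if __name__ == "__main__":
    baseline = detect(V1)
    for label, v in (("silent", V2_SILENT), ("disclosed", V2_DISCLOSED)):
        print(label, assess(V1, v, baseline))
```

The shortcut branch is only sound because the earlier result was "consistent"; when the earlier result was already inconsistent, the example falls back to full detection, as the update step describes.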
In some optional implementations of the present embodiment, the privacy risk assessment apparatus further includes: an updating unit configured to generate an updated privacy risk assessment result of the version of the application requiring assessment, in response to detecting that the assessment association information of the version of the application requiring assessment changes, based on the change condition of the assessment association information, wherein the assessment association information includes: privacy rights application information indicating all the applied privacy rights, content of a user privacy license agreement, and the change condition of the evaluation associated information is determined based on the changed items in the evaluation associated information.
In some optional implementations of the present embodiment, the detection unit is further configured to:
detect the consistency of the privacy authority application condition and the privacy authority application notification condition of the version of the application requiring evaluation based on a matching result between the evaluation association information of that version and the evaluation association information of its previous version, wherein the matching result is generated by matching an item in the evaluation association information of the version requiring evaluation with the corresponding item in the evaluation association information of the previous version.
In some optional implementations of this embodiment, the matching result is that the privacy rights application information does not match and the content of the user privacy permission protocol matches, and the detection unit is further configured to: when the privacy authority application condition and the privacy authority application notification condition of the prior version are not consistent, determine that the privacy authority application condition and the privacy authority application notification condition of the version of the application to be evaluated are inconsistent.
In some optional implementations of the present embodiment, the privacy risk assessment apparatus further includes: a collection unit configured to: acquire user privacy permission agreements of a plurality of applications; for the user privacy permission protocol of each application, perform semantic analysis on the content of the user privacy permission protocol and determine the privacy permission associated sentences that are associated with privacy permissions; and, based on the associated privacy authorities, cluster all privacy authority associated sentences to obtain a plurality of clustering results, wherein the clustering results are used for analyzing the user privacy permission protocol of the version of the application to be evaluated, so as to obtain the privacy authorities, applied for by the version to be evaluated, of which the user is notified through the user privacy permission protocol.
Fig. 5 shows a schematic diagram of a computer system suitable for use in implementing the server of the embodiments of the present application.
As shown in fig. 5, the computer system includes a Central Processing Unit (CPU) 501, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 502 or a program loaded from a storage section 508 into a Random Access Memory (RAM) 503. In the RAM 503, various programs and data required for the operation of the computer system are also stored. The CPU 501, ROM 502, and RAM 503 are connected to each other through a bus 504. An input/output (I/O) interface 505 is also connected to bus 504.
The following components are connected to the I/O interface 505: an input section 506; an output section 507; a storage portion 508 including a hard disk and the like; and a communication section 509 including a network interface card such as a LAN card, a modem, or the like. The communication section 509 performs communication processing via a network such as the internet. The drive 510 is also connected to the I/O interface 505 as needed. A removable medium 511 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 510 as needed so that a computer program read therefrom is mounted into the storage section 508 as needed.
In particular, the processes described in the embodiments of the present application may be implemented as computer programs. For example, embodiments of the present application include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising instructions for performing the method shown in the flowchart. The computer program can be downloaded and installed from a network through the communication portion 509, and/or installed from the removable medium 511. The above-described functions defined in the method of the present application are performed when the computer program is executed by a Central Processing Unit (CPU) 501.
The present application also provides a server that may be configured with one or more processors; and a memory for storing one or more programs, wherein the one or more programs may include instructions for performing the operations described in the above embodiments. The instructions, when executed by the one or more processors, cause the one or more processors to perform the operations described in the above embodiments.
The present application also provides a computer readable medium, which may be included in a server; or may exist alone and not be assembled into a server. The computer-readable medium described above carries one or more programs that, when executed by a server, cause the server to perform the operations described in the above embodiments.
It should be noted that the computer readable medium described in the present application may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium may include, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this application, a computer-readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present application, however, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with computer-readable program code embodied therein. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the preceding. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The foregoing description is only of the preferred embodiments of the present application and of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the invention referred to in this application is not limited to the specific combination of features described above, but also encompasses other embodiments formed by any combination of the features described above or their equivalents without departing from the inventive concept, for example embodiments formed by replacing the features described above with (but not limited to) features having similar functions disclosed in the present application.

Claims (12)

1. A privacy risk assessment method, comprising:
detecting the consistency of a privacy authority application condition of a version to be evaluated of an application and a privacy authority application notification condition, and obtaining a privacy risk detection result of the version to be evaluated of the application, wherein the privacy authority is the authority for acquiring the privacy data of a user of the application, the privacy authority application notification condition indicates all privacy authorities of the version application to be evaluated of the application of the user through a user privacy permission protocol of the version to be evaluated of the application, and the privacy authority application notification condition is used for describing the knowledge condition of the privacy authority of the version application to be evaluated of the application of the user;
the privacy authority application notification condition is determined based on the following steps: determining privacy rights associated statements associated with privacy rights in the content of each version of the user privacy license agreement for each application; aggregating privacy authority associated sentences associated with the same privacy authority to obtain a plurality of privacy authority associated sentence sets; extracting keywords in the privacy authority associated sentences in the privacy authority associated sentence sets for each privacy authority associated sentence set to obtain keyword sets; establishing a corresponding relation between the privacy authority associated statement set and the keyword set; according to the privacy permission associated statement set and the keyword set corresponding to the privacy permission associated statement set, determining statements associated with privacy rights in a user privacy permission protocol so as to determine privacy rights of version applications which need to be evaluated of applications which are informed to a user through the user privacy permission protocol;
and generating a privacy risk assessment result of the version of the application to be assessed based on the privacy risk detection result of the version of the application to be assessed.
2. The method of claim 1, after generating the privacy risk assessment result for the version of the application that needs to be assessed, the method further comprising:
in response to detecting that the evaluation associated information of the version of the application to be evaluated changes, generating an updated privacy risk evaluation result of the version of the application to be evaluated based on the change condition of the evaluation associated information, wherein the evaluation associated information comprises: privacy rights application information indicating all the applied privacy rights, content of a user privacy license agreement, and the change condition of the evaluation associated information is determined based on the changed items in the evaluation associated information.
3. The method of claim 2, detecting the consistency of the privacy rights application case and the privacy rights application notification case of the version of the application that needs to be evaluated comprises:
and detecting consistency of privacy authority application conditions and privacy authority application notification conditions of the versions of the application requiring evaluation based on a matching result of the evaluation association information of the versions of the application requiring evaluation and the evaluation association information of the previous versions of the application requiring evaluation, wherein the matching result is generated based on matching an item in the evaluation association information of the versions of the application requiring evaluation with an item corresponding to the item of the evaluation association information of the previous versions.
4. A method according to claim 3, the matching result being that the privacy rights application information is not matched and the contents of the user privacy permissions agreement are matched; and
based on a matching result of the evaluation association information of the version to be evaluated of the application and the evaluation association information of the previous version of the version to be evaluated of the application, detecting the consistency of the privacy authority application condition and the privacy authority application notification condition of the version to be evaluated of the application includes:
and when the privacy authority application condition and the privacy authority application notification condition of the prior version are not consistent, determining that the privacy authority application condition and the privacy authority application notification condition of the version of the application to be evaluated are inconsistent.
5. The method according to one of claims 1-4, the method further comprising:
acquiring user privacy permission agreements of a plurality of applications;
for each applied user privacy permission protocol, carrying out semantic analysis on the content in the user privacy permission protocol, and determining privacy permission associated sentences associated with privacy permissions;
based on the associated privacy authorities, clustering all privacy authority associated sentences to obtain a plurality of clustering results, wherein the clustering results are used for analyzing the user privacy permission protocol of the version of the application to be evaluated to obtain the privacy authorities of the version application to be evaluated, which is informed to the user through the user privacy permission protocol.
6. A privacy risk assessment apparatus comprising:
the detection unit is configured to detect the consistency between the privacy authority application condition and the privacy authority application notification condition of the version of the application to be evaluated, and to obtain a privacy risk detection result for that version, wherein a privacy authority is an authority for acquiring the privacy data of users of the application, the privacy authority application notification condition indicates all the privacy authorities applied for by the version of the application to be evaluated of which the user is notified through the user privacy permission protocol of that version, and the privacy authority application notification condition is used for describing the user's knowledge of the privacy authorities applied for by the version of the application to be evaluated;
the privacy authority application notification condition is determined based on the following steps: determining, in the content of the user privacy license agreement of each version of each application, the privacy authority associated statements that are associated with privacy authorities; aggregating the privacy authority associated statements associated with the same privacy authority to obtain a plurality of privacy authority associated statement sets; for each privacy authority associated statement set, extracting keywords from the statements in the set to obtain a keyword set; establishing a correspondence between each privacy authority associated statement set and its keyword set; and, according to the privacy authority associated statement sets and their corresponding keyword sets, determining the statements associated with privacy authorities in a user privacy permission protocol, so as to determine the privacy authorities applied for by the version of the application to be evaluated of which the user is informed through the user privacy permission protocol;
and the evaluation unit is configured to generate a privacy risk evaluation result for the version of the application to be evaluated based on the privacy risk detection result of that version.
7. The apparatus of claim 6, the apparatus further comprising:
an updating unit configured to, in response to detecting that the evaluation association information of the version of the application to be evaluated has changed, generate an updated privacy risk assessment result for that version based on the change condition of the evaluation association information, wherein the evaluation association information includes privacy authority application information indicating all the applied privacy authorities and the content of the user privacy license agreement, and the change condition of the evaluation association information is determined based on the items that changed in the evaluation association information.
8. The apparatus of claim 7, the detection unit further configured to:
detect the consistency between the privacy authority application condition and the privacy authority application notification condition of the version of the application to be evaluated based on a matching result between the evaluation association information of that version and the evaluation association information of a previous version of the application, wherein the matching result is generated by matching each item in the evaluation association information of the version to be evaluated with the corresponding item in the evaluation association information of the previous version.
9. The apparatus of claim 8, wherein the matching result is that the privacy authority application information does not match and the content of the user privacy permission agreement matches, and the detection unit is further configured to: when the privacy authority application condition and the privacy authority application notification condition of the prior version are not consistent, determine that the privacy authority application condition and the privacy authority application notification condition of the version of the application to be evaluated are inconsistent.
10. The apparatus according to one of claims 6-9, the apparatus further comprising:
a collection unit configured to: acquire the user privacy permission agreements of a plurality of applications; for the user privacy permission protocol of each application, perform semantic analysis on its content and determine the privacy authority associated statements associated with privacy authorities; and cluster all the privacy authority associated statements based on their associated privacy authorities to obtain a plurality of clustering results, wherein the clustering results are used for analyzing the user privacy permission protocol of the version of the application to be evaluated to obtain the privacy authorities applied for by that version of which the user is informed through the user privacy permission protocol.
11. A server, comprising:
one or more processors;
a memory for storing one or more programs,
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1-5.
12. A computer readable medium having stored thereon a computer program which, when executed by a processor, implements the method of any of claims 1-5.
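The detection flow of claims 6 and 10 (statements grouped per privacy authority, a keyword set per group, then a comparison of applied versus notified authorities) can be sketched as follows. This is an added example, not code from the patent; the permission names, English sample sentences, stopword list and the `min_count` document-frequency threshold are all assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: (permission, sentence) pairs standing in for privacy-authority
# associated statements collected from many agreements. Permission names are assumed.
LABELLED = [
    ("ACCESS_FINE_LOCATION", "We collect your precise location to show nearby stores."),
    ("ACCESS_FINE_LOCATION", "Your location is used to recommend nearby services."),
    ("READ_CONTACTS", "We read your contacts to help you find friends."),
    ("READ_CONTACTS", "Your address book contacts are uploaded to match friends."),
    ("CAMERA", "The camera is used to scan QR codes and take photos."),
    ("CAMERA", "We access the camera when you record a video."),
]
# Constructed agreement text for the version under evaluation.
AGREEMENT = "We use your location to display nearby offers. The camera lets you scan codes."
# Assumed stopword list; the claims do not say how keywords are extracted.
STOPWORDS = set("we your you the to a is are and when used use access collect".split())

def tokens(text):
    return [w for w in re.findall(r"[a-z]+", text.lower()) if w not in STOPWORDS]

def build_keyword_sets(labelled, min_count=2):
    """Aggregate statements per permission; keep terms found in >= min_count of them."""
    groups = defaultdict(list)
    for perm, sentence in labelled:
        groups[perm].append(sentence)
    return {
        perm: {t for t, n in Counter(t for s in sents for t in set(tokens(s))).items()
               if n >= min_count}
        for perm, sents in groups.items()
    }

def notified_permissions(agreement, keyword_sets):
    """Permissions whose keyword set matches at least one sentence of the agreement."""
    found = set()
    for sentence in re.split(r"[.!?;\n]+", agreement):
        words = set(tokens(sentence))
        found |= {p for p, kws in keyword_sets.items() if words & kws}
    return found

def detect(applied, agreement, keyword_sets):
    """Compare applied permissions with notified ones; report the undisclosed ones."""
    notified = notified_permissions(agreement, keyword_sets)
    undisclosed = sorted(set(applied) - notified)
    return {"consistent": not undisclosed, "undisclosed": undisclosed,
            "notified": sorted(notified)}

if __name__ == "__main__":
    ks = build_keyword_sets(LABELLED)
    print(detect(["ACCESS_FINE_LOCATION", "CAMERA", "READ_CONTACTS"], AGREEMENT, ks))
```

A keyword hit only shows that a topic is mentioned: a sentence such as "we never access your camera" would still count as notification here, which is why claim 10 relies on semantic analysis rather than bare term matching.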
CN201811497273.6A 2018-12-07 2018-12-07 Privacy risk assessment method and device Active CN109598127B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811497273.6A CN109598127B (en) 2018-12-07 2018-12-07 Privacy risk assessment method and device

Publications (2)

Publication Number Publication Date
CN109598127A CN109598127A (en) 2019-04-09
CN109598127B true CN109598127B (en) 2023-07-25

Family

ID=65961542

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811497273.6A Active CN109598127B (en) 2018-12-07 2018-12-07 Privacy risk assessment method and device

Country Status (1)

Country Link
CN (1) CN109598127B (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109922211B (en) * 2019-04-18 2020-12-01 福建师范大学 Mobile phone app privacy disclosure alarm method
CN110381204B (en) * 2019-07-16 2021-01-08 维沃移动通信有限公司 Information display method, mobile terminal and computer readable storage medium
CN112073584B (en) * 2019-08-27 2021-05-18 烟台中科网络技术研究所 Risk assessment method for App to collect personal sensitive information of user
CN111240694B (en) * 2020-01-03 2024-01-09 北京小米移动软件有限公司 Application detection method, application detection device and storage medium
CN111221733B (en) * 2020-01-06 2024-08-13 北京小米移动软件有限公司 Information processing method, device, mobile terminal and storage medium
CN111752656A (en) * 2020-05-29 2020-10-09 维沃移动通信有限公司 Information display method and device, electronic equipment and storage medium
CN112199506B (en) * 2020-11-10 2021-08-24 支付宝(杭州)信息技术有限公司 Information detection method, device and equipment for application program
CN114971107A (en) * 2021-02-25 2022-08-30 华为技术有限公司 Privacy risk feedback method and device and first terminal equipment
CN113139186A (en) * 2021-04-14 2021-07-20 北京开元华创信息技术有限公司 Personal information security audit evaluation system
CN113254923B (en) * 2021-06-25 2021-10-26 南京网眼信息技术有限公司 Method and system for generating privacy policy text according to APK (android package)
CN114329595B (en) * 2021-12-29 2023-12-19 北京荣耀终端有限公司 Application program detection method, device, storage medium and program product

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103440456A (en) * 2013-09-06 2013-12-11 Tcl集团股份有限公司 Method and device for evaluating safety of application program
CN104346566A (en) * 2013-07-31 2015-02-11 腾讯科技(深圳)有限公司 Method, device, terminal, server and system for detecting privacy authority risks
CN106529274A (en) * 2016-10-26 2017-03-22 努比亚技术有限公司 Terminal and information security protection method thereof
CN106650485A (en) * 2016-09-18 2017-05-10 山东大学 Personalized environmental perception privacy protection method based on Android
CN108446572A (en) * 2018-03-26 2018-08-24 南京邮电大学 A kind of privacy authority management method based on service granularity

Also Published As

Publication number Publication date
CN109598127A (en) 2019-04-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant