CN109933976B - Android application similarity detection method, mobile terminal and storage device - Google Patents
Android application similarity detection method, mobile terminal and storage device Download PDFInfo
- Publication number
- CN109933976B CN109933976B CN201711344279.5A CN201711344279A CN109933976B CN 109933976 B CN109933976 B CN 109933976B CN 201711344279 A CN201711344279 A CN 201711344279A CN 109933976 B CN109933976 B CN 109933976B
- Authority
- CN
- China
- Prior art keywords
- application
- control
- detected
- original edition
- acquiring
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Abstract
The invention discloses an android application similarity detection method, a mobile terminal and a storage device, wherein the method comprises the following steps: acquiring layout files of original edition application and detected application, a control executable track set and a control actual track set; calculating a control executable track difference set and a control actual track difference set of the original edition application and the detected application; if the similarity of the original edition application and the layout file of the detected application reaches more than a threshold value, and meanwhile, the condition that the control executable track set of the original edition application is a subset of the control executable track set of the detected application is met, the control actual track set of the original edition application is a subset of the control actual track set of the detected application, the control actual track difference set is a subset of the control executable track difference set, and the detected application and the original edition application are determined to have similarity. The invention provides a reliable similarity detection method for android applications, and aims to detect whether the android applications are tampered maliciously or not and avoid risks caused by tampering of original edition applications.
Description
Technical Field
The invention relates to the technical field of computer applications, in particular to an android application similarity detection method, a mobile terminal and a storage device.
Background
With the development of the mobile internet, smartphones have become an integral part of people's life, and in order to enable smartphone users to conveniently browse and install smartphone applications, platform providers offer a centralized application market, however, among mobile applications in these application markets, there are numerous applications that are modified as intended for legitimate applications and repackaged and released with new signing keys. As a technical approach, application repackaging techniques may be for good intent, however, it is more common in the art that application repackaging techniques are used for malicious purposes, thereby posing a non-negligible risk to application developers, cell phone users, market operators, and even the entire Android ecosystem.
Accordingly, the prior art is still in need of improvement and development.
Disclosure of Invention
Aiming at the problems that Android applications are frequently modified wantonly and repackaged and released by new signature keys in the prior art, risks which cannot be ignored are caused for application developers, mobile phone users, market operators and even the whole Android ecological system, and problems that the Android applications cannot be detected reliably and timely are solved, the invention provides a method for detecting the similarity of the Android applications, a mobile terminal and a storage device, and aims to provide a reliable method for detecting the similarity of the Android applications, so that whether the Android applications are tampered maliciously is conveniently and effectively detected timely, risks caused by tampering of original edition applications are avoided, and safety and reliability of the Android applications are improved.
The technical scheme adopted for solving the technical problems is as follows:
the android application similarity detection method comprises the following steps:
acquiring layout files of original edition application and detected application;
acquiring a control executable track set of an original edition application and a detected application;
acquiring an actual track set of a control of an original edition application and a detected application;
calculating a control executable track difference set and a control actual track difference set of the original edition application and the detected application;
if the similarity of the original edition application and the layout file of the detected application reaches more than a threshold value, and meanwhile, the condition that the control executable track set of the original edition application is a subset of the control executable track set of the detected application is met, the control actual track set of the original edition application is a subset of the control actual track set of the detected application, the control actual track difference set is a subset of the control executable track difference set, and the detected application and the original edition application are determined to have similarity.
The android application similarity detection method further comprises the following steps before the original edition application and the detected application are obtained:
establishing a control database, and storing an application control, wherein the table field comprises an application package name, an application interface package name, a layout file name corresponding to the application interface, a control name in a layout file corresponding to the application interface, a control coordinate in the layout file corresponding to the application interface and a control attribute in the layout file corresponding to the application interface;
and when the android system is started, starting an application program management service for acquiring and analyzing application program files, and setting a monitor for monitoring installation application or uninstallation application in the android system.
In the android application similarity detection method, when the android system is started, an application program management service is started for acquiring and analyzing application program files, and after a monitor for monitoring installation or uninstallation of the application is arranged in the android system, the method comprises the following steps:
when the monitor monitors the installation application, in the process of installing the application, calling an application program management service to analyze the currently installed application, acquiring related information of the installation application, and adding a corresponding control record in a control database according to the installation application information;
when the monitor monitors the uninstalled application, in the process of uninstalling the application, calling an application program management service to analyze the currently uninstalled application, acquiring related information of the uninstalled application, and deleting a corresponding control record in a control database according to the information of the uninstalled application.
The android application similarity detection method, wherein the judging whether the similarity of the original edition application and the layout file of the detected application reaches more than a threshold value comprises the following steps:
comparing whether the total number of the layout files applied by the original edition is smaller than or equal to the total number of the layout files applied by the detected application;
if yes, any layout file of the original edition application is obtained, and compared with any layout file in the detected application, whether the number of the controls in the original edition application is smaller than or equal to the number of the controls in the detected application is judged;
when yes, acquiring all controls in any layout file in the original edition application and the detected application; if not, comparing with the next layout file in the detected application;
acquiring the number of each control type in any layout file in the original edition application and the detected application;
comparing all the controls in any layout file in the original edition application with all the controls in any layout file in the detected application according to the control types;
if the number of any control type in the original edition application is smaller than or equal to the number of any control type in the detected application, continuing to compare until the original edition application and each control type in the detected application are compared;
if the coordinates of all the controls in any control type in the original application can find the controls with the same coordinates in all the controls in the same control type in the detected application, continuing to compare until the coordinates of all the controls in each control type in the original application and the detected application are compared;
obtaining a next layout file in the original edition application, and continuing to compare until all layout files in the original edition application are compared with all layout files of the detected application;
if all layout files in the original application can find the layout files with similarity in the detected application, judging that the original application and the layout files of the detected application have similarity within a threshold range; otherwise the master application does not have a similarity to the layout file of the detected application.
The android application similarity detection method specifically includes the steps of:
acquiring a control executable track set of the original edition application by traversing all controls in the original edition application;
and acquiring a control executable track set of the detected application by traversing all the controls in the detected application.
The android application similarity detection method specifically includes the steps of:
acquiring an application package name, and acquiring layout files corresponding to all interfaces of the application according to the application package name;
analyzing the layout file, acquiring a control in the layout file, inputting a key operation to the control, confirming whether the control has a jumping interface after the key is pressed, and recording a behavior track when the control is pressed;
traversing all layout files corresponding to all interfaces and traversing all controls in the layout files to obtain an executable track set of the applied controls.
The android application similarity detection method specifically includes the steps of:
in actual use, acquiring an actual behavior track of a control of the original edition application operated by a user, and acquiring an actual track set of the control of the original edition application;
in actual use, the actual behavior track of the control of the detected application operated by the user is obtained, and the actual track set of the control of the detected application is obtained.
The android application similarity detection method specifically includes the steps of:
entering an application, and acquiring the name of a current first application interface;
when key operation on the interface is monitored, acquiring the name of the current second application interface;
comparing whether the first application interface name is the same as the second application interface name;
and when the control and the control attribute are different, recording the behavior track, wherein the control and the control attribute respond to the key operation.
A mobile terminal, comprising: the android application similarity detection system comprises a processor and a memory which is in communication connection with the processor, wherein the memory stores an android application similarity detection program, and the android application similarity detection program is used for realizing the android application similarity detection method when being executed; the processor is used for calling an android application similarity detection program in the memory to realize the android application similarity detection method.
A storage device, wherein the storage device stores an android application similarity detection program, and the android application similarity detection program can be executed to implement the android application similarity detection method.
The invention discloses an android application similarity detection method, a mobile terminal and a storage device, wherein layout files of original edition applications and detected applications are obtained; acquiring a control executable track set of an original edition application and a detected application; acquiring an actual track set of a control of an original edition application and a detected application; calculating a control executable track difference set and a control actual track difference set of the original edition application and the detected application; if the similarity of the original edition application and the layout file of the detected application reaches more than a threshold value, and meanwhile, the condition that the control executable track set of the original edition application is a subset of the control executable track set of the detected application is met, the control actual track set of the original edition application is a subset of the control actual track set of the detected application, the control actual track difference set is a subset of the control executable track difference set, and the detected application and the original edition application are determined to have similarity. The invention provides a reliable similarity detection method for android applications, and aims to detect whether the android applications are tampered maliciously or not and avoid risks caused by tampering of original edition applications.
Drawings
FIG. 1 is a flow chart of a preferred embodiment of the android application similarity detection method of the present invention.
Fig. 2 is a flowchart of a specific process for determining similarity between a master application and a layout file of a detected application in a preferred embodiment of the android application similarity detection method of the present invention.
FIG. 3 is a flowchart of a specific process for acquiring an executable track set of an application in a preferred embodiment of the android application similarity detection method of the present invention.
Fig. 4 is a flowchart of a specific process of acquiring an actual track set of an application in a preferred embodiment of the android application similarity detection method of the present invention.
Fig. 5 is a flowchart of a specific process for implementing android application detection after similarity is determined in a preferred embodiment of the android application similarity detection method of the present invention.
Fig. 6 is a functional block diagram of a preferred embodiment of the mobile terminal of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more clear and clear, the present invention will be further described in detail below with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
The method for detecting the android application similarity according to the preferred embodiment of the present invention, as shown in fig. 1, specifically includes:
s100, acquiring layout files of original edition application and detected application;
s200, acquiring a control executable track set of an original edition application and a detected application;
s300, acquiring an actual track set of a control of an original edition application and a detected application;
s400, calculating a control executable track difference set and a control actual track difference set of the original edition application and the detected application;
s500, if the similarity between the original application and the layout file of the detected application reaches more than a threshold value and the original application is satisfied, the control executable track set is a subset of the control executable track set of the detected application, the control actual track set of the original application is a subset of the control actual track set of the detected application, the control actual track difference set is a subset of the control executable track difference set, and the detected application and the original application are determined to have similarity.
Specifically, the process of obtaining the layout file of the application is described below, and in the process of starting the Android system, an application management service Package Manager Service is started, and is responsible for scanning a specific directory in the system, finding out the application files inside, that is, files with APK as a suffix, then analyzing the files to obtain relevant information of the application, and storing the relevant information in member variables thereof. According to the method, the application program management service source code is modified, and each application and the interface name thereof are obtained when the APK is analyzed; the path of the APK source code file is analyzed as follows:
frameworks/base/services/java/com/android/server/PackageManagerService.java.
the method and the device can obtain the smali code of the Android application program through a disassembly tool, and the Apktool tool is adopted in the method and the device, so that the smali code, the picture, the XML configuration file and other resource files of the application program can be obtained through disassembly of the APK.
After Apktool decompiling an APK file is used, a smali file is generated under the decompiling engineering directory, all the decompiled smali files are stored in the decompiling engineering directory, the files generate corresponding directories according to the hierarchical structure of the program package, and all the classes in the program generate independent smali files under the corresponding directories, for convenience of description, for example, the following are shown:
assuming that an Activity name is com.supxz.test.MainActivlty, a com/supxz/test/directory structure is sequentially generated under the smali directory, and then a MainActivlty.smali file is generated under the directory.
According to the acquired interface (i.e. Activity) name traversal of the application, the smali code file carrying the Activity name in the smali folder is analyzed, and the following is taken as an example of the MainActivlty.
.class public Lcom/sunxz/test/MainActivlty;
.super Landroid/app/Activlty;
.source "MainActivlty.java"
#virutal methods
.method protected onCreate(Landroid/os/Bundle;)V
.locals 3
.parameter "savedInstanceState"
.prologue
.line 14
invoke-super{p0,p1},Landroid/app/Activity;->onCreate (Landroid/os/Bundle;)V
.line 15
const/high 16 v2, 0x7f03
invoke-virtual {p0,v2}, Lcom/sunxz/test/MainActivlty;-> setContentView(I)V
The first line of the class instruction designates the class name of the current class, the second line of the class instruction designates the parent class of the current class, the third line of the source instruction designates the source file name of the current class, the # virus methods is a method declaration instruction, the parameter is a parameter instruction, the program is a code start instruction, and the invoke-virtual is a method invocation instruction.
The last line of codes completes the setting of the view of the activity of MainActivity, and loads the layout represented by the method parameters through a method of setContentView (I); the invoke-virtual is an opcode, representing that the method call { pO, v2} is a register for placing parameters; lcom/supexz/test/MainActivlty; the method is called, setContentView (I) V is called specific method, wherein I refers to the type of parameter as int, V refers to the return value type as void, in the row disassembly code, two registers pO and V2 respectively store values of Lcom/sample/test/MainActivity and an int type, the value of the int type is defined by data in a code const/high 16V 2 and a code of 0x7f03 in the penultimate row, the row code represents that the value of 0x7f03 is assigned to the register V2, and the activity of MainActivity can be determined by the value to load a layout file with the ID of 0x7f 03.
As described above, after decompiling the APK, an R.class file is also obtained, and the R.class file is analyzed to know that the name of the layout file corresponding to 0x7f03 is activity_main, so that the activity and the map file loaded by the activity are activity_main, wherein the activity_main.xml is located in the APK/res/layout/directory.
So far, by the method, each interface of the application and the loaded layout file thereof can be obtained.
As is well known, each interface (Activity) of an application corresponds to a layout file, elements displayed in each interface are located in the corresponding layout file, and each element corresponds to a control in the layout file; analyzing each obtained layout file, and obtaining each control coordinate and control attribute in the layout file; until the layout file corresponding to each interface in each application in the system is analyzed; the control database is established, the application controls are stored, and the table field comprises application package names, application interface package names, layout file names corresponding to the application interfaces, control names in layout files corresponding to the application interfaces, control coordinates in the layout files corresponding to the application interfaces and control attributes in the layout files corresponding to the application interfaces.
In actual operation, the user may install a third party application and/or uninstall a pre-installed application (or a third party application) in the system, so that the data table created according to the application parsed by the application management service needs to be updated when the system is started. In view of this, the present invention proposes that in the case of installing or uninstalling an application for a user, a monitor for monitoring the installed application or uninstalling the application is added in the system, and the specific steps are as follows:
1. if it is monitored to install an application
When the monitor monitors the installation application, in the process of installing the application, calling an application program management service to analyze the currently installed application, acquiring related information of the installation application, and adding a corresponding control record of the installation application in a control database according to the application information.
2. If it is monitored to uninstall the application
When the monitor monitors the uninstalled application, in the process of uninstalling the application, calling an application program management service to analyze the currently uninstalled application, acquiring the related information of the uninstalled application, and deleting the related control record of the application in a control database according to the application information.
The purpose of monitoring the installation and uninstallation of the applications is to update a control database, which stores relevant information of all applications in the current system, such as interfaces, interface loading layout files, and the like.
Further, the step of obtaining the layout file of the original application and the detected application in S100 specifically includes:
comparing whether the total number of the layout files applied by the original edition is smaller than or equal to the total number of the layout files applied by the detected application; if yes, any layout file of the original edition application is obtained, and compared with any layout file in the detected application, whether the number of the controls in the original edition application is smaller than or equal to the number of the controls in the detected application is judged; when yes, acquiring all controls in any layout file in the original edition application and the detected application; if not, comparing with the next layout file in the detected application; acquiring the number of each control type in any layout file in the original edition application and the detected application; comparing all the controls in any layout file in the original edition application with all the controls in any layout file in the detected application according to the control types; if the number of any control type in the original edition application is smaller than or equal to the number of any control type in the detected application, continuing to compare until the original edition application and each control type in the detected application are compared; if the coordinates of all the controls in any control type in the original application can find the controls with the same coordinates in all the controls in the same control type in the detected application, continuing to compare until the coordinates of all the controls in each control type in the original application and the detected application are compared; obtaining a next layout file in the original edition application, and continuing to compare until all layout files in the original edition application are compared with all layout files of the detected application; if all layout files in the original application can find the layout files with the similarity in the detected application, judging that the original application and the layout files of the detected application have the similarity within a threshold range (the similarity of the layout files is judged as a precondition); otherwise the master application does not have a similarity to the layout file of the detected application.
Specifically, a specific procedure for judging the similarity of the layout files of the original application and the detected application in step S100 is specifically described below, and as shown in fig. 2, the similarity of the layout files of the original application and the detected application is compared as follows:
s10, comparing the total number of the layout files;
s11, judging whether the total number of original application layout files is smaller than or equal to the total number of the layout files of the detected application, executing the step S12 when the total number of original application layout files is smaller than or equal to the total number of the layout files of the detected application, and executing the step S24 when the total number of original application layout files is smaller than or equal to the total number of the layout files of the detected application;
s12, obtaining a certain layout file of the original edition application, and comparing the layout file with a certain layout file in the detected application;
s13, judging that the number of the controls in the former is smaller than or equal to that of the controls in the latter, executing the step S15 when the number of the controls in the former is smaller than or equal to that of the controls in the latter, and executing the step S14 when the number of the controls in the former is smaller than or equal to that of the controls in the latter;
s14, comparing with the next layout file in the detected application, and jumping to the step S12;
s15, acquiring all controls in a layout file in an original edition application, wherein the control attributes comprise: control id, control width, control height, control coordinates and control type; acquiring all controls in a layout file in a detected application, wherein the control attributes comprise: control id, control width, control height, control coordinates and control type;
s16, obtaining the number of each control type in a layout file in an original edition application, such as 1 control type, and 2 control types; the method comprises the steps of obtaining the number of each control type in a layout file in a detected application, such as 1 control type, 1 control type and 2 control types;
s17, comparing all the controls in a layout file in the original edition application with all the controls in a layout file in the detected application according to the control types, namely comparing the same control types;
s18, judging whether the number of a certain control type in the former is smaller than or equal to the number of a certain control type in the latter, executing the step S19 when the number of the control type in the former is smaller than or equal to the number of the control type in the latter, and jumping to the step S12 when the number of the control type in the former is smaller than or equal to the number of the control type in the latter;
s19, continuing to compare until each control type in the former and the latter is compared;
s20, judging whether the coordinates of all the controls in a certain control type in the former can find out the controls with the same coordinates in all the controls in the same control type in the latter, executing the step S21 when yes, and jumping to the step S12 when no;
s21, continuing to compare until the coordinates of all the controls in each control type in the former and the latter are compared;
s22, acquiring the next layout file in the original edition application, and continuing to execute the step S12 until all the layout files in the original edition application are compared with all the layout files of the detected application;
s23, if all layout files in the original application can find the layout files with similarity in the detected application, judging that the similarity between the original application and the layout files of the detected application reaches more than a threshold value; otherwise, the layout files of the two files have no similarity;
s24, exiting.
When judging whether the similarity between the original application and the layout files of the detected application reaches above a threshold, the threshold is not a fixed specific value, and in practice, the threshold can be adjusted according to the training comparison result, wherein the threshold is satisfied in that each layout file in the original application has a similar layout file in the detected application, and the similarity is that: a layout file can be found in the detected application that satisfies:
1. the former number of all controls > = the latter number of all controls;
2. the same control types and numbers are the same;
3. the coordinates of the two identical controls are identical.
That is, all layout files in the original application can find similar layout files in the compared application and meet the above conditions, i.e. it can be determined that the original application has similarity to the layout files of the detected application within the threshold range.
Further, the acquiring a control executable track set of the original application and the detected application specifically includes: acquiring a control executable track set of the original edition application by traversing all controls in the original edition application; and acquiring a control executable track set of the detected application by traversing all the controls in the detected application.
The method for acquiring the control executable track set specifically comprises the following steps: acquiring an application package name, and acquiring layout files corresponding to all interfaces of the application according to the application package name; analyzing the layout file, acquiring a control in the layout file, inputting a key operation to the control, confirming whether the control has a jumping interface after the key is pressed, and recording a behavior track when the control is pressed; traversing all layout files corresponding to all interfaces and traversing all controls in the layout files to obtain an executable track set of the applied controls.
Specifically, as shown in fig. 3, the steps of acquiring an executable track set of an application are as follows:
s201, acquiring an application package name;
s202, obtaining layout files corresponding to all interfaces of the application according to the application package name;
s203, analyzing the layout file;
s204, acquiring a control in the layout file;
s205, aiming at the control acquired in the step S204, carrying out button operation on the control, confirming whether the control has a jumping interface after button pressing, and recording a behavior track if the control has a jumping interface, wherein the format is as follows:
layout corresponding to interface X-layout corresponding to a control in interface X-control coordinate-control attribute-interface Y;
s206, traversing all controls in the layout file in the step 203;
s207, traversing the layout files corresponding to all interfaces in the step 202;
s208, acquiring an executable track set of the application.
Further, before determining whether the original application control actual track set is a subset of the detected application control actual track set, the method further includes:
in actual use, acquiring an actual behavior track of a control of the original edition application operated by a user, and obtaining an actual track set of the control of the original edition application; in actual use, the actual behavior track of the control of the detected application operated by the user is obtained, and the actual track set of the control of the detected application is obtained.
The method for acquiring the actual behavior track set of the control specifically comprises the following steps: entering an application, and acquiring the name of a current first application interface; when key operation on the interface is monitored, acquiring the name of the current second application interface; comparing whether the first application interface name is the same as the second application interface name; and when the control and the control attribute are different, recording the behavior track, wherein the control and the control attribute respond to the key operation.
The user opens the terminal equipment and firstly enters a main interface, and other applications are entered through key operation; for convenience of description, it is assumed that there are an application a having 5 interfaces, i.e., interfaces 1 to 5, respectively, and it is known that each interface (Activity) corresponds to a layout file, and that the layout file corresponding to interface 1 is assumed to be layout 1, the layout file corresponding to interface 2 is assumed to be layout 2, and so on, and the layout file corresponding to interface 5 is assumed to be layout 5.
Assuming that a user starts up and clicks into an application A through a main interface, firstly, an interface 1 is displayed, after the interface 1 is operated for a period of time, the user enters an interface 3 by clicking a control 1 in the interface 1, after the interface 3 is operated for a period of time, the user enters an interface 5 by clicking a control 2 in the interface 3, and finally, the user exits the application after the interface 5 is operated for a period of time.
The behavior record of application a from the beginning of entering application a to exiting the application is:
interface 1, interface 3, interface 5.
It will be appreciated that the behavior of application a is made up of a series of control operations and buttons, and that these are time-ordered.
The invention proposes to abstract the behavior record of an application program from entering to exiting the application as: and a series of control operation and key sequences of an upper interface of the application program combined before and after relative time, and constructing a track set of the application by using a jump interface of the control.
Specifically, as shown in fig. 4, the step of acquiring the actual track set of the application is as follows:
s301, entering an application, and acquiring a current first application interface name;
s302, monitoring key operation on an interface, if the key operation is monitored, executing a step 303, otherwise, exiting;
s303, acquiring the name of a current second application interface;
the method comprises the steps that a first application interface name and a second application interface name are obtained through the same method, if the interface is pressed on, the same interface package name is obtained, if the interface is pressed on, the interface is not pressed on, the same interface package name is not obtained (the application package name of each application is unique, each application is provided with a plurality of interfaces, and the package name of each interface is unique);
s304, comparing whether the first application interface name is the same as the second application interface name, if not, executing step S305, otherwise, jumping to step S302;
s305, recording a control and a control attribute in response to the key operation;
s306, recording a behavior track in the following format:
layout corresponding to interface X-layout corresponding to a control in interface X-control coordinate-control attribute-interface Y;
s307, jump to step S301 until exiting the application.
For convenience of description, taking the operation example of the application a above, the actual track of the application a is:
layout corresponding to interface 1-control 1 coordinates-control 1 attributes-layout corresponding to interface 3-interface 3 in interface 1;
layout corresponding to interface 3-layout corresponding to interface 5-control 2 coordinates-control 2 attributes- > of control 2 in interface 3.
Further, calculating a difference set of the control executable track set of the original edition application and the control executable track set of the detected application, and recording the difference set as the control executable track difference set; calculating a difference set of an original edition application control actual track set and a detected application control actual track set, and recording the difference set as a control actual track difference set; when the similarity of the original edition application and the layout file of the detected application reaches more than a threshold value, the control executable track set of the original edition application is a subset of the control executable track set of the detected application, the control actual track set of the original edition application is a subset of the control actual track set of the detected application, and the control actual track difference set is a subset of the control executable track difference set, the detected application and the original edition application are determined to have similarity.
In summary, if the original application and the layout file of the detected application have no similarity within the threshold range, the original application and the layout file of the detected application have no application similarity, and if the original application and the layout file of the detected application have similarity within the threshold range, it may be further determined whether the original application and the layout file of the detected application have application similarity, as shown in fig. 5, which specifically includes:
s40, acquiring a control executable track set of an original edition application;
s41, acquiring a control executable track set of the detected application;
s42, comparing the control executable track set of the original edition application with the control executable track set of the detected application, if the former is a subset of the latter, executing the step S43, otherwise, executing the step S50;
s43, acquiring an actual track set of a control of the original edition application;
s44, acquiring an actual track set of the control of the detected application;
s45, comparing the actual track set of the control of the original edition application with the actual track set of the control of the detected application, if the former is a subset of the latter, executing the step S46, otherwise, executing the step S50;
s46, calculating a difference set of the control executable track set of the original edition application and the control executable track set of the detected application, and recording the difference set as the control executable track difference set;
s47, calculating a difference set of an original edition application control actual track set and a detected application control actual track set, and recording the difference set as a control actual track difference set;
s48, comparing the actual track difference set of the control with the executable track difference set of the control, if the former is a subset of the latter, executing a step S49, otherwise, executing a step S50;
s49, judging that the detected application has similarity with the original application;
s50, ending.
The present invention also provides a mobile terminal, as shown in fig. 6, where the mobile terminal in the embodiment of the present invention may be a mobile phone (or a tablet computer), and the mobile terminal in the embodiment includes a processor 10, and a memory 20 connected to the processor 10;
the memory 20 stores an android application similarity detection program, which when executed by the processor 10 is configured to implement the following steps:
acquiring layout files of original edition application and detected application;
acquiring a control executable track set of an original edition application and a detected application;
acquiring an actual track set of a control of an original edition application and a detected application;
calculating a control executable track difference set and a control actual track difference set of the original edition application and the detected application;
if the similarity of the original edition application and the layout file of the detected application reaches more than a threshold value, and meanwhile, the condition that the control executable track set of the original edition application is a subset of the control executable track set of the detected application is met, the control actual track set of the original edition application is a subset of the control actual track set of the detected application, the control actual track difference set is a subset of the control executable track difference set, and the detected application and the original edition application are determined to have similarity; as described in detail above.
A storage device, wherein the storage device stores an android application similarity detection program, and the android application similarity detection program is used for implementing the android application similarity detection method when executed by the processor 10; as described in detail above.
In summary, the invention provides an android application similarity detection method, a mobile terminal and a storage device, and layout files of original edition applications and detected applications are obtained; acquiring a control executable track set of an original edition application and a detected application; acquiring an actual track set of a control of an original edition application and a detected application; calculating a control executable track difference set and a control actual track difference set of the original edition application and the detected application; if the similarity of the original edition application and the layout file of the detected application reaches more than a threshold value, and meanwhile, the condition that the control executable track set of the original edition application is a subset of the control executable track set of the detected application is met, the control actual track set of the original edition application is a subset of the control actual track set of the detected application, the control actual track difference set is a subset of the control executable track difference set, and the detected application and the original edition application are determined to have similarity. The invention provides a reliable similarity detection method for android applications, and aims to detect whether the android applications are tampered maliciously or not and avoid risks caused by tampering of original edition applications.
Of course, those skilled in the art will appreciate that implementing all or part of the above-described methods may be accomplished by way of a computer program for instructing relevant hardware (e.g., a processor, a controller, etc.), the program may be stored in a computer-readable storage device, and the program may include the steps of the above-described method embodiments when executed. The storage device may be a memory, a magnetic disk, an optical disk, or the like.
It is to be understood that the invention is not limited in its application to the examples described above, but is capable of modification and variation in light of the above teachings by those skilled in the art, and that all such modifications and variations are intended to be included within the scope of the appended claims.
Claims (10)
1. The android application similarity detection method is characterized by comprising the following steps of:
acquiring layout files of original edition application and detected application; each interface of the application corresponds to one layout file, and elements in each interface correspond to one control in the layout file;
acquiring a control executable track set of an original edition application and a detected application; the executable tracks in the control executable track set represent behavior tracks of the interface, which can be jumped to by the controls in the layout file corresponding to the interface of the application;
acquiring an actual track set of a control of an original edition application and a detected application; the control actual track set represents the actual behavior track of the control;
calculating a control executable track difference set and a control actual track difference set of the original edition application and the detected application;
if the similarity of the original edition application and the layout file of the detected application reaches more than a threshold value, and meanwhile, the condition that the control executable track set of the original edition application is a subset of the control executable track set of the detected application is met, the control actual track set of the original edition application is a subset of the control actual track set of the detected application, the control actual track difference set is a subset of the control executable track difference set, and the detected application and the original edition application are determined to have similarity.
2. The android application similarity detection method of claim 1, wherein prior to obtaining layout files of the original application and the detected application further comprises:
establishing a control database, and storing an application control, wherein the table field comprises an application package name, an application interface package name, a layout file name corresponding to the application interface, a control name in a layout file corresponding to the application interface, a control coordinate in the layout file corresponding to the application interface and a control attribute in the layout file corresponding to the application interface;
and when the android system is started, starting an application program management service for acquiring and analyzing application program files, and setting a monitor for monitoring installation application or uninstallation application in the android system.
3. The method for detecting the similarity of the android application according to claim 2, wherein when the android system is started, starting an application management service for acquiring and analyzing an application file, and setting a monitor for monitoring the installation application or the uninstallation application in the android system comprises:
when the monitor monitors the installation application, in the process of installing the application, calling an application program management service to analyze the currently installed application, acquiring related information of the installation application, and adding a corresponding control record in a control database according to the installation application information;
when the monitor monitors the uninstalled application, in the process of uninstalling the application, calling an application program management service to analyze the currently uninstalled application, acquiring related information of the uninstalled application, and deleting a corresponding control record in a control database according to the information of the uninstalled application.
4. The android application similarity detection method of claim 1, wherein determining whether a similarity of a layout file of an original application and a detected application exceeds a threshold value comprises:
comparing whether the total number of the layout files applied by the original edition is smaller than or equal to the total number of the layout files applied by the detected application;
if yes, any layout file of the original edition application is obtained, and compared with any layout file in the detected application, whether the number of the controls in the original edition application is smaller than or equal to the number of the controls in the detected application is judged;
when yes, acquiring all controls in any layout file in the original edition application and the detected application; if not, comparing with the next layout file in the detected application;
acquiring the number of each control type in any layout file in the original edition application and the detected application;
comparing all the controls in any layout file in the original edition application with all the controls in any layout file in the detected application according to the control types;
if the number of any control type in the original edition application is smaller than or equal to the number of any control type in the detected application, continuing to compare until the original edition application and each control type in the detected application are compared;
if the coordinates of all the controls in any control type in the original application can find the controls with the same coordinates in all the controls in the same control type in the detected application, continuing to compare until the coordinates of all the controls in each control type in the original application and the detected application are compared;
obtaining a next layout file in the original edition application, and continuing to compare until all layout files in the original edition application are compared with all layout files of the detected application;
if all layout files in the original application can find the layout files with similarity in the detected application, judging that the original application and the layout files of the detected application have similarity within a threshold range; otherwise the master application does not have a similarity to the layout file of the detected application.
5. The android application similarity detection method according to claim 1, wherein the acquiring a control executable track set of an original application and a detected application specifically comprises:
acquiring a control executable track set of the original edition application by traversing all controls in the original edition application;
and acquiring a control executable track set of the detected application by traversing all the controls in the detected application.
6. The android application similarity detection method of claim 5, wherein obtaining a control executable track set specifically comprises:
acquiring an application package name, and acquiring layout files corresponding to all interfaces of the application according to the application package name;
analyzing the layout file, acquiring a control in the layout file, inputting a key operation to the control, confirming whether the control has a jumping interface after the key is pressed, and recording a behavior track when the control is pressed;
traversing all layout files corresponding to all interfaces and traversing all controls in the layout files to obtain an executable track set of the applied controls.
7. The android application similarity detection method according to claim 1, wherein the obtaining the actual track set of the controls of the original application and the detected application specifically includes:
in actual use, acquiring an actual behavior track of a control of the original edition application operated by a user, and acquiring an actual track set of the control of the original edition application;
in actual use, the actual behavior track of the control of the detected application operated by the user is obtained, and the actual track set of the control of the detected application is obtained.
8. The android application similarity detection method of claim 7, wherein obtaining an actual track set of a control specifically comprises:
entering an application, and acquiring the name of a current first application interface;
when key operation on the interface is monitored, acquiring the name of the current second application interface;
comparing whether the first application interface name is the same as the second application interface name;
and when the control and the control attribute are different, recording the behavior track, wherein the control and the control attribute respond to the key operation.
9. A mobile terminal, comprising: the processor and the memory are in communication connection with the processor, and the memory is stored with an android application similarity detection program, and the android application similarity detection program is used for realizing the android application similarity detection method according to any one of claims 1-8 when being executed; the processor is configured to invoke the android application similarity detection program in the memory, so as to implement the android application similarity detection method according to any one of claims 1 to 8.
10. A storage device, characterized in that the storage device stores an android application similarity detection program, which can be executed to implement the android application similarity detection method according to any one of claims 1 to 8.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201711344279.5A CN109933976B (en) | 2017-12-15 | 2017-12-15 | Android application similarity detection method, mobile terminal and storage device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201711344279.5A CN109933976B (en) | 2017-12-15 | 2017-12-15 | Android application similarity detection method, mobile terminal and storage device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109933976A CN109933976A (en) | 2019-06-25 |
| CN109933976B true CN109933976B (en) | 2023-05-09 |
Family
ID=66979313
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201711344279.5A Active CN109933976B (en) | 2017-12-15 | 2017-12-15 | Android application similarity detection method, mobile terminal and storage device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109933976B (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112395470A (en) * | 2019-08-19 | 2021-02-23 | Tcl集团股份有限公司 | Operation event statistical method and device in terminal system, terminal and storage medium |
| CN111898126B (en) * | 2020-06-09 | 2022-11-08 | 东南大学 | Android repackaging application detection method based on dynamically acquired user interface |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105389508A (en) * | 2015-11-10 | 2016-03-09 | 工业和信息化部电信研究院 | Detection method and apparatus for re-packaged Android application |
| CN107169323A (en) * | 2017-05-11 | 2017-09-15 | 南京大学 | Packet inspection method is beaten again in a kind of Android application based on layout cluster figure |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20070239993A1 (en) * | 2006-03-17 | 2007-10-11 | The Trustees Of The University Of Pennsylvania | System and method for comparing similarity of computer programs |
| KR101214893B1 (en) * | 2011-12-16 | 2013-01-09 | 주식회사 안랩 | Apparatus and method for detecting similarity amongf applications |
| US9569536B2 (en) * | 2013-12-17 | 2017-02-14 | Microsoft Technology Licensing, Llc | Identifying similar applications |
| KR101579175B1 (en) * | 2014-02-21 | 2015-12-21 | 주식회사 안랩 | Apparatus and method for detection of repackaging |
| CN104778409B (en) * | 2015-04-16 | 2018-01-12 | 电子科技大学 | A kind of detection method and device of Android application software similitude |
-
2017
- 2017-12-15 CN CN201711344279.5A patent/CN109933976B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105389508A (en) * | 2015-11-10 | 2016-03-09 | 工业和信息化部电信研究院 | Detection method and apparatus for re-packaged Android application |
| CN107169323A (en) * | 2017-05-11 | 2017-09-15 | 南京大学 | Packet inspection method is beaten again in a kind of Android application based on layout cluster figure |
Non-Patent Citations (1)
| Title |
|---|
| 陈浩 ; 王广南 ; 孙建华 ; .一种基于图的程序行为相似性比较方法.计算机应用研究.2010,(02),第532-536、551页. * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN109933976A (en) | 2019-06-25 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN107979508B (en) | Micro-service test method and device | |
| CN106874180B (en) | Detection system and method thereof | |
| CN108829477B (en) | Interface jump method, device, computer equipment and storage medium | |
| CN111625839A (en) | Third-party component vulnerability detection method, device, equipment and computer storage medium | |
| CN106326735B (en) | Method and apparatus for preventing injection | |
| CN108763951B (en) | Data protection method and device | |
| US20220253297A1 (en) | Automated deployment of changes to applications on a cloud computing platform | |
| CN103544434A (en) | Method and terminal used for ensuring safe operation of application program | |
| CN109933976B (en) | Android application similarity detection method, mobile terminal and storage device | |
| CN111475390A (en) | Log collection system deployment method, device, equipment and storage medium | |
| US10229273B2 (en) | Identifying components for static analysis of software applications | |
| CN115576600A (en) | Code change-based difference processing method and device, terminal and storage medium | |
| CN108897588B (en) | Routing method and routing device for communication between modules | |
| CN113835713B (en) | Source code packet downloading method, device, computer equipment and storage medium | |
| CN111679852A (en) | Detection method and device for conflict dependency library | |
| CN112650555B (en) | Development and test method, system and medium for management platform | |
| JP2009122754A (en) | Software development support device | |
| CN108628620B (en) | POS application development implementation method and device, computer equipment and storage medium | |
| CN110727436A (en) | Operation interface script execution method and device, terminal equipment and storage medium | |
| JP2010231594A (en) | Test program and testing device | |
| JP2004326337A (en) | Code analysis program, code analysis automation program and automated code analysis system | |
| CN107239706A (en) | The safety loophole mining method of application program of mobile phone under a kind of Android platform | |
| CN113568834A (en) | SDK code compatibility detection method, device, computer equipment and medium | |
| CN112148301A (en) | Method, system and storage medium for integrated production of customized version of non-compiled Android system | |
| JP2005025543A (en) | Consistency check system, consistency check method, consistency check program and management information creation system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |