CN110110521A - Security detection method, apparatus and system for iOS applications - Google Patents


Info

Publication number
CN110110521A
Authority
CN
China
Prior art keywords
target application
type
application
evaluation result
reversing
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910245705.2A
Other languages
Chinese (zh)
Inventor
汪德嘉
华保健
邵根波
钱潇龄
孟啸龙
郑小敏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jiangsu Pay Shield Information Safe Technology Ltd
Original Assignee
Jiangsu Pay Shield Information Safe Technology Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Jiangsu Pay Shield Information Safe Technology Ltd
Priority to CN201910245705.2A
Publication of CN110110521A
Priority to PCT/CN2019/123870 (WO2020192179A1)


Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562: Static detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a security detection method, apparatus and system for iOS applications. The method comprises: obtaining the application symbol table corresponding to a target application, matching the obtained type keywords corresponding to preset detection types against the application symbol table, and determining a first evaluation result; sending a dynamic test instruction corresponding to a preset function to the target application, and determining a second evaluation result according to the test response result that the target application returns for the dynamic test instruction and at least two preconfigured expected response results corresponding to the dynamic test instruction; and judging whether the target application is secure according to the first evaluation result and the second evaluation result. The method performs security detection on both the static code and the dynamic running process of the target application, obtaining a first evaluation result for the static code and a second evaluation result for the dynamic running process, and combines the two results to make a comprehensive security judgment on the target application.

Description

Security detection method, apparatus and system for iOS applications
Technical field
The present invention relates to the technical field of computer software, and in particular to a security detection method, apparatus and system for iOS applications.
Background
With the rapid development of network technology, the number of Internet users has grown exponentially and smartphone sales have risen sharply. In the high-end market, the iOS platform holds a very large share of the mobile terminal service market. Mobile applications based on the iOS platform are increasingly complex in design and increasingly large in development scale, and application quality matters more and more. In particular, the number of payment-related applications is growing rapidly, and the security of payment-related applications is critical throughout the whole life cycle of the application.
However, in the course of implementing the present invention, the inventors found that the development techniques used for iOS applications are uneven, which in turn makes the security level of applications uneven. At the same time, although the self-protection of the iOS platform is relatively strong, attack techniques against iOS mobile applications on the market are increasingly mature and methods for jailbreaking iPhone devices are becoming simpler, so the threats faced by iOS mobile applications keep growing. It is therefore necessary to perform various security detections on iOS applications and to require developers to apply various security protections to them; at the current stage, the market for security detection of iOS applications has a large gap.
It can be seen that there is currently no standard security detection tool on the market for iOS applications, and security detection of applications cannot be automated. Moreover, detection of iOS applications is mostly static detection, that is, comparing key strings from the perspective of static code, which is not comprehensive. As a result, an iOS mobile application cannot be given a comprehensive security check before launch, and developers cannot make targeted changes to its functions in advance, which leads to various problems in later use and seriously harms the user experience.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a security detection method, apparatus and system for iOS applications that overcome the above problems or at least partially solve them.
According to one aspect of the present invention, a security detection method for an iOS application is provided, comprising:
obtaining the application symbol table corresponding to the target application, matching the obtained type keywords corresponding to preset detection types against the application symbol table, and determining a first evaluation result corresponding to the target application according to the number and/or character weight of the successfully matched target keywords;
sending a dynamic test instruction corresponding to a preset function to the target application, and determining a second evaluation result corresponding to the target application according to the test response result that the target application returns for the dynamic test instruction and at least two preconfigured expected response results corresponding to the dynamic test instruction;
judging whether the target application is secure according to the first evaluation result and the second evaluation result.
According to one aspect of the present invention, a security detection apparatus for an iOS application is provided, comprising:
a first evaluation result determining module, which obtains the application symbol table corresponding to the target application, matches the obtained type keywords corresponding to preset detection types against the application symbol table, and determines a first evaluation result corresponding to the target application according to the number and/or character weight of the successfully matched target keywords;
a second evaluation result determining module, which sends a dynamic test instruction corresponding to a preset function to the target application, and determines a second evaluation result corresponding to the target application according to the test response result that the target application returns for the dynamic test instruction and at least two preconfigured expected response results corresponding to the dynamic test instruction;
a target application security judgment module, which judges whether the target application is secure according to the first evaluation result and the second evaluation result.
According to another aspect of the present invention, a security detection system for an iOS application is provided, comprising the above security detection apparatus.
According to a further aspect of the present invention, an electronic device is provided, comprising a processor, a memory, a communication interface and a communication bus, where the processor, the memory and the communication interface communicate with one another over the communication bus;
the memory is used to store at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the above fault locating method based on multi-level network nodes.
According to a further aspect of the present invention, a computer storage medium is provided. At least one executable instruction is stored in the storage medium, and the executable instruction causes a processor to perform the operations corresponding to the above fault locating method based on multi-level network nodes.
In the security detection method, apparatus and system for iOS applications provided by the present invention, the application symbol table corresponding to the target application is obtained, the obtained type keywords corresponding to preset detection types are matched against the application symbol table, and a first evaluation result corresponding to the target application is determined according to the number and/or character weight of the successfully matched target keywords; a dynamic test instruction corresponding to a preset function is sent to the target application, and a second evaluation result corresponding to the target application is determined according to the test response result that the target application returns for the dynamic test instruction and at least two preconfigured expected response results corresponding to the dynamic test instruction; whether the target application is secure is judged according to the first evaluation result and the second evaluation result, which improves the accuracy of the evaluation result.
The above is only an overview of the technical solution of the present invention. So that the technical means of the present invention can be understood more clearly and implemented according to the contents of the specification, and so that the above and other objects, features and advantages of the present invention are easier to understand, specific embodiments of the present invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, the same reference numbers refer to the same parts. In the drawings:
Fig. 1 shows a flow chart of a security detection method for an iOS application according to Embodiment one;
Fig. 2 shows a flow chart of a security detection method for an iOS application according to Embodiment two;
Fig. 3 shows a structure diagram of a security detection apparatus for an iOS application according to Embodiment three;
Fig. 4 shows a structural schematic diagram of an electronic device according to an embodiment of the present invention.
Detailed description
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present invention can be understood more thoroughly and so that the scope of the disclosure can be fully conveyed to those skilled in the art.
Embodiment one
Fig. 1 shows a flow chart of a security detection method for a target application according to Embodiment one. As shown in Fig. 1, the method includes the following steps:
Step S110: obtain the application symbol table corresponding to the target application, match the obtained type keywords corresponding to preset detection types against the application symbol table, and determine a first evaluation result corresponding to the target application according to the number and/or character weight of the successfully matched target keywords.
The method can be executed by various entities: for example, a security software client installed on the mobile terminal where the target application resides, or a security test terminal or security test server that can communicate with that mobile terminal. The target application is the application to be detected, and it is an iOS application.
Specifically, in this step, the application program file of the target application is obtained and decompiled to obtain decompiled code, and the various types of application symbol table are extracted from the decompiled code. The application symbol table specifically includes a static symbol table, a dynamic symbol table, and/or a string table.
The preset keyword data table in the background database is obtained and traversed to obtain each detection type stored in it and the type keywords corresponding to each detection type, and the obtained type keywords are matched against the application symbol table. The preset keyword data table specifically includes the mapping between detection types and type keywords, and the priority among detection types. For example, when the detection type is the anti-leak type, the corresponding type keywords are NSLog, print, printf and write. The type keywords NSLog, print, printf and write corresponding to the anti-leak type are read from the keyword data table and matched against the application symbol table.
If a type keyword appears in the application symbol table, it is extracted as a target keyword and stored in a type set in the background database. A corresponding type set is set up for each detection type, and each extracted target keyword is stored in the type set corresponding to its detection type. In a specific implementation, the type set can take various forms, such as a list, a file, a data packet or a type set package. For example, the type keywords NSLog, print, printf and write corresponding to the anti-leak detection type are obtained and matched against the application symbol table; if the type keywords NSLog and print are found in the application symbol table, NSLog and print are stored in the type set corresponding to the anti-leak detection type in the background database. When no type keyword appears in the application symbol table, the type set is empty and the number of type keywords in the type set is 0.
According to the number of target keywords contained in a type set and/or the character weight of the target keywords, the type evaluation score corresponding to that type set is determined; according to the type evaluation score of each type set and the type weight of each type set, the first evaluation result score of the target application is determined.
The first evaluation result of the target application is divided into 3 grades. When the first evaluation result score of the target application is in the range 0~3 (excluding 3), the first evaluation result of the target application is low; when the score is in the range 3~7 (excluding 7), the first evaluation result of the target application is medium; when the score is in the range 7~1, the first evaluation result of the target application is high.
Step S120: send a dynamic test instruction corresponding to a preset function to the target application, and determine a second evaluation result corresponding to the target application according to the test response result that the target application returns for the dynamic test instruction and at least two preconfigured expected response results corresponding to the dynamic test instruction.
The dynamic test instruction is configured for a preset function of the target application, so as to test that preset function. The concrete type and implementation of the dynamic test instruction can be set flexibly according to the type of the preset function. For example, the dynamic test instruction can be any of several kinds of instruction, such as an anti-reversing test instruction. Correspondingly, the preset anti-reversing test instruction table is obtained from the background database, and the anti-reversing test instructions stored in the table are sent to the target application according to the anti-reversing functions stored in the table, the type of each anti-reversing test instruction corresponding to each anti-reversing function, and/or the priority among the anti-reversing test instructions.
The test response result corresponding to each anti-reversing test instruction is obtained and stored in a test response set in the background database. The test response result specifically includes the test response that the device where the target application resides makes to the operation corresponding to each anti-reversing test instruction. The test response set can take various forms, such as a list, a file, a data packet or a test response set package. For example, in a specific implementation, the anti-debug operation corresponding to the anti-debug anti-reversing test instruction is executed: the command "debugserver *:12349 -a <application process number>" is run on the terminal command line of the device where the target application resides, and that device makes a test response to the anti-debug operation.
The expected response results corresponding to the anti-reversing test instructions are stored in the background database in advance, and the at least two preconfigured expected response results corresponding to an anti-reversing test instruction are queried. Corresponding expected response results are set for each anti-reversing test. For example, in a specific implementation, when the preset anti-reversing function is the anti-debug function, the at least two preconfigured expected response results corresponding to the anti-reversing test instruction include: an anti-debug class expected response result, indicating that the target application has an anti-debug function, and a non-anti-debug class expected response result, indicating that the target application does not have an anti-debug function.
The test response result is matched against the at least two expected response results, and the second evaluation result corresponding to the target application is determined according to the matching result. For example, in a specific implementation, the test response result is matched against the anti-debug class expected response result, indicating that the target application has an anti-debug function, and the non-anti-debug class expected response result, indicating that the target application does not have an anti-debug function. If the anti-debug anti-reversing test response result is the expected response result indicating that the target application has an anti-debug function, the target application has the anti-debug anti-reversing function, and the second evaluation result of the target application is high; if the anti-debug anti-reversing test response result is the expected response result indicating that the target application does not have an anti-debug function, the second evaluation result of the target application is low.
Step S130: judge the security level of the target application according to the first evaluation result and the second evaluation result.
The first evaluation result reflects the static security of the application from the perspective of static testing, and the second evaluation result reflects the dynamic security of the application from the perspective of dynamic testing. The specific meaning of the first and second evaluation results and the way they are obtained can be configured flexibly by those skilled in the art. Judging whether the target application is secure from the combination of the first and second evaluation results assesses the security of the application more fully and gives a more accurate result. For example, when the first evaluation result and the second evaluation result are both high, the security level of the target application is high; when one of the first evaluation result and the second evaluation result is low, the security level of the target application is low; in the remaining cases, the security level of the target application is medium.
It can be seen that, by using the first evaluation result from static testing together with the second evaluation result from dynamic testing, this embodiment can evaluate the security of an application comprehensively, avoids the drawbacks of a single-dimension evaluation method, and makes the evaluation result more accurate.
Embodiment two
Fig. 2 shows a flow chart of a security detection method for an iOS application according to Embodiment two. This embodiment performs comprehensive security detection of the target application along two dimensions, static testing and dynamic testing. The detection tools currently on the market for iOS applications do not cover all detection types: they do not fully consider security testing of the target application's anti-reversing functions, its degree of data protection, or the security of its running environment, and they test only from the perspective of static code, so the test results obtained are inaccurate. It is therefore necessary to perform security testing of anti-debug, anti-hook, anti-injection, data security protection and running environment security from both the static and the dynamic dimension.
As shown in Fig. 2, the method includes the following steps:
Step S210: obtain the application symbol table corresponding to the target application, so that the obtained type keywords corresponding to preset detection types can be matched against the application symbol table.
Specifically, in this step, the application program file of the target application is obtained and decompiled to obtain decompiled code, and the various types of application symbol table are extracted from the decompiled code. The application symbol table specifically includes a static symbol table, a dynamic symbol table, and/or a string table. The preset keyword data table in the background database is obtained and traversed to obtain each detection type stored in it and the type keywords corresponding to each detection type, and the obtained type keywords are matched against the application symbol table. The preset keyword data table specifically includes the mapping between detection types and type keywords, and the priority among detection types.
In this embodiment, the description takes as an example the case where the preset detection type is at least one of the following ten types:
(1) The first detection type is the anti-leak type:
Specifically, the anti-leak type is used to detect whether the target application has a function for preventing log leakage. In the course of implementing the present invention, the inventors found that the keywords NSLog, print, printf and write are targeted for detecting whether the target application has a function for preventing log leakage. The keywords NSLog, print, printf and write all carry the meaning of printing a log. The more often they appear, the higher the risk of log leakage in the target application and the weaker its function for preventing log leakage. Therefore the keywords NSLog, print, printf and write are preset as the type keywords corresponding to the anti-leak type.
(2) The second detection type is the sensitive word type:
Specifically, the sensitive word type is used to detect the target application's function for preventing key information leakage. In the course of implementing the present invention, the inventors found that the keywords encrypt, decrypt, login, password, title and name are targeted for detecting whether the target application has a function for preventing key information leakage. The meanings of these keywords are, respectively, encryption, decryption, login, password, title and name. The more often they appear, the higher the risk of key information leakage in the target application and the weaker its function for preventing key information leakage. Therefore the keywords encrypt, decrypt, login, password, title and name are preset as the type keywords corresponding to the sensitive word type.
(3) The third detection type is the code obfuscation type:
Specifically, the code obfuscation type is used to detect whether the application program file of the target application shows code obfuscation. In the course of implementing the present invention, the inventors found that the keywords didFinishLaunchingWithOptions and viewDidLoad are targeted for detecting whether the application program file of the target application shows code obfuscation. The more often the keywords didFinishLaunchingWithOptions and viewDidLoad appear, the more likely it is that the application program file of the target application shows code obfuscation. Therefore the keywords didFinishLaunchingWithOptions and viewDidLoad are preset as the type keywords corresponding to the code obfuscation type.
(4) The fourth detection type is the jailbreak detection type:
Specifically, the jailbreak detection type is used to detect whether the device where the target application resides has been jailbroken. In the course of implementing the present invention, the inventors found that the keywords Applications/Cydia.app, /etc/ssh/sshd_config, /usr/libexec/ssh-keysign, /usr/sbin/sshd, /bin/sh, /bin/bash, /etc/apt, /Applications/Cydia.app and /Library/MobileSubstrate/MobileSubstrate.dylib are targeted for detecting whether the device where the target application resides has been jailbroken. The more often these keywords appear, the more likely it is that the device where the target application resides has been jailbroken. Therefore these keywords are preset as the type keywords corresponding to the jailbreak detection type.
(5) The fifth detection type is the proxy detection type:
Specifically, the proxy detection type is used to detect whether a network proxy is present while the target application is running. In the course of implementing the present invention, the inventors found that the keyword kCFProxyTypeNone is targeted for detecting whether a network proxy is present while the target application is running. The appearance of the keyword kCFProxyTypeNone indicates that a network proxy is more likely to be present while the target application is running. Therefore the keyword kCFProxyTypeNone is preset as the type keyword corresponding to the proxy detection type.
(6) The sixth detection type is the packaging protection type:
Specifically, the packaging protection type is used to detect whether the application program file of the target application has been repackaged. In the course of implementing the present invention, the inventors found that the keywords CFBundleIdentifier, com.apple.developer.team-identifier and application-identifier are targeted for detecting whether the application program file of the target application has been repackaged. The more often these keywords appear, the more likely it is that the target application has been repackaged. Therefore the keywords CFBundleIdentifier, com.apple.developer.team-identifier and application-identifier are preset as the type keywords corresponding to the packaging protection type.
(7) The seventh detection type is the string protection type:
Specifically, the string protection type is used to detect whether the target application shows string obfuscation. In the course of implementing the present invention, the inventors found that the keywords encrypt, decrypt, login, password, title and name are targeted for detecting whether the target application shows string obfuscation. The meanings of these keywords are, respectively, encryption, decryption, login, password, title and name. The more often they appear, the more likely it is that strings have been modified and the more likely it is that string obfuscation is present. Therefore the keywords encrypt, decrypt, login, password, title and name are preset as the type keywords corresponding to the string protection type.
(8) The eighth detection type is the URL matching type:
Specifically, the URL matching type is used to detect the network address protection level of the device where the target application resides. In the course of implementing the present invention, the inventors found that the keywords http and https are targeted for detecting the network address protection level of the device where the target application resides. The more often the keywords http and https appear, the lower the network address protection level of the device where the target application resides. Therefore the keywords http and https are preset as the type keywords corresponding to the URL matching type.
(9) The ninth detection type is the anti-debug type:
Specifically, the anti-debug type is used to detect whether the target application has an anti-debug function. In the course of implementing the present invention, the inventors found that the keyword ptrace is targeted for detecting whether the target application has an anti-debug function. The appearance of the keyword ptrace indicates that the anti-debug function of the target application is weaker. Therefore the keyword ptrace is preset as the type keyword corresponding to the anti-debug type.
(10) The tenth detection type is the anti-hook type:
Specifically, the anti-hook type is used to detect whether the target application has an anti-hook function. In the course of implementing the present invention, the inventors found that the keywords libcycript.dylib, libReveal.dylib and SnoopiTweak.dylib are targeted for detecting whether the target application has an anti-hook function. The more often the keywords libcycript.dylib, libReveal.dylib and SnoopiTweak.dylib appear, the weaker the anti-hook function of the target application. Therefore the keywords libcycript.dylib, libReveal.dylib and SnoopiTweak.dylib are preset as the type keywords corresponding to the anti-hook type.
Step S220: match the acquired type keywords against the application symbol table.
Specifically, in this step, according to the priority among the detection types, each detection type stored in the preset keyword data table and the type keywords corresponding to each detection type are queried by traversal, and the acquired type keywords are matched against the application symbol table.
There are 10 detection types, and a priority among them is set in advance. According to this preset priority, the 10 detection types are ordered from high to low as the anti-leak type, sensitive word type, code obfuscation type, jailbreak detection type, proxy detection type, packing protection type, string protection type, URL matching type, anti-debugging type, and/or anti-hook type. For example, in a specific implementation, according to the priority among the detection types, the anti-leak detection type stored in the preset keyword data table and its corresponding type keywords NSLog, print, printf and write are queried by traversal, and the acquired type keywords NSLog, print, printf and write are matched against the application symbol table.
Further, to compare type keywords with the application symbol table accurately and to speed up the comparison, for each type keyword to be matched, the type detection region that matches the detection type of that keyword is determined, the target region corresponding to the type detection region is extracted from the application symbol table, and the acquired type keyword is matched against the target region. For example, when the detection type is the sensitive word detection type, for the acquired type keywords encrypt, decrypt, login, password, title and name, the type detection region that matches the detection type of these keywords is determined. Specifically, the type detection region corresponding to the sensitive word detection type includes a type detection region containing class names and/or a type detection region containing method names. According to the determined type detection region containing class names and/or type detection region containing method names, the target region corresponding to the type detection region is extracted from the application symbol table, and the acquired type keywords are matched against the target region.
Step S230: extract the successfully matched type keywords as target keywords.
Specifically, in this step, the acquired type keywords are matched against the application symbol table; if a type keyword appears in the application symbol table, it is extracted as a target keyword and stored in a type set in the background database. A corresponding type set is provided for each detection type, and each extracted target keyword is stored in the type set corresponding to its detection type. In a specific implementation, a type set can be realized in various ways, such as a list, a file, a data packet or a type set package. For example, in a specific implementation, the type keywords NSLog, print, printf and write corresponding to the anti-leak detection type are acquired and matched against the application symbol table; if the type keywords NSLog and print are found in the application symbol table, NSLog and print are stored in the type set corresponding to the anti-leak detection type in the background database. When no type keyword appears in the application symbol table, the type set is empty and the number of type keywords in the type set is 0.
Further, to ensure that important detection types are checked first, the detection processes for the different types can be executed one after another in the priority order of the types. For example, according to the priority of the detection types, the detection type that follows the anti-leak detection type in the preset keyword data table is the sensitive word detection type. The type keywords of the sensitive word detection type are acquired from the preset keyword data table and matched against the application symbol table, the successfully matched type keywords are extracted as target keywords, and the target keywords are stored in the background type set corresponding to the sensitive word detection type. The same operations are then performed in turn for the code obfuscation type, jailbreak detection type, proxy detection type, packing protection type, string protection type, URL matching type, anti-debugging type and anti-hook type.
In addition, to improve detection efficiency, in other embodiments of the present invention the detection processes of the various types can also be executed simultaneously by multiple parallel threads; the present invention places no limitation on the specific execution order of the detection processes of the multiple types.
Step S240: determine the first evaluation result corresponding to the target application according to the number and/or character weight of the successfully matched target keywords.
Specifically, in this step, the type evaluation score corresponding to a type set is determined according to the number of target keywords contained in the type set and/or the character weight of the target keywords; the first evaluation result score of the target application is then determined according to the type evaluation score of each type set and the type weight of each type set. In a specific implementation, the type evaluation score corresponding to a type set is first determined according to the number of target keywords contained in the type set and/or the character weight of the target keywords. For example, in a specific implementation, the full type evaluation score of each of the 10 detection types is 10 points. Each time any keyword corresponding to a detection type is detected, 1 point is deducted from the type evaluation score, and the upper limit of the deduction is 10 points. Taking the anti-leak type as an example, its type keywords are NSLog, print, printf and write, and the target keywords contained in the type set corresponding to the anti-leak type are NSLog and print, each of which appears once. Here, a target keyword is a keyword that successfully matched a type keyword. The type evaluation score corresponding to the type set is calculated according to the number of target keywords. Since 1 point is deducted from the type evaluation score for each detected keyword of a detection type, the type evaluation score of the anti-leak type is 8 points.
Then, after the type evaluation score corresponding to each type set has been determined, the security evaluation score of the target application is determined according to the type evaluation score of each type set and the type weight of each type set. For example, according to the importance of the detection types, the type weights of the 10 type sets for the anti-leak type, sensitive word type, code obfuscation type, jailbreak detection type, proxy detection type, packing protection type, string protection type, URL matching type, anti-debugging type and anti-hook type are assigned as 0.1, 0.1, 0.1, 0.15, 0.05, 0.1, 0.1, 0.15, 0.05 and 0.1. The type evaluation scores of the 10 type sets for the anti-leak type, sensitive word type, code obfuscation type, jailbreak detection type, proxy detection type, packing protection type, string protection type, URL matching type, anti-debugging type and anti-hook type are 4, 5, 3, 6, 7, 4, 5, 3, 6 and 7 respectively. The security evaluation score of the target application is calculated from the type evaluation scores and the type weights: 0.1*4+0.1*5+0.1*3+0.15*6+0.05*7+0.1*4+0.1*5+0.15*3+0.05*6+0.1*7=4.8.
The full first evaluation result score of the target application is 10 points; the higher the first evaluation result score, the better the first evaluation result of the target application. The first evaluation result of the target application is divided into 3 grades: when the first evaluation result score is between 0 and 3 (excluding 3 points), the first evaluation result is low; when the score is between 3 and 7 (excluding 7 points), the first evaluation result is medium; when the score is between 7 and 10, the first evaluation result is high.
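The matching and scoring of steps S220 to S240 can be traced in code. The following Python is an added example, not code from the patent: it matches the type keywords restated in this section against a constructed symbol list and reproduces the 8-point and 4.8 figures above. The token-based matching rule, the reading of "1 point per distinct matched keyword" and all function names are assumptions.

```python
import re

# Type keywords restated in this section, in priority order (high to low).
# The keyword lists of the other five detection types are not restated in
# this section and are therefore left out.
KEYWORDS = {
    "anti-leak": ["NSLog", "print", "printf", "write"],
    "string protection": ["encrypt", "decrypt", "login", "password", "title", "name"],
    "URL matching": ["http", "https"],
    "anti-debugging": ["ptrace"],
    "anti-hook": ["libcycript.dylib", "libReveal.dylib", "SnoopiTweak.dylib"],
}

# Type weights from the worked example, in priority order.
WEIGHTS = {
    "anti-leak": 0.1, "sensitive word": 0.1, "code obfuscation": 0.1,
    "jailbreak detection": 0.15, "proxy detection": 0.05,
    "packing protection": 0.1, "string protection": 0.1,
    "URL matching": 0.15, "anti-debugging": 0.05, "anti-hook": 0.1,
}

# Type evaluation scores used in the worked example (same order as WEIGHTS).
PAGE_EXAMPLE_SCORES = dict(zip(WEIGHTS, [4, 5, 3, 6, 7, 4, 5, 3, 6, 7]))

# Constructed symbol-table entries, for illustration only.
SAMPLE_SYMBOLS = [
    "_NSLog",
    "-[ReportView print:]",
    "_ptrace",
    "_objc_msgSend",
    "-[Session login]",
    "-[Session password]",
]


def tokens(symbols):
    """Split symbol names into identifier tokens (letters, digits, dots).

    Assumption: a keyword matches only a whole token, so that 'print'
    does not also match a '_printf' symbol.
    """
    found = set()
    for symbol in symbols:
        found.update(re.findall(r"[A-Za-z0-9.]+", symbol))
    return found


def match_types(symbols, keywords=KEYWORDS):
    """S220/S230: build one type set of target keywords per detection type."""
    present = tokens(symbols)
    return {dtype: [k for k in kws if k in present]
            for dtype, kws in keywords.items()}


def type_score(target_keywords):
    """S240: start at 10, deduct 1 per target keyword, deduction capped at 10."""
    return 10 - min(len(target_keywords), 10)


def first_evaluation(type_scores, weights=WEIGHTS):
    """S240: weighted sum of the type evaluation scores over all 10 types."""
    missing = [t for t in weights if t not in type_scores]
    if missing:
        raise ValueError(f"no type evaluation score for: {missing}")
    return sum(weights[t] * type_scores[t] for t in weights)


def grade(score):
    """Map a first evaluation result score (0..10) to low / medium / high."""
    if not 0 <= score <= 10:
        raise ValueError("score must lie between 0 and 10")
    if score < 3:
        return "low"
    if score < 7:
        return "medium"
    return "high"


if __name__ == "__main__":
    for dtype, matched in match_types(SAMPLE_SYMBOLS).items():
        print(f"{dtype}: matched={matched} score={type_score(matched)}")
    total = first_evaluation(PAGE_EXAMPLE_SCORES)
    print(f"worked example: {total:.1f} -> {grade(total)}")
```
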
Step S250: send a dynamic test instruction corresponding to a preset function to the target application.
In this embodiment the preset function includes an anti-reversing function and the dynamic test instruction includes an anti-reversing test instruction; accordingly, an anti-reversing test instruction corresponding to the preset anti-reversing function is sent to the target application. In a specific implementation, the preset anti-reversing test instruction table is obtained from the background database, and each anti-reversing test instruction stored in the table is sent to the target application according to the anti-reversing functions stored in the table, the types of the anti-reversing test instructions corresponding to each anti-reversing function, and/or the priority among the anti-reversing test instructions. The anti-reversing functions specifically include an anti-debugging function, an anti-hook function and an anti-injection function. The anti-reversing test instruction table specifically includes the mapping between anti-reversing functions and anti-reversing test instructions, the priority among the anti-reversing functions, and the priority among the anti-reversing test instructions. For example, in a specific implementation, the anti-reversing functions stored in the anti-reversing test instruction table, sorted by priority from high to low, are the anti-debugging function, the anti-hook function and the anti-injection function. According to the priority of the anti-reversing functions, the anti-debugging function and its corresponding anti-debugging test instruction are obtained, and the anti-debugging test instruction is sent to the target application. Setting a priority for the anti-reversing functions stored in the anti-reversing test instruction table is optional; in a specific implementation, the anti-reversing functions stored in the table may have no priority, that is, the functions are equal in rank and, accordingly, the anti-debugging function, the anti-hook function and the anti-injection function are tested in parallel at the same time.
Further, to ensure that the anti-reversing test instructions corresponding to important anti-reversing functions are sent first, the sending of the anti-reversing test instructions for the different types of anti-reversing functions can be executed one after another in the priority order of the types. For example, in a specific implementation, after the anti-debugging test instruction corresponding to the anti-debugging function has been sent to the target application, the anti-hook function and its corresponding anti-hook test instruction are obtained according to the preset priority of the anti-reversing functions, and the anti-hook test instruction is sent to the target application.
In addition, to improve detection efficiency, in other embodiments of the present invention the detection processes of the anti-reversing functions can also be executed simultaneously by multiple parallel threads; the present invention places no limitation on the specific execution order of the detection processes of the anti-reversing functions.
Further, to communicate with the target application, a second terminal device that is wirelessly connected to the first terminal device on which the target application is installed sends the anti-reversing test instruction corresponding to the preset anti-reversing function to the target application; the first terminal device and the second terminal device are on the same wireless network. In a specific implementation, the Mac computer device and the iPhone device are connected to the same wireless network so that they are in the same network segment; the Mac computer device logs in to the iPhone device automatically using ssh, which establishes the wireless connection from the Mac computer device to the iPhone device; and the Mac computer device sends the anti-reversing test instruction corresponding to the preset anti-reversing function to the target application on the iPhone device.
Step S260: determine the second evaluation result corresponding to the target application according to the test response result returned by the target application for the dynamic test instruction and at least two preconfigured expected response results corresponding to the dynamic test instruction.
Specifically, this step includes at least one of the following three implementations:
Mode one: in the first implementation of this step, the second evaluation result corresponding to the target application is determined directly from the test response result returned by the target application for the dynamic test instruction and the at least two preconfigured expected response results corresponding to the dynamic test instruction.
This implementation performs security detection on the target application from the perspective of its anti-reversing capability. At present, debugging of application source code, interception of an application's running process and injection of dynamic libraries are serious problems. Performing anti-reversing function detection on an application makes it possible to assess the strength of its anti-reversing functions and to discover defects in them early.
Specifically, the test response result corresponding to each anti-reversing test instruction is obtained and stored in the test response set in the background database. A test response result is the test response that the device on which the target application resides makes to the operation corresponding to an anti-reversing test instruction. The test response set can be realized in various ways, such as a list, a file, a data packet or a test response set. For example, in a specific implementation, the target application receives the anti-debugging test instruction, the anti-hook test instruction and the anti-injection test instruction. According to the priority of these three instructions, the anti-debugging operation corresponding to the anti-debugging test instruction is executed first: the command "debugserver *:12349 -a <application process ID>" is run on the terminal command line of the device on which the target application resides, and that device makes a test response to the anti-debugging operation. Next, according to the priority of the anti-reversing test instructions, the anti-hook operation corresponding to the anti-hook test instruction is executed: the command "cycript -p <application process ID>" is run on the terminal command line of the device on which the target application resides, and that device makes a test response to the anti-hook operation. Finally, according to the priority of the anti-reversing test instructions, the anti-injection operation corresponding to the anti-injection test instruction is executed: the command "optool install -c load -p "<application dynamic library>" -t "<application binary file>"" is run in the terminal of the device on which the target application resides, and that device makes a test response to the anti-injection operation.
The expected response results set for each anti-reversing test are stored in the background database in advance, and the at least two preconfigured expected response results corresponding to an anti-reversing test instruction are queried from it. When the preset anti-reversing function is the anti-debugging function, the at least two preconfigured expected response results corresponding to the anti-reversing test instruction include an anti-debugging expected response result, which indicates that the target application has the anti-debugging function, and a non-anti-debugging expected response result, which indicates that the target application does not have the anti-debugging function. The anti-debugging expected response result contains a preset anti-debugging target field. For example, the preset anti-debugging target field is Segmentation fault: 11. In a specific implementation, the anti-debugging operation corresponding to the anti-debugging test instruction is executed by running the command "debugserver *:12349 -a <application process ID>" on the terminal command line of the device on which the target application resides. If Segmentation fault: 11 appears in the returned information, the target application has the anti-debugging anti-reversing function; if Segmentation fault: 11 does not appear in the returned information, the target application does not have the anti-debugging anti-reversing function.
When the preset anti-reversing function is the anti-hook function, the at least two preconfigured expected response results corresponding to the anti-reversing test instruction include an anti-hook expected response result, which indicates that the target application has the anti-hook function, and a non-anti-hook expected response result, which indicates that the target application does not have the anti-hook function. The anti-hook expected response result contains a preset anti-hook target field. For example, the preset target field is error. In a specific implementation, the anti-hook operation corresponding to the anti-hook test instruction is executed by running the command "cycript -p <application process ID>" on the terminal command line of the device on which the target application resides. If error appears in the returned information, the target application has the anti-hook anti-reversing function; if error does not appear in the returned information, the target application does not have the anti-hook anti-reversing function.
When the preset anti-reversing function is the anti-injection function, the at least two preconfigured expected response results corresponding to the anti-reversing test instruction include an anti-injection expected response result, which indicates that the target application has the anti-injection function, and a non-anti-injection expected response result, which indicates that the target application does not have the anti-injection function. The anti-injection expected response result is a crash-type response result. For example, in a specific implementation, the command "optool install -c load -p "<application dynamic library>" -t "<application binary file>"" is run, and the target application is then compressed and installed. If a crash-type response result appears, the target application has the anti-injection anti-reversing function; if no crash-type response result appears, the target application does not have the anti-injection anti-reversing function.
The test response result is matched against the at least two expected response results. For example, in a specific implementation, the expected response results for the anti-debugging function test are the anti-debugging expected response result, which indicates that the target application has the anti-debugging function, and the non-anti-debugging expected response result, which indicates that the target application does not have the anti-debugging function. The test response result is matched against both of these. If the anti-debugging test response result is the anti-debugging expected response result, the target application has the anti-debugging anti-reversing function; if the anti-debugging test response result is the non-anti-debugging expected response result, the target application does not have the anti-debugging anti-reversing function.
The strength of the target application's anti-reversing functions is judged from the match results of the test responses for the three anti-reversing functions. An anti-reversing function score is set, and whether the target application has an anti-reversing function is determined from that score. A separate anti-reversing function score is set for each anti-reversing function. In a specific implementation, if the target application has the anti-debugging function, the anti-debugging function score is 1; if it does not, the anti-debugging function score is 0. If the target application has the anti-hook function, the anti-hook function score is 1; if it does not, the anti-hook function score is 0. If the target application has the anti-injection function, the anti-injection function score is 1; if it does not, the anti-injection function score is 0. The second evaluation result score of the target application is the sum of the anti-debugging function score, the anti-hook function score and the anti-injection function score.
The second evaluation result is graded according to the second evaluation result score. If the score is 0, the anti-reversing security level of the target application is low and the second evaluation result is low; if the score is 1, the anti-reversing security level is medium-low and the second evaluation result is medium-low; if the score is 2, the anti-reversing security level is medium-high and the second evaluation result is medium-high; if the score is 3, the anti-reversing security level is high and the second evaluation result is high.
In addition, to improve detection efficiency, in other embodiments of the present invention the detection processes of the anti-reversing functions can also be executed simultaneously by multiple parallel threads; the present invention places no limitation on the specific execution order of the detection processes of the anti-reversing functions.
Further, to improve the efficiency of anti-reversing function detection, the anti-reversing test instruction corresponding to one anti-reversing function is split by key field into multiple anti-reversing test instructions. One anti-reversing function thus corresponds to multiple anti-reversing test instructions, and a priority is preset among them. For example, the anti-reversing test instruction corresponding to the anti-debugging function is split by key field into anti-debugging test instruction 1, anti-debugging test instruction 2 and anti-debugging test instruction 3. According to the preset priority, from high to low, the anti-debugging test instructions are ordered as anti-debugging test instruction 1, anti-debugging test instruction 2 and anti-debugging test instruction 3. In a specific implementation, the device on which the target application resides executes the commands corresponding to anti-debugging test instruction 1, anti-debugging test instruction 2 and anti-debugging test instruction 3 in turn.
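The mode-one decision logic (match each test response against its expected response, score 0 or 1 per function, sum, grade) is shown below in Python as an added example that is not part of the patent. The target fields are the ones given above; the literal "CRASH" for the anti-injection outcome, the whitespace-insensitive comparison, the function names and the sample responses are assumptions or constructed values.

```python
import re

# Target fields from the description. For anti-injection the description
# gives an outcome (the re-installed application crashes) rather than a text
# field; "CRASH" is a hypothetical marker that a test harness would record.
TARGET_FIELDS = {
    "anti-debugging": "Segmentation fault: 11",
    "anti-hook": "error",
    "anti-injection": "CRASH",
}

GRADES = {0: "low", 1: "medium-low", 2: "medium-high", 3: "high"}


def _squash(text):
    """Drop all whitespace so 'fault:11' and 'fault: 11' compare equal."""
    return re.sub(r"\s+", "", text)


def has_function(function, response):
    """True if the response matches the expected 'has the function' result."""
    return _squash(TARGET_FIELDS[function]) in _squash(response)


def second_evaluation(responses):
    """Return (per-function scores, total score, grade) for mode one."""
    missing = [f for f in TARGET_FIELDS if f not in responses]
    if missing:
        # A missing response is a harness failure, not evidence of weakness.
        raise ValueError(f"no test response recorded for: {missing}")
    scores = {f: int(has_function(f, responses[f])) for f in TARGET_FIELDS}
    total = sum(scores.values())
    return scores, total, GRADES[total]


# Constructed test responses, for illustration only.
SAMPLE_RESPONSES = {
    "anti-debugging": "attaching to process\nSegmentation fault:11\n",
    "anti-hook": "cy# ",
    "anti-injection": "CRASH",
}

if __name__ == "__main__":
    print(second_evaluation(SAMPLE_RESPONSES))
```
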
Through the above steps, the program start page of the target application in the application runtime environment is obtained and compared with the preset environment start page to judge whether the target application starts normally in the application runtime environment, thereby implementing security detection for the target application's runtime environment. For ease of understanding, a specific example is used below to describe the specific implementation of the above method in detail:
Step 1: The Mac computer device integrates the ideviceinstaller (device installation) tool so that it connects remotely to the iPhone device and can manage the iPhone device.
Specifically, the Mac computer device integrates the ideviceinstaller tool to connect remotely to the iPhone device and to manage and operate the iOS applications on it. The command "ideviceinstaller -i xxx.ipa" is entered and run in the terminal of the Mac computer device, where "xxx.ipa" is the file name of the target application's IPA (Apple application file).
Step 2: The remotely connected iPhone device integrates the frida environment so that applications on the iPhone can be invoked.
Specifically, the command "python xxx.py bundleId" is entered and run in the terminal of the Mac computer device, where "xxx" is the name of the target application. The remotely connected iPhone device then starts it automatically.
Step 3: The home page shown after the application starts is compared with the home page shown when the application opens normally. If the home pages are identical, the application starts normally in this runtime environment; if the application crashes or cannot load, the application starts abnormally in this runtime environment.
Step 4: The installed application is uninstalled using the ideviceinstaller tool.
Specifically, the command "ideviceinstaller -U bundleId" is entered and run in the terminal of the Mac computer device, where "xxx" is the name of the target application. The remotely connected iPhone device then uninstalls it automatically.
In summary, with this approach the target application on the iPhone device can be installed, started and uninstalled automatically, without manual installation, starting or uninstallation. This departs from traditional security detection, achieves automated security detection, makes it possible to carry out security detection in various runtime environments more quickly, significantly improves security detection efficiency, and meets the growing demand for iOS security detection.
Mode two: in the second implementation of this step, the binary file of the acquired target application is decompiled to obtain the decompiled code corresponding to the target application; the target code corresponding to a preset target region is extracted from the decompiled code; whether the target code contains content that matches a preset obfuscation symbol is judged; and the second evaluation result corresponding to the target application is determined in combination with the judgment result.
This implementation determines the second evaluation result corresponding to the target application by combining two kinds of judgment results: the anti-reversing security level of the target application and the data security level of the target application.
This implementation performs security detection on the target application from the perspective of its data security. At present, tampering with application program code and program strings is a serious problem. Performing data protection security detection on the target application makes it possible to discover defects in its data protection function early.
Specifically, the binary file of the acquired target application is decompiled using a decompilation tool. The decompilation tools specifically include a first decompilation tool and a second decompilation tool. In a specific implementation, the binary file of the acquired target application is decompiled with the first decompilation tool to obtain the first decompiled code, and/or with the second decompilation tool to obtain the second decompiled code. The first and second decompilation tools can be used together, or only one of them can be used. For example, the first decompilation tool is MachOView and the second decompilation tool is Hopper Disassembler.
A priority is set in advance for the different types of decompiled code, and the decompiled code is obtained according to that priority. For example, the first decompiled code takes precedence over the second decompiled code, where the first decompiled code is the MachOView decompiled code and the second decompiled code is the Hopper Disassembler decompiled code. In a specific implementation, the MachOView decompiled code is obtained first.
The decompiled code specifically includes the first decompiled code and the second decompiled code. The target code corresponding to the preset target region in the first decompiled code includes dynamic library information and/or header file information; the target code corresponding to the preset target region in the second decompiled code includes preset functions and/or preset characters. The first decompiled code is the MachOView decompiled code, and the second decompiled code is the Hopper Disassembler decompiled code.
In a specific implementation, dynamic library information and/or header file information is set for the first decompiled code. The first decompiled code and the dynamic library information and/or header file information are obtained from the background database, the dynamic library information and/or header file information is compared with the first decompiled code, the target code containing dynamic library information and/or header file information is extracted from the decompiled code, and that target code is stored in the background database. For example, the first decompiled code is the MachOView decompiled code. MachOView parses the structure of the target application, making the dynamic library information and header file information in the target application's binary file visible. Dynamic library information and/or header file information is set for the MachOView decompiled code; the MachOView decompiled code and the dynamic library information and/or header file information are obtained from the background database; the dynamic library information and/or header file information is compared with the MachOView decompiled code; the target code containing dynamic library information and/or header file information is extracted from the decompiled code and stored in the background database.
And/or, preset functions and/or preset characters are set for the second decompiled code. The second decompiled code and the preset functions and/or preset characters are obtained from the background database, the preset functions and/or preset characters are compared with the second decompiled code, the target code containing preset functions and/or preset characters is extracted from the decompiled code, and that target code is stored in the background database. For example, the second decompiled code is the Hopper Disassembler decompiled code. Hopper Disassembler makes visible the functions and characters in the target application's binary file and the logic code inside its methods. Preset functions and/or preset characters are set for the Hopper Disassembler decompiled code. In a specific implementation, the decompiled code corresponding to Hopper Disassembler and the preset functions and/or preset characters are obtained from the background database, the preset functions and/or preset characters are compared with the decompiled code, the target code containing preset functions and/or preset characters is extracted from the decompiled code, and that target code is stored in the background database.
The first decompiled code is matched against preset obfuscation identifiers to judge whether the target code corresponding to the preset target region in the first decompiled code contains content that matches the preset obfuscation identifiers, giving a first judgment result; the second decompiled code is matched against the preset obfuscation identifiers to judge whether the target code corresponding to the preset target region in the second decompiled code contains content that matches the preset obfuscation identifiers, giving a second judgment result. Here the first decompiled code is the MachOView decompiled code and the second decompiled code is the Hopper Disassembler decompiled code. For example, in a specific implementation, the binary file of the target application is loaded into MachOView, the ObjC CFStrings table is inspected, and the decompiled code corresponding to the ObjC CFStrings table is matched against the preset obfuscation identifiers. If the decompiled code of the ObjC CFStrings table is displayed as identifiers, the program characters of the target application are obfuscated; if it displays the target application's character strings normally, the program characters of the target application are not obfuscated. And/or, in a specific implementation, the binary file of the target application is loaded into Hopper Disassembler v4, a method function is selected at random, and the decompiled code corresponding to that method function is matched against the preset obfuscation identifiers. If garbled text appears in the decompiled code of the method function, the program code of the target application has been obfuscated; if no garbled text appears, the program code of the target application is not obfuscated.
Weights for the first judgment result and the second judgment result are preset according to their importance, and the data protection security score of the target application is calculated from the first and second judgment results and their weights. For example, in a specific implementation, if the first judgment result is that the first decompiled code contains a preset obfuscation identifier, the first judgment result is recorded as 0; if the first judgment result is that the first decompiled code does not contain a preset obfuscation identifier, it is recorded as 1. If the second judgment result is that the second decompiled code contains a preset obfuscation identifier, the second judgment result is recorded as 0; if the second judgment result is that the second decompiled code does not contain a preset obfuscation identifier, it is recorded as 1. In this example, weights are assigned to the first and second judgment results respectively: the weight of the first judgment result is 0.5 and the weight of the second judgment result is 0.5. The first judgment result is 0 and the second judgment result is 1, so the data protection security score of the target application is 0*0.5+1*0.5=0.5.
Specifically, the data protection security of the target application is divided into four levels. If the data protection security score of the target application is 0, its data protection security level is low; if the score is 1, the level is high; if the score is between 0 and 0.5 (excluding 0 and 0.5), the level is medium-low; if the score is between 0.5 and 1 (excluding 1), the level is medium-high. In this example, the data protection security score of the target application is 0.5, so its data protection security level is medium-high.
Optionally, in this step, priorities are preset for the different types of decompiled code, and the target code of the decompiled code is obtained according to the priority of the decompiled code.
Further, in order to select target code that includes logical operators and make the fullest use of the decompilation tool, each method function contained in the decompiled code is obtained, the method functions containing logical operators are extracted from them as target functions, and the code corresponding to the target functions is determined to be the target code corresponding to the preset target region.
The anti-reversing security level of the target application from mode one and the data protection security level from mode two are considered together. When the anti-reversing security level and the data protection security level are both high, the second evaluation result of the target application is high; when one of the anti-reversing security level and the data protection security level is low, the second evaluation result of the target application is low; in the remaining cases, the second evaluation result of the target application is medium.
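The mode-two calculation described above (judgment results, weighted score, four-level grade, and the combination with the mode-one level), as an added Python example that is not part of the patent. The obfuscation identifier patterns and the sample lines are constructed assumptions, since the text does not enumerate them.

```python
import math
import re
from typing import Iterable, Sequence

# Hypothetical "preset obfuscation identifiers"; the patent does not enumerate them.
PRESET_OBFUSCATION_IDENTIFIERS = (
    re.compile(r"\b[Oo0]{8,}\b"),      # look-alike names such as O0O0OO00O0
    re.compile(r"\b[0-9a-f]{32}\b"),   # 32-hex-digit names or strings
)

# Constructed samples standing in for target code exported from the two tools.
CFSTRINGS_SAMPLE = ["O0O0OO00O0", "0123456789abcdef0123456789abcdef", "OK"]
METHOD_SAMPLE = [
    "-[LoginViewController submitPressed:]",
    "    r0 = [self validateInput];",
    "    if (r0 != 0x0) { [self sendRequest]; }",
]


def judge(target_code: Iterable[str],
          identifiers=PRESET_OBFUSCATION_IDENTIFIERS) -> int:
    """Judgment result in the text's encoding: 0 if an identifier matches, 1 if none does."""
    matched = any(p.search(line) for line in target_code for p in identifiers)
    return 0 if matched else 1


def data_protection_score(results: Sequence[int], weights: Sequence[float]) -> float:
    """Weighted sum of the judgment results."""
    if len(results) != len(weights):
        raise ValueError("one weight per judgment result is required")
    if not math.isclose(sum(weights), 1.0):
        # Assumption: the grade bands span 0..1, so the weights must sum to 1.
        raise ValueError("weights must sum to 1")
    return sum(r * w for r, w in zip(results, weights))


def data_protection_grade(score: float) -> str:
    """Map the score to the four levels; 0.5 itself falls in medium-high."""
    if math.isclose(score, 0.0, abs_tol=1e-9):
        return "low"
    if math.isclose(score, 1.0):
        return "high"
    if 0.0 < score < 0.5:
        return "medium-low"
    if 0.5 <= score < 1.0:
        return "medium-high"
    raise ValueError(f"score out of range: {score}")


def second_evaluation(anti_reversing_level: str, other_level: str) -> str:
    """Combine the mode-one level with the mode-two (or mode-three) level."""
    if anti_reversing_level == "high" and other_level == "high":
        return "high"
    if "low" in (anti_reversing_level, other_level):
        return "low"
    return "medium"


def evaluate_mode_two(anti_reversing_level: str) -> tuple:
    """Run the whole mode-two chain on the constructed samples."""
    first = judge(CFSTRINGS_SAMPLE)    # first judgment result (MachOView output)
    second = judge(METHOD_SAMPLE)      # second judgment result (Hopper output)
    score = data_protection_score([first, second], [0.5, 0.5])
    level = data_protection_grade(score)
    return score, level, second_evaluation(anti_reversing_level, level)


if __name__ == "__main__":
    print(evaluate_mode_two("high"))
```

With the constructed samples the judgment results are 0 and 1, reproducing the 0.5 score of the example in the text.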
Mode three: in the third implementation of this step, when a launch instruction corresponding to the target application is detected, the application runtime environment corresponding to the target application is determined from the launch instruction; the program launch page displayed after the target application starts in the application runtime environment is obtained; the preset environment launch page associated with the application runtime environment corresponding to the target application is queried; whether the program launch page matches the environment launch page is judged, and the second evaluation result corresponding to the target application is determined in combination with the judgment result.
This implementation determines the second evaluation result corresponding to the target application by combining two kinds of judgment results: the anti-reversing security level of the target application and the security of its application runtime environment. It performs safety detection on the target application from the perspective of its runtime environment. iOS applications may run on many different iOS systems and different iPhone devices, and iOS system versions and iPhone device models are updated rapidly, so it is necessary to ensure that an iOS application runs normally in each runtime environment.
Specifically, the launch instruction sent by the target application is received. A context field in the launch instruction contains the runtime environment in which the target application is currently located. The launch instruction is parsed, the context field is extracted, and the application runtime environment corresponding to the target application is determined from the context field contained in the launch instruction. For example, target application A starts in iOS system C on iPhone device B. In a specific implementation, the launch instruction is received and parsed; the context field of the parsed launch instruction contains keywords for the iPhone device model and the iOS system category, and these keywords, together with the iPhone device model and iOS system category information recorded under them, are read directly.
Specifically, the launch instruction sent by the target application is received and parsed. The application runtime environment corresponding to the target application is determined from the instruction format of the parsed launch instruction and/or the instruction rule corresponding to the instruction. For example, the instruction format of the parsed launch instruction consists of a first part and a second part: the first part indicates the iPhone device model in the application runtime environment, and the second part indicates the iOS system version in the application runtime environment. iPhone device models are represented by different device identification codes, and iOS system versions by different version identification codes. The launch instruction is parsed to obtain the identification codes of the first and second parts, and the iPhone device model and iOS system version corresponding to the identification codes are determined according to the instruction rule. The instruction rule specifically includes the mapping between iPhone device models and model identification codes and the mapping between iOS system versions and version identification codes.
After the target application starts in its current runtime environment, the program launch page is displayed after a preset time. Specifically, in this step, the program launch page displayed after the preset time following the target application's start in the application runtime environment is obtained.
The program launch page displayed after the target application starts in the application runtime environment is obtained, the startup environment matching table is retrieved from the background database, and the environment launch page of the application runtime environment corresponding to the target application is looked up in the startup environment matching table. The startup environment matching table specifically includes the mapping among the target application, the application runtime environment and the environment launch page.
The program launch page that the target application sends after starting in the application runtime environment is obtained, and the environment launch page associated with the application runtime environment corresponding to the target application is looked up in the startup environment matching table. The program launch page and the environment launch page are compared to determine the differences between the two. If there is no difference between the program launch page and the environment launch page, that is, the two match, the target application is safe in the runtime environment; if there is a difference between them, that is, the two do not match, the target application is unsafe in the runtime environment.
Further, in order to evaluate the runtime environment security of the target application when it runs a preset function, the program function page displayed after the target application runs the preset function in the application runtime environment is obtained; the preset environment function page associated with the application runtime environment corresponding to the target application is queried; whether the program function page matches the environment function page is judged, and whether the target application is safe in the preset runtime environment is determined according to the judgment result.
The environment function page is obtained as follows: for each type of application runtime environment, the running interface shown when the target application runs the preset function in that type of application runtime environment and the run result is success is obtained, and the obtained running interface is stored, as the environment function page associated with that type of application runtime environment, in a preset function environment matching table. The function environment matching table specifically includes the mapping among the target application, the application runtime environment, the preset function and the environment function page, together with the priority of the preset function corresponding to each environment function page.
Specifically, in this step, according to the priority of the preset function corresponding to each environment function page stored in the preset environment matching table, the program function pages displayed after the target application runs each type of preset function in the application runtime environment are obtained in turn; the environment function page associated with the target application, the application runtime environment and the preset function is obtained from the function environment matching table; and the program function page is overlaid on the environment function page to find the differences between the two. If there is no difference between the program function page and the environment function page, the preset function of the target application runs safely in the runtime environment, and the runtime environment security level of the preset function is high; if there is a difference between them, the preset function of the target application runs unsafely in the runtime environment, and the runtime environment security level of the preset function is low.
The anti-reversing security level of the target application from mode one and the runtime environment security level from mode three are considered together. When the anti-reversing security level and the runtime environment security level are both high, the second evaluation result of the target application is high; when one of the anti-reversing security level and the runtime environment security level is low, the second evaluation result of the target application is low; in the remaining cases, the second evaluation result of the target application is medium.
Optionally, to ensure that important preset functions undergo runtime environment security detection first, the functions of the target application corresponding to each type of application runtime environment are determined in advance; there are multiple preset functions, with priorities among them. The priorities among the preset functions are stored in the function environment matching table. For example, in a specific implementation, the preset functions in the function environment matching table are sorted by priority from high to low as preset function 1, preset function 2, preset function 3. The target application runs preset function 1 in the application runtime environment, the program function page and the environment function page of preset function 1 are obtained, and the two pages are overlaid and compared. The same operations are then performed in turn for preset function 2 and preset function 3.
In addition, in other embodiments of the invention, to improve detection efficiency, the runtime environment security detection of the preset functions may also be executed simultaneously by multiple threads running in parallel; the invention does not limit the specific execution order of the runtime environment security detection of the preset functions.
Through the above steps, the program launch page of the target application in the application runtime environment is obtained and compared with the preset environment launch page to judge whether the target application starts normally in the application runtime environment, thereby realizing safety detection of the target application's runtime environment. For ease of understanding, the specific implementation of the above method is described in detail below using a concrete example:
Step 1: The ideviceinstaller (device installation) tool is integrated on the Mac computer so that the Mac computer can connect remotely to the iPhone and manage it.
Specifically, with the ideviceinstaller tool integrated on the Mac computer, the remote connection to the iPhone is established and the iOS applications on the iPhone can be managed and operated. The command "ideviceinstaller -i xxx.ipa" is entered and run in the terminal of the Mac computer, where "xxx.ipa" is the file name of the target application's IPA (Apple application file).
Step 2: The Frida environment is integrated with the remotely connected iPhone so that applications on the iPhone can be invoked.
Specifically, the command "python xxx.py bundleId" is entered and run in the terminal of the Mac computer, where "xxx" is the name of the target application. The remotely connected iPhone then launches it automatically.
Step 3: The home page shown when the application is opened is compared with the home page shown after the application starts normally. If the two home pages are identical, the application starts normally in this runtime environment; if the application crashes on launch or cannot load, the application starts abnormally in this runtime environment.
Step 4: The installed application is uninstalled using the ideviceinstaller tool.
Specifically, the command "ideviceinstaller -U bundleId" is entered and run in the terminal of the Mac computer, where "xxx" is the name of the target application. The remotely connected iPhone then uninstalls it automatically.
In summary, this embodiment installs, starts and uninstalls the target application on the iPhone automatically, with no manual installation, start-up or uninstallation. It departs from the traditional safety detection approach, achieves automated safety detection, performs safety detection under various runtime environments more quickly, greatly improves detection efficiency, and meets the growing demand for iOS safety detection.
In a specific implementation, the above three implementations may each be used alone or in combination. In this embodiment, to improve accuracy, the second evaluation result is determined by combining the three implementations, that is, by combining the judgment results for three aspects: the anti-reversing functional security level of the target application, the data protection security level of the target application, and the runtime environment security of the target application.
Step S270: According to the first evaluation result and the second evaluation result, the security level of the target application is judged.
The security level of the target application is judged according to the first evaluation result and the second evaluation result. Specifically, when the first evaluation result and the second evaluation result are both high, the security level of the target application is high; when one of the first evaluation result and the second evaluation result is low, the security level of the target application is low; in the remaining cases, the security level of the target application is medium. The second evaluation result in this embodiment is determined by combining the judgment results of the three implementations. The second evaluation result is determined by combining the anti-reversing security level and the data protection security level of the target application: when the anti-reversing security level and the data protection security level are both high, the second evaluation result of the target application is high; when one of them is low, the second evaluation result of the target application is low; in the remaining cases, the second evaluation result of the target application is medium. And/or, the second evaluation result is determined by combining the anti-reversing security level and the runtime environment security level of the target application: when the anti-reversing security level and the runtime environment security level are both high, the second evaluation result of the target application is high; when one of them is low, the second evaluation result of the target application is low; in the remaining cases, the second evaluation result of the target application is medium.
This embodiment combines the first evaluation result, which reflects the static test result of the target application, with the second evaluation result, which reflects the dynamic test result of the target application, to evaluate the application's security comprehensively, avoiding the drawbacks of single-dimension evaluation and making the evaluation result more accurate. The static test mainly evaluates the application installation file of the target application: using the type keywords commonly used to implement specific functions in iOS application development, it fuzzily matches the type keywords corresponding to each detection type against the application symbol table, takes full account of the weights of each detection type and each type keyword, and quantitatively evaluates the security of the target application, giving a comprehensive and intuitive static detection of the target application. There are 10 detection types in total: anti-leak type, sensitive word type, code obfuscation type, jailbreak detection type, proxy detection type, packaging protection type, character string protection type, URL matching type, anti-debug type, and/or anti-hook type.
The dynamic test evaluates the security of the target application from the perspectives of anti-reversing security, data protection security and runtime environment security while the target application is running. The anti-reversing function test in the dynamic test evaluates the anti-reversing function of the target application comprehensively from three aspects (anti-debug, anti-hook and anti-injection): the test response result is matched against at least two expected response results, and the anti-reversing performance level of the target application is determined according to the matching result. The data protection security test compares the target code with preset obfuscation identifiers and determines from the comparison result whether the program code and program characters in the target application are obfuscated, thereby detecting the degree of data security protection of the target application. The runtime environment security test obtains the program launch page of the target application in the application runtime environment and compares it with the preset environment launch page to judge whether the target application starts normally in the application runtime environment, thereby realizing safety detection of the target application's runtime environment.
By combining the static test and the dynamic test, the target application is examined comprehensively from both the static and the dynamic dimension, with full consideration of the security of the static code and of anti-reversing, data protection and the runtime environment during dynamic running. Defects in the target application can be found early, helping developers make targeted modifications before the target application is released.
Embodiment three
Fig. 3 shows a structural diagram of a safety detection device for iOS applications according to embodiment three. The device comprises:
A first evaluation result determining module 31, which obtains the application symbol table corresponding to the target application, matches the obtained type keywords corresponding to preset detection types against the application symbol table, and determines the first evaluation result corresponding to the target application according to the number and/or character weight of the successfully matched target keywords;
A second evaluation result determining module 32, which sends the target application a dynamic test instruction corresponding to a preset function, and determines the second evaluation result corresponding to the target application according to the test response result returned by the target application for the dynamic test instruction and at least two preconfigured expected response results corresponding to the dynamic test instruction;
A target application security judgment module 33, which judges whether the target application is safe according to the first evaluation result and the second evaluation result.
Optionally, the first evaluation result determining module 31 is adapted to:
Set a corresponding type set for each detection type, and store each extracted target keyword in the type set corresponding to the detection type of that target keyword;
Determining the first evaluation result corresponding to the target application according to the number and/or character weight of the successfully matched target keywords then comprises:
For each type set, determining the type evaluation score corresponding to the type set according to the number of target keywords contained in the type set and/or the character weights of the target keywords;
Determining the first evaluation result corresponding to the target application according to the type evaluation score corresponding to each type set and the type weight corresponding to each type set.
Optionally, the first evaluation result determining module 31 is adapted to:
For a type keyword to be matched, determine the type detection region that matches the detection type corresponding to the type keyword;
Extract the target region corresponding to the type detection region from the application symbol table, and match the obtained type keyword against the target region.
Optionally, the first evaluation result determining module 31 is adapted to:
Obtain the application file of the target application;
Decompile the application file to obtain the application symbol table corresponding to the target application;
The application symbol table further comprises a static symbol table, a dynamic symbol table, and/or a character string table.
Optionally, the second evaluation result determining module 32 is adapted to:
Send the target application an anti-reversing test instruction corresponding to a preset anti-reversing function.
Optionally, the second evaluation result determining module 32 is adapted to:
Send the target application each anti-reversing test instruction stored in a preset reverse test instruction table, according to the anti-reversing functions stored in the table, the types of the anti-reversing test instructions corresponding to each anti-reversing function, and/or the priority information among the anti-reversing test instructions.
Optionally, the second evaluation result determining module 32 is adapted to:
Decompile the obtained binary file of the target application, and obtain the decompiled code corresponding to the target application that results from the decompilation;
Extract the target code corresponding to the preset target region contained in the decompiled code;
Judge whether the target code contains content that matches the preset obfuscation identifiers, and determine the second evaluation result corresponding to the target application in combination with the judgment result.
Optionally, the second evaluation result determining module 32 is adapted to:
When a launch instruction corresponding to the target application is detected, determine the application runtime environment corresponding to the target application according to the launch instruction;
Obtain the program launch page displayed after the target application starts in the application runtime environment;
Query the preset environment launch page associated with the application runtime environment corresponding to the target application;
Judge whether the program launch page matches the environment launch page, and determine the second evaluation result corresponding to the target application in combination with the judgment result.
According to another aspect of the invention, a safety detection system for iOS applications is provided, comprising the above safety detection device.
An embodiment of the present application provides a non-volatile computer storage medium storing at least one executable instruction; the computer-executable instruction can execute the iOS-application-based safety detection method in any of the above method embodiments.
Fig. 4 shows a schematic structural diagram of an electronic device according to an embodiment of the invention; the specific embodiments of the invention do not limit the specific implementation of the electronic device.
As shown in figure 4, the electronic equipment may include: processor (processor) 402, communication interface (Communications Interface) 404, memory (memory) 406 and communication bus 408.
Wherein:
Processor 402, communication interface 404 and memory 406 complete mutual communication by communication bus 408.
Communication interface 404, for being communicated with the network element of other equipment such as client or other servers etc..
Processor 402 can specifically execute the above-mentioned fault location based on multistage network node for executing program 410 Correlation step in embodiment of the method.
Specifically, program 410 may include program code, which includes computer operation instruction.
Processor 402 may be central processor CPU or specific integrated circuit ASIC (Application Specific Integrated Circuit), or be arranged to implement the integrated electricity of one or more of the embodiment of the present invention Road.The one or more processors that electronic equipment includes can be same type of processor, such as one or more CPU;It can also To be different types of processor, such as one or more CPU and one or more ASIC.
Memory 406, for storing program 410.Memory 406 may include high speed RAM memory, it is also possible to further include Nonvolatile memory (non-volatile memory), for example, at least a magnetic disk storage.
Program 410 specifically can be used for so that processor 402 executes the operations in above method embodiment.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system, or other device. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such systems is apparent. In addition, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein can be implemented in various programming languages, and that the above description of a specific language is given to disclose the best mode of the invention.
Numerous specific details are set forth in the description provided here. It should be understood, however, that embodiments of the invention can be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail, so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof in the above description of exemplary embodiments. However, the disclosed method should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into that detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the device of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components in the embodiments can be combined into one module, unit or component, and they can furthermore be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
In addition, those skilled in the art will understand that although some embodiments herein include certain features that are included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the device according to embodiments of the invention. The invention may also be implemented as a device or device program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order; these words may be interpreted as names.
The invention also discloses: A1. A security detection method for an iOS application, comprising:
acquiring an application symbol table corresponding to a target application, matching the acquired type keywords corresponding to preset detection types against the application symbol table, and determining a first evaluation result corresponding to the target application according to the number and/or character weight of the successfully matched target keywords;
sending a dynamic test instruction corresponding to a preset function to the target application, and determining a second evaluation result corresponding to the target application according to the test response result returned by the target application for the dynamic test instruction and at least two preconfigured expected response results corresponding to the dynamic test instruction;
judging whether the target application is secure according to the first evaluation result and the second evaluation result.
A2. The method according to claim A1, wherein, when the preset detection types include multiple types, matching the acquired type keywords corresponding to the preset detection types against the application symbol table specifically comprises:
setting a corresponding type set for each detection type, and storing each extracted target keyword in the type set corresponding to the detection type of that target keyword;
and determining the first evaluation result corresponding to the target application according to the number and/or character weight of the successfully matched target keywords then comprises:
for each type set, determining a type evaluation score corresponding to the type set according to the number of target keywords contained in the type set and/or the character weights of those target keywords;
determining the first evaluation result corresponding to the target application according to the type evaluation score of each type set and the type weight of each type set.
A3. The method according to claim A1, wherein matching the acquired type keywords corresponding to the preset detection types against the application symbol table comprises:
for a type keyword to be matched, determining the type detection region that matches the detection type of that type keyword;
extracting the target region corresponding to the type detection region from the application symbol table, and matching the acquired type keyword against the target region.
A4. The method according to claim A1, wherein acquiring the application symbol table corresponding to the target application comprises:
obtaining the application file of the target application;
decompiling the application file to obtain the application symbol table corresponding to the target application;
wherein the application symbol table further comprises: a static symbol table, a dynamic symbol table, and/or a character table.
A5. The method according to claim A1, wherein the preset function includes an anti-reversing function and the dynamic test instruction includes an anti-reversing test instruction, and sending the dynamic test instruction corresponding to the preset function to the target application then comprises:
sending an anti-reversing test instruction corresponding to the preset anti-reversing function to the target application.
A6. The method according to claim A5, wherein sending the anti-reversing test instruction corresponding to the preset anti-reversing function to the target application comprises:
according to the anti-reversing functions stored in a preset negative test instruction table, the types of the anti-reversing test instructions corresponding to each anti-reversing function, and/or the priority information among the anti-reversing test instructions, sending each anti-reversing test instruction stored in the negative test instruction table to the target application.
A7. The method according to claim A1, wherein determining the second evaluation result corresponding to the target application specifically comprises:
decompiling the acquired binary file of the target application to obtain the decompiled code corresponding to the target application;
extracting the target code corresponding to a preset target region contained in the decompiled code;
judging whether the target code contains content matching a preset obfuscation symbol, and determining the second evaluation result corresponding to the target application in combination with the judgment result.
A8. The method according to claim A1, wherein determining the second evaluation result corresponding to the target application specifically comprises:
when a launch instruction corresponding to the target application is detected, determining the application runtime environment corresponding to the target application according to the launch instruction;
obtaining the program launch page displayed after the target application starts in the application runtime environment;
querying the preset environment launch page associated with the application runtime environment corresponding to the target application;
judging whether the program launch page matches the environment launch page, and determining the second evaluation result corresponding to the target application in combination with the judgment result.
B9. A security detection device for an iOS application, comprising:
a first evaluation result determining module, which acquires an application symbol table corresponding to a target application, matches the acquired type keywords corresponding to preset detection types against the application symbol table, and determines a first evaluation result corresponding to the target application according to the number and/or character weight of the successfully matched target keywords;
a second evaluation result determining module, which sends a dynamic test instruction corresponding to a preset function to the target application, and determines a second evaluation result corresponding to the target application according to the test response result returned by the target application for the dynamic test instruction and at least two preconfigured expected response results corresponding to the dynamic test instruction;
a target application security judgment module, which judges whether the target application is secure according to the first evaluation result and the second evaluation result.
B10. The device according to claim B9, wherein the first evaluation result determining module is adapted to:
set a corresponding type set for each detection type, and store each extracted target keyword in the type set corresponding to the detection type of that target keyword;
and determining the first evaluation result corresponding to the target application according to the number and/or character weight of the successfully matched target keywords then comprises:
for each type set, determining a type evaluation score corresponding to the type set according to the number of target keywords contained in the type set and/or the character weights of those target keywords;
determining the first evaluation result corresponding to the target application according to the type evaluation score of each type set and the type weight of each type set.
B11. The device according to claim B9, wherein the first evaluation result determining module is adapted to:
for a type keyword to be matched, determine the type detection region that matches the detection type of that type keyword;
extract the target region corresponding to the type detection region from the application symbol table, and match the acquired type keyword against the target region.
B12. The device according to claim B9, wherein the first evaluation result determining module is adapted to:
obtain the application file of the target application;
decompile the application file to obtain the application symbol table corresponding to the target application;
wherein the application symbol table further comprises: a static symbol table, a dynamic symbol table, and/or a character table.
B13. The device according to claim B9, wherein the second evaluation result determining module is adapted to:
send an anti-reversing test instruction corresponding to a preset anti-reversing function to the target application.
B14. The device according to claim B13, wherein the second evaluation result determining module is adapted to:
according to the anti-reversing functions stored in a preset negative test instruction table, the types of the anti-reversing test instructions corresponding to each anti-reversing function, and/or the priority information among the anti-reversing test instructions, send each anti-reversing test instruction stored in the negative test instruction table to the target application.
B15. The device according to claim B9, wherein the second evaluation result determining module is adapted to:
decompile the acquired binary file of the target application to obtain the decompiled code corresponding to the target application;
extract the target code corresponding to a preset target region contained in the decompiled code;
judge whether the target code contains content matching a preset obfuscation symbol, and determine the second evaluation result corresponding to the target application in combination with the judgment result.
B16. The device according to claim B9, wherein the second evaluation result determining module is adapted to:
when a launch instruction corresponding to the target application is detected, determine the application runtime environment corresponding to the target application according to the launch instruction;
obtain the program launch page displayed after the target application starts in the application runtime environment;
query the preset environment launch page associated with the application runtime environment corresponding to the target application;
judge whether the program launch page matches the environment launch page, and determine the second evaluation result corresponding to the target application in combination with the judgment result.
C17. A security detection system for an iOS application, characterized in that it comprises the security detection device according to any one of claims B9-B16.
D18. An electronic device, comprising: a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another via the communication bus;
the memory is used to store at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the iOS-application-based security detection method according to any one of claims A1-A8.
E19. A computer storage medium, wherein at least one executable instruction is stored in the storage medium, and the executable instruction causes a processor to perform the operations corresponding to the iOS-application-based security detection method according to any one of claims A1-A8.
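The region-scoped, weighted keyword matching of A2 to A4 and the two-result judgment of A1, written out as an added Python example that is not code from the patent. The detection types, keywords, weights, regions, expected responses, scoring formula and threshold are all assumptions, and the symbol table is a constructed sample.

```python
from dataclasses import dataclass


@dataclass
class DetectionType:
    name: str
    region: str         # part of the symbol table searched for this type (A3)
    type_weight: float  # weight of this type in the first evaluation result (A2)
    keywords: dict      # type keyword -> character weight (A2)


# Hypothetical rule set; the patent fixes no keywords, regions or weights.
RULES = [
    DetectionType("anti_debug", "dynamic", 0.5, {"_ptrace": 3.0, "_sysctl": 1.0}),
    DetectionType("integrity", "static", 0.3,
                  {"checkSignature": 2.0, "verifyBundleHash": 2.0}),
    DetectionType("env_check", "strings", 0.2,
                  {"/Applications/Cydia.app": 2.0, "cydia://": 1.0}),
]

# Constructed sample standing in for the symbol table of a decompiled app,
# split into the parts named in A4. "strings" stands for the character table,
# taken here to mean string literals (assumption).
SAMPLE_TABLE = {
    "static": ["-[AppGuard checkSignature]", "-[LoginVC viewDidLoad]"],
    "dynamic": ["_ptrace", "_sysctl", "_objc_msgSend"],
    "strings": ["/Applications/Cydia.app", "https://example.invalid/api"],
}

# Hypothetical expected responses to one anti-reversing test instruction,
# each mapped to the score it contributes to the second evaluation result.
EXPECTED_RESPONSES = {"process_terminated": 1.0, "debugger_attached": 0.0}


def match_type(rule, symbol_table):
    """Build the type set: keywords of one detection type found in its region.

    Matching is a case-sensitive substring test, so a keyword also matches
    longer symbols that contain it.
    """
    region = symbol_table.get(rule.region, [])
    return {kw for kw in rule.keywords if any(kw in entry for entry in region)}


def type_score(rule, matched):
    """Score one type set in [0, 1]: matched character weight over the total."""
    total = sum(rule.keywords.values())
    return sum(rule.keywords[kw] for kw in matched) / total if total else 0.0


def first_evaluation(rules, symbol_table):
    """Combine per-type scores using the type weights (assumed formula)."""
    type_sets = {r.name: match_type(r, symbol_table) for r in rules}
    scores = {r.name: type_score(r, type_sets[r.name]) for r in rules}
    weight_sum = sum(r.type_weight for r in rules)
    overall = sum(r.type_weight * scores[r.name] for r in rules) / weight_sum
    return overall, scores, type_sets


def second_evaluation(observed):
    """Map an observed test response to a preconfigured expected response.

    Returns None when the response matches none of them (inconclusive).
    """
    return EXPECTED_RESPONSES.get(observed)


def is_safe(first, second, threshold=0.6):
    """Assumed rule: both results must reach the threshold.

    An inconclusive dynamic test (None) fails closed.
    """
    return second is not None and first >= threshold and second >= threshold


if __name__ == "__main__":
    overall, scores, type_sets = first_evaluation(RULES, SAMPLE_TABLE)
    print("per-type scores:", scores)
    print("first evaluation result:", round(overall, 4))
    for response in ("process_terminated", "debugger_attached", "timeout"):
        print(response, "->", is_safe(overall, second_evaluation(response)))
```

Because each type is matched only against its own region, a keyword that appears solely in another part of the table does not count toward that type's score.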

Claims (10)

1. A security detection method for an iOS application, comprising:
acquiring an application symbol table corresponding to a target application, matching the acquired type keywords corresponding to preset detection types against the application symbol table, and determining a first evaluation result corresponding to the target application according to the number and/or character weight of the successfully matched target keywords;
sending a dynamic test instruction corresponding to a preset function to the target application, and determining a second evaluation result corresponding to the target application according to the test response result returned by the target application for the dynamic test instruction and at least two preconfigured expected response results corresponding to the dynamic test instruction;
judging whether the target application is secure according to the first evaluation result and the second evaluation result.
2. The method according to claim 1, wherein, when the preset detection types include multiple types, matching the acquired type keywords corresponding to the preset detection types against the application symbol table specifically comprises:
setting a corresponding type set for each detection type, and storing each extracted target keyword in the type set corresponding to the detection type of that target keyword;
and determining the first evaluation result corresponding to the target application according to the number and/or character weight of the successfully matched target keywords then comprises:
for each type set, determining a type evaluation score corresponding to the type set according to the number of target keywords contained in the type set and/or the character weights of those target keywords;
determining the first evaluation result corresponding to the target application according to the type evaluation score of each type set and the type weight of each type set.
3. The method according to claim 1, wherein matching the acquired type keywords corresponding to the preset detection types against the application symbol table comprises:
for a type keyword to be matched, determining the type detection region that matches the detection type of that type keyword;
extracting the target region corresponding to the type detection region from the application symbol table, and matching the acquired type keyword against the target region.
4. The method according to claim 1, wherein acquiring the application symbol table corresponding to the target application comprises:
obtaining the application file of the target application;
decompiling the application file to obtain the application symbol table corresponding to the target application;
wherein the application symbol table further comprises: a static symbol table, a dynamic symbol table, and/or a character table.
5. The method according to claim 1, wherein the preset function includes an anti-reversing function and the dynamic test instruction includes an anti-reversing test instruction, and sending the dynamic test instruction corresponding to the preset function to the target application then comprises:
sending an anti-reversing test instruction corresponding to the preset anti-reversing function to the target application.
6. The method according to claim 5, wherein sending the anti-reversing test instruction corresponding to the preset anti-reversing function to the target application comprises:
according to the anti-reversing functions stored in a preset negative test instruction table, the types of the anti-reversing test instructions corresponding to each anti-reversing function, and/or the priority information among the anti-reversing test instructions, sending each anti-reversing test instruction stored in the negative test instruction table to the target application.
7. A security detection device for an iOS application, comprising:
a first evaluation result determining module, which acquires an application symbol table corresponding to a target application, matches the acquired type keywords corresponding to preset detection types against the application symbol table, and determines a first evaluation result corresponding to the target application according to the number and/or character weight of the successfully matched target keywords;
a second evaluation result determining module, which sends a dynamic test instruction corresponding to a preset function to the target application, and determines a second evaluation result corresponding to the target application according to the test response result returned by the target application for the dynamic test instruction and at least two preconfigured expected response results corresponding to the dynamic test instruction;
a target application security judgment module, which judges whether the target application is secure according to the first evaluation result and the second evaluation result.
8. A security detection system for an iOS application, characterized in that it comprises the security detection device according to claim 7.
9. An electronic device, comprising: a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another via the communication bus;
the memory is used to store at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the iOS-application-based security detection method according to any one of claims 1-6.
10. A computer storage medium, wherein at least one executable instruction is stored in the storage medium, and the executable instruction causes a processor to perform the operations corresponding to the iOS-application-based security detection method according to any one of claims 1-6.
CN201910245705.2A 2019-03-28 2019-03-28 It is a kind of based on iOS application safety detection method, apparatus and system Pending CN110110521A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201910245705.2A CN110110521A (en) 2019-03-28 2019-03-28 It is a kind of based on iOS application safety detection method, apparatus and system
PCT/CN2019/123870 WO2020192179A1 (en) 2019-03-28 2019-12-09 Security detection method, device and system based on ios application

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910245705.2A CN110110521A (en) 2019-03-28 2019-03-28 It is a kind of based on iOS application safety detection method, apparatus and system

Publications (1)

Publication Number Publication Date
CN110110521A true CN110110521A (en) 2019-08-09

Family

ID=67484812

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910245705.2A Pending CN110110521A (en) 2019-03-28 2019-03-28 It is a kind of based on iOS application safety detection method, apparatus and system

Country Status (2)

Country Link
CN (1) CN110110521A (en)
WO (1) WO2020192179A1 (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190809