CN110110521A - Security detection method, apparatus and system for iOS applications - Google Patents
- Publication number
- CN110110521A (CN201910245705.2A)
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
Abstract
The invention discloses a security detection method, apparatus and system for iOS applications. The method comprises: obtaining an application symbol table corresponding to a target application, matching the obtained type keywords corresponding to preset detection types against the application symbol table, and determining a first evaluation result; sending a dynamic test instruction corresponding to a preset function to the target application, and determining a second evaluation result according to the test response result returned by the target application for the dynamic test instruction and at least two preconfigured expected response results corresponding to the dynamic test instruction; and judging whether the target application is secure according to the first evaluation result and the second evaluation result. This approach performs security detection on both the static code and the dynamic running process of the target application, obtains a first evaluation result for the static code and a second evaluation result for the dynamic running process, and combines the two to make a comprehensive security determination for the target application.
Description
Technical field
The present invention relates to the field of computer software technology, and in particular to a security detection method, apparatus and system for iOS applications.
Background art
With the rapid development of network technology, the number of Internet users has grown exponentially and smartphone sales have risen sharply. In the high-end market, the iOS platform holds a very large share of mobile terminal services. Mobile applications based on the iOS platform are increasingly complex in design and increasingly large in development scale, and application quality is ever more important. In particular, the number of payment-related applications is growing rapidly, and the security of payment-related applications is critical throughout the life cycle of the application.
However, in the course of implementing the present invention, the inventor found that the development techniques used for iOS applications vary widely in quality, so the security levels of applications are uneven. At the same time, although the self-protection of the iOS platform is relatively strong, attack techniques against iOS mobile applications are increasingly mature and jailbreaking iPhone devices is becoming simpler, so the threats faced by iOS mobile applications keep growing. This requires various security tests on iOS applications and requires developers to apply various protections to them, yet at the current stage the market for security detection of iOS applications is largely unfilled.
It can be seen that there is currently no standard security detection tool for iOS applications on the market, and security detection of applications cannot be automated. Moreover, detection of iOS applications is mostly static detection, i.e. comparing key strings from the perspective of static code, which is not comprehensive. As a result, iOS mobile applications cannot be comprehensively tested for security before release, and developers cannot make targeted changes to application functions in advance, which leads to various problems in later use and seriously harms the user experience.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a security detection method, apparatus and system for iOS applications that overcome the above problems or at least partially solve them.
According to one aspect of the present invention, a security detection method for an iOS application is provided, comprising:
obtaining an application symbol table corresponding to a target application, matching the obtained type keywords corresponding to preset detection types against the application symbol table, and determining a first evaluation result corresponding to the target application according to the number and/or character weight of the successfully matched target keywords;
sending a dynamic test instruction corresponding to a preset function to the target application, and determining a second evaluation result corresponding to the target application according to the test response result returned by the target application for the dynamic test instruction and at least two preconfigured expected response results corresponding to the dynamic test instruction;
judging whether the target application is secure according to the first evaluation result and the second evaluation result.
According to one aspect of the present invention, a security detection apparatus for an iOS application is provided, comprising:
a first evaluation result determining module, which obtains an application symbol table corresponding to a target application, matches the obtained type keywords corresponding to preset detection types against the application symbol table, and determines a first evaluation result corresponding to the target application according to the number and/or character weight of the successfully matched target keywords;
a second evaluation result determining module, which sends a dynamic test instruction corresponding to a preset function to the target application, and determines a second evaluation result corresponding to the target application according to the test response result returned by the target application for the dynamic test instruction and at least two preconfigured expected response results corresponding to the dynamic test instruction;
a target application security judgment module, which judges whether the target application is secure according to the first evaluation result and the second evaluation result.
According to another aspect of the present invention, a security detection system for an iOS application is provided, comprising the above security detection apparatus.
According to a further aspect of the present invention, an electronic device is provided, comprising: a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another via the communication bus;
the memory is used to store at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the above fault locating method based on multi-level network nodes.
According to a further aspect of the present invention, a computer storage medium is provided, in which at least one executable instruction is stored, and the executable instruction causes a processor to perform the operations corresponding to the above fault locating method based on multi-level network nodes.
In the security detection method, apparatus and system for an iOS application provided by the present invention, an application symbol table corresponding to a target application is obtained, the obtained type keywords corresponding to preset detection types are matched against the application symbol table, and a first evaluation result corresponding to the target application is determined according to the number and/or character weight of the successfully matched target keywords; a dynamic test instruction corresponding to a preset function is sent to the target application, and a second evaluation result corresponding to the target application is determined according to the test response result returned by the target application for the dynamic test instruction and at least two preconfigured expected response results corresponding to the dynamic test instruction; and whether the target application is secure is judged according to the first evaluation result and the second evaluation result, which improves the accuracy of the evaluation result.
The above is only an overview of the technical solution of the present invention. So that the technical means of the present invention can be understood more clearly and implemented in accordance with the specification, and so that the above and other objects, features and advantages of the present invention are more readily apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered limiting of the present invention. Throughout the drawings, the same reference numerals refer to the same parts. In the drawings:
Fig. 1 shows a flowchart of a security detection method for an iOS application according to embodiment one;
Fig. 2 shows a flowchart of a security detection method for an iOS application according to embodiment two;
Fig. 3 shows a structural diagram of a security detection apparatus for an iOS application according to embodiment three;
Fig. 4 shows a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed description of the embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the present disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present disclosure can be understood more thoroughly and its scope can be fully conveyed to those skilled in the art.
Embodiment one
Fig. 1 shows a flowchart of a security detection method for a target application according to embodiment one. As shown in Fig. 1, the method includes the following steps:
Step S110: obtain the application symbol table corresponding to the target application, match the obtained type keywords corresponding to the preset detection types against the application symbol table, and determine the first evaluation result corresponding to the target application according to the number and/or character weight of the successfully matched target keywords.
The present invention may be executed by a variety of entities: for example, a security software client installed in the mobile terminal where the target application resides, or a security test terminal or security test server capable of communicating with that mobile terminal. The target application is the application to be detected, and it is an iOS application.
Specifically, in this step, the application file of the target application is obtained and decompiled to obtain decompiled code, and the various types of application symbol tables are extracted from the decompiled code. The application symbol table specifically includes: a static symbol table, a dynamic symbol table, and/or a string table.
The preset keyword data table is obtained from the background database and traversed to obtain each detection type stored in the table and the type keywords corresponding to each detection type; the obtained type keywords are then matched against the application symbol table. The preset keyword data table specifically includes: the mapping between detection types and type keywords, and the priority among detection types. For example, when the detection type is the anti-leak type, the corresponding type keywords are NSLog, print, printf, write. The type keywords NSLog, print, printf, write corresponding to the anti-leak type are obtained from the keyword data table and matched against the application symbol table.
If a type keyword appears in the application symbol table, it is extracted as a target keyword and stored in a type set in the background database. A corresponding type set is set up for each detection type, and each extracted target keyword is stored in the type set corresponding to its detection type. In a specific implementation, the type set can be realized in various ways, such as a list, a file, a data packet or a type set package. For example, the type keywords NSLog, print, printf, write corresponding to the anti-leak detection type are obtained and matched against the application symbol table; if the type keywords NSLog and print are found in the application symbol table, NSLog and print are stored in the type set corresponding to the anti-leak detection type in the background database. When no type keyword appears in the application symbol table, the type set is empty and the number of type keywords in the type set is 0.
According to the number of target keywords contained in a type set and/or the character weight of the target keywords, the type evaluation score corresponding to that type set is determined; according to the type evaluation score of each type set and the type weight of each type set, the first evaluation result score of the target application is determined.
The first evaluation result of the target application is divided into 3 levels. When the first evaluation result score of the target application is in the range 0~3 (excluding 3), the first evaluation result is low; when the score is in the range 3~7 (excluding 7), the first evaluation result is medium; when the score is in the range 7~1, the first evaluation result is high.
Step S120: send a dynamic test instruction corresponding to a preset function to the target application, and determine the second evaluation result corresponding to the target application according to the test response result returned by the target application for the dynamic test instruction and at least two preconfigured expected response results corresponding to the dynamic test instruction.
The dynamic test instruction is configured for a preset function of the target application, so as to test that preset function. The specific type and implementation of the dynamic test instruction can be set flexibly according to the type of the preset function. For example, the dynamic test instruction may be any of various instructions such as an anti-reversing test instruction. Correspondingly, the preset anti-reversing test instruction table is obtained from the background database, and each anti-reversing test instruction stored in the table is sent to the target application according to the anti-reversing functions stored in the table, the type of the anti-reversing test instruction corresponding to each anti-reversing function, and/or the priority among the anti-reversing test instructions.
The test response result corresponding to each anti-reversing test instruction is obtained and stored in a test response set in the background database. The test response result specifically includes: the test response made by the device where the target application resides to the operation corresponding to each anti-reversing test instruction. The test response set can be realized in various ways, such as a list, a file, a data packet or a test response set. For example, in a specific implementation, the anti-debug operation corresponding to the anti-debug anti-reversing test instruction is executed: the command "debugserver *:12349 -a application process number" is run on the terminal command line of the device where the target application resides, and that device makes a test response to the anti-debug operation.
The expected response results corresponding to the anti-reversing test instructions are stored in the background database in advance, and the at least two preconfigured expected response results corresponding to an anti-reversing test instruction are queried. Corresponding expected response results are set for each anti-reversing test. For example, in a specific implementation, when the preset anti-reversing function is the anti-debug function, the at least two preconfigured expected response results corresponding to the anti-reversing test instruction include: an anti-debug class expected response result indicating that the target application has the anti-debug function, and a non-anti-debug class expected response result indicating that the target application does not have the anti-debug function.
The test response result is matched against the at least two expected response results, and the second evaluation result corresponding to the target application is determined according to the matching result. For example, in a specific implementation, the test response result is matched against the anti-debug class expected response result indicating that the target application has the anti-debug function and against the non-anti-debug class expected response result indicating that the target application does not have the anti-debug function. If the anti-debug anti-reversing test response result is the anti-debug class expected response result indicating that the target application has the anti-debug function, the target application has the anti-reversing function of anti-debugging, and the second evaluation result of the target application is high; if the anti-debug anti-reversing test response result is the expected response result indicating that the target application does not have the anti-debug function, the second evaluation result of the target application is low.
Step S130: judge the security level of the target application according to the first evaluation result and the second evaluation result.
The first evaluation result reflects the static security of the application from the perspective of static testing, and the second evaluation result reflects the dynamic security of the application from the perspective of dynamic testing. The specific meaning of the first and second evaluation results and the way they are obtained can be configured flexibly by those skilled in the art. Judging whether the target application is secure from the combination of the first evaluation result and the second evaluation result assesses the security of the application more comprehensively and gives a more accurate result. For example, when the first evaluation result and the second evaluation result are both high, the security level of the target application is high; when either the first evaluation result or the second evaluation result is low, the security level of the target application is low; in all remaining cases, the security level of the target application is medium.
It can be seen that, by using the first evaluation result corresponding to static testing and the second evaluation result corresponding to dynamic testing, this embodiment can evaluate the security of the application comprehensively, avoids the drawbacks of a single-dimension evaluation method, and makes the evaluation result more accurate.
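The three steps of embodiment one (keyword matching, response matching, combining the two results), sketched in Python as an added example that is not code from the patent. The keywords, the cutoffs 3 and 7 and the combination rule come from the text; the region each type is matched in, the type weights, the 0 to 10 "fewer hits scores higher" formula, the response labels and the sample inputs are assumptions of this sketch.

```python
"""Static keyword matching, dynamic response matching and the S130 rule."""

# Detection type -> (region, keywords). The keywords are those listed in the
# text; the region each type is matched in is an assumption of this sketch.
KEYWORD_TABLE = {
    "anti_leak": ("symbols", ["NSLog", "print", "printf", "write"]),
    "anti_debug": ("symbols", ["ptrace"]),
    "anti_hook": ("strings", ["libcycript.dylib", "libReveal.dylib",
                              "SnoopiTweak.dylib"]),
}
TYPE_WEIGHT = {"anti_leak": 0.4, "anti_debug": 0.3, "anti_hook": 0.3}  # assumed

# At least two expected responses per dynamic test; the labels are constructed.
EXPECTED_RESPONSES = {
    "anti_debug": {"attach_refused": "high", "attach_ok": "low"},
}

# Constructed sample input in the style of `nm` output plus a string table.
SAMPLE_NM = """\
                 U _NSLog
                 U _printf
                 U _fwrite
                 U _objc_msgSend
0000000100003f20 T _main
"""
SAMPLE_STRINGS = ["/usr/lib/libobjc.A.dylib", "Failed to write cache"]


def parse_nm(text):
    """Return the set of symbol names, without the leading C underscore."""
    symbols = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            name = fields[-1]
            symbols.add(name[1:] if name.startswith("_") else name)
    return symbols


def match_types(symbols, strings):
    """Build one type set per detection type (empty when nothing matches)."""
    type_sets = {}
    for dtype, (region, keywords) in KEYWORD_TABLE.items():
        if region == "symbols":
            # Exact match: a substring test would report `write` for
            # `fwrite` and `print` for `printf`.
            hits = [k for k in keywords if k in symbols]
        else:
            # Library names appear inside longer path strings.
            hits = [k for k in keywords if any(k in s for s in strings)]
        type_sets[dtype] = hits
    return type_sets


def first_score(type_sets):
    """Weighted score on an assumed 0-10 scale; fewer hits scores higher."""
    total = 0.0
    for dtype, hits in type_sets.items():
        n_keywords = len(KEYWORD_TABLE[dtype][1])
        type_score = 10.0 * (1 - len(hits) / n_keywords)
        total += TYPE_WEIGHT[dtype] * type_score
    return round(total, 2)


def level(score):
    """Map a score to a level using the cutoffs 3 and 7 given in the text."""
    if score < 3:
        return "low"
    if score < 7:
        return "medium"
    return "high"


def second_result(function, response):
    """Match a test response against the preconfigured expected responses."""
    expected = EXPECTED_RESPONSES[function]
    if response not in expected:
        # The text does not cover an unmatched response; flag it for review.
        raise ValueError(f"unexpected response for {function}: {response!r}")
    return expected[response]


def combine(first, second):
    """S130: both high -> high; either low -> low; otherwise medium."""
    if first == "high" and second == "high":
        return "high"
    if "low" in (first, second):
        return "low"
    return "medium"


def assess(nm_text, strings, function, response):
    """Run S110, S120 and S130 on already collected inputs."""
    first = level(first_score(match_types(parse_nm(nm_text), strings)))
    return combine(first, second_result(function, response))


if __name__ == "__main__":
    print(match_types(parse_nm(SAMPLE_NM), SAMPLE_STRINGS))
    print(assess(SAMPLE_NM, SAMPLE_STRINGS, "anti_debug", "attach_refused"))
```

The exact-match rule for symbols matters in practice: with substring matching, `fwrite` and the string "Failed to write cache" would both count as hits for `write` and skew the anti-leak type set.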
Embodiment two
Fig. 2 shows a flowchart of a security detection method for an iOS application according to embodiment two. This embodiment performs comprehensive security detection of the target application from two dimensions, static testing and dynamic testing. The detection types covered by current iOS application detection tools on the market are not comprehensive: they do not fully consider security testing of the target application's anti-reversing function, degree of data protection and running environment security, and they test only from the perspective of static code, so the test results obtained are inaccurate. It is therefore necessary to carry out security testing for anti-debugging, anti-hooking, anti-injection, data security protection and running environment security from both the static and the dynamic dimension.
As shown in Fig. 2, the method includes the following steps:
Step S210: obtain the application symbol table corresponding to the target application, so that the obtained type keywords corresponding to the preset detection types can be matched against the application symbol table.
Specifically, in this step, the application file of the target application is obtained and decompiled to obtain decompiled code, and the various types of application symbol tables are extracted from the decompiled code. The application symbol table specifically includes: a static symbol table, a dynamic symbol table, and/or a string table. The preset keyword data table is obtained from the background database and traversed to obtain each detection type stored in the table and the type keywords corresponding to each detection type, and the obtained type keywords are matched against the application symbol table. The preset keyword data table specifically includes: the mapping between detection types and type keywords, and the priority among detection types.
In this embodiment, the description takes as an example the case where the preset detection type is at least one of the following ten types:
(1) The first detection type is the anti-leak type:
Specifically, the anti-leak type is used to detect whether the target application has the function of preventing log leakage. In the course of implementing the present invention, the inventor found that the keywords NSLog, print, printf, write are well targeted for detecting whether the target application has this function. These keywords all denote printing a log. The more often the keywords NSLog, print, printf, write appear, the higher the risk of log leakage in the target application and the poorer its function of preventing log leakage. Therefore the keywords NSLog, print, printf, write are preset as the type keywords corresponding to the anti-leak type.
(2) The second detection type is the sensitive word type:
Specifically, the sensitive word type is used to detect the target application's function of preventing key information leakage. In the course of implementing the present invention, the inventor found that the keywords encrypt, decrypt, login, password, title, name are well targeted for detecting whether the target application has this function. The meanings of the keywords encrypt, decrypt, login, password, title, name are respectively encryption, decryption, login, password, title and name. The more often these keywords appear, the higher the risk of key information leakage in the target application and the poorer its function of preventing key information leakage. Therefore the keywords encrypt, decrypt, login, password, title, name are preset as the type keywords corresponding to the sensitive word type.
(3) The third detection type is the code obfuscation type:
Specifically, the code obfuscation type is used to detect whether the application file of the target application shows code obfuscation. In the course of implementing the present invention, the inventor found that the keywords didFinishLaunchingWithOptions, viewDidLoad are well targeted for detecting whether the application file of the target application shows code obfuscation. The more often the keywords didFinishLaunchingWithOptions, viewDidLoad appear, the greater the possibility that the application file of the target application shows code obfuscation. Therefore the keywords didFinishLaunchingWithOptions, viewDidLoad are preset as the type keywords corresponding to the code obfuscation type.
(4) The fourth detection type is the jailbreak detection type:
Specifically, the jailbreak detection type is used to detect whether the device where the target application resides is jailbroken. In the course of implementing the present invention, the inventor found that the keywords Applications/Cydia.app, /etc/ssh/sshd_config, /usr/libexec/ssh-keysign, /usr/sbin/sshd, /bin/sh, /bin/bash, /etc/apt, /Applications/Cydia.app, /Library/MobileSubstrate/MobileSubstrate.dylib are well targeted for detecting whether the device where the target application resides is jailbroken. The more often these keywords appear, the higher the possibility that the device where the target application resides is jailbroken. Therefore these keywords are preset as the type keywords corresponding to the jailbreak detection type.
(5) The fifth detection type is the proxy detection type:
Specifically, the proxy detection type is used to detect whether a network proxy is present while the target application is running. In the course of implementing the present invention, the inventor found that the keyword kCFProxyTypeNone is well targeted for detecting whether a network proxy is present while the target application is running. The appearance of the keyword kCFProxyTypeNone indicates a greater possibility that a network proxy is present while the target application is running. Therefore the keyword kCFProxyTypeNone is preset as the type keyword corresponding to the proxy detection type.
(6) The sixth detection type is the packaging protection type:
Specifically, the packaging protection type is used to detect whether the application file of the target application has been subject to secondary packaging of its code. In the course of implementing the present invention, the inventor found that the keywords CFBundleIdentifier, com.apple.developer.team-identifier, application-identifier are well targeted for detecting whether the application file of the target application has been subject to secondary packaging. The more often the keywords CFBundleIdentifier, com.apple.developer.team-identifier, application-identifier appear, the greater the possibility that the target application has been subject to secondary packaging of its code. Therefore these keywords are preset as the type keywords corresponding to the packaging protection type.
(7) The seventh detection type is the string protection type:
Specifically, the string protection type is used to detect whether the target application shows string obfuscation. In the course of implementing the present invention, the inventor found that the keywords encrypt, decrypt, login, password, title, name are well targeted for detecting whether the target application shows string obfuscation. The meanings of the keywords encrypt, decrypt, login, password, title, name are respectively encryption, decryption, login, password, title and name. The more often these keywords appear, the greater the possibility that strings have been modified and the greater the possibility that string obfuscation is present. Therefore the keywords encrypt, decrypt, login, password, title, name are preset as the type keywords corresponding to the string protection type.
(8) The eighth detection type is the URL matching type:
Specifically, the URL matching type is used to detect the degree of network address protection of the device where the target application resides. In the course of implementing the present invention, the inventor found that the keywords http, https are well targeted for detecting the degree of network address protection of the device where the target application resides. The more often the keywords http, https appear, the lower the degree of network address protection of the device where the target application resides. Therefore the keywords http, https are preset as the type keywords corresponding to the URL matching type.
(9) The ninth detection type is the anti-debug type:
Specifically, the anti-debug type is used to detect whether the target application has the anti-debug function. In the course of implementing the present invention, the inventor found that the keyword ptrace is well targeted for detecting whether the target application has the anti-debug function. The appearance of the keyword ptrace indicates that the anti-debug function of the target application is poorer. Therefore the keyword ptrace is preset as the type keyword corresponding to the anti-debug type.
(10) The tenth detection type is the anti-hook type:
Specifically, the anti-hook type is used to detect whether the target application has the anti-hook function. In the course of implementing the present invention, the inventor found that the keywords libcycript.dylib, libReveal.dylib, SnoopiTweak.dylib are well targeted for detecting whether the target application has the anti-hook function. The more often the keywords libcycript.dylib, libReveal.dylib, SnoopiTweak.dylib appear, the poorer the anti-hook function of the target application. Therefore the keywords libcycript.dylib, libReveal.dylib, SnoopiTweak.dylib are preset as the type keywords corresponding to the anti-hook type.
Step S220: match the obtained type keywords against the application symbol table.
Specifically, in this step, according to the priority among the detection types, each detection type stored in the preset keyword data table and the type keywords corresponding to each detection type are traversed and queried, and the obtained type keywords are matched against the application symbol table.
The detection types specifically comprise 10 detection types, and priorities among the 10 detection types are set in advance. According to the preset priorities, the 10 detection types are arranged from high to low as: anti-leak type, sensitive word type, code obfuscation type, jailbreak detection type, proxy detection type, packing protection type, string protection type, URL matching type, anti-debug type, and/or anti-hook type. For example, in a specific implementation, according to the priority among the detection types, the anti-leak detection type stored in the preset keyword data table and its corresponding type keywords NSLog, print, printf and write are traversed and queried, and the obtained type keywords NSLog, print, printf and write are matched against the application symbol table.
Further, in order to compare the type keywords with the application symbol table accurately and to increase the speed of that comparison, for each type keyword to be matched, the type detection region that matches the detection type corresponding to that type keyword is determined, the target area corresponding to the type detection region is extracted from the application symbol table, and the obtained type keyword is matched against the target area. For example, when the detection type is the sensitive word detection type, for the obtained type keywords encrypt, decrypt, login, password, title and name, the type detection region matching the detection type corresponding to these type keywords is determined. Specifically, the type detection regions corresponding to the sensitive word detection type include: a type detection region containing class names and/or a type detection region containing method names. According to the determined type detection region containing class names and/or type detection region containing method names, the target area corresponding to the type detection region is extracted from the application symbol table, and the obtained type keywords are matched against the target area.
Step S230: extract the successfully matched type keywords as target keywords.
Specifically, in this step, the obtained type keywords are matched against the application symbol table; if a type keyword appears in the application symbol table, that type keyword is extracted as a target keyword and stored in a type set in the background database. A corresponding type set is set for each detection type, and each extracted target keyword is stored in the type set corresponding to the detection type of that target keyword. In a specific implementation, the type set can be realized in various ways, such as a list, a file, a data packet or a type set package. For example, in a specific implementation, the type keywords NSLog, print, printf and write corresponding to the anti-leak detection type are obtained and matched against the application symbol table; the type keywords NSLog and print are found to appear in the application symbol table, so NSLog and print are stored in the type set corresponding to the anti-leak detection type in the background database. When no type keyword appears in the application symbol table, the type set is empty and the number of type keywords in the type set is 0.
Further, to ensure that important detection types are detected first, the detection processes of the different types can be executed one after another in the priority order of the types. For example, according to the priority of the detection types, the detection type that follows the anti-leak detection type in the preset keyword data table is the sensitive word detection type. The type keywords of the sensitive word detection type are obtained from the preset keyword data table and matched against the application symbol table, the successfully matched type keywords are extracted as target keywords, and the target keywords are stored in the type set corresponding to the sensitive word detection type in the background. The above operations are then executed in turn for the code obfuscation type, jailbreak detection type, proxy detection type, packing protection type, string protection type, URL matching type, anti-debug type and anti-hook type.
In addition, in other embodiments of the invention, to improve detection efficiency, the detection processes of the various types can also be executed simultaneously by multiple parallel threads; the present invention does not limit the specific execution order of the detection processes of the multiple types.
Step S240: determine the first evaluation result corresponding to the target application according to the number and/or character weight of the successfully matched target keywords.
Specifically, in this step, the type evaluation score corresponding to a type set is determined according to the number of target keywords contained in that type set and/or the character weight of the target keywords; the first evaluation result score of the target application is determined according to the type evaluation score corresponding to each type set and the type weight corresponding to each type set. In a specific implementation, first, the type evaluation score corresponding to the type set is determined according to the number of target keywords contained in the type set and/or the character weight of the target keywords. For example, the full type evaluation score of any one of the 10 detection types is 10 points. When any one keyword corresponding to a detection type is detected, 1 point is deducted from the type evaluation score, and the upper limit of the deduction is 10 points. Take the anti-leak type as an example: its type keywords are NSLog, print, printf and write, and the target keywords contained in the type set corresponding to the anti-leak type are NSLog and print, each of which occurs once. Here a target keyword means a keyword that was successfully matched with a type keyword. The type evaluation score corresponding to the type set is calculated from the number of target keywords. Since 1 point is deducted from the type evaluation score for each detected keyword of a detection type, the type evaluation score of the anti-leak type is 8 points.
Then, after the type evaluation score corresponding to each type set has been determined, the safety evaluation score of the target application is determined according to the type evaluation score corresponding to each type set and the type weight corresponding to each type set. For example, according to the importance of the detection types, the type weights of the 10 type sets for the anti-leak type, sensitive word type, code obfuscation type, jailbreak detection type, proxy detection type, packing protection type, string protection type, URL matching type, anti-debug type and anti-hook type are assigned as 0.1, 0.1, 0.1, 0.15, 0.05, 0.1, 0.1, 0.15, 0.05 and 0.1. The type evaluation scores of the 10 type sets for the anti-leak type, sensitive word type, code obfuscation type, jailbreak detection type, proxy detection type, packing protection type, string protection type, URL matching type, anti-debug type and anti-hook type are 4, 5, 3, 6, 7, 4, 5, 3, 6 and 7 respectively. The safety evaluation score of the target application is calculated from the type evaluation scores and the type weights: 0.1*4+0.1*5+0.1*3+0.15*6+0.05*7+0.1*4+0.1*5+0.15*3+0.05*6+0.1*7=4.8.
The full first evaluation result score of the target application is 10 points; the higher the first evaluation result score, the better the first evaluation result of the target application. The first evaluation result of the target application is divided into 3 grades: when the first evaluation result score is between 0 and 3 (excluding 3), the first evaluation result of the target application is low; when the score is between 3 and 7 (excluding 7), the first evaluation result is medium; when the score is between 7 and 10, the first evaluation result is high.
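Steps S220 to S240 as an added Python example, not code from the patent: it matches type keywords against a symbol table, builds the type sets, and computes the type scores, the weighted first evaluation score and its grade. The sample symbol table is constructed, matching on whole identifiers and deducting one point per distinct keyword are assumptions, and only the type keywords listed in this section are included.

```python
import re

# Type weights from the worked example, listed in priority order (highest first).
TYPE_WEIGHTS = {
    "anti-leak": 0.1, "sensitive word": 0.1, "code obfuscation": 0.1,
    "jailbreak detection": 0.15, "proxy detection": 0.05,
    "packing protection": 0.1, "string protection": 0.1,
    "URL matching": 0.15, "anti-debug": 0.05, "anti-hook": 0.1,
}

# Type keywords named in this section. The other types' keywords are defined
# elsewhere in the patent and are not reproduced here.
KEYWORD_TABLE = {
    "anti-leak": ["NSLog", "print", "printf", "write"],
    "URL matching": ["http", "https"],
    "anti-debug": ["ptrace"],
    "anti-hook": ["libcycript.dylib", "libReveal.dylib", "SnoopiTweak.dylib"],
}

# Assumption: a keyword matches only a whole identifier, so "print" does not
# match inside "printf". Identifiers are runs of letters, digits and dots.
TOKEN = re.compile(r"[A-Za-z0-9.]+")


def match_type_sets(symbol_table: str) -> dict:
    """S220/S230: walk the types in priority order and collect the type
    keywords that occur in the symbol table into one type set per type."""
    tokens = set(TOKEN.findall(symbol_table))
    type_sets = {}
    for det_type in TYPE_WEIGHTS:  # dict order is the priority order
        keywords = KEYWORD_TABLE.get(det_type)
        if keywords is not None:
            type_sets[det_type] = [kw for kw in keywords if kw in tokens]
    return type_sets


def type_score(target_keywords) -> int:
    """S240: 10 points per type, minus 1 per detected keyword, floor 0."""
    return max(0, 10 - len(set(target_keywords)))


def first_evaluation(type_scores: dict) -> float:
    """S240: weighted sum of the ten type evaluation scores."""
    missing = set(TYPE_WEIGHTS) - set(type_scores)
    if missing:
        raise ValueError(f"no type score for: {sorted(missing)}")
    total = sum(TYPE_WEIGHTS[t] * type_scores[t] for t in TYPE_WEIGHTS)
    return round(total, 2)


def grade(score: float) -> str:
    """Grades from the text: [0, 3) low, [3, 7) medium, [7, 10] high."""
    if not 0 <= score <= 10:
        raise ValueError("score must lie between 0 and 10")
    if score < 3:
        return "low"
    return "medium" if score < 7 else "high"


# Constructed sample input in the style of a symbol listing.
SAMPLE_SYMBOLS = """\
                 U _NSLog
0000000100003f20 T _print
                 U _ptrace
0000000100004a10 T _startSession
"""

if __name__ == "__main__":
    for det_type, targets in match_type_sets(SAMPLE_SYMBOLS).items():
        print(det_type, targets, type_score(targets))
    # Type scores from the worked example in the text.
    page_scores = dict(zip(TYPE_WEIGHTS, [4, 5, 3, 6, 7, 4, 5, 3, 6, 7]))
    total = first_evaluation(page_scores)
    print(total, grade(total))
```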
Step S250: send the dynamic test instruction corresponding to the preset function to the target application.
The preset function in this embodiment includes an anti-reversing function, and the dynamic test instruction includes an anti-reversing test instruction; accordingly, an anti-reversing test instruction corresponding to the preset anti-reversing function is sent to the target application. In a specific implementation, the preset anti-reversing test instruction table is obtained from the background database, and each anti-reversing test instruction stored in the table is sent to the target application according to the anti-reversing functions stored in the table, the type of the anti-reversing test instruction corresponding to each anti-reversing function, and/or the priority among the anti-reversing test instructions. The anti-reversing functions specifically include: an anti-debug function, an anti-hook function and an anti-injection function. The anti-reversing test instruction table specifically includes: the mapping between anti-reversing functions and anti-reversing test instructions, the priority among anti-reversing functions, and the priority among anti-reversing test instructions. For example, in a specific implementation, the anti-reversing functions stored in the table, sorted by priority from high to low, are the anti-debug function, the anti-hook function and the anti-injection function. According to the priority of the anti-reversing functions, the anti-debug anti-reversing function and its corresponding anti-debug anti-reversing test instruction are obtained, and the anti-debug anti-reversing test instruction is sent to the target application. Setting priorities for the anti-reversing functions stored in the table is optional; in a specific implementation the anti-reversing functions stored in the table may also have no priority, that is, the functions are peers, and accordingly the anti-debug function, anti-hook function and anti-injection function are implemented in parallel at the same time.
Further, to ensure that the anti-reversing test instructions corresponding to important anti-reversing functions are sent first, the sending of the anti-reversing test instructions corresponding to the different types of anti-reversing functions can be executed one after another in the priority order of the types. For example, in a specific implementation, after the anti-debug anti-reversing test instruction corresponding to the anti-debug anti-reversing function has been sent to the target application, the anti-hook anti-reversing function and its corresponding anti-hook anti-reversing test instruction are obtained according to the priority of the preset anti-reversing functions, and the anti-hook anti-reversing test instruction is sent to the target application.
In addition, to improve detection efficiency, in other embodiments of the invention the anti-reversing function detection processes can also be executed simultaneously by multiple parallel threads; the present invention does not limit the specific execution order of the anti-reversing function detection processes.
Further, to realize communication with the target application, the anti-reversing test instruction corresponding to the preset anti-reversing function is sent to the target application through a second terminal device that is wirelessly connected to the first terminal device on which the target application is installed; the first terminal device and the second terminal device are in the same wireless network. In a specific implementation, the Mac computer device and the iPhone device connect to the same wireless network so that they are in the same network segment; the Mac computer device logs in to the iPhone device automatically using ssh, realizing the wireless connection from the Mac computer device to the iPhone device, and the Mac computer device sends the anti-reversing test instruction corresponding to the preset anti-reversing function to the target application on the iPhone device.
Step S260: determine the second evaluation result corresponding to the target application according to the test response result returned by the target application for the dynamic test instruction and at least two preconfigured expected response results corresponding to the dynamic test instruction.
Specifically, this step includes at least one of the following three implementations:
Mode one: in the first implementation of this step, the second evaluation result corresponding to the target application is determined directly according to the test response result returned by the target application for the dynamic test instruction and the at least two preconfigured expected response results corresponding to the dynamic test instruction.
This implementation performs safety detection on the target application from the angle of its anti-reversing capability. At present, debugging of application source code, interception of application running processes and injection of dynamic libraries are serious phenomena; performing anti-reversing function detection on an application makes it possible to assess the strength of its anti-reversing function and to discover defects in that function early.
Specifically, the test response result corresponding to each anti-reversing test instruction is obtained and stored in a test response set in the background database. The test response result specifically includes: the test response that the device where the target application is located makes to the operation corresponding to each anti-reversing test instruction. The test response set can be realized in various ways, such as a list, a file, a data packet or a test response set. For example, in a specific implementation, the target application receives the anti-debug anti-reversing test instruction, the anti-hook anti-reversing test instruction and the anti-injection anti-reversing test instruction. According to the priority of these three instructions, the target application first executes the anti-debug operation corresponding to the anti-debug anti-reversing test instruction: the terminal command line of the device where the target application is located runs the "debugserver *:12349 -a application process number" command, and the device where the target application is located makes a test response to the anti-debug operation. According to the priority of the anti-reversing test instructions, the target application then executes the anti-hook operation corresponding to the anti-hook anti-reversing test instruction: the terminal command line of the device where the target application is located runs the "cycript -p application process number" command, and the device where the target application is located makes a test response to the anti-hook operation. According to the priority of the anti-reversing test instructions, the target application then executes the anti-injection operation corresponding to the anti-injection anti-reversing test instruction: the "optool install -c load -p "application dynamic library" -t application binary file" command is run in the terminal of the device where the target application is located, and the device where the target application is located makes a test response to the anti-injection operation.
The expected response results set for each anti-reversing test are stored in the background database in advance, and the at least two preconfigured expected response results corresponding to the anti-reversing test instruction are queried. When the preset anti-reversing function is the anti-debug function, the at least two preconfigured expected response results corresponding to the anti-reversing test instruction include: an anti-debug class expected response result indicating that the target application has the anti-debug function, and a non-anti-debug class expected response result indicating that the target application does not have the anti-debug function. The anti-debug class expected response result contains a preset anti-debug target field. For example, the preset anti-debug target field is Segmentation fault: 11. In a specific implementation, the anti-debug operation corresponding to the anti-debug anti-reversing test instruction is executed: the terminal command line of the device where the target application is located runs the "debugserver *:12349 -a application process number" command. If Segmentation fault: 11 appears in the returned information, the target application has the anti-debug anti-reversing function; if Segmentation fault: 11 does not appear in the returned information, the target application does not have the anti-debug anti-reversing function.
When the preset anti-reversing function is the anti-hook function, the at least two preconfigured expected response results corresponding to the anti-reversing test instruction include: an anti-hook class expected response result indicating that the target application has the anti-hook function, and a non-anti-hook class expected response result indicating that the target application does not have the anti-hook function. The anti-hook class expected response result contains a preset anti-hook target field. For example, the preset anti-hook target field is error. In a specific implementation, the anti-hook operation corresponding to the anti-hook anti-reversing test instruction is executed: the terminal command line of the device where the target application is located runs the "cycript -p application process number" command. If error appears in the returned information, the target application has the anti-hook anti-reversing function; if error does not appear in the returned information, the target application does not have the anti-hook anti-reversing function.
When the preset anti-reversing function is the anti-injection function, the at least two preconfigured expected response results corresponding to the anti-reversing test instruction include: an anti-injection class expected response result indicating that the target application has the anti-injection function, and a non-anti-injection class expected response result indicating that the target application does not have the anti-injection function. The anti-injection class expected response result includes a response result of the crash (flash exit) type. For example, in a specific implementation, the "optool install -c load -p "application dynamic library" -t application binary file" command is run, and the target application is then compressed and installed. If a crash-type response result occurs, the target application has the anti-injection anti-reversing function; if no crash-type response result occurs, the target application does not have the anti-injection anti-reversing function.
The test response result is matched against the at least two expected response results. For example, in a specific implementation, the expected response results corresponding to the anti-debug anti-reversing function test specifically include the anti-debug class expected response result indicating that the target application has the anti-debug function, and the non-anti-debug class expected response result indicating that the target application does not have the anti-debug function. The test response result is matched against both of these expected response results. If the anti-debug anti-reversing test response result is the anti-debug class expected response result indicating that the target application has the anti-debug function, the target application has the anti-debug anti-reversing function; if the anti-debug anti-reversing test response result is the non-anti-debug class expected response result indicating that the target application does not have the anti-debug function, the target application does not have the anti-debug anti-reversing function.
The strength of the target application's anti-reversing function is judged from how the test response results of the three anti-reversing functions match. Anti-reversing function scores are set, and whether the target application has an anti-reversing function is determined from these scores. A separate anti-reversing function score is set for each anti-reversing function. In a specific implementation, if the target application has the anti-debug anti-reversing function, the anti-debug anti-reversing function score is 1; if it does not, the score is 0. If the target application has the anti-hook anti-reversing function, the anti-hook anti-reversing function score is 1; if it does not, the score is 0. If the target application has the anti-injection anti-reversing function, the anti-injection anti-reversing function score is 1; if it does not, the score is 0. The second evaluation result score of the target application is the sum of the anti-debug, anti-hook and anti-injection anti-reversing function scores.
The second evaluation result is evaluated from the second evaluation result score. If the second evaluation result score is 0, the anti-reversing security level of the target application is low and the second evaluation result is low; if the score is 1, the anti-reversing security level is medium-low and the second evaluation result is medium-low; if the score is 2, the anti-reversing security level is medium-high and the second evaluation result is medium-high; if the score is 3, the anti-reversing security level is high and the second evaluation result is high.
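The response matching and scoring of mode one as an added Python example, not code from the patent: each captured test response is matched against the expected-response rule for its anti-reversing function, and the three 0/1 scores are summed and graded. The response record, the function names and the sample outputs are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class ProbeResponse:
    """Constructed record of what one anti-reversing test returned."""
    output: str = ""       # text captured from the terminal command
    crashed: bool = False  # True if the application crashed (flash exit)


def _squash(text: str) -> str:
    # Compare without whitespace, so "fault:11" and "fault: 11" both match.
    return "".join(text.split())


def _has_field(field: str):
    """Rule: the response belongs to the protected class when the preset
    target field occurs in the returned information."""
    return lambda resp: _squash(field) in _squash(resp.output)


# One rule per anti-reversing function, in the priority order from the text.
RULES = {
    "anti-debug": _has_field("Segmentation fault: 11"),
    "anti-hook": _has_field("error"),
    "anti-injection": lambda resp: resp.crashed,
}

GRADES = {0: "low", 1: "medium-low", 2: "medium-high", 3: "high"}


def second_evaluation(responses: dict):
    """Return (per-function scores, total score, grade). A function with no
    captured response cannot be matched to either expected result, so it is
    rejected instead of being scored as 0."""
    missing = [name for name in RULES if name not in responses]
    if missing:
        raise ValueError(f"no test response for: {missing}")
    scores = {name: int(rule(responses[name])) for name, rule in RULES.items()}
    total = sum(scores.values())
    return scores, total, GRADES[total]


# Constructed sample responses (not real tool output).
HARDENED = {
    "anti-debug": ProbeResponse(output="Segmentation fault: 11"),
    "anti-hook": ProbeResponse(output="*** error: attach refused"),
    "anti-injection": ProbeResponse(crashed=True),
}
DEBUG_ONLY = {
    "anti-debug": ProbeResponse(output="Segmentation fault:11"),
    "anti-hook": ProbeResponse(output="cy# "),
    "anti-injection": ProbeResponse(crashed=False),
}

if __name__ == "__main__":
    print(second_evaluation(HARDENED))
    print(second_evaluation(DEBUG_ONLY))
```

Because the anti-hook rule matches the bare field error, any unrelated failure that prints that word, such as a wrong process number, is also scored as protection; confirm the process was running before trusting that match.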
In addition, to improve detection efficiency, in other embodiments of the invention the anti-reversing function detection processes can also be executed simultaneously by multiple parallel threads; the present invention does not limit the specific execution order of the anti-reversing function detection processes.
Further, to improve the efficiency of anti-reversing function detection, the anti-reversing test instruction corresponding to one anti-reversing function is divided by key field into multiple anti-reversing test instructions. One anti-reversing function thus corresponds to multiple anti-reversing test instructions, and priorities are preset among the multiple anti-reversing test instructions corresponding to one anti-reversing function. For example, the anti-reversing test instruction corresponding to the anti-debug anti-reversing function is divided by key field into anti-debug anti-reversing test instruction 1, anti-debug anti-reversing test instruction 2 and anti-debug anti-reversing test instruction 3. According to the preset priorities, from high to low, the anti-debug anti-reversing test instructions are arranged as anti-debug anti-reversing test instruction 1, anti-debug anti-reversing test instruction 2 and anti-debug anti-reversing test instruction 3. In a specific implementation, the device where the target application is located executes in turn the commands corresponding to anti-debug anti-reversing test instruction 1, anti-debug anti-reversing test instruction 2 and anti-debug anti-reversing test instruction 3.
Through the above steps, the program start page of the target application in the application running environment is obtained and compared with the preset environment start page to judge whether the target application starts normally in the application running environment, thereby realizing safety detection of the running environment of the target application. For ease of understanding, a specific example is used below to describe in detail the specific implementation of the above method:
Step 1: the Mac computer device integrates the ideviceinstaller (device installer) tool, so that the Mac computer device connects remotely to the iPhone device and can manage the iPhone device.
Specifically, the Mac computer device integrates the ideviceinstaller tool to connect remotely to the iPhone device and to manage and operate the iOS applications on the iPhone device. The "ideviceinstaller -i xxx.ipa" command is entered and run in the terminal of the Mac computer device, where "xxx.ipa" is the file name of the IPA (Apple application file) of the target application.
Step 2: the remotely connected iPhone device integrates the frida environment, so that applications inside the iPhone can be invoked.
Specifically, the "python xxx.py bundleId" command is entered and run in the terminal of the Mac computer device, where "xxx" is the name of the target application. The application on the remotely connected iPhone device starts automatically.
Step 3: the home page shown when the application is opened is compared with the home page shown after the application starts normally. If the home pages are identical, the application starts normally in this running environment; if the application crashes (flash exit) or cannot load, the application starts abnormally in this running environment.
Step 4: the installed application is uninstalled using the ideviceinstaller tool.
Specifically, the "ideviceinstaller -U bundleId" command is entered and run in the terminal of the Mac computer device, where "xxx" is the name of the target application. The application on the remotely connected iPhone device is uninstalled automatically.
In conclusion, with this method the target application on the iPhone device can be installed, started and uninstalled automatically, without manual installation, starting and uninstalling. This departs from the traditional safety detection mode and realizes automatic safety detection, so that safety detection under various running environments can be carried out more quickly, significantly improving safety detection efficiency and meeting the growing demand for iOS safety detection.
Mode two: in the second implementation of this step, the obtained binary file of the target application is decompiled to obtain the decompiled code corresponding to the target application; the object code corresponding to the preset target region contained in the decompiled code is extracted, whether the object code contains content matching a preset obfuscation symbol is judged, and the second evaluation result corresponding to the target application is determined in combination with the judgment result.
This implementation determines the second evaluation result corresponding to the target application according to the combination of two kinds of judgment results: the anti-reversing security level of the target application and the data security level of the target application.
This implementation performs safety detection on the target application from the angle of its data security. At present, tampering with the program code and program characters of applications is a serious phenomenon; performing data protection safety detection on the target application makes it possible to discover defects in its data protection function early.
Specifically, a decompilation tool is used to decompile the obtained binary file of the target application. The decompilation tools specifically include a first decompilation tool and a second decompilation tool. In a specific implementation, the first decompilation tool decompiles the obtained binary file of the target application to obtain the first decompiled code; and/or the second decompilation tool decompiles the obtained binary file of the target application to obtain the second decompiled code. The first and second decompilation tools can be used together, or either one can be chosen. For example, the first decompilation tool is the MachOView decompilation tool, and the second decompilation tool is the Hopper Disassembler decompilation tool.
Priorities are set in advance for the different types of decompiled code, and the decompiled code is obtained according to these priorities. For example, the first decompiled code takes priority over the second decompiled code, where the first decompiled code is the MachOView decompiled code and the second decompiled code is the Hopper Disassembler decompiled code. In a specific implementation, the MachOView decompiled code is obtained first.
The decompiled code specifically includes the first decompiled code and the second decompiled code. The object code corresponding to the preset target region contained in the first decompiled code includes: dynamic library information and/or header file information. The object code corresponding to the preset target region contained in the second decompiled code includes: preset functions and/or preset characters. The first decompiled code is the MachOView decompiled code, and the second decompiled code is the Hopper Disassembler decompiled code.
In a specific implementation, dynamic library information and/or header file information are set for the first decompiled code. The first decompiled code and the dynamic library information and/or header file information are obtained from the background database, the dynamic library information and/or header file information are compared with the first decompiled code, the object code in the decompiled code that contains the dynamic library information and/or header file information is extracted, and that object code is stored in the background database. For example, the first decompiled code is the MachOView decompiled code. The MachOView decompilation tool parses the structure of the target application and shows the dynamic library information and header file information in the binary file of the target application. Dynamic library information and/or header file information are set for the MachOView decompiled code; the MachOView decompiled code and the dynamic library information and/or header file information are obtained from the background database, the dynamic library information and/or header file information are compared with the MachOView decompiled code, the object code in the decompiled code that contains the dynamic library information and/or header file information is extracted, and that object code is stored in the background database. And/or, preset functions and/or preset characters are set for the second decompiled code. The second decompiled code and the preset functions and/or preset characters are obtained from the background database, the preset functions and/or preset characters are compared with the second decompiled code, the object code in the decompiled code that contains the preset functions and/or preset characters is extracted, and that object code is stored in the background database. For example, the second decompiled code is the Hopper Disassembler decompiled code. The Hopper Disassembler decompilation tool shows the functions and characters in the binary file of the target application and the logic code within methods. Preset functions and/or preset characters are set for the Hopper Disassembler decompiled code. In a specific implementation, the decompiled code corresponding to the Hopper Disassembler decompilation tool and the preset functions and/or preset characters are obtained from the background database,
Preset function and/or preset characters are compared with reversed compiled code, extract in reversed compiled code comprising preset function and/or
The object code of preset characters, and the object code comprising preset function and/or preset characters is stored in background data base.
The first decompiled code is matched against the preset obfuscation identifier to judge whether the target code corresponding to the preset target region in the first decompiled code contains content that matches the preset obfuscation identifier, which gives the first judgment result; the second decompiled code is matched against the preset obfuscation identifier to judge whether the target code corresponding to the preset target region in the second decompiled code contains content that matches the preset obfuscation identifier, which gives the second judgment result. Here, the first decompiled code is the MachOView decompiled code, and the second decompiled code is the Hopper Disassembler decompiled code. For example, in a specific implementation, the binary file of the target application is loaded into the MachOView decompilation tool and the Objc CFStrings table is inspected; the decompiled code corresponding to the Objc CFStrings table is matched against the preset obfuscation identifier. If the decompiled code of the Objc CFStrings table is displayed as identifiers, the program characters of the target application have been obfuscated; if it displays the target application's character strings normally, the program characters of the target application have not been obfuscated. And/or, in a specific implementation, the binary file of the target application is loaded into the Hopper Disassembler v4 decompilation tool, a method function is selected at random, and the decompiled code corresponding to that method function is matched against the preset obfuscation identifier. If garbled characters appear in the decompiled code of the method function, the program code of the target application has been obfuscated; if no garbled characters appear, the program code of the target application has not been obfuscated.
The weights of the first judgment result and the second judgment result are preset according to the importance of each, and the data protection security score of the target application is calculated from the two judgment results and their weights. For example, in a specific implementation, if the first judgment result is that the first decompiled code contains the preset obfuscation identifier, the first judgment result is recorded as 0; if the first judgment result is that the first decompiled code does not contain the preset obfuscation identifier, the first judgment result is recorded as 1. If the second judgment result is that the second decompiled code contains the preset obfuscation identifier, the second judgment result is recorded as 0; if the second judgment result is that the second decompiled code does not contain the preset obfuscation identifier, the second judgment result is recorded as 1. In this example, weights are assigned to the first judgment result and the second judgment result respectively: the weight of the first judgment result is 0.5 and the weight of the second judgment result is 0.5. The first judgment result is 0 and the second judgment result is 1, so the data protection security score of the target application is 0*0.5+1*0.5=0.5.
Specifically, the data protection security of the target application is classified into four levels. If the data protection security score of the target application is 0, its data protection security level is low; if the score is 1, its data protection security level is high; if the score is 0~0.5 (not including 0 and 0.5), its data protection security level is medium-low; if the score is 0.5~1 (not including 1), its data protection security level is medium-high. In this example, the data protection security score of the target application is 0.5, so its data protection security level is medium-high.
Optionally, in this step, priorities are set in advance for the different types of decompiled code, and the target code of the decompiled code is obtained according to the priority of the decompiled code.
Further, in order to select target code that includes logical operators and to make the fullest use of the decompilation tool, each method function contained in the decompiled code is obtained, the method functions that contain logical operators are extracted from them as target functions, and the code corresponding to the target functions is determined as the target code corresponding to the preset target region.
The anti-reversing security level of the target application from mode one and the data protection security level from mode two are considered together. When the anti-reversing security level and the data protection security level are both high, the second evaluation result of the target application is high; when one of the anti-reversing security level and the data protection security level is low, the second evaluation result of the target application is low; in the remaining cases, the second evaluation result of the target application is medium.
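The mode-two scoring and its combination with the mode-one level, worked through as an added example that is not part of the patent text. Assumptions: the preset obfuscation identifier is modelled as a regular expression, the target code as lists of extracted names, the weights as summing to 1, and both sample lists are constructed.

```python
import re
from fractions import Fraction

# Assumption: the "preset obfuscation identifier" is modelled as a pattern for
# machine-generated names; the patent does not define its form.
OBFUSCATION_ID = re.compile(r"[A-Za-z]{1,2}[0-9a-f]{6,}")

# Constructed samples standing in for extracted target code.
CFSTRINGS_SAMPLE = ["q7f3a9c1e0b2", "k04d1be77a9c", "Retry"]
METHOD_SAMPLE = ["-[LoginViewController viewDidLoad]",
                 "-[LoginViewController submit:]"]


def judgment(target_code):
    """Encode one judgment result as the embodiment does: 0 when content
    matching the obfuscation identifier is present, 1 when it is absent."""
    matched = any(OBFUSCATION_ID.fullmatch(item) for item in target_code)
    return 0 if matched else 1


def data_protection_score(results, weights):
    """Weighted sum of the judgment results, computed exactly so that the
    end-point tests (score == 0, score == 1) do not depend on float rounding."""
    if len(results) != len(weights):
        raise ValueError("one weight per judgment result")
    if any(r not in (0, 1) for r in results):
        raise ValueError("judgment results are 0 or 1")
    exact = [Fraction(str(w)) for w in weights]
    # Assumption: weights sum to 1, as the 0~1 grading scale implies.
    if sum(exact) != 1:
        raise ValueError("weights must sum to 1")
    return sum(r * w for r, w in zip(results, exact))


def data_protection_level(score):
    """Map a score to the four levels: 0 -> low, (0, 0.5) -> medium-low,
    [0.5, 1) -> medium-high, 1 -> high."""
    if not 0 <= score <= 1:
        raise ValueError("score outside 0~1")
    if score == 0:
        return "low"
    if score == 1:
        return "high"
    return "medium-low" if score < Fraction(1, 2) else "medium-high"


def second_evaluation(anti_reversing_level, other_level):
    """Both high -> high; one of them low -> low; remaining cases -> medium."""
    levels = (anti_reversing_level, other_level)
    if all(level == "high" for level in levels):
        return "high"
    if any(level == "low" for level in levels):
        return "low"
    return "medium"


def evaluate(first_code, second_code, weights, anti_reversing_level):
    """Run the whole chain: judgments, score, level, second evaluation result."""
    results = [judgment(first_code), judgment(second_code)]
    score = data_protection_score(results, weights)
    level = data_protection_level(score)
    return score, level, second_evaluation(anti_reversing_level, level)


if __name__ == "__main__":
    # The worked case from the text: judgments 0 and 1, weights 0.5 and 0.5.
    print(evaluate(CFSTRINGS_SAMPLE, METHOD_SAMPLE, [0.5, 0.5], "high"))
```

A medium-low or medium-high data protection level can never yield a high second evaluation result, because only two high inputs produce high.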
Mode three: in the third implementation of this step, when a startup instruction corresponding to the target application is detected, the application runtime environment corresponding to the target application is determined from the startup instruction; the program startup page displayed after the target application starts in the application runtime environment is obtained; the preset environment startup page associated with the application runtime environment corresponding to the target application is queried; and whether the program startup page matches the environment startup page is judged, with the second evaluation result corresponding to the target application determined from the judgment result.
This implementation determines the second evaluation result corresponding to the target application by combining two kinds of judgment results: the anti-reversing security level of the target application and the security of its application runtime environment. It performs safety detection on the target application from the perspective of its runtime environment. iOS applications may run on many different iOS systems and iPhone devices, and the iOS system versions and iPhone device models they run on iterate quickly, so it is necessary to ensure that an iOS application runs normally in every runtime environment.
Specifically, the startup instruction sent by the target application is received. The environment field contained in the startup instruction holds the runtime environment in which the target application is currently located. The startup instruction is parsed, the environment field is extracted from it, and the application runtime environment corresponding to the target application is determined from that environment field. For example, target application A starts in iOS system C on iPhone device B. In a specific implementation, the startup instruction is received and parsed; the environment field of the parsed startup instruction contains keywords for the iPhone device model and the iOS system category, and these keywords, together with the iPhone device model and iOS system category information registered under them, are read directly.
Specifically, the startup instruction sent by the target application is received and parsed. The application runtime environment corresponding to the target application is determined from the instruction format of the parsed startup instruction and/or the instruction rules corresponding to the instruction. For example, the instruction format of the parsed startup instruction consists of a first part and a second part: the first part indicates the iPhone device model in the application runtime environment, and the second part indicates the iOS system version in the application runtime environment. iPhone device models are represented by different device identification codes, and iOS system versions by different version identification codes. The startup instruction is parsed, the identification codes of the first part and the second part are obtained from the parse, and the iPhone device model and iOS system version category corresponding to the identification codes are determined according to the instruction rules. The instruction rules specifically include the mapping between iPhone device models and model identification codes, and the mapping between iOS system versions and version identification codes.
After the target application starts in its current runtime environment, it displays the program startup page after a preset time. Specifically, in this step, the program startup page displayed after the preset time following the start of the target application in the application runtime environment is obtained.
The program startup page displayed after the target application starts in the application runtime environment is obtained, the startup environment matching table is retrieved from the background database, and the environment startup page of the application runtime environment corresponding to the target application is queried from the startup environment matching table. The startup environment matching table specifically includes the mapping among three items: target application, application runtime environment and environment startup page.
The program startup page sent by the target application, displayed after the target application starts in the application runtime environment, is obtained, and the environment startup page associated with the application runtime environment corresponding to the target application is queried from the startup environment matching table.
The program startup page and the environment startup page are compared to determine the difference between them. If there is no difference between the program startup page and the environment startup page, i.e. the two match, the target application is safe in the runtime environment; if there is a difference between them, i.e. the two do not match, the target application is unsafe in the runtime environment.
Further, in order to evaluate the runtime environment security of the target application when it runs a preset function, the program function page displayed after the target application runs the preset function in the application runtime environment is obtained; the preset environment function page associated with the application runtime environment corresponding to the target application is queried; and whether the program function page matches the environment function page is judged, with the judgment result determining whether the target application is safe in the preset runtime environment.
The environment function page is obtained as follows: for each type of application runtime environment, the running interface displayed when the target application runs the preset function in that type of application runtime environment and the run succeeds is obtained, and the obtained running interface is stored in the preset function environment matching table as the environment function page associated with that type of application runtime environment. The function environment matching table specifically includes the mapping among target application, application runtime environment, preset function and environment function page, and the priority of the preset function corresponding to each environment function page.
Specifically, in this step, according to the priority of the preset function corresponding to each environment function page stored in the preset environment matching table, the program function page displayed after the target application runs each type of preset function in the application runtime environment is obtained in turn; the environment function page associated with the target application, the application runtime environment and the preset function is obtained from the function environment matching table; and the program function page is overlaid on the environment function page to find the difference between the two. If there is no difference between the program function page and the environment function page, the preset function of the target application runs safely in the runtime environment, and the runtime environment security level of that preset function is high; if there is a difference between the program function page and the environment function page, the preset function of the target application runs unsafely in the runtime environment, and the runtime environment security level of that preset function is low.
The anti-reversing security level of the target application from mode one and the runtime environment security level from mode three are considered together. When the anti-reversing security level and the runtime environment security level are both high, the second evaluation result of the target application is high; when one of the anti-reversing security level and the runtime environment security level is low, the second evaluation result of the target application is low; in the remaining cases, the second evaluation result of the target application is medium.
Optionally, in order to ensure that important preset functions undergo runtime environment security detection first, the functions corresponding to the target application in each type of application runtime environment are determined in advance; there are multiple preset functions, and there are priorities among them. The priorities among the preset functions are stored in the function environment matching table. For example, in a specific implementation, sorted from high to low by the priority of the preset functions in the function environment matching table, the order of the preset functions is preset function 1, preset function 2, preset function 3. The target application runs preset function 1 in the application runtime environment, the program function page and the environment function page of preset function 1 are obtained, and the program function page of preset function 1 is overlaid on the environment function page and compared. The same operations are then performed in turn for preset function 2 and preset function 3.
In addition, in other embodiments of the present invention, in order to improve detection efficiency, the runtime environment security detection of the preset functions may also be carried out simultaneously by multiple threads executing in parallel; the present invention does not limit the specific execution order of the runtime environment security detection of the preset functions.
Through the above steps, the program startup page of the target application in the application runtime environment is obtained and compared with the preset environment startup page to judge whether the target application starts normally in the application runtime environment, thereby realising safety detection of the target application's runtime environment. To make this easier to understand, the specific implementation of the above method is described in detail below using a specific example:
Step 1: the Mac computer integrates the ideviceinstaller (device installation) tool so that the Mac computer connects remotely to the iPhone device and can manage it.
Specifically, the Mac computer integrates the ideviceinstaller tool to connect remotely to the iPhone device and to manage and operate the iOS applications on it. The command "ideviceinstaller -i xxx.ipa" is entered in the terminal of the Mac computer and run, where "xxx.ipa" is the file name of the target application's IPA (Apple application file).
Step 2: the remotely connected iPhone device integrates the frida environment so that the applications inside the iPhone can be invoked.
Specifically, the command "python xxx.py bundleId" is entered in the terminal of the Mac computer and run, where "xxx" is the name of the target application. The remotely connected iPhone device starts automatically.
Step 3: the home page shown when the application is opened is compared with the home page shown after a normal start. If the home pages are identical, the application starts normally in this runtime environment; if the application crashes on launch or cannot load, the application starts abnormally in this runtime environment.
Step 4: the installed application is uninstalled using the ideviceinstaller tool.
Specifically, the command "ideviceinstaller -U bundleId" is entered in the terminal of the Mac computer and run, where "xxx" is the name of the target application. The remotely connected iPhone device uninstalls automatically.
In summary, in this embodiment the target application on the iPhone device can be installed, started and uninstalled automatically, without manual installation, starting or uninstalling. This departs from the traditional safety detection approach and achieves automated safety detection, so that safety detection in various runtime environments can be carried out more quickly, greatly improving safety detection efficiency and meeting the growing demand for iOS safety detection.
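Steps 1 to 4 as a single harness, added here as an illustration and not taken from the patent: it runs the install, start, page comparison and uninstall in order and guarantees the uninstall even when the start fails. Assumptions: the launcher script name, the `capture_page` callable, the byte-exact SHA-256 page comparison and the meaning of the launcher's exit status are hypothetical; the `ideviceinstaller -i` and `-U` invocations are the ones quoted in the steps, and `RecordingRunner` replaces the device so the block runs offline.

```python
import hashlib
import subprocess
from dataclasses import dataclass


def run_command(argv):
    """Default runner: execute one command and return its exit status."""
    return subprocess.run(list(argv), check=False).returncode


class RecordingRunner:
    """Offline stand-in for the device: records commands instead of running
    them and reports failure for the programs named in `failing`."""

    def __init__(self, failing=()):
        self.failing = set(failing)
        self.calls = []

    def __call__(self, argv):
        self.calls.append(list(argv))
        return 1 if argv[0] in self.failing else 0


def page_digest(page):
    """SHA-256 of a captured page, used for the byte-exact comparison."""
    return hashlib.sha256(page).hexdigest()


@dataclass
class StartupResult:
    installed: bool = False
    started: bool = False
    page_matches: bool = False
    uninstalled: bool = False

    @property
    def startup_normal(self):
        # Normal start: installed, launched, and the home page matches.
        return self.installed and self.started and self.page_matches


def check_startup(ipa_path, bundle_id, launcher_script, reference_digest,
                  capture_page, runner=run_command):
    """Install, start, compare the home page, then always uninstall."""
    result = StartupResult()
    # Step 1: install the IPA on the connected device.
    result.installed = runner(["ideviceinstaller", "-i", ipa_path]) == 0
    if not result.installed:
        return result  # nothing was installed, so nothing to clean up
    try:
        # Step 2: start the app through the launcher script.
        # Assumption: the script exits non-zero when the app crashes on
        # launch or cannot load.
        result.started = runner(["python", launcher_script, bundle_id]) == 0
        if result.started:
            # Step 3: compare the displayed home page with the reference.
            page = capture_page()
            result.page_matches = (page is not None
                                   and page_digest(page) == reference_digest)
    finally:
        # Step 4: uninstall even if step 2 or step 3 failed or raised.
        result.uninstalled = runner(["ideviceinstaller", "-U", bundle_id]) == 0
    return result


if __name__ == "__main__":
    device = RecordingRunner()
    outcome = check_startup("sample.ipa", "com.example.sample", "launch.py",
                            page_digest(b"home page"), lambda: b"home page",
                            device)
    print(outcome, device.calls)
```

A byte-exact digest only works when `capture_page` returns a normalised rendering; a raw screenshot would differ from run to run.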
In a specific implementation, the three implementations above may be used alone or in combination. In this embodiment, to improve accuracy, the second evaluation result is determined by combining all three implementations, i.e. the second evaluation result is determined from the combination of judgment results in three respects: the anti-reversing function security level of the target application, the data protection security level of the target application, and the runtime environment security of the target application.
Step S270: the security level of the target application is judged according to the first evaluation result and the second evaluation result.
The security level of the target application is judged according to the first evaluation result and the second evaluation result. Specifically, when the first evaluation result and the second evaluation result are both high, the security level of the target application is high; when one of the first evaluation result and the second evaluation result is low, the security level of the target application is low; in the remaining cases, the security level of the target application is medium. The second evaluation result in this embodiment is determined by combining the judgment results of the three implementations. The second evaluation result is determined by combining the anti-reversing security level and the data protection security level of the target application: when the anti-reversing security level and the data protection security level are both high, the second evaluation result of the target application is high; when one of the anti-reversing security level and the data protection security level is low, the second evaluation result of the target application is low; in the remaining cases, the second evaluation result of the target application is medium. And/or, the second evaluation result is determined by combining the anti-reversing security level and the runtime environment security level of the target application: when the anti-reversing security level and the runtime environment security level are both high, the second evaluation result of the target application is high; when one of the anti-reversing security level and the runtime environment security level is low, the second evaluation result of the target application is low; in the remaining cases, the second evaluation result of the target application is medium.
This embodiment makes combined use of the first evaluation result, which reflects the static test result of the target application, and the second evaluation result, which reflects the dynamic test result of the target application, to evaluate the security of the application comprehensively. This avoids the drawbacks of single-dimension evaluation methods and makes the evaluation result more accurate. The static test mainly evaluates the application installation file of the target application: using the type keywords commonly used to implement specific functions during iOS application development, the type keywords corresponding to each detection type are fuzzy-matched against the application symbol table, and the weights of each detection type and each type keyword are fully taken into account, so that the security of the target application is evaluated quantitatively and a comprehensive and intuitive static detection is carried out. There are 10 detection types in total: anti-leak type, sensitive word type, code obfuscation type, jailbreak detection type, proxy detection type, packing protection type, string protection type, URL matching type, anti-debug type, and/or anti-hook type.
The dynamic test evaluates the security of the target application from the perspectives of anti-reversing security, data protection security and runtime environment security during dynamic running. The anti-reversing function test in the dynamic test evaluates the anti-reversing function of the target application comprehensively in three respects (anti-debug, anti-hook and anti-injection): the test response result is matched against at least two expected response results, and the anti-reversing performance level of the target application is determined from the matching result. The data protection security test compares the target code with the preset obfuscation identifier and determines from the comparison whether the program code and program characters in the target application are obfuscated, thereby detecting the degree of data security protection of the target application. The runtime environment security test obtains the program startup page of the target application in the application runtime environment and compares it with the preset environment startup page to judge whether the target application starts normally in the application runtime environment, thereby realising safety detection of the target application's runtime environment.
By combining the static test and the dynamic test, the target application is examined comprehensively in both the static and the dynamic dimension, fully taking into account the static code of the target application and the anti-reversing, data protection and runtime environment security of its dynamic running process. Defects in the target application can be found early, which helps the developer make targeted changes to the target application before it is released.
Embodiment three
Fig. 3 shows a structural diagram of a safety detection device for iOS applications according to embodiment three. The device includes:
A first evaluation result determining module 31, which obtains the application symbol table corresponding to the target application, matches the obtained type keywords corresponding to the preset detection types against the application symbol table, and determines the first evaluation result corresponding to the target application according to the number and/or character weight of the successfully matched target keywords;
A second evaluation result determining module 32, which sends a dynamic test instruction corresponding to a preset function to the target application, and determines the second evaluation result corresponding to the target application according to the test response result returned by the target application for the dynamic test instruction and at least two preconfigured expected response results corresponding to the dynamic test instruction;
A target application security judgment module 33, which judges whether the target application is safe according to the first evaluation result and the second evaluation result.
Optionally, the first evaluation result determining module 31 is adapted to:
Set a corresponding type set for each detection type, and store each extracted target keyword in the type set corresponding to the detection type of that target keyword;
In which case determining the first evaluation result corresponding to the target application according to the number and/or character weight of the successfully matched target keywords includes:
For each type set, determining the type evaluation score corresponding to the type set according to the number of target keywords contained in the type set and/or the character weight of the target keywords;
Determining the first evaluation result corresponding to the target application according to the type evaluation score corresponding to each type set and the type weight corresponding to each type set.
Optionally, the first evaluation result determining module 31 is adapted to:
For a type keyword to be matched, determine the type detection region that matches the detection type corresponding to the type keyword;
Extract the target region corresponding to the type detection region from the application symbol table, and match the obtained type keyword against the target region.
Optionally, the first evaluation result determining module 31 is adapted to:
Obtain the application file of the target application;
Decompile the application file to obtain the application symbol table corresponding to the target application;
Wherein the application symbol table further includes: a static symbol table, a dynamic symbol table, and/or a character table.
Optionally, the second evaluation result determining module 32 is adapted to:
Send an anti-reversing test instruction corresponding to a preset anti-reversing function to the target application.
Optionally, the second evaluation result determining module 32 is adapted to:
Send to the target application each anti-reversing test instruction stored in the preset reverse test instruction table, according to each anti-reversing function stored in that table, the type of each anti-reversing test instruction corresponding to each anti-reversing function, and/or the priority information among the anti-reversing test instructions.
Optionally, the second evaluation result determining module 32 is adapted to:
Decompile the obtained binary file of the target application, and obtain the decompiled code corresponding to the target application that results from the decompilation;
Extract the target code corresponding to the preset target region contained in the decompiled code;
Judge whether the target code contains content that matches the preset obfuscation identifier, and determine the second evaluation result corresponding to the target application from the judgment result.
Optionally, the second evaluation result determining module 32 is adapted to:
When a startup instruction corresponding to the target application is detected, determine the application runtime environment corresponding to the target application from the startup instruction;
Obtain the program startup page displayed after the target application starts in the application runtime environment;
Query the preset environment startup page associated with the application runtime environment corresponding to the target application;
Judge whether the program startup page matches the environment startup page, and determine the second evaluation result corresponding to the target application from the judgment result.
According to another aspect of the present invention, a safety detection system for iOS applications is provided, which includes the safety detection device described above.
An embodiment of the present application provides a non-volatile computer storage medium storing at least one executable instruction; the computer-executable instruction can perform the iOS-application-based safety detection method in any of the above method embodiments.
Fig. 4 shows a schematic structural diagram of an electronic device according to an embodiment of the present invention; the specific embodiments of the present invention do not limit the specific implementation of the electronic device.
As shown in Fig. 4, the electronic device may include: a processor (processor) 402, a communication interface (Communications Interface) 404, a memory (memory) 406 and a communication bus 408.
Wherein:
The processor 402, the communication interface 404 and the memory 406 communicate with one another over the communication bus 408.
The communication interface 404 is used to communicate with network elements of other devices, such as clients or other servers.
The processor 402 is used to execute the program 410, and can specifically execute the relevant steps in the above embodiments of the fault location method based on multi-level network nodes.
Specifically, the program 410 may include program code, and the program code includes computer operation instructions.
The processor 402 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC, Application Specific Integrated Circuit), or one or more integrated circuits configured to implement the embodiments of the present invention. The one or more processors included in the electronic device may be processors of the same type, such as one or more CPUs, or processors of different types, such as one or more CPUs and one or more ASICs.
The memory 406 is used to store the program 410. The memory 406 may include high-speed RAM, and may also include non-volatile memory (non-volatile memory), for example at least one disk memory.
The program 410 can specifically be used to cause the processor 402 to perform the operations in the above method embodiments.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system, or other device. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such a system is obvious. In addition, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein may be implemented in various programming languages, and that the above description of a specific language is given to disclose the best mode of the invention.
In the description provided here, numerous specific details are set forth. It should be understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof. However, the disclosed method should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the device of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and they may furthermore be divided into multiple sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
In addition, those skilled in the art will appreciate that although some embodiments described herein include certain features that are included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the device according to embodiments of the invention. The invention may also be implemented as a device or device program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such a signal may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order. These words may be interpreted as names.
The invention also discloses: A1. A safety detection method for an iOS application, comprising:
acquiring an application symbol table corresponding to a target application, matching acquired type keywords corresponding to a preset detection type against the application symbol table, and determining a first evaluation result corresponding to the target application according to the quantity and/or character weight of the successfully matched target keywords;
sending a dynamic test instruction corresponding to a preset function to the target application, and determining a second evaluation result corresponding to the target application according to the test response result returned by the target application for the dynamic test instruction and at least two preconfigured intended response results corresponding to the dynamic test instruction;
judging whether the target application is safe according to the first evaluation result and the second evaluation result.
A2. The method according to claim A1, wherein, when the preset detection type includes multiple detection types, matching the acquired type keywords corresponding to the preset detection type against the application symbol table specifically comprises:
setting a corresponding type set for each detection type, and storing each extracted target keyword in the type set corresponding to the detection type of that target keyword;
and determining the first evaluation result corresponding to the target application according to the quantity and/or character weight of the successfully matched target keywords comprises:
for each type set, determining the type assessment score corresponding to the type set according to the quantity of the target keywords included in the type set and/or the character weight of the target keywords;
determining the first evaluation result corresponding to the target application according to the type assessment score corresponding to each type set and the type weight corresponding to each type set.
A3. The method according to claim A1, wherein matching the acquired type keywords corresponding to the preset detection type against the application symbol table comprises:
for a type keyword to be matched, determining the type detection region that matches the detection type corresponding to the type keyword;
extracting the target area corresponding to the type detection region from the application symbol table, and matching the acquired type keyword against the target area.
A4. The method according to claim A1, wherein acquiring the application symbol table corresponding to the target application comprises:
acquiring the application file of the target application;
decompiling the application file to obtain the application symbol table corresponding to the target application;
wherein the application symbol table further comprises: a static symbol table, a dynamic symbol table, and/or a character list.
A5. The method according to claim A1, wherein the preset function includes an anti-reversing function and the dynamic test instruction includes an anti-reversing test instruction, and sending the dynamic test instruction corresponding to the preset function to the target application comprises:
sending an anti-reversing test instruction corresponding to the preset anti-reversing function to the target application.
A6. The method according to claim A5, wherein sending the anti-reversing test instruction corresponding to the preset anti-reversing function to the target application comprises:
sending to the target application each anti-reversing test instruction stored in a preset negative test instruction catalogue, according to each anti-reversing function stored in the catalogue, the type of each anti-reversing test instruction corresponding to each anti-reversing function, and/or the priority information between the anti-reversing test instructions.
A7. The method according to claim A1, wherein determining the second evaluation result corresponding to the target application specifically comprises:
decompiling the acquired binary file of the target application to obtain the decompiled code corresponding to the target application;
extracting the object code corresponding to a preset target area included in the decompiled code;
judging whether the object code contains content matching a preset obfuscation symbol, and determining the second evaluation result corresponding to the target application in combination with the judgment result.
A8. The method according to claim A1, wherein determining the second evaluation result corresponding to the target application specifically comprises:
when a start instruction corresponding to the target application is detected, determining the application runtime environment corresponding to the target application according to the start instruction;
acquiring the program start page displayed after the target application starts in the application runtime environment;
querying the preset environment start page associated with the application runtime environment corresponding to the target application;
judging whether the program start page matches the environment start page, and determining the second evaluation result corresponding to the target application in combination with the judgment result.
B9. A safety detection device for an iOS application, comprising:
a first evaluation result determining module, which acquires an application symbol table corresponding to a target application, matches acquired type keywords corresponding to a preset detection type against the application symbol table, and determines a first evaluation result corresponding to the target application according to the quantity and/or character weight of the successfully matched target keywords;
a second evaluation result determining module, which sends a dynamic test instruction corresponding to a preset function to the target application, and determines a second evaluation result corresponding to the target application according to the test response result returned by the target application for the dynamic test instruction and at least two preconfigured intended response results corresponding to the dynamic test instruction;
a target application safety judgment module, which judges whether the target application is safe according to the first evaluation result and the second evaluation result.
B10. The device according to claim B9, wherein the first evaluation result determining module is adapted to:
set a corresponding type set for each detection type, and store each extracted target keyword in the type set corresponding to the detection type of that target keyword;
and determining the first evaluation result corresponding to the target application according to the quantity and/or character weight of the successfully matched target keywords comprises:
for each type set, determining the type assessment score corresponding to the type set according to the quantity of the target keywords included in the type set and/or the character weight of the target keywords;
determining the first evaluation result corresponding to the target application according to the type assessment score corresponding to each type set and the type weight corresponding to each type set.
B11. The device according to claim B9, wherein the first evaluation result determining module is adapted to:
for a type keyword to be matched, determine the type detection region that matches the detection type corresponding to the type keyword;
extract the target area corresponding to the type detection region from the application symbol table, and match the acquired type keyword against the target area.
B12. The device according to claim B9, wherein the first evaluation result determining module is adapted to:
acquire the application file of the target application;
decompile the application file to obtain the application symbol table corresponding to the target application;
wherein the application symbol table further comprises: a static symbol table, a dynamic symbol table, and/or a character list.
B13. The device according to claim B9, wherein the second evaluation result determining module is adapted to:
send an anti-reversing test instruction corresponding to the preset anti-reversing function to the target application.
B14. The device according to claim B13, wherein the second evaluation result determining module is adapted to:
send to the target application each anti-reversing test instruction stored in a preset negative test instruction catalogue, according to each anti-reversing function stored in the catalogue, the type of each anti-reversing test instruction corresponding to each anti-reversing function, and/or the priority information between the anti-reversing test instructions.
B15. The device according to claim B9, wherein the second evaluation result determining module is adapted to:
decompile the acquired binary file of the target application to obtain the decompiled code corresponding to the target application;
extract the object code corresponding to a preset target area included in the decompiled code;
judge whether the object code contains content matching a preset obfuscation symbol, and determine the second evaluation result corresponding to the target application in combination with the judgment result.
B16. The device according to claim B9, wherein the second evaluation result determining module is adapted to:
when a start instruction corresponding to the target application is detected, determine the application runtime environment corresponding to the target application according to the start instruction;
acquire the program start page displayed after the target application starts in the application runtime environment;
query the preset environment start page associated with the application runtime environment corresponding to the target application;
judge whether the program start page matches the environment start page, and determine the second evaluation result corresponding to the target application in combination with the judgment result.
C17. A safety detection system for an iOS application, characterized by comprising the safety detection device according to any one of claims B9-B16.
D18. An electronic device, comprising: a processor, a memory, a communications interface and a communication bus, wherein the processor, the memory and the communications interface communicate with one another via the communication bus;
the memory is used to store at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the safety detection method based on an iOS application according to any one of claims A1-A8.
E19. A computer storage medium, wherein at least one executable instruction is stored in the storage medium, and the executable instruction causes a processor to perform the operations corresponding to the safety detection method based on an iOS application according to any one of claims A1-A8.
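The scoring flow of A1 to A3, together with the priority ordering of A6, can be sketched as follows. This is an added Python example, not code from the patent: the detection types, keywords, weights, regions, thresholds, test names, the stand-in reply channel and the convention that a higher first evaluation result means more risk are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Everything below is constructed for illustration: type names, keywords,
# weights, regions, thresholds and test names are assumptions, not patent values.
# Assumption: a higher first evaluation result means more risky symbols matched.
DETECTION_TYPES = {
    # "region" is the part of the application symbol table a type is matched against (A3).
    "unsafe_libc": {"region": "dynamic", "type_weight": 0.5,
                    "keywords": {"_strcpy": 3.0, "_sprintf": 2.0, "_gets": 4.0}},
    "weak_hash": {"region": "dynamic", "type_weight": 0.3,
                  "keywords": {"_CC_MD5": 2.0, "_CC_SHA1": 1.0}},
    "debug_residue": {"region": "strings", "type_weight": 0.2,
                      "keywords": {"password=": 3.0, "TODO": 1.0}},
}

# Constructed symbol table, shaped like the three parts named in A4.
SAMPLE_SYMBOL_TABLE = {
    "static": ["_main", "-[LoginViewController viewDidLoad]"],
    "dynamic": ["_strcpy", "_CC_MD5", "_objc_msgSend", "_NSLog"],
    "strings": ["https://api.example.invalid/login", "debug: password=%@"],
}


def match_keywords(symbol_table, types=DETECTION_TYPES):
    """Build one type set per detection type holding the keywords that matched (A2)."""
    type_sets = {}
    for name, cfg in types.items():
        region = symbol_table.get(cfg["region"], [])  # missing region -> no matches
        exact = cfg["region"] != "strings"            # symbols match whole, strings by substring
        type_sets[name] = {
            kw for kw in cfg["keywords"]
            if any((kw == entry) if exact else (kw in entry) for entry in region)
        }
    return type_sets


def first_evaluation(type_sets, types=DETECTION_TYPES):
    """Type score = matched keyword weight / total keyword weight; result = type-weighted sum."""
    result = 0.0
    for name, hits in type_sets.items():
        weights = types[name]["keywords"]
        type_score = sum(weights[kw] for kw in hits) / sum(weights.values())
        result += types[name]["type_weight"] * type_score
    return round(result, 4)


@dataclass
class DynamicTest:
    name: str
    priority: int      # lower value is sent first (priority information, A6)
    instruction: str   # opaque test instruction understood by the test harness
    expected: dict     # reply -> True (protection held) or False (it did not)


TEST_TABLE = [
    DynamicTest("integrity_probe", 2, "CHECK_INTEGRITY",
                {"tamper_detected": True, "ran_normally": False}),
    DynamicTest("anti_debug_probe", 1, "CHECK_DEBUG",
                {"terminated": True, "ran_normally": False}),
]


def second_evaluation(send, tests=TEST_TABLE):
    """Send instructions in priority order; compare each reply with its preconfigured results."""
    if not tests:
        return 0.0, {}
    outcomes = {}
    for test in sorted(tests, key=lambda t: t.priority):
        reply = send(test.instruction)
        # A reply outside the preconfigured set is inconclusive (None) and never counts as a pass.
        outcomes[test.name] = test.expected.get(reply)
    passed = sum(1 for verdict in outcomes.values() if verdict is True)
    return round(passed / len(tests), 4), outcomes


def is_safe(first, second, max_risk=0.3, min_protection=0.8):
    """Combine both results; the thresholds are illustrative assumptions."""
    return first <= max_risk and second >= min_protection


def sample_app(instruction):
    """Constructed stand-in for the channel that returns the target application's reply."""
    replies = {"CHECK_DEBUG": "terminated", "CHECK_INTEGRITY": "timeout"}
    return replies.get(instruction, "ran_normally")


if __name__ == "__main__":
    sets = match_keywords(SAMPLE_SYMBOL_TABLE)
    first = first_evaluation(sets)
    second, outcomes = second_evaluation(sample_app)
    print(sets, first, second, outcomes, is_safe(first, second))
```

The constructed integrity probe replies with a value outside its preconfigured set, so it is recorded as inconclusive rather than as a pass, which is the case a real harness has to decide how to score.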
Claims (10)
1. A safety detection method for an iOS application, comprising:
acquiring an application symbol table corresponding to a target application, matching acquired type keywords corresponding to a preset detection type against the application symbol table, and determining a first evaluation result corresponding to the target application according to the quantity and/or character weight of the successfully matched target keywords;
sending a dynamic test instruction corresponding to a preset function to the target application, and determining a second evaluation result corresponding to the target application according to the test response result returned by the target application for the dynamic test instruction and at least two preconfigured intended response results corresponding to the dynamic test instruction;
judging whether the target application is safe according to the first evaluation result and the second evaluation result.
2. The method according to claim 1, wherein, when the preset detection type includes multiple detection types, matching the acquired type keywords corresponding to the preset detection type against the application symbol table specifically comprises:
setting a corresponding type set for each detection type, and storing each extracted target keyword in the type set corresponding to the detection type of that target keyword;
and determining the first evaluation result corresponding to the target application according to the quantity and/or character weight of the successfully matched target keywords comprises:
for each type set, determining the type assessment score corresponding to the type set according to the quantity of the target keywords included in the type set and/or the character weight of the target keywords;
determining the first evaluation result corresponding to the target application according to the type assessment score corresponding to each type set and the type weight corresponding to each type set.
3. The method according to claim 1, wherein matching the acquired type keywords corresponding to the preset detection type against the application symbol table comprises:
for a type keyword to be matched, determining the type detection region that matches the detection type corresponding to the type keyword;
extracting the target area corresponding to the type detection region from the application symbol table, and matching the acquired type keyword against the target area.
4. The method according to claim 1, wherein acquiring the application symbol table corresponding to the target application comprises:
acquiring the application file of the target application;
decompiling the application file to obtain the application symbol table corresponding to the target application;
wherein the application symbol table further comprises: a static symbol table, a dynamic symbol table, and/or a character list.
5. The method according to claim 1, wherein the preset function includes an anti-reversing function and the dynamic test instruction includes an anti-reversing test instruction, and sending the dynamic test instruction corresponding to the preset function to the target application comprises:
sending an anti-reversing test instruction corresponding to the preset anti-reversing function to the target application.
6. The method according to claim 5, wherein sending the anti-reversing test instruction corresponding to the preset anti-reversing function to the target application comprises:
sending to the target application each anti-reversing test instruction stored in a preset negative test instruction catalogue, according to each anti-reversing function stored in the catalogue, the type of each anti-reversing test instruction corresponding to each anti-reversing function, and/or the priority information between the anti-reversing test instructions.
7. A safety detection device for an iOS application, comprising:
a first evaluation result determining module, which acquires an application symbol table corresponding to a target application, matches acquired type keywords corresponding to a preset detection type against the application symbol table, and determines a first evaluation result corresponding to the target application according to the quantity and/or character weight of the successfully matched target keywords;
a second evaluation result determining module, which sends a dynamic test instruction corresponding to a preset function to the target application, and determines a second evaluation result corresponding to the target application according to the test response result returned by the target application for the dynamic test instruction and at least two preconfigured intended response results corresponding to the dynamic test instruction;
a target application safety judgment module, which judges whether the target application is safe according to the first evaluation result and the second evaluation result.
8. A safety detection system for an iOS application, characterized by comprising the safety detection device according to claim 7.
9. An electronic device, comprising: a processor, a memory, a communications interface and a communication bus, wherein the processor, the memory and the communications interface communicate with one another via the communication bus;
the memory is used to store at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the safety detection method based on an iOS application according to any one of claims 1-6.
10. A computer storage medium, wherein at least one executable instruction is stored in the storage medium, and the executable instruction causes a processor to perform the operations corresponding to the safety detection method based on an iOS application according to any one of claims 1-6.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910245705.2A CN110110521A (en) | 2019-03-28 | 2019-03-28 | It is a kind of based on iOS application safety detection method, apparatus and system |
PCT/CN2019/123870 WO2020192179A1 (en) | 2019-03-28 | 2019-12-09 | Security detection method, device and system based on ios application |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910245705.2A CN110110521A (en) | 2019-03-28 | 2019-03-28 | It is a kind of based on iOS application safety detection method, apparatus and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110110521A true CN110110521A (en) | 2019-08-09 |
Family
ID=67484812
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910245705.2A Pending CN110110521A (en) | 2019-03-28 | 2019-03-28 | It is a kind of based on iOS application safety detection method, apparatus and system |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN110110521A (en) |
WO (1) | WO2020192179A1 (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110764773A (en) * | 2019-09-03 | 2020-02-07 | 北京字节跳动网络技术有限公司 | APP generation method, device, medium and electronic equipment |
WO2020192179A1 (en) * | 2019-03-28 | 2020-10-01 | 江苏通付盾信息安全技术有限公司 | Security detection method, device and system based on ios application |
CN114328203A (en) * | 2021-12-22 | 2022-04-12 | 支付宝(杭州)信息技术有限公司 | Applet detection method and device |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104715200A (en) * | 2012-05-04 | 2015-06-17 | 北京奇虎科技有限公司 | Method and device for identifying viral APK (Android application package file) |
CN104933362A (en) * | 2015-06-15 | 2015-09-23 | 福州大学 | Automatic detection method of API (Application Program Interface) misuse-type bug of Android application software |
US9519774B2 (en) * | 2014-01-20 | 2016-12-13 | Prevoty, Inc. | Systems and methods for SQL query constraint solving |
CN107122666A (en) * | 2016-12-05 | 2017-09-01 | 招商银行股份有限公司 | The methods of risk assessment and device of financial application |
CN107798242A (en) * | 2017-11-13 | 2018-03-13 | 南京大学 | A kind of malice Android application automatic checkout system of quiet dynamic bind |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104200155A (en) * | 2014-08-12 | 2014-12-10 | 中国科学院信息工程研究所 | Monitoring device and method for protecting user privacy based on iPhone operating system (iOS) |
CN105653947B (en) * | 2014-11-11 | 2019-09-13 | 中国移动通信集团公司 | The method and device of data safety risk is applied in a kind of assessment |
CN110110521A (en) * | 2019-03-28 | 2019-08-09 | 江苏通付盾信息安全技术有限公司 | It is a kind of based on iOS application safety detection method, apparatus and system |
2019
- 2019-03-28 CN CN201910245705.2A patent/CN110110521A/en active Pending
- 2019-12-09 WO PCT/CN2019/123870 patent/WO2020192179A1/en active Application Filing
Non-Patent Citations (1)
Title |
---|
王东海等: "《信息安全仿真验证技术》", 31 December 2015 * |
Also Published As
Publication number | Publication date |
---|---|
WO2020192179A1 (en) | 2020-10-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN103632096B (en) | A kind of method and apparatus that safety detection is carried out to equipment | |
Rajab et al. | Trends in circumventing web-malware detection | |
US8561021B2 (en) | Test code qualitative evaluation | |
US10380349B2 (en) | Security analysis using relational abstraction of data structures | |
CN105630463B (en) | For detecting the method and device of JAR packet conflict | |
Karami et al. | Behavioral analysis of android applications using automated instrumentation | |
Pradel et al. | EventBreak: Analyzing the responsiveness of user interfaces through performance-guided test generation | |
CN110110521A (en) | It is a kind of based on iOS application safety detection method, apparatus and system | |
US20130290786A1 (en) | Automated testing of applications with scripting code | |
US20050204343A1 (en) | Automated test system for testing an application running in a windows-based environment and related methods | |
CN104462985A (en) | Detecting method and device of bat loopholes | |
JP6142705B2 (en) | Iterative generation of symbolic test drivers for object-oriented languages | |
CN103581185A (en) | Cloud searching and killing method, device and system for resisting anti-antivirus test | |
CN110135163A (en) | A kind of safety detection method based on target application, apparatus and system | |
CN106682513A (en) | Detection method for target sample file and device | |
CN109388946A (en) | Malicious process detection method, device, electronic equipment and storage medium | |
EP3029595B1 (en) | Apparatuses, mobile devices, methods and computer programs for evaluating runtime information of an extracted set of instructions based on at least a part of a computer program | |
CN103713945B (en) | The recognition methods of game and device | |
Mouzarani et al. | Smart fuzzing method for detecting stack‐based buffer overflow in binary codes | |
Bhardwaj et al. | Reverse engineering-a method for analyzing malicious code behavior | |
US11868465B2 (en) | Binary image stack cookie protection | |
CN108958890A (en) | Container microscope testing method, apparatus and electronic equipment | |
US10275595B2 (en) | System and method for characterizing malware | |
CN106650439A (en) | Suspicious application program detection method and device | |
CN110889116A (en) | Advertisement blocking method and device and electronic equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20190809 |