CN111353146A - Method, device, equipment and storage medium for detecting sensitive permission of application program - Google Patents


Info

Publication number: CN111353146A
Authority: CN (China)
Prior art keywords: sensitive, application program, calling, dynamic, permission
Legal status: Granted
Application number: CN202010445707.9A
Other languages: Chinese (zh)
Other versions: CN111353146B (en)
Inventor: 陈伟平
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202010445707.9A
Publication of CN111353146A
Application granted
Publication of CN111353146B
Current status: Active

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45: Structures or tools for the administration of authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The application relates to a method, an apparatus, a device and a storage medium for detecting the sensitive permissions of an application program. The method comprises: acquiring an application program to be detected and the installation file of the application program; dynamically running the application program in a target operating system environment, where the source code file of the target operating system includes a call marking function; during the dynamic run of the application program, obtaining a dynamic call result for the candidate sensitive permissions through the call marking function; determining the dynamic sensitive permissions used by the application program from the dynamic call result; obtaining a static call-relation analysis result for the taint function, and determining the static sensitive permissions of the application program from that result; and determining the sensitive permission detection result of the application program from the dynamic sensitive permissions and the static sensitive permissions. By fusing the detection of dynamic and static sensitive permissions, the scheme can effectively improve the accuracy of detecting the sensitive permissions of an application program.

Description

Method, device, equipment and storage medium for detecting sensitive permission of application program
Technical Field
The present application relates to the field of security detection technologies, and in particular, to a method and an apparatus for detecting application sensitive permissions, a computer device, and a storage medium.
Background
With the development of network technology, the number of application programs has increased sharply. These application programs often need to request access permissions from users and carry out their business processes through the permissions granted. The requested permissions may include sensitive permissions such as location and short messages. In practice, some application programs use only part of the sensitive permissions they request while running, so sensitive permissions are over-requested. Over-requesting sensitive permissions is likely to cause leakage of user information and creates hidden dangers for the personal and property safety of users. Therefore, it is necessary to accurately detect the sensitive permissions an application program actually uses.
Conventionally, the sensitive permissions used by an application program are determined by statically analyzing the files of the application program. However, some application programs integrate third-party plug-ins, so the sensitive permissions determined by static analysis may not reflect the real situation, and the accuracy of detecting the application program's sensitive permissions is low.
It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the present invention and therefore may include information that does not constitute prior art known to a person of ordinary skill in the art.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a method, an apparatus, a computer device, and a storage medium for detecting application sensitive permission, which can improve accuracy of detecting application sensitive permission.
A method for detecting the sensitive permissions of an application program comprises the following steps: acquiring an application program to be detected and an installation file of the application program, where the installation file includes a taint function corresponding to a candidate sensitive permission; dynamically running the application program in a target operating system environment, where the source code file of the target operating system includes a call marking function, and the call marking function is used to make a mark when the candidate sensitive permission is called; during the dynamic run of the application program, obtaining a dynamic call result for the candidate sensitive permission through the call marking function; determining, from the dynamic call result, the candidate sensitive permission used by the application program, and taking it as the dynamic sensitive permission; obtaining a static call-relation analysis result for the taint function, and determining the static sensitive permission of the application program from that result; and determining the sensitive permission detection result of the application program from the dynamic sensitive permission and the static sensitive permission.
An apparatus for detecting sensitive rights of an application, the apparatus comprising: the program acquisition module is used for acquiring an application program to be detected and an installation file of the application program; the installation file comprises a taint function corresponding to the candidate sensitive authority; the program running module is used for dynamically running the application program under the environment of a target operating system; the source code file of the target operating system comprises a calling marking function, and the calling marking function is used for marking when the candidate sensitive permission is called; the calling result acquisition module is used for acquiring a dynamic calling result of the candidate sensitive permission through the calling marking function in the dynamic running process of the application program; the dynamic permission determining module is used for determining candidate sensitive permission used by the application program according to the dynamic calling result and taking the candidate sensitive permission as dynamic sensitive permission; the static permission determining module is used for acquiring a calling relation static analysis result of the taint function and determining the static sensitive permission corresponding to the application program according to the calling relation static analysis result; and the permission detection result determining module is used for determining the sensitive permission detection result of the application program according to the dynamic sensitive permission and the static sensitive permission.
In one embodiment, the program execution module includes: the source code file acquisition submodule is used for acquiring a first operating system source code file corresponding to the target operating system; the image file compiling submodule is used for compiling and generating a system image file according to the first operating system source code file; the image file output submodule is used for outputting the system image file to target equipment so as to replace a system source code file configured in advance in the target equipment by the first operating system source code file; and the application program running submodule is used for controlling the application program to dynamically run in the target equipment under the environment of a target operating system according to the source code file of the first operating system.
In one embodiment, the source code file acquisition submodule includes: a source code file acquiring unit, configured to acquire a second operating system source code file corresponding to the target operating system; an instrumentation instruction receiving unit, configured to receive an instrumentation instruction, where the instrumentation instruction carries a sensitive permission identifier and a call marking code; an interface function determining unit, configured to determine, in the second operating system source code file, a target interface function corresponding to the sensitive permission identifier; a code writing unit, configured to instrument the target interface function, so as to write the call marking code into the target interface function and obtain the call marking function; and a source code file determining unit, configured to obtain the first operating system source code file according to the call marking function.
In one embodiment, a dynamic privilege determination module includes: the mapping table acquisition submodule is used for acquiring a mapping table of an interface function and the sensitive permission; the interface function determining submodule is used for determining a called target interface function according to the dynamic calling result; and the calling result conversion submodule is used for converting the dynamic calling result according to the mapping table and the called target interface function to obtain candidate sensitive permission used by the application program and using the candidate sensitive permission as the dynamic sensitive permission.
In one embodiment, a code writing unit includes: a function definition determining subunit, configured to determine a function definition of the target interface function; a code writing subunit, configured to write the call flag code into the function definition; and the calling and marking function determining subunit is used for determining the target interface function containing the calling and marking code in the function definition as the calling and marking function.
In one embodiment, the system image file is a flashing file; the image file output submodule is further configured to output the flashing file to the target device and to trigger flashing of the target device according to the flashing file, so that the first operating system source code file replaces the system source code file configured in advance in the target device.
In one embodiment, the call result obtaining module includes: the business process execution submodule is used for controlling the target equipment to execute the business process when receiving operation triggering information for carrying out interactive operation on the application program; the business process comprises a process for calling the candidate sensitive permission; and the calling result determining submodule is used for acquiring the information called by the candidate sensitive permission through the calling mark code in the service flow executing process and taking the information as the dynamic calling result.
In one embodiment, the permission detection result determining module includes: the danger authority determining submodule is used for respectively determining the dynamic danger sensitive authority and the static danger sensitive authority which are excessively applied by the application program according to the dynamic sensitive authority and the static sensitive authority; and the detection result determining submodule is used for determining the sensitive permission detection result of the application program according to the dynamic danger sensitive permission and the static danger sensitive permission.
In one embodiment, the hazard authority determination submodule includes: the to-be-evaluated authority determining unit is used for acquiring sensitive authority application information of the application program and determining the to-be-evaluated sensitive authority applied by the application program according to the sensitive authority application information; the dynamic danger authority determining unit is used for determining the dynamic danger sensitive authority according to the comparison result of the dynamic sensitive authority and the sensitive authority to be evaluated; and the static danger authority determining unit is used for determining the static danger sensitive authority according to the comparison result of the static sensitive authority and the sensitive authority to be evaluated.
In an embodiment, the detection result determining submodule is further configured to supplement the static danger-sensitive permission with the dynamic danger-sensitive permission, so as to obtain a detection result of the sensitive permission of the application program.
In one embodiment, the static permission determination module includes: the taint function determining submodule is used for determining an interface function corresponding to the candidate sensitive permission in the installation file as the taint function; the calling relation determining submodule is used for acquiring called information of each interface function in the installation file and obtaining a function calling relation according to the called information; and the static analysis result determining submodule is used for determining a calling relation static analysis result of the taint function according to the function calling relation.
In one embodiment, the apparatus further comprises: the configuration file acquisition module is used for acquiring a system configuration file of the target operating system; the authority analysis module is used for carrying out sensitive authority analysis on the system configuration file; and the sensitive permission determining module is used for obtaining the candidate sensitive permission according to the sensitive permission analysis result.
A computer device comprising a memory and a processor, the memory storing a computer program, the processor implementing the following steps when executing the computer program: acquiring an application program to be detected and an installation file of the application program; the installation file comprises a taint function corresponding to the candidate sensitive authority; dynamically running the application program in a target operating system environment; the source code file of the target operating system comprises a calling marking function, and the calling marking function is used for marking when the candidate sensitive permission is called; in the dynamic operation process of the application program, acquiring a dynamic calling result of the candidate sensitive permission through the calling marking function; determining candidate sensitive permission used by the application program according to the dynamic calling result, and using the candidate sensitive permission as dynamic sensitive permission; obtaining a calling relation static analysis result of the taint function, and determining a static sensitive permission corresponding to the application program according to the calling relation static analysis result; and determining a sensitive permission detection result of the application program according to the dynamic sensitive permission and the static sensitive permission.
A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, carries out the steps of: acquiring an application program to be detected and an installation file of the application program; the installation file comprises a taint function corresponding to the candidate sensitive authority; dynamically running the application program in a target operating system environment; the source code file of the target operating system comprises a calling marking function, and the calling marking function is used for marking when the candidate sensitive permission is called; in the dynamic operation process of the application program, acquiring a dynamic calling result of the candidate sensitive permission through the calling marking function; determining candidate sensitive permission used by the application program according to the dynamic calling result, and using the candidate sensitive permission as dynamic sensitive permission; obtaining a calling relation static analysis result of the taint function, and determining a static sensitive permission corresponding to the application program according to the calling relation static analysis result; and determining a sensitive permission detection result of the application program according to the dynamic sensitive permission and the static sensitive permission.
With the above method, apparatus, computer device and storage medium for detecting the sensitive permissions of an application program, the sensitive permissions that the application program actually uses while running are obtained dynamically and accurately through the call marking function. In addition, the dynamic sensitive permissions and the static sensitive permissions are obtained separately, and the sensitive permission detection result of the application program is determined from both. Because the detection result incorporates the dynamic sensitive permissions, it overcomes the shortcomings of static detection and can effectively improve the accuracy of detecting the sensitive permissions of an application program.
Drawings
FIG. 1 is a diagram of an application environment in which a method for detecting application sensitive rights is implemented in one embodiment;
FIG. 2 is a flowchart illustrating a method for detecting application sensitive rights in one embodiment;
FIG. 3 is a diagram illustrating a correspondence between sensitive permissions and target interface functions in one embodiment;
FIG. 4 is a flow diagram that illustrates the determination of dynamically sensitive rights, in one embodiment;
FIG. 5 is a schematic flow chart illustrating the determination of static hazard-sensitive rights in one embodiment;
FIG. 6 is a flowchart illustrating a method for detecting sensitive permissions of an application in another embodiment;
FIG. 7 is a block diagram of an apparatus for detecting application-sensitive permissions according to one embodiment;
FIG. 8 is a diagram illustrating an internal structure of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The method for detecting the sensitive permissions of an application program can be applied in a cloud security scenario. Cloud Security is a general term for the security software, hardware, users, organizations and secure cloud platforms built on the cloud computing business model. Cloud security combines emerging technologies and concepts such as parallel processing, grid computing and behavior-based judgment of unknown viruses. A large number of networked clients monitor abnormal software behavior in the network, obtain the latest information on trojans and malicious programs on the internet, and send it to the server for automatic analysis and processing; the resulting virus and trojan solutions are then distributed to each client. The method for detecting the sensitive permissions of an application program can accurately analyze the sensitive permissions the application program actually uses, determine whether sensitive permissions are over-requested, and effectively protect user privacy.
The main research directions of cloud security include: 1. the cloud computing security mainly researches how to guarantee the security of the cloud and various applications on the cloud, including the security of a cloud computer system, the secure storage and isolation of user data, user access authentication, information transmission security, network attack protection, compliance audit and the like; 2. the cloud of the security infrastructure mainly researches how to adopt cloud computing to newly build and integrate security infrastructure resources and optimize a security protection mechanism, and comprises the steps of constructing a super-large-scale security event and an information acquisition and processing platform through a cloud computing technology, realizing the acquisition and correlation analysis of mass information, and improving the handling control capability and the risk control capability of the security event of the whole network; 3. the cloud security service mainly researches various security services provided for users based on a cloud computing platform, such as anti-virus services, anti-sensitive permission over-application and the like.
In one embodiment, the method for detecting the sensitive authority of the application program provided by the application program can be applied to an application environment as shown in fig. 1. The application environment includes the detection device 101 and the target device 102, which may communicate via a network, and may be directly or indirectly connected via a wired or wireless communication manner, which is not limited herein. The detection device 101 controls an application program to be detected to run in the target device 102 under the target operating system environment, and obtains a dynamic sensitive permission of the application program according to a dynamic calling result obtained by calling the marker function, and in addition, the detection device 101 obtains a static sensitive permission and obtains a sensitive permission detection result according to the combination of the dynamic sensitive permission and the static sensitive permission. Both the detection device 101 and the target device 102 may be implemented by a server or a terminal device. The server may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as cloud service, a cloud database, cloud computing, a cloud function, cloud storage, network service, cloud communication, middleware service, domain name service, security service, CDN, and a big data and artificial intelligence platform. The terminal device may be, but is not limited to, a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart speaker, a smart watch, and the like.
In an embodiment, an application environment to which the method for detecting the sensitive permission of the application program provided by the present application is applied may also include only the detection device. The detection device is configured with a target operating system environment and controls an application program to be detected to dynamically run in the detection device, dynamic sensitive permission of the application program is obtained according to a dynamic calling result obtained by calling a marking function, static sensitive permission of the application program is obtained in a static analysis mode, and a sensitive permission detection result of the application program is determined according to the dynamic sensitive permission and the static sensitive permission.
In an embodiment, as shown in fig. 2, a method for detecting application sensitive rights is provided, and this embodiment is illustrated by applying the method to the detection device in fig. 1. The method comprises the following steps:
S201, acquiring an application program to be detected and an installation file of the application program; the installation file includes a taint function corresponding to the candidate sensitive permission.
In some cases, an application program requests sensitive permissions that it does not need for its business process, only in order to obtain sensitive information such as the user's address, call records and short messages, which threatens the personal and property safety of the user. Therefore, it is necessary to detect the sensitive permissions the application program actually uses while running and to determine whether it over-requests unnecessary sensitive permissions, so that measures can be taken to protect the user's information.
The application program to be detected (which may simply be referred to as the application program) may be any type of application program. There may be more than one application program; when there are two or more, each can be run and triggered separately so that its dynamic call result is obtained through the corresponding call marking code. Furthermore, when there are two or more application programs, their sensitive permission detection results can be determined by parallel processing.
The installation file may be referred to as an application package. In the Android system, the installation file may refer to an APK (Android application package) file, which includes codes related to application distribution, installation, operation, and the like.
Sensitive permissions are permissions to access sensitive information that bears on the personal and property safety of the user. After an application program has been granted a sensitive permission, the personal and property safety of the user may be threatened if the sensitive information is processed illegally. The candidate sensitive permissions may be all or some of the sensitive permissions involved in the target operating system. For example, the candidate sensitive permissions may be the permissions to access information such as the user's address, call records and short message content.
The taint function is an interface function in the installation file that corresponds to a candidate sensitive permission. Here, an interface function is a function related to a network interface involved in the running of the application program, and the network interface may be an interface through which the candidate sensitive permission can be accessed.
After the installation file of the application program is obtained, the application program may be installed in the detection device (or other terminal device independent of the detection device, such as the aforementioned target device) according to the installation file, and then the application program may be run in the detection device (or other terminal device).
S202, dynamically running the application program in a target operating system environment; and the source code file of the target operating system comprises a calling marking function, and the calling marking function is used for marking when the candidate sensitive permission is called.
The target operating system is an operating system on which the application program to be detected can run, and may be Android, Windows, Linux or the like. The source code file of the target operating system can be obtained from an open source code repository. The source code file may contain the various control source code related to the target operating system, including the interface functions of its interfaces (which may be the various service interfaces of the target operating system). The detection device can configure the target operating system environment from the source code file and then control the application program to run dynamically in that environment.
The call marking function is an interface function in the target operating system that has call marking capability, that is, it records the current call when it is called by another function. The call marking function may be generated as follows: determine, in the source code file of the target operating system, the interface function corresponding to the candidate sensitive permission and take it as the target interface function; write the call marking code into the target interface function; and take the target interface function containing the call marking code as the call marking function. Once the call marking code has been written into the target interface function, the target interface function can be regarded as instrumented, so the call marking function may also be referred to as a stub function or a stub.
Further, the interface function may include information such as a class name, a function name, and a parameter, and the target interface function corresponding to the candidate sensitive permission may be determined according to the information such as the class name, the function name, and the parameter. Specifically, the target interface function may be in the form of:
Class0 func0(arg0,arg1,...)
Class1 func1(arg0,arg1,...)
Class2 func2(arg0,arg1,...)
wherein, Class0, Class1 and Class2 denote Class names, func0, func1 and func2 denote function names, and arg0 and arg1 denote parameters.
Further, there may be a one-to-one or one-to-many relationship between the candidate sensitive rights and the target interface function. The one-to-many relationship is shown in fig. 3, that is, the candidate sensitive permission corresponds to a plurality of target interface functions: interface function 1/2/3, and so on.
Specifically, taking the candidate sensitive permission for sending a short message (SEND_SMS) as an example, the corresponding target interface functions may include at least the following three interface functions:
<api class="Landroid/telephony/SmsManager;" method="sendTextMessage"/>
<api class="Landroid/telephony/SmsManager;" method="divideMessage"/>
<api class="Landroid/telephony/SmsManager;" method="sendMultipartTextMessage"/>
where api class = "… …" indicates a class, and method = "… …" indicates a function code.
In addition to including function code, parameters may also be included in each target interface function. The parameter may include text information (for example, a short message is sent, and the text information may be content of the short message to be sent), a flag bit (for example, a flag bit used for representing whether the short message is sent successfully), and the like.
In addition, the dynamic running of the control application may be that the control application runs in the local terminal (that is, the detection device), or that the control application runs in a terminal device (which may be referred to as a target device) other than the local terminal. The target device may be various types of terminal devices, and the target device may be configured with the target operating system.
S203, in the dynamic running process of the application program, obtaining a dynamic calling result of the candidate sensitive permission through the calling marking function.
The application program may call an interface function in the target operating system during the running process, for example, calling the interface function for sending a short message when receiving an operation instruction for sending a short message. Further, if a call marking function corresponding to a certain candidate sensitive permission is called, the call marking code in the call marking function records the call, and a dynamic calling result is then generated.
The call marking code may record the call log when the corresponding call marking function is called, and the recording mode may be: adjusting a flag (e.g., changing 0 to 1, or adding 1 to the original flag once per call). When the application finishes running, the call marking code outputs function call information (which may also be referred to as called information). The detection device determines the interface functions called by the application program in the current running process according to the function call information, and can also determine the candidate sensitive permissions that were called, so as to generate a dynamic calling result. It should be noted that, in the embodiment of the present invention, a call to a candidate sensitive permission may be understood as a call to one of its interface functions.
Further, the dynamic calling result may be generated as follows: when it is determined according to the function call information that a call marking function has been called, adding the called call marking function (or the corresponding candidate sensitive permission) to an interface calling list, and then outputting the interface calling list as the dynamic calling result.
S204, determining the candidate sensitive permission used by the application program according to the dynamic calling result, and using the candidate sensitive permission as the dynamic sensitive permission.
In S202-S203, the information that a call marking function was called can be acquired only by actually running the application. The process is dynamic, and the acquired called information also changes dynamically according to the actual running condition of the application, so the candidate sensitive permission determined according to the dynamic calling result is referred to as a dynamic sensitive permission in S204.
Furthermore, the called calling marking function can be determined according to the dynamic calling result, and the calling marking function corresponds to the candidate sensitive permission, so that the candidate sensitive permission used in the running process of the application program can be determined according to the dynamic calling result and used as the dynamic sensitive permission. Furthermore, a sensitive permission detection result can be generated according to the determined sensitive permission so as to evaluate the application program.
In some embodiments, if the candidate sensitive permission and the call marking functions are in a one-to-many relationship, the candidate sensitive permission may be considered to be used as long as any one of its call marking functions is called. For example: the candidate sensitive permission S corresponds to the call marking functions P1/P2/P3; if the application calls P2 in the running process, while P1 and P3 are not called, the candidate sensitive permission S can be considered to be actually used. On the other hand, when none of the call marking functions corresponding to a certain candidate sensitive permission is called, the candidate sensitive permission may be considered as not actually used.
S205, obtaining a calling relation static analysis result of the taint function, and determining the static sensitive permission corresponding to the application program according to the calling relation static analysis result.
The static analysis of the calling relationship of the taint function can be to analyze a code corresponding to the taint function, determine the function called by the taint function and the condition that the taint function is called by other functions, and further obtain the function calling relationship. The function call relationship may be used as a static analysis result of the call relationship (in some embodiments, the static analysis result of the call relationship may also refer to the determined static sensitive permission). According to the function call relation, the candidate sensitive permission which is possibly called in the actual operation process of the application program can be predicted, and the static sensitive permission can be obtained.
S206, determining the sensitive permission detection result of the application program according to the dynamic sensitive permission and the static sensitive permission.
The sensitive permission detection result may refer to the determined sensitive permission usage information of the application program, for example: which sensitive permissions are used by the application. Furthermore, the sensitive permission detection result may also refer to sensitive permission over-application information determined according to the determined usage of the sensitive permissions, that is, which permissions the application program should not have applied for.
The static analysis result of the calling relationship is obtained by performing static analysis on the installation file. If a third-party plug-in is integrated in the installation file and needs to access a sensitive permission during actual operation, but the code functions of the third-party plug-in have no corresponding calling relationship, the sensitive permission used by the third-party plug-in cannot be detected in the static analysis process, and the determined static sensitive permission is not accurate enough. The dynamic sensitive permission, obtained by dynamically running the application program, reflects the sensitive permission actually used by the application program during operation and can effectively make up for this deficiency of static detection, so that the sensitive permission detection result obtained by combining dynamic and static detection has higher accuracy.
Further, determining the sensitive permission detection result of the application program according to the dynamic sensitive permission and the static sensitive permission may be implemented in at least the following ways:
1. Integrating the dynamic sensitive permission and the static sensitive permission, and taking the candidate sensitive permissions appearing in either the dynamic sensitive permission or the static sensitive permission as the sensitive permission detection result.
2. Taking the candidate sensitive permissions shared by the dynamic sensitive permission and the static sensitive permission as the sensitive permission detection result.
3. Supplementing the static sensitive permission with the dynamic sensitive permission, for example, taking the static sensitive permission together with the candidate sensitive permissions which appear in the dynamic sensitive permission but not in the static sensitive permission as the sensitive permission detection result.
4. Correcting the static sensitive permission by using the dynamic sensitive permission, for example, removing the candidate sensitive permissions which appear in the static sensitive permission but not in the dynamic sensitive permission, and taking the static sensitive permission after removal as the sensitive permission detection result.
In the above method for detecting the sensitive permission of an application program, source code instrumentation is performed, by means of the call marking code, on the functions corresponding to the candidate sensitive permissions in the operating system source code file, so that the sensitive permission actually used by the application program during running can be obtained dynamically and accurately through the call marking code. In addition, the dynamic sensitive permission and the static sensitive permission are obtained separately, and the sensitive permission detection result of the application program is determined according to both. The resulting detection result fuses the dynamic and static sensitive permissions and combines the advantages of the two detection methods, so the detection accuracy of the application program's sensitive permission can be effectively improved without being affected by the integration of third-party plug-ins.
In one embodiment, the step of dynamically running the application program in the target operating system environment comprises: acquiring a first operating system source code file corresponding to the target operating system; compiling according to the first operating system source code file to generate a system image file; outputting the system image file to target equipment so as to replace a system source code file configured in advance in the target equipment by the first operating system source code file; and controlling the application program to dynamically run in the target equipment under the environment of a target operating system according to the source code file of the first operating system.
The first operating system source code file may refer to a source code file of a target operating system. Source code instrumentation can be performed on a source code file of the target operating system to enable the source code file to include a call marking function, and then a first operating system source code file is obtained. After the source code file of the first operating system is configured in the target device, the detection device may control the application program to dynamically run in the target operating system environment according to the source code file of the first operating system. Of course, in some embodiments, the dynamic running of the application program may be controlled by other devices besides the detection device, and may even be the target device itself; it may also be that the dynamic running of the application is triggered by the user by an interactive operation in the target device.
Further, after the source code file of the first operating system is used for replacing the system source code file configured in advance in the target device, the system source code file of the target device comprises a call marking function, and at this time, the application program to be detected can be installed and operated. In the running process of the application program, the target device can obtain a dynamic calling result of the candidate sensitive permission called in the dynamic running process of the application program by means of the calling marking function. The target device can communicate with the detection device and returns the dynamic calling result to the detection device, so that the detection device determines the dynamic sensitive permission of the application program according to the dynamic calling result.
The implementation manner of compiling and generating the system image file according to the first operating system source code file may be as follows: and carrying out format conversion on the source code file of the first operating system to obtain a format convenient for transmission, wherein the format converted file is a system image file. The system image file may include all source codes in the first operating system source code file, so that the target device can recover to operate normally after acquiring the system image file.
Outputting the system image file to the target device can be performed in a wired or wireless data transmission mode. In some embodiments, the system image file may also be copied to the target device by means of a USB flash drive, a mobile hard disk, or the like.
Furthermore, replacing the system source code file configured in advance in the target device by the system image file can be understood as reinstalling the operating system on the target device, and the reinstalled operating system comprises the code corresponding to the first operating system source code file and the calling marking function, so that not only can all functions before reinstallation be realized, but also calling information of candidate sensitive permission can be acquired.
In one embodiment, the replacement of the source code file may be implemented by flashing. Specifically, the system image file is a flash file; the step of outputting the system image file to a target device to replace a pre-configured system source code file in the target device by the first operating system source code file includes: outputting the flash file to the target device, triggering flashing processing on the target device according to the flash file, and replacing the system source code file configured in advance in the target device by the first operating system source code file.
The flash file can be a rom flash package (which can also be called a rom flash file). That is, the implementation process of this embodiment may be: compiling and generating a rom flash file according to the first operating system source code file obtained through source code instrumentation, flashing the rom flash file into the target device, and triggering flashing processing on the target device according to the rom flash file so that the target device is configured with the first operating system source code file.
In the traditional method, a hook technology (hook function) is adopted to acquire the interface calling condition; this approach does not need to modify source code and only requires using a related hook framework and installing plug-ins into the system. However, the hook technology has limitations: there may be compatibility problems, or the application program may detect the existence of the hook framework, which makes the hook framework unusable. The method for detecting the sensitive permission of the application program provided by the embodiment of the invention modifies the source code by source code instrumentation and configures the modified source code into the target device by flashing, so as to obtain the dynamic calling result in the target device. Because the scheme based on source code instrumentation processes the source code directly, it is not limited by a hook framework, does not have the problem of unsupported applications, and is more stable and effective.
In an embodiment, the step of obtaining the source code file of the first operating system corresponding to the target operating system includes: acquiring a second operating system source code file corresponding to the target operating system; receiving an instrumentation instruction, where the instrumentation instruction carries a sensitive permission identifier and a call marking code; determining a target interface function corresponding to the sensitive permission identifier in the source code file of the second operating system; performing instrumentation on the target interface function to write the call marking code into the target interface function to obtain the call marking function; and obtaining the source code file of the first operating system according to the call marking function.
The instrumentation instruction can be issued by a user or generated by a processing component in the detection device when a set condition is met. Further, the instrumentation instruction may be determined by a processing component in the detection device as follows: when a permission detection instruction is received, the processing component determines candidate sensitive permissions in a first operating system source code file, generates sensitive permission identifiers corresponding to the candidate sensitive permissions, acquires a prestored call marking code from a code library, generates an instrumentation instruction according to the sensitive permission identifiers and the call marking code, and sends the instrumentation instruction to a source code instrumentation component in the detection device, so that the source code instrumentation component completes the source code instrumentation (also called source code stubbing) operation on the first operating system source code file, namely writes the call marking code into the target interface function.
In the embodiment of the invention, the call marking code can mark the calling operation of the call marking function, and can record the call log when the call marking function is called, so as to obtain a dynamic calling result of whether the candidate sensitive permission corresponding to the call marking function is used or not. Further, the call marking code may be written ad hoc by the user or may be a code stored in advance in a code library. Specifically, the call marking code may be a logger class. In addition, one call marking code may correspond to one call marking function or to a plurality of call marking functions. Since the candidate sensitive permission and the call marking function may be in a one-to-many relationship, in some cases one candidate sensitive permission may correspond to one call marking code; in that case one call marking code corresponds to a plurality of call marking functions, that is, one call marking code may be used to obtain the information that a plurality of call marking functions are called.
Furthermore, the first operating system source code file obtained through source code instrumentation can output the dynamic calling result obtained by the call marking code. After the source code instrumentation process, the target interface function including the call marking code is a call marking function (also called a stub function or stub). It should be noted that, in the embodiment of the present invention, after the source code instrumentation process, the target interface function becomes the call marking function; therefore, the instrumented target interface function, the stub function, and the call marking function can be understood as the same thing.
In the above embodiment, the source code file of the operating system corresponding to the target operating system is acquired, and when the instrumentation instruction is received, the calling tag code is written into the target interface function according to the sensitive permission identifier and the calling tag code in the instrumentation instruction, so that the source code instrumentation processing of the source code file is realized, and the source code file of the first operating system is further acquired. The source code is modified in a source code instrumentation mode, so that the sensitive permission used by the application program can be effectively detected through the modified source code, and meanwhile, the influence of the compatibility of the application program is avoided.
In some embodiments, the step of obtaining the source code file of the first operating system corresponding to the target operating system may also be: extracting a target interface function from the source code file of the second operating system, writing a call marking code into the target interface function, rewriting the target interface function containing the call marking code into the source code file of the second operating system as the call marking function, and taking the source code file of the second operating system written with the call marking function as the source code file of the first operating system.
Further, in an embodiment, the step of performing instrumentation on the target interface function to write the call flag code into the target interface function to obtain the call flag function includes: determining a function definition of the target interface function; writing the calling mark code into the function definition; and determining the target interface function containing the calling mark code in the function definition as the calling mark function.
Function definitions of the target interface functions can be found in the source code files of the second operating system through class names, function names, parameters and the like, and calling mark codes are written in the function definitions, so that the source code instrumentation process is realized.
Furthermore, the calling condition of the target interface function is obtained through the calling mark code, and when the application program calls the target interface function, the log of the calling function is output and recorded.
In the embodiment, the function definition of the target interface function is found in the second operating system source code file, and the call marking code is further inserted into the function definition, so that the newly obtained first operating system source code file has the function of obtaining the dynamic call result, and the sensitive permission actually used by the application program is conveniently and dynamically obtained.
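A sketch of the instrumentation step described above, added here as an example and not taken from the patent: it locates each target interface function's definition by class name and function name and writes a marking statement as the first statement of the definition. The `PermLogger.mark` call, the Java stub and the regex-based matching (which only sees definitions carrying at least one modifier) are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Target interface functions for the SMS permission, as listed on the page.
API_XML = """<apis>
<api class="Landroid/telephony/SmsManager;" method="sendTextMessage"/>
<api class="Landroid/telephony/SmsManager;" method="divideMessage"/>
<api class="Landroid/telephony/SmsManager;" method="sendMultipartTextMessage"/>
</apis>"""

# Constructed stand-in for a framework source file; not real operating system code.
SMS_MANAGER_JAVA = """package android.telephony;

public final class SmsManager {
    public void sendTextMessage(String dest, String sc, String text) {
        // "sendTextMessage(" inside a comment must not be instrumented
        deliver(dest, text);
    }

    public java.util.ArrayList<String> divideMessage(String text) {
        return split(text);
    }

    public void sendTextMessage(String dest, String text, int flags) {
        sendTextMessage(dest, null, text);
    }

    private void deliver(String dest, String text) { }
}
"""

# Hypothetical call marking code: one logger call naming class and function.
MARK_TEMPLATE = 'PermLogger.mark("{cls}#{method}");'


def descriptor_to_class(descriptor):
    """Turn 'Landroid/telephony/SmsManager;' into 'android.telephony.SmsManager'."""
    if not (descriptor.startswith("L") and descriptor.endswith(";")):
        raise ValueError(f"not a class descriptor: {descriptor!r}")
    return descriptor[1:-1].replace("/", ".")


def declares(source, cls):
    """Check that the source file belongs to the package and declares the class."""
    package, _, simple = cls.rpartition(".")
    has_pkg = re.search(r"^\s*package\s+" + re.escape(package) + r"\s*;", source, re.M)
    has_cls = re.search(r"\bclass\s+" + re.escape(simple) + r"\b", source)
    return bool(has_pkg and has_cls)


def method_def_pattern(method):
    """Match a definition: modifiers, return type, name, parameters, opening brace."""
    return re.compile(
        r"^[ \t]*(?:(?:public|protected|private|static|final|synchronized)\s+)+"
        r"[\w.<>\[\], ?]+?\s+" + re.escape(method) + r"\s*\(([^)]*)\)"
        r"\s*(?:throws\s+[\w., ]+)?\s*\{",
        re.MULTILINE)


def instrument(source, cls, method):
    """Write the marker into every overload of `method`.

    Returns (new_source, definitions_found). Already marked definitions are
    left alone, so running the tool twice does not duplicate markers.
    """
    marker = MARK_TEMPLATE.format(cls=cls, method=method)
    out, last, found = [], 0, 0
    for m in method_def_pattern(method).finditer(source):
        found += 1
        indent = re.match(r"[ \t]*", m.group(0)).group(0) + "    "
        out.append(source[last:m.end()])
        if not source[m.end():].lstrip().startswith(marker):
            out.append("\n" + indent + marker)
        last = m.end()
    out.append(source[last:])
    return "".join(out), found


def instrument_all(source, api_xml):
    """Instrument every <api> entry; a count of 0 flags a function that was not found."""
    counts = {}
    for api in ET.fromstring(api_xml).iter("api"):
        cls = descriptor_to_class(api.get("class"))
        if not declares(source, cls):
            raise ValueError(f"{cls} is not declared in this source file")
        source, counts[api.get("method")] = instrument(source, cls, api.get("method"))
    return source, counts


if __name__ == "__main__":
    new_source, counts = instrument_all(SMS_MANAGER_JAVA, API_XML)
    print(new_source)
    print(counts)
```

A count of 0 for a listed function means that permission path would go unobserved at run time, so it is worth failing the build on rather than ignoring.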
In one embodiment, the step of determining the candidate sensitive permission used by the application program as the dynamic sensitive permission according to the dynamic call result includes: acquiring a mapping table of an interface function and a sensitive authority; determining a called target interface function according to the dynamic calling result; and converting the dynamic calling result according to the mapping table and the called target interface function to obtain a candidate sensitive permission used by the application program as the dynamic sensitive permission.
The mapping table may be determined according to the architecture of the first os source code file. The sensitive authority involved by each interface function can be determined according to the architecture of the source code file, and the mapping table can be generated.
The embodiment converts the dynamic calling result according to the mapping table, the conversion process is simple and has a basis, and the determining efficiency and the accuracy of the dynamic sensitive permission can be effectively improved.
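The conversion from dynamic calling result to dynamic sensitive permission described here, together with the four ways of combining it with the static result listed under S206, as an added example that is not part of the patent. The log layout, the `PermLogger` tag, the two non-SMS mapping entries and the static result are constructed for illustration.

```python
import re
from collections import Counter

# Mapping table: interface function -> candidate sensitive permission.
# The three SmsManager entries are the ones listed on the page; the other
# two are illustrative entries added for this example.
MAPPING = {
    "android.telephony.SmsManager#sendTextMessage": "SEND_SMS",
    "android.telephony.SmsManager#divideMessage": "SEND_SMS",
    "android.telephony.SmsManager#sendMultipartTextMessage": "SEND_SMS",
    "android.location.LocationManager#getLastKnownLocation": "ACCESS_FINE_LOCATION",
    "android.telephony.TelephonyManager#getDeviceId": "READ_PHONE_STATE",
}

# Constructed static sensitive permissions for the same application.
STATIC_RESULT = {"SEND_SMS", "READ_CONTACTS"}

# Constructed device log; the tag and line layout are assumptions.
SAMPLE_LOG = """\
05-22 10:01:02.911 I/ActivityManager(  912): Start proc com.example.app
05-22 10:01:03.120 I/PermLogger( 4312): android.telephony.SmsManager#sendMultipartTextMessage
05-22 10:01:03.480 I/PermLogger( 4312): android.location.LocationManager#getLastKnownLocation
05-22 10:01:04.002 I/PermLogger( 4312): android.telephony.SmsManager#sendMultipartTextMessage
05-22 10:01:04.350 I/PermLogger( 4312): android.net.wifi.WifiManager#getScanResults
05-22 10:01:05.000 D/PermLogger( 4312): truncated line without a functi
"""

MARK_RE = re.compile(r"\bI/PermLogger\(\s*\d+\):\s+([\w.$]+#\w+)\s*$")


def parse_call_log(text):
    """Interface calling list: called function -> number of recorded calls."""
    calls = Counter()
    for line in text.splitlines():
        m = MARK_RE.search(line)
        if m:
            calls[m.group(1)] += 1
    return calls


def dynamic_permissions(calls, mapping):
    """Convert called functions to permissions through the mapping table.

    A permission counts as used as soon as any one of its functions was
    called (the one-to-many case). Functions absent from the table are
    returned separately so a gap in the table is visible, not silent.
    """
    used, unmapped = {}, []
    for func in sorted(calls):
        perm = mapping.get(func)
        if perm is None:
            unmapped.append(func)
        else:
            used.setdefault(perm, []).append(func)
    return used, unmapped


def provenance(dynamic, static):
    """Label each permission by which analysis reported it."""
    dynamic, static = set(dynamic), set(static)
    labels = {p: "both" for p in dynamic & static}
    labels.update({p: "dynamic-only" for p in dynamic - static})
    labels.update({p: "static-only" for p in static - dynamic})
    return labels


def combine(dynamic, static, mode):
    """The four ways of forming the detection result, by name."""
    dynamic, static = set(dynamic), set(static)
    if mode == "union":          # way 1: in either result
        return dynamic | static
    if mode == "intersection":   # way 2: shared by both results
        return dynamic & static
    if mode == "supplement":     # way 3: static plus dynamic-only
        return static | (dynamic - static)
    if mode == "correct":        # way 4: static minus static-only
        return static - (static - dynamic)
    raise ValueError(f"unknown mode: {mode}")


if __name__ == "__main__":
    used, unmapped = dynamic_permissions(parse_call_log(SAMPLE_LOG), MAPPING)
    print("dynamic:", used)
    print("unmapped calls:", unmapped)
    print("provenance:", provenance(used, STATIC_RESULT))
    for mode in ("union", "intersection", "supplement", "correct"):
        print(mode, sorted(combine(used, STATIC_RESULT, mode)))
```

As plain sets, ways 1 and 3 give the same result, as do ways 2 and 4, so the practical choice is between reporting everything either analysis saw and reporting only what both confirm. The `provenance` labels keep the distinction that the merged set loses.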
In an embodiment, taking an android system as an example, a process of determining a dynamic sensitive permission (i.e., determining a sensitive permission by a dynamic analysis method) may be as shown in fig. 4, where the specific steps include:
S401, obtaining candidate sensitive permission of the android system.
Specifically, the corresponding sensitive permission can be determined by analyzing the android system installation package to serve as a candidate sensitive permission.
In some embodiments, all or part of the sensitive permissions in the android system may be obtained as candidate sensitive permissions.
S402, determining a target interface function corresponding to the candidate sensitive permission in the android system source code file.
Specifically, the target interface function corresponding to the candidate sensitive permission obtained in step S401 may be found according to the mapping table of the interface function and the sensitive permission.
S403, adding a calling mark code in the target interface function to obtain the instrumented system source code.
Specifically, a source code file of the android system comprises a target interface function, a calling mark code is added to the target interface function of the source code file, instrumentation of a system source code is achieved, and the instrumented target interface function serves as the calling mark function.
S404, compiling the instrumented system source codes to generate a rom flash package and outputting the rom flash package to the target device.
Specifically, the instrumented system source code is compiled to generate a corresponding rom flash package, and the rom flash package is flashed into the target device to replace the pre-configured system source code file in the target device.
S405, controlling the target equipment to perform flashing processing according to the rom flashing package, and triggering the target equipment to dynamically run the application program to be detected in the android system environment.
The step controls the application program to run in the target equipment which finishes the flashing, and the application program can call the interface function according to the service requirement in the running process.
S406, in the dynamic running process of the application program to be detected, a dynamic calling result of the candidate sensitive permission to be called is obtained by calling the mark code.
If the candidate sensitive permission is called (namely the calling marking function is called), the calling marking code can mark, and further, a dynamic calling result of the candidate sensitive permission can be obtained according to the marked calling marking code.
S407, analyzing the permission use condition according to the dynamic calling result to obtain the dynamic sensitive permission.
The candidate sensitive permission actually used by the application program is determined according to the dynamic calling result and the mapping table, thereby obtaining the dynamic sensitive permission.
According to the above method for detecting the sensitive permission of the application program, source code instrumentation is carried out on the android source code file in the target device, and a rom flash package is generated according to the instrumented android source code file. Through the call marking code in the rom flash package, the sensitive permission actually used by the application program in the running process can be obtained dynamically without being affected by the integration of third-party plug-ins, so that the determined sensitive permission detection result has high accuracy. The situation in which the application program does not support the source code file is also avoided, which ensures the stability of the method when it runs.
In one embodiment, the step of obtaining a dynamic call result of the candidate sensitive permission through the call marking function during the dynamic running of the application program includes: controlling the target equipment to execute a business process when receiving operation triggering information for carrying out interactive operation on the application program; the business process comprises a process for calling the candidate sensitive permission; and in the process of executing the service flow, acquiring the information called by the candidate sensitive permission through the calling mark code as the dynamic calling result.
The operation trigger information may be trigger information for a user to operate an application program; the trigger information generated by simulating the user operation through a certain algorithm can also be used.
While the application program executes the business process, the use of a user can be simulated: operations such as clicking and sliding are performed on the application program according to a certain trigger strategy, so as to reach as many application function points as possible and trigger the system interface calling behavior of the application program more comprehensively. The target device thus executes the corresponding business process according to the operation trigger information, and the determined dynamic sensitive permission is as consistent as possible with the sensitive permission actually used by the application program, which ensures the accuracy of the determined dynamic sensitive permission and improves the accuracy of the sensitive permission detection result.
In addition, the business process may be performed according to actual operation trigger information, for example: when the operation trigger information for sending the short message is received, the short message content reading interface can be called to obtain the short message text to be sent, and then the short message text to be sent is sent out through the short message sending interface. It can be seen from the above business process of sending a short message that, during its execution, the target device needs to call some interface functions, and if a called interface function is a call marking function, the call marking code in the call marking function records the call log, so as to obtain a dynamic calling result. Furthermore, as many business processes as possible may be executed, so as to determine the sensitive permission actually used by the application program as accurately as possible.
In some embodiments, the sensitive permission that the application program may over-apply for may also be analyzed first, and then the corresponding operation trigger information is sent to the application program. For example: when report information indicating that the application program over-applies for short message content is received, the short message reading permission is determined as a sensitive permission that may be over-applied for; short messages are then edited and sent multiple times to simulate the application program's business process of sending short messages, so as to determine whether the short message reading permission is in fact over-applied for, after which sensitive permission application evaluation information of the application program can be generated.
In the embodiment, the application program is run through the target device, and the operation trigger information is acquired through the target device, so that the dynamic calling result is obtained. In some embodiments, the detection device itself may also run the application program and obtain the operation trigger information, so as to obtain the dynamic call result.
Furthermore, this embodiment simulates operations on the application program while running it, and can effectively acquire the sensitive permission which may be used in the actual running process of the application program, so as to obtain an accurate sensitive permission detection result.
In one embodiment, the step of determining the result of detecting the sensitive permission of the application according to the dynamic sensitive permission and the static sensitive permission includes: respectively determining the dynamic danger sensitive authority and the static danger sensitive authority which are excessively applied by the application program according to the dynamic sensitive authority and the static sensitive authority; and determining a sensitive permission detection result of the application program according to the dynamic dangerous sensitive permission and the static dangerous sensitive permission.
An over-applied sensitive permission is a sensitive permission that the application program applies to the user for but does not need when actually running. The dynamic danger sensitive permission is an over-applied sensitive permission determined by dynamic detection, and the static danger sensitive permission is an over-applied sensitive permission determined by static detection.
The static analysis method can predict the sensitive permissions that the application program may use, but it cannot tell which of them will actually be used at run time and which will not, so the resulting sensitive permission detection result has the following problems:
1. Some applications integrate third-party plug-ins during development, but part of that code is never used when the application program actually runs, so the interface calling behavior obtained by static analysis may not be real.
2. Static analysis requires decompiling the application program, and if the application program adopts countermeasures, the success rate of static analysis drops. The countermeasure may be strong obfuscation and hardening, which covers two concepts. Obfuscation means converting normal program code into code that is difficult to read and understand, and generally comprises character obfuscation and logic obfuscation: logic obfuscation turns originally simple logic into complex logic, commonly by adding multiple jumps to the code; character obfuscation changes function names into poorly readable strings, for example renaming the function download to I1I and upload to 1iIl 1 to make the code harder to read. Hardening means packing (adding a shell): the resources in an executable file are compressed with a special algorithm, yet the compressed file can still run independently, and decompression is completed entirely in memory and hidden from view, so the source code of the application program cannot be obtained by decompiling it directly.
3. Dynamically loaded behavior may produce false positives; that is, an applied-for permission is used not in the current static code but in code delivered later. Specifically, an application may apply for a permission whose use does not appear in the static code of the source code, because updated code that uses it is loaded over the network during use. Static analysis cannot detect such code, so the sensitive permission detection result it produces is inaccurate.
The method for detecting sensitive permissions provided by this embodiment determines the dangerous sensitive permissions by dynamic detection and by static detection respectively, and then determines the sensitive permission detection result of the application program from the dynamic danger sensitive permission and the static danger sensitive permission; combining the two effectively addresses the problems of the static analysis method. Specifically: 1. third-party plug-in code that is integrated into the application but never actually runs is not output to the dynamic sensitive permission detection result, because dynamic detection records only the system interfaces triggered while the application actually runs, so accuracy is largely ensured; 2. countermeasures against reverse analysis are bypassed, because dynamic detection runs the application program directly; 3. code that the application program loads from the cloud is captured by dynamic detection, so it does not cause missed reports. This embodiment therefore supplements the static analysis result with the dynamic analysis result, and this combination of dynamic and static analysis makes up for the deficiencies of static analysis, so that the finally determined sensitive permission over-application result has higher accuracy.
In an embodiment, the step of determining the dynamic danger-sensitive permission and the static danger-sensitive permission that the application program has excessively applied for according to the dynamic sensitive permission and the static sensitive permission respectively includes: acquiring sensitive authority application information of the application program, and determining the sensitive authority to be evaluated, which is applied by the application program, according to the sensitive authority application information; determining the dynamic danger sensitive authority according to the comparison result of the dynamic sensitive authority and the sensitive authority to be evaluated; and determining the static danger sensitive authority according to the comparison result of the static sensitive authority and the sensitive authority to be evaluated.
The application program applies to the user for sensitive permissions when it runs for the first time (or when some condition is triggered) so as to acquire the user's sensitive information. In fact, some application programs apply for sensitive permissions that are not needed to realize their functions, and after acquiring the corresponding sensitive information they may engage in illegal behavior such as fraud, threatening the personal and property safety of users. Therefore, after the actual sensitive permission detection result of the application program is determined, the sensitive permissions actually used must be compared with the sensitive permissions applied for, to determine whether the application program over-applies for sensitive permissions.
Further, this embodiment compares the dynamic sensitive permission actually used by the application program with the applied-for sensitive permission to be evaluated; if the sensitive permissions to be evaluated are more than the dynamic sensitive permissions, the application program can be considered to have over-applied, and the over-applied sensitive permission is the dynamic danger sensitive permission. Likewise, the static sensitive permission actually used by the application program is compared with the applied-for sensitive permission to be evaluated; if the sensitive permissions to be evaluated are more than the static sensitive permissions, the application program can be considered to have over-applied, and the over-applied sensitive permission is the static danger sensitive permission. The sensitive permission detection result of the application program is then determined from the dynamic danger sensitive permission and the static danger sensitive permission.
This embodiment compares the permissions used during actual dynamic running with the permissions applied for by the application, so that the authority actually applied by the application program is obtained; the application program can thus be detected accurately, alarm information can be output in time when sensitive permissions are over-applied for, and leakage of user information is effectively prevented.
In some embodiments, the risk level of the application program may be determined according to the size of the difference between the dynamic sensitive permission (which may also be the static sensitive permission) and the sensitive permission to be evaluated, the amount of loss that the over-applied sensitive permission may cause to the user's person and property, and the like; the risk level may be light, medium, heavy, and so on. Specifically, if most of the sensitive permissions to be evaluated are not actually used, the application may be considered to be at the heavy risk level.
In one embodiment, the step of determining the result of detecting the sensitive permission of the application according to the dynamic danger sensitive permission and the static danger sensitive permission includes: supplementing the static danger sensitive permission with the dynamic danger sensitive permission to obtain the sensitive permission detection result of the application program.
The static danger sensitive permission may be supplemented by the dynamic danger sensitive permission as follows. The following two parts are integrated together: 1. the static danger sensitive permissions; 2. the danger sensitive permissions that appear in the dynamic danger sensitive permissions but do not appear in the static danger sensitive permissions. The integrated danger sensitive permissions are taken as the sensitive permission detection result of the application program.
According to the embodiment, the static danger sensitive authority is supplemented through the dynamic danger sensitive authority, so that the defect of a static analysis method can be effectively made up, and the finally determined sensitive authority detection result has higher accuracy.
In one embodiment, the step of obtaining the result of the static analysis of the call relationship of the taint function includes: determining an interface function corresponding to the candidate sensitive authority in the installation file as the taint function; acquiring called information of each interface function in the installation file, and obtaining a function calling relation according to the called information; and determining a calling relation static analysis result of the taint function according to the function calling relation.
The call instructions in the installation file can be searched, and the called information of each interface function determined from the interface function that each call instruction points to; a call graph of the interface functions can be drawn from the called information and used as the function calling relation.
Furthermore, the called path of the taint function (i.e. which function is called and what the calling purpose is) can be determined according to the function calling relation, and which sensitive permissions are used and which are not can be determined according to the calling path, so that the function calling relationship can be obtained.
Further, taking the android system as an example, the process of determining the static analysis result of the call relationship and determining the static risk-sensitive permission according to the static analysis result of the call relationship may be as shown in fig. 5, which is described in detail as follows:
S501, obtaining an installation file of the application program.
The installation file is an APK file, which may also be referred to as an application package and includes codes related to application distribution, installation, operation, and the like.
S502, obtaining candidate sensitive permissions in the android system by analyzing the AndroidManifest file.
The AndroidManifest file is an android system configuration file. It can declare which permissions an application must have in order to access protected parts of the API and interact with other applications, it also declares the permissions that other applications need in order to interact with the application's components, and it may further include other information such as interface information.
S503, finding a corresponding interface function in the installation file according to the candidate sensitive permission, and using the interface function as a taint function.
Specifically, the taint function corresponding to the candidate sensitive permission can be found in the installation file of the application program according to the mapping table of the interface function and the sensitive permission. The taint function may also be referred to as a pollution function.
S504, performing static taint analysis on the taint function, outputting a static calling path of the taint function, and obtaining a calling relation static analysis result according to the static calling path.
Specifically, the static calling path of the taint function can be determined according to the calling relationship among the functions in the APK file. And predicting the sensitive authority which is possibly used by the application program actually according to the static calling path, and obtaining a static analysis result of the calling relation.
S505, acquiring a pollution source function corresponding to the application program.
The pollution source function may refer to an interface function where the application applies for the sensitive authority to the user. Specifically, S505 may be a configuration file for generating a pollution source function corresponding to the application program.
S506, analyzing and comparing the matching condition of the pollution function and the pollution source function according to the calling relation static analysis result.
Specifically, this step may be implemented by comparing, according to the calling relation static analysis result, the sensitive permission corresponding to the pollution function with the candidate sensitive permission.
S507, determining an authority matching result according to the function matching condition to obtain the static danger sensitive authority.
Specifically, the sensitive permission excessively applied by the application program can be determined according to the matching condition of the two functions, and the static dangerous sensitive permission is obtained.
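Steps S501 to S507 can be sketched as follows. This is an added example, not code from the patent: the manifest, the call edges, the mapping table and all function names are constructed for illustration, and the static calling path is found by walking callers backward from each taint function.

```python
import xml.etree.ElementTree as ET
from collections import deque

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed, simplified mapping table: interface function -> sensitive permission.
API_TO_PERMISSION = {
    "android.location.LocationManager.getLastKnownLocation":
        "android.permission.ACCESS_FINE_LOCATION",
    "android.telephony.TelephonyManager.getDeviceId":
        "android.permission.READ_PHONE_STATE",
    "android.hardware.Camera.open": "android.permission.CAMERA",
    "android.media.AudioRecord.startRecording":
        "android.permission.RECORD_AUDIO",
}

# Constructed sample: decoded AndroidManifest.xml of a hypothetical app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

# Constructed sample: (caller, callee) pairs taken from the call instructions of
# the decompiled installation file. AdsSdk is a hypothetical third-party plug-in.
SAMPLE_CALL_EDGES = [
    ("com.example.demo.MainActivity.onCreate", "com.example.demo.MapHelper.locate"),
    ("com.example.demo.MapHelper.locate",
     "android.location.LocationManager.getLastKnownLocation"),
    ("com.example.demo.MainActivity.onCreate", "com.thirdparty.ads.AdsSdk.init"),
    ("com.thirdparty.ads.AdsSdk.init", "com.thirdparty.ads.Tracker.collect"),
    ("com.thirdparty.ads.AdsSdk.retry", "com.thirdparty.ads.Tracker.collect"),
    ("com.thirdparty.ads.Tracker.collect", "com.thirdparty.ads.AdsSdk.retry"),
    ("com.thirdparty.ads.Tracker.collect",
     "android.telephony.TelephonyManager.getDeviceId"),
]


def candidate_permissions(manifest_xml, api_to_perm):
    """S502: declared permissions that the mapping table treats as sensitive."""
    root = ET.fromstring(manifest_xml)
    declared = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    return declared & set(api_to_perm.values())


def static_call_paths(edges, taint_functions):
    """S504: one static calling path (outermost caller first) per referenced taint function."""
    callers = {}
    for caller, callee in edges:
        callers.setdefault(callee, []).append(caller)
    paths = {}
    for taint in taint_functions:
        if taint not in callers:
            continue  # no call instruction targets it anywhere in the file
        parent = {taint: None}  # parent[f] is the function that f calls on the path
        queue = deque([taint])
        end = taint
        while queue:
            end = queue.popleft()
            if end not in callers:  # nobody calls it: top of the call chain
                break
            for caller in callers[end]:
                if caller not in parent:  # visited check keeps cycles finite
                    parent[caller] = end
                    queue.append(caller)
        path = []
        while end is not None:
            path.append(end)
            end = parent[end]
        paths[taint] = path
    return paths


def static_analysis(manifest_xml, edges, api_to_perm):
    """S502 to S507: returns (static danger permissions, static permissions, paths)."""
    candidates = candidate_permissions(manifest_xml, api_to_perm)
    taints = [f for f, p in api_to_perm.items() if p in candidates]  # S503
    paths = static_call_paths(edges, taints)
    used = {api_to_perm[f] for f in paths}
    return candidates - used, used, paths


if __name__ == "__main__":
    dangerous, used, paths = static_analysis(
        SAMPLE_MANIFEST, SAMPLE_CALL_EDGES, API_TO_PERMISSION)
    for taint, path in paths.items():
        print(" -> ".join(path))
    print("static danger sensitive permissions:", sorted(dangerous))
```

In the sample, READ_PHONE_STATE counts as statically used only because of the plug-in's call chain, which is the situation described in problem 1 of the static method.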
In one embodiment, before the step of dynamically running the application program in the target operating system environment, the method further comprises: acquiring a system configuration file of the target operating system; carrying out sensitive permission analysis on the system configuration file; and obtaining the candidate sensitive permission according to the sensitive permission analysis result.
The system configuration file may refer to a file configured for parameters and initial settings of the target operating system. Specifically, the system configuration file may be an android system configuration file. Further, the system configuration file may be an android manifest file.
For the android system, this embodiment analyzes the AndroidManifest file; the analysis process can be compiling of file codes, and the sensitive permissions related to the android system can be obtained in this way. Because the android system needs to be configured with the AndroidManifest file, the sensitive permission detection provided by the embodiment of the invention is suitable for various target devices running the android system and has a wide application range.
In addition, the method for detecting the sensitive permission provided by the embodiment of the invention is also suitable for other operating systems, candidate sensitive permissions are determined through analyzing the configuration file of the operating system, and then the use condition of the sensitive permission of the application program in the corresponding operating system is detected, so that the method can be applied to various types of application programs, and has a wide application range.
In one embodiment, the sensitive permission detection result may be determined as follows: on the one hand, static taint analysis is performed on the APK file of the application program to obtain a static analysis result; on the other hand, dynamic instrumentation-point analysis is performed on the APK file of the application program to obtain a dynamic analysis result. The dynamic and static results are then analyzed and compared to obtain the sensitive permissions used by the application program, and it is further determined whether the application program over-applies.
Further, as shown in fig. 6, an implementation process of the method for detecting the sensitive permission of the application program may include the following steps:
S601, the detection device acquires a source code file of a second operating system.
S602, the detection equipment acquires the sensitive authority to be evaluated, which is applied by the application program to be detected.
In this step, the detection device obtains the sensitive permission that the application program applies to the user for, that is, the sensitive permission to be evaluated. Specifically, it may be determined from the content displayed on the application program's interface; for example, if it is determined that the condition is met, 'applying for acquiring the following permission' is displayed on the interface, and the corresponding sensitive permission is determined to be the sensitive permission to be evaluated.
S603, the detection device determines the function definition of the target interface function in the second operating system source code file, and adds the calling mark code to the function definition to obtain the first operating system source code file.
In this step, the detection device determines a target interface function in a second operating system source code file of the target operating system, determines a function definition in the target interface function, and adds a call mark code to the function definition to adjust the function definition of the target interface function, so as to obtain an adjusted second operating system source code file, that is, obtain a first operating system source code file.
S604, the detection device compiles and generates a flashing file corresponding to the target operating system according to the source code file of the first operating system.
In this step, the detection device compiles the source code file of the first operating system, and then generates a flashing file of the target operating system.
S605, the detection device outputs the flashing file to the target device.
Specifically, in this step, the system source code file previously configured in the target device may be replaced by means of the flashing file.
S606, the target device replaces the configured source code file of the second operating system by means of the flashing file.
S607, the target device installs the application program and controls the application program to dynamically run in the target operating system environment.
After the source code file is replaced, the detection device may send an installation instruction (the installation instruction may carry an installation file of the application program to be detected) to the target device to trigger the target device to install the application program to be detected, and then, the detection device may send an operation instruction to the target device to trigger the target device to operate the installed application program.
S608, when the application program runs dynamically, the target device obtains the called information of the target interface function through the calling mark code, and obtains a dynamic calling result.
While the application program runs, the calling mark code marks the called condition of the target interface function, so as to obtain the dynamic calling result.
S609, the target device returns the dynamic calling result to the detection device.
In this step, the target device returns the dynamic call result to the detection device.
S610, the detection device obtains a mapping table of the interface function and the sensitive permission, and converts the dynamic calling result according to the mapping table to obtain the dynamic sensitive permission used by the application program during operation.
After receiving the dynamic calling result, the detection device determines an interface function called by the application program in the running process according to the dynamic calling result, and determines the sensitive permission used by the application program according to a mapping table of the interface function and the sensitive permission, namely the dynamic sensitive permission is obtained.
S611, the detection device determines the dynamic danger sensitive authority excessively applied by the application program according to the comparison result of the dynamic sensitive authority and the sensitive authority to be evaluated.
In the step, the dynamic sensitive permission actually used is compared with the applied sensitive permission to be evaluated, and the sensitive permission which is actually applied by the application program but is not needed for realizing the function of the application program, namely the dynamic dangerous sensitive permission, can be determined according to the comparison result.
S612, the detection equipment determines a taint function corresponding to the candidate sensitive authority in the source code file of the second operating system.
In the step, the detection device determines an interface function corresponding to the candidate sensitive permission in the android system in the source code file of the second operating system to obtain a taint function.
S613, the detection equipment acquires the called information of each interface function in the source code file of the second operating system to obtain a function calling relationship; and determining a called path of the taint function according to the function calling relation.
In this step, the detection device determines the interface functions included in the source code file of the second operating system and determines the called information of the interface functions, and the function calling relationship of the interface functions can be obtained according to the called information. The interface functions comprise taint functions, so that the called information of the taint functions can be determined according to the function calling relation, and then the called paths of the taint functions are determined.
S614, the detection device determines the static sensitive authority used by the application program according to the called path.
In this step, the detection device determines, from the code function level, a sensitive permission that may be used by the application program in the running process, that is, a static sensitive permission, according to the called path.
S615, the detection device determines the static dangerous sensitive authority excessively applied by the application program according to the comparison result of the static sensitive authority and the sensitive authority to be evaluated.
In this step, the detection device compares the static sensitive permission obtained by the static analysis with the applied sensitive permission to be evaluated, and obtains the static dangerous sensitive permission excessively applied by the code function layer according to the comparison result.
In the actual running process, third-party plug-ins and the like may be involved, so that the calling of some sensitive permissions is not reflected in the code functions; the static sensitive permissions obtained may therefore not be accurate enough, and need to be supplemented according to the sensitive permissions the application program uses in the actual running process.
It should be noted that the detection device executing S612-S615 and the detection device executing S603-S611 may be the same detection device or different detection devices.
S616, the detection device supplements the static danger sensitive permission through the dynamic danger sensitive permission to obtain a sensitive permission detection result of the application program.
In the step, the detection device integrates the dynamic danger sensitive permission and the static danger sensitive permission so that the dynamic danger sensitive permission supplements the static danger sensitive permission, the combination of dynamic detection and static detection is realized, and the obtained excessive application result of the sensitive permission makes up the inaccuracy of static analysis.
In the method for detecting the sensitive permission of the application program, the source code file in the target device is replaced, and the sensitive permissions actually used while the application program runs can be obtained dynamically through the calling mark code, without being affected by the integration of third-party plug-ins, so that the determined sensitive permission detection result has higher accuracy and the safety of user information is effectively ensured.
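The conversion, comparison and merging in S608 to S616 can be sketched as follows. This is an added example, not code from the patent: the CallMark record format, the package names, the mapping table and the static input are constructed assumptions, and each finding is tagged with the analysis that produced it.

```python
import re

# Constructed, simplified mapping table: interface function -> sensitive permission.
API_TO_PERMISSION = {
    "android.location.LocationManager.getLastKnownLocation":
        "android.permission.ACCESS_FINE_LOCATION",
    "android.telephony.TelephonyManager.getDeviceId":
        "android.permission.READ_PHONE_STATE",
    "android.hardware.Camera.open": "android.permission.CAMERA",
    "android.telephony.SmsManager.sendTextMessage":
        "android.permission.SEND_SMS",
}

# Hypothetical record format written by the calling mark code (logcat style).
CALL_MARK = re.compile(r"\bCallMark: pkg=(?P<pkg>\S+) api=(?P<api>\S+)\s*$")

# Constructed sample of the dynamic calling result returned by the target device.
# It contains a record from another app, a call with no mapping entry and a
# truncated record, all of which must not influence the result.
SAMPLE_LOG = """\
05-20 10:15:01.120  4321  4321 I CallMark: pkg=com.example.demo api=android.location.LocationManager.getLastKnownLocation
05-20 10:15:01.480  2210  2231 I CallMark: pkg=com.other.camera api=android.hardware.Camera.open
05-20 10:15:02.007  4321  4350 I CallMark: pkg=com.example.demo api=android.net.ConnectivityManager.getActiveNetworkInfo
05-20 10:15:03.911  4321  4321 I CallMark: pkg=com.example.demo api=android.location.LocationManager.getLastKnownLocation
05-20 10:15:04.500  4321  4321 I CallMark: pkg=com.example.demo api=
05-20 10:15:09.332  4321  4388 I CallMark: pkg=com.example.demo api=android.telephony.SmsManager.sendTextMessage
"""

# Constructed inputs: permissions the app applies for (S602) and the static
# danger sensitive permissions assumed to come from the static branch (S615).
SAMPLE_TO_EVALUATE = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CAMERA",
    "android.permission.SEND_SMS",
}
SAMPLE_STATIC_DANGEROUS = {
    "android.permission.CAMERA",
    "android.permission.SEND_SMS",  # no static call path: code loaded at run time
}


def dynamic_call_result(log_text, package):
    """S608/S609: call counts per interface function for the app under test only."""
    calls = {}
    for line in log_text.splitlines():
        match = CALL_MARK.search(line)
        if not match or match.group("pkg") != package:
            continue  # malformed record, or a call made by another application
        api = match.group("api")
        calls[api] = calls.get(api, 0) + 1
    return calls


def dynamic_sensitive_permissions(calls, api_to_perm):
    """S610: convert the dynamic calling result through the mapping table."""
    return {api_to_perm[api] for api in calls if api in api_to_perm}


def over_applied(to_evaluate, used):
    """S611/S615: permissions applied for but not among those used."""
    return set(to_evaluate) - set(used)


def detection_result(static_dangerous, dynamic_dangerous):
    """S616: static findings plus dynamic findings absent from them, tagged by source."""
    result = {perm: "static" for perm in static_dangerous}
    for perm in dynamic_dangerous:
        result[perm] = "both" if perm in result else "dynamic"
    return result


def detect(log_text, package, to_evaluate, static_dangerous,
           api_to_perm=API_TO_PERMISSION):
    calls = dynamic_call_result(log_text, package)
    dynamic_used = dynamic_sensitive_permissions(calls, api_to_perm)
    dynamic_dangerous = over_applied(to_evaluate, dynamic_used)
    return {
        "dynamic_used": dynamic_used,
        "dynamic_dangerous": dynamic_dangerous,
        "result": detection_result(static_dangerous, dynamic_dangerous),
    }


if __name__ == "__main__":
    report = detect(SAMPLE_LOG, "com.example.demo",
                    SAMPLE_TO_EVALUATE, SAMPLE_STATIC_DANGEROUS)
    for perm, source in sorted(report["result"].items()):
        print(f"{perm}: {source}")
```

A finding tagged "static" was seen in use at run time without a static call path, and one tagged "dynamic" has a static call path that the run never exercised.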
The present application also provides an application scenario to which the method for detecting the sensitive permission of the application program is applied. Specifically, taking the android system as an example, the method is applied in this scenario as follows:
The application scenario is divided into two parts, static detection and dynamic detection, which are explained in turn:
First, static detection is realized through the following steps:
1. Acquiring the application program to be detected and the APK file of the application program.
2. Acquiring candidate sensitive permissions in the android system by analyzing the AndroidManifest file.
3. Finding the corresponding taint function in the APK file according to the candidate sensitive permissions.
4. Generating a pollution source function corresponding to the application program according to the APK file of the application program.
5. Performing static taint analysis on the taint function in the APK file of the application program, and outputting a static calling path of the taint function.
6. Analyzing and comparing the matching condition of the pollution function and the pollution source function according to the static calling path.
7. Determining an authority matching result according to the function matching condition, so as to obtain the static danger sensitive authority.
Secondly, the dynamic detection process can be mainly divided into the following modules:
1. A system interface function extraction module corresponding to the sensitive permissions of the Android system.
2. A module for instrumenting the system interface functions into the system source code and compiling the ROM.
3. An application program operation and behavior data output module.
4. A permission comparison and judgment module.
The functions implemented by these several modules are described in detail below:
1) System interface function extraction module corresponding to Android system sensitive permissions
This functional module mainly extracts all sensitive permissions of the android system. According to the pre-established association between sensitive permissions and system interfaces, it finds the system interface functions corresponding to the sensitive permissions (namely the target interface functions in the foregoing embodiment). The main purpose is to add logging marks for these system interface functions in the system source code, that is, to implement source code instrumentation; the system interface functions instrumented in the source code are called calling mark functions, and detection of the sensitive permissions is implemented by detecting the calling mark functions.
2) System interface function instrumentation into system source code and ROM compilation
This functional module mainly finds the system interface functions in the system source code, marks them with logging points, compiles the source code to generate a ROM, and burns the ROM into the device. The main process is as follows:
a. The definition of a system interface function is found in the system source code through its class name, function name and parameters, and a mark code is inserted into the function definition. The mark code marks the calling condition of the calling mark function, so that when an application program calls the calling mark function, a log of the function call can be output and recorded.
b. All system interface functions are added into the android source code, the source code is compiled to generate a ROM image file, and the ROM is then flashed into the device, so that the device has the function of recording system interface function calls.
3) Application program operation and behavior data output module
This functional module mainly runs the application program and outputs the system interface calling data. The application program is run on the instrumented device and the calling condition of the system interfaces is output, mainly through the following process:
a. First, the application program is installed in the target device, where the instrumentation points can output the calling conditions in real time;
b. The use of a user is simulated: operations such as clicking and sliding in the application are completed through a certain trigger strategy, so as to reach as many application function points as possible and trigger the application's system interface calling behavior more comprehensively;
c. The calling results of the system interfaces are recorded through the instrumentation points (mark code), and the calling results of the system interfaces are finally output.
4) Permission comparison and judgment module
This functional module mainly compares and judges the applied-for permissions parsed from the AndroidManifest file against the permissions obtained by dynamic running, outputs the application permission detection result through the judging module, and determines whether over-application causes permission leakage. It mainly comprises the following steps:
a. Converting the system interface calling result output by dynamic running according to the association between sensitive permissions and system interfaces, and outputting the dynamic sensitive permissions actually used during running.
b. Comparing the dynamic sensitive authority used in the actual dynamic running process with the authority applied for by the application program, thereby obtaining the authority actually applied by the application program.
After the sensitive permission detection result of the dynamic detection is obtained, it is compared and analyzed against the result of the static detection, so that the result of the static analysis can be supplemented and perfected.
The method for detecting the sensitive permission of the application program provided by the embodiment dynamically judges the use condition of the application permission by actually running the application program. The result of the dynamic detection can be used for verifying the result of the static detection, in addition, the problems in the existing static detection scheme are effectively solved, and the accuracy of the application authority detection is effectively improved.
It should be understood that, although the steps in the above flowcharts are shown in the order indicated by the arrows, they are not necessarily performed in that order. Unless explicitly stated otherwise, the steps are not strictly limited to the order shown and described and may be performed in other orders. Moreover, at least some of the steps in the above flowcharts may include multiple sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and which are not necessarily performed in sequence but may be performed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
Based on the same idea as the method for detecting the application program sensitive permission in the embodiment, the invention further provides a device for detecting the application program sensitive permission, and the device can be used for executing the method for detecting the application program sensitive permission. For convenience of description, the schematic structural diagram of the embodiment of the apparatus for detecting the application-sensitive permission shows only the parts related to the embodiment of the present invention; those skilled in the art will understand that the illustrated structure does not constitute a limitation on the apparatus, which may include more or fewer components than those illustrated, combine some components, or arrange the components differently.
In one embodiment, as shown in fig. 7, there is provided an apparatus 700 for detecting application-sensitive rights, which may be a part of a detection device using a software module or a hardware module, or a combination of the two modules, and specifically includes: a program obtaining module 701, a program running module 702, a calling result obtaining module 703, a dynamic permission determining module 704, a static permission determining module 705 and a permission detection result determining module 706, wherein:
A program obtaining module 701, configured to obtain an application program to be detected and an installation file of the application program; the installation file comprises a taint function corresponding to the candidate sensitive permission.
A program running module 702, configured to run the application program dynamically in a target operating system environment; and the source code file of the target operating system comprises a calling marking function, and the calling marking function is used for marking when the candidate sensitive permission is called.
A calling result obtaining module 703, configured to obtain, through the calling tag function, a dynamic calling result of the candidate sensitive permission in a dynamic running process of the application program.
A dynamic permission determining module 704, configured to determine, according to the dynamic call result, a candidate sensitive permission used by the application program as a dynamic sensitive permission.
A static permission determining module 705, configured to obtain a calling relation static analysis result of the taint function, and determine a static sensitive permission corresponding to the application program according to the calling relation static analysis result.
A permission detection result determining module 706, configured to determine a sensitive permission detection result of the application program according to the dynamic sensitive permission and the static sensitive permission.
In the device for detecting the application program sensitive permission, the sensitive permission actually used by the application program during running is obtained dynamically and accurately through the calling marking function. In addition, the dynamic sensitive permission and the static sensitive permission are obtained separately, and the sensitive permission detection result of the application program is determined according to both. Because the resulting detection result incorporates the dynamic sensitive permission, it makes up for the shortcomings of static detection and can effectively improve the detection accuracy of the application program sensitive permission.
In one embodiment, the program execution module includes: the source code file acquisition submodule is used for acquiring a first operating system source code file corresponding to the target operating system; the image file compiling submodule is used for compiling and generating a system image file according to the first operating system source code file; the image file output submodule is used for outputting the system image file to target equipment so as to replace a system source code file configured in advance in the target equipment by the first operating system source code file; and the application program running submodule is used for controlling the application program to dynamically run in the target equipment under the environment of a target operating system according to the source code file of the first operating system.
In one embodiment, the source code file obtaining submodule includes: a source code file acquiring unit, configured to acquire a second operating system source code file corresponding to the target operating system; an instrumentation instruction receiving unit, configured to receive an instrumentation instruction, where the instrumentation instruction carries a sensitive permission identifier and a calling mark code; an interface function determining unit, configured to determine, in the second operating system source code file, a target interface function corresponding to the sensitive permission identifier; a code writing unit, configured to instrument the target interface function so as to write the calling mark code into the target interface function and obtain the calling marking function; and a source code file determining unit, configured to obtain the first operating system source code file according to the calling marking function.
In one embodiment, a dynamic privilege determination module includes: the mapping table acquisition submodule is used for acquiring a mapping table of an interface function and the sensitive permission; the interface function determining submodule is used for determining a called target interface function according to the dynamic calling result; and the calling result conversion submodule is used for converting the dynamic calling result according to the mapping table and the called target interface function to obtain candidate sensitive permission used by the application program and using the candidate sensitive permission as the dynamic sensitive permission.
In one embodiment, the code writing unit includes: a function definition determining subunit, configured to determine a function definition of the target interface function; a code writing subunit, configured to write the calling mark code into the function definition; and a calling marking function determining subunit, configured to determine the target interface function whose function definition contains the calling mark code as the calling marking function.
In one embodiment, the system image file is a flashing file; and the image file output submodule is further configured to output the flashing file to the target device and trigger flashing processing on the target device according to the flashing file, so that the system source code file configured in advance in the target device is replaced by the first operating system source code file.
In one embodiment, the call result obtaining module includes: the business process execution sub-module is used for receiving operation trigger information through the target equipment and executing a corresponding business process according to the operation trigger information; the operation trigger information is trigger information for carrying out interactive operation on the application program, and the business process comprises a process for calling the candidate sensitive permission; and the calling result determining submodule is used for acquiring the information called by the candidate sensitive permission through the calling mark code in the service flow executing process and taking the information as the dynamic calling result.
In one embodiment, the permission detection result determining module includes: the danger authority determining submodule is used for respectively determining the dynamic danger sensitive authority and the static danger sensitive authority which are excessively applied by the application program according to the dynamic sensitive authority and the static sensitive authority; and the detection result determining submodule is used for determining the sensitive permission detection result of the application program according to the dynamic danger sensitive permission and the static danger sensitive permission.
In one embodiment, the hazard authority determination submodule includes: the to-be-evaluated authority determining unit is used for acquiring sensitive authority application information of the application program and determining the to-be-evaluated sensitive authority applied by the application program according to the sensitive authority application information; the dynamic danger authority determining unit is used for determining the dynamic danger sensitive authority according to the comparison result of the dynamic sensitive authority and the sensitive authority to be evaluated; and the static danger authority determining unit is used for determining the static danger sensitive authority according to the comparison result of the static sensitive authority and the sensitive authority to be evaluated.
In an embodiment, the detection result determining submodule is further configured to supplement the static danger-sensitive permission with the dynamic danger-sensitive permission, so as to obtain a detection result of the sensitive permission of the application program.
In one embodiment, the static permission determination module includes: the taint function determining submodule is used for determining an interface function corresponding to the candidate sensitive permission in the installation file as the taint function; the calling relation determining submodule is used for acquiring called information of each interface function in the installation file and obtaining a function calling relation according to the called information; and the static analysis result determining submodule is used for determining a calling relation static analysis result of the taint function according to the function calling relation.
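The comparison in steps a and b above, together with the danger permission determination and the static call-relation analysis described in the preceding embodiments, can be sketched as follows. This is an added example, not code from the patent: the `PERM_MARK` log format, the mapping table entries, the call graph, the package names and the reading of "supplementing" as intersecting the two danger sets are all assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET
from collections import deque

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed mapping table: instrumented interface function -> sensitive permission.
API_TO_PERMISSION = {
    "android.telephony.TelephonyManager.getDeviceId": "android.permission.READ_PHONE_STATE",
    "android.location.LocationManager.getLastKnownLocation": "android.permission.ACCESS_FINE_LOCATION",
    "android.hardware.Camera.open": "android.permission.CAMERA",
    "android.media.AudioRecord.startRecording": "android.permission.RECORD_AUDIO",
    "android.telephony.SmsManager.sendTextMessage": "android.permission.SEND_SMS",
}

# Hypothetical line format emitted by the calling mark code (assumption of this example).
MARK_RE = re.compile(r"^PERM_MARK uid=(\d+) pkg=(\S+) api=(\S+)$")


def declared_permissions(manifest_xml):
    """Permissions the application applies for in its manifest."""
    root = ET.fromstring(manifest_xml.strip())
    names = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    return names - {None}


def dynamic_permissions(mark_log, package):
    """Step a: convert marked interface calls of one package into permissions."""
    used = set()
    for line in mark_log.splitlines():
        m = MARK_RE.match(line.strip())
        if m and m.group(2) == package and m.group(3) in API_TO_PERMISSION:
            used.add(API_TO_PERMISSION[m.group(3)])
    return used


def static_permissions(call_graph, entry_points):
    """Taint functions reachable from the entry points in the call relation."""
    seen, queue = set(entry_points), deque(entry_points)
    while queue:
        for callee in call_graph.get(queue.popleft(), ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return {API_TO_PERMISSION[f] for f in seen if f in API_TO_PERMISSION}


def detect(manifest_xml, mark_log, package, call_graph, entry_points):
    """Step b plus the static comparison, then the combined result."""
    to_evaluate = declared_permissions(manifest_xml) & set(API_TO_PERMISSION.values())
    dynamic_danger = to_evaluate - dynamic_permissions(mark_log, package)
    static_danger = to_evaluate - static_permissions(call_graph, entry_points)
    return {
        "dynamic_danger": dynamic_danger,                   # declared, never observed at run time
        "static_danger": static_danger,                     # declared, no reachable taint call
        "over_requested": static_danger & dynamic_danger,   # no evidence of use from either side
        "static_only": static_danger - dynamic_danger,      # static flag refuted by the run
        "not_exercised": dynamic_danger - static_danger,    # reachable, but the run never hit it
    }


# ---- Constructed sample input ----
PACKAGE = "com.example.demo"
MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""
MARK_LOG = """
PERM_MARK uid=10123 pkg=com.example.demo api=android.telephony.TelephonyManager.getDeviceId
PERM_MARK uid=10123 pkg=com.example.demo api=android.hardware.Camera.open
PERM_MARK uid=10177 pkg=com.example.other api=android.media.AudioRecord.startRecording
ActivityManager: Displayed com.example.demo/.MainActivity
PERM_MARK uid=10123 pkg=com.example.demo api=android.hardware.Camera.open
"""
CALL_GRAPH = {
    # Camera.open is invoked through reflection, so no static edge leads to it.
    "com.example.demo.MainActivity.onCreate": ["com.example.demo.Tracker.init",
                                               "java.lang.reflect.Method.invoke"],
    "com.example.demo.Tracker.init": ["android.telephony.TelephonyManager.getDeviceId",
                                      "com.example.demo.Tracker.locate"],
    "com.example.demo.Tracker.locate": ["android.location.LocationManager.getLastKnownLocation"],
    # Dead code: nothing calls Legacy.record.
    "com.example.demo.Legacy.record": ["android.media.AudioRecord.startRecording"],
}
ENTRY_POINTS = ["com.example.demo.MainActivity.onCreate"]


def run_sample():
    return detect(MANIFEST, MARK_LOG, PACKAGE, CALL_GRAPH, ENTRY_POINTS)


if __name__ == "__main__":
    for key, perms in run_sample().items():
        print(key, sorted(perms))
```

In the sample, the reflective camera call is why the static pass alone would flag `CAMERA`, and the unvisited location path is why the dynamic pass alone would flag `ACCESS_FINE_LOCATION`; only `RECORD_AUDIO` lacks evidence from both.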
In one embodiment, the apparatus further comprises: the configuration file acquisition module is used for acquiring a system configuration file of the target operating system; the authority analysis module is used for carrying out sensitive authority analysis on the system configuration file; and the sensitive permission determining module is used for obtaining the candidate sensitive permission according to the sensitive permission analysis result.
For specific limitations of the apparatus for detecting the application sensitive permission, reference may be made to the above limitations of the method for detecting the application sensitive permission, and details are not described herein again. All or part of each module in the device for detecting the sensitive authority of the application program can be realized by software, hardware and a combination thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided. The computer device may be a server, and the internal structure of the detection device used in the foregoing embodiments may be as shown in fig. 8. The computer device includes a processor, a memory, and a network interface connected by a system bus. The processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for running the operating system and the computer program in the non-volatile storage medium. The database of the computer device is used for storing data such as the first operating system source code file, the second operating system source code file, the dynamic sensitive permission, and the static sensitive permission. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by the processor to implement a method for detecting application-sensitive permissions.
Those skilled in the art will appreciate that the architecture shown in fig. 8 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is further provided, which includes a memory and a processor, the memory stores a computer program, and the processor implements the steps of the above method embodiments when executing the computer program.
In an embodiment, a computer-readable storage medium is provided, in which a computer program is stored which, when being executed by a processor, carries out the steps of the above-mentioned method embodiments.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware related to instructions of a computer program, which can be stored in a non-volatile computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, database or other medium used in the embodiments provided herein can include at least one of non-volatile and volatile memory. Non-volatile memory may include Read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical storage, or the like. Volatile Memory can include Random Access Memory (RAM) or external cache Memory. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM), among others.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above examples express only several embodiments of the present application, and although their description is relatively specific and detailed, they should not be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, all of which fall within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (15)

1. A method for detecting sensitive authority of an application program, the method comprising:
acquiring an application program to be detected and an installation file of the application program; the installation file comprises a taint function corresponding to the candidate sensitive authority;
dynamically running the application program in a target operating system environment; the source code file of the target operating system comprises a calling marking function, and the calling marking function is used for marking when the candidate sensitive permission is called;
in the dynamic operation process of the application program, acquiring a dynamic calling result of the candidate sensitive permission through the calling marking function;
determining candidate sensitive permission used by the application program according to the dynamic calling result, and using the candidate sensitive permission as dynamic sensitive permission;
obtaining a calling relation static analysis result of the taint function, and determining a static sensitive permission corresponding to the application program according to the calling relation static analysis result;
and determining a sensitive permission detection result of the application program according to the dynamic sensitive permission and the static sensitive permission.
2. The method of claim 1, wherein the step of dynamically running the application in the target operating system environment comprises:
acquiring a first operating system source code file corresponding to the target operating system;
compiling according to the first operating system source code file to generate a system image file;
outputting the system image file to target equipment so as to replace a system source code file configured in advance in the target equipment by the first operating system source code file;
and controlling the application program to dynamically run in the target equipment under the environment of a target operating system according to the source code file of the first operating system.
3. The method of claim 2, wherein the step of obtaining the source code file of the first operating system corresponding to the target operating system comprises:
acquiring a second operating system source code file corresponding to the target operating system;
receiving an instrumentation instruction; the instrumentation instruction carries a sensitive authority identifier and a calling mark code;
determining a target interface function corresponding to the sensitive authority identification in the source code file of the second operating system;
performing instrumentation on the target interface function to write the calling mark code into the target interface function to obtain the calling mark function;
and obtaining the source code file of the first operating system according to the calling marking function.
4. The method according to claim 3, wherein the step of determining the candidate sensitive permission used by the application program according to the dynamic calling result as the dynamic sensitive permission comprises:
acquiring a mapping table of an interface function and a sensitive authority;
determining a called target interface function according to the dynamic calling result;
and converting the dynamic calling result according to the mapping table and the called target interface function to obtain a candidate sensitive permission used by the application program as the dynamic sensitive permission.
5. The method according to claim 3, wherein the step of performing instrumentation on the target interface function to write the calling tag code into the target interface function to obtain the calling tag function comprises:
determining a function definition of the target interface function;
writing the calling mark code into the function definition;
and determining the target interface function containing the calling mark code in the function definition as the calling mark function.
6. The method of claim 2, wherein the system image file is a flashing file;
the step of outputting the system image file to a target device to replace a pre-configured system source code file in the target device by the first operating system source code file includes:
and outputting the flashing file to the target equipment, triggering flashing processing on the target equipment according to the flashing file, and replacing a system source code file configured in advance in the target equipment by the first operating system source code file.
7. The method according to claim 2, wherein the step of obtaining the dynamic call result of the candidate sensitive permission through the call marking function during the dynamic running of the application program comprises:
controlling the target equipment to execute a business process when receiving operation triggering information for carrying out interactive operation on the application program; the business process comprises a process for calling the candidate sensitive permission;
and in the process of executing the service flow, acquiring the information called by the candidate sensitive permission through the calling mark code as the dynamic calling result.
8. The method according to any one of claims 1 to 7, wherein the step of determining the result of detecting the sensitive permission of the application according to the dynamic sensitive permission and the static sensitive permission comprises:
respectively determining the dynamic danger sensitive authority and the static danger sensitive authority which are excessively applied by the application program according to the dynamic sensitive authority and the static sensitive authority;
and determining a sensitive permission detection result of the application program according to the dynamic dangerous sensitive permission and the static dangerous sensitive permission.
9. The method according to claim 8, wherein the step of respectively determining the dynamic danger sensitive authority and the static danger sensitive authority which are excessively applied by the application program according to the dynamic sensitive authority and the static sensitive authority comprises:
acquiring sensitive authority application information of the application program, and determining the sensitive authority to be evaluated, which is applied by the application program, according to the sensitive authority application information;
determining the dynamic danger sensitive authority according to the comparison result of the dynamic sensitive authority and the sensitive authority to be evaluated;
and determining the static danger sensitive authority according to the comparison result of the static sensitive authority and the sensitive authority to be evaluated.
10. The method of claim 8, wherein the step of determining the sensitive permission detection result of the application program according to the dynamic danger sensitive permission and the static danger sensitive permission comprises:
and supplementing the static danger sensitive permission through the dynamic danger sensitive permission to obtain a sensitive permission detection result of the application program.
11. The method of any one of claims 1 to 7, wherein the step of obtaining the result of the static analysis of the call relationship of the taint function comprises:
determining an interface function corresponding to the candidate sensitive authority in the installation file as the taint function;
acquiring called information of each interface function in the installation file, and obtaining a function calling relation according to the called information;
and determining a calling relation static analysis result of the taint function according to the function calling relation.
12. The method of any of claims 1 to 7, further comprising, prior to the step of dynamically running the application in a target operating system environment:
acquiring a system configuration file of the target operating system;
carrying out sensitive permission analysis on the system configuration file;
and obtaining the candidate sensitive permission according to the sensitive permission analysis result.
13. An apparatus for detecting sensitive permissions of an application, the apparatus comprising:
the program acquisition module is used for acquiring an application program to be detected and an installation file of the application program; the installation file comprises a taint function corresponding to the candidate sensitive authority;
the program running module is used for dynamically running the application program under the environment of a target operating system; the source code file of the target operating system comprises a calling marking function, and the calling marking function is used for marking when the candidate sensitive permission is called;
the calling result acquisition module is used for acquiring a dynamic calling result of the candidate sensitive permission through the calling marking function in the dynamic running process of the application program;
the dynamic permission determining module is used for determining candidate sensitive permission used by the application program according to the dynamic calling result and taking the candidate sensitive permission as dynamic sensitive permission;
the static permission determining module is used for acquiring a calling relation static analysis result of the taint function and determining the static sensitive permission corresponding to the application program according to the calling relation static analysis result;
and the permission detection result determining module is used for determining the sensitive permission detection result of the application program according to the dynamic sensitive permission and the static sensitive permission.
14. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method according to any of claims 1 to 12.
15. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 12.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010445707.9A CN111353146B (en) 2020-05-25 2020-05-25 Method, device, equipment and storage medium for detecting sensitive permission of application program

Publications (2)

Publication Number Publication Date
CN111353146A true CN111353146A (en) 2020-06-30
CN111353146B CN111353146B (en) 2020-08-25

Family

ID=71196668

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010445707.9A Active CN111353146B (en) 2020-05-25 2020-05-25 Method, device, equipment and storage medium for detecting sensitive permission of application program

Country Status (1)

Country Link
CN (1) CN111353146B (en)

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103593605A (en) * 2013-10-24 2014-02-19 复旦大学 Android platform applications dynamic analysis system based on permission use behaviors
CN103927482A (en) * 2014-03-24 2014-07-16 深圳市中兴移动通信有限公司 Mobile terminal and application sensitivity permission management method thereof
CN104732146A (en) * 2015-04-03 2015-06-24 上海斐讯数据通信技术有限公司 Android program bug detection method and system
CN104866763A (en) * 2015-05-28 2015-08-26 天津大学 Permission-based Android malicious software hybrid detection method
CN106778254A (en) * 2016-11-24 2017-05-31 四川无声信息技术有限公司 Privacy leakage detection method and system
CN107832619A (en) * 2017-10-10 2018-03-23 电子科技大学 Vulnerability of application program automatic excavating system and method under Android platform
CN109902487A (en) * 2017-12-08 2019-06-18 南京理工大学 Android based on application behavior applies malicious detection method
CN108334780A (en) * 2018-02-06 2018-07-27 南京航空航天大学 Privacy leakage detection method based on contextual information
CN108681671A (en) * 2018-05-21 2018-10-19 中国科学技术大学 A kind of Android mobile attacks source tracing method
CN110162963A (en) * 2019-04-26 2019-08-23 肖银皓 A method of identifying power application program

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114020278A (en) * 2020-07-19 2022-02-08 腾讯科技(深圳)有限公司 Data processing method, device, equipment and storage medium
CN112035845A (en) * 2020-09-01 2020-12-04 中国银行股份有限公司 Data security detection method and related equipment thereof
WO2022062958A1 (en) * 2020-09-23 2022-03-31 北京沃东天骏信息技术有限公司 Privacy detection method and apparatus, and computer readable storage medium
CN112199662A (en) * 2020-12-09 2021-01-08 江苏东大集成电路系统工程技术有限公司 Permission verification system based on self-adaptive plug-in
CN112199662B (en) * 2020-12-09 2021-02-19 江苏东大集成电路系统工程技术有限公司 Permission verification system based on self-adaptive plug-in
CN112612557A (en) * 2020-12-25 2021-04-06 平安国际智慧城市科技股份有限公司 Sensitive data identification method, system, computer equipment and readable storage medium
CN112612557B (en) * 2020-12-25 2023-08-15 平安国际智慧城市科技股份有限公司 Sensitive data identification method, system, computer equipment and readable storage medium
CN112817603A (en) * 2021-01-26 2021-05-18 京东数字科技控股股份有限公司 Application program processing method and device, electronic equipment, system and storage medium
CN112784272A (en) * 2021-01-26 2021-05-11 京东数字科技控股股份有限公司 Application program processing method and device, electronic equipment, system and storage medium
CN113656251A (en) * 2021-08-20 2021-11-16 中金金融认证中心有限公司 Method for monitoring application program behavior and related product
CN113849852A (en) * 2021-08-27 2021-12-28 杭州逗酷软件科技有限公司 Privacy authority detection method and device, electronic equipment and storage medium
CN115033910A (en) * 2021-11-12 2022-09-09 荣耀终端有限公司 Access record display method and electronic equipment
CN113946856A (en) * 2021-12-17 2022-01-18 杭州海康威视数字技术股份有限公司 Large-scale dynamic sensitive data auditing method and system capable of arranging plug-ins
CN114528205A (en) * 2022-01-24 2022-05-24 山东浪潮科学研究院有限公司 Android-based application program analysis method, device and medium
CN114780952A (en) * 2022-03-09 2022-07-22 浙江吉利控股集团有限公司 Method, system and storage medium for detecting sensitive application calling scene

Also Published As

Publication number Publication date
CN111353146B (en) 2020-08-25

Similar Documents

Publication Publication Date Title
CN111353146B (en) Method, device, equipment and storage medium for detecting sensitive permission of application program
Wermke et al. A large scale investigation of obfuscation use in Google Play
US10296437B2 (en) Framework for efficient security coverage of mobile software applications
Gibler et al. AndroidLeaks: Automatically detecting potential privacy leaks in Android applications on a large scale
US11520901B2 (en) Detecting firmware vulnerabilities
US20160378989A1 (en) Apparatus and method for monitoring android platform-based application
CN113569246B (en) Vulnerability detection method, vulnerability detection device, computer equipment and storage medium
CN112685737A (en) APP detection method, device, equipment and storage medium
US20150220739A1 (en) Global Variable Security Analysis
CN109255235B (en) Mobile application third-party library isolation method based on user state sandbox
CN107004088B (en) Determining device, determining method and recording medium
CN108769071A (en) attack information processing method, device and internet of things honey pot system
CN111416811A (en) Unauthorized vulnerability detection method, system, equipment and storage medium
EP2881877A1 (en) Program execution device and program analysis device
US20160224791A1 (en) Process testing apparatus, process testing program, and process testing method
US20170185784A1 (en) Point-wise protection of application using runtime agent
CN104036194A (en) Vulnerability detection method and device for revealing private data in application program
KR101724412B1 (en) Apparatus for analysis application using expansion code and method using the same
Ascia et al. Making Android apps data-leak-safe by data flow analysis and code injection
KR102541888B1 (en) Image-based malicious code analysis method and apparatus and artificial intelligence-based endpoint detection and response system using the same
EP3945441A1 (en) Detecting exploitable paths in application software that uses third-party libraries
CN116737526A (en) Code segment dynamic measurement method and device and electronic equipment
CN111309311B (en) Vulnerability detection tool generation method, device, equipment and readable storage medium
Bellizzi et al. Using Infrastructure-Based Agents to Enhance Forensic Logging of Third-Party Applications.
CN116414722B (en) Fuzzy test processing method and device, fuzzy test system and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
REG Reference to a national code Ref country code: HK; Ref legal event code: DE; Ref document number: 40023713; Country of ref document: HK