CN111767537A - Tamper verification method of application program based on IOS (operating system) and related equipment - Google Patents


Info

Publication number
CN111767537A
Authority
CN
China
Prior art keywords
character string
app
preset
identifier
packet name
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010585011.6A
Other languages
Chinese (zh)
Inventor
陈翔
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ping An Puhui Enterprise Management Co Ltd
Original Assignee
Ping An Puhui Enterprise Management Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ping An Puhui Enterprise Management Co Ltd filed Critical Ping An Puhui Enterprise Management Co Ltd
Priority to CN202010585011.6A priority Critical patent/CN111767537A/en
Publication of CN111767537A publication Critical patent/CN111767537A/en
Pending legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

The invention relates to the technical field of intelligent terminals and provides a tamper verification method for an application program based on the IOS operating system, comprising the following steps: when it is detected that an IOS-based application program (APP) is started, acquiring an APP package name identifier of the APP from a hook system; verifying the APP package name identifier against a stored legal package name identifier; if the APP package name identifier is verified to be consistent with the legal package name identifier, detecting whether a character string exists at a preset first position; if the character string exists at the first position, extracting the character string and decrypting it to obtain a decryption timestamp; judging, according to the extracted character string and the decryption timestamp, whether the character string is a legally generated character string; and if the character string is a legally generated character string, determining that the APP has not been tampered with. The method and the device can identify whether the APP has been tampered with.

Description

Tamper verification method of application program based on IOS (operating system) and related equipment
Technical Field
The invention relates to the technical field of intelligent terminals, and in particular to a tamper verification method for an application program based on an IOS operating system and related equipment.
Background
With the development of mobile terminal technology, more and more users use applications downloaded to their mobile terminals to handle matters of daily life and even work, such as paying fees, shopping, and scheduling. While a user is using an application program, the application program may be invaded by malicious code; the user may not notice the malicious code and may continue to use the APP, with adverse effects.
Therefore, how to determine whether the application program is tampered is an urgent technical problem to be solved.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a tamper checking method for an application program based on an IOS operating system and a related device, which can identify whether an APP is tampered.
The first aspect of the present invention provides a tamper verification method for an application program based on an IOS operating system, the method comprising:
when detecting that an application program APP based on an IOS operating system is started, acquiring an APP package name identifier of the APP from a hook system;
verifying the APP package name identifier against a stored legal package name identifier;
if the APP package name identifier is verified to be consistent with the legal package name identifier, detecting whether a character string exists at a preset first position;
if the character string exists at the first position, extracting the character string and decrypting the character string to obtain a decryption time stamp;
judging whether the character string belongs to a legally generated character string or not according to the extracted character string and the decryption timestamp;
and if the character string belongs to the legally generated character string, determining that the APP is not tampered.
In a possible implementation manner, the tamper checking method for the application based on the IOS operating system further includes:
replacing the system method for acquiring the package name by the system class with a predefined method;
generating a character string according to the current timestamp and a preset identifier by the predefined method, and storing the character string at the first position;
calling the system method again.
In a possible implementation manner, the generating a character string according to the current timestamp and the preset identifier includes:
encrypting the timestamp and a preset identifier to obtain intermediate encrypted data;
and encrypting the intermediate encrypted data to obtain a character string.
In a possible implementation manner, the determining whether the character string belongs to a legally generated character string according to the extracted character string and the decryption timestamp includes:
judging whether part of the extracted character string at a preset second position is the preset identifier or not;
if the extracted partial character string of the character string at the preset second position is the preset identifier, judging whether the decryption timestamp is in the validity period;
and if the decryption time stamp is in the valid period, determining that the character string belongs to the legally generated character string.
In a possible implementation manner, the tamper checking method for the application based on the IOS operating system further includes:
and if the extracted partial character string of the character string at the preset second position is not the preset identifier or the decryption timestamp is not in the validity period, determining that the character string belongs to the illegally generated character string.
In a possible implementation manner, the determining whether the character string belongs to a legally generated character string according to the extracted character string and the decryption timestamp includes:
judging whether part of the extracted character string at a preset second position is the preset identifier or not;
if the extracted partial character string of the character string at the preset second position is the preset identifier, calculating a time difference value between a time stamp of the current time and the decryption time stamp;
judging whether the time difference value is within a preset time range or not;
and if the time difference is within a preset time range, determining that the character string belongs to a legally generated character string.
In a possible implementation manner, the tamper checking method for the application based on the IOS operating system further includes:
if the APP package name identifier is verified to be inconsistent with the legal package name identifier, or no character string is detected at the first position, or the character string is an illegally generated character string, determining that the APP has been tampered with;
adopting a risk control strategy, wherein the risk control strategy comprises: reporting abnormal information to a server, or controlling the APP to exit.
A second aspect of the present invention provides a tamper verification apparatus including:
an acquisition module, configured to acquire an APP package name identifier of an APP from a hook system when it is detected that the APP based on an IOS operating system is started;
a verification module, configured to verify the APP package name identifier against the stored legal package name identifier;
the verification module being further configured to detect whether a character string exists at a preset first position if the APP package name identifier is verified to be consistent with the legal package name identifier;
an extraction module, configured to extract the character string and decrypt it to obtain a decryption timestamp if the character string is detected at the first position;
a judging module, configured to judge whether the character string is a legally generated character string according to the extracted character string and the decryption timestamp;
and a determining module, configured to determine that the APP has not been tampered with if the character string is a legally generated character string.
A third aspect of the present invention provides an electronic device, which includes a processor and a memory, wherein the processor is configured to implement the tampering checking method for the application program based on the IOS operating system when executing the computer program stored in the memory.
A fourth aspect of the present invention provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the tamper checking method for an application program based on an IOS operating system.
In the above technical scheme, whether the APP has been tampered with can be identified by checking the package name identifier and the character string. At the same time, replacing the system method with a built-in method interferes with the hacker and increases the difficulty of tampering with and running the APP, so that tampering with the APP is effectively guarded against.
Drawings
FIG. 1 is a flow chart of a tamper verification method for an application based on an IOS operating system according to a preferred embodiment of the present invention.
Fig. 2 is a functional block diagram of a tamper verification device according to a preferred embodiment of the present disclosure.
Fig. 3 is a schematic structural diagram of an electronic device according to a preferred embodiment of the method for verifying tampering of an application program based on an IOS operating system.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first" and "second" in the description and claims of the present application and the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that the description relating to "first", "second", etc. in the present invention is for descriptive purposes only and is not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In addition, technical solutions between various embodiments may be combined with each other, but must be realized by a person skilled in the art, and when the technical solutions are contradictory or cannot be realized, such a combination should not be considered to exist, and is not within the protection scope of the present invention.
The electronic device is a device capable of automatically performing numerical calculation and/or information processing according to a preset or stored instruction, and the hardware thereof includes, but is not limited to, a microprocessor, an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA), a Digital Signal Processor (DSP), an embedded device, and the like. The electronic device may also include a network device and/or a user device. The network device includes, but is not limited to, a single network server, a server group consisting of a plurality of network servers, or a Cloud Computing (Cloud Computing) based Cloud consisting of a large number of hosts or network servers. The user device includes, but is not limited to, any electronic product that can interact with a user through a keyboard, a mouse, a remote controller, a touch pad, or a voice control device, for example, a personal computer, a tablet computer, a smart phone, a Personal Digital Assistant (PDA), or the like.
Referring to fig. 1, fig. 1 is a flowchart illustrating a tamper checking method for an application based on an IOS operating system according to a preferred embodiment of the present invention. The order of the steps in the flowchart may be changed, and some steps may be omitted.
S11: When it is detected that an application program (APP) based on the IOS operating system is started, obtain the APP package name identifier of the APP from the hook system.
S12: Verify the APP package name identifier against the stored legal package name identifier.
S13: If the APP package name identifier is verified to be consistent with the legal package name identifier, detect whether a character string exists at a preset first position.
If the first position detection has no character string, the interception method set by the scheme is compiled preferentially, and otherwise, the interception method set by the scheme fails.
Optionally, the method further includes:
replacing the system method for acquiring the package name by the system class with a predefined method;
generating a character string according to the current timestamp and a preset identifier by the predefined method, and storing the character string at the first position;
calling the system method again.
Specifically, the method swizzling technique can be used to replace the bundleIdentifier method, by which the NSBundle system class acquires the package name, with a swizzle_phBundleIdentifier method; the swizzle_phBundleIdentifier method generates a character string according to the current timestamp and a preset identifier and stores the character string at the first position; the system's bundleIdentifier method is then called again.
This optional embodiment provides an anti-interception method.
This embodiment uses a property of the load() method of a category as its safeguard: when multiple categories exchange the same method in load(), only one is compiled.
Based on this, the interception method adopted in this scheme is as follows: a category of NSBundle is implemented internally, and in the load() method of that category, the bundleIdentifier method by which the NSBundle system class acquires the package name is exchanged with our own method, namely the swizzle_phBundleIdentifier method. The system can select only one of this scheme's interception method and the hacker's interception method for compiling; if this scheme's interception method succeeds, the hacker's interception method cannot succeed, so the hacker is prevented from tampering with the APP.
In the prior art, the interception method adopted by hackers is as follows: create a category of NSBundle, exchange the bundleIdentifier method by which the NSBundle system class acquires the package name in the load() method of that category, replace it with the hacker's own method, and return the user's original package name.
The comparison shows that the hacker's interception method completely replaces the system's package name acquisition method with the hacker's own method, and the package name is returned by the hacker's own method, which is illegal. The anti-interception method guards effectively against advanced hackers and improves the security of the APP.
Specifically, the generating a character string according to the current timestamp and the preset identifier includes:
performing BASE64 and AES encryption on the timestamp and the preset identifier to obtain intermediate encrypted data;
and carrying out RSA encryption on the intermediate encrypted data to obtain a character string.
For example, the preset identifier is PAHHOOKBUNDLEID and the time stamp is 1578997880.
S14: If the character string exists at the first position, extract the character string and decrypt it to obtain a decryption timestamp.
The decryption timestamp is the timestamp at which the character string was generated.
S15: Judge whether the character string is a legally generated character string according to the extracted character string and the decryption timestamp.
Specifically, the determining whether the character string belongs to a legally generated character string according to the extracted character string and the decryption timestamp includes:
judging whether part of the extracted character string at a preset second position is the preset identifier or not;
if the extracted partial character string of the character string at the preset second position is the preset identifier, judging whether the decryption timestamp is in the validity period;
and if the decryption time stamp is in the valid period, determining that the character string belongs to the legally generated character string.
The second position may be the first several positions of the character string in reading order. For example, if the character string is ABCDEFG and the second position is the first 3 positions, the extracted partial character string is ABC.
When the character string is generated, a validity period can be set for its timestamp: the timestamp is valid within the validity period and invalid once the validity period is exceeded.
This timestamp check prevents a hacker from intercepting the previous character string and storing it locally to confuse the current check of the character string.
The method further comprises the following steps:
and if the extracted partial character string of the character string at the preset second position is not the preset identifier or the decryption timestamp is not in the validity period, determining that the character string belongs to the illegally generated character string.
Specifically, the determining whether the character string belongs to a legally generated character string according to the extracted character string and the decryption timestamp includes:
judging whether part of the extracted character string at a preset second position is the preset identifier or not;
if the extracted partial character string of the character string at the preset second position is the preset identifier, calculating a time difference value between a time stamp of the current time and the decryption time stamp;
judging whether the time difference value is within a preset time range or not;
and if the time difference is within a preset time range, determining that the character string belongs to a legally generated character string.
If the time difference between the timestamp of the current time and the decryption timestamp is within the range of 5 s, the interval between the time the character string was generated and the current time is short, the character string is valid, and it can be determined to be a legally generated character string.
S16: If the character string is a legally generated character string, determine that the APP has not been tampered with.
Optionally, the method further includes:
if the APP package name identifier is verified to be inconsistent with the legal package name identifier, or no character string is detected at the first position, or the character string is an illegally generated character string, determining that the APP has been tampered with;
adopting a risk control strategy, wherein the risk control strategy comprises: reporting abnormal information to a server, or controlling the APP to exit.
The abnormal information may include, but is not limited to, the current geographic location of the electronic device, device information of the electronic device, login information of the user on the APP of the electronic device, and the like. By reporting the abnormal information, the electronic device enables the server to record the related information of the electronic device in a blacklist, which prevents hackers from subsequently invading the APP again and improves the security of the APP.
In the method flow described in fig. 1, whether the APP has been tampered with can be identified by checking the package name identifier and the character string. At the same time, replacing the system method with a built-in method interferes with the hacker and increases the difficulty of tampering with and running the APP, so that the APP is effectively protected against tampering.
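The flow of fig. 1 (S11 to S16) together with the swizzled bundleIdentifier, as an added Objective-C example that is not code from the patent. Assumptions: the first position is a process-local variable, the legal package name and AES key are constructed placeholders, the plaintext is the preset identifier followed by the timestamp, only the AES and BASE64 layer is shown (the RSA layer is left out), and the names PHCrypt, PHSeal, PHUnseal, PHTamperCheck and PHAppLooksUntampered are hypothetical.

```objective-c
#import <Foundation/Foundation.h>
#import <CommonCrypto/CommonCryptor.h>
#import <objc/runtime.h>

static NSString *const kPresetIdentifier = @"PAHHOOKBUNDLEID";  // preset identifier from the text
static NSString *const kLegalBundleID = @"com.example.app";     // constructed placeholder
static const NSTimeInterval kMaxAgeSeconds = 5.0;               // the 5 s range from the text
// Constructed 16-byte demo key (15 characters plus the terminating NUL).
static const uint8_t kAESKey[kCCKeySizeAES128] = "constructed-key";
static NSString *gFirstPosition;  // assumption: the "first position" is this process-local slot

// AES-128-CBC with PKCS#7 padding; returns nil on any CommonCrypto error.
static NSData *PHCrypt(CCOperation op, NSData *iv, NSData *input) {
    NSMutableData *out = [NSMutableData dataWithLength:input.length + kCCBlockSizeAES128];
    size_t moved = 0;
    CCCryptorStatus status = CCCrypt(op, kCCAlgorithmAES, kCCOptionPKCS7Padding,
                                     kAESKey, sizeof(kAESKey), iv.bytes,
                                     input.bytes, input.length,
                                     out.mutableBytes, out.length, &moved);
    if (status != kCCSuccess) return nil;
    out.length = moved;
    return out;
}

// Encrypts under a fresh random IV and returns BASE64(IV || ciphertext).
static NSString *PHSeal(NSString *plain) {
    NSMutableData *blob = [NSMutableData dataWithLength:kCCBlockSizeAES128];
    arc4random_buf(blob.mutableBytes, blob.length);
    NSData *iv = [blob copy];
    NSData *ct = PHCrypt(kCCEncrypt, iv, [plain dataUsingEncoding:NSUTF8StringEncoding]);
    if (!ct) return nil;
    [blob appendData:ct];
    return [blob base64EncodedStringWithOptions:0];
}

// Reverses PHSeal; returns nil for malformed BASE64, short input or a failed decrypt.
static NSString *PHUnseal(NSString *sealed) {
    if (!sealed) return nil;
    NSData *raw = [[NSData alloc] initWithBase64EncodedString:sealed options:0];
    if (raw.length <= kCCBlockSizeAES128) return nil;
    NSData *iv = [raw subdataWithRange:NSMakeRange(0, kCCBlockSizeAES128)];
    NSData *ct = [raw subdataWithRange:NSMakeRange(kCCBlockSizeAES128,
                                                   raw.length - kCCBlockSizeAES128)];
    NSData *pt = PHCrypt(kCCDecrypt, iv, ct);
    return pt ? [[NSString alloc] initWithData:pt encoding:NSUTF8StringEncoding] : nil;
}

@interface NSBundle (PHTamperCheck)
@end

@implementation NSBundle (PHTamperCheck)

// Exchange -bundleIdentifier with the predefined method when the category loads.
+ (void)load {
    Method original = class_getInstanceMethod(self, @selector(bundleIdentifier));
    Method replacement = class_getInstanceMethod(self, @selector(swizzle_phBundleIdentifier));
    method_exchangeImplementations(original, replacement);
}

// Predefined method: store a fresh string at the first position, then call the system method.
- (NSString *)swizzle_phBundleIdentifier {
    long long now = (long long)[NSDate date].timeIntervalSince1970;
    NSString *plain = [NSString stringWithFormat:@"%@%lld", kPresetIdentifier, now];
    NSString *sealed = PHSeal(plain);
    @synchronized ([NSBundle class]) { gFirstPosition = sealed; }
    // After the exchange, this selector resolves to the system implementation.
    return [self swizzle_phBundleIdentifier];
}

@end

// S11 to S16. Returns YES only when every check passes.
BOOL PHAppLooksUntampered(void) {
    // Clear the slot first so that a string found afterwards was written during this call.
    @synchronized ([NSBundle class]) { gFirstPosition = nil; }

    // S11/S12: read the package name through the hook and compare with the stored one.
    NSString *bundleID = [NSBundle mainBundle].bundleIdentifier;
    if (![bundleID isEqualToString:kLegalBundleID]) return NO;

    // S13: a string must exist at the first position.
    NSString *sealed;
    @synchronized ([NSBundle class]) { sealed = gFirstPosition; }
    if (sealed.length == 0) return NO;

    // S14: decrypt. S15: the preset identifier must sit at the second position (the prefix).
    NSString *plain = PHUnseal(sealed);
    if (![plain hasPrefix:kPresetIdentifier]) return NO;
    long long stamp = [plain substringFromIndex:kPresetIdentifier.length].longLongValue;

    // S15/S16: accept only a timestamp inside the preset range; stale or future values fail.
    NSTimeInterval age = [NSDate date].timeIntervalSince1970 - (NSTimeInterval)stamp;
    return age >= 0 && age <= kMaxAgeSeconds;
}
```

Call PHAppLooksUntampered() at launch; when it returns NO, apply the risk control strategy described above (report abnormal information to the server, or exit the APP).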
The above description is only a specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and it will be apparent to those skilled in the art that modifications may be made without departing from the inventive concept of the present invention, and these modifications are within the scope of the present invention.
Referring to fig. 2, fig. 2 is a functional block diagram of a tamper verification device according to a preferred embodiment of the present disclosure.
In some embodiments, the tamper verification device runs in an electronic device. The tamper verification device may comprise a plurality of functional modules consisting of program code segments. The program code of each program segment in the tamper verification device may be stored in the memory and executed by at least one processor to perform part or all of the steps of the tamper checking method for the application program based on the IOS operating system described in fig. 1; for details, refer to the related description of fig. 1, which is not repeated here.
In this embodiment, the tamper verification device may be divided into a plurality of functional modules according to the functions it performs. The functional modules may include: an obtaining module 201, a checking module 202, an extracting module 203, a judging module 204 and a determining module 205. A module referred to herein is a series of computer program segments that can be executed by at least one processor, performs a fixed function, and is stored in memory. The functions of the modules are described in detail in this embodiment.
The obtaining module 201 is configured to obtain an APP package name identifier of an APP from a hook system when it is detected that the APP based on an IOS operating system is started.
The checking module 202 is configured to check the APP package name identifier against the stored legal package name identifier.
The checking module 202 is further configured to detect whether a character string exists at a preset first position if the APP package name identifier is checked to be consistent with the legal package name identifier.
If the first position detection has no character string, the interception method set by the scheme is compiled preferentially, and otherwise, the interception method set by the scheme fails.
The extracting module 203 is configured to, if a character string is detected at the first position, extract the character string and decrypt it to obtain a decryption timestamp.
The decryption timestamp is the timestamp at which the character string was generated.
The judging module 204 is configured to judge whether the character string is a legally generated character string according to the extracted character string and the decryption timestamp.
Specifically, the determining whether the character string belongs to a legally generated character string according to the extracted character string and the decryption timestamp includes:
judging whether part of the extracted character string at a preset second position is the preset identifier or not;
if the extracted partial character string of the character string at the preset second position is the preset identifier, judging whether the decryption timestamp is in the validity period;
and if the decryption time stamp is in the valid period, determining that the character string belongs to the legally generated character string.
The second position may be the first several positions of the character string in reading order. For example, if the character string is ABCDEFG and the second position is the first 3 positions, the extracted partial character string is ABC.
When the character string is generated, a validity period can be set for its timestamp: the timestamp is valid within the validity period and invalid once the validity period is exceeded.
This timestamp check prevents a hacker from intercepting the previous character string and storing it locally to confuse the current check of the character string.
A determining module 205, configured to determine that the APP has not been tampered with if the character string belongs to a legally generated character string.
The determining module 205 is further configured to determine that the extracted character string belongs to an illegally generated character string if a part of the extracted character string at the preset second position is not the preset identifier, or the decryption timestamp is not within the validity period.
Specifically, the determining whether the character string belongs to a legally generated character string according to the extracted character string and the decryption timestamp includes:
judging whether part of the extracted character string at a preset second position is the preset identifier or not;
if the extracted partial character string of the character string at the preset second position is the preset identifier, calculating a time difference value between a time stamp of the current time and the decryption time stamp;
judging whether the time difference value is within a preset time range or not;
and if the time difference is within a preset time range, determining that the character string belongs to a legally generated character string.
If the time difference between the timestamp of the current time and the decryption timestamp is within the range of 5 s, the interval between the time the character string was generated and the current time is short, the character string is valid, and it can be determined to be a legally generated character string.
Optionally, the determining module 205 is further configured to determine that the APP has been tampered with if the APP package name identifier is checked to be inconsistent with the legal package name identifier, or no character string is detected at the first position, or the character string is an illegally generated character string;
optionally, the tamper verification apparatus further includes:
an adoption module configured to adopt a risk control policy, the risk control policy including: reporting abnormal information to a server, or controlling the APP to exit.
The abnormal information may include, but is not limited to, the current geographic location of the electronic device, device information of the electronic device, login information of the user on the APP of the electronic device, and the like. By reporting the abnormal information, the electronic device enables the server to record the related information of the electronic device in a blacklist, which prevents hackers from subsequently invading the APP again and improves the security of the APP.
Optionally, the tamper verification apparatus further includes:
a replacing module configured to replace the system method by which the system class acquires the package name with a predefined method;
a generating module configured to generate, by the predefined method, a character string according to the current timestamp and a preset identifier, and to store the character string at the first position;
and a calling module configured to call the system method again.
Specifically, method swizzling can be used to replace the bundleIdentifier method, by which the NSBundle system class acquires the package name, with a swizzle_phBundleIdentifier method; the swizzle_phBundleIdentifier method generates a character string according to the current timestamp and a preset identifier and stores the character string at the first position; the system's bundleIdentifier method is then called again.
This optional embodiment provides an anti-interception method.
This embodiment relies on a property of the load() method of a category for protection: when multiple categories exchange the same method in load(), only one is compiled.
Based on this, the interception method adopted in this scheme is as follows: a category of NSBundle is implemented internally, and in the load() method of that category, the bundleIdentifier method by which the NSBundle system class acquires the package name is exchanged and replaced by our own method, namely the swizzle_phBundleIdentifier method. The system can select only one of our interception method and the hacker's interception method for compiling; if our interception method succeeds, the hacker's interception method cannot succeed, so the hacker can be prevented from tampering with the APP.
In the prior art, the interception method adopted by hackers is as follows: a category of NSBundle is created, and in the load() method of that category the bundleIdentifier method by which the NSBundle system class acquires the package name is exchanged and replaced with the hacker's own method, which returns the user's original package name.
The comparison shows that the hacker's interception method completely replaces the system's package name acquisition method with the hacker's own method, and the package name is returned by the hacker's own method, which is illegal. The anti-interception method provides stronger protection against advanced hackers and improves the security of the APP.
Specifically, the generating a character string according to the current timestamp and the preset identifier includes:
performing BASE64 and AES encryption on the timestamp and the preset identifier to obtain intermediate encrypted data;
and carrying out RSA encryption on the intermediate encrypted data to obtain a character string.
For example, the preset identifier is PAHHOOKBUNDLEID and the time stamp is 1578997880.
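The check sequence described above (package name comparison, presence of the character string, identifier match, and the 5 s time difference) can be modelled as follows. This is an added example, not code from the patent: the function names, the com.example bundle IDs, and the plaintext layout (identifier followed by a decimal timestamp) are assumptions, and a BASE64-only stand-in codec replaces the BASE64 + AES + RSA layers so that the example runs with the standard library alone.

```python
import base64
from enum import Enum

PRESET_IDENTIFIER = "PAHHOOKBUNDLEID"  # example identifier from the description
MAX_AGE_SECONDS = 5                    # the 5 s range from the description


class Verdict(Enum):
    NOT_TAMPERED = "not tampered"
    BUNDLE_ID_MISMATCH = "package name identifier differs from the legal one"
    STRING_MISSING = "no character string at the first position"
    STRING_ILLEGAL = "character string was not legally generated"


def standin_encode(plaintext: str) -> str:
    """Constructed stand-in for the BASE64 + AES + RSA layers (BASE64 only)."""
    return base64.b64encode(plaintext.encode("utf-8")).decode("ascii")


def standin_decode(token: str) -> str:
    """Inverse of standin_encode; raises ValueError on malformed input."""
    return base64.b64decode(token, validate=True).decode("utf-8")


def make_string(now: int, encode=standin_encode) -> str:
    """What the predefined (swizzled) method would store at the first position.

    Assumed layout: preset identifier immediately followed by the timestamp.
    """
    return encode(f"{PRESET_IDENTIFIER}{int(now)}")


def is_legally_generated(token: str, now: int, decode=standin_decode) -> bool:
    """Identifier check plus time-difference check on the decrypted string."""
    try:
        plaintext = decode(token)
    except ValueError:  # malformed BASE64 or UTF-8: nothing valid to inspect
        return False
    if not plaintext.startswith(PRESET_IDENTIFIER):
        return False
    ts_text = plaintext[len(PRESET_IDENTIFIER):]
    if not (ts_text.isascii() and ts_text.isdigit()):
        return False  # empty, signed or non-numeric timestamp field
    age = now - int(ts_text)
    # Choice of this example: a timestamp from the future is rejected as well.
    return 0 <= age <= MAX_AGE_SECONDS


def check_app(reported_id, legal_id, stored_string, now, decode=standin_decode):
    """Run the checks in the order given in the description."""
    if reported_id != legal_id:
        return Verdict.BUNDLE_ID_MISMATCH
    if not stored_string:
        return Verdict.STRING_MISSING
    if not is_legally_generated(stored_string, now, decode):
        return Verdict.STRING_ILLEGAL
    return Verdict.NOT_TAMPERED


if __name__ == "__main__":
    legal = "com.example.app"            # constructed bundle ID
    stored = make_string(1578997880)     # timestamp from the description
    for now in (1578997882, 1578997886):
        print(now, check_app(legal, legal, stored, now).value)
    print(check_app("com.example.resigned", legal, stored, 1578997882).value)
```

Any verdict other than NOT_TAMPERED corresponds to the branch in which the description applies its control policy (reporting abnormal information to the server or making the APP exit).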
In the device described in fig. 2, whether the APP has been tampered with can be identified by checking the package name identifier and the character string; meanwhile, replacing the system method with a built-in method interferes with hackers, which increases the difficulty of tampering with and running the APP and effectively protects the APP against tampering.
Fig. 3 is a schematic structural diagram of an electronic device according to a preferred embodiment of the present invention, which implements a tamper checking method for an application based on an IOS operating system. The electronic device 3 comprises a memory 31, at least one processor 32, a computer program 33 stored in the memory 31 and executable on the at least one processor 32, and at least one communication bus 34.
Those skilled in the art will appreciate that the schematic diagram shown in fig. 3 is merely an example of the electronic device 3, and does not constitute a limitation of the electronic device 3, and may include more or less components than those shown, or combine some components, or different components, for example, the electronic device 3 may further include an input/output device, a network access device, and the like.
The at least one Processor 32 may be a Central Processing Unit (CPU), other general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, discrete Gate or transistor logic, discrete hardware components, etc. The processor 32 may be a microprocessor or the processor 32 may be any conventional processor or the like, and the processor 32 is a control center of the electronic device 3 and connects various parts of the whole electronic device 3 by various interfaces and lines.
The memory 31 may be used to store the computer program 33 and/or the module/unit, and the processor 32 may implement various functions of the electronic device 3 by running or executing the computer program and/or the module/unit stored in the memory 31 and calling data stored in the memory 31. The memory 31 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data (such as audio data) created according to the use of the electronic device 3, and the like. Further, the memory 31 may include a non-volatile memory, such as a hard disk, a memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), at least one magnetic disk storage device, a Flash memory device, or other non-volatile solid state storage device.
With reference to fig. 1, the memory 31 in the electronic device 3 stores a plurality of instructions to implement a tamper checking method for an application program based on an IOS operating system, and the processor 32 can execute the plurality of instructions to implement:
when detecting that an application program APP based on the IOS operating system is started, acquiring an APP package name identifier of the APP from a hook system;
verifying the APP package name identifier against a stored legal package name identifier;
if the APP package name identifier is verified to be consistent with the legal package name identifier, detecting whether a character string exists at a preset first position;
if the character string exists at the first position, extracting the character string and decrypting the character string to obtain a decryption time stamp;
judging whether the character string belongs to a legally generated character string or not according to the extracted character string and the decryption timestamp;
and if the character string belongs to the legally generated character string, determining that the APP is not tampered.
Specifically, the processor 32 may refer to the description of the relevant steps in the embodiment corresponding to fig. 1 for a specific implementation method of the instruction, which is not described herein again.
In the electronic device 3 described in fig. 3, whether the APP has been tampered with can be identified by checking the package name identifier and the character string; meanwhile, replacing the system method with a built-in method interferes with hackers, which increases the difficulty of tampering with and running the APP and effectively protects the APP against tampering.
The integrated modules/units of the electronic device 3 may be stored in a computer-readable storage medium if they are implemented in the form of software functional units and sold or used as separate products. Based on such understanding, all or part of the flow of the method according to the embodiments of the present invention may also be implemented by a computer program, which may be stored in a computer-readable storage medium, and when the computer program is executed by a processor, the steps of the method embodiments may be implemented. Wherein the computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable medium may include: any entity or device capable of carrying the computer program code, recording medium, U-disk, removable hard disk, magnetic disk, optical disk, computer Memory, and Read-Only Memory (ROM).
In the embodiments provided in the present invention, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules is only one logical functional division, and other divisions may be realized in practice.
The modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
In addition, functional modules in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional module.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference signs in the claims shall not be construed as limiting the claim concerned. The units or means recited in the system claims may also be implemented by software or hardware.
Finally, it should be noted that the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting, and although the present invention is described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications or equivalent substitutions may be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention.

Claims (10)

1. A tamper verification method of an application program based on the IOS operating system, characterized by comprising the following steps:
when detecting that an application program APP based on the IOS operating system is started, acquiring an APP package name identifier of the APP from a hook system;
verifying the APP package name identifier against a stored legal package name identifier;
if the APP package name identifier is verified to be consistent with the legal package name identifier, detecting whether a character string exists at a preset first position;
if the character string exists at the first position, extracting the character string and decrypting the character string to obtain a decryption time stamp;
judging whether the character string belongs to a legally generated character string or not according to the extracted character string and the decryption timestamp;
and if the character string belongs to the legally generated character string, determining that the APP is not tampered.
2. The IOS application based tamper verification method of claim 1, further comprising:
replacing the system method for acquiring the package name by the system class with a predefined method;
generating a character string according to the current timestamp and a preset identifier by the predefined method, and storing the character string at the first position;
calling the system method again.
3. The method of claim 2, wherein the generating a string according to the current timestamp and the preset identifier comprises:
encrypting the timestamp and a preset identifier to obtain intermediate encrypted data;
and encrypting the intermediate encrypted data to obtain a character string.
4. The method of claim 1, wherein the determining whether the string belongs to a legally generated string according to the extracted string and the decryption timestamp comprises:
judging whether part of the extracted character string at a preset second position is the preset identifier or not;
if the extracted partial character string of the character string at the preset second position is the preset identifier, judging whether the decryption timestamp is in the validity period;
and if the decryption time stamp is in the valid period, determining that the character string belongs to the legally generated character string.
5. The IOS application program tamper verification method of claim 4, further comprising:
and if the extracted partial character string of the character string at the preset second position is not the preset identifier or the decryption timestamp is not in the validity period, determining that the character string belongs to the illegally generated character string.
6. The IOS application program-based tamper verification method of claim 4, wherein said determining whether the string belongs to a legally generated string according to the extracted string and the decryption timestamp comprises:
judging whether part of the extracted character string at a preset second position is the preset identifier or not;
if the extracted partial character string of the character string at the preset second position is the preset identifier, calculating a time difference value between a time stamp of the current time and the decryption time stamp;
judging whether the time difference value is within a preset time range or not;
and if the time difference is within a preset time range, determining that the character string belongs to a legally generated character string.
7. The IOS application based tamper verification method of claim 1, further comprising:
if the APP package name identifier is verified to be inconsistent with the legal package name identifier, or no character string is detected at the first position, or the character string belongs to an illegally generated character string, determining that the APP has been tampered with;
adopting a risk control policy, wherein the risk control policy comprises: reporting abnormal information to a server, or controlling the APP to exit.
8. A tamper verification device, comprising:
an acquisition module, configured to acquire an APP package name identifier of an APP from a hook system when it is detected that the APP based on the IOS operating system is started;
a verification module, configured to verify the APP package name identifier against the stored legal package name identifier;
the verification module being further configured to detect whether a character string exists at a preset first position if the APP package name identifier is verified to be consistent with the legal package name identifier;
the extraction module is used for extracting the character string and decrypting the character string to obtain a decryption time stamp if the character string is detected to exist at the first position;
the judging module is used for judging whether the character string belongs to a legally generated character string or not according to the extracted character string and the decryption timestamp;
and the determining module is used for determining that the APP is not tampered if the character string belongs to a legally generated character string.
9. An electronic device, characterized in that the electronic device comprises a processor and a memory, the processor being configured to execute a computer program stored in the memory to implement the tamper checking method of the IOS operating system based application program according to any of claims 1 to 7.
10. A computer-readable storage medium storing at least one instruction which, when executed by a processor, implements a tamper verification method for an IOS operating system based application program according to any of claims 1 to 7.
CN202010585011.6A 2020-06-23 2020-06-23 Tamper verification method of application program based on IOS (operating system) and related equipment Pending CN111767537A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010585011.6A CN111767537A (en) 2020-06-23 2020-06-23 Tamper verification method of application program based on IOS (operating system) and related equipment

Publications (1)

Publication Number Publication Date
CN111767537A true CN111767537A (en) 2020-10-13

Family

ID=72722328

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010585011.6A Pending CN111767537A (en) 2020-06-23 2020-06-23 Tamper verification method of application program based on IOS (operating system) and related equipment

Country Status (1)

Country Link
CN (1) CN111767537A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination