CN112560022B - Method and device for detecting system interface call - Google Patents


Info

Publication number: CN112560022B
Authority: CN (China)
Prior art keywords: interface, call, information, target application, detection result
Legal status: Active
Application number: CN202011398294.XA
Other languages: Chinese (zh)
Other versions: CN112560022A (en)
Inventor: 曹世杰
Current assignee: Alipay Hangzhou Information Technology Co Ltd
Original assignee: Alipay Hangzhou Information Technology Co Ltd

Events: application filed by Alipay Hangzhou Information Technology Co Ltd; priority to CN202011398294.XA; publication of CN112560022A; application granted; publication of CN112560022B; legal status active.

Classifications

    • G06F 21/554 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity: detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F 21/566 Computer malware detection or handling: dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F 21/6245 Protecting personal data, e.g. for financial or medical purposes
    • Y02D 30/70 Reducing energy consumption in communication networks, in wireless communication networks

Abstract

One or more embodiments of the present disclosure provide a method and an apparatus for detecting a system interface call. The method includes: acquiring interface call information of a service function module in a target application for a system interface, where the interface call information is generated from an interface call request of the service function module while the target application is running; acquiring interface declaration information determined from a binary file in the application installation package of the target application, where the interface declaration information represents the function names of the callable interfaces declared by the target application; and generating a risk detection result for the interface call request against the system interface based on the acquired interface call information and interface declaration information.

Description

Method and device for detecting system interface call
Technical Field
The present document relates to the field of internet technologies, and in particular, to a method and an apparatus for detecting system interface call.
Background
At present, with the advent of the internet era, the internet has been widely used in daily study, work and life of people. Various daily transactions for people can be handled and presented through the internet. Meanwhile, with the rapid development of the mobile internet, each internet service provider provides a corresponding service for a user by developing respective application programs, and the user can install the corresponding application programs, such as a game application, a video application, a chat application, a shopping application, a payment application, and the like, in the smart phone according to respective actual demands.
However, an application installed on a user terminal needs to call system interfaces to obtain the information it requires, and some applications privately call private interfaces of the operating system to steal user privacy information, which tends to cause that information to be leaked or abused. To protect the security of user privacy information, the operating system takes corresponding control measures against such applications, and may even remove an application that calls private interfaces from the application store.
Disclosure of Invention
It is an object of one or more embodiments of the present specification to provide a method of detecting a system interface call. The method comprises the following steps:
acquiring interface call information of a service function module in a target application for a system interface, where the interface call information is generated from an interface call request of the service function module while the target application is running; acquiring interface declaration information determined from a binary file in the application installation package of the target application, where the interface declaration information represents the function names of the callable interfaces declared by the target application; and generating a risk detection result for the interface call request based on the interface call information and the interface declaration information.
It is an object of one or more embodiments of the present specification to provide a detection apparatus for system interface calls. The apparatus comprises:
a call information acquisition module that acquires interface call information of a service function module in the target application for a system interface, where the interface call information is generated from an interface call request of the service function module while the target application is running; a declaration information acquisition module that acquires interface declaration information determined from a binary file in the application installation package of the target application, where the interface declaration information represents the function names of the callable interfaces declared by the target application; and a detection result generation module that generates a risk detection result for the interface call request based on the interface call information and the interface declaration information.
It is an object of one or more embodiments of the present specification to provide a detection device for system interface calls, comprising: a processor; and a memory arranged to store computer-executable instructions.
The computer-executable instructions, when executed, cause the processor to: acquire interface call information of a service function module in a target application for a system interface, where the interface call information is generated from an interface call request of the service function module while the target application is running; acquire interface declaration information determined from a binary file in the application installation package of the target application, where the interface declaration information represents the function names of the callable interfaces declared by the target application; and generate a risk detection result for the interface call request based on the interface call information and the interface declaration information.
It is an object of one or more embodiments of the present description to provide a storage medium for storing computer-executable instructions. The executable instructions, when executed by a processor: acquire interface call information of a service function module in a target application for a system interface, where the interface call information is generated from an interface call request of the service function module while the target application is running; acquire interface declaration information determined from a binary file in the application installation package of the target application, where the interface declaration information represents the function names of the callable interfaces declared by the target application; and generate a risk detection result for the interface call request based on the interface call information and the interface declaration information.
Drawings
For a clearer description of one or more embodiments of the present description or of the solutions of the prior art, the drawings that are necessary for the description of the embodiments or of the prior art will be briefly described, it being apparent that the drawings in the description below are only some of the embodiments described in one or more of the present description, from which other drawings can be obtained, without inventive faculty, for a person skilled in the art.
FIG. 1 is a first flow diagram of a method for detecting a system interface call according to one or more embodiments of the present disclosure;
FIG. 2 is a second flow diagram of a method for detecting a system interface call according to one or more embodiments of the present disclosure;
FIG. 3 is a third flow diagram of a method for detecting a system interface call according to one or more embodiments of the present disclosure;
FIG. 4 is a fourth flow diagram of a method for detecting a system interface call according to one or more embodiments of the present disclosure;
FIG. 5 is a schematic diagram illustrating an implementation of a method for detecting a system interface call according to one or more embodiments of the present disclosure;
FIG. 6 is a schematic diagram illustrating a module composition of a system interface call detection apparatus according to one or more embodiments of the present disclosure;
FIG. 7 is a schematic structural diagram of a detection device for system interface calls provided in one or more embodiments of the present disclosure.
Detailed Description
In order for those skilled in the art to better understand the solutions in one or more embodiments of the present specification, the solutions in one or more embodiments of the present specification will be clearly and completely described below with reference to the drawings in one or more embodiments of the present specification, and it is apparent that the described embodiments are only a part of one or more embodiments of the present specification, not all embodiments. All other embodiments, which can be made by one or more of the embodiments described herein without undue effort by one of ordinary skill in the art, are intended to be within the scope of the present disclosure.
It should be noted that, without conflict, one or more embodiments and features of the embodiments in the present specification may be combined with each other. One or more embodiments of the present specification will be described in detail below with reference to the attached drawings and in conjunction with the embodiments.
One or more embodiments of the present disclosure provide a method and an apparatus for detecting a system interface call. Interface call information for a system interface is acquired in real time while the target application runs, and the interface call request of a service function module in the target application is checked for risk against interface declaration information determined from a binary file in the application installation package of the target application. Risky interface call requests can thus be intercepted in time, which improves the interface call security of the target application and prevents private calls to operating system interfaces from being used to acquire user privacy data, thereby improving the security of that data.
FIG. 1 is a first flowchart of a method for detecting a system interface call according to one or more embodiments of the present disclosure. The method in FIG. 1 can be executed by a client, by a server, or by a client and a server in cooperation. As shown in FIG. 1, the method at least includes the following steps:
S102, acquiring interface call information of a service function module in a target application for a system interface; the interface call information is generated from an interface call request of the service function module while the target application is running;
The target application is the application program (APP) to be detected. The service function module may be an internal function module that implements a specific service function in the target application, or a third-party function module in an integrated third-party software development kit (SDK). The system interface includes a public system interface or an unpublished system interface (i.e., a private interface) of the operating system of the client running the target application.
The detection of system interface calls may be applied where a client detects whether a target application calls a private interface of the operating system, or where the target application itself detects whether an integrated third-party SDK calls a private interface of the operating system, that is, the target application performs self-checking for risky interface calls while running.
Specifically, to detect whether a third-party SDK integrated in the target application calls a private interface of the operating system, detection code for system interface calls is written into the application installation package of the target application in advance. When the target application is running, it automatically runs this detection code to determine whether an interface call request issued from within the target application is a call by the third-party SDK to a private interface of the operating system, so that the target application can intercept and handle such a call request in time. This avoids the situation in which the operating system automatically restricts installation of the target application, or removes it from the application store, because of the third-party SDK's calls to private interfaces of the operating system.
S104, acquiring interface declaration information determined from a binary file in the application installation package of the target application; the interface declaration information represents the function names of the callable interfaces declared by the target application;
Specifically, before the target application is installed on the client, its application installation package is obtained and parsed to obtain the callable interface function names declared by the target application, which include implemented interface function names and imported (introduced) interface function names.
S106, generating a risk detection result for the interface call request based on the acquired interface call information and interface declaration information.
The risk detection result includes at least one of: the interface to be called is an interface declared by the target application; the interface to be called is a private interface of the operating system; and the call originates from a third-party SDK. The risk detection result may further include call source information of the interface call request. If the risk detection result is that the interface to be called is a private interface of the operating system, the interface call request is determined to be a risk call request; alternatively, if the risk detection result is that the interface to be called is a private interface of the operating system and the call originates from a third-party SDK, the interface call request is determined to be a risk call request. When the interface call request is a risk call request, it is controlled according to a preset control mode that corresponds to the risk detection result; in particular, different control modes can be applied to the interface call request according to different risk detection results.
Specifically, since the target application calls private interfaces of the operating system through the system reflection function in a reflective call mode, a preset proxy function intercepts interface call requests for the system interface made through the system reflection function, generates the corresponding interface call information from the request, and performs risk identification on the request based on that interface call information and the predetermined interface declaration information.
In one or more embodiments of the present disclosure, by acquiring interface call information for a system interface in real time during a running process of a target application, and performing risk call detection on an interface call request of a service function module in the target application by means of interface declaration information determined based on a binary file in an application installation package of the target application, an interception process on the interface call request with risk is implemented in time, so that interface call security of the target application is improved, private call on a system interface of an operating system is avoided to acquire user privacy data, and security of the user privacy data is further improved.
The interface call information includes the function name of the interface to be called. A third-party SDK is generally provided to the integrating party in binary form, so the developer of the target application does not know the SDK's code implementation, and the SDK may privately call private interfaces of the user terminal's operating system; as a result, the target application may be automatically restricted or removed from the store by the operating system because of private-interface calls it did not make itself. Risk call detection on an interface call request therefore checks both whether a private interface of the operating system is being called and whether that call originates from the third-party SDK, so that an abnormal third-party SDK can be managed in a targeted way and the normal operation of the target application is ensured. Specifically, as shown in FIG. 2, generating the risk detection result of the interface call request in S106 based on the obtained interface call information and interface declaration information includes:
S1062, generating a calling interface type detection result based on the function name of the interface to be called in the interface calling information and the function name of the callable interface in the interface declaration information;
the call interface type detection result is used for representing whether an interface to be called aimed at by an interface call request is a private interface of an operating system running a target application, and the function names of the interface to be called can include class names and method names of functions of the interface to be called, which are captured by proxy functions.
S1064, if the interface to be called is a private interface of the operating system, generating a call source detection result based on the acquired interface call information;
the call source detection result is used for characterizing whether an interface call request originates from a third party SDK integrated into a target application, namely determining whether the call request for a private interface of an operating system comes from a service function module of the third party SDK integrated in the target application, but not from a service function module of the target application itself;
correspondingly, if the interface to be called is not a private interface of the operating system, determining that the interface call request is not a risk call request, and at the moment, normally responding to the interface call request, namely returning a function pointer corresponding to the interface to be called to the service function module.
S1066, generating a risk detection result of the interface call request based on the call interface type detection result and the call source detection result.
The risk detection result may include: the detection result used for representing whether the interface call request is a risk call request or not can also comprise at least one item of identification information, call source information and call timestamp information of the interface to be called;
Specifically, if the interface to be called is a private interface of the operating system, the interface call request can be directly determined to be a risk call request and controlled in a first control mode. Alternatively, a call source detection result can further be generated from the interface call information, i.e., the source of the interface call request is determined: if the interface to be called is a private interface of the operating system and the request originates from a third-party SDK, the request is determined to be a risk call request and controlled in a second control mode; correspondingly, if the interface to be called is a private interface of the operating system but the request does not originate from a third-party SDK, the request is still determined to be a risk call request and controlled in a third control mode. The first, second and third control modes differ from one another, and each preset control mode can be set according to the actual application scenario.
Further, after the risk detection result for the currently monitored interface call request has been determined, whether that request is a risk call request is decided from the risk detection result, and the request is then either intercepted or responded to normally. Accordingly, after S106 generates the risk detection result of the interface call request from the obtained interface call information and interface declaration information, the method further includes:
determining whether the interface call request is a risk call request based on the risk detection result;
if yes, returning preset feedback information to the service function module, so that the service function module is blocked from calling the interface to be called at which the interface call request is directed;
The preset feedback information can be a preset null value or another preset character string, so that the service function module cannot obtain the corresponding user privacy information from the interface to be called, which achieves the interception of the risk call request.
If not, returning the function pointer corresponding to the interface to be called to the service function module, so that the service function module can call the interface to be called through that function pointer;
When the interface call request is determined not to be a risk call request, the function pointer of the interface to be called is returned to the service function module in the conventional way of responding to a call request, so that the service function module can obtain the corresponding information from the interface through the function pointer and provide the corresponding service function to the user.
Specifically, where an interface call request sent by a service function module in the target application to the system reflection function is intercepted by the proxy function, the proxy function determines the interface call information corresponding to the request from the intercepted request; the interface call information includes at least one of: the function name of the interface to be called, call stack information, and call environment information;
After the risk detection result of the interface call request has been generated from the interface call information and the predetermined interface declaration information, if the request is determined to be a risk call request, the proxy function either directly returns the preset feedback information to the corresponding service function module, or sends the preset feedback information to the system reflection function, which returns it to the corresponding service function module;
Correspondingly, if the interface call request is not a risk call request, the proxy function triggers the system reflection function to obtain the function pointer of the interface to be called. That is, the proxy function hands code execution back to the system reflection function, which obtains the function pointer; the system reflection function then either returns the pointer to the proxy function, which returns it to the corresponding service function module, or returns it directly to the corresponding service function module.
As for how the client determines the interface call information while the target application is running, as shown in FIG. 3, S102 above (acquiring the interface call information of the service function module in the target application for the system interface) specifically includes:
S1022, monitoring interface call requests of a service function module in the target application for the system reflection function; an interface call request carries the function name of the interface to be called;
To implement some special functions, the corresponding service function module calls the system reflection function, which obtains the corresponding function pointer from the interface to be called and returns it to the service function module, so that the module can obtain the corresponding information through the pointer. For example, if the service function of the module is to obtain the MAC address of the client, the function name of the interface to be called is the name of the interface that returns the MAC address.
S1024, routing the interface call request to a preset proxy function by means of aspect-oriented programming;
The preset proxy function is a function implemented in the target application; the call logic for the system reflection function is redirected, by aspect-oriented means, to another function (namely the preset proxy function), which serves as the carrier for monitoring calls to the system reflection function. In a specific implementation, calls to the system reflection functions (NSClassFromString, NSSelectorFromString, performSelector:, @selector(privateApiName)) can be transferred to the preset proxy function by function replacement, which can be realized through method_exchangeImplementations or fishhook. Because the system reflection function is replaced by the preset proxy function when the service function module calls it, the preset proxy function can record the function name of the interface to be called that the interface call request carries. In other words, the ability to capture reflective call information is obtained through the aspect capability; combined with the callable interface function names declared by the target application, this allows calls by third-party libraries in the target application to private system interfaces to be detected in real time, so that risk call requests are intercepted and blocked dynamically.
S1026, acquiring call link information corresponding to the interface call request through the preset proxy function; the call link information includes call stack information and/or call context information;
S1028, generating the interface call information of the service function module in the target application for the system interface based on the function name of the interface to be called and the call link information; the interface call information is used at least to determine the call interface type of the interface call request currently to be detected and the call source information of that request.
The interface declaration information of the target application is determined after the application installation package of the target application has been obtained and before the target application is installed on the client. Accordingly, before S104 (obtaining the interface declaration information determined based on the binary file in the application installation package of the target application), the method further includes:
S108, acquiring the application installation package of the target application;
S110, extracting, from the obtained application installation package, the binary file that controls the global configuration of the target application; specifically, extracting Info.plist from the obtained application installation package and determining, based on Info.plist, the name of the binary file that controls the global configuration of the target application;
S112, determining the interface declaration information declared for the target application based on the implemented-interface function names corresponding to the implementation function section and the imported-interface function names corresponding to the import function section in the extracted binary file; the implementation function section and the import function section may include: __objc_classlist, __objc_classname, __objc_methname.
In implementation, Info.plist is extracted from the application installation package, the name of the required binary file is read from the Executable file field of Info.plist, and the function names declared by that binary file are then obtained quickly with the open-source tool class-dump.
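As an added illustration of steps S108 to S112 (example code, not code from the patent), the following Python reads a constructed Info.plist with plistlib to find the executable name, assuming that the "Executable file" field named above corresponds to the CFBundleExecutable key, and then parses a constructed class-dump-style listing into the class names and method selectors the binary declares. That set is the interface declaration information the running check later compares requested names against. Parsing class-dump text stands in for reading the __objc_* sections directly; every class, selector and bundle name below is made up.

```python
import plistlib
import re

# Constructed Info.plist standing in for the one extracted from the
# application installation package (sample data, not from the patent).
INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleExecutable</key>
    <string>ExampleApp</string>
    <key>CFBundleIdentifier</key>
    <string>com.example.app</string>
</dict>
</plist>
"""

# Constructed excerpt in the style of class-dump output for the binary named
# above; class and selector names are hypothetical.
CLASS_DUMP_OUTPUT = """\
@interface PaymentViewController : UIViewController
{
    id _model;
}
- (void)viewDidLoad;
- (void)submitPaymentWithAmount:(id)amount currency:(id)currency;
+ (instancetype)controllerForOrder:(id)order;
@end

@interface ContactHelper : NSObject
- (NSArray *)loadAddressBook;
@end
"""


def executable_name(plist_bytes: bytes) -> str:
    """Return the binary name the bundle configuration points at.

    Assumption: the patent's 'Executable file' field is the CFBundleExecutable key.
    """
    return plistlib.loads(plist_bytes)["CFBundleExecutable"]


_METHOD_RE = re.compile(r"^[-+]\s*\([^)]*\)\s*(.+?);\s*$")   # '- (ret)name...;'
_CLASS_RE = re.compile(r"^@interface\s+(\w+)")


def _selector_of(signature: str) -> str:
    """Turn 'submitPaymentWithAmount:(id)amount currency:(id)currency' into
    the selector 'submitPaymentWithAmount:currency:'."""
    if ":" not in signature:
        return signature.strip()
    # Each keyword segment is 'name:(type)arg'; keep only the 'name:' parts.
    return "".join(m.group(1) for m in re.finditer(r"(\w+:)", signature))


def declared_interfaces(dump_text: str) -> dict:
    """Build the interface declaration information: the class names and the
    selectors of the methods the binary implements."""
    classes, selectors = set(), set()
    for line in dump_text.splitlines():
        cm = _CLASS_RE.match(line)
        if cm:
            classes.add(cm.group(1))
            continue
        mm = _METHOD_RE.match(line.strip())
        if mm:
            selectors.add(_selector_of(mm.group(1)))
    return {"classes": classes, "selectors": selectors}


def is_callable_interface(declaration: dict, function_name: str) -> bool:
    """The run-time check: a requested name is callable only if declared."""
    return (function_name in declaration["classes"]
            or function_name in declaration["selectors"])
```

A practitioner would run class-dump once per build, serialize the resulting set with the build identifier, and ship it with the app or to the server, as the distribution alternatives described below require; the set must be regenerated for every binary, because a stale allowlist would flag newly added application methods as private interfaces.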
The process of determining the interface declaration information of the target application from its application installation package can be executed by the client or by the server; correspondingly, the comparison of the function name of the interface to be called, obtained while the target application is running, with the function names of the callable interfaces in the predetermined interface declaration information can likewise be executed by the client or by the server.
Specifically, where the client performs the comparison between the function name of the interface to be called and the function names of the callable interfaces, and the server determines the interface declaration information of the target application, the server sends the interface declaration information to the client after determining it, and the client stores it locally, so that during the subsequent control of the client's call requests the interface declaration information of the target application is obtained directly from local storage.
Correspondingly, where the client both performs the comparison between the function name of the interface to be called and the function names of the callable interfaces and determines the interface declaration information of the target application, the client determines the interface declaration information from the application installation package after receiving it and stores the interface declaration information locally, so that during the subsequent control of the client's call requests the interface declaration information of the target application is obtained directly from local storage.
Correspondingly, where the server both performs the comparison between the function name of the interface to be called and the function names of the callable interfaces and determines the interface declaration information of the target application, the server determines and stores the interface declaration information from the application installation package after acquiring it; after receiving the interface call information determined from the interface call request to be detected currently, sent by the client, the server compares the interface call information with the interface declaration information of the target application to obtain a corresponding interface comparison result and sends it to the client, so that the client generates the risk detection result of the interface call request from the interface comparison result; alternatively, the server generates the risk detection result of the interface call request from the interface comparison result and sends the risk detection result to the client.
It should be noted that variants in which the steps of the risk detection process for the interface call request are distributed between the client and the server fall within the protection scope of one or more embodiments of the present disclosure and are not described again here.
Specifically, to improve the accuracy and specificity of the control over private interface calls of the operating system, after an interface call request is routed from the system reflection function to the preset proxy function, the preset proxy function not only parses the function name of the interface to be called from the interface call request but also obtains, from the corresponding system interface, the interface call link information corresponding to the interface call request currently being detected, and takes the function name of the interface to be called together with the interface call link information as the interface call information. On this basis, the interface call information further includes interface call link information, which is used for determining the call source information of the interface call request.
Correspondingly, as shown in fig. 4, in S1064, if the interface to be called is a private interface of the operating system, generating the call source detection result based on the obtained interface call information specifically includes:
S10642, if the interface to be called is a private interface of the operating system, determining the function module identification information of the service function module based on the interface call link information in the acquired interface call information;
S10644, judging, based on the determined function module identification information, whether the service function module belongs to a third-party SDK integrated into the target application;
if the judgment result is yes, S10646, generating a call source detection result representing that the interface call request originates from a third-party SDK integrated into the target application;
if the judgment result is no, S10648, generating a call source detection result representing that the call source of the interface call request is not a third-party SDK of the target application.
Specifically, when determining the function module identification information of the service function module, call stack information and call environment information can be introduced at the same time. On the one hand this improves the accuracy of determining the function module identification information; on the other hand it avoids the situation in which a call source detection result cannot be generated correctly because the identification information determined from the call stack information alone, or from the call environment information alone, is wrong. On this basis, the interface call link information includes call stack information and call environment information.
Correspondingly, step S10642, determining the function module identification information of the service function module based on the interface call link information in the obtained interface call information, includes:
determining, based on the call stack information, a first call source identifier for the initial sender of the interface call request; specifically, when the target application calls an interface, the functions call downward layer by layer, and when the current layer is reached the corresponding call stack information has been formed; analysing the call stack information therefore yields the top-most call source of the interface call request;
determining, based on the call environment information, a second call source identifier corresponding to the service page on which the target application is currently located; specifically, since the call link information is a function call sequence at the technical layer, the operating page on which the target application is currently located cannot be determined from it alone, so call stack information and call environment information are introduced together: the first call source identifier is determined from the function call sequence, the second call source identifier is determined from the operating page on which the target application is currently located, and the function module identification information of the service function module is then determined from both;
determining the function module identification information of the service function module based on the first call source identifier and the second call source identifier.
Specifically, the first call source identifier includes the initial call sequence determined from the function call sequence, and the second call source identifier includes the page identifier of the operating page on which the target application is currently located; the identification information of the service function module corresponding to the initial call sequence determined from the call stack information and to the operating page on which the target application is currently located is taken as the function module identification information of the service function module.
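The following Python is an added example of steps S10642 to S10648 (not code from the patent). It derives the first call source identifier by walking a constructed call stack, innermost frame first, past the proxy function and runtime glue to the image that actually initiated the request; derives the second identifier from the page carried in the call context; and combines the two into a module identification and a call source detection result. The frame images, page names, SDK names and the owner table are all hypothetical. It also covers the failure mode the passage mentions: when the stack yields no usable frame, the page identifier still produces a result instead of none.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    image: str    # binary image (application or library) owning the frame
    symbol: str   # function or method symbol within that image


# Constructed knowledge about the target application (hypothetical names):
# which images are third-party SDKs and which app module owns each page.
THIRD_PARTY_IMAGES = {"AdTrackingSDK": "sdk.adtracking", "CrashKit": "sdk.crashkit"}
PAGE_OWNER = {"PaymentPage": "app.payment", "ProfilePage": "app.profile"}
APP_IMAGE = "ExampleApp"
PROXY_SYMBOL = "proxy_reflection"
RUNTIME_IMAGES = {"libobjc.A.dylib", "Foundation", "libdyld.dylib"}


def first_call_source(stack: list[Frame]) -> str | None:
    """First call source identifier, from call stack information.

    The stack is innermost frame first, so the first frame that is neither
    the proxy function nor runtime glue belongs to the caller that initiated
    the interface call. Returns None when no usable frame exists (for
    instance when symbols are stripped), so the caller can fall back.
    """
    for frame in stack:
        if frame.symbol == PROXY_SYMBOL or frame.image in RUNTIME_IMAGES:
            continue
        return frame.image
    return None


def second_call_source(context: dict) -> str | None:
    """Second call source identifier: the page the application is showing."""
    return context.get("current_page")


def identify_module(stack: list[Frame], context: dict) -> dict:
    """Combine both identifiers into function module identification
    information and the call source detection result (S10644-S10648)."""
    first = first_call_source(stack)
    second = second_call_source(context)
    if first in THIRD_PARTY_IMAGES:
        module = THIRD_PARTY_IMAGES[first]
    elif first == APP_IMAGE or first is None:
        # Application code, or a stack that told us nothing: use the page owner.
        module = PAGE_OWNER.get(second, "app.unknown")
    else:
        module = f"unknown:{first}"       # an image we have no record of
    is_sdk = module.startswith("sdk.")
    return {
        "first_source": first,
        "second_source": second,
        "module": module,
        "call_source_result": "third_party_sdk" if is_sdk else "not_third_party_sdk",
    }
```

In a real deployment the frame images would come from symbolicating the captured backtrace against the loaded images, and the owner table from the app's own page registry; the decision logic above does not change.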
Further, to improve the efficiency of detecting system interface calls, each time an interface call request is determined to be a risk call request, an interface call interception rule corresponding to that risk call request is determined and stored. In this way interception rules are generated from the interface call information of risk call requests identified earlier, and after a new interface call request to be detected is monitored, its interface call information is first matched against the pre-stored interception rules as a preliminary screening. If the preliminary screening indicates that the interface call request is not a risk call request, a secondary risk identification is performed based on the interface call information and the interface declaration information; if the preliminary screening indicates that it is a risk call request, risk control is applied to the request directly. On this basis, after step S10646 generates the call source detection result representing that the interface call request originates from a third-party SDK integrated into the target application, the method further includes:
generating an interface call interception rule based on the function name of the interface to be called and the interface call link information;
adding the interface call interception rule to the call interception rule set established for the target application; specifically, the call interception rule set serves as the preliminary screening basis for the risk detection of the next interface call request of the target application.
The generation of the interface call interception rule can be executed by the client or by the server. When executed by the server, the server has to issue the interface call interception rule to the client so that the client adds it to the call interception rule set established for the target application; when executed by the client, the client adds the interface call interception rule directly to the call interception rule set established for the target application, so as to perform the preliminary risk identification for the next monitored interface call request.
Each time an interface call request is determined to be a risk call request, the corresponding interface call interception rule is determined and stored, and after an interface call request to be detected is monitored, its interface call information is matched against the pre-stored interception rules as a preliminary screening. Specifically, S1062, generating the call interface type detection result based on the function name of the interface to be called in the interface call information and the function names of the callable interfaces in the interface declaration information, includes:
step one, matching the acquired interface call information against the interface call interception rules in the call interception rule set corresponding to the target application to obtain a corresponding interception rule matching result;
step two, if the interception rule matching result is that no interface call interception rule matches the interface call information, comparing the function name of the interface to be called with the function names of the callable interfaces to obtain a corresponding function name comparison result;
step three, generating the call interface type detection result according to the function name comparison result. Specifically, suppose the function names of the callable interfaces include symbol A and symbol B: if the function name of the interface to be called is symbol A or symbol B, the interface targeted by the interface call request is determined not to be a private interface of the operating system running the target application, i.e. a safe interface call; if the function name of the interface to be called is symbol C, the targeted interface is determined to be a private interface of the operating system running the target application, i.e. an unsafe interface call.
Specifically, when the call interception rule set contains no interface call interception rule matching the interface call request to be detected currently, the function name of the interface to be called still has to be compared with the function names of the callable interfaces to determine whether the interface call request is a risk call request; that is, call interface type identification and call source identification continue to be performed on the interface call request.
Specifically, for the determination of the call interface type detection result, step three, generating the call interface type detection result according to the function name comparison result, specifically includes:
if the function name comparison result is that the function name of the interface to be called does not belong to the function names of the callable interfaces, generating a call interface type detection result representing that the interface targeted by the interface call request is a private interface of the operating system running the target application;
if the function name comparison result is that the function name of the interface to be called belongs to the function names of the callable interfaces, generating a call interface type detection result representing that the interface targeted by the interface call request is not a private interface of the operating system running the target application.
Further, when the call interception rule set contains an interface call interception rule matching the interface call request to be detected currently, a risk detection result indicating that the interface call request is determined to be a risk call request can be generated directly, after which the interface call request is intercepted and controlled. Specifically, after step one, matching the obtained interface call information against the interface call interception rules in the call interception rule set corresponding to the target application and obtaining the corresponding interception rule matching result, the method further includes:
if the interception rule matching result is that an interface call interception rule matches the interface call information, determining that the interface call request is a risk call request.
Specifically, if the interface call information matches any original interface call interception rule in the previously stored call interception rule set, or any interface call interception rule obtained by combining original rules, the monitored interface call request is determined to be a risk call request;
correspondingly, if the interface call information matches neither any original interface call interception rule in the previously stored call interception rule set nor any interception rule obtained by combination, the monitored interface call request is determined not to be a risk call request.
In implementation, where the interface call information includes the function name of the interface to be called and the call link information, an interface call interception rule includes the function name of the private interface targeted by the risk call request and the risk call link information corresponding to that risk call request; if the function name of the interface to be called equals the private interface function name and the call link information corresponding to the interface call request to be detected equals the risk call link information, the interception rule matching result is that an interface call interception rule matches the interface call information. Correspondingly, a combined interface call interception rule may be obtained by combining the private interface function name of a first interception rule with the risk call link information of a second interception rule, where the first interception rule and the second interception rule are different interface call interception rules in the call interception rule set corresponding to the target application.
In a specific embodiment, as shown in fig. 5, the specific process of the detection method for system interface calls is:
monitoring an interface call request of a service function module in the target application for a system reflection function; the interface call request carries the function name of the interface to be called; the service function module can be any one of service function module 1 to service function module n, the interface to be called can be any one of system interface 1 to system interface m, and any one of system interfaces 1 to m can be a public system interface or a private system interface;
routing the interface call request to the preset proxy function by aspect-oriented programming;
acquiring call link information corresponding to the interface call request through the preset proxy function; the call link information includes call stack information and/or call context information;
matching the function name of the interface to be called and the call link information against the interface call interception rules in the call interception rule set corresponding to the target application;
if an interface call interception rule matching the interface call request exists, determining that the interface call request is a risk call request and returning a character string representing a null value to the service function module through the preset proxy function;
if no interface call interception rule matching the interface call request exists, comparing the function name of the interface to be called with the function names of the preset callable interfaces;
if the function name of the interface to be called does not belong to the function names of the callable interfaces, i.e. the interface to be called is a private system interface, determining based on the call link information whether the interface call request originates from a third-party SDK integrated into the target application; if the call source is a third-party SDK, determining that the interface call request is a risk call request and returning a character string representing a null value to the service function module through the preset proxy function; correspondingly, if the call source is not a third-party SDK, returning a character string representing a null value or an abnormal call prompt to the service function module through the preset proxy function;
if the function name of the interface to be called belongs to the function names of the callable interfaces, i.e. the interface to be called is not a private system interface, calling the system reflection function from the preset proxy function to obtain the function pointer of the interface to be called, and returning the function pointer to the service function module through the reflection function or the proxy function so that the service function module can obtain the required information through the function pointer.
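The whole flow of fig. 5, together with the proxy-function routing described for S1024 to S1028 and the interception rule set of steps one to three, as an added Python example that is not code from the patent: a stand-in reflection function is swapped out of a binding table for the proxy (the analogue of method_exchangeImplementations or fishhook rebinding), the proxy screens each request against learnt rules, including rules combined from the private name of one rule and the risk link of another, then checks the callable set and the call source, and returns either the real function pointer, the null string or an abnormal-call prompt. The system interface table, the callable set, the SDK image names and the pointer values are constructed; call link information is taken as already derived (caller image plus page).

```python
from dataclasses import dataclass

# Constructed stand-ins (not from the patent): interfaces the operating system
# resolves through reflection, with made-up addresses acting as function
# pointers; a leading underscore marks the private ones for readability only.
SYSTEM_INTERFACES = {
    "viewDidLoad": 0x1000, "loadAddressBook": 0x1010,
    "_privateDeviceSerial": 0x2000, "_privateContactsDump": 0x2010,
}
# Interface declaration information recovered from the application binary.
CALLABLE_INTERFACES = {"viewDidLoad", "loadAddressBook", "submitPayment:"}
# Images known to belong to third-party SDKs integrated into the application.
THIRD_PARTY_SDK_IMAGES = {"AdTrackingSDK", "CrashKit"}
NULL_RESULT = ""   # the "character string representing a null value"


@dataclass(frozen=True)
class CallLink:
    caller_image: str   # derived from call stack information
    page: str           # derived from call context information


@dataclass(frozen=True)
class InterceptionRule:
    private_name: str   # function name of the private interface
    link: CallLink      # risk call link information


def system_reflection(name):
    """Stand-in for the system reflection function (e.g. NSClassFromString)."""
    return SYSTEM_INTERFACES.get(name)


class InterfaceCallGuard:
    """Holds the preset proxy function and the call interception rule set."""

    def __init__(self, original_reflection):
        self._reflection = original_reflection
        self.rules = set()
        self.log = []

    def rule_matches(self, name, link):
        """Preliminary screening. A request matches if it equals an original
        rule or a rule combined from the private name of one rule and the
        risk link of another, i.e. name and link each occur in the set."""
        names = {r.private_name for r in self.rules}
        links = {r.link for r in self.rules}
        return name in names and link in links

    def proxy(self, name, link):
        """The preset proxy function the reflection call is routed to."""
        if self.rule_matches(name, link):
            return self._finish(name, link, "risk:rule-match", NULL_RESULT)
        if name in CALLABLE_INTERFACES:          # declared, hence not private
            return self._finish(name, link, "safe", self._reflection(name))
        if link.caller_image in THIRD_PARTY_SDK_IMAGES:
            self.rules.add(InterceptionRule(name, link))   # learn for next time
            return self._finish(name, link, "risk:sdk-private", NULL_RESULT)
        prompt = f"abnormal call: {name} is a private interface"
        return self._finish(name, link, "abnormal:app-private", prompt)

    def _finish(self, name, link, verdict, result):
        self.log.append((name, link, verdict))
        return result


def install_guard(bindings):
    """Replace the reflection entry in a binding table with the proxy; the
    swap stands in for method_exchangeImplementations / fishhook rebinding."""
    guard = InterfaceCallGuard(bindings["NSClassFromString"])
    bindings["NSClassFromString"] = guard.proxy
    return guard


def run_demo():
    bindings = {"NSClassFromString": system_reflection}
    guard = install_guard(bindings)
    lookup = bindings["NSClassFromString"]        # what service modules now call
    app_link = CallLink("ExampleApp", "PaymentPage")
    ad_link = CallLink("AdTrackingSDK", "PaymentPage")
    crash_link = CallLink("CrashKit", "ProfilePage")
    results = [
        lookup("loadAddressBook", app_link),         # declared -> real pointer
        lookup("_privateDeviceSerial", ad_link),     # SDK + private -> "" and rule learnt
        lookup("_privateDeviceSerial", ad_link),     # same request -> rule match
        lookup("_privateContactsDump", crash_link),  # second rule learnt
        lookup("_privateContactsDump", ad_link),     # combined rule -> blocked early
        lookup("_privateDeviceSerial", app_link),    # app + private -> prompt
    ]
    return guard, results


if __name__ == "__main__":
    guard, results = run_demo()
    for entry, result in zip(guard.log, results):
        print(entry, "->", repr(result))
```

The combined-rule match is deliberately the cross product of known private names and known risk links; that widens the preliminary screen after only a few incidents, which is the efficiency gain the text describes, but it also means a rule set should be scoped per application build and reviewed when a legitimately declared interface is later renamed.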
According to the detection method for system interface calls in one or more embodiments of the present disclosure, interface call information of a service function module in a target application for a system interface is obtained, the interface call information being generated from an interface call request of the service function module while the target application is running; interface declaration information determined based on the binary file in the application installation package of the target application is obtained, the interface declaration information representing the function names of the callable interfaces declared by the target application; and a risk detection result of the interface call request for the system interface is generated based on the obtained interface call information and interface declaration information. Because interface call information for system interfaces is obtained in real time while the target application runs, and the interface call requests of the service function modules in the target application are subjected to risk detection using interface declaration information derived from the binary file in the application installation package, risky interface call requests are intercepted in time, the interface call security of the target application is improved, private calls to system interfaces of the operating system for obtaining user privacy data are prevented, and the security of user privacy data is further improved.
Corresponding to the method for detecting a system interface call described with reference to fig. 1 to 5, and based on the same technical concept, one or more embodiments of the present disclosure further provide a device for detecting a system interface call. Fig. 6 is a schematic block diagram of this device, which is configured to execute the method for detecting a system interface call described with reference to fig. 1 to 5; as shown in fig. 6, the device includes:
a call information acquisition module 602, which acquires interface call information of a service function module in a target application for a system interface; the interface call information is generated from an interface call request of the service function module while the target application is running;
a declaration information acquisition module 604, which acquires interface declaration information determined based on the binary file in the application installation package of the target application; the interface declaration information represents the function names of the callable interfaces declared by the target application;
and a detection result generation module 606, which generates a risk detection result of the interface call request based on the interface call information and the interface declaration information.
The detection device for system interface calls in one or more embodiments of the present disclosure obtains interface call information of a service function module in a target application for a system interface, the interface call information being generated from an interface call request of the service function module while the target application is running; obtains interface declaration information determined based on the binary file in the application installation package of the target application, the interface declaration information representing the function names of the callable interfaces declared by the target application; and generates a risk detection result of the interface call request for the system interface based on the obtained interface call information and interface declaration information. Because interface call information for system interfaces is obtained in real time while the target application runs, and the interface call requests of the service function modules in the target application are subjected to risk detection using interface declaration information derived from the binary file in the application installation package, risky interface call requests are intercepted in time, the interface call security of the target application is improved, private calls to system interfaces of the operating system for obtaining user privacy data are prevented, and the security of user privacy data is further improved.
It should be noted that the embodiment of the detection device for system interface calls and the embodiment of the detection method for system interface calls in this specification are based on the same inventive concept, so the specific implementation of this embodiment may refer to the implementation of the corresponding detection method for system interface calls described above, and the repeated parts are not described again.
Further, according to the method shown in fig. 1 to 5 and based on the same technical concept, one or more embodiments of the present disclosure further provide a detection device for system interface calls, configured to perform the method for detecting a system interface call, as shown in fig. 7.
The detection device for system interface calls may vary considerably in configuration or performance, and may include one or more processors 701 and a memory 702, where the memory 702 may store one or more application programs or data. The memory 702 may be transient storage or persistent storage. The application programs stored in the memory 702 may include one or more modules (not shown in the figures), each of which may include a series of computer-executable instructions for the detection device for system interface calls. Further, the processor 701 may be configured to communicate with the memory 702 and to execute a series of computer-executable instructions held in the memory 702 on the detection device for system interface calls. The detection device for system interface calls may also include one or more power supplies 703, one or more wired or wireless network interfaces 704, one or more input/output interfaces 705, one or more keyboards 706, and the like.
In a particular embodiment, the detection device for system interface calls includes a memory and one or more programs stored in the memory; the one or more programs may include one or more modules, each of which may include a series of computer-executable instructions for the detection device for system interface calls, and the one or more programs are configured to be executed by one or more processors and include computer-executable instructions for:
acquiring interface call information of a service function module in a target application for a system interface; the interface call information is generated from an interface call request of the service function module while the target application is running;
acquiring interface declaration information determined based on the binary file in the application installation package of the target application; the interface declaration information represents the function names of the callable interfaces declared by the target application;
and generating a risk detection result of the interface call request based on the interface call information and the interface declaration information.
The detection device for system interface calls in one or more embodiments of the present disclosure obtains interface call information of a service function module in a target application for a system interface, the interface call information being generated from an interface call request of the service function module while the target application is running; obtains interface declaration information determined based on the binary file in the application installation package of the target application, the interface declaration information representing the function names of the callable interfaces declared by the target application; and generates a risk detection result of the interface call request for the system interface based on the obtained interface call information and interface declaration information. Because interface call information for system interfaces is obtained in real time while the target application runs, and the interface call requests of the service function modules in the target application are subjected to risk detection using interface declaration information derived from the binary file in the application installation package, risky interface call requests are intercepted in time, the interface call security of the target application is improved, private calls to system interfaces of the operating system for obtaining user privacy data are prevented, and the security of user privacy data is further improved.
It should be noted that the embodiment of the detection device for system interface calls and the embodiment of the detection method for system interface calls in this specification are based on the same inventive concept, so the specific implementation of this embodiment may refer to the implementation of the corresponding detection method for system interface calls described above, and the repeated parts are not described again.
Further, according to the method shown in fig. 1 to 5, based on the same technical concept, one or more embodiments of the present disclosure further provide a storage medium, which is used to store computer executable instructions, and in a specific embodiment, the storage medium may be a U disc, an optical disc, a hard disk, etc., where the computer executable instructions stored in the storage medium can implement the following flow when executed by a processor:
acquiring interface calling information of a service function module in a target application aiming at a system interface; the interface call information is generated based on an interface call request of the service function module when the target application is in an operation state;
acquiring interface declaration information determined based on a binary file in an application installation package of the target application; the interface declaration information is used for representing the function name of the callable interface of the target application declaration;
and generating a risk detection result of the interface call request based on the interface call information and the interface declaration information.
The computer executable instructions stored in the storage medium in one or more embodiments of the present disclosure, when executed by the processor, acquire interface call information of a service function module in a target application for a system interface, the interface call information being generated based on an interface call request of the service function module while the target application is in a running state; acquire interface declaration information determined based on a binary file in the application installation package of the target application, the interface declaration information representing the function names of the callable interfaces declared by the target application; and generate a risk detection result for the interface call request directed at the system interface based on the acquired interface call information and interface declaration information. Because the interface call information for the system interface is obtained in real time while the target application runs, and the interface call requests of service function modules in the target application are subjected to risk detection with the help of interface declaration information determined from the binary file in the application installation package of the target application, interface call requests that carry risk are intercepted in time, the interface call security of the target application is improved, covert calls to private system interfaces of the operating system to obtain user privacy data are prevented, and the security of user privacy data is further improved.
It should be noted that the embodiment of the storage medium and the embodiment of the detection method for system interface calls in the present specification are based on the same inventive concept, so the specific implementation of this embodiment may refer to the implementation of the foregoing corresponding detection method for system interface calls, and repeated details are omitted.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
In the 1990s, an improvement to a technology could be clearly distinguished as an improvement in hardware (for example, an improvement to a circuit structure such as a diode, transistor or switch) or an improvement in software (an improvement to a method flow). However, with the development of technology, many of today's improvements to method flows can be regarded as direct improvements to hardware circuit structures. Designers almost always obtain a corresponding hardware circuit structure by programming the improved method flow into a hardware circuit. Therefore, it cannot be said that an improvement to a method flow cannot be realized by a hardware entity module. For example, a programmable logic device (PLD) (for example, a field programmable gate array (FPGA)) is an integrated circuit whose logic function is determined by the user programming the device. A designer programs to "integrate" a digital system onto a PLD without requiring the chip manufacturer to design and fabricate an application-specific integrated circuit chip. Moreover, instead of manually manufacturing integrated circuit chips, such programming is nowadays mostly implemented with "logic compiler" software, which is similar to the software compiler used in program development; the source code before compilation is also written in a specific programming language, called a hardware description language (HDL), and there is not just one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM and RHDL (Ruby Hardware Description Language), of which VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog are currently the most commonly used.
It will also be apparent to those skilled in the art that a hardware circuit implementing the logic method flow can be readily obtained with only a little logic programming of the method flow into an integrated circuit using one of the hardware description languages described above.
The controller may be implemented in any suitable manner; for example, the controller may take the form of a microprocessor or processor together with a computer readable medium storing computer readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, application specific integrated circuits (ASIC), programmable logic controllers, or embedded microcontrollers, examples of which include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicon Labs C8051F320; a memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller purely in computer readable program code, it is entirely possible to implement the same functionality by logically programming the method steps such that the controller takes the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers, and the like. Such a controller may thus be regarded as a hardware component, and the means included therein for performing various functions may also be regarded as structures within the hardware component. The means for achieving the various functions may even be regarded both as software modules implementing the methods and as structures within hardware components.
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. One typical implementation is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being functionally divided into various units. Of course, when one or more embodiments of the present description are implemented, the functions of each unit may be implemented in one or more software and/or hardware elements.
One skilled in the relevant art will recognize that one or more of the embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, one or more of the present specification may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, one or more of the present description can take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
One or more of the present description is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to one or more embodiments of the specification. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, Random Access Memory (RAM) and/or nonvolatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, Phase Change Memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, Compact Disc Read Only Memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape disk storage or other magnetic storage devices, or any other non-transmission medium which can be used to store information that can be accessed by a computing device. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
One or more of the present description may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. One or more of the present description may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
In this specification, the embodiments are described in a progressive manner; identical and similar parts of the embodiments may be referred to one another, and each embodiment mainly describes its differences from the other embodiments. In particular, since the system embodiments are substantially similar to the method embodiments, their description is relatively simple, and for relevant details reference may be made to the description of the method embodiments.
The foregoing description is merely illustrative of one or more embodiments of the present disclosure and is not intended to limit the one or more embodiments of the present disclosure. Various modifications and alterations to one or more of this description will become apparent to those skilled in the art. Any modifications, equivalent substitutions, improvements, or the like, which are within the spirit and principles of one or more of the present description, are intended to be included within the scope of the claims of one or more of the present description.

Claims (22)

1. A method for detecting a system interface call, comprising:
acquiring interface calling information of a service function module in a target application aiming at a system interface; the interface call information is generated based on an interface call request of the service function module when the target application is in an operation state; the interface call information includes: function name of interface to be called;
acquiring interface declaration information determined based on a binary file in an application installation package of the target application; the interface declaration information is used for representing the function name of the callable interface of the target application declaration;
generating a call interface type detection result based on the function name of the interface to be called and the function names of the callable interfaces, wherein the call interface type detection result is used for representing whether the interface to be called for which the interface call request is directed is a private interface of an operating system running the target application;
if the interface to be called is a private interface of the operating system, generating a call source detection result based on the interface call information, wherein the call source detection result is used for representing whether the interface call request originates from a third party SDK integrated into the target application;
and generating a risk detection result of the interface call request based on the call interface type detection result and the call source detection result.
2. The method of claim 1, wherein after generating the risk detection result of the interface call request based on the call interface type detection result and the call source detection result, further comprising:
judging whether the interface call request is a risk call request or not based on the risk detection result;
if yes, returning preset feedback information to the service function module so that the service function module's call to the interface to be called for which the interface call request is directed is intercepted;
and if not, returning a function pointer corresponding to the interface to be called to the service function module so as to allow the service function module to call the interface to be called for which the interface call request is directed based on the function pointer.
3. The method of claim 1, wherein the obtaining interface call information of the service function module in the target application for the system interface comprises:
monitoring an interface call request of a service function module in a target application aiming at a system reflection function; the interface calling request carries the function name of the interface to be called;
routing the interface call request to a preset proxy function by means of aspect-oriented programming;
acquiring call link information corresponding to the interface call request through the preset proxy function;
and generating interface calling information of the service function module aiming at a system interface based on the function name of the interface to be called and the calling link information.
4. The method of claim 1, wherein prior to obtaining interface declaration information determined based on the binary file in the application installation package of the target application, further comprising:
acquiring an application installation package of the target application;
extracting a binary file for controlling global configuration of the target application from the application installation package;
and determining the interface declaration information declared for the target application based on the implemented interface function names corresponding to the implemented-function section and the imported interface function names corresponding to the imported-function section in the binary file.
5. The method of claim 1, wherein the interface call information further comprises: interface call link information;
the generating a call source detection result based on the interface call information includes:
determining the function module identification information of the service function module based on the interface call link information;
judging whether the service function module belongs to a third party SDK integrated into the target application or not based on the function module identification information;
and if so, generating a call source detection result for representing that the interface call request originates from the third party SDK integrated into the target application.
6. The method of claim 5, wherein after generating a call source detection result characterizing that the interface call request originates from a third party SDK integrated into the target application, further comprising:
generating an interface call interception rule based on the function name of the interface to be called and the interface call link information;
and adding the interface call interception rules to a call interception rule set established for the target application.
7. The method of claim 1, wherein the generating a call interface type detection result based on the function name of the interface to be called and the function name of the callable interface comprises:
matching the interface call information with interface call interception rules in a call interception rule set corresponding to the target application to obtain a corresponding interception rule matching result;
if the interception rule matching result is that no interface call interception rule matching the interface call information exists, comparing the function name of the interface to be called with the function names of the callable interfaces to obtain a corresponding function name comparison result;
and generating a call interface type detection result according to the function name comparison result.
8. The method of claim 7, wherein the generating the call interface type detection result according to the function name comparison result comprises:
if the function name comparison result is that the function name of the interface to be called does not belong to the function name of the callable interface, generating a calling interface type detection result for representing that the interface to be called for which the interface calling request is aimed is a private interface of an operating system running the target application;
and if the function name comparison result is that the function name of the interface to be called belongs to the function name of the callable interface, generating a calling interface type detection result for representing that the interface to be called aimed at by the interface calling request is not a private interface of an operating system running the target application.
9. The method of claim 7, wherein after the interface call information is matched with the interface call interception rule in the call interception rule set corresponding to the target application, obtaining a corresponding interception rule matching result, further comprising:
and if the interception rule matching result is that an interface call interception rule matching the interface call information exists, determining that the interface call request is a risk call request.
10. The method of claim 5, wherein the interface call link information comprises: call stack information and call environment information;
the determining the function module identification information of the service function module based on the interface call link information includes:
determining a first call source identification for initially sending the interface call request based on the call stack information;
determining a second calling source identifier corresponding to the service page where the target application is located based on the calling environment information;
and determining the function module identification information of the service function module based on the first call source identification and the second call source identification.
11. A detection apparatus for system interface calls, comprising:
a call information acquisition module that acquires interface call information of a service function module in the target application for a system interface; the interface call information is generated based on an interface call request of the service function module when the target application is in an operation state; the interface call information includes: function name of interface to be called;
a declaration information acquisition module that acquires interface declaration information determined based on a binary file in an application installation package of the target application; the interface declaration information is used for representing the function name of the callable interface of the target application declaration;
a detection result generation module that generates a call interface type detection result based on the function name of the interface to be called and the function names of the callable interfaces, wherein the call interface type detection result is used for representing whether the interface to be called for which the interface call request is directed is a private interface of an operating system running the target application; if the interface to be called is a private interface of the operating system, generates a call source detection result based on the interface call information, wherein the call source detection result is used for representing whether the interface call request originates from a third party SDK integrated into the target application; and generates a risk detection result of the interface call request based on the call interface type detection result and the call source detection result.
12. The apparatus of claim 11, wherein the apparatus further comprises: a call request response module that:
judging whether the interface call request is a risk call request or not based on the risk detection result;
if yes, returning preset feedback information to the service function module so that the service function module's call to the interface to be called for which the interface call request is directed is intercepted;
and if not, returning a function pointer corresponding to the interface to be called to the service function module so as to allow the service function module to call the interface to be called for which the interface call request is directed based on the function pointer.
13. The apparatus of claim 11, wherein the call information acquisition module is to:
monitoring an interface call request of a service function module in a target application aiming at a system reflection function; the interface calling request carries the function name of the interface to be called;
routing the interface call request to a preset proxy function by means of aspect-oriented programming;
acquiring call link information corresponding to the interface call request through the preset proxy function;
and generating interface calling information of the service function module aiming at a system interface based on the function name of the interface to be called and the calling link information.
14. The apparatus of claim 11, wherein the apparatus further comprises: a declaration information determination module that:
acquiring an application installation package of the target application;
extracting a binary file for controlling global configuration of the target application from the application installation package;
and determining the interface declaration information declared for the target application based on the implemented interface function names corresponding to the implemented-function section and the imported interface function names corresponding to the imported-function section in the binary file.
15. The apparatus of claim 11, wherein the interface call information further comprises: interface call link information;
the detection result generation module is used for:
determining the function module identification information of the service function module based on the interface call link information;
judging whether the service function module belongs to a third party SDK integrated into the target application or not based on the function module identification information;
and if so, generating a call source detection result for representing that the interface call request originates from the third party SDK integrated into the target application.
16. The apparatus of claim 15, wherein the apparatus further comprises: an interception rule storage module that:
generating an interface call interception rule based on the function name of the interface to be called and the interface call link information;
and adding the interface call interception rules to a call interception rule set established for the target application.
17. The apparatus of claim 11, wherein the detection result generation module is to:
matching the interface call information with interface call interception rules in a call interception rule set corresponding to the target application to obtain a corresponding interception rule matching result;
if the interception rule matching result is that no interface call interception rule matching the interface call information exists, comparing the function name of the interface to be called with the function names of the callable interfaces to obtain a corresponding function name comparison result;
and generating a call interface type detection result according to the function name comparison result.
18. The apparatus of claim 17, wherein the detection result generation module is to:
if the function name comparison result is that the function name of the interface to be called does not belong to the function name of the callable interface, generating a calling interface type detection result for representing that the interface to be called for which the interface calling request is aimed is a private interface of an operating system running the target application;
and if the function name comparison result is that the function name of the interface to be called belongs to the function names of the callable interfaces, generating a call interface type detection result for representing that the interface to be called for which the interface call request is directed is not a private interface of an operating system running the target application.
19. The apparatus of claim 17, wherein the detection result generation module is to:
and if the interception rule matching result is that an interface call interception rule matching the interface call information exists, determining that the interface call request is a risk call request.
20. The apparatus of claim 15, wherein the interface call link information comprises: call stack information and call environment information;
the detection result generation module is used for:
determining a first call source identification for initially sending the interface call request based on the call stack information;
determining a second calling source identifier corresponding to the service page where the target application is located based on the calling environment information;
and determining the function module identification information of the service function module based on the first call source identification and the second call source identification.
21. A detection device for system interface calls, comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
acquiring interface calling information of a service function module in a target application aiming at a system interface; the interface call information is generated based on an interface call request of the service function module when the target application is in an operation state; the interface call information includes: function name of interface to be called;
acquiring interface declaration information determined based on a binary file in an application installation package of the target application; the interface declaration information is used for representing the function name of the callable interface of the target application declaration;
generating a call interface type detection result based on the function name of the interface to be called and the function names of the callable interfaces, wherein the call interface type detection result is used for representing whether the interface to be called for which the interface call request is directed is a private interface of an operating system running the target application;
if the interface to be called is a private interface of the operating system, generating a call source detection result based on the interface call information, wherein the call source detection result is used for representing whether the interface call request originates from a third party SDK integrated into the target application;
and generating a risk detection result of the interface call request based on the call interface type detection result and the call source detection result.
22. A storage medium storing computer executable instructions that when executed by a processor implement the method of:
acquiring interface calling information of a service function module in a target application aiming at a system interface; the interface call information is generated based on an interface call request of the service function module when the target application is in an operation state; the interface call information includes: function name of interface to be called;
acquiring interface declaration information determined based on a binary file in an application installation package of the target application; the interface declaration information is used for representing the function name of the callable interface of the target application declaration;
generating a calling interface type detection result based on the function name of the interface to be called and the function name of the callable interface, wherein the calling interface type detection result is used for representing whether the interface to be called for the interface calling request is a private interface of an operating system running the target application;
If the interface to be called is a private interface of the operating system, generating a call source detection result based on the interface call information, wherein the call source detection result is used for representing whether the interface call request originates from a third party SDK integrated into the target application;
and generating a risk detection result of the interface call request based on the call interface type detection result and the call source detection result.
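Worked example of the two checks in claims 21 and 22, added here as illustration (not code from the patent or its assignee). It assumes the declared callable interface names have already been extracted from the binary in the install package and that the runtime hook records which module issued each call; the sample names, module names and the risk levels are constructed assumptions.

```python
# Added example: call-interface-type check followed by call-source check,
# combined into a risk result, as described in the claims above.
from dataclasses import dataclass


@dataclass(frozen=True)
class CallEvent:
    function_name: str   # interface the service module is about to call
    caller_module: str   # module that issued the request (assumed: taken from the call stack)


PRIVATE = "private_os_interface"
PUBLIC = "declared_interface"


def classify_interface(call, declared_interfaces):
    """Call-interface-type detection: a function name that the app binary never
    declares as callable is treated as a private operating-system interface."""
    return PUBLIC if call.function_name in declared_interfaces else PRIVATE


def classify_source(call, sdk_modules):
    """Call-source detection: did the request come from an integrated third-party SDK?"""
    return "third_party_sdk" if call.caller_module in sdk_modules else "app_code"


def risk_result(call, declared_interfaces, sdk_modules):
    """Combine both results. The source check only runs for private interfaces, as in
    the claims; the risk levels themselves are an assumed policy, not the patent's."""
    kind = classify_interface(call, declared_interfaces)
    if kind == PUBLIC:
        return {"interface": kind, "source": None, "risk": "none"}
    source = classify_source(call, sdk_modules)
    risk = "high" if source == "third_party_sdk" else "medium"
    return {"interface": kind, "source": source, "risk": risk}


# Constructed sample data: names declared in the binary, modules known to be SDKs,
# and three runtime call events captured by the (assumed) hook.
DECLARED = {"open_file", "get_device_model", "send_request"}
SDK_MODULES = {"libadsdk", "libanalytics"}
SAMPLE_CALLS = [
    CallEvent("open_file", "libadsdk"),          # declared interface: no risk
    CallEvent("_sys_hidden_query", "libadsdk"),  # private interface from an SDK: high
    CallEvent("_sys_hidden_query", "app_main"),  # private interface from app code: medium
]


def scan(calls, declared=DECLARED, sdk_modules=SDK_MODULES):
    """Return (function name, risk result) for every captured call event."""
    return [(c.function_name, risk_result(c, declared, sdk_modules)) for c in calls]
```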
CN202011398294.XA 2020-12-03 2020-12-03 Method and device for detecting system interface call Active CN112560022B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011398294.XA CN112560022B (en) 2020-12-03 2020-12-03 Method and device for detecting system interface call

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011398294.XA CN112560022B (en) 2020-12-03 2020-12-03 Method and device for detecting system interface call

Publications (2)

Publication Number Publication Date
CN112560022A CN112560022A (en) 2021-03-26
CN112560022B true CN112560022B (en) 2024-03-12

Family

ID=75047880

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011398294.XA Active CN112560022B (en) 2020-12-03 2020-12-03 Method and device for detecting system interface call

Country Status (1)

Country Link
CN (1) CN112560022B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112948824B (en) * 2021-03-31 2022-04-26 Alipay (Hangzhou) Information Technology Co., Ltd. Program communication method, device and equipment based on privacy protection
CN113221099A (en) * 2021-05-06 2021-08-06 Alipay (Hangzhou) Information Technology Co., Ltd. Processing method and device for interface call request
CN113221098A (en) * 2021-05-06 2021-08-06 Alipay (Hangzhou) Information Technology Co., Ltd. Processing method and device for interface call request
CN113536319B (en) * 2021-07-07 2022-12-13 Shanghai Pudong Development Bank Co., Ltd. Interface risk prediction method and device, computer equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102663320A (en) * 2012-04-12 2012-09-12 Fujian Landi Commercial Equipment Co., Ltd. Method for a terminal to identify developers and assign developers different permissions
CN106096394A (en) * 2016-06-16 2016-11-09 Beijing Qihoo Technology Co., Ltd. Ad blocking method and apparatus for Android applications
CN106446672A (en) * 2016-07-25 2017-02-22 University of Chinese Academy of Sciences Privilege isolation method and device for Android third-party class libraries
CN107169320A (en) * 2017-04-20 2017-09-15 Beijing Xiaomi Mobile Software Co., Ltd. Verification method and device
EP3495978A1 (en) * 2017-12-07 2019-06-12 Virtual Forge GmbH Method for detecting vulnerabilities in software

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Integration of Protel99SE with a product data management (PDM) system; 段立东, 何永熹, 史阿云; Computer Aided Design and Manufacturing (09); full text *
Detection method for Android privacy-leaking malicious applications based on directed information flow; 吴敬征, 武延军, 武志飞, 杨牧天, 罗天悦, 王永吉; Journal of University of Chinese Academy of Sciences (06); full text *

Also Published As

Publication number Publication date
CN112560022A (en) 2021-03-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant