CN112560090A - Data detection method and device - Google Patents

Data detection method and device

Info

Publication number: CN112560090A
Authority: CN (China)
Prior art keywords: pages, traversal, application program, sensitive information, result
Legal status: Granted (Active)
Application number: CN202011483767.6A
Other languages: Chinese (zh)
Other versions: CN112560090B (en)
Inventor: 张伟龙
Current assignee: CCB Finetech Co Ltd
Original assignee: CCB Finetech Co Ltd
Application filed by CCB Finetech Co Ltd
Priority to CN202011483767.6A
Publication of CN112560090A
Application granted
Publication of CN112560090B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes

Abstract

The invention discloses a data detection method and device, and relates to the technical field of computers. In one implementation, the method comprises: acquiring a data detection event, configuring control parameters for automatic traversal of the application program corresponding to the event, starting an AppCrawler, and traversing all pages of the application program and the controls on those pages according to the control parameters; judging whether the traversal result covers all pages of the application program and, if so, calling a preset local analysis engine to detect sensitive information in the traversal result and sending alarm information based on the detection result; if not, pulling up each missing page with a forced call command and traversing its controls, then, once the traversal result covers all pages, calling the preset local analysis engine to detect sensitive information in the traversal result and sending alarm information based on the detection result. This implementation addresses the high cost and low efficiency of manual penetration testing and the large modification effort required by intrusive probes.

Description

Data detection method and device
Technical Field
The invention relates to the technical field of computers, in particular to a data detection method and device.
Background
In the mobile internet era, mobile financial APPs have become the main channel connecting commercial banks with their customers. While versions iterate rapidly to seize the market, the quality of the APP product must be strictly assured, as must the safety of customer funds and transactions. Leakage of personal information through mobile phone APPs is currently widespread: many applications collect personal information without permission, or leak it through weak security awareness and insufficient secure-development measures. Personal financial information stolen through the APP channel is monetised illegally by the underground economy, and this has become a serious network security problem.
To assure the security quality of an APP, developers usually carry out a dedicated security penetration test on the product before it goes live. For detecting leakage of personal sensitive information there are two main methods:
Method one: manual penetration testing. The tester traverses each function page and fills in parameters to initiate transactions. Using preset detection keywords, the tester then performs feature-matching scans over the source code, the locally stored files and the network messages of the corresponding program, checks whether customer-sensitive data such as card numbers and certificate numbers are transmitted in plaintext or stored locally, and judges from this whether information leakage exists.
Method two: probe technology. Probes are embedded in the APP to hook network calls, file storage, log printing and similar functions; the intercepted content is analysed and any sensitive data in it is identified and reported.
In the course of implementing the invention, at least the following problems were found in the prior art:
Manual penetration testing is costly to carry out. Sensitive information only appears locally when the page transaction that leaks it is actually triggered; in normal use of the APP, if that transaction is never triggered, the local files naturally contain no trace of the sensitive information. To test comprehensively, the tester must understand the business architecture and page design of the APP, otherwise pages are easily missed. In addition, some pages can only be reached after specific business preconditions are met, so execution efficiency is low. Manual detection of security information leakage therefore risks missing pages and testing insufficiently.
Probes are intrusive to the APP: the workload is large, new defects may be introduced, and modifying the original application may prevent it from starting or make the test results inaccurate because the software structure has been damaged. Having the APP development team cooperate in embedding probes means a large development and modification effort and may itself lead to omissions. Moreover, APPs not developed by the institution itself cannot be tested in this way at all.
Disclosure of Invention
In view of this, embodiments of the present invention provide a data detection method and apparatus that address the high cost and low efficiency of manual penetration testing and the large modification effort required by intrusive probes.
To achieve the above object, according to one aspect of the embodiments of the present invention, a data detection method is provided, comprising: acquiring a data detection event, configuring control parameters for automatic traversal of the application program corresponding to the event, then starting an AppCrawler and traversing all pages of the application program and the controls on those pages according to the control parameters; judging whether the traversal result covers all pages of the application program and, if so, calling a preset local analysis engine to detect sensitive information in the traversal result and sending alarm information based on the detection result; if not, pulling up each missing page with a forced call command and traversing its controls, and, once the traversal result covers all pages, calling the preset local analysis engine to detect sensitive information in the traversal result and sending alarm information based on the detection result.
Optionally, traversing all pages of the application program and the controls on the pages according to the control parameters comprises:
identifying a control as an input-capable text box, randomly selecting a taint value of the corresponding type from a sensitive information taint value database according to the injected sensitive value type configured in the control parameters, and injecting the taint value into the text box.
Optionally, judging whether the traversal result covers all pages of the application program comprises:
decompiling the application program to obtain its Activity tags and comparing them against the traversed pages, so as to judge whether all pages of the application program are covered.
Optionally, calling a preset local analysis engine and detecting sensitive information in the traversal result comprises:
calling the preset local analysis engine, starting a local file analyzer, and scanning the full set of files to identify taint values.
Optionally, calling a preset local analysis engine and detecting sensitive information in the traversal result comprises:
calling the preset local analysis engine, starting a local database analyzer, detecting the target files under the application program installation directory, and retrieving database tables and fields to identify taint values.
Optionally, the method further comprises:
while traversing all pages of the application program and the controls on the pages according to the control parameters, starting a network bypass monitor that monitors the messages exchanged between the application program and the external network and performs real-time taint value text retrieval and rule matching on the message contents.
Optionally, sending the alarm information comprises:
sending the alarm information to a designated location through an alarm interface in a preset notification form.
In addition, the invention also provides a data detection apparatus comprising a traversal crawler module, a sensitive information detection module and an alarm module. The traversal crawler module acquires a data detection event, configures control parameters for automatic traversal of the application program corresponding to the event, then starts an AppCrawler and traverses all pages of the application program and the controls on those pages according to the control parameters; it judges whether the traversal result covers all pages of the application program and, if so, invokes the sensitive information detection module; if not, it pulls up each missing page with a forced call command to traverse its controls and invokes the sensitive information detection module once the traversal result covers all pages. The sensitive information detection module calls a preset local analysis engine to detect sensitive information in the traversal result. The alarm module sends alarm information based on the detection result.
One embodiment of the above invention has the following advantages or benefits. The invention automatically traverses each page of the APP, identifies the input text boxes on it, fills them with taint values and initiates transactions, then identifies the sensitive data in network messages, stored logs and local databases and raises alarms. Page launching, taint filling and message capture and analysis are thus fully automatic and need no manual intervention; the object under test is neither modified nor intruded upon, so no modification effort is incurred. Specifically, an AppCrawler automated testing technique based on Appium traverses each function page automatically and checks it for security information leakage. For page modules that were not covered, the definition of the corresponding Activity in AndroidManifest.xml is modified and the Activity is forcibly launched with the adb shell command am start -n <package name>/<package name>.<Activity class name>. For each text box on an APP page, a taint value from the personal sensitive information database is selected at random, filled in automatically, and a transaction is initiated. A sensitive information taint value database is created containing predefined classes and custom classes. A network bypass detection technique monitors the network traffic generated by the APP and matches it against the taint values, and a file comparison and analysis technique performs taint value matching on the locally stored files and databases.
Further effects of the above non-conventional alternatives are described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
FIG. 1 is a schematic diagram of the main flow of a data detection method according to a first embodiment of the present invention;
FIG. 2 is a schematic diagram of the main flow of a data detection method according to a second embodiment of the present invention;
FIG. 3 is a schematic diagram of the main modules of a data detection apparatus according to a first embodiment of the present invention;
FIG. 4 is a schematic diagram of the main modules of a data detection apparatus according to a second embodiment of the present invention;
FIG. 5 is an exemplary system architecture diagram in which embodiments of the present invention may be employed;
FIG. 6 is a schematic block diagram of a computer system suitable for implementing a terminal device or server of an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, in which various details of embodiments of the invention are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
FIG. 1 is a schematic diagram of the main flow of a data detection method according to a first embodiment of the present invention. As shown in FIG. 1, the data detection method comprises:
Step S101: acquire a data detection event, configure control parameters for automatic traversal of the application program corresponding to the event, then start an AppCrawler and traverse all pages of the application program and the controls on those pages according to the control parameters.
The AppCrawler, which is based on Appium, traverses all pages of the application program and the controls on those pages according to the control parameters. Appium is an open-source test automation framework for native, hybrid and mobile web applications. AppCrawler is an open-source tool built on Appium that automatically traverses an APP's user interface; it supports Android and iOS, real devices and emulators, and its main strength is flexibility: traversal rules are set through configuration. "APP" here means application program.
In some embodiments, traversing all pages of the application program and the controls on the pages according to the control parameters comprises identifying a control as an input-capable text box, randomly selecting a taint value of the corresponding type from a sensitive information taint value database according to the injected sensitive value type configured in the control parameters, and injecting the taint value into the text box. Sensitive information is any information, recorded electronically or otherwise, that alone or in combination with other information can identify a specific natural person or reflect that person's activities, including name, date of birth, identity document number, address, communication records and content, account numbers and passwords, property information, credit information, whereabouts, accommodation information, health and physiological information, transaction information and the like. Under the personal financial information categories defined in JR/T 0171-2020, Personal Financial Information Protection Technical Specification, personal financial information is divided by sensitivity, from high to low, into categories C3, C2 and C1. Category C3 is mainly user authentication information such as bank card magnetic stripe data and account transaction passwords. Category C2 is mainly information that can identify a specific financial information subject and that subject's financial situation, such as payment account numbers and transaction records. Category C1 is internal information assets of the organisation, such as the account-opening institution and time and payment tag information. Of course, the predefined classes in the sensitive information taint value database of the embodiments may be obtained in other ways and are not limited to the above categories.
It is worth noting that the control parameters configured for automatic traversal of the application program corresponding to the event include, without limitation, traversal depth, the list of control types to traverse, traversal priority, a control whitelist/blacklist, a timeout, and the type of sensitive value to inject. Preferably, the crawler launches the APP according to these parameters and starts traversing each page of the APP through the AppCrawler.
Step S102: judge whether the traversal result covers all pages of the application program; if so, call a preset local analysis engine to detect sensitive information in the traversal result and send alarm information based on the detection result; if not, pull up each missing page with a forced call command and traverse its controls, then, once the traversal result covers all pages, call the preset local analysis engine to detect sensitive information in the traversal result and send alarm information based on the detection result.
In some embodiments, judging whether the traversal result covers all pages of the application program comprises decompiling the application program to obtain its Activity tags and comparing them against the traversed pages. That is, the pages traversed are recorded during traversal and, after traversal finishes, are compared against all pages declared in the APP configuration file, which can be obtained by decompilation. Each missing page is then pulled up with a forced call command and its controls are traversed.
In other embodiments, calling a preset local analysis engine and detecting sensitive information in the traversal result comprises calling the preset local analysis engine, starting a local file analyzer, and scanning the full set of files to identify taint values. In a further embodiment, the full file search is performed by rooting the client (ROOT refers to the superuser account of UNIX, Linux and Android systems) or, on a jailbroken client, entering the system directory directly and running a find command; alternatively, the client system is backed up and the backup files are analysed and searched in full text.
In some embodiments, calling a preset local analysis engine and detecting sensitive information in the traversal result comprises calling the preset local analysis engine, starting a local database analyzer, detecting the target files in the application program installation directory, and retrieving database tables and fields to identify taint values. Preferably, the local database analyzer detects the target files under the application installation directory, opens the SQLite databases the application created locally, retrieves the database tables and fields, and checks whether they contain taint values. SQLite is a lightweight embedded database.
It is worth noting that while all pages of the application program and the controls on the pages are being traversed according to the control parameters, a network bypass monitor is started to monitor the messages exchanged between the application program and the external network and to perform real-time taint value text retrieval and rule matching on the message contents. The network bypass monitor is deployed on a proxy server in the same network segment as the APP.
Also, in one embodiment, the alarm information may be sent to a designated location through the alarm interface in a preset notification form (for example by e-mail, SMS or telephone call). The detection result may also be stored.
FIG. 2 is a schematic diagram of the main flow of a data detection method according to a second embodiment of the present invention. As shown in FIG. 2, the data detection method comprises:
Step S201: acquire a data detection event and configure control parameters for automatic traversal of the application program corresponding to the event.
Step S202: start an AppCrawler and traverse all pages of the application program and the controls on those pages according to the control parameters.
Step S203: start a network bypass monitor to monitor the messages exchanged between the application program and the external network and perform real-time taint value text retrieval and rule matching on the message contents.
Step S204: identify a control as an input-capable text box, randomly select a taint value of the corresponding type from the sensitive information taint value database according to the injected sensitive value type configured in the control parameters, and inject the taint value into the text box.
It should be noted that steps S203 and S204 may be executed simultaneously, or S203 before S204, or S204 before S203.
Step S205: record all traversed Activity tags.
Step S206: decompile the application program to obtain its Activity tags and compare them against the traversed Activity tags.
Step S207: judge whether all pages of the application program are covered; if so, go to step S209, otherwise go to step S208.
Step S208: pull up each missing page with a forced call command, traverse its controls, randomly select a taint value of the corresponding type from the sensitive information taint value database and inject it into the text box, then go to step S209.
Step S209: call a preset local analysis engine, start a local file analyzer, and scan the full set of files to identify taint values.
Step S210: call a preset local analysis engine, start a local database analyzer, detect the target files in the application program installation directory, and retrieve database tables and fields to identify taint values.
It should be noted that steps S209 and S210 may be executed simultaneously, or S209 before S210, or S210 before S209.
Step S211: store the identified taint values and the corresponding data, and send alarm information to a designated location through an alarm interface in a preset notification form.
FIG. 3 is a schematic diagram of the main modules of a data detection apparatus according to a first embodiment of the present invention. As shown in FIG. 3, the data detection apparatus comprises a traversal crawler module 301, a sensitive information detection module 302 and an alarm module 303. The traversal crawler module 301 acquires a data detection event, configures control parameters for automatic traversal of the application program corresponding to the event, then starts an AppCrawler and traverses all pages of the application program and the controls on those pages according to the control parameters; it judges whether the traversal result covers all pages of the application program and, if so, invokes the sensitive information detection module; if not, it pulls up each missing page with a forced call command to traverse its controls and invokes the sensitive information detection module once the traversal result covers all pages. The sensitive information detection module 302 calls a preset local analysis engine to detect sensitive information in the traversal result. The alarm module 303 sends alarm information based on the detection result.
In some embodiments, the traversal crawler module 301 traverses all pages of the application program and the controls on the pages according to the control parameters by identifying a control as an input-capable text box, randomly selecting a taint value of the corresponding type from a sensitive information taint value database according to the injected sensitive value type configured in the control parameters, and injecting the taint value into the text box.
In some embodiments, the traversal crawler module 301 judges whether the traversal result covers all pages of the application program by decompiling the application program to obtain its Activity tags and comparing them against the traversed pages.
In some embodiments, the sensitive information detection module 302 calls a preset local analysis engine to detect sensitive information in the traversal result by calling the preset local analysis engine, starting a local file analyzer, and scanning the full set of files to identify taint values.
In some embodiments, the sensitive information detection module 302 calls a preset local analysis engine to detect sensitive information in the traversal result by calling the preset local analysis engine, starting a local database analyzer, detecting the target files in the application program installation directory, and retrieving database tables and fields to identify taint values.
In some embodiments, the sensitive information detection module 302 is further configured to:
start, while all pages of the application program and the controls on the pages are being traversed according to the control parameters, a network bypass monitor that monitors the messages exchanged between the application program and the external network and performs real-time taint value text retrieval and rule matching on the message contents.
In some embodiments, the alarm module 303 sends the alarm information to a designated location through the alarm interface in a preset notification form.
It should be noted that the data detection method and the data detection apparatus of the present invention have corresponding relation in the specific implementation content, and therefore, the repeated content is not described again.
FIG. 4 is a schematic diagram of the main modules of a data detection apparatus according to a second embodiment of the present invention. As shown in FIG. 4, the apparatus comprises a traversal crawler module S1, a sensitive information taint value database S2, a sensitive information detection module S3 and an alarm module S4.
The traversal crawler module S1 configures the control parameters for automatic traversal of the application program corresponding to the event, including without limitation traversal depth, the list of control types to traverse, traversal priority, a control whitelist/blacklist, a timeout, and the type of sensitive value to inject.
During AppCrawler traversal, some pages can only be reached after certain prerequisite business transactions; for example, a credit card must first be bound before the credit card repayment page can be entered. Some page modules may therefore be missed during traversal. A page sufficiency check and forced invocation mechanism is introduced so that pages omitted during traversal are covered afterwards and the traversal effect is assured. Specifically, the crawler launches the APP according to the control parameters and starts traversing each page through the AppCrawler. The pages traversed are recorded, and after traversal finishes they are compared against all pages declared in the APP configuration file, which can be obtained by decompilation. Each missing page module is pulled up with a forced call command and its controls are traversed. AppCrawler is a UI automation tool wrapped around Appium; its execution parameters are set in a yaml configuration file, and it drives Appium to traverse the APP's pages automatically according to the traversal parameters configured by the user, clicking each control or entering a value into it. Specifically, it first obtains the source of each page through getPageSource and reads the control DOM structure from it, adds each control to a to-be-traversed list, then traverses the controls in list order in a loop, locating each by its xpath and performing a click or input operation. If a new page is entered, the process recurses into it until the traversal is complete.
As an example, the Activity tags are obtained for comparison by decompiling the application program: using the aapt tool from the official Android SDK, the command aapt dump xmltree <apk-path> AndroidManifest.xml dumps the AndroidManifest.xml, whose <activity> tags are read and compared against the list of traversed Activities. The uncovered Activities are recorded, and for each uncovered <activity> in AndroidManifest.xml an android: attribute is added that makes it launchable from outside the application, which am start requires. After the modified APK has been repacked, each uncovered Activity page is forcibly launched with adb shell am start -n {package name}/{package name}.{class name}, traversed, and its text boxes are injected with sensitive information taint values.
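The coverage check and forced-launch step described above, as an added example that is not part of the patent and not AppCrawler's own code. It assumes the AndroidManifest.xml has already been recovered from the APK as plain XML (for instance with apktool) and that the crawler has recorded the Activities it reached; the manifest, package name and Activity names below are constructed for the demonstration, and android:exported="true" is an assumption about which attribute the text adds to the uncovered Activities, chosen because adb shell am start, running as the shell user, refuses to start an Activity that is not exported.

```python
# Added example: Activity coverage check and forced-launch command generation.
# Not code from the patent or from AppCrawler. The manifest, package and
# Activity names are constructed; android:exported="true" is assumed to be the
# attribute the text adds to uncovered Activities before repacking the APK.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ET.register_namespace("android", ANDROID_NS)
NAME_ATTR = f"{{{ANDROID_NS}}}name"
EXPORTED_ATTR = f"{{{ANDROID_NS}}}exported"

# Constructed stand-in for the decompiled AndroidManifest.xml.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <application>
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name="com.example.bank.TransferActivity"/>
    <activity android:name=".CreditCardRepayActivity"/>
    <activity-alias android:name=".Alias" android:targetActivity=".MainActivity"/>
  </application>
</manifest>
"""


def qualify(package, name):
    """Expand a shorthand android:name (".Foo" or "Foo") to its full class name."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def declared_activities(manifest_xml):
    """Return (package, set of fully-qualified <activity> class names)."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    return package, {qualify(package, a.get(NAME_ATTR)) for a in root.iter("activity")}


def exported_activities(manifest_xml):
    """Map each declared Activity to its android:exported value (None if unset)."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    return {qualify(package, a.get(NAME_ATTR)): a.get(EXPORTED_ATTR)
            for a in root.iter("activity")}


def coverage_report(manifest_xml, traversed):
    """Compare the declared Activities with those the crawler recorded.

    Returns the missing Activities and the forced-call commands for them
    (the patent's adb shell am start -n <package>/<class>). The shell user
    may only start exported Activities; hence mark_exported() below.
    """
    package, declared = declared_activities(manifest_xml)
    reached = {qualify(package, t) for t in traversed}
    missing = sorted(declared - reached)
    commands = [f"adb shell am start -n {package}/{name}" for name in missing]
    return {"missing": missing, "commands": commands}


def mark_exported(manifest_xml, activities):
    """Return the manifest with android:exported="true" set on `activities`,
    ready to be written back before the APK is repacked and re-signed."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    targets = {qualify(package, a) for a in activities}
    for act in root.iter("activity"):
        if qualify(package, act.get(NAME_ATTR)) in targets:
            act.set(EXPORTED_ATTR, "true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed crawler record: pages actually reached during traversal.
    traversed = ["com.example.bank.MainActivity", ".TransferActivity"]
    report = coverage_report(SAMPLE_MANIFEST, traversed)
    for cmd in report["commands"]:
        print(cmd)
    print(mark_exported(SAMPLE_MANIFEST, report["missing"]))
```

The repacked APK carries a different signature from the original, so it must be re-signed with a test key and installed over a clean device state; an Activity launched this way also skips the business preconditions the description mentions, so its server-side transactions may fail even though its text boxes can still be filled and its local storage inspected.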
The sensitive information taint value database S2 contains predefined sensitive data classes (for example the three categories C3, C2 and C1) and custom class data.
The sensitive information detection module S3 comprises a network bypass monitor, a local file analyzer and a local database analyzer. Once traversal starts, the network bypass monitor is started; it is deployed on a proxy server in the same network segment as the APP, monitors the messages exchanged between the APP and the external network out of band, and performs real-time taint value text retrieval and rule matching on the message contents (that is, each taint value match is mapped to the corresponding sensitive data type). The local file analyzer is started to check whether the full set of files contains taint values. The local database analyzer is started to check the SQLite databases created locally after the APP was installed: it examines the files with .db, .db3 or .sqlite suffixes under the APP installation directory, retrieves database tables and fields, and detects whether they contain taint values.
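The three analyzers of module S3, which are also the ones behind steps S209 to S211 and the corresponding embodiments of the first method, as an added example that is not part of the patent: one matching routine applied to a captured network message, to the files under the installation directory, and to every table and column of the SQLite databases found there. The taint value database, the HTTP message, the log file and the database are all constructed for the demonstration; the C3/C2/C1 labels follow the JR/T 0171-2020 categories the description cites, and the whole-token matching is a design choice of this example, not something the patent specifies.

```python
# Added example: taint-value detection over a captured message, local files
# and SQLite tables. Not code from the patent; all inputs are constructed.
import os
import re
import sqlite3
import tempfile

# Sensitive information taint value database: every value the crawler may
# inject, mapped to its sensitivity class (predefined C3/C2/C1 plus custom).
TAINT_DB = {
    "6225880188888888": ("C2", "bank card number"),
    "110101199001011234": ("C2", "identity document number"),
    "13800138000": ("C2", "mobile phone number"),
    "Tr@ce123456": ("C3", "transaction password"),
    "CUSTOM-TAINT-7f3a": ("custom", "tester-defined marker"),
}


def find_taints(text, source):
    """Return one hit per taint value occurrence in `text`.

    Matching is whole-token (no letter or digit on either side) so that a
    16-digit card number is not reported inside a longer number.
    """
    hits = []
    for value, (cls, kind) in TAINT_DB.items():
        pattern = r"(?<![0-9A-Za-z])" + re.escape(value) + r"(?![0-9A-Za-z])"
        for match in re.finditer(pattern, text):
            hits.append({"source": source, "class": cls, "kind": kind,
                         "value": value, "offset": match.start()})
    return hits


def scan_message(raw_message):
    """Network bypass monitor: match taint values in one captured message."""
    return find_taints(raw_message, "network")


def scan_file(path):
    """Local file analyzer: read a file as text and match taint values."""
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        return find_taints(fh.read(), f"file:{os.path.basename(path)}")


def scan_sqlite(path):
    """Local database analyzer: walk every table and column of a SQLite file."""
    hits = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
            for row in con.execute(f'SELECT * FROM "{table}"'):
                for col, cell in zip(cols, row):
                    if cell is not None:
                        where = f"sqlite:{os.path.basename(path)}:{table}.{col}"
                        hits.extend(find_taints(str(cell), where))
    finally:
        con.close()
    return hits


def run_detection(app_dir, message):
    """Run the three analyzers and group the hits by sensitivity class."""
    hits = scan_message(message)
    for name in sorted(os.listdir(app_dir)):
        path = os.path.join(app_dir, name)
        if name.endswith((".db", ".db3", ".sqlite")):
            hits.extend(scan_sqlite(path))
        elif os.path.isfile(path):
            hits.extend(scan_file(path))
    by_class = {}
    for hit in hits:
        by_class.setdefault(hit["class"], []).append(hit)
    return by_class


def build_sample_app_dir():
    """Constructed APP installation directory: one log file and one .db."""
    app_dir = tempfile.mkdtemp(prefix="taintscan_")
    with open(os.path.join(app_dir, "app.log"), "w", encoding="utf-8") as fh:
        fh.write("2020-12-15 10:01:02 INFO login ok user=13800138000\n")
        fh.write("2020-12-15 10:01:03 DEBUG pwd=Tr@ce123456\n")  # plaintext password in log
    con = sqlite3.connect(os.path.join(app_dir, "user.db"))
    con.execute("CREATE TABLE cards (id INTEGER PRIMARY KEY, card_no TEXT, id_no TEXT)")
    con.execute("INSERT INTO cards VALUES (1, ?, ?)",
                ("6225880188888888", "110101199001011234"))
    con.commit()
    con.close()
    return app_dir


# Constructed request as the bypass monitor would see it on the proxy.
SAMPLE_MESSAGE = (
    "POST /api/transfer HTTP/1.1\r\nHost: m.example-bank.test\r\n\r\n"
    '{"card":"6225880188888888","memo":"CUSTOM-TAINT-7f3a","amount":"100"}'
)


if __name__ == "__main__":
    result = run_detection(build_sample_app_dir(), SAMPLE_MESSAGE)
    for cls in sorted(result):
        for hit in result[cls]:
            print(f"[{cls}] {hit['kind']} found in {hit['source']}")
```

Plain text retrieval only finds the values exactly as injected: a taint value that the APP encodes, hashes or reformats before storing or sending it (a Base64-encoded body, a card number with spaces inserted) produces no hit, which is why the rule matching the description mentions has to complement it. On the network side, matching a taint value inside a captured message only demonstrates leakage if the capture point is outside the TLS tunnel, that is, on a proxy the test device has been configured to trust.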
The alarm module S4 stores the received hit information (that is, the identified taint values and the corresponding data) in the hit record store and sends alarm information to the designated location through the alarm interface.
The method and apparatus thus detect sensitive information leakage on the application program client automatically and non-intrusively, saving a large amount of manual work, requiring no modification of the application, and greatly improving the feasibility of implementation. The advantages are particularly evident when detecting sensitive information in APPs at scale.
Fig. 5 illustrates an exemplary system architecture 500 to which the data detection method or data detection apparatus of embodiments of the present invention may be applied.
As shown in fig. 5, the system architecture 500 may include terminal devices 501, 502, 503, a network 504, and a server 505. The network 504 serves to provide a medium for communication links between the terminal devices 501, 502, 503 and the server 505. Network 504 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The user may use the terminal devices 501, 502, 503 to interact with a server 505 over a network 504 to receive or send messages or the like. The terminal devices 501, 502, 503 may have installed thereon various communication client applications, such as shopping-like applications, web browser applications, search-like applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only).
The terminal devices 501, 502, 503 may be various electronic devices having display screens and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 505 may be a server providing various services, such as a background management server (for example only) providing support for shopping websites browsed by users using the terminal devices 501, 502, 503. The backend management server may analyze and perform other processing on the received data such as the product information query request, and feed back a processing result (for example, target push information, product information — just an example) to the terminal device.
It should be noted that the data detection method provided by the embodiment of the present invention is generally executed by the server 505, and accordingly, the computing device is generally disposed in the server 505.
It should be understood that the number of terminal devices, networks, and servers in fig. 5 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Referring now to FIG. 6, a block diagram of a computer system 600 suitable for use with a terminal device implementing an embodiment of the invention is shown. The terminal device shown in fig. 6 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 6, the computer system 600 includes a Central Processing Unit (CPU)601 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. In the RAM603, various programs and data necessary for the operation of the computer system 600 are also stored. The CPU601, ROM602, and RAM603 are connected to each other via a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
The following components are connected to the I/O interface 605: an input portion 606 including a keyboard, a mouse, and the like; an output section 607 including a display such as a Cathode Ray Tube (CRT) or a Liquid Crystal Display (LCD), and a speaker; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card, a modem, or the like. The communication section 609 performs communication processing via a network such as the internet. A drive 610 is also connected to the I/O interface 605 as needed. A removable medium 611 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 610 as necessary, so that a computer program read out therefrom is installed into the storage section 608 as necessary.
In particular, according to the embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 609, and/or installed from the removable medium 611. The computer program performs the above-described functions defined in the system of the present invention when executed by the Central Processing Unit (CPU) 601.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present invention may be implemented by software or hardware. The described modules may also be provided in a processor, which may be described as: a processor comprises a traversal crawler module, a sensitive information detection module and an alarm module. Wherein the names of the modules do not in some cases constitute a limitation of the module itself.
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments, or may be separate and not incorporated into the apparatus. The computer-readable medium carries one or more programs, and when the one or more programs are executed by a device, they cause the device to: acquire a data detection event, configure control parameters for automatic traversal of the application program corresponding to the event, then start an AppCrawler, and traverse all pages of the application program and the controls on those pages based on the control parameters; judge whether the traversal result covers all pages of the application program, and if so, call a preset local analysis engine, perform sensitive information detection on the traversal result, and send alarm information based on the detection result; if not, pull up the missing pages with a forced call command to traverse their controls, and when the traversal result covers all pages, call the preset local analysis engine and perform sensitive information detection on the traversal result so as to send alarm information based on the detection result.
According to the technical scheme of the embodiment of the invention, the problems of the existing manual penetration test, namely high cost and low efficiency, as well as the large amount of intrusive modification required by probe-based approaches, can be solved.
The above-described embodiments should not be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A method for data detection, comprising:
acquiring a data detection event, configuring control parameters of automatic traversal of an application program corresponding to the event, further starting an AppCrawler, and traversing all pages of the application program and controls on the pages based on the control parameters;
judging whether the traversal result covers all pages of the application program, if so, calling a preset local analysis engine, detecting sensitive information of the traversal result, and sending alarm information based on the detection result; if not, pulling up the lacking page to traverse the control by a forced call command, calling a preset local analysis engine when the traversal result covers all the pages, and detecting the sensitive information of the traversal result so as to send alarm information based on the detection result.
2. The method of claim 1, wherein traversing all pages of the application and controls on pages based on the control parameters comprises:
identifying the control as an inputtable text box, randomly selecting a taint value of the corresponding type from a sensitive information taint value database according to the injected sensitive value type configured in the control parameters, and injecting the taint value into the text box.
3. The method of claim 1, wherein determining whether the traversal result covers all pages of the application comprises:
obtaining the Activity tags by decompiling the application program and comparing them with the traversal result so as to judge whether all pages of the application program are covered.
4. The method of claim 1, wherein invoking a preset local analysis engine to perform sensitive information detection on the traversal result comprises:
calling a preset local analysis engine, starting a local file analyzer, and detecting all local files to identify taint values.
5. The method of claim 1, wherein invoking a preset local analysis engine to perform sensitive information detection on the traversal result comprises:
calling a preset local analysis engine, starting a local database analyzer, detecting target files under the application program installation directory, and retrieving database tables and fields to identify taint values.
6. The method of claim 1, further comprising:
in the process of traversing all the pages of the application program and the controls on the pages based on the control parameters, starting a network bypass monitor to monitor the messages exchanged between the application program and the external network, and performing real-time taint value text retrieval and rule matching on the message contents.
7. The method of any of claims 1-6, wherein sending the alert message comprises:
sending alarm information to the designated location in a preset notification mode through an alarm interface.
8. A data detection apparatus, comprising:
the traversal crawler module is used for acquiring a data detection event, configuring control parameters for automatic traversal of an application program corresponding to the event, further starting an AppCrawler, and traversing all pages of the application program and controls on the pages based on the control parameters; judging whether the traversal result covers all pages of the application program, if so, executing a sensitive information detection module; if not, pulling up the lacking page to traverse the control by a forced call command, and executing the sensitive information detection module when the traversal result covers all the pages;
the sensitive information detection module is used for calling a preset local analysis engine and detecting the sensitive information of the traversal result;
and the alarm module is used for sending alarm information based on the detection result.
9. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-7.
10. A computer-readable medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011483767.6A CN112560090B (en) 2020-12-15 2020-12-15 Data detection method and device

Publications (2)

Publication Number Publication Date
CN112560090A true CN112560090A (en) 2021-03-26
CN112560090B CN112560090B (en) 2023-01-24

Family

ID=75063969

Country Status (1)

Country Link
CN (1) CN112560090B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113326539A (en) * 2021-06-23 2021-08-31 支付宝(杭州)信息技术有限公司 Method, device and system for private data leakage detection aiming at applet
CN113360373A (en) * 2021-05-26 2021-09-07 上海蛮犀科技有限公司 Test method for full traversal of Activity page of mobile application
CN114006765A (en) * 2021-11-02 2022-02-01 中国工商银行股份有限公司 Method and device for detecting sensitive information in message and electronic equipment
CN114244599A (en) * 2021-12-15 2022-03-25 杭州默安科技有限公司 Method for interfering malicious program

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1093269A2 (en) * 1999-10-15 2001-04-18 Seiko Epson Corporation Data transfer control device and electronic equipment
CN103019937A (en) * 2012-12-13 2013-04-03 广东欧珀移动通信有限公司 Human-machine interaction interface traverse test method
CN105468529A (en) * 2015-12-15 2016-04-06 北京奇虎科技有限公司 Accurate traversal method and apparatus for UI controls of android application
CN105868105A (en) * 2016-03-24 2016-08-17 厦门美图移动科技有限公司 Application traversal testing method and device, and mobile terminal
CN108256323A (en) * 2016-12-29 2018-07-06 武汉安天信息技术有限责任公司 A kind of detection method and device for phishing application
CN109246107A (en) * 2018-09-17 2019-01-18 深圳市华汇数据服务有限公司 A kind of IT application system user experience management method and management system
CN111158881A (en) * 2019-12-31 2020-05-15 北京字节跳动网络技术有限公司 Data processing method and device, electronic equipment and computer readable storage medium
US20200357007A1 (en) * 2018-04-12 2020-11-12 Boe Technology Group Co., Ltd. Page data acquisition method, apparatus, server, electronic device and computer readable medium

Also Published As

Publication number Publication date
CN112560090B (en) 2023-01-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant