CN112733145B - Android application detection and analysis method, electronic equipment and storage medium - Google Patents


Info

Publication number
CN112733145B
Authority
CN
China
Legal status
Active
Application number
CN202110365195.XA
Other languages
Chinese (zh)
Other versions
CN112733145A (en)
Inventor
徐国爱
张淼
徐国胜
王晨宇
尹志颖
高宇昊
Current Assignee
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications
Application filed by Beijing University of Posts and Telecommunications
Priority to CN202110365195.XA
Publication of CN112733145A
Application granted
Publication of CN112733145B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/40 Transformation of program code
    • G06F8/53 Decompilation; Disassembly
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Abstract

The invention provides an Android application detection and analysis method, an electronic device and a storage medium that include local (native) code in the analysis, so that a target application can be detected and analyzed comprehensively and accurately, and that are comprehensive, robust and efficient. The method comprises: obtaining basic information of the Java code and the local code; converting Java code instructions and local code instructions into Java abstract instructions and local abstract instructions; performing function analysis based on the abstract instructions to determine Java function information and local function information; determining the functional module structures of the Java code and of the local code and the function connection relation between them; and finally constructing a global control flow graph. The target Android application can then be detected and analyzed using the Java basic information, the local basic information, the Java function information, the local function information, the functional module structure of the Java code, the functional module structure of the local code, the function connection relation and the global control flow graph. The electronic device and the storage medium are used to implement the method.

Description

Android application detection and analysis method, electronic equipment and storage medium
Technical Field
The present disclosure relates to the field of computer security technologies, and in particular, to an Android application detection analysis method, an electronic device, and a storage medium.
Background
In recent years, mobile smart devices have developed rapidly, and the Android operating system and its applications are used more and more widely. Android applications provide rich functions and services such as instant messaging, mobile payment and video sharing, bring convenience to people's life and work, and have even become an indispensable part of users' lives. However, Android applications may have problems: a counterfeit application may cause property loss to the user, an application with a security vulnerability may leak the user's private data, an application with compatibility problems may crash and become unusable, and so on.
Disclosure of Invention
In view of the above, an object of the present disclosure is to provide an Android application detection analysis method, an electronic device, and a storage medium.
Based on the above purpose, a first aspect of the present disclosure provides an Android application detection and analysis method, including:
acquiring a bytecode file and a local executable file of a target Android application, performing decompiling on the bytecode file and the local executable file respectively to determine Java codes and local codes, and acquiring corresponding Java basic information and local basic information;
converting Java instructions in the Java codes into Java abstract instructions according to the Java basic information, and converting local instructions in the local codes into local abstract instructions according to the local basic information, wherein the Java abstract instructions and the local abstract instructions are based on a common abstract base class;
performing function analysis on the Java code according to the Java abstract instruction to determine Java function information of the Java code, and determining a functional module structure of the Java code according to the Java function information;
performing function analysis on the local code according to the local abstract instruction to determine local function information of the local code, and determining a functional module structure of the local code according to the local function information;
performing cross-language analysis according to the Java function information and the local function information to determine a function connection relation between the Java code and the local code;
constructing a global control flow graph of the target Android application according to the function module structure of the Java code, the function module structure of the local code and the function connection relation;
and detecting and analyzing the target Android application by using a static analysis tool according to the Java basic information, the local basic information, the Java function information, the local function information, the functional module structure of the Java code, the functional module structure of the local code, the function connection relation and the global control flow graph.
In a second aspect of the present disclosure, an electronic device is provided, which comprises a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor executes the program to implement the method of the first aspect.
In a third aspect of the disclosure, a non-transitory computer-readable storage medium is provided, which stores a set of instructions of an electronic device for causing the electronic device to perform the method of the first aspect.
As can be seen from the above, in the Android application detection and analysis method, electronic device and storage medium provided by the disclosure, the bytecode file and the local executable file of the target Android application are preprocessed to obtain Java basic information and local basic information, and the Java instructions and local instructions are converted into Java abstract instructions and local abstract instructions based on a common abstract base class. In this way the difference between the two architectures in the Android application, the Java layer and the local layer, can be ignored, which facilitates mining the feature information hidden in the local code. Function analysis is then performed on the Android application based on the Java abstract instructions and the local abstract instructions to determine the function information of the Java code and of the local code, including the function entries, function boundaries and inter-function call relations of a plurality of functions, and from it the respective functional module structures of the Java code and the local code. Next, cross-language analysis is performed on the function information of the Java code and the local code to determine the function connection relation between them, and a global control flow graph of the Android application is constructed from the two functional module structures and the cross-language function connection relation. The target Android application can then be analyzed and detected at multiple levels (the basic information, functional module structures, function connection relation and global control flow graph of the Java layer and the local layer) to determine the problems that may exist in it.
The Android application detection and analysis method, electronic device and storage medium can analyze complex Android applications, extract the basic program features of both the Java code and the local code, and connect the two kinds of code through their cross-language calls, so that Android applications are detected and analyzed more comprehensively and a larger share of applications can be covered;
in addition, for complex code segments that are difficult to analyze, converting the local code into abstract instructions means that such segments do not prevent the overall technical scheme from being carried out, so the method is more robust and easier to implement.
Drawings
In order to more clearly illustrate the technical solutions in the present disclosure or related technologies, the drawings needed to be used in the description of the embodiments or related technologies are briefly introduced below, and it is obvious that the drawings in the following description are only embodiments of the present disclosure, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a schematic diagram illustrating an Android application detection and analysis method provided by the embodiment of the present disclosure;
Fig. 2 is a schematic diagram of a method for function analysis in an Android application detection analysis method according to an embodiment of the present disclosure;
Fig. 3 is a schematic diagram illustrating a method for analyzing an operand in an Android application detection analysis method according to an embodiment of the present disclosure;
Fig. 4 is a schematic diagram of a cross-language analysis method in an Android application detection analysis method according to an embodiment of the present disclosure;
Fig. 5 is a schematic diagram of a method for constructing a global control flow graph in an Android application detection analysis method provided by the embodiment of the disclosure;
Fig. 6 is a schematic diagram of an Android application detection and analysis electronic device according to an embodiment of the disclosure.
Detailed Description
For the purpose of promoting a better understanding of the objects, aspects and advantages of the present disclosure, reference is made to the following detailed description taken in conjunction with the accompanying drawings.
It is to be noted that technical terms or scientific terms used in the embodiments of the present disclosure should have a general meaning as understood by those having ordinary skill in the art to which the present disclosure belongs, unless otherwise defined. The word "comprising" or "comprises", and the like, means that the element or item listed before the word covers the element or item listed after the word and its equivalents, but does not exclude other elements or items. The terms "connected" or "coupled" and the like are not restricted to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", and the like are used merely to indicate relative positional relationships, and when the absolute position of the object being described is changed, the relative positional relationships may also be changed accordingly.
In recent years, mobile smart devices have developed rapidly, and the Android operating system and its applications are used more and more widely. Android applications provide rich functions and services such as instant messaging, mobile payment and video sharing, bring convenience to people's life and work, and have even become an indispensable part of users' lives. However, Android applications may have problems: a counterfeit application may cause property loss to the user, an application with a security vulnerability may leak the user's private data, an application with compatibility problems may crash and become unusable, and so on. To address these problems, the related art has developed a number of Android application analysis tools, such as malicious application analysis and detection tools, third-party library detection tools, application vulnerability analysis tools and application clone detection tools.
Malicious behavior analysis and detection tools in some related technologies only support detection of Java code portions of Android applications, but mostly do not support local codes, and cannot detect malicious applications which execute malicious behaviors only in the local codes; the third-party library detection tool can normally detect the Java third-party library but does not support the detection of local codes, cannot realize the simultaneous detection of the third-party libraries of two codes by the same algorithm, and cannot acquire a comprehensive detection result; most taint tracking tools do not support native code and cannot find all sensitive data leakage paths. In practical application, the Android application mostly uses native codes to realize main functions, and meanwhile, a third-party library of some Java codes is included, and a repackaging detection tool in the related technology cannot support native code detection, so that the application cannot be analyzed correctly and comprehensively.
Because the native code format in Android applications is complex, key code information is hidden and cannot be obtained directly; the Java code and the native code have different code characteristics because their architectures differ; and Java code and native code that are related to each other cannot be analyzed in isolation when the Android application is analyzed. As a result, it is difficult for the related art to comprehensively analyze the overall framework of an Android application.
In view of this, to address the difference in code architecture between the Java layer and the native layer, the present disclosure converts both the Java code and the native code into abstract instructions based on a common abstract base class, which allows a unified overall analysis of the Android application framework while retaining the function information of each kind of code. On the basis of the abstract instructions, function analysis is performed on the Java code and the native code respectively to determine their function information and function connection relation, and from these the global control flow graph of the Android application. The Android application is finally analyzed and detected comprehensively at multiple levels: the basic information, the abstract instructions, the function information, the functional modules and the global control flow graph. Detection and analysis are therefore more comprehensive, a larger share of applications is covered, robustness is higher, and the scheme is more convenient to implement.
Based on the above thought, in a first aspect of the disclosure, a method for detecting and analyzing Android application is provided.
As shown in fig. 1, some optional embodiments of the present disclosure provide an Android application detection analysis method, including:
S1: acquiring a bytecode file (.dex file) and a local executable file (ELF file) of a target Android application, respectively performing decompiling on the bytecode file and the local executable file to determine Java codes and local codes, and acquiring corresponding Java basic information and local basic information;
when the bytecode file is decompiled to obtain the Java code, Java basic information corresponding to the Java code may be obtained, where the Java basic information includes: the names of a plurality of classes in the Java code and the inheritance relationships of the classes; the names of a plurality of methods in the Java code, the corresponding parameter tables, the membership relations between the methods and the classes, and the method entries and method endpoints corresponding to the methods; the field names and types of a plurality of fields in the Java code; and the operators and operands of a plurality of Java instructions in the Java code;
when the local executable file is decompiled to obtain the local code, local basic information corresponding to the local code can be obtained, wherein the local basic information comprises function names and corresponding function entries of partial functions in the local code, and operators and operands of a plurality of local instructions in the local code.
S2: converting Java instructions in the Java codes into Java abstract instructions according to the Java basic information, and converting local instructions in the local codes into local abstract instructions according to the local basic information, wherein the Java abstract instructions and the local abstract instructions are based on a common abstract base class;
the Java code and the native code of the Android application use different instruction sets, the architectures of the two codes are different, and the Java code and the native code can be converted into an abstract instruction based on a common abstract base class according to the Java basic information and the native basic information;
in some optional embodiments of the present disclosure, corresponding Java instruction information and local instruction information may first be obtained according to the Java basic information and the local basic information, and the corresponding Java instructions and local instructions are then converted according to the Java instruction information and the local instruction information, respectively. A Java instruction in the Java code can be converted, according to the Java instruction information, into a Java abstract instruction based on the DexInst abstract class, and a native instruction in the native code can be converted, according to the native instruction information, into a native abstract instruction based on the ArmInst abstract class;
wherein the DexInst abstract class and the ArmInst abstract class are based on a common Inst abstract base class. Describing the Java instructions in the Java code and the native instructions in the native code on the basis of the common Inst abstract base class extracts what the Java code and the native code have in common and ignores the differences between their architectures, so that uniform analysis operations can be performed on the whole Android application on the basis of the common base class.
S3: performing function analysis on the Java code according to the Java abstract instruction to determine Java function information of the Java code, and determining a functional module structure of the Java code according to the Java function information;
the Java function information comprises function entry information, function boundary information and a plurality of function call relations among Java functions in the Java code;
the Java code can be divided into a plurality of functional modules according to the Java function information in combination with the Java basic information, the plurality of functional modules are combined to determine a corresponding functional module structure, and for the Java code, the functional modules can be organized into a tree structure according to the Java basic information and the Java function information;
S4: performing function analysis on the local code according to the local abstract instruction to determine local function information of the local code, and determining a functional module structure of the local code according to the local function information;
the local function information comprises function entry information, function boundary information and a plurality of function calling relations among a plurality of local functions in the local code;
the native code can be divided into a plurality of functional modules according to the native function information and the native basic information, and the plurality of functional modules are combined to determine the functional module structure of the native code;
S5: performing cross-language analysis according to the Java function information and the local function information to determine a function connection relation between the Java code and the local code;
determining a calling relation of the Java function to a local function and a response relation of the local function to the Java function according to the Java function information and the local function information, wherein the function connection relation comprises the calling relation of the Java function to the local function and the response relation of the local function to the Java function;
S6: constructing a global control flow graph of the target Android application according to the function module structure of the Java code, the function module structure of the local code and the function connection relation;
determining a Java control flow graph corresponding to the Java code according to a functional module structure of the Java code, determining a local control flow graph corresponding to the local code according to a functional module structure of the local code, and then connecting the Java control flow graph and the local control flow graph according to the functional connection relationship to construct the global control flow graph;
S7: detecting and analyzing the target Android application by using a static analysis tool according to the Java basic information, the local basic information, the Java function information, the local function information, the functional module structure of the Java code, the functional module structure of the local code, the function connection relation and the global control flow graph;
through instruction conversion, function analysis and cross-language analysis of the Java code and the local code, the Java basic information, local basic information, Java function information, local function information, functional module structure of the Java code, functional module structure of the local code, function connection relation and global control flow graph are obtained in turn. This information reflects features of the target Android application at different levels of its overall framework, and a static analysis tool can use these features to detect and analyze the target Android application and determine the problems that may exist in it.
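A miniature of steps S2 to S6 in Python, added here as an illustration and not code from the patent: two instruction classes share the Inst base class, per-layer call relations are joined by cross-language edges, and reachability from a Java entry point is compared with and without the native layer. Assumptions: the class bodies are hypothetical, Java-to-native links are resolved through the JNI static naming convention (dynamic registration is not covered), native-to-Java callbacks are supplied as already-resolved pairs, and every class, method and symbol name is constructed sample data.

```python
from abc import ABC, abstractmethod
from collections import deque


class Inst(ABC):
    """Common abstract base class; the analyses below use only this interface."""

    def __init__(self, func, op, operands=()):
        self.func, self.op, self.operands = func, op, tuple(operands)

    @abstractmethod
    def call_target(self):
        """Name of the called function, or None if this is not a call."""


class DexInst(Inst):
    def call_target(self):
        # Dalvik invoke-* instructions end with the callee's method reference.
        return self.operands[-1] if self.op.startswith("invoke-") else None


class ArmInst(Inst):
    def call_target(self):
        # Direct ARM calls only; register-indirect targets are not modelled here.
        return self.operands[0] if self.op in ("bl", "blx") else None


def _escape(name):
    # JNI name mangling: "_" becomes "_1", the package separator becomes "_".
    return name.replace("_", "_1").replace("/", "_")


def jni_symbol(class_name, method):
    """Exported native symbol for a Java `native` method (JNI short name)."""
    return "Java_" + _escape(class_name) + "_" + _escape(method)


def call_edges(insts):
    """Call relations inside one layer, read through the common Inst interface."""
    return {(i.func, t) for i in insts if (t := i.call_target()) is not None}


def build_global_graph(dex, arm, native_methods, upcalls):
    """Per-layer call relations plus the cross-language connection relation."""
    graph = {}

    def add(src, dst):
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())

    for src, dst in call_edges(dex) | call_edges(arm):
        add(src, dst)
    native_funcs = {i.func for i in arm}
    for cls, method in native_methods:          # Java -> native (call relation)
        sym = jni_symbol(cls, method)
        if sym in native_funcs:
            add(f"L{cls};->{method}", sym)
    for native_func, java_method in upcalls:    # native -> Java (response relation)
        add(native_func, java_method)
    return graph


def reachable(graph, start):
    """Every function reachable from `start` in the given graph."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


# Constructed sample application (not taken from the patent).
DEX = [
    DexInst("Lcom/example/Main;->onCreate", "invoke-static",
            ["Lcom/example/Bridge;->upload"]),
    DexInst("Lcom/example/Main;->onResult", "invoke-static",
            ["Lcom/example/Log;->write"]),
]
ARM = [
    ArmInst("Java_com_example_Bridge_upload", "bl", ["collect_ids"]),
    ArmInst("Java_com_example_Bridge_upload", "bl", ["send_data"]),
    ArmInst("collect_ids", "mov", ["r0", "r1"]),
    ArmInst("send_data", "bl", ["connect"]),
]
NATIVE_METHODS = [("com/example/Bridge", "upload")]   # declared `native` in Java
UPCALLS = [("Java_com_example_Bridge_upload", "Lcom/example/Main;->onResult")]

ENTRY = "Lcom/example/Main;->onCreate"
JAVA_ONLY = build_global_graph(DEX, [], [], [])
GLOBAL = build_global_graph(DEX, ARM, NATIVE_METHODS, UPCALLS)

if __name__ == "__main__":
    print("Java-only view:", sorted(reachable(JAVA_ONLY, ENTRY)))
    print("Global view:   ", sorted(reachable(GLOBAL, ENTRY)))
```

In the Java-only graph the path stops at the native method declaration; the global graph continues through the native functions and back into Java through the callback.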
As shown in fig. 2, in an Android application detection analysis method provided in some optional embodiments of the present disclosure, step S4 of performing function analysis on the native code according to the local abstract instructions to determine the native function information of the native code further includes:
S201: performing instruction analysis on the local abstract instructions to determine a plurality of local functions in the local code and the corresponding local function entries;
the plurality of local abstract instructions in the local code can be traversed and analyzed to determine the plurality of local functions and the corresponding local function entries;
in some optional embodiments, performing instruction analysis on the native abstract instructions further comprises:
analyzing an operand in the native abstract instruction to determine whether the native abstract instruction performs a function call;
in response to the local abstract instruction executing a function call, the function called by the local abstract instruction is a local function, and the local function entry corresponding to that local function is determined according to the operand in the local abstract instruction;
the above method can be used for traversing and analyzing a plurality of local abstract instructions in the local code, so that a plurality of local functions and corresponding local function entries in the local code can be determined;
further, when performing instruction analysis on the local abstract instruction to determine a plurality of local functions and corresponding local function entries in the local code, the instruction analysis may not be performed on all local abstract instructions in the local code, but the instruction analysis range may be first narrowed, that is, a part of abstract instructions which may call functions in the local abstract instruction is selected to perform analysis;
part of abstract instructions which may call functions in a plurality of local abstract instructions in the local code comprise function call instructions and pseudo function call instructions, wherein the pseudo function call instructions refer to the local abstract instructions which conform to the format of the function call instructions;
the range of traversal analysis can be narrowed down to the function call instruction and the pseudo function call instruction;
in some optional embodiments, the analyzing an operand in the native abstraction instruction to determine whether the native abstraction instruction performs a function call further comprises:
analyzing an operand in the function call instruction to determine whether the function call instruction performs a function call;
analyzing an operand in the pseudo function call instruction to determine whether the pseudo function call instruction executes a function call;
analyzing the operands of the function call instructions in the native code can ensure the accuracy of the determined local functions, and analyzing the operands of the pseudo function call instructions in the native code can ensure the recall rate of the determined local functions;
when the plurality of function call instructions are analyzed, a breadth-first algorithm may be used with the entry function of the local code as the starting point to determine the plurality of local functions directly or indirectly called by the entry function, where the entry function can be determined according to the local basic information of the local code;
by adopting the mode, the instruction analysis range is firstly reduced, the workload of instruction analysis can be greatly reduced, and the local function and the corresponding local function entry information can be accurately determined, so that the overall execution efficiency of the scheme is improved;
S202: determining the local function boundary corresponding to the local function according to the execution order of the local abstract instructions in the local function, starting from the local function entry;
after the local function entry is determined, basic blocks are divided according to the execution order of the local abstract instructions with the local function entry as the starting point, and the local function boundary of the local function is determined from the corresponding basic blocks;
S203: determining the function call relations of the local functions according to the local function entries and the local function boundaries of the local functions;
the local function information includes the local function entries, the local function boundaries, and the function call relations of the plurality of local functions.
When the operand in the local abstract instruction is directed to a certain target address, it needs to be determined whether the target address directed by the operand is used for calling a new function, that is, whether the target address is directed to a target function.
As shown in fig. 3, in an Android application detection analysis method according to some optional embodiments of the present disclosure, the analyzing an operand in the local abstract instruction to determine whether the local abstract instruction executes a function call further includes:
S301: analyzing the addressing mode and the data type of the operand in the local abstract instruction to determine whether the operand is a target address;
S302: in response to the operand being a target address, analyzing the target address to determine whether the operand points to a target function;
S303: in response to the operand pointing to a target function, determining that the local abstract instruction performs a function call, the called function being the target function;
analyzing the addressing mode and the data type of the operand in the local abstract instruction to determine whether the operand is a target address S301, further comprising:
analyzing the addressing mode of the operand;
in response to the addressing mode of the operand being register addressing, which indicates that the operand may hold a target address, making a further determination, namely analyzing the data type of the operand;
the analysis of the data type of the operand is in effect a constant analysis of the operand's data, and it relies on the basic block division result of the native code;
therefore, in some alternative embodiments, when analyzing the data type of the operand, the basic block information of the native code may be first determined according to the execution order of the plurality of native abstract instructions of the native code, and then the data type of the operand may be determined according to the basic block information;
in response to the data type of the operand being a constant, determining the operand to be a target address, and determining the target address according to the numerical value of the operand;
in response to the data type of the operand being a semi-constant, determining the operand as a target address, determining a plurality of corresponding target addresses according to a plurality of selectable values of the operand;
after determining that the operand points to a target address, further analyzing the target address to determine whether the target address points to a target function;
in some optional embodiments, the analyzing the target address to determine whether the operand points to a target function S302 further comprises:
determining whether the target address points to the local abstract instruction in the local code;
in response to the target address not pointing to the native abstract instruction, i.e., the location pointed to by the target address is not in the native code, determining that the target address does not point to a target function;
in response to the target address pointing to the local abstract instruction, acquiring an abstract instruction segment from the target address, and analyzing the abstract instruction segment;
in response to an illegal instruction in the abstract instruction segment, determining that the target address does not point to a target function;
in response to a plurality of local abstract instructions in the abstract instruction segment performing data push operations or stack pointer manipulation, determining that the target address points to a target function;
the abstract instruction segment is an instruction segment composed of the local abstract instructions from the local abstract instruction pointed to by the target address up to a result return instruction (return instruction); in some optional embodiments, the instruction length of the abstract instruction segment may be set according to the actual situation; for example, 10 local abstract instructions may be taken starting from the position pointed to by the target address and analyzed.
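The following sketch is an added example, not code from the patent: it walks a toy instruction listing breadth-first from the entry function, resolves call and pseudo-call operands as in S301, and accepts a target only if it passes the S302 segment check. The `Inst` model, the opcode names, the fixed 4-byte instruction width, the treatment of immediate operands as direct targets, and ending a function at its first return are all assumptions made for illustration.

```python
from collections import deque
from dataclasses import dataclass

CALL_OPS = {"bl", "blx"}           # function call instructions
PSEUDO_CALL_OPS = {"b", "bx"}      # same operand format: tail call or local jump
STACK_OPS = {"push", "sub_sp", "add_sp"}
INSN_SIZE = 4                      # assumption: fixed-width toy encoding


@dataclass(frozen=True)
class Inst:
    """Hypothetical stand-in for a local abstract instruction."""
    op: str
    mode: str = ""       # addressing mode: "imm" or "reg"
    dtype: str = ""      # for "reg": "const", "semi" or "unknown"
    values: tuple = ()   # value(s) the constant analysis found for the operand


def resolve_targets(inst):
    """S301: turn an operand into zero or more candidate target addresses."""
    if inst.mode == "imm":                      # assumption: immediate is the address
        return list(inst.values[:1])
    if inst.mode == "reg" and inst.dtype == "const":
        return list(inst.values[:1])
    if inst.mode == "reg" and inst.dtype == "semi":
        return list(inst.values)                # one candidate per selectable value
    return []                                   # unknown register content


def is_function_start(code, addr, window=10):
    """S302: inspect up to `window` instructions starting at the target address."""
    if addr not in code:                        # target lies outside the local code
        return False
    saw_stack_op = False
    for i in range(window):
        inst = code.get(addr + i * INSN_SIZE)
        if inst is None:
            break
        if inst.op == "illegal":                # data or misaligned bytes
            return False
        if inst.op in STACK_OPS:
            saw_stack_op = True
        if inst.op == "ret":                    # segment ends at the return instruction
            break
    return saw_stack_op


def discover_functions(code, entry):
    """Breadth-first discovery; returns ({entry: (first, last)}, {(caller, callee)})."""
    boundaries, calls = {}, set()
    queue, seen = deque([entry]), {entry}
    while queue:
        start = queue.popleft()
        addr = end = start
        while addr in code:
            inst, end, tail_call = code[addr], addr, False
            if inst.op in CALL_OPS | PSEUDO_CALL_OPS:
                for target in resolve_targets(inst):
                    if is_function_start(code, target):   # S303
                        calls.add((start, target))
                        tail_call = inst.op in PSEUDO_CALL_OPS
                        if target not in seen:
                            seen.add(target)
                            queue.append(target)
            if inst.op == "ret" or tail_call:
                break
            addr += INSN_SIZE
        boundaries[start] = (start, end)
    return boundaries, calls


# Constructed listing: 0x1050 is data that begins with a push-like word,
# 0x2000 is outside the code, 0x1080 is a function nothing calls.
SAMPLE = {
    0x1000: Inst("push"),
    0x1004: Inst("bl", "imm", values=(0x1020,)),
    0x1008: Inst("blx", "reg", "semi", (0x1040, 0x2000)),
    0x100C: Inst("blx", "reg", "unknown"),
    0x1010: Inst("b", "imm", values=(0x1008,)),      # local loop, not a call
    0x1014: Inst("ret"),
    0x1020: Inst("sub_sp"),
    0x1024: Inst("blx", "reg", "const", (0x1050,)),
    0x1028: Inst("b", "imm", values=(0x1060,)),      # tail call
    0x1040: Inst("push"), 0x1044: Inst("ret"),
    0x1050: Inst("push"), 0x1054: Inst("illegal"),
    0x1060: Inst("push"), 0x1064: Inst("add_sp"), 0x1068: Inst("ret"),
    0x1080: Inst("push"), 0x1084: Inst("ret"),
}

if __name__ == "__main__":
    bounds, edges = discover_functions(SAMPLE, 0x1000)
    for first, last in sorted(bounds.values()):
        print(f"function {first:#x}..{last:#x}")
    for caller, callee in sorted(edges):
        print(f"call {caller:#x} -> {callee:#x}")
```

The function at 0x1080 is never visited because nothing reachable from the entry refers to it, which is the narrowing of the analysis range the description relies on.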
After determining the Java function information, the local function information, and the corresponding functional module structures of the Java code and the local code, cross-language analysis needs to be performed on the Java code and the local code to determine a function connection relationship between the Java code and the local code, so that a complete global control flow graph can be constructed later.
As shown in fig. 4, in an Android application detection analysis method according to some optional embodiments of the present disclosure, the performing cross-language analysis according to the Java function information and the local function information to determine a function connection relationship between the Java code and the local code further includes:
S401: in the Java code, a Java local interface function is selected according to the Java function information, and a local target function called by the Java local interface function is determined in the local code according to a function calling instruction in the Java local interface function;
S402: in the local code, screening out the local target function from a plurality of local functions by tracking how the android_app pointer in the start function is passed among the plurality of local functions;
for cross-language function calls through the Java local interface function (JNI, Java Native Interface), the corresponding application programming interface (API) calls may be obtained, such as the function call instructions of GetMethodID and CallTypeMethod, and the called local target function is determined in the local code according to the string constant parameters of the function call instruction;
S403: determining a Java callback function corresponding to the local target function in the Java code according to callback function information of the android_app pointer;
S404: and determining the Java local interface function responded by the local target function in the Java code according to the Java callback function.
A local function in the local code that is called by a JNI function in the Java code executes a function callback in response to the JNI function; that is, the local function in turn calls a Java callback function in the Java code;
for the local function callback, the android_app pointer parameter of the entry function android_main in the local code can be regarded as a special constant, and the way this pointer is passed among the plurality of local functions is tracked. Once the structure member offset used by a local function is found to match a callback function member in android_app, that local function is determined to be a local target function called across languages by a JNI function, and the corresponding Java callback function is then determined in the Java code according to the callback function information of the android_app pointer; the local target function corresponds to the Java callback function, the local target function also corresponds to the JNI function it responds to, and the Java local interface function to which the local target function responds can be determined in the Java code according to the Java callback function.
Therefore, the calling relation between the Java local interface function in the Java code and the local target function in the local code and the response relation between the local target function in the local code and the Java local interface function in the Java code can be determined, and the function connection relation between the Java code and the local code comprises the calling relation and the response relation.
After determining the function connection relation between the Java code and the local code, the respective functional module structures of the Java code and the local code can be combined to construct a global control flow graph of the target Android application.
As shown in fig. 5, in an Android application detection analysis method according to some optional embodiments of the present disclosure, the constructing a global control flow graph of the target Android application according to the functional module structure of the Java code, the functional module structure of the local code, and the function connection relationship further includes:
S501: constructing a Java control flow graph according to the functional module structure of the Java code, wherein the Java control flow graph comprises Java local interface function nodes corresponding to the Java local interface functions;
each functional module in the functional module structure of the Java code can be used as a graph node in a control flow graph, and a control call relationship among a plurality of functional modules is determined according to the Java function information to complete directed connection among a plurality of graph nodes, so that the Java control flow graph is constructed;
S502: constructing a local control flow graph according to the functional module structure of the local code, wherein the local control flow graph comprises local target function nodes corresponding to the local target function;
the same idea as that of constructing a Java control flow graph can be adopted, each functional module in the functional module structure of the local code is used as a graph node of the control flow graph, and the control call relation between different functional modules is determined by combining local function information, so that the corresponding graph nodes are directionally connected to obtain the local control flow graph;
S503: connecting the Java local interface function node with the local target function node according to the function connection relation to determine the global control flow graph;
the function connection relationship between the Java code and the local code, determined by the cross-language analysis according to the Java function information and the local function information, specifically includes the call relationship between a Java local interface function in the Java code and a local target function in the local code, and the response relationship between the local target function in the local code and the Java local interface function in the Java code; the Java local interface function node and the local target function node are directionally connected according to the call relationship and the response relationship;
in some optional embodiments, the connecting the Java local interface function node with the local target function node according to the function connection relationship further includes:
according to a local target function called by the Java local interface function, directionally connecting the Java local interface function node in the Java control flow graph with the local target function node in the local control flow graph, wherein the connection direction is that the Java local interface function node points to the local target function node;
and according to the Java local interface function responded by the local target function, directionally connecting the local target function node in the local control flow graph with the Java local interface function node in the Java control flow graph, wherein the connection direction is that the local target function node points to the Java local interface function node.
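As an added illustration of S501 to S503 (not code from the patent), the sketch below merges a Java graph and a local graph through the call and response relations and then shows a path that exists only in the merged graph. All function names and edge lists are constructed, and nodes are whole functions rather than functional modules to keep the example short.

```python
from collections import deque


def require_nodes(graph, *nodes):
    """Refuse a cross-language connection whose endpoint is missing from its graph."""
    for node in nodes:
        if node not in graph:
            raise ValueError(f"unresolved connection endpoint: {node}")


def build_global_cfg(java_edges, native_edges, call_rel, resp_rel):
    """Return an adjacency map over ("java", name) and ("native", name) nodes."""
    graph = {}

    def add(u, v):
        graph.setdefault(u, set()).add(v)
        graph.setdefault(v, set())

    for u, v in java_edges:                       # S501: Java control flow graph
        add(("java", u), ("java", v))
    for u, v in native_edges:                     # S502: local control flow graph
        add(("native", u), ("native", v))
    for jni, target in call_rel:                  # S503: JNI node -> local target node
        require_nodes(graph, ("java", jni), ("native", target))
        add(("java", jni), ("native", target))
    for target, jni in resp_rel:                  # S503: local target node -> JNI node
        require_nodes(graph, ("native", target), ("java", jni))
        add(("native", target), ("java", jni))
    return graph


def find_path(graph, src, dst):
    """Shortest path from src to dst as a list of nodes, or None if unreachable."""
    if src not in graph or dst not in graph:
        return None
    parent, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in graph[node]:
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


# Constructed sample: the only route from onCreate to Uploader.send runs through
# native code, so a Java-only graph cannot see it.
JAVA_EDGES = [
    ("MainActivity.onCreate", "NativeBridge.process"),
    ("NativeBridge.onResult", "Uploader.send"),
]
NATIVE_EDGES = [
    ("Java_NativeBridge_process", "pack"),
    ("pack", "deliver"),
]
CALL_REL = [("NativeBridge.process", "Java_NativeBridge_process")]
RESP_REL = [("deliver", "NativeBridge.onResult")]

SRC = ("java", "MainActivity.onCreate")
DST = ("java", "Uploader.send")


def java_only_path():
    return find_path(build_global_cfg(JAVA_EDGES, [], [], []), SRC, DST)


def global_path():
    graph = build_global_cfg(JAVA_EDGES, NATIVE_EDGES, CALL_REL, RESP_REL)
    return find_path(graph, SRC, DST)


if __name__ == "__main__":
    print("Java-only:", java_only_path())
    print("Global:   ", " -> ".join(name for _, name in global_path()))
```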
It should be noted that the method of the embodiments of the present disclosure may be executed by a single device, such as a computer or a server. The method of the embodiment can also be applied to a distributed scene and completed by the mutual cooperation of a plurality of devices. In such a distributed scenario, one of the devices may only perform one or more steps of the method of the embodiments of the present disclosure, and the devices may interact with each other to complete the method.
It should be noted that the above describes some embodiments of the disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments described above and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
Based on the same inventive concept, corresponding to the method of any embodiment, the present disclosure further provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and capable of running on the processor, where the processor executes the program to implement the Android application detection analysis method of any embodiment.
Fig. 6 is a schematic diagram illustrating a more specific hardware structure of an electronic device according to this embodiment, where the electronic device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein the processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 are communicatively coupled to each other within the device via bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits, and is configured to execute related programs to implement the technical solutions provided in the embodiments of the present disclosure.
The Memory 1020 may be implemented in the form of a ROM (Read Only Memory), a RAM (Random Access Memory), a static storage device, a dynamic storage device, or the like. The memory 1020 may store an operating system and other application programs, and when the technical solution provided by the embodiments of the present specification is implemented by software or firmware, the relevant program codes are stored in the memory 1020 and called to be executed by the processor 1010.
The input/output interface 1030 is used for connecting an input/output module to input and output information. The i/o module may be configured as a component in a device (not shown) or may be external to the device to provide a corresponding function. The input devices may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and the output devices may include a display, a speaker, a vibrator, an indicator light, etc.
The communication interface 1040 is used for connecting a communication module (not shown in the drawings) to implement communication interaction between the present apparatus and other apparatuses. The communication module can realize communication in a wired mode (such as USB, network cable and the like) and also can realize communication in a wireless mode (such as mobile network, WIFI, Bluetooth and the like).
Bus 1050 includes a path that transfers information between various components of the device, such as processor 1010, memory 1020, input/output interface 1030, and communication interface 1040.
It should be noted that although the above-mentioned device only shows the processor 1010, the memory 1020, the input/output interface 1030, the communication interface 1040 and the bus 1050, in a specific implementation, the device may also include other components necessary for normal operation. In addition, those skilled in the art will appreciate that the above-described apparatus may also include only those components necessary to implement the embodiments of the present description, and not necessarily all of the components shown in the figures.
The electronic device of the embodiment is used for implementing the Android application detection and analysis method corresponding to any one of the embodiments, and has the beneficial effects of the corresponding method embodiment, which are not described herein again.
Based on the same inventive concept, corresponding to any of the above embodiments, the present disclosure further provides a non-transitory computer-readable storage medium storing computer instructions for causing the computer to execute the Android application detection analysis method according to any of the above embodiments.
Computer-readable media of the present embodiments, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device.
The computer instructions stored in the storage medium of the foregoing embodiment are used to enable the computer to execute the Android application detection analysis method according to any embodiment, and have the beneficial effects of the corresponding method embodiment, which are not described herein again.
It should be noted that the embodiments of the present disclosure can be further described in the following ways:
an Android application detection analysis method, the method comprising:
acquiring a bytecode file and a local executable file of a target Android application, performing decompiling on the bytecode file and the local executable file respectively to determine Java codes and local codes, and acquiring corresponding Java basic information and local basic information;
converting Java instructions in the Java codes into Java abstract instructions according to the Java basic information, and converting local instructions in the local codes into local abstract instructions according to the local basic information, wherein the Java abstract instructions and the local abstract instructions are based on a common abstract base class;
performing function analysis on the Java code according to the Java abstract instruction to determine Java function information of the Java code, and determining a functional module structure of the Java code according to the Java function information;
performing function analysis on the local code according to the local abstract instruction to determine local function information of the local code, and determining a functional module structure of the local code according to the local function information;
performing cross-language analysis according to the Java function information and the local function information to determine a function connection relation between the Java code and the local code;
constructing a global control flow graph of the target Android application according to the function module structure of the Java code, the function module structure of the local code and the function connection relation;
and detecting and analyzing the target Android application by using a static analysis tool according to the Java basic information, the local basic information, the Java function information, the local function information, the functional module structure of the Java code, the functional module structure of the local code, the function connection relation and the global control flow graph.
Optionally, the converting the Java instruction in the Java code into a Java abstract instruction according to the Java basic information further includes:
determining instruction information of the Java instruction according to the Java basic information;
converting the Java instruction into the Java abstract instruction based on a DexInst abstract class according to the instruction information of the Java instruction;
the converting the native instruction in the native code into a native abstract instruction according to the native basic information further includes:
determining instruction information of the local instruction according to the local basic information;
converting the local instruction into the local abstract instruction based on an ArmInst abstract class according to the instruction information of the local instruction;
wherein the DexInst abstract class and the ArmInst abstract class are based on a common Inst abstract base class.
Optionally, the performing, according to the local abstract instruction, a function analysis on the local code to determine local function information of the local code further includes:
performing instruction analysis on the local abstract instruction to determine a plurality of local functions in the local code and corresponding local function entries;
starting from the local function entry, determining the local function boundary corresponding to the local function according to the execution order of the local abstract instructions in the local function;
determining function call relations of the local functions according to the local function entries and the local function boundaries of the local functions;
the local function information includes the local function entries, the local function boundaries, and the function call relations of the plurality of local functions.
Optionally, the performing instruction analysis on the local abstract instruction to determine a plurality of local functions in the local code and corresponding local function entries further includes:
analyzing an operand in the native abstract instruction to determine whether the native abstract instruction performs a function call;
in response to the local abstract instruction performing a function call, the function called by the local abstract instruction being the local function, determining the local function entry corresponding to the local function according to the operand in the local abstract instruction;
the local abstract instruction comprises a function call instruction and a pseudo function call instruction, wherein the pseudo function call instruction refers to the local abstract instruction which accords with the format of the function call instruction;
the analyzing the operands in the native abstract instruction to determine whether the native abstract instruction performs a function call further comprises:
analyzing an operand in the function call instruction to determine whether the function call instruction performs a function call;
and analyzing an operand in the pseudo function call instruction to determine whether the pseudo function call instruction executes a function call.
Optionally, the analyzing the operand in the local abstract instruction to determine whether the local abstract instruction executes a function call further includes:
analyzing the addressing mode and the data type of the operand in the local abstract instruction to determine whether the operand is a target address;
in response to the operand being a target address, analyzing the target address to determine whether the operand points to a target function;
in response to the operand pointing to a target function, determining that the local abstract instruction performs a function call, the called function being the target function;
wherein analyzing the addressing mode and data type of the operand in the native abstract instruction to determine whether the operand is a target address further comprises:
analyzing the addressing mode of the operand;
analyzing the data type of the operand in response to the addressing mode of the operand being register addressing;
in response to the data type of the operand being a constant, determining the operand to be a target address, and determining the target address according to the numerical value of the operand;
in response to the data type of the operand being a semi-constant, determining the operand as a target address, determining a plurality of corresponding target addresses according to a plurality of selectable values of the operand;
wherein the analyzing the data type of the operand further comprises:
determining basic block information of the native code according to an execution sequence of a plurality of native abstract instructions of the native code;
and determining the data type of the operand according to the basic block information.
Optionally, the analyzing the target address to determine whether the operand points to a target function further includes:
determining whether the target address points to the local abstract instruction in the local code;
in response to the target address not pointing to the local abstract instruction, determining that the target address does not point to a target function;
in response to the target address pointing to the local abstract instruction, acquiring an abstract instruction segment from the target address, and analyzing the abstract instruction segment;
in response to an illegal instruction in the abstract instruction segment, determining that the target address does not point to a target function;
in response to a plurality of local abstract instructions in the abstract instruction segment performing data push operations or stack pointer manipulation, determining that the target address points to a target function;
the abstract instruction segment is an instruction segment which is composed of a plurality of local abstract instructions from the local abstract instruction pointed by the target address to a result returning instruction.
Optionally, the performing cross-language analysis according to the Java function information and the local function information to determine a function connection relationship between the Java code and the local code further includes:
in the Java code, selecting a Java local interface function according to the Java function information;
determining a local target function called by the Java local interface function in the local code according to a function calling instruction in the Java local interface function;
in the local code, screening out the local target function from a plurality of local functions by tracking how the android_app pointer in the start function is passed among the plurality of local functions;
determining a Java callback function corresponding to the local target function in the Java code according to callback function information of the android_app pointer;
and determining the Java local interface function responded by the local target function in the Java code according to the Java callback function.
Optionally, the constructing a global control flow graph of the target Android application according to the function module structure of the Java code, the function module structure of the local code, and the function connection relationship further includes:
constructing a Java control flow graph according to the functional module structure of the Java code, wherein the Java control flow graph comprises Java local interface function nodes corresponding to the Java local interface functions;
constructing a local control flow graph according to the functional module structure of the local code, wherein the local control flow graph comprises local target function nodes corresponding to the local target function;
connecting the Java local interface function node with the local target function node according to the function connection relation to determine the global control flow graph;
wherein the connecting the Java local interface function node with the local target function node according to the function connection relationship further comprises:
according to a local target function called by the Java local interface function, directionally connecting the Java local interface function node in the Java control flow graph with the local target function node in the local control flow graph, wherein the connection direction is that the Java local interface function node points to the local target function node;
and according to the Java local interface function responded by the local target function, directionally connecting the local target function node in the local control flow graph with the Java local interface function node in the Java control flow graph, wherein the connection direction is that the local target function node points to the Java local interface function node.
Those of ordinary skill in the art will understand that the discussion of any embodiment above is exemplary only and is not intended to imply that the scope of the disclosure, including the claims, is limited to these examples; within the idea of the present disclosure, technical features in the above embodiments or in different embodiments may also be combined, steps may be implemented in any order, and there are many other variations of the different aspects of the embodiments of the present disclosure as described above, which are not provided in detail for the sake of brevity.
In addition, well-known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown in the provided figures for simplicity of illustration and discussion, and so as not to obscure the embodiments of the disclosure. Furthermore, devices may be shown in block diagram form in order to avoid obscuring embodiments of the present disclosure, and this also takes into account the fact that specifics with respect to implementation of such block diagram devices are highly dependent upon the platform within which the embodiments of the present disclosure are to be implemented (i.e., specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the disclosure, it should be apparent to one skilled in the art that the embodiments of the disclosure can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative instead of restrictive.
While the present disclosure has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of these embodiments will be apparent to those of ordinary skill in the art in light of the foregoing description. For example, other memory architectures (e.g., dynamic RAM (DRAM)) may use the discussed embodiments.
The disclosed embodiments are intended to embrace all such alternatives, modifications and variances which fall within the broad scope of the appended claims. Therefore, any omissions, modifications, equivalents, improvements, and the like that may be made within the spirit and principles of the embodiments of the disclosure are intended to be included within the scope of the disclosure.

Claims (10)

1. An Android application detection analysis method, the method comprising:
acquiring a bytecode file and a local executable file of a target Android application, performing decompiling on the bytecode file and the local executable file respectively to determine Java codes and local codes, and acquiring corresponding Java basic information and local basic information;
converting Java instructions in the Java codes into Java abstract instructions according to the Java basic information, and converting local instructions in the local codes into local abstract instructions according to the local basic information, wherein the Java abstract instructions and the local abstract instructions are based on a common abstract base class;
performing function analysis on the Java code according to the Java abstract instruction to determine Java function information of the Java code, and determining a functional module structure of the Java code according to the Java function information;
performing function analysis on the local code according to the local abstract instruction to determine local function information of the local code, and determining a functional module structure of the local code according to the local function information;
performing cross-language analysis according to the Java function information and the local function information to determine a function connection relation between the Java code and the local code;
constructing a global control flow graph of the target Android application according to the function module structure of the Java code, the function module structure of the local code and the function connection relation;
and detecting and analyzing the target Android application by using a static analysis tool according to the Java basic information, the local basic information, the Java function information, the local function information, the functional module structure of the Java code, the functional module structure of the local code, the function connection relation and the global control flow graph.
2. The method of claim 1, wherein the converting Java instructions in the Java code into Java abstract instructions according to the Java base information, further comprises:
determining instruction information of the Java instruction according to the Java basic information;
converting the Java instruction into the Java abstract instruction based on a DexInst abstract class according to the instruction information of the Java instruction;
the converting the native instruction in the native code into a native abstract instruction according to the native basic information further includes:
determining instruction information of the local instruction according to the local basic information;
converting the local instruction into the local abstract instruction based on an ArmInst abstract class according to the instruction information of the local instruction;
wherein the DexInst abstract class and the ArmInst abstract class are based on a common Inst abstract base class.
3. The method of claim 1, wherein the performing a function analysis on the native code according to the native abstraction instruction to determine native function information of the native code, further comprises:
performing instruction analysis on the local abstract instruction to determine a plurality of local functions in the local code and corresponding local function entries;
determining a local function boundary corresponding to the local function according to the execution sequence of the local abstract instructions in the local function, starting from the local function entry;
determining function call relations of the local functions according to the local function entries and the local function boundaries of the local functions;
the local function information includes the local function entries, the local function boundaries, and the function call relations of the plurality of local functions.
4. The method of claim 3, wherein the instruction analyzing the native abstract instructions to determine a plurality of native functions in the native code and corresponding native function entries, further comprises:
analyzing an operand in the native abstract instruction to determine whether the native abstract instruction performs a function call;
in response to the local abstract instruction performing a function call, taking the function called by the local abstract instruction as the local function, and determining the local function entry corresponding to the local function according to the operand in the local abstract instruction;
the local abstract instruction comprises a function call instruction and a pseudo function call instruction, wherein the pseudo function call instruction refers to the local abstract instruction which accords with the format of the function call instruction;
the analyzing the operands in the native abstract instruction to determine whether the native abstract instruction performs a function call further comprises:
analyzing an operand in the function call instruction to determine whether the function call instruction performs a function call;
and analyzing an operand in the pseudo function call instruction to determine whether the pseudo function call instruction executes a function call.
5. The method of claim 4, wherein the analyzing operands in the native abstract instruction to determine whether the native abstract instruction performs a function call further comprises:
analyzing the addressing mode and the data type of the operand in the local abstract instruction to determine whether the operand is a target address;
in response to the operand being a target address, analyzing the target address to determine whether the operand points to a target function;
in response to the operand pointing to a target function, determining that the local abstract instruction performs a function call, the called function being the target function;
wherein analyzing the addressing mode and data type of the operand in the native abstract instruction to determine whether the operand is a target address further comprises:
analyzing the addressing mode of the operand;
analyzing the data type of the operand in response to the addressing mode of the operand being register addressing;
in response to the data type of the operand being a constant, determining the operand to be a target address, and determining the target address according to the numerical value of the operand;
in response to the data type of the operand being a semi-constant, determining the operand as a target address, determining a plurality of corresponding target addresses according to a plurality of selectable values of the operand;
wherein the analyzing the data type of the operand further comprises:
determining basic block information of the native code according to an execution sequence of a plurality of native abstract instructions of the native code;
and determining the data type of the operand according to the basic block information.
6. The method of claim 5, wherein the analyzing the target address to determine whether the operand points to a target function further comprises:
determining whether the target address points to the local abstract instruction in the local code;
in response to the target address not pointing to the local abstract instruction, determining that the target address does not point to a target function;
in response to the target address pointing to the local abstract instruction, acquiring an abstract instruction segment starting from the target address, and analyzing the abstract instruction segment;
in response to an illegal instruction in the abstract instruction segment, determining that the target address does not point to a target function;
in response to a plurality of local abstract instructions in the abstract instruction segment performing a data push operation or an operation that processes the stack pointer, determining that the target address points to a target function;
wherein the abstract instruction segment is an instruction segment composed of the local abstract instructions from the local abstract instruction pointed to by the target address up to a result-returning instruction.
7. The method of claim 1, wherein the performing cross-language analysis according to the Java function information and the native function information to determine a functional connection relationship of the Java code and the native code further comprises:
in the Java code, selecting a Java local interface function according to the Java function information;
determining a local target function called by the Java local interface function in the local code according to a function calling instruction in the Java local interface function;
in the local code, selecting the local target function from a plurality of local functions by tracking how the android_app pointer in the start function is passed among the plurality of local functions;
determining a Java callback function corresponding to the local target function in the Java code according to callback function information of the android_app pointer;
and determining the Java local interface function responded by the local target function in the Java code according to the Java callback function.
8. The method of claim 7, wherein the constructing a global control flow graph of the target Android application according to the functional module structure of the Java code, the functional module structure of the native code and the function connection relation further comprises:
constructing a Java control flow graph according to the functional module structure of the Java code, wherein the Java control flow graph comprises Java local interface function nodes corresponding to the Java local interface functions;
constructing a local control flow graph according to the functional module structure of the local code, wherein the local control flow graph comprises local target function nodes corresponding to the local target function;
connecting the Java local interface function node with the local target function node according to the function connection relation to determine the global control flow graph;
wherein the connecting the Java local interface function node with the local target function node according to the function connection relationship further comprises:
according to a local target function called by the Java local interface function, directionally connecting the Java local interface function node in the Java control flow graph with the local target function node in the local control flow graph, wherein the connection direction is that the Java local interface function node points to the local target function node;
and according to the Java local interface function responded by the local target function, directionally connecting the local target function node in the local control flow graph with the Java local interface function node in the Java control flow graph, wherein the connection direction is that the local target function node points to the Java local interface function node.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the method of any one of claims 1 to 8 when executing the program.
10. A non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the method of any one of claims 1 to 8.
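
The function-entry checks of claims 5 and 6, as an added Python example that is not code from the patent: call operands are resolved to one or several candidate addresses, and each candidate is accepted only if the segment up to a return instruction is legal and sets up a stack frame. The `Inst` tuple, the mnemonic strings, `udf` as the illegal instruction, the `mov`/`movne` tracking that stands in for the basic-block data-type analysis, and the threshold of two stack operations are all assumptions.

```python
from collections import namedtuple

# Stand-in for a native abstract instruction; field names are assumptions.
Inst = namedtuple("Inst", "addr op args")

STACK_OPS_NEEDED = 2  # assumed reading of "a plurality" of push / SP operations

def is_return(i):
    return (i.op == "bx" and i.args == ("lr",)) or (i.op == "pop" and "pc" in i.args)

def touches_stack(i):
    return i.op == "push" or (i.op in ("sub", "add") and i.args[:1] == ("sp",))

def points_to_function(code, target):
    """Claim 6: scan from target to the first return instruction."""
    if target not in code:                      # not an instruction in the code
        return False
    stack_ops = 0
    for addr in sorted(a for a in code if a >= target):
        inst = code[addr]
        if inst.op == "udf":                    # illegal instruction in the segment
            return False
        stack_ops += touches_stack(inst)
        if is_return(inst):
            return stack_ops >= STACK_OPS_NEEDED
    return False                                # no return instruction reached

def candidate_targets(inst, env):
    """Claim 5: constant -> one target address, semi-constant -> several."""
    if inst.op not in ("bl", "blx"):
        return set()
    operand = inst.args[0]
    # Immediate operands are assumed constant; unknown registers yield nothing.
    return {operand} if isinstance(operand, int) else set(env.get(operand, ()))

def discover_entries(insts):
    """Walk the instructions in order and collect validated function entries."""
    code, env, entries = {i.addr: i for i in insts}, {}, set()
    for inst in insts:
        if inst.op == "mov" and isinstance(inst.args[1], int):
            env[inst.args[0]] = {inst.args[1]}                      # constant
        elif inst.op == "movne" and inst.args[0] in env:
            env[inst.args[0]] = env[inst.args[0]] | {inst.args[1]}  # semi-constant
        entries |= {t for t in candidate_targets(inst, env)
                    if points_to_function(code, t)}
    return entries

# Constructed sample, not taken from a real binary.
SAMPLE = [Inst(*t) for t in [
    (0x1000, "mov", ("r3", 0x1020)), (0x1004, "movne", ("r3", 0x1040)),
    (0x1008, "blx", ("r3",)), (0x100C, "bl", (0x1060,)), (0x1010, "bl", (0x2000,)),
    (0x1014, "bx", ("lr",)),
    (0x1020, "push", ("r4", "lr")), (0x1024, "sub", ("sp", "sp", 8)),
    (0x1028, "pop", ("r4", "pc")),
    (0x1040, "push", ("r4", "lr")), (0x1044, "sub", ("sp", "sp", 16)),
    (0x1048, "pop", ("r4", "pc")),
    (0x1060, "mov", ("r0", 1)), (0x1064, "udf", ()), (0x1068, "bx", ("lr",)),
]]
```

With the threshold assumed here, a frameless leaf routine such as the one at `0x1000` in the sample is not reported as an entry, so the threshold sets the trade-off between missed functions and false entries.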
CN202110365195.XA 2021-04-06 2021-04-06 Android application detection and analysis method, electronic equipment and storage medium Active CN112733145B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110365195.XA CN112733145B (en) 2021-04-06 2021-04-06 Android application detection and analysis method, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110365195.XA CN112733145B (en) 2021-04-06 2021-04-06 Android application detection and analysis method, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN112733145A CN112733145A (en) 2021-04-30
CN112733145B CN112733145B (en) 2021-06-08

Family

ID=75596513

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110365195.XA Active CN112733145B (en) 2021-04-06 2021-04-06 Android application detection and analysis method, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN112733145B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104504337A (en) * 2014-12-31 2015-04-08 中国人民解放军理工大学 Method for detecting malicious application disclosing Android data
CN105677574A (en) * 2016-03-10 2016-06-15 南京邮电大学 Android application vulnerability detection method and system based on function control flow
CN105893848A (en) * 2016-04-27 2016-08-24 南京邮电大学 Precaution method for Android malicious application program based on code behavior similarity matching
CN106055479A (en) * 2016-06-01 2016-10-26 中国科学院信息工程研究所 Android application software test method based on compulsory execution
CN107623738A (en) * 2017-09-28 2018-01-23 中南大学 A kind of WebView bridge joint mouth stain mappings and analysis method towards Android application
CN109902487A (en) * 2017-12-08 2019-06-18 南京理工大学 Android based on application behavior applies malicious detection method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080016339A1 (en) * 2006-06-29 2008-01-17 Jayant Shukla Application Sandbox to Detect, Remove, and Prevent Malware

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
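A Review of Android Malware Detection Approaches based on Machine Learning; Kaijun Liu et al.; IEEE; 20201231; pp. 1-30 *
An Android malicious code detection mechanism based on the Native layer; Sun Binglin et al.; Computer and Modernization; 20190531; pp. 1-6, 12 *
An Android malicious code detection method based on native code features; He Ping et al.; Journal of Information Security Research; 20181231; pp. 511-517 *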

Also Published As

Publication number Publication date
CN112733145A (en) 2021-04-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant