CN113672902A - Application program detection method, device, equipment and storage medium - Google Patents
Application program detection method, device, equipment and storage medium Download PDFInfo
- Publication number
- CN113672902A CN113672902A CN202111013803.7A CN202111013803A CN113672902A CN 113672902 A CN113672902 A CN 113672902A CN 202111013803 A CN202111013803 A CN 202111013803A CN 113672902 A CN113672902 A CN 113672902A
- Authority
- CN
- China
- Prior art keywords
- detected
- application
- function
- behavior
- information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 230000006399 behavior Effects 0.000 claims abstract description 196
- 238000001514 detection method Methods 0.000 claims abstract description 48
- 238000000034 method Methods 0.000 claims abstract description 27
- 230000006870 function Effects 0.000 claims description 118
- 238000013475 authorization Methods 0.000 claims description 23
- 230000015654 memory Effects 0.000 claims description 9
- 238000004590 computer program Methods 0.000 claims description 5
- 230000006872 improvement Effects 0.000 abstract description 3
- 238000010586 diagram Methods 0.000 description 6
- 230000008569 process Effects 0.000 description 6
- 238000007726 management method Methods 0.000 description 5
- 238000005516 engineering process Methods 0.000 description 3
- 238000003702 image correction Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 230000003287 optical effect Effects 0.000 description 2
- 238000011161 development Methods 0.000 description 1
- 230000008439 repair process Effects 0.000 description 1
- 238000012827 research and development Methods 0.000 description 1
- 239000007787 solid Substances 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Telephone Function (AREA)
Abstract
The application provides an application program detection method, an application program detection device, application program detection equipment and a storage medium, wherein the method comprises the following steps: receiving an operation instruction for the application to be detected, wherein the operation instruction carries a function to be detected; controlling the application to be detected to call the function to be detected; acquiring a call record of the to-be-detected application to a to-be-detected function, wherein the call record comprises an access record of the to-be-detected application to user information; and detecting whether the application to be detected has malicious information access behaviors or not according to the calling record and a preset malicious behavior library of the function to be detected. According to the method and the device, detection of malicious information access behaviors or illegal calling user permission behaviors in the application program is realized, personal privacy of a user is protected, and more accurate detection and improvement can be conveniently carried out on the application program.
Description
Technical Field
The present application relates to the field of detection technologies, and in particular, to a method, an apparatus, a device, and a storage medium for detecting an application.
Background
In the prior art, when compliance checking is performed on an application program (app for short), most research and development only aim at application malicious behaviors such as stealing funds, or only aim at detecting whether sensitive permission behaviors are authorized on an application interface manually. With the development of information technology, a plurality of malicious applications illegally calling user permissions appear, so that information security problems such as easy leakage of user privacy information and the like occur, and therefore, how to accurately detect whether a malicious behavior exists in an app becomes a problem to be solved urgently.
Disclosure of Invention
The application provides an application program detection method, an application program detection device and a storage medium, so that malicious information access behaviors or illegal calling user permission behaviors in the application program are detected, the individual privacy of a user is protected, and the application program can be accurately checked and improved conveniently.
A first aspect of an embodiment of the present application provides an application detection method, including: receiving an operation instruction for the application to be detected, wherein the operation instruction carries a function to be detected; controlling the application to be detected to call the function to be detected; acquiring a call record of the to-be-detected application to a to-be-detected function, wherein the call record comprises an access record of the to-be-detected application to user information; and detecting whether the application to be detected has malicious information access behaviors or not according to the calling record and a preset malicious behavior library of the function to be detected.
In an embodiment, obtaining the call record of the application to be tested to the function to be tested includes obtaining call stack information of the application to be tested to the function to be tested, and taking the call stack information as the call record.
In an embodiment, detecting whether the application to be detected has a malicious information access behavior according to the call record and a preset malicious behavior library of the function to be detected includes: judging whether the access behavior of the application to be detected in the calling record to the user information is in a preset malicious behavior library or not; and when the access behavior of the application to be detected to the user information is in a preset malicious behavior library, determining that the malicious information access behavior exists in the calling behavior of the application to be detected to the function to be detected.
In an embodiment, the application program detection method further includes receiving authorization information of the user for the application to be checked;
in an embodiment, detecting whether the application to be detected has a malicious information access behavior according to the call record and a preset malicious behavior library of the function to be detected further includes: when the access behavior of the application to be detected to the user information is not in the preset malicious behavior library, judging whether the access behavior of the application to be detected to the user information is authorized or not according to the authorization information; when the access behavior of the application to be detected to the user information is not authorized, determining that malicious information access behavior exists in the calling behavior of the application to be detected to the function to be detected.
In an embodiment, after detecting whether the application to be detected has malicious information access behavior according to the call record and the preset malicious behavior library of the function to be detected, the method further includes generating detection result information of the application to be detected and outputting the detection result information.
A second aspect of the embodiments of the present application provides an application detection apparatus, including: the first receiving module is used for receiving an operation instruction of the application to be detected, wherein the operation instruction carries a function to be detected; the control module is used for controlling the application to be detected to call the function to be detected; the acquisition module is used for acquiring a call record of the to-be-detected application to the to-be-detected function, wherein the call record comprises an access record of the to-be-detected application to user information; and the detection module is used for detecting whether the application to be detected has malicious information access behaviors or not according to the call records and the preset malicious behavior library of the function to be detected.
In an embodiment, the obtaining module is configured to obtain call stack information of the to-be-detected application on the to-be-detected function, and use the call stack information as a call record.
In one embodiment, the detection module is configured to determine whether an access behavior of the application to be detected in the call record to the user information is in a preset malicious behavior library; and when the access behavior of the application to be detected to the user information is in a preset malicious behavior library, determining that the malicious information access behavior exists in the calling behavior of the application to be detected to the function to be detected.
In an embodiment, the apparatus for detecting an application program further includes a second receiving module, configured to receive authorization information of the application to be checked from a user.
In an embodiment, the detection module is further configured to, when the access behavior of the to-be-detected application to the user information is not in the preset malicious behavior library, determine whether the access behavior of the to-be-detected application to the user information is authorized according to the authorization information, and when the access behavior of the to-be-detected application to the user information is not authorized, determine that the malicious information access behavior exists in the call behavior of the to-be-detected application to the to-be-detected function.
In an embodiment, the application program detection apparatus further includes an output module, configured to generate detection result information of the application to be detected after detecting whether the application to be detected has a malicious information access behavior according to the call record and a preset malicious behavior library of the function to be detected, and output the detection result information.
A third aspect of embodiments of the present application provides an electronic device, comprising a memory for storing a computer program; a processor configured to execute the computer program to implement the method of the first aspect and any embodiment of the present application to detect the application.
A fourth aspect of the embodiments of the present application provides a non-transitory electronic device-readable storage medium, which includes a program, and when the program is executed by an electronic device, the program causes the electronic device to execute an application detection method that performs the first aspect of the embodiments of the present application and any embodiment thereof.
According to the application program detection method, the application program detection device, the application program detection equipment and the storage medium, when an operation instruction for the application to be detected is received, the application to be detected is controlled to call the function to be detected and obtain a call record of the application to be detected for the function to be detected, the call record comprises an access record of the application to be detected for user information, and whether malicious information access behaviors exist in the application to be detected or not is detected according to comparison of the call record and a preset malicious application library of the function to be detected. Compared with the prior art that whether the application accesses the personal information is authorized or not or whether the malicious behavior mode of application such as fund stealing is detected or not, the method and the device can detect the behaviors of protecting user information safety and preventing privacy disclosure, detect whether the malicious behavior exists in the application program more accurately and provide a basis for improvement of later-stage application program non-compliance problems.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required to be used in the embodiments of the present application will be briefly described below.
Fig. 1 is a schematic structural diagram of an electronic device according to an embodiment of the present application;
FIG. 2 is a flowchart illustrating an application detection method according to an embodiment of the present application;
FIG. 3 is a flowchart illustrating an application detection method according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of an application detection apparatus according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
Like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
As shown in fig. 1, a first aspect of the present embodiment provides an electronic device 1, including: at least one processor 11 and a memory 12, one processor being exemplified in fig. 1. The processor 11 and the memory 12 are connected by a bus 10, and the memory 12 stores instructions executable by the processor 11, and the instructions are executed by the processor 11, so that the electronic device 1 can execute all or part of the flow of the method in the embodiments described below to detect the application program.
In an embodiment, the electronic device 1 may be a mobile phone, a notebook computer, a desktop computer, or the like.
Please refer to fig. 2, which is a flowchart illustrating an application detection method according to an embodiment of the present application. A second aspect of the embodiments of the present application provides an application detection method, including:
s210: and receiving an operation instruction for the application to be detected, wherein the operation instruction carries the function to be detected.
In this step, the application to be checked is an application program that detects the authority of the access behavior, the authority of the call behavior, or the authority of other behaviors of the user information in the program, and further determines whether the program is compliant. In the detection process, the electronic device receives an operation instruction and requires to detect whether malicious behaviors exist in different behavior type authorities called in the running of an application program or judge whether the malicious behaviors are in compliance. For example, when it is required to detect that a certain repair map applies its own call phone authority, call microphone authority, or other own call authority, an operation instruction is sent to the electronic device, where the function to be tested carried in the operation instruction refers to the phone function, the microphone function, or other functions corresponding to the above different authorities, and the number of the functions to be tested may be one or multiple.
S220: and controlling the application to be detected to call the function to be detected.
In this step, the application to be tested is controlled to call the function to be tested, which means that when the electronic device receives the operation instruction, the application to be tested on the electronic device is controlled to start and the own function to be tested is called according to the function to be tested carried in the operation instruction. For example, when a user needs to detect whether a function of calling a camera in a certain payment app is a malicious behavior, a detection instruction carries an instruction for requesting to open the camera for photographing or shooting, and after the instruction is received, the application program is controlled to call the camera function, so that the camera is opened for photographing. The operation instruction is not limited to specifying one calling authority in the application program, and the operation instruction can also instruct the detected application program to call multiple or even all own authority behaviors, and take the corresponding executed related function as the function to be detected.
S230: and acquiring a call record of the to-be-detected application to the to-be-detected function, wherein the call record comprises an access record of the to-be-detected application to user information.
In the step, a call record of the to-be-detected application to the to-be-detected function is obtained, the call record at least comprises a called name of the to-be-detected function, and the name of the to-be-detected function in the call record represents an access record of the to-be-detected application to user information. For example, after a call function of a chat application is called, the electronic device obtains a call record generated after the call, where the call record at least includes a name of a function to be tested, such as a call function and a function for obtaining contact information, and also represents a record of call behavior in a call process or access behavior of user information such as obtaining contact information after the chat application is started.
In an embodiment, the obtaining of the call record of the to-be-detected application to the to-be-detected function further includes obtaining call stack information of the to-be-detected application to the to-be-detected function, and using the call stack information as the call record, that is, the call record may further include the call stack information, and the main function of the call stack information is to store a return address of the call. For example, when the chat application starts the call function, the call is performed from the start function to the start function, to the interface display contact information function, and finally to the call function, the call stack information is the call function-display function-start function. In the step, the function to be tested can be automatically judged and hooked as a call function through the Hook technology, next step judgment whether malicious information access behaviors exist in the application to be tested is prepared to be executed, meanwhile, call stack information is output as a call log and stored in a call record, so that after the detection is completed completely, a user can trace back all processes of the malicious information access behaviors existing in the application through the record, and a basis can be provided for subsequent users to improve and record the application program according to the malicious behaviors in the application.
S240: and detecting whether the application to be detected has malicious information access behaviors or not according to the calling record and a preset malicious behavior library of the function to be detected.
In this step, the preset malicious behavior library is formulated according to specific requirements in management specifications of related application programs for delivery from a management unit or department. For example, for a pattern-modifying type application, it is not reasonable to invoke a microphone behavior or a short message behavior, and in the case of a function that is not required for modifying a pattern, there is a security risk of a behavior of maliciously accessing personal information. Therefore, in the management specification of the relevant application program, the behavior of calling the microphone or the behavior of calling the short message is defined as the malicious information access behavior of the image modification application program, and the malicious information access behavior is written into a preset malicious behavior library in advance and packaged. With the continuous updating of the management specification of the relevant outbound application program, the content in the preset malicious behavior library is also updated correspondingly, and the corresponding data packet of the preset malicious behavior library is also updated continuously.
Detecting whether malicious information access behaviors exist in the application to be detected, namely judging whether the access behaviors of the application to be detected to user information in the calling record are in a preset malicious behavior library; in the step S230, referring to the content in the preset malicious behavior library, all possible malicious information access behaviors are automatically hooked through the Hook function, and it is determined whether the access behavior of the application to be detected on the user information is in the preset malicious behavior library. And when the access behavior of the application to be detected to the user information is in a preset malicious behavior library, determining that the malicious information access behavior exists in the calling behavior of the application to be detected to the function to be detected. For example, in the operation of a cropping application, a microphone function is hooked and a photo album function is called. Under the condition of non-image-modifying required functions, the hooked microphone function is just the malicious information access behavior of the image-modifying application program defined in the preset malicious behavior library, namely, the malicious information access behavior of the calling behavior of the to-be-detected application to the to-be-detected function is judged. When the access behavior of the application to be detected to the user information is not in the preset malicious behavior library, for example, the photo album calling function is applied relative to the image correction class, that is, it is determined that the malicious information access behavior does not exist in the call behavior of the application to be detected to the function to be detected.
In an embodiment, before the application detection is started, that is, before step S210, the method may further include: after the application program is researched and developed, the application program is uploaded to an application platform, when the application program needs to be detected according to whether malicious access behaviors exist, the application platform defines the application program as the application to be detected, different users download the application to be detected from the application platform to the electronic equipment, control the starting of the application to be detected through the electronic equipment, send an operation instruction to the application to be detected and start detection.
Please refer to fig. 3, which is a flowchart illustrating an application detection method according to an embodiment of the present application, where the method can be executed by the electronic device 1 shown in fig. 1, and the method includes the following steps:
s310: and receiving an operation instruction for the application to be detected, wherein the operation instruction carries the function to be detected.
S320: and controlling the application to be detected to call the function to be detected.
S330: and acquiring a call record of the to-be-detected application to the to-be-detected function, wherein the call record comprises an access record of the to-be-detected application to user information.
Steps S310 to S330 are similar to steps S210 to S230 in the above embodiments, and refer to the description in the above embodiments for details, which are not repeated herein.
S340: and receiving authorization information of the user to the application to be checked.
In this step, the electronic device automatically receives all authorization information of the user when using the to-be-checked application, wherein the authorization information is a request authorization permission sent by the to-be-checked application to the user before using the function in the to-be-checked application. For example, in a certain image correction application, a user wants to modify a photo in an album by using a image correction function, an application program sends a request authorization permission of ' whether the application is allowed to call related information of the album ' to the user, the user confirms that clicking is yes, i allows calling ' as approval authorization, otherwise, the application program does not agree with authorization, when the application to be detected is detected, authorization information corresponding to all functions in the application to be detected is collected, the electronic device receives the authorization information and stores the authorization information, and a judgment basis is provided for subsequently determining whether malicious information access behaviors exist in calling of the function to be detected by the application to be detected.
S350: and judging whether the access behavior of the application to be detected in the call record to the user is in a preset malicious behavior library.
If the access behavior of the application to be detected in the call record to the user is judged to be in the preset malicious behavior library, the step S360 is directly carried out; and if the access behavior of the application to be detected in the call record to the user is not in the preset malicious behavior library, the step S351 is performed to perform the next judgment.
S360: determining that the calling behavior of the to-be-detected application to the function to be detected has a malicious information access behavior, where steps S350 and S360 are similar to step S240, and therefore, for the explanation and other contents of the preset malicious behavior library, reference is specifically made to the relevant explanation in step S240, and details are not described here again.
S351: and judging whether the access behavior of the application to be detected to the user information is authorized according to the authorization information, if so, entering step S361, and if not, entering step S360.
S361: and determining that the calling behavior of the to-be-detected application to the to-be-detected function does not have malicious information access behavior.
Referring to step S240 in the above embodiment, according to the call record and the preset malicious behavior library of the function to be detected, it is detected whether the application to be detected has a malicious information access behavior, in this embodiment, after determining whether the access behavior of the application to be detected in the call record to the user is in the preset malicious behavior library, the method further includes step S351: and judging whether the access behavior of the application to be detected to the user information is authorized or not according to the authorization information.
When the access behavior of the application to be detected to the user is in a preset malicious behavior library, determining that the calling behavior of the application to be detected to the function to be detected has malicious information access behavior; when the access behavior of the application to be detected to the user information is not in the preset malicious behavior library, whether the access behavior of the application to be detected to the user information is authorized or not needs to be judged according to the authorization information: when the access behavior of the application to be detected to the user information is not authorized, the malicious information access behavior of the application to be detected to the calling behavior of the function to be detected is also determined; and when the access behavior of the application to be detected to the user information is authorized, determining that no malicious information access behavior exists in the calling behavior of the application to be detected to the function to be detected.
The significance of this step is that when the access behavior of the application to be detected to the user is not in the preset malicious behavior library, the application program still needs to be mainly authorized by the user, that is, the access behavior to the user information is designed on the premise of obtaining the consent of the user, otherwise, the access behavior is still defined as the malicious information access behavior.
S370: and generating detection result information of the application to be detected and outputting the detection result information.
After step S360 and step S361, according to the detection result, the electronic device may automatically generate the detection result information of the to-be-detected application, and output the detection result information: if the fact that the application to be detected has malicious information access behaviors to the calling behaviors of the function to be detected is determined, the application program is not in compliance; and if the fact that the calling behavior of the to-be-detected application to the to-be-detected function does not have malicious information access behavior is determined, the application program is in compliance.
In an embodiment, after step S370, the electronic device may package and upload the detection result and the call record to the application platform, and bind with the application program, when the other electronic device downloads the application program, the user may also know whether the application program is compliant through the other electronic device, or the user may also download the application program and improve or refer to the non-compliant application program according to the call record.
Referring to fig. 4, a third aspect of the embodiments of the present application provides an application program detecting apparatus, including: the first receiving module is used for receiving an operation instruction of the application to be detected, wherein the operation instruction carries a function to be detected; the control module is used for controlling the application to be detected to call the function to be detected; the acquisition module is used for acquiring a call record of the to-be-detected application to the to-be-detected function, wherein the call record comprises an access record of the to-be-detected application to user information; and the detection module is used for detecting whether the application to be detected has malicious information access behaviors or not according to the call records and the preset malicious behavior library of the function to be detected.
In an embodiment, the obtaining module is configured to obtain call stack information of a function to be tested of the application to be tested, and use the call stack information as a call record, where a main function of the call stack information is to store a return address of a call.
In one embodiment, the detection module is configured to determine whether an access behavior of the application to be detected in the call record to the user information is in a preset malicious behavior library; and when the access behavior of the application to be detected to the user information is in a preset malicious behavior library, determining that the malicious information access behavior exists in the calling behavior of the application to be detected to the function to be detected. The detection module is used for detecting whether the self preset malicious behavior library is the latest version or not before detecting the application to be detected each time, and if not, the detection module sends an updated message to the platform, downloads the preset malicious behavior library data packet of the latest version and replaces the original version so as to judge whether the calling behavior of the application to be detected on the function to be detected has malicious information access behavior or not according to the specific requirements in the management specifications of the latest relevant application program issued by departments of Ministry of industry and telecommunication, Internet letter and the like.
In an embodiment, the application detection apparatus further includes a second receiving module, where the second receiving module is configured to receive authorization information of the application to be checked from a user.
In one embodiment, the detection module is further configured to: and when the access behavior of the application to be detected to the user information is not in the preset malicious behavior library, judging whether the access behavior of the application to be detected to the user information is authorized according to the authorization information. When the access behavior of the application to be detected to the user information is not authorized, determining that malicious information access behavior exists in the calling behavior of the application to be detected to the function to be detected.
In an embodiment, the application program detection apparatus further includes an output module, configured to generate detection result information of the application to be detected after detecting whether the application to be detected has a malicious information access behavior according to the call record and a preset malicious behavior library of the function to be detected, and output the detection result information. If the fact that the calling behavior of the to-be-detected function has malicious information access behavior is determined, detecting result information that the application program is not in compliance is generated; and if the fact that the calling behavior of the to-be-detected application to the to-be-detected function does not have malicious information access behavior is determined, generating detection result information of the compliance of the application program.
The implementation process of the functions and actions of each module in the device is specifically detailed in the implementation process of the corresponding step in the application detection method, and is not described herein again.
In the embodiments provided in the present application, the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative and, for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
A fourth aspect of the embodiments of the present application provides a non-transitory electronic device-readable storage medium, which includes a program, and when the program is executed by an electronic device, the program causes the electronic device to execute all or part of the processes of the application detection method in the first aspect and any embodiment of the first aspect. The storage medium may be a magnetic disk, an optical disk, a Read-only memory (ROM), a Random Access Memory (RAM), a flash memory (FlashMemory), a hard disk (hard disk drive, abbreviated as HDD), a Solid State Drive (SSD), or the like. The storage medium may also comprise a combination of memories of the kind described above.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-only memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The application program detection method, the device, the equipment and the storage medium control the application to be detected to call the function to be detected and obtain the call record of the application to be detected to the function to be detected when an operation instruction of the application to be detected is received, the call record comprises the access record of the application to be detected to user information, and according to the comparison between the call record and a preset malicious application library of the function to be detected, whether malicious information access behaviors exist in the application to be detected or not is detected, so that the user information safety can be effectively protected, privacy disclosure behaviors are prevented, whether malicious behaviors exist in the application program or not is detected more accurately, and a basis is provided for improvement of the later-stage application program non-compliance problem.
Although the embodiments of the present invention have been described in conjunction with the accompanying drawings, those skilled in the art may make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope defined by the appended claims.
Claims (10)
1. An application detection method, comprising:
receiving an operation instruction for an application to be detected, wherein the operation instruction carries a function to be detected;
controlling the application to be tested to call the function to be tested;
acquiring a call record of the to-be-detected application to the to-be-detected function, wherein the call record comprises an access record of the to-be-detected application to user information;
and detecting whether the application to be detected has malicious information access behaviors or not according to the call records and the preset malicious behavior library of the function to be detected.
2. The method according to claim 1, wherein the obtaining of the call record of the function to be tested by the application to be tested comprises:
and acquiring call stack information of the to-be-detected function by the to-be-detected application, and taking the call stack information as the call record.
3. The method according to claim 1, wherein the detecting whether the application to be detected has malicious information access behaviors according to the call record and the preset malicious behavior library of the function to be detected comprises:
judging whether the access behavior of the application to be detected to the user information in the calling record is in the preset malicious behavior library or not;
and when the access behavior of the to-be-detected application to the user information is in the preset malicious behavior library, determining that the malicious information access behavior exists in the calling behavior of the to-be-detected application to the to-be-detected function.
4. The method of claim 3, further comprising:
receiving authorization information of the user for the application to be detected;
and the step of detecting whether the application to be detected has malicious information access behaviors or not according to the call records and the preset malicious behavior library of the function to be detected further comprises the following steps: when the access behavior of the application to be detected to the user information is not in the preset malicious behavior library, judging whether the access behavior of the application to be detected to the user information is authorized according to the authorization information;
and when the access behavior of the application to be detected to the user information is not authorized, determining that the malicious information access behavior exists in the calling behavior of the application to be detected to the function to be detected.
5. The method according to claim 1, wherein after detecting whether the application to be detected has malicious information access behavior according to the call record and the preset malicious behavior library of the function to be detected, the method further comprises:
and generating the detection result information of the application to be detected and outputting the detection result information.
6. An application detection apparatus, comprising:
the first receiving module is used for receiving an operation instruction for the application to be detected, wherein the operation instruction carries a function to be detected;
the control module is used for controlling the application to be tested to call the function to be tested;
the acquisition module is used for acquiring a call record of the to-be-detected application to the to-be-detected function, wherein the call record comprises an access record of the to-be-detected application to user information;
and the detection module is used for detecting whether the application to be detected has malicious information access behaviors or not according to the call records and the preset malicious behavior library of the function to be detected.
7. The apparatus of claim 6, wherein the detection module is configured to:
judging whether the access behavior of the application to be detected to the user information in the calling record is in the preset malicious behavior library or not;
and when the access behavior of the to-be-detected application to the user information is in the preset malicious behavior library, determining that the malicious information access behavior exists in the calling behavior of the to-be-detected application to the to-be-detected function.
8. The apparatus of claim 7, further comprising:
the second receiving module is used for receiving the authorization information of the user to the application to be detected;
and the detection module is further configured to: when the access behavior of the application to be detected to the user information is not in the preset malicious behavior library, judging whether the access behavior of the application to be detected to the user information is authorized according to the authorization information;
and when the access behavior of the application to be detected to the user information is not authorized, determining that the malicious information access behavior exists in the calling behavior of the application to be detected to the function to be detected.
9. An electronic device, characterized in that the electronic device comprises:
a memory to store a computer program;
a processor to execute the computer program to implement the method of any one of claims 1 to 5.
10. A non-transitory electronic device readable storage medium, comprising: program which, when run by an electronic device, causes the electronic device to perform the method of any one of claims 1 to 5.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111013803.7A CN113672902A (en) | 2021-08-31 | 2021-08-31 | Application program detection method, device, equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111013803.7A CN113672902A (en) | 2021-08-31 | 2021-08-31 | Application program detection method, device, equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN113672902A true CN113672902A (en) | 2021-11-19 |
Family
ID=78547678
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111013803.7A Pending CN113672902A (en) | 2021-08-31 | 2021-08-31 | Application program detection method, device, equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113672902A (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103186740A (en) * | 2011-12-27 | 2013-07-03 | 北京大学 | Automatic detection method for Android malicious software |
| CN104182688A (en) * | 2014-08-26 | 2014-12-03 | 北京软安科技有限公司 | Android malicious code detection device and method based on dynamic activation and behavior monitoring |
| CN105488398A (en) * | 2015-12-04 | 2016-04-13 | 北京航空航天大学 | Web application program behavior extraction method and malicious behavior detection method |
| CN106845234A (en) * | 2017-01-05 | 2017-06-13 | 中国电子科技网络信息安全有限公司 | A kind of Android malware detection method based on the monitoring of function flow key point |
| CN107506646A (en) * | 2017-09-28 | 2017-12-22 | 努比亚技术有限公司 | Detection method, device and the computer-readable recording medium of malicious application |
-
2021
- 2021-08-31 CN CN202111013803.7A patent/CN113672902A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103186740A (en) * | 2011-12-27 | 2013-07-03 | 北京大学 | Automatic detection method for Android malicious software |
| CN104182688A (en) * | 2014-08-26 | 2014-12-03 | 北京软安科技有限公司 | Android malicious code detection device and method based on dynamic activation and behavior monitoring |
| CN105488398A (en) * | 2015-12-04 | 2016-04-13 | 北京航空航天大学 | Web application program behavior extraction method and malicious behavior detection method |
| CN106845234A (en) * | 2017-01-05 | 2017-06-13 | 中国电子科技网络信息安全有限公司 | A kind of Android malware detection method based on the monitoring of function flow key point |
| CN107506646A (en) * | 2017-09-28 | 2017-12-22 | 努比亚技术有限公司 | Detection method, device and the computer-readable recording medium of malicious application |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US8112814B2 (en) | Information processing apparatus, access control method, access control program product, recording medium, and image forming apparatus | |
| KR101948721B1 (en) | Method and apparatus for examining forgery of file by using file hash value | |
| CN110490773B (en) | Block chain-based screen recording evidence obtaining method and device and electronic equipment | |
| CN109376078B (en) | Mobile application testing method, terminal equipment and medium | |
| CN108763951B (en) | Data protection method and device | |
| US20130160126A1 (en) | Malware remediation system and method for modern applications | |
| KR20110124342A (en) | Method and apparatus to vet an executable program using a model | |
| US11099889B2 (en) | Method-call-chain tracking method, electronic device, and computer readable storage medium | |
| WO2015109668A1 (en) | Application program management method, device, terminal, and computer storage medium | |
| CN113489713A (en) | Network attack detection method, device, equipment and storage medium | |
| CN110727941B (en) | Privacy data protection method and device, terminal equipment and storage medium | |
| CN104036194A (en) | Vulnerability detection method and device for revealing private data in application program | |
| CN115277143A (en) | Data secure transmission method, device, equipment and storage medium | |
| CN113051613A (en) | Privacy policy detection method and device, electronic equipment and readable storage medium | |
| CN108600259B (en) | Authentication and binding method of equipment, computer storage medium and server | |
| US20160295396A1 (en) | User onboarding for newly enrolled devices | |
| TW201421233A (en) | System and method of testing motherboard | |
| CN111783119A (en) | Form data security control method and device, electronic equipment and storage medium | |
| CN113672902A (en) | Application program detection method, device, equipment and storage medium | |
| CN111241547A (en) | Detection method, device and system for unauthorized vulnerability | |
| CN109783156B (en) | Application starting control method and device | |
| CN111026986A (en) | Webpage watermark rendering method and device | |
| CN111625784B (en) | Anti-debugging method of application, related device and storage medium | |
| US9280666B2 (en) | Method and electronic device for protecting data | |
| CN109918122B (en) | White list maintenance method and device and terminal equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |