CN114547604A - Application detection method and device, storage medium and electronic equipment - Google Patents

Application detection method and device, storage medium and electronic equipment

Info

Publication number
CN114547604A
Authority
CN
China
Prior art keywords
file
taint
target application
class
package
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111574727.7A
Other languages
Chinese (zh)
Inventor
潘雨晨
郭宇
张玉驰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangdong Oppo Mobile Telecommunications Corp Ltd
Original Assignee
Hangzhou Douku Software Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Douku Software Technology Co Ltd
Priority to CN202111574727.7A
Publication of CN114547604A
Legal status: Pending


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/40 Transformation of program code
    • G06F8/53 Decompilation; Disassembly
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/60 Software deployment
    • G06F8/65 Updates
    • G06F8/658 Incremental updates; Differential updates
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/70 Software maintenance or management
    • G06F8/71 Version control; Configuration management

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Stored Programmes (AREA)

Abstract

Embodiments of the present application disclose an application detection method, device, storage medium and electronic device. The method includes: acquiring a target application package and an application benchmark package for an application; decompiling and comparing the target application package and the application benchmark package to obtain a difference class set for the target application package; and performing static taint detection on the target application package based on the difference class set to obtain a taint path set for the target application package. Adopting the embodiments of the present application can improve application detection efficiency.

Description

Application detection method, device, storage medium and electronic device

Technical field

The present application relates to the field of computer technology, and in particular to an application detection method, device, storage medium and electronic device.

Background

With the rapid development of network technology, users face more and more security threats when using applications, and the leakage of applications' private data is receiving increasing attention. An application's installation package should at least meet security compliance requirements during the development stage; for this reason, the installation package is usually subjected to application detection in order to reduce security risks.

Summary of the invention

Embodiments of the present application provide an application detection method, device, storage medium and electronic device. The technical solutions are as follows:

In a first aspect, an embodiment of the present application provides an application detection method, the method comprising:

acquiring a target application package and an application benchmark package for an application;

decompiling and comparing the target application package and the application benchmark package to obtain a difference class set for the target application package;

performing static taint detection on the target application package based on the difference class set to obtain a taint path set for the target application package.

In a second aspect, an embodiment of the present application provides an application detection device, the device comprising:

an acquisition module, configured to acquire a target application package and an application benchmark package of an application;

a processing module, configured to decompile and compare the target application package and the application benchmark package to obtain a difference class set for the target application package;

a detection module, configured to perform static taint detection on the target application package based on the difference class set to obtain a taint path set for the target application package.

In a third aspect, an embodiment of the present application provides a computer storage medium storing a plurality of instructions, the instructions being adapted to be loaded by a processor to execute the above method steps.

In a fourth aspect, an embodiment of the present application provides an electronic device, which may include a processor and a memory, wherein the memory stores a computer program adapted to be loaded by the processor to execute the above method steps.

The beneficial effects of the technical solutions provided by some embodiments of the present application include at least the following:

In one or more embodiments of the present application, the electronic device acquires a target application package and an application benchmark package for an application, then decompiles and compares the two to obtain a difference class set for the target application package, and performs static taint detection on the target application package based on that set to obtain a taint path set for the target application package. Because the difference class set is determined against the application benchmark package, a full detection and analysis of the target application package can be avoided: the electronic device only needs to perform static taint detection on the difference code that the difference class set indicates in the target application package. This reduces the amount of detection processing, avoids redundant repetition, and can greatly improve the efficiency of application detection.

Description of the drawings

To describe the technical solutions in the embodiments of the present application or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application; those of ordinary skill in the art can obtain other drawings from them without creative effort.

FIG. 1 is a schematic flowchart of an application detection method provided by an embodiment of the present application;

FIG. 2 is a schematic flowchart of an application detection method provided by an embodiment of the present application;

FIG. 3 is a schematic diagram of a file matching scenario involved in the application detection method provided by an embodiment of the present application;

FIG. 4 is a schematic diagram of a file matching scenario involved in the application detection method provided by an embodiment of the present application;

FIG. 5 is a schematic flowchart of an application detection method provided by an embodiment of the present application;

FIG. 6 is a schematic diagram of a scenario for determining a detection entry function set, involved in the application detection method provided by an embodiment of the present application;

FIG. 7 is a schematic architecture diagram of an application detection system provided by an embodiment of the present application;

FIG. 8 is a schematic structural diagram of an application detection device provided by an embodiment of the present application;

FIG. 9 is a schematic structural diagram of a processing module provided by an embodiment of the present application;

FIG. 10 is a schematic structural diagram of an electronic device provided by an embodiment of the present application;

FIG. 11 is a schematic structural diagram of an operating system and user space provided by an embodiment of the present application;

FIG. 12 is an architecture diagram of the Android operating system in FIG. 11;

FIG. 13 is an architecture diagram of the IOS operating system in FIG. 11.

Detailed description

The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments in the present application without creative effort fall within the protection scope of the present application.

In the description of the present application, it should be understood that the terms "first", "second" and the like are used for descriptive purposes only and should not be construed as indicating or implying relative importance. It should also be noted that, unless otherwise expressly specified and limited, "including" and "having" and any variations of them are intended to cover non-exclusive inclusion. For example, a process, method, system, product or device comprising a series of steps or units is not limited to the listed steps or units, but optionally also includes steps or units that are not listed, or optionally also includes other steps or units inherent to the process, method, product or device. Those of ordinary skill in the art can understand the specific meanings of the above terms in the present application according to the specific situation. In addition, in the description of the present application, unless otherwise specified, "a plurality" means two or more. "And/or" describes an association between associated objects and indicates that three relationships are possible; for example, "A and/or B" can mean that A exists alone, that A and B both exist, or that B exists alone. The character "/" generally indicates an "or" relationship between the objects before and after it.

The present application is described in detail below with reference to specific embodiments.

In one embodiment, as shown in FIG. 1, an application detection method is proposed. The method can be implemented by a computer program and can run on an application detection device based on the von Neumann architecture. The computer program can be integrated into an application or run as a stand-alone utility application. The application detection device may be an electronic device, including but not limited to a personal computer, a tablet computer, a handheld device, a vehicle-mounted device, a server, a computing device, or another processing device connected to a wireless modem. Terminal devices may go by different names in different networks, for example: user equipment, access terminal, subscriber unit, subscriber station, mobile station, remote station, remote terminal, mobile device, user terminal, terminal, wireless communication device, user agent or user apparatus, cellular phone, cordless phone, or a device in a 5G network or a future evolved network.

Specifically, the application detection method includes:

S101: Acquire a target application package and an application benchmark package for an application.

The application may be an application that ships with the operating system a terminal runs, or it may be a third-party application. A third-party application is one developed by a third party and not bundled with the terminal's operating system, including applications, mini programs, plug-ins and the like developed by third parties. In some embodiments, an application can be installed or updated from the application installation package (apk) corresponding to the application. In the present application, the target application package and the application benchmark package can be understood as application installation packages for different versions of the same application.

The target application package and the application benchmark package correspond to different application installation package (apk) versions; usually the apk version of the target application package is higher than that of the application benchmark package.

In one or more embodiments, the target application package may be the application installation package of the version currently to be updated, and the application benchmark package can be understood as a historical application installation package previously released for the application. The application benchmark package can be chosen according to the actual application scenario; the apk version of the target application package may be greater than or earlier than the apk version of the application benchmark package.

Understandably, in scenarios such as application update and application installation, applications face more and more security threats and the leakage of private data involved in applications receives increasing attention, so the development of the target application package should at least meet security compliance requirements. In practice, the application installation package is usually subjected to application detection, which often involves static taint propagation detection. Static taint propagation detection (static taint detection for short) means detecting, without running and without modifying the code of the application installation package, whether data can propagate from a taint source to a taint sink by analyzing the data dependencies between program variables. After static taint detection, the taint path result for the application's target application package is obtained.

In some embodiments, after the application developer finishes developing the target application package for a version of the application, the developer can upload the target application package to the electronic device (for example, a service platform), at which point the electronic device has acquired the application's target application package. In addition, the electronic device may store historical application installation packages for historical versions of the application, from which it can obtain an application benchmark package belonging to the same application as the target application package.

S102: Decompile and compare the target application package and the application benchmark package to obtain a difference class set for the target application package.

Understandably, decompilation and comparison means decompiling the application installation packages (the target application package and the application benchmark package) to obtain their decompiled files, and then comparing the decompiled files of the target application package with those of the application benchmark package to determine the difference class set of the target application package relative to the application benchmark package.

Understandably, the difference class set contains at least one class (which can also be understood as a method class or function class) that represents a difference between the decompiled files of the target application package and the decompiled files of the application benchmark package. In some embodiments, the difference class set may be a deleted class set, that is, the classes the target application package has removed relative to the decompiled files of the application benchmark package; the difference class set may also be an incremental class set, that is, the classes the target application package has added relative to the decompiled files of the application benchmark package.

In some implementations, the decompiled files obtained by decompiling an application installation package (such as the target application package or the application benchmark package) can be understood as the files obtained by reverse compiling the data of the detection object (that is, the application installation package) through reverse engineering. In some embodiments, reverse compiling the detection object means obtaining the corresponding uncompiled files from the compiled files of the detection object. Taking a common application as the detection object, the application installation package to be detected is reverse compiled through reverse engineering to obtain decompiled files. The decompiled files may at least be smali code files; in some embodiments they may also include the xml resource files, the AndroidManifest.xml layout file, and so on.

Understandably, when reverse compiling the target application package (the object to be detected) that the electronic device has acquired, the package can first be unpacked and then reverse compiled (decompiled). Take an Android application package as an example: the application installation package is usually a file in the ".APK" file format, which can be understood as a ZIP-format compressed file. The electronic device may first unpack the application installation package; unpacking yields classes.dex (the compiled code file), resources.arsc (the compiled resource file) and AndroidManifest.xml (the compiled layout file) from the package. A reverse compilation tool is then typically used to decompile these compiled files (the compiled code, resource and layout files) into the "uncompiled files" that existed before compilation, that is, the smali code files, the xml resource files, the AndroidManifest.xml layout file, and so on. In one or more embodiments, the decompiled files may at least be a smali file tree, which is the set of files under the smali directory generated by decompiling the apk. These smali files are named with "package name + class name" and end with ".smali".

Optionally, the decompiled files of both packages are obtained (the decompiled files of the target application package and those of the application benchmark package), and the two are compared to determine the difference class set of the target application package relative to the application benchmark package.

Optionally, the electronic device may decompile only the target application package through reverse engineering to obtain its decompiled files, while the decompiled files of the application benchmark package need not be produced again and can be fetched directly. Usually, before an application benchmark package is released, the electronic device has already performed application detection on it. That detection process generates the decompiled files of the application benchmark package, such as its smali file tree, and the electronic device can save them. In a specific implementation, when the step of decompiling and comparing the target application package and the application benchmark package is executed, the decompiled files of the application benchmark package can be fetched directly without reverse compiling the application benchmark package again.

S103: Perform static taint detection on the target application package based on the difference class set to obtain a taint path set for the target application package.

Understandably, the electronic device obtains the difference class set for the target application package by decompiling and comparing the target application package and the application benchmark package, and the difference class set reflects, to a certain extent, the code differences between the two packages. To improve detection efficiency, the present application does not run application detection over all of the code of the target application package when performing static taint detection on it. Instead, it determines the difference class set of the target application package relative to the application benchmark package. Because the electronic device has already completed static taint detection on the application benchmark package in advance and obtained its taint path set, static taint detection of the target application package can be based on the difference class set alone. In some embodiments this means static taint detection only needs to cover the difference code that the difference class set indicates in the target application package, which can greatly improve the efficiency of application detection for the target application package. This also improves on related scenarios in which application detection can only run a full scan and analysis of the apk with a taint analysis tool: it achieves targeted static taint detection of the incremental code in the new version's target application package, avoids redundant repeated taint detection, allows the target application package to be released quickly, and saves detection resources.

Understandably, the electronic device determines from the difference class set whether the target application package contains incremental code relative to the application benchmark package. If it does, the electronic device can invoke a taint detection tool for static taint detection on the incremental code that the difference class set indicates in the target application package. By analyzing the data dependencies between the program variables in the incremental code, the tool detects whether data can propagate from a taint source to a taint sink, which yields the first taint path set produced by this run of the taint detection tool. The electronic device can then obtain the second taint path set corresponding to the application benchmark package and perform data fitting on the first and second taint path sets according to the difference class set to obtain the taint path set for the target application package.

Understandably, if there is no incremental code, the difference class set is usually a deleted class set. In that case the electronic device does not need to invoke the taint detection tool on the target application package; it determines the taint path set from the second taint path set of the application benchmark package together with the deleted class set. Specifically, it ignores the target taint paths that the deleted class set indicates in the second taint path set, and takes the second taint path set with those target taint paths removed as the taint path set for the target application package.

In the embodiment of the present application, the electronic device obtains a target application package and an application baseline package for an application, and then decompiles and compares the target application package and the application baseline package to obtain a difference class set for the target application package. Static taint detection can then be performed on the target application package based on the difference class set, to obtain a taint path set for the target application package. The difference class set determined from the application baseline package avoids a full detection and analysis of the target application package: the electronic device only needs to perform static taint detection on the differing code that the difference class set indicates in the target application package, which reduces the detection workload, avoids redundant repetition, and can greatly improve the efficiency of application detection.

Please refer to FIG. 2, which is a schematic flowchart of another embodiment of the application detection method proposed in the present application. Specifically:

S201: Obtain a target application package and an application baseline package for the application.

For details, see S101; they are not repeated here.

S202: Determine a first decompiled file corresponding to the application baseline package, and determine a second decompiled file corresponding to the target application package;

The first decompiled file can be understood as the decompiled file obtained when the electronic device reverse-compiles the application's to-be-detected application baseline package through reverse engineering. The first decompiled file may at least be the smali code files corresponding to the application baseline package. In some embodiments, the first decompiled file may be a smali file tree, which refers to the set of smali files under the smali directory generated by decompiling the application baseline package apk. These smali files are named "package name + class name" and end with ".smali".

The second decompiled file can be understood as the decompiled file obtained when the electronic device reverse-compiles the application's to-be-detected target application package through reverse engineering. The second decompiled file may at least be the smali code files corresponding to the application baseline package. In some embodiments, the second decompiled file may be a smali file tree, which can be understood as the set of smali files under the smali directory generated by decompiling the target application package apk. These smali files are named "package name + class name" and end with ".smali".

Optionally, the first decompiled file and the second decompiled file may be obtained with an apk compilation tool used in reverse engineering, for example apktool.

It can be understood that, in terms of time, the installation package version of the application baseline package precedes the installation package version of the target application package.

It can be understood that, after determining the first decompiled file and the second decompiled file, the electronic device compares the first decompiled file with the second decompiled file to obtain the difference class set for the target application package. For details, see the other method steps of the embodiments of the present application.

S203: Taking at least one baseline file contained in the first decompiled file as reference, determine in the second decompiled file a first file that does not match any of the baseline files, and determine an incremental class set for the target application package based on the first file.

In one or more embodiments, the first decompiled file may be the smali file tree corresponding to the baseline application package. The smali file tree can be understood as the set of smali files under the smali directory generated by decompiling the baseline application package apk, and a baseline file can be understood as a smali file in the first decompiled file (for example, the decompiled file tree). Further, taking Android as the operating system, Smali can be understood as the disassembly language of the Android virtual machine, and a smali file tree is a tree-shaped directory structure made up of smali files, usually regarded as a set of smali files.

In a specific implementation scenario, the electronic device takes at least one baseline file contained in the first decompiled file as reference and traverses the files of the second decompiled file, so as to determine in the second decompiled file a first file that does not match any of the baseline files, and determines the incremental class set for the target application package based on the class corresponding to the first file. It can be understood that if the number of first files is n (n is a natural number), the number of first-file classes in the incremental class set is n. The first file can be understood as an incremental file relative to the first decompiled file, for example an incremental smali file.

In short, the smali file tree corresponding to the target application file to be analyzed is traversed. For each smali file in that tree, if the class corresponding to this first smali file does not exist in the baseline apk, the class of the first smali file is a newly added class, so the file name of the first smali file is added to the incremental set.

In a feasible implementation, an incremental class set IncrementalList is set up. The explanation below takes the first decompiled file to be smali file tree T1 and the second decompiled file to be smali file tree T2:

The second decompiled file, smali file tree T2, contains N (N is a positive integer) target files. The electronic device takes the at least one baseline file contained in the first decompiled file, i.e. "smali file tree T1", as reference, as follows:

1. Obtain "target file 1", traverse the files of the first decompiled file, i.e. "smali file tree T1", and match the current "target file 1" against each "baseline file" in "smali file tree T1" to detect whether "target file 1" fails to match every one of the baseline files. If it matches none of them, determine "target file 1" to be a first file, and add the class corresponding to "target file 1", as the first file, to the incremental class set IncrementalList;

2. Obtain "target file 2", traverse the files of the first decompiled file, i.e. "smali file tree T1", and match the current "target file 2" against each "baseline file" in "smali file tree T1" to detect whether "target file 2" fails to match every one of the baseline files. If it matches none of them, determine "target file 2" to be a first file, and add the class corresponding to "target file 2", as the first file, to the incremental class set IncrementalList;

........

i. As shown in FIG. 3, which is a schematic diagram of a file matching scenario involved in the present application, the electronic device may obtain "target file i" (i is an integer greater than 0), traverse the files of the first decompiled file, i.e. "smali file tree T1", and match the current "target file i" against each "baseline file" in "smali file tree T1" to detect whether "target file i" fails to match every one of the baseline files. If it matches none of them, determine "target file i" to be a first file, and add the class corresponding to "target file i", as the first file, to the incremental class set IncrementalList;

And so on, until matching has been completed for i equal to N, which yields the incremental class set IncrementalList.

It can be understood that the first smali file is named "package name + class name" and ends with ".smali". The file name of the first smali file is therefore obtained, the suffix ".smali" is removed from it, and the file name without ".smali" (that is, the incremental class) is added to the incremental class set, which completes "adding the class corresponding to the first file to the incremental class set". Further, at least one incremental class in the incremental class set (for example, a newly added function class) may be a function class that is newly added relative to "the baseline files contained in the first decompiled file" (that is, the incremental function class does not exist in the first decompiled file). In some embodiments, at least one incremental class in the incremental class set (for example, an incremental function class) may be a function class that is modified relative to "the baseline files contained in the first decompiled file" (that is, the incremental function class is a modified function class generated by modifying a certain baseline file in the first decompiled file).

Optionally, the above process of "determining in the second decompiled file a first file that does not match any of the baseline files" may be carried out by detecting whether a baseline file is consistent with "the at least one target file contained in the second decompiled file", that is, by comparing the data of the baseline file and the target file. If a certain baseline file is inconsistent with all of the target files, that "certain baseline file" is usually a newly added smali file and is taken as the first file; the class corresponding to the first file then usually belongs to the newly added function classes.

Optionally, the above process of "determining in the second decompiled file a first file that does not match any of the baseline files" may be carried out by comparing file names, that is, "determining in the second decompiled file a first file name that does not match the baseline file name of any of the baseline files, and determining the incremental class set for the target application package based on the first file name". It can be understood that if the name of a certain target file in the second decompiled file matches none of the baseline file names, that "certain target file" is taken as the first file, and the first file name is the name of that "certain target file".

In one or more embodiments, each time a first file is determined, the first file may be given an ignore mark within the second decompiled file to which it belongs. The ignore mark indicates that the marked first file is to be skipped in the next round of file matching (the step of "matching the current "target file i" against each "baseline file" in "smali file tree T1""), so that this first file does not have to be matched again. This avoids re-judging an already determined first file in every round, which saves matching computation and improves application detection efficiency.

In some implementations, each time a first file is determined, the first file may be deleted from the second decompiled file, so that in the next round of the step "matching the current "baseline file i" against each "target file" in "smali file tree T2"" this first file does not have to be matched. This avoids re-judging an already determined first file in every round, which saves matching computation and improves application detection efficiency.

In a feasible implementation, the electronic device may further take the baseline file name of at least one baseline file contained in the first decompiled file as reference and determine in the second decompiled file a fourth file name that matches at least one of the baseline file names. In this case the fourth file name matches the baseline file name; the fourth file may be identical to the baseline file, or it may be a file obtained by modifying or adjusting the code of the baseline file. On this basis, whether the file data of the fourth file and the baseline file are consistent can be compared further: a digest can be computed for the fourth file and for the baseline file respectively, giving the digest value of each, and "whether the file data of the fourth file and the baseline file are consistent" is determined by comparing whether the two digest values are consistent;

It can be understood that a digest algorithm can be used to compute the digest value of a file (such as the fourth file or the baseline file). The digest algorithm includes but is not limited to MD (message digest) algorithms, SHA (secure hash) algorithms, MAC (message authentication code) algorithms and so on. It can be chosen according to the actual application and is not specifically limited here.

For example, the digest values of the fourth file and the baseline file can be computed with the MD5 algorithm, one of the MD (message digest) algorithms. When the two digest values are consistent, the fourth file and the baseline file are the same. When the two digest values differ, the fourth file was obtained by modifying or adjusting the code of the baseline file; in this case the electronic device determines a modified class for the target application package based on the fourth file name and adds the modified class to the incremental class set. For details, see the way the incremental class corresponding to the first file is determined; the two are similar.

S204: Taking at least one target file contained in the second decompiled file as reference, determine in the first decompiled file a second file that does not match any of the target files and a third file that matches at least one of the target files, and determine a deleted class set and an incremental class set for the target application package based on the second file and the third file.

In one or more embodiments, the second decompiled file may be the smali file tree corresponding to the baseline application package. The smali file tree can be understood as the set of smali files under the smali directory generated by decompiling the baseline application package apk, and a target file can be understood as a smali file in the second decompiled file (for example, the decompiled file tree). Further, taking Android as the operating system, Smali can be understood as the disassembly language of the Android virtual machine, and a smali file tree is a tree-shaped directory structure made up of smali files, usually regarded as a set of smali files.

In a specific implementation scenario, the electronic device takes at least one target file contained in the second decompiled file as reference and traverses the files of the first decompiled file, so as to determine in the first decompiled file a second file that does not match any of the target files and a third file that matches at least one of the target files, and determines the deleted class set and the incremental class set for the target application package based on the second file and the third file.

In short, the second file and the third file are determined by traversing the smali file tree corresponding to the baseline application file. Because the second file matches none of the target files in the second decompiled file, the function class corresponding to the second file has usually been deleted. In a feasible implementation, the electronic device may add the second file name of the second file to the deleted class set for the target application package;

Optionally, the above process of "determining in the first decompiled file a second file that does not match any of the target files" may be carried out by detecting whether a target file is consistent with "each baseline file contained in the first decompiled file", that is, by comparing the data of each baseline file and the target file. If a certain baseline file is inconsistent with all of the target files, that "certain baseline file" is usually a deleted smali file and is taken as the second file; the class corresponding to the second file then usually belongs to the deleted function classes.

Optionally, the above process of "determining in the first decompiled file a second file name that does not match the target file name of any of the target files" may be carried out by comparing file names, that is, "determining in the first decompiled file a second file name that does not match the target file name of any of the target files, and determining the deleted class set for the target application package based on the second file name".

Further, the electronic device may determine in the first decompiled file a third file that matches at least one of the target files by comparing file names: when a baseline file and a target file have the same name, the target file with the same name as the baseline file can be regarded as the third file (the classes corresponding to the two smali files are the same). When the file names match, the target file and the baseline file of the same name may contain the same file data, or the third file may have been obtained by modifying or adjusting the code of the baseline file. On this basis, whether the file data of the third file and the baseline file are consistent can be compared further, for example by computing the digest values of the third file and the baseline file. When the two digest values are consistent, the third file and the baseline file are the same. When the two digest values differ, the third file was obtained by modifying or adjusting the code of the baseline file; in this case the electronic device determines a modified class for the target application package based on the third file name and adds the modified class to the incremental class set.

It can be understood that the second smali file is named "package name + class name" and ends with ".smali". The file name of the second smali file is therefore obtained, the suffix ".smali" is removed from it, and the file name without ".smali" (that is, as an incremental class) is added to the deleted class set, which completes "adding the class corresponding to the second file to the deleted class set".

It can be understood that the third smali file is named "package name + class name" and ends with ".smali". The file name of the third smali file is therefore obtained, the suffix ".smali" is removed from it, and the file name without ".smali" (that is, as an incremental class) is added to the deleted class set, which completes "adding the class corresponding to the third file to the incremental class set".

In a feasible implementation, an incremental class set IncrementalList and a deleted class set ReducedList are set up;

The explanation below takes the first decompiled file to be smali file tree T1 and the second decompiled file to be smali file tree T2:

The electronic device takes the N (N is a positive integer) target files contained in the second decompiled file, i.e. "smali file tree T2", as reference:

1. Obtain "baseline file 1", traverse the files of the second decompiled file, i.e. "smali file tree T2", and match the current "baseline file 1" against each "target file" in "smali file tree T2". On the one hand, detect whether "baseline file 1" fails to match every target file; if it matches none of them, determine "baseline file 1" to be a second file and add the class corresponding to "baseline file 1", as the second file, to the deleted class set ReducedList. File matching here may be done by comparing the file names of the files. On the other hand, detect whether "baseline file 1" matches at least one target file; if it does, determine "baseline file 1" to be a third file, and then match the file data of the third file against "the reference target file whose file name is the same as that of the third file". If the file data of the two differ, this indicates that "the reference target file whose file name is the same as that of the third file" was generated by modifying or adjusting the code of the "third file"; the class corresponding to the third file is then added to the incremental class set IncrementalList.

2. Obtain "baseline file 2", traverse the files of the second decompiled file, i.e. "smali file tree T2", and match the current "baseline file 2" against each "target file" in "smali file tree T2". On the one hand, detect whether "baseline file 2" fails to match every target file; if it matches none of them, determine "baseline file 2" to be a second file and add the class corresponding to "baseline file 2", as the second file, to the deleted class set ReducedList. File matching here may be done by comparing the file names of the files. On the other hand, detect whether "baseline file 2" matches at least one target file; if it does, determine "baseline file 2" to be a third file, and then match the file data of the third file against "the reference target file whose file name is the same as that of the third file". If the file data of the two differ, this indicates that "the reference target file whose file name is the same as that of the third file" was generated by modifying or adjusting the code of the "third file"; the class corresponding to the third file is then added to the incremental class set IncrementalList.

........

i. As shown in FIG. 4, which is a schematic diagram of another file matching scenario involved in the present application, and as in FIG. 3, the electronic device may obtain "baseline file i", traverse the files of the second decompiled file, i.e. "smali file tree T2", and match the current "baseline file i" against each "target file" in "smali file tree T2". On the one hand, detect whether "baseline file i" fails to match every target file; if it matches none of them, determine "baseline file i" to be a second file and add the class corresponding to "baseline file i", as the second file, to the deleted class set ReducedList. File matching here may be done by comparing the file names of the files. On the other hand, detect whether "baseline file i" matches at least one target file; if it does, determine "baseline file i" to be a third file, and then match the file data of the third file against "the reference target file whose file name is the same as that of the third file". If the file data of the two differ, this indicates that "the reference target file whose file name is the same as that of the third file" was generated by modifying or adjusting the code of the "third file"; the class corresponding to the third file is then added to the incremental class set IncrementalList.

And so on, until i equals N, which yields the incremental class set IncrementalList and the deleted class set ReducedList.

It can be understood that the above process traverses the baseline smali file tree T1 and reads the file name N1 of each smali file. If smali file tree T2 contains no smali file with the same name as N1, a second file is determined, whose file name is N1; the suffix ".smali" is stripped from N1 and the result is added to the deleted class set ReducedList. If smali file tree T2 contains a file name N2 that is the same as file name N1, the MD5 value of the N1 file (denoted MD5_1) and the MD5 value of the N2 file (denoted MD5_2) are computed. If MD5_1 and MD5_2 are the same, N2 is deleted from T2 or given an ignore mark, to save computation in subsequent matching and improve detection efficiency. If MD5_1 and MD5_2 are not the same, the suffix is stripped from N1, the result is added to the incremental class set IncrementalList, and N2 is deleted from T2, to save computation in subsequent matching and improve detection efficiency;

In a feasible implementation, to further compare whether the file data of the third file and the baseline file are consistent, the electronic device may perform the step of "obtaining a digest matching result for the third file and the baseline file, and adding the third file name of the third file to the incremental class set based on the digest matching result".

Here, the digest matching result can be understood as the result obtained by computing a digest value for each of two files (such as the third file and the baseline file) with a digest algorithm (such as the MD5 algorithm) and matching the two digest values. For example, the digest values of the two files can be compared (checking whether they are identical) and the comparison result used as the digest matching result. A digest matching result is of either the digest-match type or the digest-mismatch type. A result of the digest-match type means that the digest values of the two files (such as the third file and the baseline file) match, for example that they are identical; a result of the digest-mismatch type means that the digest values of the two files do not match, for example that they differ.

It can be understood that, for example, the MD5 algorithm can be used to calculate the digest values of the third file and the baseline file, and the two digest values are then matched. When the digest matching result indicates that the two digest values are identical (the result is of the digest-match type), the third file and the baseline file can be regarded as the same. When the digest matching result indicates that the two digest values differ (the result is of the digest-mismatch type), the third file was typically obtained by modifying or adjusting code in the baseline file. In this case, the electronic device determines a modified class for the target application package based on the third file name and adds that modified class to the incremental class set.

Further, if the result type of the digest matching result is the digest-mismatch type, the third file name of the third file (the third file name can represent the class corresponding to the third file) is added to the incremental class set.

In one or more embodiments, during the application development process to which the target application file relates, if a file in an application installation package released in a historical version is modified, the function class corresponding to the file does not change before and after the modification. However, because the data encapsulated by the function class has in substance changed, the electronic device may add the class corresponding to the second file to the incremental class set as an incremental function class.

It can be understood that the process of "obtaining a digest matching result between the third file and the baseline file" may be: compute two digest values for the third file and the baseline file with a digest algorithm, then compare the digest values to obtain the digest matching result. The digest algorithm may be the MD5 algorithm, an "SHA algorithm", a "MAC" algorithm, and so on.
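The tree comparison described above, written out as an added Python example; it is not code from the patent. It assumes that a "file name" is the file's path relative to the tree root, and that files left in T2 after the pass (classes new in the target) also go into IncrementalList; the sample smali files are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

SUFFIX = ".smali"


def file_digest(path, algorithm="md5"):
    """Hex digest of one file, read in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def index_tree(root):
    """Map 'com/demo/Login.smali' (path relative to root) to the file's full path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p
            for p in root.rglob("*" + SUFFIX) if p.is_file()}


def diff_smali_trees(t1_root, t2_root, algorithm="md5"):
    """Return (IncrementalList, ReducedList) for baseline tree T1 and target tree T2."""
    t1, t2 = index_tree(t1_root), index_tree(t2_root)
    incremental, reduced = [], []
    for n1 in sorted(t1):
        # pop() removes N2 from T2 whether or not the digests match,
        # so later lookups never revisit an already compared file.
        n2_path = t2.pop(n1, None)
        if n2_path is None:
            reduced.append(n1[:-len(SUFFIX)])        # class deleted in the target
        elif file_digest(t1[n1], algorithm) != file_digest(n2_path, algorithm):
            incremental.append(n1[:-len(SUFFIX)])    # class modified in the target
    # Assumption: whatever is still in T2 exists only in the target (new classes).
    incremental.extend(n[:-len(SUFFIX)] for n in sorted(t2))
    return incremental, reduced


def demo(algorithm="md5"):
    """Build two small constructed smali trees on disk and diff them."""
    unchanged = ".class public Lcom/demo/Util;\n.super Ljava/lang/Object;\n"
    baseline = {
        "com/demo/Login.smali": ".class public Lcom/demo/Login;\n# body v1\n",
        "com/demo/Util.smali": unchanged,
        "com/demo/Legacy.smali": ".class public Lcom/demo/Legacy;\n",
    }
    target = {
        "com/demo/Login.smali": ".class public Lcom/demo/Login;\n# body v2\n",
        "com/demo/Util.smali": unchanged,
        "com/demo/Upload.smali": ".class public Lcom/demo/Upload;\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        roots = {Path(tmp, "T1"): baseline, Path(tmp, "T2"): target}
        for root, files in roots.items():
            for rel, text in files.items():
                f = root / rel
                f.parent.mkdir(parents=True, exist_ok=True)
                f.write_text(text, encoding="utf-8")
        return diff_smali_trees(Path(tmp, "T1"), Path(tmp, "T2"), algorithm)


if __name__ == "__main__":
    print(demo())
```

Any algorithm name accepted by `hashlib.new` can be passed in place of `md5`, for example `sha256`.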

S205: Perform static taint detection on the target application package based on the difference class set to obtain a taint path set for the target application package.

It can be understood that the difference class set may be the incremental class set and/or the deleted class set.

For details, refer to the method steps of the other embodiments of this application; they are not repeated here.

In this embodiment of the application, the electronic device obtains a target application package and an application baseline package for an application, and then decompiles and compares the two packages to obtain a difference class set for the target application package. Static taint detection can then be performed on the target application package based on the difference class set to obtain a taint path set for the target application package. Because the difference class set is determined against the application baseline package, a full analysis of the target application package is avoided: the electronic device only needs to perform static taint detection on the differing code of the target application package indicated by the difference class set, which reduces the detection workload, avoids redundant repetition, and can greatly improve the efficiency of application detection. In addition, the incremental class set and the deleted class set can be determined from the decompiled files and used to select the incremental code components for static taint analysis, which improves the intelligence of application detection.

Refer to FIG. 5, which is a schematic flowchart of another embodiment of the application detection method proposed in this application. Specifically:

S301: Obtain a target application package and an application baseline package for the application;

For details, refer to the method steps of the other embodiments of this application; they are not repeated here.

S302: Decompile and compare the target application package and the application baseline package to obtain a difference class set for the target application package;

S303: Determine the set type corresponding to the difference class set.

According to one or more embodiments, depending on the actual situation, the set type may be the deleted class, the incremental class, or both the deleted class and the incremental class.

It can be understood that the electronic device can perform static taint detection on the target application package based on the set type to obtain a taint path set for the target application package.

S304: If the set type is the incremental class, call a taint detection tool to perform static taint detection on the target application package based on the incremental class set to obtain a first taint path set, and use the first taint path set as the taint path set for the target application package;

It can be understood that the electronic device obtains the difference class set for the target application package by decompiling and comparing the target application package and the application baseline package, and that the difference class set reflects, to a certain extent, the code differences between the two packages. To improve detection efficiency, when performing static taint detection on the target application package this application does not directly analyze all of the code of the target application package; instead it determines the difference class set of the target application package relative to the baseline application package. Because the electronic device has already completed static taint detection on the baseline application package and obtained its taint path set, static taint detection on the target application package can be based on the difference class set alone. In some embodiments this means that static taint detection is performed only on the differing code of the target application package indicated by the difference class set, which greatly improves the efficiency of application detection for the target application package.

It can be understood that the incremental class set helps the electronic device determine the incremental code of the target application package relative to the application baseline package, so that taint detection is performed on the incremental code. This reduces the computation required compared with taint detection on the entire target application package and improves detection efficiency.

In a feasible implementation:

1. The electronic device may determine a detection entry function set for the target application package based on the incremental class set;

1.1 Obtain the inter-procedural call graph of the target application package, and determine an initial entry function set based on the inter-procedural call graph;

It can be understood that the electronic device may call a taint detection tool, for example the method that generates a control flow graph in the open-source code analysis framework soot, to parse the binary code of the target application package into intermediate code and generate the CFG. It then calls the method in the taint detection tool that generates the inter-procedural graph, for example the method in the FlowDroid framework that generates a bidirectional ICFG, analyzes the function call relationships of the target application package to generate the inter-procedural call graph ICFG, and records the system component lifecycle functions and callback functions in the ICFG into a set E. This set E is the initial entry function set.

In a specific implementation scenario, before generating the inter-procedural call graph (that is, before analysis begins), the electronic device sets the taint source function (source) and the sink function (sink). In practice, functions exposed to the outside are usually set as source functions, and functions that execute key logic inside the program are set as sink functions. If analysis finds a reachable path from a source function to a sink function, a potential security vulnerability exists, and one taint path is obtained.

It can be understood that, when the target application package is analyzed, the location of the object to be analyzed is found through the absolute path indicated by the target application package, and the bytecode program is disassembled with the open-source Java analysis framework soot. That is, soot is used to generate a representation in an intermediate language with concise syntax, so that the bytecode variables of all source programs in the target application package are mapped to new data structures in the intermediate language, which fully expresses the control flow information and data transfer information of the program.

Further, the electronic device calls the taint detection tool to parse the binary code of the target application package into intermediate code, and converts the intermediate language representation of that code into an intra-function control flow graph (CFG). In this conversion, each statement indicated by the binary code of the target application package becomes one control flow graph node Bi, and each statement stores its predecessor node Bp and successor node Bs according to execution order. The call graph CG is then generated. Since the execution of the vast majority of applications (here, the application corresponding to the target application package) involves function calls, when functions call one another the electronic device can model the call relationships: it parses the function call statements in the code, maps each calling function to the function it calls, and saves the mapping in the call statement node using a HashMap data structure, thereby generating the corresponding call graph CG.

Further, the electronic device can combine the call graph CG and the intra-function control flow graphs CFG into a new kind of graph, called the inter-procedural control flow graph ICFG, which describes the entire program under analysis. It then records the system component lifecycle functions and callback functions in the ICFG and adds them to a reference set (for example, an initially empty set E). Once this is complete, the resulting reference set is the initial entry function set.

In some application scenarios, the initial entry function set serves as the overall entry point of the inter-procedural control flow graph ICFG, and subsequent static taint detection is then equivalent to static taint analysis of all code in the target application package. To improve detection efficiency, the electronic device can traverse the function nodes of the inter-procedural call graph based on the incremental class set and the initial entry function set to determine at least one target node function, and generate a detection entry function set containing the at least one target node function. The resulting detection entry function set in effect instructs the electronic device to call the taint detection tool only on the incremental code.

1.2. The electronic device traverses the function nodes of the inter-procedural call graph based on the incremental class set and the initial entry function set to determine at least one target node function;

In a specific implementation, taking the at least one initial entry function indicated by the initial entry function set as the starting point, the electronic device performs node class matching, based on the incremental class set, on each next function node following each initial function node in the inter-procedural control flow graph, and obtains the target node function corresponding to at least one target function node;

Here, the initial function node is the first node corresponding to the initial entry function in the inter-procedural control flow graph, and the target function class to which the target entry function of a target function node belongs is a function class in the incremental class set.

It can be understood that, assuming the initial entry function set is the set E, the electronic device starts from each initial entry function Entry in E in turn and traverses the inter-procedural call graph ICFG. For each next node function read after the initial entry function Entry (for example, a NextMethod function), it determines whether the class of that function (the class of the NextMethod function) is in the incremental class set. If so, the next node function is added to the incremental function set as a target node function. (For example, an incremental function set IncreEntrance is defined in advance; when the class of the next node function belongs to the incremental class set, that function is added to IncreEntrance as a target node function.) When the traversal of the entire inter-procedural call graph ICFG is complete, the detection entry function set containing at least one target node function is obtained.

As shown in FIG. 6, which is a schematic diagram of a scenario in which the detection entry function set is determined, assume the initial entry function set is the set E. The electronic device traverses the (initial) entry functions Entry in E in turn. Before each round, it determines whether every (initial) entry function Entry in E has been traversed (the "traversal has ended" step in FIG. 6). If not, it traverses the inter-procedural call graph ICFG from the current (initial) entry function Entry. For each next node function read after the initial entry function Entry (for example, a NextMethod function), it determines whether the class of that function (the class of the NextMethod function) is in the incremental class set (shown in FIG. 6 as: does the incremental class set contain the class of the NextMethod function). If so, the next node function is added to the incremental function set as a target node function. (For example, an incremental function set IncreEntrance is defined in advance; when the class of the next node function belongs to the incremental class set, that function is added as a target node function to IncreEntrance as shown in FIG. 6.) When the last initial entry function Entry has completed its traversal of the entire inter-procedural call graph ICFG, the detection entry function set IncreEntrance containing at least one target node function is obtained.

It can be understood that:

1.3 The electronic device generates a detection entry function set containing the at least one target node function.

In some implementations, once the detection entry function set has been obtained, the electronic device has completed the control flow analysis performed with the taint detection tool.
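Steps 1.1 to 1.3 as an added Python sketch, not code from the patent or from FlowDroid: the ICFG is reduced to a caller-to-callees map, function names use Soot-style signatures, and a signature's class is normalized to the smali path form used by the incremental class set. The graph, the set E and the class names are constructed; `class_of` and `select_detection_entries` are hypothetical helper names.

```python
import re
from collections import deque

# Soot-style signature: <com.demo.Login: void show()>
_SIG = re.compile(r"^<(?P<cls>[^:]+):\s")


def class_of(signature):
    """Declaring class of a signature, in smali path form (com/demo/Login$1)."""
    m = _SIG.match(signature)
    if m is None:
        raise ValueError("not a method signature: %r" % signature)
    return m.group("cls").replace(".", "/")


def select_detection_entries(call_edges, initial_entries, incremental_classes):
    """Build IncreEntrance: every function reached from an Entry in E whose
    declaring class is in the incremental class set."""
    incremental = set(incremental_classes)
    incre_entrance, chosen = [], set()
    for entry in initial_entries:            # one round per Entry in E
        visited = {entry}                    # guards against call cycles
        queue = deque([entry])
        while queue:
            current = queue.popleft()
            for nxt in call_edges.get(current, ()):      # the "NextMethod"
                if class_of(nxt) in incremental and nxt not in chosen:
                    chosen.add(nxt)
                    incre_entrance.append(nxt)
                # Keep walking past a match: the whole graph is traversed.
                if nxt not in visited:
                    visited.add(nxt)
                    queue.append(nxt)
    return incre_entrance


# --- constructed sample data -------------------------------------------------
ON_CREATE = "<com.demo.MainActivity: void onCreate(android.os.Bundle)>"
ON_START = "<com.demo.SyncService: int onStartCommand(android.content.Intent,int,int)>"
SHOW = "<com.demo.Login: void show()>"
ON_CLICK = "<com.demo.Login$1: void onClick(android.view.View)>"
SEND = "<com.demo.Upload: void send(java.lang.String)>"
TRIM = "<com.demo.Util: java.lang.String trim(java.lang.String)>"

CALL_EDGES = {
    ON_CREATE: [SHOW, TRIM],
    SHOW: [ON_CLICK],
    ON_CLICK: [SEND],
    SEND: [SHOW],          # retry loop: a cycle in the call graph
    ON_START: [SEND],
}
E = [ON_CREATE, ON_START]                        # lifecycle functions
INCREMENTAL = ["com/demo/Login", "com/demo/Upload"]


def demo_entries():
    return select_detection_entries(CALL_EDGES, E, INCREMENTAL)


if __name__ == "__main__":
    for sig in demo_entries():
        print(sig)
```

The anonymous inner class `Login$1` has its own smali file, so it is selected only if that file itself appears in the incremental class set; here it does not.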

2. The electronic device then calls the taint detection tool, based on the detection entry function set, to perform static taint detection on the target application package and obtain the first taint path set.

It can be understood that the electronic device can call the taint analysis method of a taint detection tool such as the FlowDroid framework to perform data flow analysis, thereby carrying out the static taint detection process.

It can be understood that the electronic device can obtain the inter-procedural call graph ICFG corresponding to the target application package, and then perform static taint detection on the inter-procedural call graph based on the detection entry function set to obtain the first taint path set for the target application package.

It can be understood that the electronic device traverses all detection entry functions in the detection entry function set (such as the set IncreEntrance). For each detection entry function NewEntry, it extracts the next node in the ICFG and determines whether that node is a taint source function (source). If so, it calls the taint analysis algorithm of the taint detection tool, which marks the sensitive data in the system and then tracks the propagation path of the marked data through the program, so that the tool can detect security problems affecting the confidentiality and integrity of the system; at the same time, the function variable of that node is set as a taint variable and taint analysis is performed. If a node is a sink function (sink) and uses a taint variable, the propagation path of that taint variable is a complete taint path, and the taint path is added to the taint path set. And so on: after the inter-procedural control flow graph ICFG has been traversed and the data flow analysis ends, static taint detection is complete and the first taint path set is obtained.

It can be understood that the first taint path set is the set generated by the electronic device in the current run of taint detection and analysis with the taint detection tool. It contains the taint paths found in the incremental code components of the target application package, obtained by running taint detection specifically on those components from the detection entry functions generated from the incremental class set. In one or more embodiments, the object actually analyzed by the taint detection tool is therefore not the entire target application package but its incremental code components, and the first taint path set is generated from them.

S305: If the set type is the deleted class, obtain the second taint path set corresponding to the application baseline package, and determine the taint path set for the target application package based on the second taint path set and the deleted class set;

It can be understood that, if all classes in the difference class set are deleted classes, the difference class set is the deleted class set. In this case the target application package usually contains no incremental code components relative to the application baseline package. The application baseline package, an earlier version of the installation package than the target application package, has already been through taint detection: before the application baseline package was released, the electronic device completed static taint detection on it and generated the second taint path set. The second taint path set can be understood as the taint path set obtained by static taint detection on the application baseline package. The electronic device therefore does not need to call the taint detection tool again on the target application package; it obtains the taint path set for the target application package from the second taint path set of the application baseline package combined with the deleted class set.

In a specific implementation scenario, the electronic device may determine the taint path set for the target application package from the second taint path set, based on the second taint path set and the deleted class set;

It can be understood that the deleted class set contains at least one deleted class. After obtaining the second taint path set corresponding to the application baseline package, the electronic device can traverse each taint path in it. A taint path can usually be mapped to items such as taint variables, the taint functions corresponding to its nodes, and the classes of those taint functions. On this basis the electronic device can determine the taint function class corresponding to each taint path, for example from the name of the taint function or taint variable recorded in the taint path. The electronic device then only needs to match each deleted class against the taint function class of each taint path. When the two match, for example when they are identical, the electronic device identifies the taint path indicated by the matched taint function class as a reference taint path. And so on, until all deleted classes in the deleted class set have been matched, which determines at least one reference taint path from the second taint path set; that is, the step "determining at least one reference taint path from the second taint path set based on the deleted class set" is performed. These reference taint paths usually do not exist in the target application package. Based on this, the electronic device only needs to delete the at least one reference taint path from the second taint path set to obtain the taint path set for the target application package.

S306: If the set type is both the incremental class and the deleted class, determine the taint path set for the target application package based on the first taint path set, the second taint path set and the deleted class set.

It can be understood that, if the set type is both the incremental class and the deleted class, the difference class set includes an incremental class set and a deleted class set. The incremental class set helps the electronic device determine the incremental code of the target application package relative to the application baseline package, so that taint detection is performed on the incremental code, which reduces the computation required compared with taint detection on the entire target application package and improves detection efficiency. The electronic device can fit the first taint path set and the second taint path set together and remove from the second taint path set the taint paths related to the deleted class set, which yields the taint path set for the target application package. This improves detection efficiency and reduces the taint detection workload.

In a specific implementation scenario, the electronic device may perform the step of "determining at least one reference taint path from the second taint path set based on the deleted class set" (see S305 for details), and then obtain at least one target taint path from the second taint path set. A target taint path is a taint path in the second taint path set other than the reference taint paths; in other words, the target taint paths are what remains of the second taint path set once the reference taint paths are excluded. The at least one target taint path is then added to the first taint path set to obtain the taint path set for the target application package. For how the first taint path set is obtained, refer to the other method steps; this is not repeated here.
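The three branches S304 to S306 as one added Python example, not code from the patent. A taint path is modelled as a tuple of (class, method) nodes from source to sink, a baseline path counts as a reference taint path when any node's class is in the deleted class set, and `run_incremental_taint` is a hypothetical callable standing in for the taint detection tool; all three are assumptions, and the paths are constructed.

```python
from enum import Enum


class SetType(Enum):
    INCREMENTAL = "incremental"
    DELETED = "deleted"
    BOTH = "both"


def classify(incremental_classes, deleted_classes):
    """S303: decide the set type of the difference class set."""
    if incremental_classes and deleted_classes:
        return SetType.BOTH
    if incremental_classes:
        return SetType.INCREMENTAL
    if deleted_classes:
        return SetType.DELETED
    # The page does not cover an empty difference class set.
    raise ValueError("difference class set is empty")


def reference_paths(baseline_paths, deleted_classes):
    """Baseline taint paths that touch a deleted class (assumed matching rule)."""
    deleted = set(deleted_classes)
    return [p for p in baseline_paths if any(cls in deleted for cls, _ in p)]


def target_taint_paths(incremental_classes, deleted_classes,
                       baseline_paths, run_incremental_taint):
    set_type = classify(incremental_classes, deleted_classes)

    first = []
    if set_type in (SetType.INCREMENTAL, SetType.BOTH):
        # S304: only here is the taint tool actually invoked.
        first = list(run_incremental_taint(incremental_classes))
    if set_type is SetType.INCREMENTAL:
        return first

    # S305: drop the reference taint paths from the second (baseline) set.
    stale = set(reference_paths(baseline_paths, deleted_classes))
    kept = [p for p in baseline_paths if p not in stale]
    if set_type is SetType.DELETED:
        return kept

    # S306: add the remaining baseline paths to the first set, no duplicates.
    merged = list(first)
    merged.extend(p for p in kept if p not in merged)
    return merged


# --- constructed sample data -------------------------------------------------
P_LEGACY = (("com/demo/Legacy", "readToken"), ("com/demo/Util", "log"))
P_PROFILE = (("com/demo/Profile", "getPhone"), ("com/demo/Net", "post"))
P_LOGIN = (("com/demo/Login", "readPassword"), ("com/demo/Upload", "send"))

SECOND_SET = [P_LEGACY, P_PROFILE]          # stored result for the baseline package


def fake_tool(classes):
    """Stand-in for the taint tool run on the incremental code only."""
    return [P_LOGIN]


def demo_paths():
    inc, gone = ["com/demo/Login", "com/demo/Upload"], ["com/demo/Legacy"]
    return {
        "incremental": target_taint_paths(inc, [], SECOND_SET, fake_tool),
        "deleted": target_taint_paths([], gone, SECOND_SET, fake_tool),
        "both": target_taint_paths(inc, gone, SECOND_SET, fake_tool),
    }


if __name__ == "__main__":
    for name, paths in demo_paths().items():
        print(name, paths)
```

As the procedure is described, a baseline path that runs through a modified (not deleted) class is carried over unchanged in the S306 branch unless the incremental run reports it again.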

In this embodiment of the application, the electronic device obtains a target application package and an application baseline package for an application, and then decompiles and compares the two packages to obtain a difference class set for the target application package. Static taint detection can then be performed on the target application package based on the difference class set to obtain a taint path set for the target application package. Because the difference class set is determined against the application baseline package, a full analysis of the target application package is avoided: the electronic device only needs to perform static taint detection on the differing code of the target application package indicated by the difference class set, which reduces the detection workload, avoids redundant repetition, and can greatly improve the efficiency of application detection. In addition, the incremental class set and the deleted class set can be determined from the decompiled files and used to select the incremental code components for static taint analysis, which improves the intelligence of application detection. Furthermore, taint detection can be carried out in different ways depending on the type of the difference class set, which improves the reuse of the taint analysis results of previously generated application baseline packages and optimizes the static taint detection process.

Please refer to FIG. 7, which is a schematic architecture diagram of an application detection system provided by an embodiment of the present application. As shown in FIG. 4, the application detection system 100 includes an electronic device 20 and a target device cluster. The target device cluster may include multiple target devices, as shown in FIG. 7, specifically target device 1, target device 2, ..., target device n, where n is an integer greater than 0. This embodiment is described using the electronic device 20 and target device 1 in FIG. 7 as an example.

The electronic device 20 has an application detection function. When the electronic device 20 is a server, it may be a standalone server device, for example a rack, blade, tower, or cabinet server, or a hardware device with strong computing capability such as a workstation or mainframe; it may also be a server cluster composed of multiple servers. The servers in the cluster may be arranged symmetrically, with each server functionally equivalent and of equal status in the service link, and each server able to provide services externally on its own, that is, without the assistance of another server.

Each target device in the target device cluster may be a device with a communication function, and may be a device used to develop application installation packages such as the target application package and the application baseline package. Target devices include but are not limited to: handheld devices, personal computers, tablet computers, in-vehicle devices, smartphones, computing devices, or other processing devices connected to a wireless modem.

The target device 1 communicates with the electronic device 20 through a network, which may be a wireless network or a wired network. Wireless networks include but are not limited to cellular networks, wireless local area networks, infrared networks, and Bluetooth networks; wired networks include but are not limited to Ethernet, universal serial bus (USB), and controller area networks.

The target device 1 can at least upload the target application package of the application to be detected over the communication network between it and the electronic device. It can be understood that the electronic device 20 obtains the target application package for the application, and the electronic device may obtain the application baseline package for the application;

The electronic device 20 decompiles and compares the target application package and the application baseline package to obtain a difference class set for the target application package;

The electronic device 20 performs static taint detection on the target application package based on the difference class set to obtain a taint path set for the target application package.

In addition, the file test-submission system embodiment provided above and the file test-submission method in some embodiments belong to the same concept; for the implementation process, see the method embodiments, which are not repeated here.

The application detection apparatus provided by the embodiments of the present application is described in detail below with reference to FIG. 8. It should be noted that the application detection apparatus shown in FIG. 8 is used to execute the methods of the embodiments shown in FIG. 1 to FIG. 7 of the present application. For ease of description, only the parts related to the embodiments of the present application are shown; for specific technical details not disclosed, refer to the embodiments shown in FIG. 1 to FIG. 7 of the present application.

Please refer to FIG. 8, which shows a schematic structural diagram of the application detection apparatus of an embodiment of the present application. The application detection apparatus 1 may be implemented as all or part of a user terminal through software, hardware, or a combination of the two. According to some embodiments, the application detection apparatus 1 includes an acquisition module 11, a processing module 12, and a detection module 13, specifically:

The acquisition module 11 is configured to obtain the target application package and the application baseline package of an application;

The processing module 12 is configured to decompile and compare the target application package and the application baseline package to obtain a difference class set for the target application package;

The detection module 13 is configured to perform static taint detection on the target application package based on the difference class set to obtain a taint path set for the target application package.

Optionally, as shown in FIG. 9, the processing module 12 includes:

A file determination unit 121, configured to determine a first decompiled file corresponding to the application baseline package and a second decompiled file corresponding to the target application package;

A set determination unit 122, configured to compare the first decompiled file with the second decompiled file to obtain the difference class set for the target application package.

Optionally, the set determination unit 122 is specifically configured to:

Taking at least one baseline file contained in the first decompiled file as a reference, determine in the second decompiled file a first file that matches none of the baseline files, and determine the incremental class set for the target application package based on the first file; and/or

Taking at least one target file contained in the second decompiled file as a reference, determine in the first decompiled file a second file that matches none of the target files and a third file that matches at least one of the target files, and determine the pruned class set and the incremental class set for the target application package based on the second file and the third file.

Optionally, the set determination unit 122 is specifically configured to:

Determine, in the second decompiled file, a first file name that matches none of the baseline file names of the baseline files, and determine the incremental class set for the target application package based on the first file name;

Optionally, the set determination unit 122 is specifically configured to:

Determine, in the first decompiled file, a second file name that matches none of the target file names of the target files and a third file name that matches at least one of the target file names, and determine the pruned class set and the incremental class set for the target application package based on the second file name and the third file name.

Optionally, the set determination unit 122 is specifically configured to:

Add the second file name of the second file to the pruned class set for the target application package; and

Obtain a digest matching result between the third file and a reference target file, and add the third file name of the third file to the incremental class set based on the digest matching result, where the file name of the third file is the same as the file name of the reference target file.

Optionally, the set determination unit 122 is specifically configured to:

If the result type of the digest matching result is the digest-mismatch type, add the third file name of the third file to the incremental class set.
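The comparison performed by the set determination unit can be illustrated with the following added example, which is not code from the application. It assumes each decompiled class is one `.smali` file and that the digest is SHA-256 (the text above only says "decompiled file" and "digest"); the sample trees are constructed.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def index_decompiled(root: Path, suffix: str = ".smali") -> dict[str, str]:
    """Map every decompiled class file under root (relative name) to its digest."""
    return {
        path.relative_to(root).as_posix(): hashlib.sha256(path.read_bytes()).hexdigest()
        for path in sorted(root.rglob(f"*{suffix}"))
    }


def diff_class_sets(baseline_root: Path, target_root: Path) -> tuple[set[str], set[str]]:
    """Return (incremental class set, pruned class set) as sets of file names."""
    baseline = index_decompiled(baseline_root)   # first decompiled file
    target = index_decompiled(target_root)       # second decompiled file

    # "First files": target names that match no baseline name are new classes.
    incremental = {name for name in target if name not in baseline}
    pruned: set[str] = set()
    for name, digest in baseline.items():
        if name not in target:
            pruned.add(name)          # "second file": class removed from target
        elif digest != target[name]:
            incremental.add(name)     # "third file": same name, digest mismatch
        # same name and same digest: unchanged, lands in neither set
    return incremental, pruned


def write_tree(root: Path, files: dict[str, str]) -> None:
    """Materialise a constructed decompiler output tree on disk."""
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")


def demo() -> tuple[set[str], set[str]]:
    # Constructed sample: one class modified, one removed, one added, one unchanged.
    baseline = {
        "com/example/app/MainActivity.smali": ".class Lcom/example/app/MainActivity;\n# v1\n",
        "com/example/app/net/Uploader.smali": ".class Lcom/example/app/net/Uploader;\n",
        "com/example/app/legacy/SmsReader.smali": ".class Lcom/example/app/legacy/SmsReader;\n",
    }
    target = {
        "com/example/app/MainActivity.smali": ".class Lcom/example/app/MainActivity;\n# v2\n",
        "com/example/app/net/Uploader.smali": ".class Lcom/example/app/net/Uploader;\n",
        "com/example/app/share/ShareProvider.smali": ".class Lcom/example/app/share/ShareProvider;\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        base_dir, target_dir = Path(tmp, "baseline"), Path(tmp, "target")
        write_tree(base_dir, baseline)
        write_tree(target_dir, target)
        return diff_class_sets(base_dir, target_dir)


if __name__ == "__main__":
    inc, gone = demo()
    print("incremental:", sorted(inc))
    print("pruned:", sorted(gone))
```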

Optionally, the detection module 13 is specifically configured to:

Determine the set type corresponding to the difference class set, and perform static taint detection on the target application package based on the set type to obtain the taint path set for the target application package.

Optionally, the detection module 13 is specifically configured to:

If the set type is the incremental class, invoke a taint detection tool to perform static taint detection on the target application package based on the incremental class set to obtain a first taint path set, and use the first taint path set as the taint path set for the target application package;

If the set type is the pruned class, obtain a second taint path set corresponding to the application baseline package, and determine the taint path set for the target application package based on the second taint path set and the pruned class set;

If the set type is both the incremental class and the pruned class, determine the taint path set for the target application package based on the first taint path set, the second taint path set, and the pruned class set.

Optionally, the detection module 13 is specifically configured to:

Determine at least one reference taint path from the second taint path set based on the pruned class set;

Obtain at least one target taint path in the second taint path set, where a target taint path is a taint path in the second taint path set other than the reference taint paths;

Add the at least one target taint path to the first taint path set to obtain the taint path set for the target application package.

Optionally, the detection module 13 is specifically configured to:

Determine at least one reference taint path from the second taint path set based on the pruned class set;

Delete the at least one reference taint path from the second taint path set to obtain the taint path set for the target application package.
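The three set-type cases above can be written out as follows. This is an added example, not code from the application: it assumes a taint path is an ordered tuple of `package.Class.method` names, that a reference taint path is any baseline path touching a pruned class (the actual rule is in S305), and it stands in for the taint detection tool with a constructed lookup.

```python
from __future__ import annotations

from typing import Callable, Set, Tuple

TaintPath = Tuple[str, ...]   # ordered method names, source first, sink last


def class_of(method: str) -> str:
    """'com.example.Foo.bar' -> 'com.example.Foo' (constructed naming scheme)."""
    return method.rsplit(".", 1)[0]


def reference_paths(second: Set[TaintPath], pruned: Set[str]) -> Set[TaintPath]:
    """Baseline paths with at least one node in a pruned class (assumed rule)."""
    return {p for p in second if any(class_of(m) in pruned for m in p)}


def combine_taint_paths(
    incremental: Set[str],
    pruned: Set[str],
    second: Set[TaintPath],
    run_taint_tool: Callable[[Set[str]], Set[TaintPath]],
) -> Set[TaintPath]:
    """Build the target package's taint path set from the difference class set."""
    if not incremental and not pruned:
        # Case not described in the text; assumed here: nothing changed,
        # so the baseline result is reused as is.
        return set(second)
    if incremental and not pruned:
        # Incremental only: the first taint path set is the result.
        return set(run_taint_tool(incremental))
    # Target taint paths: baseline paths that are not reference taint paths.
    kept = set(second) - reference_paths(second, pruned)
    if not incremental:
        return kept                                   # pruned only
    return set(run_taint_tool(incremental)) | kept    # incremental and pruned


# --- constructed sample data -------------------------------------------------
P_MAIN = ("com.example.app.MainActivity.onCreate", "com.example.app.net.Uploader.send")
P_SMS = ("com.example.app.legacy.SmsReader.read", "com.example.app.net.Uploader.send")
P_SHARE = ("com.example.app.share.ShareProvider.query", "com.example.app.net.Uploader.send")

SECOND = {P_MAIN, P_SMS}                       # stored result for the baseline
PRUNED = {"com.example.app.legacy.SmsReader"}
INCREMENTAL = {"com.example.app.share.ShareProvider"}


def fake_taint_tool(classes: Set[str]) -> Set[TaintPath]:
    """Stand-in for the taint detection tool: returns constructed paths."""
    known = {"com.example.app.share.ShareProvider": P_SHARE}
    return {known[c] for c in classes if c in known}


if __name__ == "__main__":
    for label, inc, gone in [
        ("incremental", INCREMENTAL, set()),
        ("pruned", set(), PRUNED),
        ("both", INCREMENTAL, PRUNED),
    ]:
        print(label, sorted(combine_taint_paths(inc, gone, SECOND, fake_taint_tool)))
```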

Optionally, the detection module 13 is specifically configured to:

Determine a detection entry function set for the target application package based on the incremental class set;

Invoke a taint detection tool, based on the detection entry function set, to perform static taint detection on the target application package and obtain the first taint path set.

Optionally, the detection module 13 is specifically configured to:

Obtain the inter-procedural call graph of the target application package, and determine an initial entry function set based on the inter-procedural call graph;

Traverse the function nodes of the inter-procedural call graph based on the incremental class set and the initial entry function set to determine at least one target node function;

Generate a detection entry function set containing the at least one target node function.

Optionally, the detection module 13 is specifically configured to:

Taking the at least one initial entry function indicated by the initial entry function set as the starting point, perform node class matching, based on the incremental class set, on each next function node of each initial function node in the inter-procedural control flow graph to obtain the target node function corresponding to at least one target function node;

Here, the initial function node is the first node corresponding to the initial entry function in the inter-procedural control flow graph, and the target function class to which the target entry function corresponding to the target function node belongs is a function class in the incremental class set.
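One way to derive the detection entry function set from the call graph is sketched below as an added example, not code from the application. It assumes the initial entry functions are the nodes with no callers, that traversal stops descending once a node in an incremental class is found (the taint run started there covers its callees), and it uses a constructed call graph with `package.Class.method` names.

```python
from __future__ import annotations

from collections import deque
from typing import Dict, List, Set

# Constructed inter-procedural call graph: caller -> list of callees.
CALL_GRAPH: Dict[str, List[str]] = {
    "dummy.Main.main": [
        "com.example.app.MainActivity.onCreate",
        "com.example.app.share.ShareProvider.query",
    ],
    "com.example.app.MainActivity.onCreate": [
        "com.example.app.ui.Form.collect",
        "com.example.app.net.Uploader.send",
    ],
    # Form.collect calls back into onCreate: a cycle among unchanged code.
    "com.example.app.ui.Form.collect": [
        "com.example.app.share.Exporter.export",
        "com.example.app.MainActivity.onCreate",
    ],
    "com.example.app.share.ShareProvider.query": ["com.example.app.share.Exporter.export"],
    "com.example.app.share.Exporter.export": ["com.example.app.net.Uploader.send"],
    "com.example.app.net.Uploader.send": [],
}
# Constructed incremental class set (class names, not file names).
INCREMENTAL: Set[str] = {
    "com.example.app.share.ShareProvider",
    "com.example.app.share.Exporter",
}


def class_of(method: str) -> str:
    return method.rsplit(".", 1)[0]


def initial_entries(graph: Dict[str, List[str]]) -> List[str]:
    """Initial entry function set: nodes that nothing calls (assumed rule)."""
    called = {callee for callees in graph.values() for callee in callees}
    return sorted(node for node in graph if node not in called)


def detection_entries(graph: Dict[str, List[str]], incremental: Set[str]) -> List[str]:
    """Walk outward from the initial entries and collect, on every branch,
    the first function whose class is in the incremental class set."""
    entries: List[str] = []
    found: Set[str] = set()
    visited: Set[str] = set(initial_entries(graph))
    queue = deque(sorted(visited))
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if class_of(nxt) in incremental:
                if nxt not in found:          # target function node
                    found.add(nxt)
                    entries.append(nxt)
                continue                      # do not descend below a target
            if nxt not in visited:            # unchanged code: keep walking
                visited.add(nxt)
                queue.append(nxt)
    return entries


if __name__ == "__main__":
    print("initial entries:", initial_entries(CALL_GRAPH))
    print("detection entries:", detection_entries(CALL_GRAPH, INCREMENTAL))
```

In the sample, `Exporter.export` is reported even though its caller `Form.collect` is unchanged, and the cycle back to `onCreate` does not cause a second visit.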

Optionally, the detection module 13 is specifically configured to:

Obtain the inter-procedural call graph corresponding to the target application package;

Perform static taint detection on the inter-procedural call graph based on the detection entry function set to obtain the first taint path set for the target application package.

It should be noted that when the application detection apparatus provided by the above embodiments executes the application detection method, the division into the functional modules described above is only an example. In practical applications, the functions may be assigned to different functional modules as required; that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above. In addition, the application detection apparatus provided by the above embodiments and the application detection method embodiments belong to the same concept; for the implementation process, see the method embodiments, which are not repeated here.

The serial numbers of the above embodiments of the present application are for description only and do not represent the relative merits of the embodiments.

An embodiment of the present application further provides a computer storage medium. The computer storage medium may store a plurality of instructions suitable for being loaded by a processor to execute the application detection method of the embodiments shown in FIG. 1 to FIG. 6 above. For the specific execution process, refer to the description of the embodiments shown in FIG. 1 to FIG. 6, which is not repeated here.

The present application further provides a computer program product storing at least one instruction, which is loaded by the processor to execute the application detection method of the embodiments shown in FIG. 1 to FIG. 6 above. For the specific execution process, refer to the description of the embodiments shown in FIG. 1 to FIG. 6, which is not repeated here.

Please refer to FIG. 10, which shows a structural block diagram of an electronic device provided by an exemplary embodiment of the present application. The electronic device in the present application may include one or more of the following components: a processor 110, a memory 120, an input device 130, an output device 140, and a bus 150. The processor 110, the memory 120, the input device 130, and the output device 140 may be connected through the bus 150.

The processor 110 may include one or more processing cores. The processor 110 connects the various parts of the entire electronic device through various interfaces and lines, and executes the various functions of the electronic device 100 and processes data by running or executing the instructions, programs, code sets, or instruction sets stored in the memory 120 and calling the data stored in the memory 120. Optionally, the processor 110 may be implemented in at least one of the following hardware forms: digital signal processing (DSP), field-programmable gate array (FPGA), or programmable logic array (PLA). The processor 110 may integrate one or a combination of a central processing unit (CPU), a graphics processing unit (GPU), a modem, and the like. The CPU mainly handles the operating system, the user interface, application programs, and so on; the GPU is responsible for rendering and drawing display content; the modem handles wireless communication. It can be understood that the modem may also not be integrated into the processor 110 and may instead be implemented by a separate communication chip.

The memory 120 may include random access memory (RAM) and may also include read-only memory (ROM). Optionally, the memory 120 includes a non-transitory computer-readable storage medium. The memory 120 may be used to store instructions, programs, code, code sets, or instruction sets. The memory 120 may include a program storage area and a data storage area. The program storage area may store instructions for implementing an operating system, instructions for implementing at least one function (such as a touch function, a sound playback function, or an image playback function), instructions for implementing the method embodiments described below, and so on. The operating system may be the Android system (including systems developed in depth on the basis of the Android system), the IOS system developed by Apple (including systems developed in depth on the basis of the IOS system), or another system. The data storage area may also store data created by the electronic device during use, such as a phone book, audio and video data, and chat records.

Referring to FIG. 11, the memory 120 may be divided into an operating system space and a user space. The operating system runs in the operating system space, and native and third-party applications run in the user space. To ensure that different third-party applications all run well, the operating system allocates corresponding system resources to each of them. However, different scenarios within the same third-party application also differ in their demands on system resources. For example, in a local resource loading scenario the third-party application places high demands on disk read speed, while in an animation rendering scenario it places high demands on GPU performance. Because the operating system and third-party applications are independent of each other, the operating system often cannot perceive the current scenario of a third-party application in time, and therefore cannot adapt system resources to the application's specific scenario.

For the operating system to distinguish the specific scenarios of third-party applications, data communication between third-party applications and the operating system needs to be opened up, so that the operating system can obtain the current scenario information of a third-party application at any time and adapt system resources to the current scenario.

Taking the Android system as an example of the operating system, the programs and data stored in the memory 120 are shown in FIG. 12. The memory 120 may store a Linux kernel layer 320, a system runtime library layer 340, an application framework layer 360, and an application layer 380, where the Linux kernel layer 320, the system runtime library layer 340, and the application framework layer 360 belong to the operating system space and the application layer 380 belongs to the user space. The Linux kernel layer 320 provides low-level drivers for the various hardware of the electronic device, such as the display driver, audio driver, camera driver, Bluetooth driver, Wi-Fi driver, and power management. The system runtime library layer 340 provides the main feature support for the Android system through a number of C/C++ libraries. For example, the SQLite library provides database support, the OpenGL/ES library provides 3D drawing support, and the Webkit library provides browser engine support. The system runtime library layer 340 also provides the Android runtime, which mainly supplies core libraries that allow developers to write Android applications in the Java language. The application framework layer 360 provides the various APIs that may be used when building applications, and developers can use these APIs to build their own applications, for example activity management, window management, view management, notification management, content providers, package management, call management, resource management, and location management. At least one application runs in the application layer 380. These applications may be native applications that ship with the operating system, such as a contacts program, an SMS program, a clock program, or a camera application, or they may be third-party applications developed by third-party developers, such as game applications, instant messaging programs, or photo enhancement programs.

Taking the IOS system as an example of the operating system, the programs and data stored in the memory 120 are shown in FIG. 13. The IOS system includes a core operating system layer 420 (Core OS layer), a core services layer 440 (Core Services layer), a media layer 460 (Media layer), and a touchable layer 480 (Cocoa Touch Layer). The core operating system layer 420 includes the operating system kernel, drivers, and low-level program frameworks; these low-level frameworks provide functions closer to the hardware for use by the program frameworks in the core services layer 440. The core services layer 440 provides the system services and/or program frameworks that applications need, such as the Foundation framework, the account framework, the advertising framework, the data storage framework, the network connection framework, the geographic location framework, and the motion framework. The media layer 460 provides audiovisual interfaces for applications, such as interfaces related to graphics and images, interfaces related to audio technology, interfaces related to video technology, and the wireless playback (AirPlay) interface for audio and video transmission. The touchable layer 480 provides various commonly used interface-related frameworks for application development and is responsible for the user's touch interaction with the electronic device, for example the local notification service, the remote push service, the advertising framework, the game tool framework, the message user interface (UI) framework, the UIKit user interface framework, and the map framework.

Among the frameworks shown in FIG. 13, those relevant to most applications include but are not limited to the Foundation framework in the core services layer 440 and the UIKit framework in the touchable layer 480. The Foundation framework provides many basic object classes and data types and supplies the most basic system services to all applications, independent of the UI. The classes provided by the UIKit framework form the basic UI class library for creating touch-based user interfaces. iOS applications can provide their UI on the basis of the UIKit framework, so it supplies the application's infrastructure for building user interfaces, drawing, handling user interaction events, responding to gestures, and so on.

For the manner and principle of implementing data communication between third-party applications and the operating system in the IOS system, refer to the Android system; details are not repeated here.

The input device 130 is used to receive input instructions or data and includes but is not limited to a keyboard, a mouse, a camera, a microphone, or a touch device. The output device 140 is used to output instructions or data and includes but is not limited to a display device and a speaker. In one example, the input device 130 and the output device 140 may be combined as a touch display screen, which receives touch operations performed on or near it by the user with a finger, a stylus, or any other suitable object, and displays the user interface of each application. The touch display screen is usually arranged on the front panel of the electronic device. It may be designed as a full screen, a curved screen, or a special-shaped screen, or as a combination of a full screen and a curved screen or of a special-shaped screen and a curved screen, which is not limited in the embodiments of the present application.

In addition, those skilled in the art will understand that the structure of the electronic device shown in the above drawings does not limit the electronic device; the electronic device may include more or fewer components than shown, combine certain components, or arrange the components differently. For example, the electronic device also includes components such as a radio frequency circuit, an input unit, sensors, an audio circuit, a wireless fidelity (WiFi) module, a power supply, and a Bluetooth module, which are not described further here.

In the embodiments of the present application, each step may be executed by the electronic device described above. Optionally, each step is executed by the operating system of the electronic device. The operating system may be the Android system, the IOS system, or another operating system, which is not limited in the embodiments of the present application.

The electronic device of the embodiments of the present application may also be fitted with a display device, which may be any device capable of a display function, for example a cathode ray tube display (CR for short), a light-emitting diode display (LED for short), an electronic ink screen, a liquid crystal display (LCD for short), or a plasma display panel (PDP for short). The user can use the display device on the electronic device 101 to view displayed text, images, video, and other information. The electronic device may be a smartphone, a tablet computer, a gaming device, an AR (Augmented Reality) device, a car, a data storage device, an audio playback device, a video playback device, a notebook, a desktop computing device, or a wearable device such as an electronic watch, electronic glasses, an electronic helmet, an electronic bracelet, an electronic necklace, or electronic clothing.

In the electronic device shown in FIG. 10, the electronic device may be a terminal, and the processor 110 may be used to invoke the application program stored in the memory 120 and specifically perform the following operations:

obtaining a target application package and an application benchmark package for an application;

performing decompilation and comparison processing on the target application package and the application benchmark package to obtain a difference class set for the target application package;

performing static taint detection on the target application package based on the difference class set to obtain a taint path set for the target application package.

In one embodiment, when performing the decompilation and comparison processing on the target application package and the application benchmark package to obtain the difference class set for the target application package, the processor 110 specifically performs the following operations:

determining a first decompiled file corresponding to the application benchmark package, and determining a second decompiled file corresponding to the target application package;

comparing the first decompiled file with the second decompiled file to obtain the difference class set for the target application package.

In one embodiment, when comparing the first decompiled file with the second decompiled file, the processor 110 specifically performs the following operations:

taking at least one benchmark file contained in the first decompiled file as a reference, determining in the second decompiled file a first file that does not match any of the benchmark files, and determining an incremental class set for the target application package based on the first file; and/or

taking at least one target file contained in the second decompiled file as a reference, determining in the first decompiled file a second file that does not match any of the target files and a third file that matches at least one of the target files, and determining a deleted class set and an incremental class set for the target application package based on the second file and the third file.

In one embodiment, when determining in the second decompiled file the first file that does not match any of the benchmark files and determining the incremental class set for the target application package based on the first file, the processor 110 specifically performs the following operations:

determining in the second decompiled file a first file name that does not match the benchmark file name of any of the benchmark files, and determining the incremental class set for the target application package based on the first file name;

the determining in the first decompiled file of a second file that does not match any of the target files and a third file that matches at least one of the target files, and the determining of the deleted class set for the target application package based on the second file and the third file, includes:

determining in the first decompiled file a second file name that does not match the target file name of any of the target files and a third file name that matches at least one of the target file names, and determining the deleted class set and the incremental class set for the target application package based on the second file name and the third file name.

In one embodiment, when determining the deleted class set and the incremental class set for the target application package based on the second file and the third file, the processor 110 specifically performs the following operations:

adding the second file name of the second file to the deleted class set for the target application package; and

obtaining a digest matching result between the third file and a reference target file, and adding the third file name of the third file to the incremental class set based on the digest matching result, where the file name of the third file is the same as the file name of the reference target file.

In one embodiment, when adding the third file name of the third file to the deleted class set based on the digest matching result, the processor 110 specifically performs the following operations:

if the result type of the digest matching result is a digest mismatch, adding the third file name of the third file to the incremental class set.

In one embodiment, when performing the static taint detection on the target application package based on the difference class set to obtain the taint path set for the target application package, the processor 110 specifically performs the following operations:

determining the set category corresponding to the difference class set, and performing static taint detection on the target application package based on the set category to obtain the taint path set for the target application package.

In one embodiment, when performing the static taint detection on the target application package based on the set category to obtain the taint path set for the target application package, the processor 110 specifically performs the following operations:

if the set category is the incremental class, invoking a taint detection tool to perform static taint detection on the target application package based on the incremental class set to obtain a first taint path set, and taking the first taint path set as the taint path set for the target application package;

if the set category is the deleted class, obtaining a second taint path set corresponding to the application benchmark package, and determining the taint path set for the target application package based on the second taint path set and the deleted class set;

if the set category is both the incremental class and the deleted class, determining the taint path set for the target application package based on the first taint path set, the second taint path set and the deleted class set.

In one embodiment, when determining the taint path set for the target application package based on the first taint path set, the second taint path set and the deleted class set, the processor 110 specifically performs the following operations:

determining at least one reference taint path from the second taint path set based on the deleted class set;

obtaining at least one target taint path in the second taint path set, the target taint path being a taint path in the second taint path set other than the reference taint path;

adding the at least one target taint path to the first taint path set to obtain the taint path set for the target application package.

In one embodiment, when determining the taint path set for the target application package based on the second taint path set and the deleted class set, the processor 110 specifically performs the following operations:

determining at least one reference taint path from the second taint path set based on the deleted class set;

deleting the at least one reference taint path from the second taint path set to obtain the taint path set for the target application package.
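
The file-name and digest comparison and the three taint-path merge cases described in the embodiments above, as an added Python example (not code from the patent). The `.smali` file names, SHA-256 as the digest, and treating a benchmark path as a reference path when any step lies in a deleted class are assumptions; all sample data is constructed.

```python
import hashlib

# Constructed sample input: decompiled file name -> file content.
BASELINE = {  # first decompiled file (application benchmark package)
    "com/app/Login.smali": b"v1 login",
    "com/app/net/Uploader.smali": b"v1 uploader",
    "com/app/legacy/Stats.smali": b"v1 stats",
}
TARGET = {  # second decompiled file (target application package)
    "com/app/Login.smali": b"v1 login",            # unchanged
    "com/app/net/Uploader.smali": b"v2 uploader",  # same name, new content
    "com/app/ads/Tracker.smali": b"v1 tracker",    # new file name
}


def digest(data):
    # Assumption: the page only says "digest"; SHA-256 is used here.
    return hashlib.sha256(data).hexdigest()


def diff_classes(baseline, target):
    """Return (incremental, deleted) sets of class file names."""
    # "First files": names in the target that match no benchmark file name.
    incremental = {name for name in target if name not in baseline}
    deleted = set()
    for name, data in baseline.items():
        if name not in target:
            # "Second file": benchmark file with no counterpart in the target.
            deleted.add(name)
        elif digest(data) != digest(target[name]):
            # "Third file": same name, digest mismatch -> incremental.
            incremental.add(name)
    return incremental, deleted


def merge_taint_paths(first_paths, second_paths, incremental, deleted):
    """Combine taint paths according to the category of the difference set.

    first_paths:  paths found by the taint tool for the incremental classes.
    second_paths: paths already known for the benchmark package.
    A path is a tuple of (class file name, method) steps.
    """
    if incremental and not deleted:
        return set(first_paths)
    # Assumption: a reference path is a benchmark path that passes
    # through at least one deleted class.
    reference = {p for p in second_paths
                 if any(cls in deleted for cls, _ in p)}
    kept = set(second_paths) - reference
    if deleted and not incremental:
        return kept
    # Both categories present (an empty difference set also ends up here
    # and simply returns the benchmark paths).
    return set(first_paths) | kept


# Constructed taint paths (source step first, sink step last).
P_STATS = (("com/app/Login.smali", "readPassword"),
           ("com/app/legacy/Stats.smali", "log"))
P_UPLOAD = (("com/app/Login.smali", "readPassword"),
            ("com/app/net/Uploader.smali", "send"))
P_TRACKER = (("com/app/ads/Tracker.smali", "collect"),
             ("com/app/net/Uploader.smali", "send"))

if __name__ == "__main__":
    inc, gone = diff_classes(BASELINE, TARGET)
    print("incremental:", sorted(inc))
    print("deleted:", sorted(gone))
    merged = merge_taint_paths({P_TRACKER}, {P_STATS, P_UPLOAD}, inc, gone)
    for path in sorted(merged):
        print(" -> ".join(f"{c}:{m}" for c, m in path))
```

In this example a benchmark path through a class that changed but was not deleted (here `Uploader.smali`) is carried over unchanged, because reference paths are selected from the deleted class set only.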

In one embodiment, when invoking the taint detection tool to perform static taint detection on the target application package based on the incremental class set to obtain the first taint path set, the processor 110 specifically performs the following operations:

determining a detection entry function set for the target application package based on the incremental class set;

invoking the taint detection tool to perform static taint detection on the target application package based on the detection entry function set to obtain the first taint path set.

In one embodiment, when determining the detection entry function set for the target application package based on the incremental class set, the processor 1001 specifically performs the following operations:

obtaining an inter-procedural call graph of the target application package, and determining an initial entry function set based on the inter-procedural call graph;

performing function node traversal on the inter-procedural call graph based on the incremental class set and the initial entry function set to determine at least one target node function;

generating a detection entry function set containing the at least one target node function.

In one embodiment, when performing the function node traversal on the inter-procedural call graph based on the incremental class set and the initial entry function set to determine at least one target node function, the processor 110 specifically performs the following operations:

taking at least one initial entry function indicated by the initial entry function set as a starting point, performing node class matching, based on the incremental class set, on each next function node corresponding to each initial function node in the inter-procedural control flow graph, to obtain the target node function corresponding to at least one target function node;

where the initial function node is the first node corresponding to the initial entry function in the inter-procedural control flow graph, and the target function class to which the target entry function corresponding to the target function node belongs is a function class in the incremental class set.
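
One way to implement the entry-function selection described above, as an added Python example rather than the patent's own code. The breadth-first order, checking the initial entry functions themselves, and not descending below a matched node are assumptions; the call graph and class names are constructed.

```python
from collections import deque

# Constructed inter-procedural call graph: (class, method) -> callees.
CALL_GRAPH = {
    ("com.app.MainActivity", "onCreate"): [
        ("com.app.ui.Home", "show"),
        ("com.app.net.Uploader", "send"),
    ],
    ("com.app.PushReceiver", "onReceive"): [("com.app.ui.Home", "show")],
    ("com.app.ui.Home", "show"): [("com.app.ads.Tracker", "collect")],
    ("com.app.ads.Tracker", "collect"): [("com.app.net.Uploader", "send")],
    ("com.app.net.Uploader", "send"): [
        ("com.app.net.Uploader", "send"),   # retry loop: self-recursion
        ("com.app.net.Http", "post"),
    ],
    ("com.app.net.Http", "post"): [],
    # Not reachable from any initial entry function.
    ("com.app.legacy.Old", "run"): [("com.app.ads.Tracker", "collect")],
}

# Constructed initial entry function set (e.g. component lifecycle methods).
INITIAL_ENTRIES = [
    ("com.app.MainActivity", "onCreate"),
    ("com.app.PushReceiver", "onReceive"),
]

# Constructed incremental class set from the package comparison.
INCREMENTAL = {"com.app.ads.Tracker", "com.app.net.Http"}


def select_detection_entries(call_graph, initial_entries, incremental):
    """Walk the call graph from the initial entry functions and return the
    functions whose class is in the incremental class set.

    Assumption: once a function matches, it becomes a detection entry and
    its callees are not explored from it, since a taint analysis started
    at that function already covers them.
    """
    entries = []
    visited = set(initial_entries)
    queue = deque(initial_entries)
    while queue:
        node = queue.popleft()
        cls, _method = node
        if cls in incremental:
            entries.append(node)          # target node function
            continue
        for callee in call_graph.get(node, []):
            if callee not in visited:     # also protects against cycles
                visited.add(callee)
                queue.append(callee)
    return entries


if __name__ == "__main__":
    for cls, method in select_detection_entries(
            CALL_GRAPH, INITIAL_ENTRIES, INCREMENTAL):
        print(f"detection entry: {cls}.{method}")
```

An empty result means no changed class is reachable from the initial entry functions in this graph, which is worth logging rather than silently treating as "no taint paths".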

In one embodiment, when invoking the taint detection tool to perform static taint detection on the target application package based on the detection entry function set to obtain the first taint path set, the processor 1001 specifically performs the following operations:

obtaining the inter-procedural call graph corresponding to the target application package; performing static taint detection on the inter-procedural call graph based on the detection entry function set to obtain the first taint path set for the target application package.

Those of ordinary skill in the art will understand that all or part of the processes in the methods of the above embodiments can be completed by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, may include the processes of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory, a random access memory, or the like.

What is disclosed above is merely the preferred embodiments of the present application and certainly cannot be used to limit the scope of rights of the present application; equivalent changes made according to the claims of the present application therefore still fall within the scope covered by the present application.

Claims (17)

1. An application detection method, characterized in that the method comprises:

obtaining a target application package and an application benchmark package for an application;

performing decompilation and comparison processing on the target application package and the application benchmark package to obtain a difference class set for the target application package;

performing static taint detection on the target application package based on the difference class set to obtain a taint path set for the target application package.

2. The method according to claim 1, characterized in that the performing decompilation and comparison processing on the target application package and the application benchmark package to obtain a difference class set for the target application package comprises:

determining a first decompiled file corresponding to the application benchmark package, and determining a second decompiled file corresponding to the target application package;

comparing the first decompiled file with the second decompiled file to obtain the difference class set for the target application package.

3. The method according to claim 2, characterized in that the comparing the first decompiled file with the second decompiled file to obtain the difference class set for the target application package comprises:

taking at least one benchmark file contained in the first decompiled file as a reference, determining in the second decompiled file a first file that does not match any of the benchmark files, and determining an incremental class set for the target application package based on the first file; and/or

taking at least one target file contained in the second decompiled file as a reference, determining in the first decompiled file a second file that does not match any of the target files and a third file that matches at least one of the target files, and determining a deleted class set and an incremental class set for the target application package based on the second file and the third file.

4. The method according to claim 3, characterized in that the determining in the second decompiled file a first file that does not match any of the benchmark files, and determining an incremental class set for the target application package based on the first file, comprises:

determining in the second decompiled file a first file name that does not match the benchmark file name of any of the benchmark files, and determining the incremental class set for the target application package based on the first file name;

the determining in the first decompiled file a second file that does not match any of the target files and a third file that matches at least one of the target files, and determining a deleted class set for the target application package based on the second file and the third file, comprises:

determining in the first decompiled file a second file name that does not match the target file name of any of the target files and a third file name that matches at least one of the target file names, and determining the deleted class set and the incremental class set for the target application package based on the second file name and the third file name.

5. The method according to claim 3, characterized in that the determining a deleted class set and an incremental class set for the target application package based on the second file and the third file comprises:

adding the second file name of the second file to the deleted class set for the target application package; and

obtaining a digest matching result between the third file and a reference target file, and adding the third file name of the third file to the incremental class set based on the digest matching result, where the file name of the third file is the same as the file name of the reference target file.

6. The method according to claim 5, characterized in that the adding the third file name of the third file to the deleted class set based on the digest matching result comprises:

if the result type of the digest matching result is a digest mismatch, adding the third file name of the third file to the incremental class set.

7. The method according to claim 1, characterized in that the performing static taint detection on the target application package based on the difference class set to obtain a taint path set for the target application package comprises:

determining the set category corresponding to the difference class set, and performing static taint detection on the target application package based on the set category to obtain the taint path set for the target application package.

8. The method according to claim 7, characterized in that the performing static taint detection on the target application package based on the set category to obtain the taint path set for the target application package comprises:

if the set category is the incremental class, invoking a taint detection tool to perform static taint detection on the target application package based on the incremental class set to obtain a first taint path set, and taking the first taint path set as the taint path set for the target application package;

if the set category is the deleted class, obtaining a second taint path set corresponding to the application benchmark package, and determining the taint path set for the target application package based on the second taint path set and the deleted class set;

if the set category is both the incremental class and the deleted class, determining the taint path set for the target application package based on the first taint path set, the second taint path set and the deleted class set.

9. The method according to claim 8, characterized in that the determining the taint path set for the target application package based on the first taint path set, the second taint path set and the deleted class set comprises:

determining at least one reference taint path from the second taint path set based on the deleted class set;

obtaining at least one target taint path in the second taint path set, the target taint path being a taint path in the second taint path set other than the reference taint path;

adding the at least one target taint path to the first taint path set to obtain the taint path set for the target application package.

10. The method according to claim 8, characterized in that the determining the taint path set for the target application package based on the second taint path set and the deleted class set comprises:

determining at least one reference taint path from the second taint path set based on the deleted class set;

deleting the at least one reference taint path from the second taint path set to obtain the taint path set for the target application package.

11. The method according to claim 8, characterized in that the invoking a taint detection tool to perform static taint detection on the target application package based on the incremental class set to obtain a first taint path set comprises:

determining a detection entry function set for the target application package based on the incremental class set;

invoking the taint detection tool to perform static taint detection on the target application package based on the detection entry function set to obtain the first taint path set.

12. The method according to claim 11, characterized in that the determining a detection entry function set for the target application package based on the incremental class set comprises:

obtaining an inter-procedural call graph of the target application package, and determining an initial entry function set based on the inter-procedural call graph;

performing function node traversal on the inter-procedural call graph based on the incremental class set and the initial entry function set to determine at least one target node function;

generating a detection entry function set containing the at least one target node function.

13. The method according to claim 12, characterized in that the performing function node traversal on the inter-procedural call graph based on the incremental class set and the initial entry function set to determine at least one target node function comprises:

taking at least one initial entry function indicated by the initial entry function set as a starting point, performing node class matching, based on the incremental class set, on each next function node corresponding to each initial function node in the inter-procedural control flow graph, to obtain the target node function corresponding to at least one target function node;

where the initial function node is the first node corresponding to the initial entry function in the inter-procedural control flow graph, and the target function class to which the target entry function corresponding to the target function node belongs is a function class in the incremental class set.

14. The method according to claim 11, characterized in that the invoking the taint detection tool to perform static taint detection on the target application package based on the detection entry function set to obtain the first taint path set comprises:

obtaining the inter-procedural call graph corresponding to the target application package;

performing static taint detection on the inter-procedural call graph based on the detection entry function set to obtain the first taint path set for the target application package.

15. An application detection apparatus, characterized in that the apparatus comprises:

an obtaining module, configured to obtain a target application package and an application benchmark package of an application;

a processing module, configured to perform decompilation and comparison processing on the target application package and the application benchmark package to obtain a difference class set for the target application package;

a detection module, configured to perform static taint detection on the target application package based on the difference class set to obtain a taint path set for the target application package.

16. A computer storage medium, characterized in that the computer storage medium stores a plurality of instructions, the instructions being suitable for being loaded by a processor to perform the method steps of any one of claims 1 to 14.

17. An electronic device, characterized by comprising: a processor and a memory; wherein the memory stores a computer program, the computer program being suitable for being loaded by the processor to perform the method steps of any one of claims 1 to 14.

CN202111574727.7A 2021-12-21 2021-12-21 Application detection method and device, storage medium and electronic equipment Pending CN114547604A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111574727.7A CN114547604A (en) 2021-12-21 2021-12-21 Application detection method and device, storage medium and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111574727.7A CN114547604A (en) 2021-12-21 2021-12-21 Application detection method and device, storage medium and electronic equipment

Publications (1)

Publication Number Publication Date
CN114547604A true CN114547604A (en) 2022-05-27

Family

ID=81668931

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111574727.7A Pending CN114547604A (en) 2021-12-21 2021-12-21 Application detection method and device, storage medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN114547604A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106933645A (en) * 2017-01-17 2017-07-07 深圳市能信安科技股份有限公司 A kind of Apk security risks automatic Static auditing system and method
CN110443043A (en) * 2019-07-31 2019-11-12 北京奇艺世纪科技有限公司 The leak detection method and equipment of a kind of pair of Android application program
CN113254001A (en) * 2021-07-06 2021-08-13 统信软件技术有限公司 Source code analysis method, computing device and storage medium

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115080984A (en) * 2022-06-30 2022-09-20 Oppo广东移动通信有限公司 Third-party library file vulnerability detection method, device, electronic device and storage medium
CN115080984B (en) * 2022-06-30 2024-12-17 Oppo广东移动通信有限公司 Third party library file vulnerability detection method and device, electronic equipment and storage medium
CN115632877A (en) * 2022-12-01 2023-01-20 成都九洲电子信息系统股份有限公司 Large-scale PCAP data correctness verification method, system and storage medium

Similar Documents

Publication Publication Date Title
CN111740948B (en) Data packet issuing method, dynamic updating method, device, equipment and medium
CN110531962B (en) Development processing method and device for applet and computer readable storage medium
CN111338623B (en) Method, device, medium and electronic equipment for developing user interface
CN109726217B (en) Database operation method, device, equipment and storage medium
CN113407165B (en) SDK generation and self-upgrade method, device, readable medium and equipment
CN112214653B (en) String recognition method, device, storage medium and electronic device
CN111796865B (en) Byte code file modification method, device, terminal equipment and medium
CN112527386B (en) Application distribution method and device
CN110609687A (en) Compiling method, device, electronic equipment and storage medium
CN114547604A (en) Application detection method and device, storage medium and electronic equipment
CN110928571A (en) Business program development method and device
CN112416303A (en) Software development kit thermal restoration method and device and electronic equipment
CN118673497A (en) Code risk detection method and device, electronic equipment and computer storage medium
EP3834080A1 (en) Static reconcilliation of application view hierarchies
CN113268221B (en) File matching method, device, storage medium and computer equipment
CN113254340B (en) A method and device for generating test cases
CN117632746A (en) Pile inserting processing method and device, storage medium and electronic equipment
CN113849242A (en) Method and device for generating and registering UI service package and loading UI service
US11775471B2 (en) System and method for caching converted files and compiling computer code from the cache
CN111274551B (en) Compiler-based java code protection method, device and electronic equipment
CN112068814A (en) Method, device, system and medium for generating executable file
CN112148318A (en) Application package issuing method, application method, device, medium, server and equipment
CN111008006A (en) RFC file modification method and device, storage medium and terminal
CN117349165A (en) Compiling and debugging method and device, storage medium and electronic equipment
CN113778386B (en) Component generation method, device, storage medium and electronic device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20250411

Address after: Changan town in Guangdong province Dongguan 523860 usha Beach Road No. 18

Applicant after: GUANGDONG OPPO MOBILE TELECOMMUNICATIONS Corp.,Ltd.

Country or region after: China

Address before: 311100 room 1001, building 9, Xixi bafangcheng, Wuchang Street, Yuhang District, Hangzhou City, Zhejiang Province

Applicant before: Hangzhou douku Software Technology Co.,Ltd.

Country or region before: China