CN114826732B - Dynamic detection and tracing method for android system privacy stealing behavior - Google Patents


Info

Publication number
CN114826732B
Authority
CN
China
Prior art keywords
privacy
flow
application
dynamic
interface
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210436724.5A
Other languages
Chinese (zh)
Other versions
CN114826732A (en)
Inventor
毛云龙
洪文博
华景煜
仲盛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing University
Original Assignee
Nanjing University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a dynamic detection and tracing method for privacy-stealing behavior on the Android system, comprising the following steps: step S01, dynamically generating use cases to cover the application's main behaviors; step S02, collecting and extracting the HTTP traffic generated by the application; step S03, analyzing the application's loading of external dynamic code according to the HTTP traffic; step S04, detecting, according to the HTTP traffic, leakage of private data to the parties that supply the external dynamic code; step S05, preliminarily screening out suspicious applications according to the results of the traffic analysis and detection; and step S06, performing cross-domain dynamic analysis on the suspicious applications for system forensics and source tracing. The invention provides a complete detection method that makes a preliminary judgment from outside the device based on traffic and then performs system forensics and source tracing according to that preliminary result, improving the robustness and effectiveness of detection.

Description

Dynamic detection and tracing method for android system privacy stealing behavior
Technical Field
The invention relates to the technical field of mobile terminal privacy security, and in particular to a dynamic detection and tracing method for privacy-stealing behavior on the Android system.
Background
With the advent of mobile operating systems such as Android and iOS, the smartphone opened the era of the mobile internet. People use their phones for shopping, social contact, entertainment and more. While enjoying this convenience, they also bear the privacy disclosure risks that phones bring. Today's mobile devices carry a great deal of personal information, and personally identifiable information, media and similar data can be stolen through the phone.
WebView on the phone is an open-source development component used to host web pages; it also provides a permission-proxy capability.
For example, in a hybrid application the developer builds part of the application from web pages to increase iteration speed and allow real-time updates. To grant the system permissions held by the native application to the web content loaded in the WebView, the developer can define a custom permission proxy using JSBridge technology. However, the behavior of code inside the web container is not visible to the system; that is, the dynamic web code loaded into the container is not controllable. This creates a potential risk of privacy disclosure.
More and more applications now integrate external third-party web code through WebView, and that third-party code is granted many privacy-sensitive permissions through permission proxies, so external dynamic code can steal private data dynamically and without restriction. Studies have shown that this poses a serious risk of privacy disclosure, and related incidents have occurred. On the one hand, flaws in the implementation of the permission-proxy mechanism can expose privacy permissions that were never meant to be proxied; on the other hand, flaws in the design of the application's access-control policy for the proxied permissions can lead to some degree of privilege escalation. Because permissions are proxied in unsound ways, the loaded external third-party web code, and any fourth-party services or code it uses, have the opportunity to steal private data by exploiting these implementation or design flaws, causing a serious privacy disclosure crisis. However, because cross-domain interface calls from the system's native side to the web side are difficult to monitor in real time, there is no reliable way to detect and determine the mobile privacy leakage introduced by web-technology permission proxies.
It is therefore desirable to provide an efficient and reliable scheme that detects this problem and, for the web code it flags, collects forensic evidence and traces the source of the privacy leak.
Disclosure of Invention
To address privacy disclosure through web-technology permission proxies, and to discover such behavior and obtain evidence for source tracing, the invention provides a complete detection method. It solves the privacy disclosure problem that arises because, in the prior art, cross-domain interface calls from the system's native side to the web side cannot be monitored in real time. It makes a preliminary judgment from outside the device based on traffic, performs system forensics and source tracing according to that preliminary result, and improves the robustness and effectiveness of detection.
To achieve this purpose, the technical scheme of the invention is implemented as follows:
A dynamic detection and tracing method for privacy-stealing behavior on the Android system, characterized by comprising the following steps:
step S01: dynamically generating use cases to cover the application's main behaviors;
step S02: collecting and extracting the HTTP traffic generated by the application;
step S03: analyzing the application's loading of external dynamic code according to the HTTP traffic;
step S04: detecting, according to the HTTP traffic, leakage of private data to the parties that supply the external dynamic code, which comprises the following steps:
step S0401: for each traffic source, extracting the privacy content carriers, namely the URLs, POST request bodies and Cookie contents in the HTTP traffic, as traffic privacy features; presetting a group of privacy keywords for each type of private information, and detecting by text fuzzy matching whether the traffic privacy features contain private information;
step S0402: matching the traffic privacy features against the preset privacy keywords to obtain a matching score;
step S0403: performing random-character matching on each traffic privacy feature to obtain a matching reference score;
step S0404: normalizing the matching score with the matching reference score, that is, normalizing the matching score of each traffic privacy feature with the reference score obtained in S0403;
step S0405: after all the traffic of an application has been matched, taking the highest score obtained for each keyword as the score of that privacy keyword;
step S0406: comparing the score of a privacy keyword with a set threshold; if the score is smaller than the set threshold, the match is unsuccessful and the traffic is judged not to contain a leak of that private information;
if the score is larger than the set threshold, the match is successful and the traffic is judged to contain a leak of that private information;
step S05: preliminarily screening out suspicious applications according to the results of the traffic analysis and detection: a third party to which personal private data has leaked and which can execute dynamic code is marked as a privacy-stealing party, the application is marked as suspicious and step S06 is entered; otherwise the detection ends;
step S06: performing cross-domain dynamic analysis on the suspicious application for system forensics and source tracing.
In a further preferred technical scheme of the invention, step S03 comprises the following steps:
step S0301: analyzing what each HTTP request loads according to the traffic URL, and judging whether a dynamic code carrier or JavaScript file is present;
step S0302: judging the traffic source according to the traffic domain name and the SSL certificate; associating domain names with one another by a domain name classification technique, in which web page sources with the same domain name, common name or organization name are associated and identified as the same source; classifying and analyzing the domain names offline, and analyzing the operating entity behind them;
step S0303: determining, according to the traffic source and content, that the entity operating the traffic can run dynamic code inside the application; identifying external dynamic code that does not belong to the application itself as external third-party dynamic web code, and marking the application.
Preferably, step S06 comprises:
step S0601: dynamically monitoring the application's running state and obtaining the application's call chain to the permission interface;
step S0602: obtaining the interfaces that may be used for permission proxying through web technology, and inserting a caller capture module into them;
step S0603: recording interface calls and matching the permission-interface call chain to the web-technology permission proxy interface; a random number is inserted into the web-technology permission proxy interface and the caller capture module as a specific identification ID to confirm that the two are associated, thereby obtaining the call chain from the web-side caller to the web-technology permission proxy interface;
step S0604: obtaining the complete call chain, and with it the calls that third-party web code in the application makes to the permission interface; once the complete call chain is obtained, the call to the permission interface and the web-side caller are confirmed, that is, it is confirmed whether external third-party dynamic code calls the system permission interface through the web page's permission proxy to obtain the corresponding private information;
step S0605: completing forensics and source tracing.
Preferably, in step S0602, the caller capture module is a code module that obtains the caller by combining a web interface with system features: it obtains the current page URL inside the web page through a front-end interface, calls back to the system, and captures the result through an intrusive system technique.
Preferably, in step S01, the preset set of applications is tested automatically using dynamic test cases produced by an automated dynamic use-case generation tool.
Preferably, in step S02, the HTTP traffic generated by a specific application is collected and extracted, including the URL, POST request and Cookie content of HTTP traffic, or the domain, organization and common name fields of the SSL certificate of HTTPS traffic.
The technical scheme of the application has at least the following technical effects or advantages:
1) The method for detecting mobile privacy disclosure can prejudge, detect and trace the privacy trading or privacy infringement that permission proxying through web technology may bring.
2) The detection method can perform preliminary privacy disclosure detection on applications for most operating systems, including Android, through traffic analysis, and can determine whether external dynamic code is loaded.
3) By adopting cross-domain dynamic analysis, the invention effectively solves the technical problem that the prior art cannot monitor cross-domain interface calls from the system's native side to the web side in real time, and thereby achieves reliable forensics and source tracing of calls from the web side to the system permission interface.
Drawings
FIG. 1 is a schematic overall flowchart of a detecting and tracing method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a system for forensics according to an embodiment of the invention;
FIG. 3 is a diagram illustrating an abstraction of thread correlation techniques according to an embodiment of the present invention.
Detailed Description
For a better understanding of the technical solution, it is described in detail below with reference to the drawings and specific embodiments.
This embodiment takes the Android platform as an example and combines traffic analysis with system forensics to achieve efficient and reliable dynamic detection and tracing of mobile privacy-stealing behavior carried out through web-technology permission proxies.
As shown in FIG. 1, the schematic overall flowchart of the detection and tracing method of this embodiment, the specific steps are:
Step S01: dynamically generate use cases to cover the application's main behaviors. On the Android platform, the automated test case generation tool DroidPot, which is based on the capabilities of the Android accessibility suite, and a manual tool that simulates manual operation are used to generate automated, human-like dynamic test cases that cover as many cases as possible.
Step S02: collect and extract the HTTP traffic generated by the application. To capture the traffic generated by a particular application, this embodiment uses the intermediate network proxy mitmproxy as the traffic capture tool; capturing on the device or through other network proxies may also be considered. When traffic leaves the system it goes out through a client port; on the Android platform that port corresponds to a UID, and the UID can be regarded as the unique identifier of the application. When mitmproxy is used to capture traffic, the corresponding UID can also be obtained, so the HTTP traffic of a specific application can be identified and captured. HTTPS traffic can also be captured by installing the intermediate proxy's certificate on the client.
When capturing traffic, rules can be preset to extract the required traffic features. Given the needs of the following steps, the features to extract are the URL of the traffic, the HTTP POST request body, the Cookie content, and the domain, organization, common name and similar fields of the SSL certificate.
Step S03: analyze the application's loading of external dynamic code according to the HTTP traffic.
Step S03 specifically includes:
Step S0301: analyze what each HTTP request loads according to the traffic URL, and judge whether a dynamic code carrier or JavaScript file is present. A Uniform Resource Locator (URL) is a notation for specifying the location of information on web servers on the internet. Dynamic web content generally has a characteristic URL suffix; for example, js is the suffix of JavaScript URLs and html is the suffix of HTML pages. js files, html/shtml pages, and do/action/jsp/php/asp pages and the like are treated as carriers of dynamic web code.
Step S0302: judge the traffic source according to the traffic domain name and the content of the SSL certificate, associate domain names with one another by a custom domain name classification technique, and analyze the operating entity behind them to improve the reliability of the source. To determine whether web content comes from the application itself or from an external party, its source must be determined.
Generally, the source of a URL can be determined from its domain name, but many companies today have more than one domain name, so the domain names need to be classified to improve the accuracy of source determination. This embodiment associates related domain names using the content of the SSL certificate. An SSL certificate usually includes a domain name (domain), a common name (CN) and an organization name (organization): the domain name generally corresponds to the URL domain name, the organization name generally refers to the operating entity behind the domain name, and the common name may be either the domain name or the organization name. The domain name classification technique specifically means associating web page sources that have the same domain name, common name or organization name, identifying them as the same source, and classifying the domain names offline to improve the reliability of the source.
Step S0303: determine, according to the traffic source and content, that the entity operating the traffic can run dynamic code inside the application, and mark it. After the dynamic web code loaded by the application and its source have been determined, external dynamic code that does not belong to the application itself is identified as external third-party dynamic web code, and the application is marked.
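A sketch of steps S0301 to S0303 in Python, added here as an illustration and not taken from the patent: it flags dynamic-code carriers by URL suffix, merges hosts that share a certificate common name or organization, and reports the sources other than the application's own that delivered dynamic code. The record layout, the host names and the `first_party_host` parameter are assumptions, and the flows are constructed sample data.

```python
import posixpath
from urllib.parse import urlsplit

# Suffixes the description lists as carriers of dynamic web code.
DYNAMIC_SUFFIXES = {".js", ".html", ".shtml", ".do", ".action", ".jsp", ".php", ".asp"}

# Constructed flow records (hypothetical shape): the request URL plus the common
# name and organization read from the server's SSL certificate.
SAMPLE_FLOWS = [
    {"url": "https://app.example.com/index.html", "cn": "*.example.com", "org": "Example Corp"},
    {"url": "https://cdn.example-static.net/lib/core.js", "cn": "cdn.example-static.net", "org": "Example Corp"},
    {"url": "https://sdk.tracker.test/v2/loader.js?cb=1", "cn": "*.tracker.test", "org": "Tracker Ltd"},
    {"url": "https://img.tracker.test/pixel.png", "cn": "*.tracker.test", "org": ""},
    {"url": "https://api.partner.test/data.json", "cn": "api.partner.test", "org": "Partner Inc"},
]


def is_dynamic_carrier(url):
    """S0301: does the URL path end in a suffix that carries dynamic code?"""
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    return ext in DYNAMIC_SUFFIXES


def group_sources(flows):
    """S0302: hosts sharing a domain name, CN or organization are one source."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for flow in flows:
        node = ("host", urlsplit(flow["url"]).hostname)
        find(node)
        for kind in ("cn", "org"):
            value = flow.get(kind, "").strip().lower()
            if value:  # an empty certificate field must not link anything
                union(node, (kind, value))

    groups = {}
    for node in list(parent):
        if node[0] == "host":
            groups.setdefault(find(node), set()).add(node[1])
    return list(groups.values())


def third_party_dynamic_sources(flows, first_party_host):
    """S0303: sources other than the app's own that delivered dynamic code."""
    dynamic_hosts = {
        urlsplit(f["url"]).hostname for f in flows if is_dynamic_carrier(f["url"])
    }
    result = []
    for hosts in group_sources(flows):
        if first_party_host in hosts:
            continue  # the application's own source, including its CDN
        if hosts & dynamic_hosts:
            result.append(sorted(hosts))
    return sorted(result)


if __name__ == "__main__":
    print(third_party_dynamic_sources(SAMPLE_FLOWS, "app.example.com"))
```

The CDN host is attributed to the application because its certificate names the same organization, while the image host is pulled into the tracker's source by the shared wildcard common name.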
Step S04: detect, according to the HTTP traffic, leakage of private data to the parties that supply the external dynamic code.
Step S04 specifically includes:
Step S0401: for each traffic source, extract the private data carriers, namely the URL, POST request body and Cookie content in the HTTP traffic, as traffic privacy features.
Many mobile privacy leaks are transmitted over HTTP, and the transmission paths include the HTTP URL (that is, the GET request content), the POST request body and the Cookie content. As shown in Table 1, a number of privacy keywords are preset, and text fuzzy matching is used to detect whether a private data carrier, that is, a traffic privacy feature, contains private information. We denote the keywords by $S_{k,j}$, $0 < j < 4$, where $k$ is the number of keywords of the $j$-th type of private information, and abbreviate this to $S_k$.
TABLE 1
Figure BDA0003613792770000081
Step S0402: match the traffic privacy features against the preset privacy keywords to obtain a matching score. This embodiment uses the Levenshtein distance as the measure for fuzzy matching. The Levenshtein distance is the minimum number of character edits (insertions, deletions or substitutions) needed to convert one string into another, and can be used to measure semantic distance. It can be used for fuzzy string matching in private data leakage detection, but the problem is how to determine the detection threshold, that is, above or below what value of the normalized semantic distance, the Levenshtein ratio (the matching length minus the Levenshtein distance, divided by the matching length), a carrier is judged to contain the private information corresponding to the matched keyword.
Step S0403: the traffic privacy features are random in nature, that is, for the same matching keyword $S_k$ the matching result differs for each traffic privacy feature $S_t$, and the traffic privacy features carry certain patterns of their own. Random-character matching is therefore performed on each traffic privacy feature to obtain a matching reference used to normalize the matching result. In this example, random strings of the same length as the keyword are used as reference keywords and matched against the matching target (the private data carrier) several times to obtain a reference score, which gives a reference value for the matching score based on the randomness of each private data carrier.
Specifically, $dis(S_k, S_t)$ is defined as the Levenshtein ratio between $S_k$ and $S_t$, and the $n$ traffic privacy features of a traffic source of the application under test are denoted $S_t$, $0 < t < n$. Then for a given $S_k$ and any two different privacy features $S_t$ and $S_{t'}$, in general $0 \le dis(S_k, S_t) \ne dis(S_k, S_{t'}) < \theta < 100$, where $\theta$ can be a very small value. This means that even if neither $S_t$ nor $S_{t'}$ contains the private information corresponding to $S_k$, their matching results still differ, mainly because $S_t$ carries patterns of its own that affect the Levenshtein distance. To deal with this, for matching keywords of length $|S_k|$, random strings $S_r$, $0 < r < R$, with $l = |S_r| = |S_k|$ are taken, giving $norm(l, S_t) = \frac{1}{R}\sum_{0<r<R} dis(S_r, S_t)$, the matching reference value for traffic privacy feature $S_t$ and keywords of the specific length $l$, where $R$ is the number of random matches, set empirically.
Step S0404: normalize the matching score with the matching reference score; the matching score of each private data carrier is normalized with the reference value obtained in S0403.
Specifically, in this embodiment, $dis'(S_k, S_t) = \max(0, dis(S_k, S_t) - norm(|S_k|, S_t))$ is the final matching score of traffic privacy feature $S_t$ and matching keyword $S_k$.
Step S0405: after all the traffic of a traffic source of an application has been matched, take the highest score obtained for each keyword. HTTP traffic from one source contains multiple private data carriers; for each privacy keyword, the maximum of the scores over all private data carriers is taken as the score of that keyword. In this embodiment, for all traffic from host in the application under test $i$, that is $App_{i,host}$, and all matching keywords $S_k$, we finally need to find
Figure BDA0003613792770000101
Step S0406: determine whether the match is successful according to a given threshold. A threshold is preset empirically to judge whether the traffic contains a leak of certain private data, and the threshold and the matching score together determine whether the traffic of a source contains private data. In this embodiment the threshold is set to 50; the invention is not limited to this threshold or to this empirical way of determining it. Specifically,
Figure BDA0003613792770000102
When
Figure BDA0003613792770000103
this indicates that, for traffic source host, application $i$ leaks the private information corresponding to $S_k$.
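The scoring of steps S0402 to S0406, worked through in Python as an added example that is not code from the patent. It assumes the Levenshtein ratio is taken on a 0 to 100 scale against the best keyword-length window of the carrier, that R = 30, and that the keywords shown stand in for Table 1; the carriers are constructed sample data.

```python
import random
import string

THRESHOLD = 50   # threshold used in this embodiment
R = 30           # number of random reference matches (assumed value)
ALPHABET = string.ascii_lowercase + string.digits

# Constructed carriers for one traffic source: a URL, a POST body and a Cookie.
SAMPLE_CARRIERS = [
    "https://sdk.tracker.test/collect?imei=867530912345678&os=android",
    "latitude=32.0603&longitude=118.7969&model=pixel",
    "sid=9f3a1c77e2",
]
# Assumed keywords; Table 1 of the patent is not reproduced on this page.
SAMPLE_KEYWORDS = ["imei", "latitude", "phone_number"]


def levenshtein(a, b):
    """Minimum number of insertions, deletions and substitutions turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def dis(keyword, carrier):
    """Levenshtein ratio (0..100) of the keyword against its best-matching window.

    Assumption: the "matching length" is the keyword length, and the keyword is
    compared with every window of that length in the carrier.
    """
    k, c = keyword.lower(), carrier.lower()
    if not k:
        return 0.0
    n = len(k)
    windows = [c[i:i + n] for i in range(max(1, len(c) - n + 1))]
    best = min(levenshtein(k, w) for w in windows)
    return 100.0 * (n - best) / n


def norm(length, carrier, rounds=R, seed=0):
    """S0403: mean score of random strings of the keyword's length (the baseline)."""
    rng = random.Random(seed)  # fixed seed so the baseline is reproducible
    total = 0.0
    for _ in range(rounds):
        probe = "".join(rng.choice(ALPHABET) for _ in range(length))
        total += dis(probe, carrier)
    return total / rounds


def dis_prime(keyword, carrier):
    """S0404: score with the carrier's own random-match baseline removed."""
    return max(0.0, dis(keyword, carrier) - norm(len(keyword), carrier))


def score_source(carriers, keywords):
    """S0405: per keyword, the highest normalized score over all carriers."""
    return {k: max(dis_prime(k, c) for c in carriers) for k in keywords}


def leaked_keywords(carriers, keywords, threshold=THRESHOLD):
    """S0406: keywords whose score exceeds the threshold."""
    scores = score_source(carriers, keywords)
    return sorted(k for k, s in scores.items() if s > threshold)


if __name__ == "__main__":
    for keyword, score in score_source(SAMPLE_CARRIERS, SAMPLE_KEYWORDS).items():
        print(f"{keyword:13s} {score:6.1f}")
    print(leaked_keywords(SAMPLE_CARRIERS, SAMPLE_KEYWORDS))
```

Short keywords have a high random baseline, because a four-character probe easily finds a window sharing one or two characters, which is why the baseline is computed per keyword length and per carrier.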
Step S05: preliminarily screen out suspicious applications according to the results of the traffic analysis and detection; if an application may be leaking private data to third-party dynamic code, go to step S06, otherwise end. That is, if the detection result shows that the application loads dynamic web code from a third-party source and that private data is transmitted to that third-party source, the application is identified as suspicious and goes on to the next stage of detection; otherwise the detection ends.
Step S06: perform cross-domain dynamic analysis on the suspicious application for system forensics and source tracing. This embodiment performs system forensics on the Android platform. The traffic analysis above is not considered strongly platform-dependent, but system forensics requires the platform's corresponding tooling support and systematic work, so the description here focuses on the methodology of forensics and source tracing.
As shown in FIG. 2, step S06 specifically includes:
Step S0601: dynamically monitor the application's running state and obtain the application's call chain to the permission interface. In this embodiment, on the Android platform, the built-in Java StackTrace is used to obtain the call stack of an interface within a single thread, and the thread correlation technique shown in FIG. 3 is used to splice together the call stacks of interfaces in different threads, yielding the complete Android-side call chain.
Specifically, a multi-threaded task has an initiator and a receiver, and different threads can be associated by handling the possible task initiators and receivers in the various multi-threading mechanisms.
Step S0602: obtain the interfaces that may be used for permission proxying through web technology, and insert a caller capture module into them. In this embodiment, an intrusive system technique is used to trigger the different containers and obtain the possible permission proxy interfaces, and the caller capture module is inserted there.
Specifically, an intrusive system technique (on the Android platform, AOSP with Hook techniques or custom modifications) is used to obtain the WebView loaded by the system and its possible permission proxy interfaces.
Specifically, the caller capture module refers to obtaining a current page URL in a web page using a front-end interface such as document.
Step S0603: record interface calls and match the permission-interface call chain to the web-technology permission proxy interface; the Android-side call chain is associated with the caller obtained through the caller capture module. Specifically, a floating-point number between 0 and 1 produced by a random number generator is inserted as a specific identification ID in both the permission proxy interface and the caller capture module to confirm the association.
Step S0604: obtain the complete call chain, and with it the calls that third-party web code in the application makes to the permission interface. Once the complete call chain is obtained, the call to the permission interface and the web-side caller can be confirmed; that is, it can be confirmed whether external third-party dynamic code calls the system permission interface through the web page's permission proxy to obtain private data.
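An added Python example, not part of the patent, of how the records from steps S0601 to S0604 could be joined: per-thread stacks are spliced across thread hand-offs, and the random identification ID links the permission proxy call to the page URL reported by the caller capture module. All record shapes, class names and host names are hypothetical, and the data is constructed.

```python
from urllib.parse import urlsplit

# Constructed hook output (hypothetical record shapes, innermost frame first).
PERMISSION_CALLS = [
    {"api": "LocationManager.getLastKnownLocation", "thread": "pool-1-thread-2",
     "stack": ["LocationManager.getLastKnownLocation", "LocationHelper.read", "Worker.run"]},
    {"api": "TelephonyManager.getDeviceId", "thread": "main",
     "stack": ["TelephonyManager.getDeviceId", "MainActivity.onCreate"]},
]
# Task hand-offs between threads: the receiver runs work the initiator queued.
THREAD_LINKS = [
    {"receiver": "pool-1-thread-2", "initiator": "JavaBridge",
     "initiator_stack": ["Executor.execute", "AppBridge.getLocation"]},
]
# One record per permission proxy invocation, tagged with the random ID.
BRIDGE_CALLS = [
    {"id": "0.4183920157", "method": "AppBridge.getLocation", "thread": "JavaBridge"},
]
# Caller capture module output: the same ID plus the page URL seen in the WebView.
CALLER_CAPTURES = [
    {"id": "0.4183920157", "page_url": "https://sdk.tracker.test/ad/frame.html"},
]


def splice_chain(call, thread_links):
    """S0601: extend a single-thread stack across thread hand-offs."""
    frames = list(call["stack"])
    threads = [call["thread"]]
    by_receiver = {link["receiver"]: link for link in thread_links}
    current = call["thread"]
    # Walk receiver -> initiator; the membership test stops on cyclic links.
    while current in by_receiver and by_receiver[current]["initiator"] not in threads:
        link = by_receiver[current]
        frames.extend(link["initiator_stack"])
        current = link["initiator"]
        threads.append(current)
    return frames, threads


def trace(permission_calls, thread_links, bridge_calls, caller_captures, first_party_hosts):
    """S0603/S0604: join native call chains to web-side callers through the ID."""
    url_by_id = {c["id"]: c["page_url"] for c in caller_captures}
    findings = []
    for call in permission_calls:
        frames, threads = splice_chain(call, thread_links)
        for bridge in bridge_calls:
            if bridge["method"] not in frames or bridge["thread"] not in threads:
                continue  # this permission call did not pass through the proxy
            page_url = url_by_id.get(bridge["id"])
            if page_url is None:
                continue  # no web-side capture for this ID: cannot attribute
            host = urlsplit(page_url).hostname
            findings.append({
                "api": call["api"],
                "chain": frames + ["web:" + page_url],
                "caller_host": host,
                "third_party": host not in first_party_hosts,
            })
    return findings


if __name__ == "__main__":
    for finding in trace(PERMISSION_CALLS, THREAD_LINKS, BRIDGE_CALLS,
                         CALLER_CAPTURES, {"app.example.com"}):
        print(finding)
```

The second permission call never crosses a permission proxy interface, so it produces no finding; only the location call is attributed to a web-side caller.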
The foregoing is only a preferred embodiment of the invention. It should be noted that those skilled in the art can make modifications without departing from the principle of the invention, and such modifications should also be considered within the protection scope of the invention.

Claims (6)

1. A dynamic detection and tracing method for android system privacy stealing behaviors is characterized by comprising the following steps:
s01, dynamically generating a use case to cover main application behaviors;
s02, collecting and extracting HTTP traffic generated by the application;
step S03, analyzing the loading condition of the external dynamic code of the application according to the HTTP flow;
s04, detecting the privacy data leakage condition corresponding to the external dynamic code party according to the HTTP flow, wherein the detecting step comprises the following steps:
step S0401: for each flow source, extracting privacy content carriers, namely URLs (uniform resource locators), POST (POST position) request bodies and Cookie contents in HTTP (hyper text transport protocol) flow as flow privacy characteristics; presetting a group of privacy keywords according to different privacy information types, and detecting whether the privacy information is contained in the flow privacy characteristics through a text fuzzy matching method;
step S0402: matching the flow privacy characteristics according to preset privacy keywords to obtain matching scores;
step S0403: carrying out random character matching on each flow privacy feature to obtain a matching reference score;
step S0404: normalizing the matching score by using the matching reference score, namely normalizing the matching score of each flow privacy feature by using the reference score obtained in S0403;
step S0405: after matching all the flows of a certain application, taking the highest score corresponding to each keyword as the score of a certain privacy keyword;
step S0406: comparing the score of a certain privacy keyword with a set threshold, if the score is smaller than the set threshold, the matching is unsuccessful, and the flow is judged not to contain the privacy information leakage;
if the score is larger than the set threshold value, matching is successful, and the flow is judged to contain the leakage of the privacy information;
step S05, preliminarily screening out suspicious applications according to the results of flow analysis and detection, marking the three parties with leaked personal privacy and capable of executing dynamic codes as privacy stealing parties, marking the applications as suspicious applications and entering step S06, otherwise, ending the detection;
and S06, performing cross-domain dynamic analysis on the suspicious application to perform system forensics and traceability.
2. The method for dynamically detecting and tracing the privacy stealing behavior of the Android system according to claim 1, wherein the step S03 comprises the steps of:
step S0301: analyzing the content loaded by the HTTP request according to the traffic URL, and judging whether a dynamic code carrier or a JavaScript file exists;
step S0302: judging the traffic source according to the traffic domain name and SSL certificate; associating domain names with each other through a domain name classification technique, so that web page sources sharing the same domain name, common name or organization name are identified as the same source; classifying the domain names offline and analyzing the operating entity behind them;
step S0303: according to the traffic source and content, determining that the entity operating the traffic can run dynamic code in the application, identifying external dynamic code that does not belong to the application as dynamic web page code of an external third party, and marking the application.
3. The dynamic detection and tracing method of Android privacy stealing behavior of claim 1, characterized in that: the step S06 includes:
step S0601: dynamically monitoring the running state of the application and acquiring the application's call chain to the permission interface;
step S0602: acquiring the interfaces that may be used to proxy permissions through web technology, and inserting a caller capture module into those interfaces;
step S0603: recording the interface calls, matching the permission interface call chain to the web-technology permission proxy interface, and inserting random numbers into the web-technology permission proxy interface and the caller capture module as unique identification IDs to confirm that the two are associated, thereby obtaining the call chain from the web-side caller to the web-technology permission proxy interface;
step S0604: obtaining the complete call chain, and thereby how third-party web page code in the application calls the permission interface; once the complete call chain is obtained, the calls to the permission interface and the web-side caller are confirmed, that is, it is confirmed whether external third-party dynamic code calls the system permission interface through the web page's permission proxy to obtain the corresponding privacy information;
step S0605: completing forensics and tracing.
4. The dynamic detection and tracing method of Android privacy stealing behavior of claim 3, characterized in that: in the step S0602, the caller capture module is a code module that identifies the caller by combining a web interface with system features: it obtains the URL of the current web page through a front-end interface, passes the URL back to the system through a callback, and captures the result with an invasive system technique.
5. The dynamic detection and tracing method of Android privacy stealing behavior of claim 1, characterized in that: in the step S01, dynamic test cases generated by an automated dynamic case generation tool are used to perform automated detection on a preset set of applications.
6. The dynamic detection and tracing method of Android privacy stealing behavior of claim 1, characterized in that: in the step S02, HTTP traffic generated by a specific application is collected and extracted, including the URL, POST request and Cookie content of HTTP traffic, or the domain, organization and common name items of the SSL certificate of HTTPS traffic.
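The keyword scoring of steps S0401 to S0406 in claim 1, as an added Python example that is not part of the patent text. The keyword lists, the 0.7 threshold, the difflib sliding-window similarity, the mean-of-random-strings baseline and the (raw - ref) / (1 - ref) normalization are assumptions, since the claim fixes none of them; the sample flows are constructed.

```python
import random
import string
from difflib import SequenceMatcher

# Assumed keyword groups per privacy type (S0401); the claims do not list them.
PRIVACY_KEYWORDS = {"location": ["latitude", "longitude"], "device_id": ["imei", "android_id"]}
THRESHOLD = 0.7  # assumed value for the S0406 threshold

def fuzzy_score(keyword, text):
    """S0402: best similarity of `keyword` to any same-length window of `text` (0..1)."""
    text, k = text.lower(), len(keyword)
    windows = [text[i:i + k] for i in range(max(1, len(text) - k + 1))]
    return max(SequenceMatcher(None, keyword, w).ratio() for w in windows)

def reference_score(text, length, rng, trials=20):
    """S0403: mean score of random strings of the keyword's length on the same feature."""
    rand = ("".join(rng.choices(string.ascii_lowercase, k=length)) for _ in range(trials))
    return sum(fuzzy_score(r, text) for r in rand) / trials

def normalized_score(keyword, text, rng):
    """S0404: rescale so the random baseline maps to 0 and an exact hit to 1.
    Short keywords such as "imei" reach about 0.5 by chance; the baseline removes that."""
    raw, ref = fuzzy_score(keyword, text), reference_score(text, len(keyword), rng)
    return 0.0 if ref >= 1.0 else max(0.0, (raw - ref) / (1.0 - ref))

def score_application(flows, seed=0):
    """S0405: per keyword, keep the highest normalized score over all flows."""
    rng = random.Random(seed)  # seeded so a run is reproducible
    best = {kw: 0.0 for kws in PRIVACY_KEYWORDS.values() for kw in kws}
    for flow in flows:
        for feature in (flow["url"], flow["post_body"], flow["cookie"]):
            if not feature:
                continue
            for kw in best:
                best[kw] = max(best[kw], normalized_score(kw, feature, rng))
    return best

def leaked_keywords(flows, threshold=THRESHOLD):
    """S0406: keywords whose best score is larger than the threshold."""
    return sorted(kw for kw, s in score_application(flows).items() if s > threshold)

# Constructed sample flows (not captured traffic); "longtitude" is deliberately misspelled.
SAMPLE_FLOWS = [
    {"url": "http://ads.example/track?Latitude=32.05&longtitude=118.78",
     "post_body": "", "cookie": "sid=9f2c"},
    {"url": "http://cdn.example/app.js", "post_body": "", "cookie": ""},
]
```

The misspelled parameter still clears the threshold through fuzzy matching, while `imei` does not, because its raw score is no better than what random four-letter strings achieve on the same feature.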
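The source attribution of claim 2 (steps S0301 to S0303), as an added Python example that is not code from the patent. It assumes the last two host labels approximate the registered domain, that a `.js` URL path marks a dynamic code carrier, and that certificate fields arrive in a `cert` dict; all hosts, certificate values and function names are constructed.

```python
from urllib.parse import urlsplit

def source_keys(flow):
    """S0302: identifiers that tie a host to an operator (domain, cert CN, cert O)."""
    host = urlsplit(flow["url"]).hostname or ""
    # Assumption: last two labels stand in for the registered domain (no public-suffix list).
    keys = {"domain:" + ".".join(host.split(".")[-2:])}
    cert = flow.get("cert") or {}
    keys |= {f"{field}:{cert[field].lower()}" for field in ("cn", "org") if cert.get(field)}
    return host, keys

def group_sources(flows):
    """S0302: union hosts that share any key; returns {host: group representative}."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    hosts = set()
    for flow in flows:
        host, keys = source_keys(flow)
        hosts.add(host)
        for key in keys:
            parent[find(key)] = find(host)
    return {h: find(h) for h in hosts}

def third_party_script_hosts(flows, first_party_host):
    """S0301 + S0303: hosts serving JavaScript from outside the app's own source group."""
    groups = group_sources(flows)
    own = groups[first_party_host]
    flagged = set()
    for flow in flows:
        url = urlsplit(flow["url"])
        host = url.hostname or ""
        is_script = url.path.lower().endswith(".js")  # S0301: dynamic code carrier
        if is_script and groups[host] != own:          # S0303: external operator
            flagged.add(host)
    return sorted(flagged)

# Constructed sample traffic; the app's own backend is assumed to be api.shopapp.example.
SAMPLE_TRAFFIC = [
    {"url": "https://api.shopapp.example/v1/home",
     "cert": {"cn": "*.shopapp.example", "org": "ShopApp Ltd"}},
    {"url": "https://static.shopapp-cdn.example/ui.js",
     "cert": {"cn": "*.shopapp-cdn.example", "org": "ShopApp Ltd"}},
    {"url": "https://sdk.adnet.example/collect.js",
     "cert": {"cn": "sdk.adnet.example", "org": "AdNet Inc"}},
    {"url": "http://img.adnet.example/banner.png"},
]
```

The CDN host is folded into the app's own group through the shared certificate organization name, so only the ad SDK's script host is reported as external dynamic code.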
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210436724.5A CN114826732B (en) 2022-04-25 2022-04-25 Dynamic detection and tracing method for android system privacy stealing behavior

Publications (2)

Publication Number Publication Date
CN114826732A CN114826732A (en) 2022-07-29
CN114826732B true CN114826732B (en) 2023-01-06

Family

ID=82508426

Country Status (1)

Country Link
CN (1) CN114826732B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant