CN115552401A - Fast application detection method, device, equipment and storage medium - Google Patents

Fast application detection method, device, equipment and storage medium

Publication number
CN115552401A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202080100497.8A
Other languages
Chinese (zh)
Inventor
汪泽宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangdong Oppo Mobile Telecommunications Corp Ltd
Shenzhen Huantai Technology Co Ltd
Original Assignee
Guangdong Oppo Mobile Telecommunications Corp Ltd
Shenzhen Huantai Technology Co Ltd
Application filed by Guangdong Oppo Mobile Telecommunications Corp Ltd, Shenzhen Huantai Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Abstract

The application discloses a fast application detection method, apparatus, device and storage medium. The method comprises: acquiring an installation package of at least one fast application to be detected; acquiring a detection rule configured in advance for the at least one fast application; and performing security detection on the at least one fast application based on the detection rule to obtain a detection result, wherein the detection of the fast application comprises static detection and/or dynamic detection. With preset detection rules, including static detection rules and/or dynamic detection rules, fast applications are thus detected automatically and in batches according to those rules, so that fast applications with security vulnerabilities are located quickly and the efficiency of fast application security detection is improved.

Description

Fast application detection method, device, equipment and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method, an apparatus, a device, and a storage medium for fast application detection.
Background
A fast application is a new form of Android application for which nine major mobile phone manufacturers jointly established a standard; users can use a fast application with a tap, without installing it. Fast applications are divided into the fast application rpk and the fast application platform, where rpk is the file format of a fast application installation package.
At present, no automated tool or scheme exists for detecting security vulnerabilities and privacy compliance issues in fast applications. Either the rpk is unpacked and the security and privacy compliance of the JS (JavaScript) code files is checked manually, or the rpk is installed and run on a real device and security vulnerabilities and privacy compliance are checked by debugging and packet capture. JavaScript is the programming language used by fast applications.
However, manual static code audit and dynamic debugging with packet capture cannot be automated or run in batches, and are inefficient. Both methods essentially depend on manual work, so the quality of the detection result depends entirely on the experience and technical level of the detection personnel, and vulnerabilities may be missed or go unreported.
Disclosure of Invention
In order to solve the foregoing technical problem, embodiments of the present application provide a method, an apparatus, a device, and a storage medium for fast application detection.
In a first aspect, an embodiment of the present application provides a fast application detection method, where the method includes:
acquiring an installation package of at least one fast application to be detected;
acquiring a detection rule configured for the at least one fast application in advance;
based on the detection rule, performing security detection on the at least one fast application to obtain a detection result; wherein the detection of the fast application comprises static detection and/or dynamic detection.
In a second aspect, an embodiment of the present application provides a fast application detection apparatus, where the apparatus includes:
the acquisition part is configured to acquire an installation package of at least one fast application to be detected; acquiring a detection rule configured for the at least one fast application in advance;
the detection part is configured to perform security detection on the at least one fast application based on the detection rule to obtain a detection result; wherein the detection of the fast application comprises static detection and/or dynamic detection.
The embodiments of the application provide a fast application detection method, apparatus, device and storage medium. The method comprises: acquiring an installation package of at least one fast application to be detected; acquiring a detection rule configured in advance for the at least one fast application; and performing security detection on the at least one fast application based on the detection rule to obtain a detection result, wherein the detection of the fast application comprises static detection and/or dynamic detection. With preset detection rules, including static detection rules and/or dynamic detection rules, fast applications are thus detected automatically and in batches according to those rules, so that fast applications with security vulnerabilities are located quickly and the efficiency of fast application security detection is improved.
Drawings
FIG. 1 is a schematic flow chart of a fast application detection method in an embodiment of the present application;
FIG. 2 is a first flowchart of a fast application static detection method according to an embodiment of the present application;
FIG. 3 is a block diagram of a static detection principle according to an embodiment of the present application;
FIG. 4 is a second flowchart of the fast application static detection method according to the embodiment of the present application;
FIG. 5 is a schematic flow chart illustrating a fast application dynamic detection method according to an embodiment of the present application;
FIG. 6 is a schematic diagram illustrating a structure of a fast application detection apparatus according to an embodiment of the present disclosure;
FIG. 7 is a schematic diagram of a structure of a fast application detection device in an embodiment of the present application;
FIG. 8 is a schematic block diagram of a chip provided in an embodiment of the present application.
Detailed Description
So that the manner in which the features and elements of the present embodiments can be understood in detail, a more particular description of the embodiments, briefly summarized above, may be had by reference to embodiments, some of which are illustrated in the appended drawings.
The embodiment of the application provides a fast application detection method, and as shown in fig. 1, the fast application detection method specifically includes:
Step 101: acquiring an installation package of at least one fast application to be detected;
Here, fast applications are a new application ecosystem jointly released by a number of mobile terminal manufacturers on the basis of the hardware platform. The user does not need to download or install anything: the application can be used with a tap, and the user enjoys the performance experience of a native application.
With an ordinary application (APP), users need to know in advance what the APP does. For example, to use food applications such as APP1 and APP2, which can search for food, a user has to download and install the APP from an application market, open it, and then search for pizza. With fast applications, a user who has just got a new mobile phone does not need to know which APP can search for food or download it; the user only needs to pull down on the desktop to open the search box and enter 'pizza' to obtain the corresponding service.
In practical applications, before the fast application is installed in an application store, the security of the fast application needs to be tested, for example, whether the fast application can resist malicious network attacks, or whether the privacy management of a user is compliant. Therefore, a background detection device is established based on the fast application detection method, and the background detection device acquires the installation package of at least one fast application to be detected and performs batch detection on the fast applications. Here, the installation package of the fast application may be an rpk package, which is a file format of the installation package of the fast application.
In practical applications, the fast application may be run on a mobile terminal, the mobile terminal may be a terminal with a networking function, and the terminal described in this application may include, for example, a mobile phone, a tablet computer, a notebook computer, a palm computer, a Personal Digital Assistant (PDA), a Portable Media Player (PMP), a navigation device, a wearable device, a smart band, a camera, and the like.
Step 102: acquiring a detection rule configured for the at least one fast application in advance;
in practical applications, the detection of the fast application includes static detection and/or dynamic detection, and correspondingly, the detection rule also includes: a first detection rule for static detection and/or a second detection rule for dynamic detection.
In practical application, static detection refers to analysis performed without executing a binary program, such as disassembling analysis, source code analysis, binary statistical analysis, decompiling and the like, and belongs to a reverse engineering analysis method.
The first detection rule may be determined from known security vulnerabilities of existing fast applications or other common applications. For example, source code analysis is performed on a fast application or other common application that has a security vulnerability, the key source code that causes the security problem and the type of the security vulnerability are determined, and that part of the source code is used as the identification information of the security vulnerability to establish a first detection rule.
In practical application, dynamic detection is to simulate the running process of the fast application, and acquire the known dynamic behavior characteristics causing the security problem by detecting the interactive content between the terminal and the network side or other terminals when the fast application runs. That is, the second detection rule may be a known dynamic operation characteristic determined according to a dynamic operation behavior causing a security problem in an operation process of an existing fast application or other common applications, and the second detection rule is established by using the known dynamic operation characteristic.
Step 103: based on the detection rule, performing security detection on the at least one fast application to obtain a detection result; wherein the detection of the fast application comprises static detection and/or dynamic detection.
Here, the detection rule is preset by detection personnel according to existing security problems, privacy non-compliance problems, and the like. After the detection device acquires the installation package of the fast application and the detection rule, it selects the corresponding detection rule according to the installation package or the detection type, and detects the installation package of the fast application.
In some embodiments, upon static detection of the fast application, the detection rule comprises a first detection rule for static detection;
correspondingly, the performing security detection on the at least one fast application based on the detection rule to obtain a detection result includes: analyzing the installation package of the at least one fast application, and extracting a file to be detected of the at least one fast application; based on the first detection rule, simultaneously carrying out static detection on the at least one file to be detected of the fast application to obtain a static detection result; and determining whether the at least one fast application has a security vulnerability or not based on the static detection result of the at least one fast application.
That is to say, the static detection is to perform static scanning on the source code, determine whether the source code matched with the first detection rule exists in the source code, and if so, determine that the fast application has a security vulnerability.
In some embodiments, when the fast application is dynamically detected, the detection rule comprises a second detection rule for dynamic detection;
correspondingly, the performing security detection on the at least one fast application based on the detection rule to obtain a detection result includes:
dynamically running the installation package of the at least one fast application in the virtual machine, and monitoring network request information of the fast application to obtain the dynamic behavior characteristics of the at least one fast application; based on the second detection rule, detecting the dynamic behavior characteristics of the at least one fast application to obtain a dynamic detection result; and determining whether the at least one fast application has a security vulnerability or not based on the dynamic detection result of the at least one fast application.
That is to say, the dynamic detection is to simulate the running process of the fast application, and the dynamic behavior characteristics of the fast application are obtained by detecting the interactive content between the terminal and the network side or other terminals when the fast application runs. And judging whether the dynamic behavior characteristics matched with the second detection rule exist in the dynamic behavior characteristics, and if so, determining that the security vulnerability exists in the fast application.
In some embodiments, the method further comprises: updating the detection rule according to a preset updating strategy; wherein the update policy includes at least one of: delete, add, replace.
In practical applications, as security threats against fast applications are upgraded and produce new variants, embodiments of the present application also include updating the detection rules to suit the current security threat environment. Specifically, old detection rules are deleted, new detection rules are added, or old detection rules are replaced.
Here, the execution subject of steps 101 to 103 may be a processor of the fast application detection device.
With this technical scheme, automatic batch detection of fast applications can be realized, including batch static detection and batch dynamic detection, and a large amount of manual work is avoided, so that fast applications with security vulnerabilities are located quickly and the efficiency of fast application security detection is improved.
On the basis of the above-described embodiments of the present application, the static detection method for fast application is further exemplified. Fig. 2 is a schematic diagram of a first process of a fast application static detection method in an embodiment of the present application, and as shown in fig. 2, the static detection method specifically includes:
Step 201: acquiring an installation package of at least one fast application to be detected;
in practical applications, before the fast application is installed in an application store, the security of the fast application needs to be tested, for example, whether the fast application can resist malicious network attacks, or whether the privacy management of a user is compliant. Therefore, a background detection device is established based on the fast application detection method, and the background detection device acquires the installation package of at least one fast application to be detected. Here, the installation package of the fast application may be an rpk package, which is a file format of the installation package of the fast application.
Step 202: acquiring a first detection rule configured for the at least one fast application in advance;
in practical application, static detection refers to analysis performed without executing a binary program, such as disassembling analysis, source code analysis, binary statistical analysis, decompiling and the like, and belongs to a reverse engineering analysis method.
The first detection rule may be determined from known security vulnerabilities of existing fast applications or other common applications. For example, source code analysis is performed on a fast application or other common application that has a security vulnerability, the key source code that causes the security problem and the type of the security vulnerability are determined, and that part of the source code is used as the identification information of the security vulnerability to establish a first detection rule.
For example, the first detection rule includes identification information of at least one security vulnerability, and the identification information indicates a static behavior characteristic of the security vulnerability. The identification information may be a single keyword or a logical combination of multiple keywords that share a context. If it is a single keyword, the security vulnerability can be represented by that one keyword. If it is a logical combination of multiple keywords, a certain context must exist between multiple lines of the vulnerable source code, and whether the fast application contains the security vulnerability is determined according to that context.
Illustratively, the identification information of a first security vulnerability includes keyword 1, and the identification information of a second security vulnerability includes keyword combination 1, which comprises keyword 2, keyword 3 and keyword 4 together with the logical relations among them.
Step 203: analyzing the installation package of the at least one fast application, and extracting a file to be detected of the at least one fast application;
in some embodiments, the installation package of the at least one fast application is analyzed, and all files of each fast application and index identifiers of the files to be detected are extracted; and determining the files to be detected from all the files of each fast application based on the index identification of the files to be detected.
It should be noted that the installation package includes first-type code files, which implement the functions of the fast application, and second-type code files, which are inherent in the fast application framework. In practical application, security vulnerabilities appear only in the first-type code files; running the second-type code files does not give rise to security vulnerabilities. Therefore only the first-type code files need to be statically scanned, and they are located by using the index identifier of the first-type code files (i.e., the files to be detected).
In practical application, the JS files and the manifest.xml file in the rpk package are extracted, the names of the target JS files to be scanned are determined by parsing the route configuration (i.e., the index information) in manifest.xml, and then the rule configuration file is loaded and parsed to obtain the first detection rule.
Step 204: based on the first detection rule, simultaneously carrying out static detection on the at least one file to be detected of the fast application to obtain a static detection result;
in practical application, the first detection rule comprises identification information of at least one security vulnerability;
correspondingly, performing static detection on the files to be detected of the at least one fast application simultaneously based on the first detection rule to obtain a static detection result includes: matching the file to be detected against the identification information corresponding to a target security vulnerability, the target security vulnerability being any one of the security vulnerabilities in the first detection rule; if they match, determining that the target security vulnerability exists in the file to be detected, and acquiring the matched code line number in the file to be detected; and if they do not match, determining that the target security vulnerability does not exist in the file to be detected.
In practical application, the background service device issues the rpk package to the detection engine, and the detection engine detects the rpk package and generates a static detection report. Specifically, the detection engine loads the rule configuration file and parses the first detection rule, then matches the identification information of the different security vulnerabilities in the first detection rule against the file to be detected to obtain a matching result. When identification information matches, the detection engine records the number of the matched identification information and the JS code line number. After all JS files have been scanned, the detection engine outputs a scan result based on the recorded identification information numbers and JS code line numbers.
Here, the identification information number identifies the type of security vulnerability, and the JS code line number locates the vulnerable code within the rpk package. Detection personnel can therefore quickly determine which types of security vulnerability exist in the fast application and quickly locate the specific code position, which makes it easier to upgrade and modify the fast application later, improves fast application development efficiency, and shortens the time to market.
Fig. 3 is a schematic diagram of the framework of the static detection principle in the embodiment of the present application. As shown in fig. 3, before a fast application is installed in an application store, the background detection device acquires the rpk package of the fast application provided by the fast application developer, and the background service device issues the rpk package to a detection engine for detection. The detection engine parses the rpk package and extracts the key JS files in it, reads and parses the detection rules in a configuration file configured in advance, and statically scans the extracted fast application JS files with the parsed detection rules to generate a detection report. When there are several fast applications to be detected, the background detection device launches the detection engines, which scan the JS code files of the fast applications in parallel and generate detection reports, realizing batch static scanning of fast applications.
It should be noted that, if the identification information is a single keyword, the code line number is the line number of one line of code; if the identification information is a logical combination of multiple keywords, the code line number may be the line numbers of multiple lines of code.
Step 205: and determining whether the at least one fast application has a security vulnerability or not based on the static detection result of the at least one fast application.
Specifically, according to the static detection result, the target fast applications in which security vulnerabilities exist are determined from the at least one fast application, and the code positions corresponding to the different security vulnerabilities in the target fast applications are determined.
In some embodiments, the method further comprises: updating the first detection rule according to a preset updating strategy; wherein the update policy includes at least one of: delete, add, replace.
In practical applications, as security threats against fast applications are upgraded and produce new variants, embodiments of the present application also include updating the detection rules to suit the current security threat environment. Specifically, old detection rules are deleted, new detection rules are added, or old detection rules are replaced.
A more specific detection process is provided on the basis of the fast application static detection method, fig. 4 is a schematic diagram of a second process of the fast application static detection method in the embodiment of the present application, and as shown in fig. 4, the static detection method specifically includes:
Step 401: starting;
Step 402: parsing the rule;
Specifically, the detection engine loads the rule configuration file and parses the first detection rule.
Step 403: parsing the rpk package;
Step 404: reading the manifest.xml file;
The manifest.xml file is the manifest file used in Android development (the Android manifest xml file). Every Android application must have a manifest.xml file, in the app/flavors directory. It provides important information about the application to the Android system, which the system must have before it can run any of the application's code. The manifest names the Java package of the application, and the package name serves as a unique identifier for the application.
That is, the manifest.xml file is the index information of the target JS files to be detected, and the names of the target JS files to be scanned are determined by parsing the route configuration (i.e., the index information) in the manifest.xml file.
Step 405: extracting a target JS file;
Step 406: scanning the target JS file according to the parsing result of the first detection rule;
Step 407: judging whether the end is reached; if so, executing step 410; if not, executing step 408;
Step 408: judging whether a match is found; if so, executing step 409; if not, executing step 406;
Specifically, the detection engine matches the identification information of the different security vulnerabilities in the first detection rule against the file to be detected to obtain a matching result. When identification information matches, the detection engine records the number of the matched identification information and the JS code line number. After all JS files have been scanned, the detection engine outputs a scan result based on the recorded identification information numbers and JS code line numbers.
Step 409: recording a matching result;
Here, the matching result includes an identification information number and a JS code line number.
Step 410: generating a detection report;
That is, once all the target JS files in the fast application have been scanned, a detection result is generated.
Step 411: ending.
With this technical scheme, automatic batch static detection of fast applications can be realized, and a large amount of manual work is avoided, so that fast applications with security vulnerabilities are located quickly and the efficiency of fast application security detection is improved.
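The static flow of steps 402 to 410, including the parallel batch scan of fig. 3, as an added Python example that is not code from the patent. Assumptions: the rpk is handled as a ZIP archive, and the manifest.xml route layout (`<router><page component="..."/>`), the rule format, the rule ids and the sample JS sources are all constructed for illustration.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile
from concurrent.futures import ThreadPoolExecutor

# First detection rules (constructed). "keywords" holds one regex for a
# single-keyword rule, or several that must all occur within "window" lines
# of each other (the logical combination with context).
RULES = [
    {"id": "R001", "type": "cleartext-http", "keywords": [r"http://"]},
    {"id": "R002", "type": "device-id-upload", "window": 5,
     "keywords": [r"device\.getId\s*\(", r"fetch\.fetch\s*\("]},
]


def build_sample_rpk(routed, unrouted):
    """Build a constructed rpk in memory (assumed layout: ZIP + manifest.xml)."""
    routes = "".join('<page component="%s"/>' % name for name in routed)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as rpk:
        rpk.writestr("manifest.xml",
                     "<manifest><router>%s</router></manifest>" % routes)
        for name, source in {**routed, **unrouted}.items():
            rpk.writestr(name + ".js", source)
    return buf.getvalue()


def target_js_names(manifest_xml):
    """Steps 404-405: route configuration -> JS files that must be scanned."""
    root = ET.fromstring(manifest_xml)
    return [page.get("component") + ".js" for page in root.iter("page")]


def match_rule(rule, lines):
    """Step 408: return the matched 1-based line numbers, [] if no match."""
    hits = [[n for n, text in enumerate(lines, 1) if re.search(kw, text)]
            for kw in rule["keywords"]]
    if not all(hits):
        return []
    if len(hits) == 1:
        return hits[0]
    matched = set()
    for anchor in hits[0]:
        # Nearest occurrence of every other keyword, if inside the window.
        nearest = [min(h, key=lambda n: abs(n - anchor)) for h in hits[1:]]
        if all(abs(n - anchor) <= rule["window"] for n in nearest):
            matched.update([anchor, *nearest])
    return sorted(matched)


def scan_rpk(name, rpk_bytes, rules=RULES):
    """Steps 403-410 for one package: a report with rule ids and line numbers."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(rpk_bytes)) as rpk:
        members = set(rpk.namelist())
        for js_name in target_js_names(rpk.read("manifest.xml")):
            if js_name not in members:      # route points at a missing file
                continue
            lines = rpk.read(js_name).decode("utf-8", "replace").splitlines()
            for rule in rules:
                line_numbers = match_rule(rule, lines)
                if line_numbers:            # step 409: record the match
                    findings.append({"rule": rule["id"], "type": rule["type"],
                                     "file": js_name, "lines": line_numbers})
    return {"app": name, "vulnerable": bool(findings), "findings": findings}


def scan_batch(packages, rules=RULES):
    """Scan several packages in parallel, one report per package."""
    with ThreadPoolExecutor(max_workers=4) as pool:
        return list(pool.map(lambda item: scan_rpk(item[0], item[1], rules),
                             packages.items()))


# Constructed packages. framework.js is in the archive but not in the route
# configuration, so its http:// URL is never scanned.
SAMPLES = {
    "app_a.rpk": build_sample_rpk(
        {"pages/index": "const id = device.getId()\n"
                        "console.log('start')\n"
                        "fetch.fetch({url: 'http://example.test/c', data: id})\n"},
        {"framework": "var fw = 'http://example.test/fw'\n"}),
    "app_b.rpk": build_sample_rpk(
        {"pages/home": "fetch.fetch({url: 'https://example.test/ok'})\n"}, {}),
}

if __name__ == "__main__":
    for report in scan_batch(SAMPLES):
        print(report["app"], "vulnerable" if report["vulnerable"] else "clean")
        for f in report["findings"]:
            print("  %(rule)s %(type)s %(file)s lines %(lines)s" % f)
```

The combination rule R002 reports both line numbers it matched, while the single-keyword rule R001 reports one, which is the distinction the description draws between the two kinds of identification information.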
On the basis of the above embodiments of the present application, the dynamic detection method for fast application is further exemplified. Fig. 5 is a schematic flowchart of a fast application dynamic detection method in an embodiment of the present application, and as shown in fig. 5, the dynamic detection method specifically includes:
Step 501: acquiring an installation package of at least one fast application to be detected;
in practical applications, before the fast application is installed in an application store, the security of the fast application needs to be tested, for example, whether the fast application can resist malicious network attacks, whether privacy management for a user is compliant, or the like. Therefore, a background detection device is established based on the fast application detection method, and the background detection device acquires the installation package of at least one fast application to be detected. Here, the installation package of the fast application may be an rpk package, which is a file format of the installation package of the fast application.
Step 502: acquiring a second detection rule configured for the at least one fast application in advance;
the dynamic detection is to simulate the running process of the fast application, and the dynamic behavior characteristics of the fast application are obtained by detecting the interactive content between the terminal and the network side or other terminals when the fast application runs. And judging whether the dynamic behavior characteristics matched with the second detection rule exist in the dynamic behavior characteristics or not, and if so, determining that the security vulnerability exists in the fast application.
Step 503: dynamically running the installation package of the at least one fast application in the virtual machine, and monitoring network request information of the fast application to obtain dynamic behavior characteristics of the at least one fast application;
the dynamic behavior characteristics of the fast application specifically represent at least one of: scanning system state, obtaining system authority, registry operation, self-deleting operation, encryption and decryption, process/thread behavior, file operation and network access behavior.
Step 504: based on the second detection rule, detecting the dynamic behavior characteristics of the at least one fast application to obtain a dynamic detection result;
In practical applications, the second detection rule comprises the dynamic behavior characteristic of at least one security vulnerability.
Correspondingly, performing security detection on the at least one fast application based on the detection rule to obtain a detection result includes: matching the dynamic behavior characteristics of the fast application with the dynamic behavior characteristics of a target security vulnerability, the target security vulnerability being any security vulnerability in the second detection rule; if they match, determining that the target security vulnerability exists in the fast application; and if not, determining that the target security vulnerability does not exist in the fast application.
Illustratively, the installation package code is executed dynamically in a virtual machine (VM), state changes during the run are monitored, and operations on key events in the system are intercepted using HOOK. Here, HOOK is an important carrier for Windows system message transfer: the HOOK function provides an interface for message calls, intercepts the call process between events, and forwards the call to the corresponding API after processing. A user-defined HOOK is set in the operating system to monitor system behavior, thereby realizing dynamic monitoring.
In practical applications, the dynamic behavior characteristics of the security vulnerability specifically represent at least one of the following: scanning system state, obtaining system authority, registry operation, self-deleting operation, encryption and decryption, process/thread behavior, file operation and network access behavior.
Step 505: determining whether the at least one fast application has a security vulnerability based on the dynamic detection result of the at least one fast application.
When the dynamic detection result indicates that a target fast application has a security vulnerability, the type and quantity of the security vulnerabilities of the target fast application are determined.
In some embodiments, the method further comprises: updating the second detection rule according to a preset updating strategy; wherein the update policy includes at least one of: delete, add, replace.
With this technical scheme, automatic batch dynamic detection of fast applications can be realized and a large amount of manual operation is saved, so that fast applications with security vulnerabilities are located quickly and the efficiency of fast application security detection is improved.
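The matching and rule-update steps of the dynamic detection described above can be illustrated as follows. This is an added example, not code from the application; the rule fields, rule names, package names and request records are constructed assumptions, and the records stand in for the network request information a VM-side monitor would log.

```python
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed second detection rule: one entry per vulnerability, holding the
# dynamic behavior characteristic that identifies it (field names are assumptions).
SECOND_RULE = {
    "cleartext-transport": {"scheme": "http"},
    "device-id-upload": {"params": {"imei", "android_id", "mac"}},
}

# Constructed network request records, as a VM-side monitor might log them.
CAPTURED = {
    "com.example.weather": [
        {"url": "http://api.weather.example/now?city=SZ&imei=000000000000000", "body": ""},
        {"url": "https://stats.weather.example/v1/event", "body": "android_id=abc123&evt=open"},
    ],
    "com.example.notes": [
        {"url": "https://sync.notes.example/list?page=1", "body": ""},
    ],
}


def extract_features(request):
    """Reduce one monitored request to the behavior features the rules test."""
    parts = urlsplit(request["url"])
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += parse_qsl(request.get("body", ""), keep_blank_values=True)
    return {"scheme": parts.scheme.lower(), "params": {k.lower() for k, _ in pairs}}


def rule_matches(rule, features):
    """A rule matches only when every condition it states holds."""
    if "scheme" in rule and features["scheme"] != rule["scheme"]:
        return False
    if "params" in rule and not (rule["params"] & features["params"]):
        return False
    return True


def update_rules(rules, action, rule_id, rule=None):
    """Apply one update-policy action (delete, add, replace); returns a new rule set."""
    updated = dict(rules)
    if action == "delete":
        del updated[rule_id]
    elif action in ("add", "replace"):
        if not rule:
            raise ValueError("a rule with no conditions would match every request")
        if (rule_id in updated) != (action == "replace"):
            raise KeyError(f"cannot {action} rule {rule_id!r}")
        updated[rule_id] = rule
    else:
        raise ValueError(f"unknown update action {action!r}")
    return updated


def detect_batch(captured, rules):
    """Return {app: Counter({vulnerability type: matching request count})}."""
    report = {}
    for app, requests in captured.items():
        hits = Counter()
        for request in requests:
            features = extract_features(request)
            hits.update(rid for rid, rule in rules.items() if rule_matches(rule, features))
        report[app] = hits
    return report


if __name__ == "__main__":
    for app, hits in detect_batch(CAPTURED, SECOND_RULE).items():
        print(app, dict(hits) or "no rule matched")
```

The per-application counter gives the type and quantity of matched vulnerabilities, and an empty counter corresponds to the "does not exist" branch.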
In order to implement the method according to the embodiment of the present application, based on the same inventive concept, an embodiment of the present application further provides a fast application detection apparatus, as shown in fig. 6, the apparatus includes:
an acquisition part 601 configured to acquire an installation package of at least one fast application to be detected; acquiring a detection rule configured for the at least one fast application in advance;
a detection part 602 configured to perform security detection on the at least one fast application based on the detection rule to obtain a detection result; wherein the detection of the fast application comprises static detection and/or dynamic detection.
In some embodiments, when the fast application is statically detected, the detection rule comprises a first detection rule for static detection;
the detection part 602 is specifically configured to parse the installation package of the at least one fast application and extract the file to be detected of the at least one fast application; based on the first detection rule, simultaneously carry out static detection on the file to be detected of the at least one fast application to obtain a static detection result; and determine whether the at least one fast application has a security vulnerability based on the static detection result of the at least one fast application.
In some embodiments, the detection part 602 is specifically configured to parse the installation package of the at least one fast application, and extract all files of each fast application and the index identifier of the file to be detected; and determine the file to be detected from all the files of each fast application based on the index identifier of the file to be detected.
In some embodiments, the first detection rule includes identification information of at least one security vulnerability;
the detection part 602 is specifically configured to match the file to be detected with the identification information corresponding to a target security vulnerability, the target security vulnerability being any security vulnerability in the first detection rule; if they match, determine that the target security vulnerability exists in the file to be detected, and acquire the matched code line number in the file to be detected; and if not, determine that the target security vulnerability does not exist in the file to be detected.
In some embodiments, when the fast application is dynamically detected, the detection rule comprises a second detection rule for dynamic detection;
a detection part 602, configured to run the installation package of the at least one fast application dynamically in the virtual machine, and monitor the network request information of the fast application to obtain a dynamic behavior characteristic of the at least one fast application; based on the second detection rule, detecting the dynamic behavior characteristics of the at least one fast application to obtain a dynamic detection result; and determining whether the at least one fast application has a security vulnerability or not based on the dynamic detection result of the at least one fast application.
In some embodiments, the second detection rule includes the dynamic behavior characteristic of at least one security vulnerability;
the detection part 602 is specifically configured to match the dynamic behavior characteristics of the fast application with the dynamic behavior characteristics of a target security vulnerability, the target security vulnerability being any security vulnerability in the second detection rule; if they match, determine that the target security vulnerability exists in the fast application; and if not, determine that the target security vulnerability does not exist in the fast application.
In some embodiments, the apparatus further comprises: an updating part configured to update the detection rule according to a preset update policy; wherein the update policy comprises at least one of: delete, add, replace.
With this technical scheme, automatic batch detection of fast applications can be realized, including batch static detection and batch dynamic detection, and a large amount of manual operation is saved, so that fast applications with security vulnerabilities are located quickly and the efficiency of fast application security detection is improved.
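The static detection performed by the detection part 602 (parse the package, select the files to be detected by index identification, match identification information, record the matched line number) can be illustrated as follows. This is an added example, not code from the application; it assumes the rpk package is a ZIP-format archive, that the index identification is a set of file suffixes, and that identification information is a regular expression. All file contents and rule names are constructed.

```python
import io
import re
import zipfile
from concurrent.futures import ThreadPoolExecutor

# Constructed first detection rule: identification information (a regex here)
# for each vulnerability. Rule names and patterns are assumptions.
FIRST_RULE = {
    "cleartext-url": re.compile(r"""['"]http://[^'"]+['"]"""),
    "hardcoded-secret": re.compile(r"""(?i)(api[_-]?key|secret)\s*[:=]\s*['"][^'"]{8,}['"]"""),
}
INDEX_SUFFIXES = (".js", ".json")   # assumed index identification: file suffixes
MAX_FILE_BYTES = 1_000_000          # skip oversized entries instead of inflating them

# Constructed package contents.
SAMPLE_FILES = {
    "manifest.json": '{\n  "package": "com.example.weather"\n}\n',
    "src/app.js": 'const base = "http://api.weather.example";\n'
                  'const apiKey = "k3y-constructed-0001";\n',
    "assets/logo.png": "constructed placeholder, not a real image",
}


def build_package(files):
    """Build an in-memory archive standing in for an rpk (assumed ZIP format)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, text in files.items():
            archive.writestr(name, text)
    return buf.getvalue()


def files_to_detect(package_bytes):
    """Parse the package and keep only the entries the index identification selects."""
    selected = {}
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir() or not info.filename.endswith(INDEX_SUFFIXES):
                continue
            if info.file_size > MAX_FILE_BYTES:
                continue
            selected[info.filename] = archive.read(info).decode("utf-8", errors="replace")
    return selected


def static_detect(package_bytes, rule=FIRST_RULE):
    """Return (file, line number, vulnerability) for every line matching the rule."""
    findings = []
    for name, text in sorted(files_to_detect(package_bytes).items()):
        for lineno, line in enumerate(text.splitlines(), start=1):
            findings += [(name, lineno, vuln) for vuln, pat in rule.items() if pat.search(line)]
    return findings


def static_detect_batch(packages, rule=FIRST_RULE):
    """Scan several packages at the same time; returns {package name: findings}."""
    names = list(packages)
    with ThreadPoolExecutor(max_workers=4) as pool:
        results = pool.map(lambda n: static_detect(packages[n], rule), names)
        return dict(zip(names, results))


if __name__ == "__main__":
    batch = {"weather.rpk": build_package(SAMPLE_FILES)}
    for pkg, findings in static_detect_batch(batch).items():
        for name, lineno, vuln in findings:
            print(f"{pkg}: {name}:{lineno}: {vuln}")
```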
Based on the hardware implementation of each part in the fast application detection apparatus, an embodiment of the present application further provides a fast application detection device, as shown in fig. 7, the device includes: a processor 701 and a memory 702 configured to store a computer program capable of running on the processor;
wherein the processor 701 is configured to execute the method steps in the previous embodiments when running the computer program.
Of course, in practice, the various components in the device are coupled together by a bus system 703, as shown in fig. 7. It is understood that the bus system 703 is used to enable communications among the components. The bus system 703 includes a power bus, a control bus, and a status signal bus in addition to the data bus. For clarity of illustration, however, the various buses are all labeled as bus system 703 in fig. 7.
The computer storage medium provided by the embodiment of the present application stores computer executable instructions, and the computer executable instructions, when executed, implement the method steps of the first or second embodiment.
The above-mentioned device of the embodiment of the present application, if implemented in the form of a software functional module and sold or used as a standalone product, may also be stored in a computer-readable storage medium. Based on such understanding, the technical solutions of the embodiments of the present application, in essence or in the portions contributing to the prior art, may be embodied in the form of a software product that is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read Only Memory (ROM), a magnetic disk, an optical disk, and various other media capable of storing program code. Thus, embodiments of the present application are not limited to any specific combination of hardware and software.
In the embodiment of the present application, a chip is further provided for implementing the above-mentioned fast application detection method of the present application, and fig. 8 is a schematic structural diagram of the chip in the embodiment of the present application. The chip 800 shown in fig. 8 includes a processor 810, and the processor 810 can call and run a computer program from a memory to implement the method in the embodiment of the present application.
Optionally, as shown in fig. 8, the chip 800 may further include a memory 820. From the memory 820, the processor 810 may call and run a computer program to implement the method in the embodiment of the present application.
The memory 820 may be a separate device from the processor 810 or may be integrated into the processor 810.
Optionally, the chip 800 may further include an input interface 830. The processor 810 may control the input interface 830 to communicate with other devices or chips, and specifically, may obtain information or data transmitted by other devices or chips.
Optionally, the chip 800 may further include an output interface 840. The processor 810 can control the output interface 840 to communicate with other devices or chips, and in particular, can output information or data to other devices or chips.
Optionally, the chip may be applied to the fast application detection device in the embodiment of the present application, and the chip may implement a corresponding process implemented by the network device in each method in the embodiment of the present application, and for brevity, details are not described here again.
It should be understood that the chips mentioned in the embodiments of the present application may also be referred to as a system-on-chip, etc.
Correspondingly, the embodiment of the present application further provides a computer storage medium, in which a computer program is stored, and the computer program is configured to execute the data scheduling method of the embodiment of the present application.
It should be noted that: "first," "second," and the like are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
The methods disclosed in the several method embodiments provided in the present application may be combined arbitrarily without conflict to arrive at new method embodiments.
The features disclosed in the several product embodiments presented in this application can be combined arbitrarily, without conflict, to arrive at new product embodiments.
The features disclosed in the several method or apparatus embodiments provided in the present application may be combined arbitrarily, without conflict, to arrive at new method embodiments or apparatus embodiments.
The above description covers only specific embodiments of the present application, but the scope of the present application is not limited thereto; any change or substitution that a person skilled in the art can readily conceive within the technical scope of the present application shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Industrial applicability
The fast application detection scheme provided by the present application uses preset detection rules, including static detection rules and/or dynamic detection rules, to realize automatic batch detection of fast applications, so that fast applications with security vulnerabilities are located quickly and the efficiency of fast application security detection is improved.

Claims (10)

  1. A fast application detection method, wherein the method comprises:
    acquiring an installation package of at least one fast application to be detected;
    acquiring a detection rule configured for the at least one fast application in advance;
    based on the detection rule, carrying out security detection on the at least one fast application to obtain a detection result; wherein the detection of the fast application comprises static detection and/or dynamic detection.
  2. The method of claim 1, wherein, upon static detection of the fast application, the detection rules comprise a first detection rule for static detection;
    the performing, based on the detection rule, security detection on the at least one fast application to obtain a detection result includes:
    analyzing the installation package of the at least one fast application, and extracting a file to be detected of the at least one fast application;
    based on the first detection rule, simultaneously carrying out static detection on the file to be detected of the at least one fast application to obtain a static detection result;
    and determining whether the at least one fast application has a security vulnerability or not based on the static detection result of the at least one fast application.
  3. The method according to claim 2, wherein the parsing the installation package of the at least one fast application and extracting the file to be detected of the at least one fast application comprises:
    analyzing the installation package of the at least one fast application, and extracting all files of each fast application and index identifications of the files to be detected;
    and determining the file to be detected from all the files of each fast application based on the index identification of the file to be detected.
  4. The method of claim 2, wherein the first detection rule includes identification information of at least one security vulnerability;
    the static detection of the to-be-detected file of the at least one fast application based on the first detection rule to obtain a static detection result includes:
    matching the file to be detected with identification information corresponding to the target security vulnerability; the target security vulnerability is any security vulnerability in the first detection rule;
    if so, determining that the target security vulnerability exists in the file to be detected, and acquiring a code line number matched in the file to be detected;
    and if not, determining that the target security vulnerability does not exist in the file to be detected.
  5. The method of claim 1, wherein, in dynamically detecting the fast application, the detection rule comprises a second detection rule for dynamic detection;
    the performing, based on the detection rule, security detection on the at least one fast application to obtain a detection result includes:
    dynamically running the installation package of the at least one fast application in the virtual machine, and monitoring network request information of the fast application to obtain the dynamic behavior characteristics of the at least one fast application;
    based on the second detection rule, detecting the dynamic behavior characteristics of the at least one fast application to obtain a dynamic detection result;
    and determining whether the at least one fast application has a security vulnerability or not based on the dynamic detection result of the at least one fast application.
  6. The method of claim 5, wherein the second detection rule includes a dynamic behavior characteristic of at least one security vulnerability;
    the detecting the dynamic behavior characteristics based on the second detection rule to obtain a dynamic detection result includes:
    matching the dynamic behavior characteristics of the fast application with the dynamic behavior characteristics of the target security vulnerability; the target security vulnerability is any security vulnerability in the second detection rule;
    if so, determining that the target security vulnerability exists in the fast application;
    and if not, determining that the target security vulnerability does not exist in the fast application.
  7. The method of claim 1, wherein the method further comprises:
    updating the detection rule according to a preset updating strategy; wherein the update policy comprises at least one of: delete, add, replace.
  8. A fast-application detection apparatus, wherein the apparatus comprises:
    the acquisition part is configured to acquire an installation package of at least one fast application to be detected; acquiring a detection rule configured for the at least one fast application in advance;
    the detection part is configured to perform security detection on the at least one fast application based on the detection rule to obtain a detection result; wherein the detection of the fast application comprises static detection and/or dynamic detection.
  9. A fast application detection device, wherein the device comprises: a processor and a memory for storing a computer program capable of running on the processor,
    wherein the memory is adapted to store a computer program and the processor is adapted to call and run the computer program stored in the memory to perform the steps of the method according to any of claims 1-7.
  10. A computer-readable storage medium for storing a computer program which causes a computer to perform the steps of the method according to any one of claims 1-7.

Applications Claiming Priority (1)

Application number: PCT/CN2020/093913 (WO2021243555A1 (en)); priority date: 2020-06-02; filing date: 2020-06-02; title: Quick application test method and apparatus, device, and storage medium

Publications (1)

Publication number: CN115552401A (en); publication date: 2022-12-30

Family

ID=78831634

Family Applications (1)

Application number: CN202080100497.8A; status: Pending; publication: CN115552401A (en); priority date: 2020-06-02; filing date: 2020-06-02; title: Fast application detection method, device, equipment and storage medium

Country Status (2)

CN: CN115552401A (en)
WO: WO2021243555A1 (en)

Also Published As

Publication number Publication date
WO2021243555A1 (en) 2021-12-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination