CN115859360B - APP personal data security detection scoring device and method - Google Patents
APP personal data security detection scoring device and method Download PDFInfo
- Publication number
- CN115859360B CN115859360B CN202211656180.XA CN202211656180A CN115859360B CN 115859360 B CN115859360 B CN 115859360B CN 202211656180 A CN202211656180 A CN 202211656180A CN 115859360 B CN115859360 B CN 115859360B
- Authority
- CN
- China
- Prior art keywords
- user
- app
- information
- detection
- apk
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 60
- 238000000034 method Methods 0.000 title claims abstract description 14
- 230000010354 integration Effects 0.000 claims description 8
- 238000004458 analytical method Methods 0.000 claims description 5
- 238000013077 scoring method Methods 0.000 claims description 5
- 238000011156 evaluation Methods 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000004321 preservation Methods 0.000 description 1
- 238000011158 quantitative evaluation Methods 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Landscapes
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention provides an APP personal data security detection scoring device and method. The method comprises the following steps: step 1: acquiring an apk packet to be detected; step 2: decompressing and decompiling the apk packet to be detected to obtain forced request conditions of the APP for privacy permission and APP information; the privacy permission comprises one permission or more permissions in address book access, short message access, camera access, file operation/album access, recording access, identity card information acquisition and information pushing; the APP information comprises a name and a version number; step 3: acquiring complaint report information aiming at the APP according to the APP information; step 4: taking the forced solicitation condition and complaint report information of each privacy authority as risk factors, and calculating to obtain a risk value of the APP.
Description
Technical Field
The invention relates to the technical field of data security, in particular to an APP personal data security detection scoring device and method.
Background
Most of the existing APP detection systems detect the security of the APP, such as vulnerability security, component security, interface security, communication security, authority control, encryption and decryption, access control and the like, and detect less personal privacy data security in the use process of the APP. Although there is also personal information protection policy evaluation, personal information collection, preservation and use detection, the detection dimension is not comprehensive enough, and analysis and research of APP personal privacy data security risk are lacking, and a qualitative or quantitative evaluation reference value of personal privacy data security risk cannot be provided for users.
Disclosure of Invention
In order to facilitate users to know the risk of the used APP in terms of personal privacy data security, the invention provides an APP personal data security detection scoring device and method.
In one aspect, the invention provides an APP personal data security detection scoring method, comprising:
step 1: acquiring an apk packet to be detected;
Step 2: decompressing and decompiling the apk packet to be detected to obtain forced request conditions of the APP for privacy permission and APP information; the privacy permission comprises one permission or more permissions in address book access, short message access, camera access, file operation/album access, recording access, identity card information acquisition and information pushing; the APP information comprises a name and a version number;
Step 3: acquiring complaint report information aiming at the APP according to the APP information;
step 4: taking the forced solicitation condition and complaint report information of each privacy authority as risk factors, and calculating to obtain a risk value of the APP.
Further, the step 1 specifically includes:
receiving apk packets manually uploaded by a user in batches; or alternatively
Automatically downloading the apk packet according to the download address of the apk packet configured by the user; or alternatively
And automatically downloading apk packages of the top N APP in the application store according to the application store configured by the user.
Further, the step 2 specifically includes: acquiring forced solicitation conditions of the APP on privacy rights and APP information by analyzing the android management file; and acquiring SDK information.
Further, step 2 further includes: circularly traversing the file directory, performing collision matching on file directory data and built-in SDK dictionary library data, and obtaining integrated related SDK information according to the matching result and SDK information obtained by analyzing the android management.
Correspondingly, step 4 further includes: the SDK information related to integration is used as a risk factor.
Further, the method further comprises the following steps: detecting the deployment number of the detection engines; if the single machine is deployed, distributing apk packets to be detected to the single detection engine one by one; if the cluster is deployed, the apk packet to be detected is dynamically distributed to each detection engine.
Further, after step 4, the method further comprises: and generating a detection report, and sending the detection report to a user or displaying the detection report by adopting a corresponding sending mode according to the type of the user.
In another aspect, the present invention provides an APP personal data security detection scoring apparatus, comprising:
The apk packet acquisition module is used for acquiring an apk packet to be detected;
The apk packet analysis module is used for decompressing and decompiling the apk packet to be detected to acquire the forced request condition of the APP for privacy permission and APP information; the privacy permission comprises one permission or more permissions in address book access, short message access, camera access, file operation/album access, recording access, identity card information acquisition and information pushing; the APP information comprises a name and a version number;
The complaint report information inquiry module is used for acquiring complaint report information aiming at the APP according to the APP information;
The detection module is used for taking the forced solicitation condition and complaint report information of each privacy authority as risk factors and calculating to obtain a risk value of the APP.
The invention has the beneficial effects that:
(1) The user can input the target APP to the detection device through a mode of designating the downloading link of the target APP, or applying a store address or directly uploading an apk packet, so that the detection device is convenient and quick to use, and can send a detailed detection report to a user designated mailbox.
(2) The forced asking conditions of each privacy authority and the related complaint reporting information are collected APPP to be used as risk factors for calculating the risk values, and the obtained risk values can intuitively enable a user to know personal information security risks existing in the APP, and can provide professional and effective authoritative reference information for the user on the APP use decision, so that the risk of personal privacy disclosure is reduced.
Drawings
Fig. 1 is a schematic flow chart of an APP personal data security detection scoring method provided by an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the technical solutions in the embodiments of the present invention will be clearly described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Example 1
As shown in fig. 1, an embodiment of the present invention provides an APP personal data security detection scoring method, including the following steps:
S101: after the user logs in, the user type is judged, namely: judging whether the user is an individual user or an enterprise user;
Specifically, if the user is an individual user, the user is prompted to fill out the mailbox address for receiving the detection report, and the enterprise user can skip the filling-out step.
S102: acquiring an apk packet to be detected;
specifically, the present embodiment provides the following three ways to obtain the apk packet to be detected:
(1) Receiving apk packets manually uploaded by a user in batches; or alternatively
(2) Automatically downloading the apk packet according to the download address of the apk packet configured by the user; or alternatively
(3) The apk packages of the top N (e.g., n=1000) APPs within the application store are automatically downloaded according to the user-configured application store.
It will be appreciated that different ways of obtaining rights for apk packages may be set for different user types, e.g. way (3) may be set to be exclusive to enterprise users.
S103: detecting the deployment number of the detection engines;
Specifically, if the single-machine deployment is performed, distributing apk packets to be detected to the single detection engine one by one; if the cluster is deployed, the apk packet to be detected is dynamically allocated to each detection engine, specifically, an allocation algorithm is pre-configured, and then the allocation algorithm is called to carry out dynamic allocation when needed. As for the allocation algorithm, an existing algorithm may be employed, and it is sufficient to ensure uniform allocation to the respective detection engines.
S104: after receiving an apk packet to be detected, a detection engine decompresses and decompiles the apk packet to be detected to acquire forced request conditions of the APP for privacy rights and APP information; the privacy permission comprises one permission or more permissions in address book access, short message access, camera access, file operation/album access, recording access, identity card information acquisition and information pushing; the APP information comprises a name and a version number; APP information such as icon, package size, md5 value and the like can also be collected.
Specifically, obtaining forced solicitation conditions of the APP on privacy rights and APP information by analyzing an android management.xml file; and acquiring SDK information.
Preferably, the step further comprises: and circularly traversing the file directory, performing collision matching on file directory data and built-in SDK dictionary library data, and obtaining integrated related SDK information according to the matching result and the SDK information obtained by analyzing the android management file.
S105: acquiring complaint report information aiming at the APP according to the APP information;
specifically, a query interface provided by an APP special treatment work group complaint reporting platform is called to query complaint reporting information aiming at the APP through the APP name and version number.
S106: and taking the forced solicited condition of each privacy authority, the SDK information related to integration and the complaint reporting information as risk factors, and calculating to obtain a risk value of the APP.
Specifically, after the risk elements are summarized, a risk evaluation method for APP personal data security disclosed by CN 113672914A may be used to calculate the risk value.
S107: and generating a detection report, and sending the detection report to a user or displaying the detection report by adopting a corresponding sending mode according to the type of the user.
Specifically, if the user is an enterprise user, the detection information of each dimension of the apk packet can be directly displayed on a screen; if the user is an individual user, sending a detection report to a mailbox address pre-filled by the user.
Example 2
Corresponding to the method, the embodiment of the invention also provides an APP personal data security detection scoring device, which comprises: the system comprises an apk packet acquisition module, an apk packet analysis module, a complaint report information query module and a detection module;
the apk packet acquisition module is used for acquiring an apk packet to be detected; the apk packet analysis module is used for decompressing and decompiling the apk packet to be detected to acquire the forced request condition of the APP for privacy permission and APP information; the privacy permission comprises one permission or more permissions in address book access, short message access, camera access, file operation/album access, recording access, identity card information acquisition and information pushing; the APP information comprises a name and a version number; the complaint report information inquiry module is used for acquiring complaint report information aiming at the APP according to the APP information; the detection module is used for taking the forced solicitation condition and complaint report information of each privacy authority as risk factors and calculating to obtain a risk value of the APP.
It should be noted that, the device provided in the embodiment of the present invention is for implementing the above method embodiment, and the function thereof may specifically refer to the above method embodiment, which is not described herein again.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (3)
1. An APP personal data security detection scoring method, comprising:
Step 1: after the user logs in, judging whether the user type is a personal user or an enterprise user; if the user is a personal user, prompting the user to fill out a mailbox address for receiving the detection report, and if the user is an enterprise user, directly executing the next step;
Step 2: acquiring apk packets to be detected in batches;
Step 3: detecting the deployment number of the detection engines; if the single machine is deployed, distributing apk packets to be detected to a single detection engine one by one; if the cluster is deployed, dynamically distributing apk packets to be detected to each detection engine so as to enable the detection engines to execute subsequent steps;
Step 4: decompressing and decompiling the apk packet to be detected, obtaining forced solicited conditions of privacy rights by the APP and APP information, and obtaining SDK information related to integration; the method specifically comprises the following steps: acquiring forced solicitation conditions of the APP on privacy rights and APP information by analyzing the android management file; circularly traversing the file directory, performing collision matching on file directory data and built-in SDK dictionary library data, and obtaining SDK information related to integration according to the SDK information obtained by analyzing the android management. The privacy permission comprises one permission or more permissions in address book access, short message access, camera access, file operation/album access, recording access, identity card information acquisition and information pushing; the APP information comprises a name and a version number;
Step 5: acquiring complaint report information aiming at the APP according to the APP information;
step 6: taking the forced solicited condition, complaint report information and SDK information related to integration of each privacy authority as risk factors, and calculating to obtain a risk value of the APP;
Step 7: generating a detection report, and sending the detection report to a user or displaying the detection report by adopting a corresponding sending mode according to the user type; if the user is a personal user, sending a detection report to a mailbox address pre-filled by the user, and if the user is an enterprise user, directly displaying detection information of each dimension of the apk package on a screen.
2. The APP personal data security detection scoring method of claim 1, wherein step 1 specifically comprises:
receiving apk packets manually uploaded by a user in batches; or alternatively
Automatically downloading the apk packet according to the download address of the apk packet configured by the user; or alternatively
And automatically downloading apk packages of the top N APP in the application store according to the application store configured by the user.
3. An APP personal data security detection scoring device, comprising:
the login module is used for enabling the user to log in and judging whether the user type is a personal user or an enterprise user after the user logs in; if the user is a personal user, prompting the user to fill out a mailbox address for receiving the detection report;
the apk packet acquisition module is used for acquiring apk packets to be detected in batches;
The engine detection module is used for detecting the deployment quantity of the detection engines; if the single machine is deployed, distributing apk packets to be detected to a single detection engine one by one; if the cluster is deployed, dynamically distributing apk packets to be detected to each detection engine;
The apk packet analysis module is used for decompressing and decompiling the apk packet to be detected, obtaining forced request conditions of the APP for privacy permission and APP information, and obtaining SDK information related to integration; the method is particularly used for acquiring the forced request condition of the APP for the privacy permission and the APP information by analyzing the android management file; circularly traversing the file directory, performing collision matching on file directory data and built-in SDK dictionary library data, and obtaining SDK information related to integration according to the SDK information obtained by analyzing the android management. The privacy permission comprises one permission or more permissions in address book access, short message access, camera access, file operation/album access, recording access, identity card information acquisition and information pushing; the APP information comprises a name and a version number;
The complaint report information inquiry module is used for acquiring complaint report information aiming at the APP according to the APP information;
The detection module is used for taking the forced solicitation condition, complaint report information and SDK information related to integration of each privacy authority as risk factors and calculating to obtain a risk value of the APP;
The feedback module is used for generating a detection report and sending the detection report to a user or displaying the detection report by adopting a corresponding sending mode according to the user type; if the user is a personal user, sending a detection report to a mailbox address pre-filled by the user, and if the user is an enterprise user, directly displaying detection information of each dimension of the apk package on a screen.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211656180.XA CN115859360B (en) | 2022-12-22 | 2022-12-22 | APP personal data security detection scoring device and method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211656180.XA CN115859360B (en) | 2022-12-22 | 2022-12-22 | APP personal data security detection scoring device and method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN115859360A CN115859360A (en) | 2023-03-28 |
| CN115859360B true CN115859360B (en) | 2024-05-10 |
Family
ID=85653833
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211656180.XA Active CN115859360B (en) | 2022-12-22 | 2022-12-22 | APP personal data security detection scoring device and method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115859360B (en) |
Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107705124A (en) * | 2017-09-14 | 2018-02-16 | 华中科技大学 | Mobile payment Environmental security check and evaluation system and method based on threat diagram |
| CN108090359A (en) * | 2018-01-05 | 2018-05-29 | 广东小天才科技有限公司 | Application program monitoring method and application server |
| CN110008687A (en) * | 2019-02-19 | 2019-07-12 | 阿里巴巴集团控股有限公司 | The processing method and processing device of risk application |
| CN112073584A (en) * | 2019-08-27 | 2020-12-11 | 烟台中科网络技术研究所 | Risk assessment method for App to collect personal sensitive information of user |
| CN112884258A (en) * | 2019-11-29 | 2021-06-01 | 中国电信股份有限公司 | Method and device for detecting application risk |
| CN113157210A (en) * | 2021-04-16 | 2021-07-23 | 深圳季连科技有限公司 | Privacy permission transfer method based on APP function |
| CN113672914A (en) * | 2021-08-23 | 2021-11-19 | 郑州云智信安安全技术有限公司 | Risk assessment method and device for APP personal data security |
| WO2021237075A1 (en) * | 2020-05-21 | 2021-11-25 | OneTrust, LLC | Data processing systems and methods for automatic discovery and assessment of mobile software development kits |
| CN114021142A (en) * | 2021-11-03 | 2022-02-08 | 广州链安科技有限公司 | Android application program vulnerability detection method |
| CN114386018A (en) * | 2022-01-19 | 2022-04-22 | 平安科技(深圳)有限公司 | Permission prompting method and device, computer equipment and medium |
-
2022
- 2022-12-22 CN CN202211656180.XA patent/CN115859360B/en active Active
Patent Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107705124A (en) * | 2017-09-14 | 2018-02-16 | 华中科技大学 | Mobile payment Environmental security check and evaluation system and method based on threat diagram |
| CN108090359A (en) * | 2018-01-05 | 2018-05-29 | 广东小天才科技有限公司 | Application program monitoring method and application server |
| CN110008687A (en) * | 2019-02-19 | 2019-07-12 | 阿里巴巴集团控股有限公司 | The processing method and processing device of risk application |
| CN112073584A (en) * | 2019-08-27 | 2020-12-11 | 烟台中科网络技术研究所 | Risk assessment method for App to collect personal sensitive information of user |
| CN112884258A (en) * | 2019-11-29 | 2021-06-01 | 中国电信股份有限公司 | Method and device for detecting application risk |
| WO2021237075A1 (en) * | 2020-05-21 | 2021-11-25 | OneTrust, LLC | Data processing systems and methods for automatic discovery and assessment of mobile software development kits |
| CN113157210A (en) * | 2021-04-16 | 2021-07-23 | 深圳季连科技有限公司 | Privacy permission transfer method based on APP function |
| CN113672914A (en) * | 2021-08-23 | 2021-11-19 | 郑州云智信安安全技术有限公司 | Risk assessment method and device for APP personal data security |
| CN114021142A (en) * | 2021-11-03 | 2022-02-08 | 广州链安科技有限公司 | Android application program vulnerability detection method |
| CN114386018A (en) * | 2022-01-19 | 2022-04-22 | 平安科技(深圳)有限公司 | Permission prompting method and device, computer equipment and medium |
Non-Patent Citations (6)
| Title |
|---|
| Android 应用程序个人信息安全量化评估模型研究;赵波 等;通信技术;第53卷(第08期);第2019-2025页 * |
| 基于Android安全机制的权限检测系统;闫梅;彭新光;;计算机工程与设计(第03期);第854-858页 * |
| 基于模糊神经网络的恶意APP软件动态检测技术研究;彭守镇;;现代电子技术(第02期);第49-52页 * |
| 基于静态分析的APK安全检测系统的设计与实现;曹勇;李军虎;陈晓升;;计算机与数字工程(第10期);第2146-2150页 * |
| 基于静态污点分析的Android隐私泄露检测方法研究;胡英杰;中国优秀硕士学位论文全文数据库(第07期);I138-6 * |
| 移动互联网APP应用安全评估模型;岳倩;;沈阳航空航天大学学报(第05期);第68-73页 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN115859360A (en) | 2023-03-28 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN107729352B (en) | Page resource loading method and terminal equipment | |
| US9860263B2 (en) | System and method for assessing data objects on mobile communications devices | |
| KR101558715B1 (en) | System and Method for Server-Coupled Malware Prevention | |
| US7770785B2 (en) | Apparatus and methods for detection and management of unauthorized executable instructions on a wireless device | |
| US9344431B2 (en) | System and method for assessing an application based on data from multiple devices | |
| US9258320B2 (en) | System for testing computer application | |
| JP6916818B2 (en) | Detecting vulnerable applications | |
| US9294500B2 (en) | System and method for creating and applying categorization-based policy to secure a mobile communications device from access to certain data objects | |
| CN104484599B (en) | A kind of behavior treating method and apparatus based on application program | |
| US9740852B2 (en) | System and method for assessing an application to be installed on a mobile communications device | |
| WO2015096695A1 (en) | Installation control method, system and device for application program | |
| JP2015092374A5 (en) | ||
| CN103607385A (en) | Method and apparatus for security detection based on browser | |
| US11375378B2 (en) | Wireless carrier network-enabled protection of high value data | |
| JP2015092374A (en) | Apparatus and methods for managing firmware verification on wireless device | |
| WO2015124017A1 (en) | Method and apparatus for application installation based on intelligent terminal device | |
| KR20120136126A (en) | Method and apparatus for treating malicious action in mobile terminal | |
| JP5478390B2 (en) | Log extraction system and program | |
| CN113961936A (en) | Trusted white list construction method, system and device and computer equipment | |
| CN111431957A (en) | File processing method, device, equipment and system | |
| CN115859360B (en) | APP personal data security detection scoring device and method | |
| Gamba | " Do Android Dream of Electric Sheep?" On Privacy in the Android Supply Chain | |
| WO2011114308A1 (en) | Method of and system for installing client protection software on a mobile device | |
| CN107066874A (en) | Method and device for interactively verifying information between container systems | |
| CN116961993A (en) | Service configuration method, system, equipment and medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| CB02 | Change of applicant information | ||
| CB02 | Change of applicant information |
Address after: Building 9, No. 186 Heyang Road, High tech Industrial Development Zone, Zhengzhou City, Henan Province, 450001 Applicant after: Zhengzhou Yunzhi Xin'an Security Technology Co.,Ltd. Address before: 450001 Floor 3, Building A, Building 2, No. 186 Heyang Road, Zhengzhou Hi tech Industrial Development Zone, Henan Province Applicant before: Zhengzhou Yunzhi Xin'an Security Technology Co.,Ltd. |
|
| GR01 | Patent grant | ||
| GR01 | Patent grant |