CN116450533B - Security detection method and device for application program, electronic equipment and medium - Google Patents

Info

Publication number: CN116450533B
Authority: CN (China)
Prior art keywords: function; information; application program; target parameter; page element
Legal status: Active (the legal status is an assumption and is not a legal conclusion)
Application number: CN202310705480.0A
Other languages: Chinese (zh)
Other versions: CN116450533A (en)
Inventors: 牟天宇, 程佩哲, 谭桂涛, 李沅坷
Current assignee: Industrial and Commercial Bank of China Ltd ICBC (the listed assignees may be inaccurate)
Original assignee: Industrial and Commercial Bank of China Ltd ICBC
Application filed by: Industrial and Commercial Bank of China Ltd ICBC
Priority to: CN202310705480.0A
Earlier publication: CN116450533A; granted publication: CN116450533B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/362 Software debugging
    • G06F11/3624 Software debugging by performing operations on the source code, e.g. via a compiler
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/362 Software debugging
    • G06F11/3636 Software debugging by tracing the execution of the program

Abstract

A security detection method and device for an application program, an electronic device, and a medium, applicable to the technical fields of information security and software testing. The method comprises the following steps: acquiring a first function for assembling a network message in an application program to be detected; instrumenting the first function to obtain target parameter information acquired by the first function when the first function is called; traversing a call chain of the first function to obtain a second function located at the user interface layer; instrumenting the second function to obtain page element information on the front-end page of the application program corresponding to the second function; comparing the target parameter information with the page element information; and determining that the application program has a security risk in response to the target parameter information not corresponding to the page element information. Through instrumentation and call chain analysis, the false alarm rate can be effectively reduced while the operability of the detection method is improved, so that security risks of the application program are detected effectively.

Description

Security detection method and device for application program, electronic equipment and medium
Technical Field
The present invention relates to the field of information security technology and the field of software testing technology, and more particularly, to a security detection method, apparatus, electronic device, and medium for an application program.
Background
At present, the collection of user information by application programs is mainly detected by means such as white-box code audit and dynamic sandbox detection.
In the white-box code audit approach, the code logic is checked for abnormal collection and upload of information, and the application program is checked for unnecessary or excessive permission requests (e.g., a communication application requesting photo album permission).
In the dynamic sandbox detection approach, the application program to be detected is run in a sandbox, and its behavior is checked for uploads of sensitive information to a background server while it runs.
However, both approaches are of limited effectiveness in detecting application programs that abnormally collect and upload sensitive user information. For white-box code audit, on the one hand, current client hardening technology is relatively mature, so the source code is relatively difficult to obtain; on the other hand, application programs have more and more functions of growing complexity, so judging abnormal collection of sensitive information only from permission requests produces a large number of false alarms. For dynamic sandbox detection, abnormal application programs have a large number of countermeasures, such as detecting the sandbox environment and hiding abnormal behavior when they find they are running in one, applying high-strength encryption to the sensitive information they upload, and collecting information abnormally only when a specific function is triggered.
As a result, the industry currently lacks the capability to detect application programs that abnormally collect and upload personal information.
Disclosure of Invention
In view of the foregoing, according to a first aspect of the present invention, an embodiment of the present invention provides a security detection method for an application program, the method including:
acquiring a first function for assembling a network message in an application program to be detected;
instrumenting the first function to obtain target parameter information acquired by the first function when the first function is called;
traversing the call chain of the first function to obtain a second function located at the user interface layer;
instrumenting the second function to obtain page element information on the front-end page of the application program corresponding to the second function;
comparing the target parameter information with the page element information; and
determining that the application program has a security risk in response to the target parameter information not corresponding to the page element information.
According to some exemplary embodiments, acquiring the first function for assembling the network message in the application program to be detected includes:
determining the development framework of the application program in response to retrieving features corresponding to a preset application development framework;
determining, according to the determined development framework, the name of the first function for assembling the network message under that development framework; and
acquiring the first function for assembling the network message according to the name of the first function for assembling the network message under the development framework.
According to some exemplary embodiments, acquiring the first function for assembling the network message in the application program to be detected includes:
tracking and searching, in memory, for the data entered by the user at the front end; and
in response to the data being packed into a message as a parameter of a preset function, determining the preset function as the first function for assembling the network message.
According to some exemplary embodiments, instrumenting the first function to obtain the target parameter information acquired by the first function when the first function is called specifically includes:
when the first function is called, checking each input parameter of the first function through instrumentation code according to a sensitive information rule; and
in response to at least one input parameter of the first function relating to sensitive information, determining the information about the at least one input parameter that relates to sensitive information as the target parameter information.
According to some exemplary embodiments, before traversing the call chain of the first function, the method further comprises:
instrumenting all running functions of the application program by instrumenting the class loader of the system;
acquiring and recording call information of all the instrumented running functions to form a call log, wherein the call log comprises the call time and the call source of each call to the running functions; and
acquiring the call chain related to the first function according to the call log.
According to some exemplary embodiments, instrumenting the second function to obtain the page element information on the front-end page of the application program corresponding to the second function specifically includes:
acquiring the front-end page running the second function and the activity name in the front-end page;
obtaining, through the instrumentation code, all window objects corresponding to the activity name; and
acquiring the page element information on the front-end page of the application program corresponding to the second function according to the window objects.
According to some exemplary embodiments, the target parameter information includes a type of sensitive information;
determining that the application program has a security risk in response to the target parameter information not corresponding to the page element information specifically includes:
in response to the type of sensitive information related to the target parameter information not existing in the page element information, determining that the application program has a security risk of abnormally collecting sensitive information.
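The call-log and comparison embodiments above can be sketched as follows. This is an added example, not code from the patent: the record fields, the function and class names, the keyword table that maps on-page text to sensitive-information types, and the "inconclusive" verdict for a broken chain are all assumptions, and the call log and page contents are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CallRecord:
    time: int     # call time (unique, increasing tick written by the probe)
    callee: str   # function that was called
    caller: str   # call source


# Constructed call log, as probes on all running functions might record it.
CALL_LOG = [
    CallRecord(100, "LoginActivity.onSubmit", "android.view.View.performClick"),
    CallRecord(101, "LoginPresenter.login", "LoginActivity.onSubmit"),
    CallRecord(102, "Rpc.buildMessage", "LoginPresenter.login"),
    CallRecord(200, "FeedbackActivity.onSend", "android.view.View.performClick"),
    CallRecord(201, "FeedbackPresenter.send", "FeedbackActivity.onSend"),
    CallRecord(202, "Rpc.buildMessage", "FeedbackPresenter.send"),
]

# Assumption: classes known to belong to the user interface layer.
UI_CLASSES = {"LoginActivity", "FeedbackActivity"}

# Constructed page element text per activity, as read from its window objects.
PAGES = {
    "LoginActivity": ["Mobile number", "Password", "Log in"],
    "FeedbackActivity": ["Your feedback", "Send"],
}

# Assumption: keywords that tie visible page text to a sensitive-information type.
TYPE_KEYWORDS = {
    "mobile_phone": ("mobile", "phone"),
    "id_card": ("id card", "identity"),
}


def call_chain(log, first_function, call_time):
    """Follow call sources backwards from one invocation of the first function."""
    chain, callee, limit = [], first_function, call_time + 1
    while True:
        earlier = [r for r in log if r.callee == callee and r.time < limit]
        if not earlier:
            return chain
        record = max(earlier, key=lambda r: r.time)
        chain.append(record.callee)
        # Times strictly decrease, so recursion in the log cannot loop forever.
        callee, limit = record.caller, record.time


def ui_layer_function(chain, ui_classes):
    """Return the first function on the chain whose class is in the UI layer."""
    for name in chain:
        if name.rsplit(".", 1)[0] in ui_classes:
            return name
    return None


def types_on_page(elements):
    """Map page element text to the sensitive-information types it asks for."""
    found = set()
    for text in elements:
        lowered = text.lower()
        for kind, keywords in TYPE_KEYWORDS.items():
            if any(word in lowered for word in keywords):
                found.add(kind)
    return found


def assess(log, first_function, call_time, sent_types, ui_classes, pages):
    """Compare the types sent in one message with what the page shows the user."""
    chain = call_chain(log, first_function, call_time)
    second = ui_layer_function(chain, ui_classes)
    if second is None:
        # Broken or missing chain: nothing to compare against, so do not guess.
        return {"verdict": "inconclusive", "second_function": None,
                "unexplained": sorted(sent_types)}
    activity = second.rsplit(".", 1)[0]
    unexplained = sorted(set(sent_types) - types_on_page(pages.get(activity, [])))
    return {"verdict": "risk" if unexplained else "ok",
            "second_function": second, "unexplained": unexplained}


if __name__ == "__main__":
    print(assess(CALL_LOG, "Rpc.buildMessage", 102, {"mobile_phone"}, UI_CLASSES, PAGES))
    print(assess(CALL_LOG, "Rpc.buildMessage", 202, {"mobile_phone", "id_card"},
                 UI_CLASSES, PAGES))
```

The second call is flagged because the feedback page shows no field for either type that the message carries.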
According to a second aspect of the present invention there is also provided a security detection device for an application, the device comprising:
a first function acquisition module, used for acquiring a first function for assembling a network message in the application program to be detected;
a target parameter information acquisition module, used for instrumenting the first function to obtain target parameter information acquired by the first function when the first function is called;
a second function acquisition module, used for traversing the call chain of the first function to obtain a second function located at the user interface layer;
a page element information acquisition module, used for instrumenting the second function to obtain page element information on the front-end page of the application program corresponding to the second function;
a comparison module, used for comparing the target parameter information with the page element information; and
a judging module, used for determining that the application program has a security risk in response to the target parameter information not corresponding to the page element information.
According to a third aspect of the present invention, there is provided an electronic device comprising: one or more processors; and a storage device for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method as described above.
According to a fourth aspect of the present invention there is provided a computer readable storage medium having stored thereon executable instructions which when executed by a processor cause the processor to perform a method as described above.
According to a fifth aspect of the present invention there is provided a computer program product comprising a computer program which, when executed by a processor, implements a method as described above.
One or more of the above embodiments have the following advantages or benefits: through instrumentation and call chain analysis, the false alarm rate can be effectively reduced while the operability of the detection method is improved, so that security risks of the application program are detected effectively.
Drawings
The foregoing and other objects, features and advantages of the invention will be apparent from the following description of embodiments of the invention with reference to the accompanying drawings, in which:
Fig. 1 schematically illustrates an application scenario diagram of a security detection method, apparatus, device, medium according to an embodiment of the present invention.
Fig. 2 schematically shows a flow chart of a security detection method according to an embodiment of the invention.
Fig. 3 is a flowchart of a method for obtaining a function for assembling a network message in an application to be detected in accordance with some example embodiments of the present invention.
Fig. 4 is a flowchart of obtaining a function for assembling a network message in an application to be detected, in a method according to further exemplary embodiments of the present invention.
Fig. 5 is a flowchart of a method for acquiring target parameter information acquired by the first function when a call occurs to the first function according to some exemplary embodiments of the present invention.
Fig. 6 is a flowchart of a method of retrieving a chain of function calls according to some example embodiments of the invention.
Fig. 7 schematically illustrates a class loader.
Fig. 8 schematically shows a call chain associated with the first function.
Fig. 9 is a flowchart of acquiring page element information in a method according to some exemplary embodiments of the invention.
Fig. 10A schematically shows a block diagram of a security detection device according to an embodiment of the present invention.
Fig. 10B schematically shows a swim-lane diagram of the distribution of the individual modules of the security detection device according to an embodiment of the present invention.
Fig. 11 schematically illustrates a block diagram of a first function acquisition module according to some exemplary embodiments of the invention.
Fig. 12 schematically shows a block diagram of a first function acquisition module according to further exemplary embodiments of the present invention.
Fig. 13 schematically illustrates a block diagram of a target parameter information acquisition module according to some exemplary embodiments of the invention.
Fig. 14 schematically illustrates a block diagram of a call chain acquisition module according to some example embodiments of the invention.
Fig. 15 schematically illustrates a block diagram of a page element information acquisition module according to some exemplary embodiments of the invention.
Fig. 16 schematically shows a block diagram of an electronic device adapted to implement a security detection method according to an embodiment of the invention.
Detailed Description
Hereinafter, embodiments of the present invention will be described with reference to the accompanying drawings. It should be understood that the description is only illustrative and is not intended to limit the scope of the invention. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the invention. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the present invention.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where an expression such as "at least one of A, B and C, etc." is used, it should generally be interpreted in accordance with the meaning commonly understood by those skilled in the art (e.g., "a system having at least one of A, B and C" shall include, but not be limited to, a system having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.).
In the technical scheme of the invention, the acquisition, storage, application and the like of the personal information of the users involved comply with the relevant laws and regulations, necessary security measures are taken, and public order and good customs are not violated.
First, technical terms described herein are explained and illustrated as follows.
Instrumentation: while preserving the integrity of the original program logic, a probe is inserted into the program (for example, a code segment is inserted at a specific position), and information in the code (for example, the method itself, method parameter values, return values and the like) is collected through the probe, so that dynamic context information is gathered while the program runs.
Sensitive information, also known as sensitive personal information, refers to personal information that, once compromised or abnormally used, easily causes the personal dignity of natural people to be infringed or the personal and property security to be compromised, including information such as biometric identification, specific identity, medical health, financial accounts, and the like.
In the field of software testing, black-box, white-box, gray-box and sandbox testing are common testing methods. In black-box testing, the tester may not know the internal structure or source code of the software under test, and does not need in-depth knowledge of the programming language or excellent coding skills to perform the test. The goal of black-box testing is not to study the code in depth or walk through the inside of the software, but to interact with the user interface, test its functions, and ensure that every input and output of the system meets the specification. Black-box testing may therefore also be referred to as functional testing or specification-based testing. The goal of white-box testing is to analyze the internal structure of the software and the logic behind it, so white-box testing is sometimes referred to as structural testing or logic-driven testing. In white-box testing, the tester is required to have strong programming ability, a comprehensive understanding of the software being tested, and access to all source code and architecture documents. Gray-box testing places emphasis on all layers of the software under test regardless of its complexity, thereby increasing the coverage of the testing. The black-box tester ensures that the interface and the functions all work normally, the white-box tester studies the internal structure of the code in depth and repairs the source code of the software, and the gray-box tester handles both aspects at the same time in a non-intrusive manner. Gray-box testing is a testing technique that designs test cases based on the external behavior of a running program combined with its internal logic structure, executes the program, and collects program path execution information and external user interface results.
Sandbox testing refers to a virtualization technique in the computer field, mostly used in computer security. Its principle is that the files generated and modified by a program are redirected into the sandbox's own folder through a redirection technique. When a program attempts to run, the security software can first let it run in the sandbox; if the program exhibits abnormal behavior, it is prohibited from running further, and no harm is done to the system. The sandbox environment is also called a test environment or a development environment, and is an environment in which developers develop and test. There is no limitation on application functions in this environment.
At present, the collection of user information by application programs is mainly detected by means such as white-box code audit and dynamic sandbox detection. In the white-box code audit approach, the code logic is checked for abnormal collection and upload of information, and the application program is checked for unnecessary or excessive permission requests (e.g., a communication application requesting photo album permission). In the dynamic sandbox detection approach, the application program to be detected is run in a sandbox, and its behavior is checked for uploads of sensitive information to a background server while it runs. However, both approaches are of limited effectiveness in detecting application programs that abnormally collect and upload sensitive user information. For white-box code audit, on the one hand, current client hardening technology is relatively mature, so the source code is relatively difficult to obtain; on the other hand, application programs have more and more functions of growing complexity, so judging abnormal collection of sensitive information only from permission requests produces a large number of false alarms. For dynamic sandbox detection, abnormal application programs have a large number of countermeasures, such as detecting the sandbox environment and hiding abnormal behavior when they find they are running in one, applying high-strength encryption to the sensitive information they upload, and collecting information abnormally only when a specific function is triggered. As a result, the industry currently lacks the capability to detect application programs that abnormally collect and upload personal information.
Based on this, an embodiment of the present invention provides a security detection method for an application program, the method including: acquiring a first function for assembling a network message in an application program to be detected; instrumenting the first function to obtain target parameter information acquired by the first function when the first function is called; traversing the call chain of the first function to obtain a second function located at the user interface layer; instrumenting the second function to obtain page element information on the front-end page of the application program corresponding to the second function; comparing the target parameter information with the page element information; and determining that the application program has a security risk in response to the target parameter information not corresponding to the page element information. With the method provided by the embodiment of the invention, instrumentation and call chain analysis effectively reduce the false alarm rate while improving the operability of the detection method, so that security risks of the application program are detected effectively.
It should be noted that the security detection method and the security detection device provided by the embodiment of the invention can be used in the technical field of information security and the technical field of software testing.
Fig. 1 schematically illustrates an application scenario diagram of a security detection method, apparatus, device, medium according to an embodiment of the present invention.
As shown in fig. 1, an application scenario 100 according to this embodiment may include terminal devices 101, 102, 103, a network 104, and a server 105. The network 104 is used as a medium to provide communication links between the terminal devices 101, 102, 103 and the server 105. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
The user may interact with the server 105 via the network 104 using the terminal devices 101, 102, 103 to receive or send messages or the like. Various communication client applications, such as shopping class applications, web browser applications, search class applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only) may be installed on the terminal devices 101, 102, 103.
The terminal devices 101, 102, 103 may be a variety of electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The server 105 may be a server providing various services, such as a background management server (by way of example only) providing support for websites browsed by users using the terminal devices 101, 102, 103. The background management server may analyze and process the received data such as the user request, and feed back the processing result (e.g., the web page, information, or data obtained or generated according to the user request) to the terminal device.
It should be noted that, the security detection method provided by the embodiment of the present invention may be performed by the terminal devices 101, 102, 103 or the server 105. Accordingly, the security detection device provided by the embodiment of the present invention may be generally disposed in the terminal device 101, 102, 103 or the server 105. The security detection method provided by the embodiment of the present invention may also be performed by a server or a server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105. Accordingly, the security detection apparatus provided by the embodiments of the present invention may also be provided in a server or a server cluster, which is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105.
It should be understood that the number of terminal devices, networks and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
The security detection method provided by the embodiment of the invention is described in detail below with reference to Figs. 2 to 9, based on the scenario described in Fig. 1.
Fig. 2 schematically shows a flow chart of a security detection method according to an embodiment of the invention.
As shown in fig. 2, the security detection method 200 according to this embodiment may include operations S210 to S260.
In operation S210, a first function for assembling a network message in an application to be detected is obtained.
In applications (APPs), such as client applications and web applications, the client (i.e., the front end) and the server (i.e., the back end) may exchange data through network messages. For example, an APP client assembles the parameters that the server needs to obtain from the client and invokes a network request method to send them to the server. The first function may be a function that assembles and/or sends these parameters.
In some exemplary embodiments, the application to be detected is developed using a mainstream development framework. In these mainstream development frameworks, the first function used to assemble network messages has a fixed function name. For example, in a certain mPaaS mobile development framework, the adaptation json method in the RPC class is responsible for the network message parameters.
Fig. 3 is a flowchart of a method for obtaining a function for assembling a network message in an application to be detected in accordance with some example embodiments of the present invention. In this embodiment, operation S210 may include sub-operations S310 to S330.
In sub-operation S310, in response to retrieving features corresponding to a preset application development framework, the development framework of the application is determined.
For example, the preset application development framework may be at least one of the mainstream development frameworks. The unique features of a development framework may be searched for in the APP code segment, data segment and storage space at APP runtime. For example, a certain mPaaS mobile development framework may store encrypted content as a picture named yw_1222.Jpg. In response to retrieving such a unique feature, the development framework employed by the application may be determined.
In sub-operation S320, according to the determined development framework, a name of a first function for assembling the network message under the development framework is determined.
In sub-operation S330, the first function for assembling the network message is obtained according to the name of the first function for assembling the network message under the development framework.
For example, after determining that the development framework of the application program is a certain mPaaS mobile development framework, it may be determined that the first function for assembling the network message under that development framework is the adaptation json method in the RPC class.
In this embodiment, once the development framework of the application program is determined, the corresponding function name is returned directly for that framework, so that the first function for assembling the network message can be obtained. Determining the first function quickly from the development framework of the application program reduces the amount of computation and improves efficiency.
In other exemplary embodiments, the application to be detected is not developed with a mainstream development framework, or uses custom code to implement the assembling and sending of network messages.
Fig. 4 is a flowchart of obtaining a function for assembling a network message in an application to be detected, in a method according to further exemplary embodiments of the present invention. In this embodiment, operation S210 may include sub-operations S410 to S420.
In sub-operation S410, the data entered by the user at the front end is tracked and searched for in memory.
In sub-operation S420, in response to the data being packed into a message as a parameter of a preset function, the preset function is determined as the first function for assembling the network message.
In this embodiment, for the case where the APP developer does not use a mainstream development framework or uses custom code to implement the assembling and sending of network messages, the first function may be determined by tracking and searching in memory for the function in whose parameters the data entered by the user at the front end finally appears. For example, if the user enters a mobile phone number at the front end for transmission to the back end, the plaintext mobile phone number is finally packed as a parameter of the function that assembles the network message, which yields the function name and the corresponding function.
In this embodiment, by dynamically tracking the parameters entered by the user at the front end, the corresponding function name may be obtained, so that the first function for assembling the network message may be obtained. Where the application program is not developed with a mainstream development framework, the first function for assembling the network message may thus be determined by dynamically tracking the parameters, which helps to extend the application scenarios of the security detection method according to the embodiments of the present disclosure.
Referring back to fig. 2, in operation S220, by instrumenting the first function, the target parameter information acquired by the first function when the first function is called is obtained.
Fig. 5 is a flowchart of a method for acquiring target parameter information acquired by the first function when a call occurs to the first function according to some exemplary embodiments of the present invention. In this embodiment, operation S220 may include sub-operations S510 to S520.
In sub-operation S510, when the first function is called, each input parameter of the first function is checked by the instrumentation code according to a rule of sensitive information.
In this embodiment, the sensitive information rule may be understood as a rule for checking whether sensitive information is included in the parameter. For example, the sensitive information may include information such as a personal mobile phone number, an identification card number, a client browsing record, and the like.
In this embodiment, the first function is instrumented so that when the first function is invoked, indicating that a network transmission is initiated, instrumentation code instrumented into the first function may obtain each input parameter of the first function, and then, for each input parameter, may check whether it relates to sensitive information.
In sub-operation S520, in response to at least one input parameter of the first function relating to sensitive information, the related information of the at least one input parameter that relates to the sensitive information is determined as the target parameter information.
In this embodiment, if the above check result indicates that at least one input parameter of the first function relates to sensitive information, for example a personal mobile phone number, an identity card number, a client browsing record and the like, the related information of the at least one input parameter that relates to the sensitive information can be determined as the target parameter information.
In this embodiment, the target parameter information related to the input parameter of the first function is acquired by the instrumentation technique, and the acquisition of the target parameter information can be achieved without invading the source code.
In some exemplary embodiments, the target parameter information may include a type of sensitive information, i.e., a type of sensitive information to which at least one input parameter relates may be recorded.
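The check of sub-operations S510 to S520 can be sketched as follows. This is an added example, not code from the patent: the rule patterns, the type names, the browsing-record key names and the sample call arguments are constructed assumptions, since the patent names the categories of sensitive information but not the rules themselves.

```python
import json
import re

# Illustrative sensitive-information rules (assumptions, not from the patent).
MOBILE_RE = re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)")      # 11-digit mainland mobile number
ID_RE = re.compile(r"(?<!\d)\d{17}[\dXx](?!\d)")         # 18-character identity card number
ID_WEIGHTS = (7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2)
ID_CHECK = "10X98765432"
BROWSING_KEYS = {"browse_history", "visited_pages"}      # hypothetical key names


def valid_id_number(candidate):
    """Verify the check character so random 18-digit strings are not reported."""
    total = sum(int(d) * w for d, w in zip(candidate[:17], ID_WEIGHTS))
    return ID_CHECK[total % 11] == candidate[17].upper()


def iter_leaves(value, path):
    """Yield (path, leaf) pairs; JSON text inside a string parameter is expanded."""
    if isinstance(value, str) and value.lstrip()[:1] in ("{", "["):
        try:
            value = json.loads(value)
        except ValueError:
            pass  # not JSON after all: keep it as a plain string
    if isinstance(value, dict):
        for key, child in value.items():
            yield from iter_leaves(child, f"{path}.{key}")
    elif isinstance(value, (list, tuple)):
        for index, child in enumerate(value):
            yield from iter_leaves(child, f"{path}[{index}]")
    else:
        yield path, value


def check_leaf(path, leaf):
    """Return the set of sensitive-information types one leaf value relates to."""
    types = set()
    text = "" if leaf is None else str(leaf)
    if MOBILE_RE.search(text):
        types.add("mobile_phone_number")
    if any(valid_id_number(c) for c in ID_RE.findall(text)):
        types.add("id_card_number")
    if text and BROWSING_KEYS & set(re.findall(r"[A-Za-z_]\w*", path)):
        types.add("browsing_record")
    return types


def inspect_call(args):
    """What the instrumentation code does on one call of the first function."""
    findings = []
    for index, arg in enumerate(args):
        for path, leaf in iter_leaves(arg, f"arg{index}"):
            types = check_leaf(path, leaf)
            if types:
                # Record the parameter and the type only, never the value itself.
                findings.append({"param": path, "types": sorted(types)})
    return findings


def target_parameter_info(findings):
    """Types of sensitive information involved in the call (target parameter information)."""
    return sorted({t for f in findings for t in f["types"]})


# Constructed sample: arguments of one hypothetical call of the first function.
SAMPLE_ARGS = (
    "com.example.rpc.submitOrder",
    '{"order": {"sku": "A-100", "contact": "13800138000"}, "idNo": "11010519491231002X"}',
    {"browse_history": ["/loan/offer", "/fund/7"], "trace": "110105194912310021"},
)

if __name__ == "__main__":
    for finding in inspect_call(SAMPLE_ARGS):
        print(finding)
```

The 18-digit trace value in the sample fails the check-character test and is therefore not reported as an identity card number.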
Referring back to fig. 2, in operation S230, a call chain of the first function is traversed to acquire a second function at the user interface layer.
In an embodiment of the present invention, before the traversing the call chain of the first function, the method may further include obtaining a call chain related to the first function.
FIG. 6 is a flowchart of a method of retrieving a chain of function calls according to some example embodiments of the invention. In this embodiment, the acquiring the call chain related to the first function may include operations S610 to S630.
In operation S610, all running functions of the application are instrumented by instrumentation of class loaders of the system.
Taking the Java programming language as an example, the Java class loader is a bridge between an application program and the Java virtual machine. Fig. 7 schematically illustrates a class loader.
As shown in fig. 7, source file (.java): .java is the suffix of Java source files, which store the functional code written by programmers. Such a file is only a text file and cannot be recognized by the Java virtual machine; however, the Java language has its own grammar specification, and a Java program that does not meet the specification is reported as an error by the compiler at compile time.
Java bytecode file (.class): it can be generated by compiling the .java file with the javac command and is essentially a binary file. This file can be loaded (class loading) by the Java virtual machine and then interpreted and executed, that is, run as a program. Bytecode files also make multi-language support possible: the Java virtual machine itself only recognizes .class files, so a program in any language (Python, Go and other programming languages) can be executed on the Java virtual machine as long as there is a suitable interpreter that turns it into a .class file.
Java virtual machine: the Java Virtual Machine (abbreviated as JVM) only recognizes .class files, which it can load into memory to generate the corresponding Java objects. It also provides memory management, program optimization, lock management and other functions. All Java programs ultimately run on the Java virtual machine.
In some exemplary embodiments of the present invention, the class loader of the system may be instrumented by means of the class loading mechanism of the programming language, so as to implement instrumentation of all running functions of the application to be detected.
In operation S620, call information of all the instrumented running functions is obtained and recorded to form a call log, where the call log includes call time and call source when all the running functions call.
In some exemplary embodiments of the present invention, instrumentation is performed on all running functions of an application to be detected by instrumentation on a class loader of the system, so that when each function of the application generates a call, call information of the call can be recorded in a call log, where the call information may include, for example, a call time, a call source, and the like.
In operation S630, a call chain related to the first function is acquired according to the call log.
The call log records call information of all running functions of the application program, so that when a first function is called, each call information related to the first function can be searched in the call log, and a call chain related to the first function is obtained.
In the embodiment, the instrumentation of all running functions of the application program is realized by the instrumentation of the class loader of the system, so that a call chain of the target function can be conveniently acquired.
Fig. 8 schematically shows a call chain associated with the first function. As shown in fig. 8, from the call log, a call chain related to the first function may be acquired as follows: the second function calls a third function, the third function calls a fourth function, the fourth function calls a fifth function, and the fifth function calls the first function. Illustratively, the second function may be a function at a user interface layer (i.e., UI layer). That is, the call chain may recursively trace back to the user interface layer.
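The reconstruction of the call chain of fig. 8 from a call log (operations S610 to S630 and S230) can be sketched as follows. This is an added example, not code from the patent: the log record layout, the function names, the rule used to recognise a user-interface-layer function and the sample log are constructed assumptions, and calls are matched by time only, which assumes the recorded calls are not interleaved across threads.

```python
from collections import namedtuple

# One call-log entry: call time, call source (the caller) and the function called.
CallRecord = namedtuple("CallRecord", "time source callee")


def is_ui_layer(function_name):
    """Assumed rule: methods of an Activity class or onClick handlers are UI-layer functions."""
    cls, _, method = function_name.rpartition(".")
    return cls.endswith("Activity") or method.startswith("onClick")


def call_chain(log, first_function, call_time, max_depth=64):
    """Trace the call of first_function at call_time back through the call log.

    Returns the chain ordered from the outermost caller found down to first_function.
    """
    by_callee = {}
    for record in sorted(log, key=lambda r: r.time):
        by_callee.setdefault(record.callee, []).append(record)

    chain = [first_function]
    current, deadline = first_function, call_time
    while len(chain) <= max_depth:
        # The caller is the source of the latest call to `current` not after the deadline.
        candidates = [r for r in by_callee.get(current, []) if r.time <= deadline]
        if not candidates:
            break                      # log exhausted: chain ends outside the UI layer
        record = candidates[-1]
        if record.source in chain:
            break                      # recursion guard
        chain.append(record.source)
        if is_ui_layer(record.source):
            break                      # reached the user interface layer
        current, deadline = record.source, record.time
    chain.reverse()
    return chain


def second_function(chain):
    """The UI-layer function at the head of the chain, or None if the chain never reaches the UI."""
    return chain[0] if is_ui_layer(chain[0]) else None


# Constructed call log: one request started by a button click, one by a background timer.
SAMPLE_LOG = [
    CallRecord(100, "LoginActivity.onClickSubmit", "LoginPresenter.submit"),
    CallRecord(101, "LoginPresenter.submit", "UserRepo.login"),
    CallRecord(102, "UserRepo.login", "RpcClient.buildRequest"),
    CallRecord(103, "RpcClient.buildRequest", "Rpc.assemble"),
    CallRecord(499, "TimerThread.run", "AnalyticsSdk.flush"),
    CallRecord(500, "AnalyticsSdk.flush", "RpcClient.buildRequest"),
    CallRecord(501, "RpcClient.buildRequest", "Rpc.assemble"),
]

if __name__ == "__main__":
    for when in (103, 501):
        chain = call_chain(SAMPLE_LOG, "Rpc.assemble", when)
        print(when, " -> ".join(chain), "| UI function:", second_function(chain))
```

A chain that ends without reaching the user interface layer, as for the call at time 501 in the sample, has no front-end page to compare against.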
Referring back to fig. 2, in operation S240, the page element information on the front page of the application corresponding to the second function is acquired by instrumentation of the second function.
Fig. 9 is a flowchart of acquiring page element information in a method according to some exemplary embodiments of the invention. In this embodiment, the operation S240 may include sub-operations S910 to S930.
In sub-operation S910, the front-end page running the second function and the Activity name in the front-end page are acquired.
In sub-operation S920, all window objects corresponding to the Activity name are acquired through instrumentation code.
In sub-operation S930, according to the window object, page element information on the front page of the application program corresponding to the second function is acquired.
Next, taking an application program in the android system as an example, operation S240 will be described in more detail with reference to fig. 9.
As described above, the call chain can be traced back recursively to the user interface layer, that is, to a function of the user interface layer, so that the front-end page from which the request originated can be located; for example, a button event in an Activity of the application can be located, together with the Activity name of that Activity in the front-end page. With the obtained front-end page and Activity name, all window objects (i.e., view objects) can be obtained by instrumentation, for example by instrumentation code that reflectively calls getalchildbview, and the element information on the front-end page is then obtained, including element information of EditText, TextView and the like.
In this embodiment, the acquisition of the page element information related to the second function may be achieved without invading the source code by the instrumentation technique.
That is, in this operation S240, personal information that the application program needs to input by the user on the front page may be acquired. The personal information which needs to be input by the user can be understood as personal information which needs to be collected and clearly shown to the user. It will be appreciated that the acquisition of such personal information requires explicit consent from the user and is in compliance with relevant legal regulations.
Referring back to fig. 2, the target parameter information and the page element information are compared in operation S250.
In operation S260, it is determined that the application program has a security risk in response to the target parameter information not corresponding to the page element information.
In some exemplary embodiments of the invention, the target parameter information includes a type of sensitive information.
Accordingly, the operation S260 may specifically include: in response to the type of the sensitive information related to the target parameter information not existing in the page element information, determining that the application program has a security risk of abnormally collecting sensitive information.
In this embodiment, whether the application program has a security risk of collecting the sensitive information abnormally is determined by comparing whether the type of the sensitive information involved in the target parameter information exists in the page element information. That is, the types of the sensitive information are compared, and the complete information of the sensitive information is not required to be compared, so that the calculated amount can be reduced, and the judging efficiency is improved.
In the embodiment of the invention, when an input parameter of the first function relates to sensitive information, the sensitive information related to the input parameter is compared with the page elements into which the user inputs data on the front-end page. For example, if the sensitive information related to the input parameter exists synchronously with the page elements input by the user on the front-end page, the collection of the sensitive information is considered to be a functional requirement of the application program and normal behavior agreed to by the user; if the sensitive information related to the input parameter and the page elements input by the user on the front-end page are not synchronous, the application program is considered to be abnormally collecting or acquiring sensitive information, the input parameter and the UI page information can be recorded, and the related problem is reported.
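The comparison of operations S250 to S260, carried out on types of sensitive information rather than on the values, can be sketched as follows. This is an added example, not code from the patent: the view-tree layout, the keyword rules that map a page element to a type, the treatment of hidden views as not shown to the user, and the sample page are constructed assumptions.

```python
# Assumed keyword rules mapping a page element's id, hint or text to a sensitive-information type.
ELEMENT_KEYWORDS = {
    "mobile_phone_number": ("mobile", "phone"),
    "id_card_number": ("id card", "identity"),
    "browsing_record": ("browsing", "history"),
}
ELEMENT_CLASSES = ("EditText", "TextView")


def all_child_views(view):
    """Depth-first walk over a window object tree, skipping hidden subtrees."""
    if not view.get("visible", True):
        return  # assumption: a hidden view does not show the collection to the user
    yield view
    for child in view.get("children", ()):
        yield from all_child_views(child)


def page_element_info(root):
    """Collect EditText and TextView elements and the sensitive types they present."""
    elements = []
    for view in all_child_views(root):
        if view.get("class") not in ELEMENT_CLASSES:
            continue
        label = " ".join(str(view.get(k, "")) for k in ("id", "hint", "text")).lower()
        types = sorted(
            t for t, words in ELEMENT_KEYWORDS.items() if any(w in label for w in words)
        )
        elements.append({"id": view.get("id"), "class": view["class"], "types": types})
    return elements


def compare_with_page(target_types, elements, activity_name):
    """Report the target parameter types that no page element accounts for."""
    shown = {t for element in elements for t in element["types"]}
    unexplained = sorted(set(target_types) - shown)
    return {
        "activity": activity_name,
        "shown_on_page": sorted(shown),
        "unexplained": unexplained,
        "security_risk": bool(unexplained),
    }


# Constructed window object tree of a hypothetical sign-in page.
SAMPLE_PAGE = {
    "class": "DecorView",
    "children": [
        {"class": "LinearLayout", "children": [
            {"class": "TextView", "id": "tv_title", "text": "Sign in"},
            {"class": "EditText", "id": "et_account", "hint": "Mobile number"},
            {"class": "EditText", "id": "et_pwd", "hint": "Password"},
            {"class": "EditText", "id": "et_id_card", "hint": "Identity card",
             "visible": False},
            {"class": "Button", "id": "btn_submit", "text": "Submit"},
        ]},
    ],
}

if __name__ == "__main__":
    elements = page_element_info(SAMPLE_PAGE)
    print(compare_with_page(["mobile_phone_number"], elements, "LoginActivity"))
    print(compare_with_page(["id_card_number", "mobile_phone_number"], elements,
                            "LoginActivity"))
```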
Fig. 10A schematically shows a block diagram of a security detection device according to an embodiment of the present invention.
As shown in fig. 10A, the security detection device 1000 according to this embodiment includes a first function acquisition module 1010, a target parameter information acquisition module 1020, a second function acquisition module 1030, a page element information acquisition module 1040, a comparison module 1050, and a determination module 1060.
The first function obtaining module 1010 is configured to obtain a first function for assembling a network packet in an application to be detected. In an embodiment, the first function obtaining module 1010 may be configured to perform the operation S210 and its sub-operations described above, which are not described herein.
The target parameter information obtaining module 1020 is configured to obtain, by instrumenting the first function, the target parameter information acquired by the first function when the first function is called. In an embodiment, the target parameter information obtaining module 1020 may be configured to perform the operation S220 and its sub-operations described above, which are not described herein.
The second function obtaining module 1030 is configured to traverse the call chain of the first function to obtain a second function located at the user interface layer. In an embodiment, the second function obtaining module 1030 may be configured to perform the operation S230 and its sub-operations described above, which are not described herein.
The page element information obtaining module 1040 is configured to obtain page element information on a front page of an application corresponding to the second function by performing instrumentation on the second function. In an embodiment, the page element information obtaining module 1040 may be used to perform the operation S240 and its sub-operations described above, which are not described herein.
The comparison module 1050 is configured to compare the target parameter information and the page element information. In an embodiment, the comparing module 1050 may be configured to perform the operation S250 and its sub-operations described above, which are not described herein.
The determining module 1060 is configured to determine that the application program has a security risk in response to the target parameter information not corresponding to the page element information. In an embodiment, the determining module 1060 may be configured to perform the operation S260 and its sub-operations described above, which are not described herein.
Fig. 11 schematically illustrates a block diagram of a first function acquisition module according to some exemplary embodiments of the invention.
As shown in fig. 11, in some exemplary embodiments, the first function acquisition module 1010 may include a development framework determination submodule 1011, a first function name determination submodule 1012, and a first function acquisition submodule 1013.
The development framework determination submodule 1011 is configured to determine a development framework of the application program in response to retrieving the feature corresponding to the preset application program development framework.
The first function name determining submodule 1012 is used for determining the name of a first function used for assembling the network message under the development framework according to the determined development framework.
The first function obtaining submodule 1013 is configured to obtain a first function for assembling a network packet according to a name of the first function for assembling the network packet under the development framework.
Fig. 12 schematically shows a block diagram of a first function acquisition module according to further exemplary embodiments of the present invention.
As shown in fig. 12, the first function acquisition module 1010 may include a data tracking submodule 1014 and a first function determination submodule 1015.
The data tracking sub-module 1014 is used to track and search in memory for the data input by the user at the front end.
The first function determining submodule 1015 is configured to, in response to the data being packaged as a parameter of a preset function, determine the preset function as the first function for assembling a network packet.
Fig. 13 schematically illustrates a block diagram of a target parameter information acquisition module according to some exemplary embodiments of the invention.
As shown in fig. 13, in some exemplary embodiments, the target parameter information acquisition module 1020 may include an input parameter checking sub-module 1021 and a target parameter information acquisition sub-module 1022.
The input parameter checking sub-module 1021 is configured to: when the first function is called, checking each input parameter of the first function through the instrumentation code according to the rule of sensitive information.
The target parameter information acquisition submodule 1022 is configured to: in response to at least one input parameter of the first function relating to sensitive information, determine the related information of the at least one input parameter that relates to the sensitive information as the target parameter information.
The security detection device 1000 according to this embodiment may further include a call chain acquisition module 1070.
FIG. 14 schematically illustrates a block diagram of a call chain acquisition module according to some example embodiments of the invention.
As shown in fig. 14, in some exemplary embodiments, the call chain acquisition module 1070 may include a system instrumentation submodule 1071, a call log formation submodule 1072, and a call chain acquisition submodule 1073.
The system instrumentation sub-module 1071 is configured to instrument all running functions of the application program by instrumenting the class loader of the system.
The call log forming submodule 1072 is configured to obtain and record call information of all the instrumented running functions to form a call log, where the call log includes call time and call source when all the running functions are called.
The call chain acquisition submodule 1073 is configured to acquire a call chain related to the first function according to the call log.
Fig. 15 schematically illustrates a block diagram of a page element information acquisition module according to some exemplary embodiments of the invention.
As shown in FIG. 15, in some exemplary embodiments, the page element information acquisition module 1040 may include an Activity name acquisition sub-module 1041, a window object acquisition sub-module 1042, and a page element information acquisition sub-module 1043.
The Activity name acquisition submodule 1041 is configured to acquire the front-end page running the second function and the Activity name in the front-end page.
The window object acquisition sub-module 1042 is used for obtaining all window objects corresponding to the Activity name through the instrumentation code.
The page element information obtaining sub-module 1043 is configured to obtain, according to the window object, page element information on a front page of the application program corresponding to the second function.
In the security detection device provided by the embodiment of the invention, the target parameter information comprises the type of the sensitive information. The determining that the application program has a security risk in response to the target parameter information not corresponding to the page element information may specifically include: in response to the type of the sensitive information related to the target parameter information not existing in the page element information, determining that the application program has a security risk of abnormally collecting sensitive information.
FIG. 10B schematically shows a swim-lane diagram of the distribution of the individual modules of the security detection device according to an embodiment of the present invention.
Referring to fig. 10A, 10B, and 14 in combination, the parameter discovery system may include a first function acquisition module 1010 and a target parameter information acquisition module 1020, the parameter processing system may include a call chain acquisition module 1070, a second function acquisition module 1030, and a page element information acquisition module 1040, and the detection system may include a comparison module 1050 and a determination module 1060.
The first function obtaining module 1010 is configured to obtain a function of assembling a network packet in an application to be detected, i.e. a first function.
The target parameter information obtaining module 1020 obtains the name of the network request function from the first function obtaining module 1010 and instruments that function while the application program is actually running. The instrumentation logic is as follows: each call of the function indicates that a network transmission is initiated; the instrumentation code checks each input parameter of the function according to the sensitive information rules (such as characteristic rules for a personal mobile phone number, an identity card number, a client browsing record and the like), finds the parameters that hit the related sensitive information, records the type of sensitive information (such as personal mobile phone number, identity card number, client browsing record and the like) related to each such parameter, and sends it to the comparison module 1050.
The call chain acquisition module 1070 instruments the class loader of the system when the application to be detected is started, so that all running functions of the application are instrumented and the tracking and call information recording of all functions is realized. The instrumentation logic is as follows: the call relation of each function is acquired and recorded, that is, whenever a function of the application program is called, the call time, call source and other call information of that call are recorded in a call log.
The second function acquisition module 1030 performs call chain analysis when the first function is called, and through the call chain analysis recursively traces back to the function at the UI layer (i.e., the second function).
The page element information acquisition module 1040 can locate the front-end page from which the request originated; for example, it can locate a button event in an Activity of the application, together with the Activity name (i.e., actyName) of that Activity in the front-end page. With the obtained front-end page and Activity name, all window objects (i.e., view objects) can be obtained by instrumentation, for example by instrumentation code that reflectively calls getalchildbview, and the element information on the front-end page is then obtained, including element information of EditText, TextView and the like.
The detection system may be used for the following: when an input parameter of the first function relates to sensitive information, the sensitive information related to the input parameter is compared with the page elements into which the user inputs data on the front-end page. For example, if the sensitive information related to the input parameter exists synchronously with the page elements input by the user on the front-end page, the collection of the sensitive information is considered to be a functional requirement of the application program and normal behavior agreed to by the user; if the sensitive information related to the input parameter and the page elements input by the user on the front-end page are not synchronous, the application program is considered to be abnormally collecting or acquiring sensitive information, the input parameter and the UI page information can be recorded, and the related problem is reported.
According to the security detection method and the security detection device provided by the embodiment of the invention, through instrumentation and call chain analysis, the false alarm rate can be effectively reduced while the operability of the detection method is improved, so that effective detection of the security risk of the application program is realized.
It should be noted that, the security detection method and the security detection device provided by the embodiments of the present invention further have at least one of the following effects and advantages:
(1) The security detection method and the security detection device provided by the embodiment of the invention are based on black-box dynamic analysis, do not need the source code, and have higher operability. At present, detection of abnormal behaviors is not mandatory; in third-party cooperation, the partner may not cooperate in providing the relevant APP source code and generally provides only the compiled and hardened APP installation package, so the security detection method and the security detection device provided by the embodiment of the invention have stronger operability than white-box code auditing.
(2) The security detection method and the security detection device provided by the embodiment of the invention can effectively counter the sandbox evasion currently practised by the black-market industry: they run in a real-device environment, detection can be carried out at the same time as APP functional testing, and clicks are triggered by a real person. Moreover, because instrumentation is performed at the bottom layer, all application-layer and network-layer encryption of the APP is bypassed, so the behavior of an APP abnormally uploading users' personal information can be effectively detected.
(3) The security detection method and the security detection device provided by the embodiment of the invention can effectively reduce the false alarm rate of traditional detection. For each discovered transmission of sensitive information, the front-end page that sent the request is traced, and whether the front end clearly has a service requirement is judged according to the relevant rules; compared with judging the client's permission requests through white-box code audit, false alarms are reduced.
Fig. 16 schematically shows a block diagram of an electronic device adapted to implement a security detection method according to an embodiment of the invention.
As shown in fig. 16, an electronic device 1600 according to an embodiment of the present invention includes a processor 1601 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 1602 or a program loaded from a storage section 1608 into a Random Access Memory (RAM) 1603. The processor 1601 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. The processor 1601 may also include on-board memory for caching purposes. The processor 1601 may include a single processing unit or multiple processing units for performing the different actions of the method flow according to an embodiment of the invention.
In the RAM 1603, various programs and data necessary for the operation of the electronic device 1600 are stored. The processor 1601, ROM 1602, and RAM 1603 are connected to each other by a bus 1604. The processor 1601 performs various operations of the method flow according to an embodiment of the present invention by executing programs in the ROM 1602 and/or the RAM 1603. Note that the program can also be stored in one or more memories other than the ROM 1602 and the RAM 1603. The processor 1601 may also perform various operations of a method flow according to an embodiment of the present invention by executing programs stored in the one or more memories.
According to an embodiment of the invention, electronic device 1600 may also include an input/output (I/O) interface 1605, with input/output (I/O) interface 1605 also connected to bus 1604. The electronic device 1600 may also include one or more of the following components connected to the I/O interface 1605: an input portion 1606 including a keyboard, a mouse, and the like; an output portion 1607 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker, and the like; a storage section 1608 including a hard disk or the like; and a communication section 1609 including a network interface card such as a LAN card, a modem, or the like. The communication section 1609 performs communication processing via a network such as the internet. The drive 1610 is also connected to the I/O interface 1605 as needed. A removable medium 1611 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed as needed on the drive 1610 so that a computer program read out therefrom is installed into the storage section 1608 as needed.
The present invention also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present invention.
According to embodiments of the present invention, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the invention, the computer-readable storage medium may include ROM 1602 and/or RAM 1603 described above and/or one or more memories other than ROM 1602 and RAM 1603.
Embodiments of the present invention also include a computer program product comprising a computer program containing program code for performing the method shown in the flowcharts. The program code is used to cause a computer system to carry out the methods provided by embodiments of the present invention when the computer program product is run on the computer system.
The above-described functions defined in the system/apparatus of the embodiment of the present invention are performed when the computer program is executed by the processor 1601. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the invention.
In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program can also be transmitted and distributed over a network medium in the form of signals, downloaded and installed via the communication portion 1609, and/or installed from the removable medium 1611. The computer program may include program code that may be transmitted using any appropriate network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such embodiments, the computer program may be downloaded and installed from a network via the communication portion 1609, and/or installed from the removable media 1611. The above-described functions defined in the system of the embodiment of the present invention are performed when the computer program is executed by the processor 1601. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the invention.
According to embodiments of the present invention, program code for carrying out computer programs provided by embodiments of the present invention may be written in any combination of one or more programming languages, and in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or in assembly/machine languages. Programming languages include, but are not limited to, Java, C++, Python, "C" or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The embodiments of the present invention are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present invention. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the invention, and such alternatives and modifications are intended to fall within the scope of the invention.

Claims (9)

1. A security detection method for an application program, the method comprising:
acquiring a first function for assembling a network message in an application program to be detected;
instrumenting the first function, so as to obtain target parameter information obtained by the first function when the first function is called;
traversing the call chain of the first function to obtain a second function located at the user interface layer;
instrumenting the second function, so as to obtain page element information on the front-end page of the application program corresponding to the second function;
comparing the target parameter information with the page element information; and
in response to the target parameter information not corresponding to the page element information, determining that the application program has a security risk,
wherein instrumenting the first function, so as to obtain the target parameter information obtained by the first function when the first function is called, specifically comprises:
when the first function is called, checking each input parameter of the first function through instrumentation code according to a sensitive information rule; and
in response to at least one input parameter of the first function relating to sensitive information, determining relevant information of the at least one input parameter relating to the sensitive information as the target parameter information.
2. The method of claim 1, wherein the obtaining a first function for assembling a network message in the application to be detected comprises:
determining a development framework of the application program in response to retrieving features corresponding to a preset application program development framework;
according to the determined development framework, determining the name of a first function for assembling the network message under the development framework; and
acquiring the first function for assembling the network message according to the name of the first function for assembling the network message under the development framework.
3. The method of claim 1, wherein the obtaining a first function for assembling a network message in the application to be detected comprises:
tracking and searching, in the memory, data input by the user at the front end; and
in response to the data being used as a parameter of a preset function for assembling a packet, determining the preset function as the first function for assembling the network message.
4. The method of claim 1, wherein prior to said traversing the call chain of the first function, the method further comprises:
instrumenting all running functions of the application program by instrumenting the class loader of the system;
acquiring and recording call information of all the instrumented running functions so as to form a call log, wherein the call log comprises call time and call sources when all the running functions are called; and
acquiring a call chain related to the first function according to the call log.
5. The method according to any one of claims 1-4, wherein the obtaining, by instrumentation of the second function, page element information on a front-end page of the application program corresponding to the second function specifically includes:
acquiring a front-end page running the second function and an activity name in the front-end page;
obtaining all window objects corresponding to the activity name through the instrumentation code; and
acquiring page element information on the front-end page of the application program corresponding to the second function according to the window objects.
6. The method of claim 1, wherein the target parameter information comprises a type of sensitive information;
the determining that the application program has a security risk in response to the target parameter information not corresponding to the page element information specifically includes:
in response to the type of the sensitive information related to the target parameter information not existing in the page element information, determining that the application program has a security risk of abnormally collecting sensitive information.
7. A security detection device for an application program, the device comprising:
a first function acquisition module, configured to acquire a first function for assembling a network message in the application program to be detected;
a target parameter information acquisition module, configured to obtain, by instrumenting the first function, target parameter information obtained by the first function when the first function is called;
a second function acquisition module, configured to traverse the call chain of the first function so as to obtain a second function located at the user interface layer;
a page element information acquisition module, configured to obtain, by instrumenting the second function, page element information on a front-end page of the application program corresponding to the second function;
a comparison module, configured to compare the target parameter information with the page element information; and
a judging module, configured to judge that the security risk exists in the application program in response to the target parameter information not corresponding to the page element information,
wherein instrumenting the first function, so as to obtain the target parameter information obtained by the first function when the first function is called, specifically comprises:
when the first function is called, checking each input parameter of the first function through instrumentation code according to a sensitive information rule; and
in response to at least one input parameter of the first function relating to sensitive information, determining relevant information of the at least one input parameter relating to the sensitive information as the target parameter information.
8. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-6.
9. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method according to any of claims 1-6.
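
The comparison logic of claims 1, 4 and 6, modeled offline as an added example (not code from the patent or its applicant). The rules, keywords, function names, call log and page contents are constructed assumptions; in a real deployment the parameters and page elements would come from the instrumentation hooks the claims describe.

```python
import re

# Constructed sensitive-information rules (assumption: the patent does not list its rules).
SENSITIVE_RULES = {
    "phone": re.compile(r"^1[3-9]\d{9}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "bank_card": re.compile(r"^\d{16,19}$"),
}
# Constructed keywords that tie a visible page element to a sensitive type.
ELEMENT_KEYWORDS = {"phone": ("phone", "mobile"), "email": ("email",),
                    "bank_card": ("card",)}

def target_parameter_info(params):
    """Claim 1: check each input parameter against the sensitive-information rules."""
    hits = {}
    for name, value in params.items():
        for kind, rule in SENSITIVE_RULES.items():
            if isinstance(value, str) and rule.match(value):
                hits[name] = kind
    return hits

def find_ui_function(call_log, first_fn, ui_prefix="ui."):
    """Claims 1 and 4: follow call sources in the call log up to the UI layer."""
    callers = {callee: caller for _time, callee, caller in call_log}
    seen, fn = set(), first_fn
    while fn in callers and fn not in seen:  # 'seen' guards against recursion loops
        seen.add(fn)
        fn = callers[fn]
        if fn.startswith(ui_prefix):
            return fn
    return None

def page_element_types(elements):
    """Map visible page element labels to the sensitive types they ask for."""
    found = set()
    for label in elements:
        for kind, words in ELEMENT_KEYWORDS.items():
            if any(w in label.lower() for w in words):
                found.add(kind)
    return found

def detect(params, call_log, first_fn, pages):
    """Claim 6: report sensitive types sent on the network but absent from the page."""
    ui_fn = find_ui_function(call_log, first_fn)
    shown = page_element_types(pages.get(ui_fn, []))
    sent = target_parameter_info(params)
    return ui_fn, sorted({k for k in sent.values() if k not in shown})

# Constructed call log: (call time, called function, call source).
CALL_LOG = [(1, "net.HttpClient.buildRequest", "biz.LoginService.submit"),
            (0, "biz.LoginService.submit", "ui.LoginActivity.onClick")]
PAGES = {"ui.LoginActivity.onClick": ["Email address", "Password"]}
PARAMS = {"user": "a@example.com", "contact": "13800138000", "pwd": "hunter2"}
```

With the constructed data, the login page asks only for an email address and a password, while the assembled message also carries a phone number, so `detect` reports `phone` as abnormally collected.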
CN202310705480.0A 2023-06-15 2023-06-15 Security detection method and device for application program, electronic equipment and medium Active CN116450533B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310705480.0A CN116450533B (en) 2023-06-15 2023-06-15 Security detection method and device for application program, electronic equipment and medium

Publications (2)

Publication Number Publication Date
CN116450533A CN116450533A (en) 2023-07-18
CN116450533B true CN116450533B (en) 2023-09-19

Family

ID=87124071

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310705480.0A Active CN116450533B (en) 2023-06-15 2023-06-15 Security detection method and device for application program, electronic equipment and medium

Country Status (1)

Country Link
CN (1) CN116450533B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105335655A (en) * 2015-09-22 2016-02-17 南京大学 Android application safety analysis method based on sensitive behavior identification
US20160055336A1 (en) * 2013-03-28 2016-02-25 Mwstory Co., Ltd. System for preventing malicious intrusion based on smart device and method thereof
CN105760777A (en) * 2016-02-16 2016-07-13 上海斐讯数据通信技术有限公司 Safety information management method and system based on intelligent platform

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"基于性能分析的自适应插桩框架";王子鹏 等;《计算机测量与控制》;第26卷(第9期);全文 *
桑楠 等.《嵌入式系统原理及应用开发技术 第2版》.北京:高等教育出版社,2008,第347-351页. *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant