CN117112340A - Application operation detection method and device, electronic equipment and storage medium - Google Patents

Publication number
CN117112340A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211415287.5A
Other languages
Chinese (zh)
Inventor
陈新锴
王娅丽
周万富
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
TCL Mobile Communication Technology Ningbo Ltd
Original Assignee
TCL Mobile Communication Technology Ningbo Ltd
Application filed by TCL Mobile Communication Technology Ningbo Ltd
Priority to CN202211415287.5A
Publication of CN117112340A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/302 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
    • G06F11/3065 Monitoring arrangements determined by the means or processing involved in reporting the monitored data
    • G06F11/34 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3466 Performance evaluation by tracing or monitoring
    • G06F11/3476 Data logging
    • G06F3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/01 Input arrangements or combined input and output arrangements for interaction between user and computer
    • G06F3/048 Interaction techniques based on graphical user interfaces [GUI]
    • G06F3/0484 Interaction techniques based on graphical user interfaces [GUI] for the control of specific functions or operations, e.g. selecting or manipulating an object, an image or a displayed text element, setting a parameter value or selecting a range
    • G06F3/04842 Selection of displayed objects or displayed text elements

Abstract

The embodiment of the invention discloses an application program operation detection method, an application program operation detection device, electronic equipment and a storage medium; in the embodiment of the invention, the target application process information of the target detection application can be acquired, the target detection application is determined from a plurality of application programs installed in the electronic equipment based on application selection operation, a file operation callback function is registered to a kernel static tracking point related to file input and output, the file operation callback function is called in response to file operation, the operation process information corresponding to the file operation is acquired, the operation process information is compared with the target application process information, and the operation detection result of the target detection application is determined based on the comparison result; the embodiment of the invention can improve the accuracy of operation detection of the application program under the condition that the normal operation of the application program and the performance of the operating system equipment are not affected.

Description

Application operation detection method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of security technologies, and in particular, to an application operation detection method, an apparatus, an electronic device, and a storage medium.
Background
With the rapid development of internet technology, users often install various applications in their electronic devices to meet their daily use demands. However, there are some applications that perform operations that pose a risk to the privacy of the user and the security of the electronic device.
Currently, the main method for detecting risky operations of an application program is to extract the application's code and analyze whether it contains code related to risky operations. However, this approach requires the code of the application program to be analyzed accurately, as well as sufficient knowledge of the code associated with risky operations. This detection method may therefore not be accurate enough.
Disclosure of Invention
The embodiment of the invention provides an application operation detection method, an application operation detection device, electronic equipment and a storage medium, which can improve the accuracy of operation detection of an application under the condition that the normal operation of the application and the performance of operating system equipment are not affected.
The embodiment of the invention provides an application program operation detection method, which comprises the following steps:
acquiring target application process information of a target detection application, wherein the target detection application is determined from a plurality of application programs installed in the electronic equipment based on application selection operation;
Registering a file operation callback function with a kernel static tracking point related to file input and output;
responding to file operation, and calling the file operation callback function to obtain operation process information corresponding to the file operation;
comparing the operation process information with the target application process information, and determining an operation detection result of the target detection application based on a comparison result.
Correspondingly, an embodiment of the present invention provides an application operation detection apparatus, including:
a target information acquisition unit, configured to acquire target application process information of a target detection application, wherein the target detection application is determined from a plurality of application programs installed in the electronic equipment based on an application selection operation;
the callback function registration unit is used for registering a file operation callback function with a kernel static tracking point related to file input and output;
the operation information acquisition unit is used for responding to file operation and calling the file operation callback function to obtain operation process information corresponding to the file operation;
and the detection result determining unit is used for comparing the operation process information with the target application process information and determining an operation detection result of the target detection application based on a comparison result.
In some optional embodiments, the application operation detection apparatus provided in the embodiments of the present invention further includes an application selection unit, configured to obtain application process information of at least one candidate application currently in a running state;
displaying an application selection page based on the application process information, wherein the application selection page comprises at least one application selection control, and one application selection control corresponds to one candidate application program;
and responding to application selection operation aiming at least one application selection control, and taking the candidate application program corresponding to the application selection control as a target detection application.
In some optional embodiments, the application selection unit is configured to determine, based on each piece of application process information, application program prompt information corresponding to each piece of application process information;
and generating and displaying an application selection page according to the application prompt information, wherein the application selection page comprises the application prompt information.
In some optional embodiments, the detection result determining unit is configured to compare the operation process information with the target application process information, record an operation parameter of the file operation if the operation process information is the same as the target application process information, and determine that an operation detection result of the target detection application is a risk operation;
The application program operation detection device provided by the embodiment of the invention further comprises a prompt page display unit, wherein the prompt page display unit is used for displaying a risk operation prompt page based on the operation parameters, and the risk operation prompt page comprises application identification information of the target detection application.
In some optional embodiments, the application operation detection apparatus provided by the embodiment of the present invention further includes an application management unit, configured to manage the target detection application in response to an application management operation for the application management control.
In some optional embodiments, the application program operation detection device provided by the embodiment of the present invention further includes an operation management unit, configured to determine, if an operation detection result of the target detection application is that there is a risk operation, a risk degree of the file operation based on operation authority information preset for the target detection application;
and managing the file operation according to the risk degree.
In some optional embodiments, the application operation detection apparatus provided by the embodiments of the present invention further includes an installation prompting unit, configured to generate, based on the operation parameter, application prompting information of the target detection application;
And sending the application prompt information to a server so that the server stores the application prompt information corresponding to the target detection application, and sending the application prompt information to electronic equipment corresponding to the installation request for display when the installation request for the target detection application is received.
Correspondingly, the embodiment of the invention also provides electronic equipment, which comprises a memory and a processor; the memory stores an application program, and the processor is configured to run the application program in the memory, so as to execute any step in the application program operation detection method provided by the embodiment of the invention.
Correspondingly, the embodiment of the invention also provides a computer readable storage medium, which stores a plurality of instructions, wherein the instructions are suitable for being loaded by a processor to execute the steps in any application program operation detection method provided by the embodiment of the invention.
In addition, the embodiment of the invention also provides a computer program product, which comprises a computer program or instructions, wherein the computer program or instructions realize the steps in any application program operation detection method provided by the embodiment of the invention when being executed by a processor.
By adopting the scheme of the embodiment of the invention, the target application process information of the target detection application can be acquired, the target detection application is determined from a plurality of application programs installed in the electronic equipment based on application selection operation, a file operation callback function is registered to a kernel static tracking point related to file input and output, the file operation callback function is called in response to file operation, operation process information corresponding to the file operation is acquired, the operation process information is compared with the target application process information, and an operation detection result of the target detection application is determined based on a comparison result; in the embodiment of the invention, the operation process information corresponding to the file operation can be acquired through the callback function when the file operation occurs to the target detection application, so that whether the operation of the target detection application is a risk operation or not can be determined, and the accuracy of the operation detection of the application can be improved under the condition that the normal operation of the application program and the performance of the operating system equipment are not influenced.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic view of a scenario of an application operation detection method according to an embodiment of the present invention;
FIG. 2 is a flowchart of an application operation detection method according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of an application operation detection device according to an embodiment of the present invention;
FIG. 4 is another schematic diagram of an application operation detection apparatus according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to fall within the scope of the invention.
The embodiment of the invention provides an application program operation detection method, an application program operation detection device, electronic equipment and a computer readable storage medium. Specifically, the embodiment of the invention provides an application operation detection method suitable for an application operation detection device, and the application operation detection device can be integrated in electronic equipment.
The electronic device may be a terminal or the like, including but not limited to a mobile terminal and a fixed terminal, for example, a mobile terminal including but not limited to a smart phone, a smart watch, a tablet computer, a notebook computer, a smart car, etc., wherein the fixed terminal includes but not limited to a desktop computer, a smart television, etc.
The electronic device may be a server, which may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server that provides cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDN (Content Delivery Network ), and basic cloud computing services such as big data and artificial intelligence platform, but is not limited thereto.
The application program operation detection method of the embodiment of the invention can be realized by a server or a terminal and the server together.
The method for detecting the operation of the application program is implemented by the terminal and the server together, and will be described below.
As shown in fig. 1, an application operation detection system provided by an embodiment of the present invention includes a terminal 10, a server 20, and the like; the terminal 10 and the server 20 are connected through a network, for example, a wired or wireless network connection, wherein the terminal 10 may be the terminal of a user on which the target detection application is installed.
The terminal 10 may be configured to obtain target application process information of a target detection application, where the target detection application is determined from a plurality of application programs installed in the electronic device based on an application selection operation, registers a file operation callback function with a kernel static tracking point related to file input and output, and calls the file operation callback function in response to the file operation, so as to obtain operation process information corresponding to the file operation.
The terminal 10 may send the operation process information to the server 20, and the server 20 may be configured to compare the operation process information with the target application process information, and determine an operation detection result of the target detection application based on the comparison result.
It will be appreciated that in some embodiments, the steps performed by the server 20 to compare the operation process information with the target application process information may also be performed by the terminal 10, which is not limited by the embodiment of the present invention.
The following will describe in detail. The following description of the embodiments is not intended to limit the preferred embodiments.
The embodiments of the present invention will be described in terms of an application operation detection apparatus, which may be integrated in a server or a terminal in particular.
As shown in fig. 2, the specific flow of the application operation detection method of the present embodiment may be as follows:
201. Acquiring target application process information of a target detection application, wherein the target detection application is determined from a plurality of application programs installed in the electronic equipment based on an application selection operation.
Specifically, the target detection application may be an application program installed in the user's electronic device. The target detection application may be an instant messaging application, a game application, or the like, and the embodiment of the present invention does not limit the type of the target detection application.
The target application process information may be identification information of a process of the target detection application. For example, the target application process information may include, but is not limited to, a process name of the target detection application, a process ID of the process of the target detection application, and the like.
In some alternative embodiments, the target detection application may be all applications running in the electronic device.
In other alternative embodiments, the user may select several applications from among the applications in the electronic device as the target detection application. That is, before the step of "acquiring the application process information of the target detection application", the method for detecting the operation of the application program provided in the embodiment of the present invention may further include:
Acquiring application process information of at least one candidate application program in a running state at present;
displaying an application selection page based on the application process information, wherein the application selection page comprises at least one application selection control, and one application selection control corresponds to one candidate application program;
and responding to application selection operation aiming at least one application selection control, and taking the candidate application program corresponding to the application selection control as a target detection application.
For example, the user may start an application operation detection program (which may, for example, be named io_monitor_prog). io_monitor_prog obtains the application process information (mainly the process ID and process name) of all application programs currently running in the system by reading the system directory /proc/, and generates a list that is displayed on a user interface; that is, the application selection page is displayed.
The user may designate a process to be monitored (e.g., process_2) through the application selection page, and the candidate application corresponding to the selected process is taken as the target detection application.
In some examples, to facilitate a user's determination of which processes or applications to select specifically for detection, application process information may be converted into a form more familiar to the user, e.g., converting process names into application names, etc. That is, the step of displaying an application selection page based on each of the application process information may specifically include:
Determining application program prompt information corresponding to each piece of application process information based on each piece of application process information;
and generating and displaying an application selection page according to the application prompt information, wherein the application selection page comprises the application prompt information.
The application program prompt information can be a desktop icon, a Chinese character name and the like of the application program.
202. Registering a file operation callback function with a kernel static tracking point related to file input and output.
The kernel static tracking point may be a tracepoint. A tracepoint is a stub inserted in advance at an insertion point in a function. When execution reaches the insertion point, the stub runs and triggers the probe function or functions bound to that insertion point in advance. There may be one or more probe functions, and a probe function may be defined to perform any behavior, which makes it possible to observe the interior of the function.
In particular, the file operation callback function may be a callback function that responds to file operations. A callback function is a function called by a function pointer. If a pointer (address) of a function is passed as a parameter to another function, this is said to be a callback function when this pointer is used to call the function to which it points. The callback function is not directly called by the implementer of the function, but is called by another party when a specific event or condition occurs, for responding to the event or condition.
For example, io_monitor_prog may register callback functions with the file IO tracepoints in the kernel through the Linux eBPF framework.
eBPF (extended Berkeley Packet Filter) is a framework for Linux kernel event processing.
203. In response to a file operation, calling the file operation callback function to obtain the operation process information corresponding to the file operation.
Specifically, the file operation may be operations of reading, modifying, deleting, creating, etc. a file in the electronic device. For example, the file operation may be an operation of creating a shortcut in the electronic device.
The operation Process information may include, but is not limited to, information such as a specific file operation type, a Process ID of a corresponding Process, and the like.
For example, when a file open or read-write operation occurs in the system, the kernel triggers the callback function of the corresponding tracepoint and notifies io_monitor_prog of information such as the type of the file operation event and the process ID of the corresponding process.
There are a large number of applications on the market, and some of this software poses system security risks, including reading and writing files related to user privacy (such as photos, video files, documents, etc.) and maliciously reading or even modifying system files without authorization.
Current security detection methods for application software comprise static detection and dynamic detection. Static detection uses a reverse engineering (decompilation) tool to extract static characteristics of an application program, such as characteristic assembly code and signatures, and analyzes them to evaluate software security. In dynamic analysis techniques, applications are deployed on virtual machines or on modified devices so that their runtime behavior can be simulated and monitored.
However, both static detection methods and dynamic detection methods have some drawbacks in detecting the security risk behavior of software:
the static detection method does not run the software directly, and its detection accuracy is limited by the accuracy of the semantic analysis of decompiled code and by the number of malicious software samples; the dynamic method needs a virtual machine environment, the virtual machine consumes considerable system resources, and many virtual machines run on a PC (personal computer) rather than on a mobile phone running the Android system, so universality is poor.
The embodiment of the invention does not modify the codes of the application program file and the operating system of the electronic equipment, does not carry out static analysis on the program file corresponding to the monitored application program, does not create a virtual running environment, and directly runs the application program on the operating system of the electronic equipment.
204. Comparing the operation process information with the target application process information, and determining an operation detection result of the target detection application based on a comparison result.
For example, io_monitor_prog may compare the process ID reported by the tracepoint notification with the process ID of the monitored process; if they are the same, the file operation was triggered by the monitored application process.
In some optional embodiments, the step of comparing the operation process information with the target application process information, and determining the operation detection result of the target detection application based on the comparison result may specifically include:
comparing the operation process information with the target application process information, and, if the operation process information is the same as the target application process information, recording operation parameters of the file operation and determining that the operation detection result of the target detection application is a risk operation.
The operation parameters of the file operation may include, but are not limited to, a time stamp of the file operation and related parameters of the file operation.
Correspondingly, the method for detecting the operation of the application program provided by the embodiment of the invention can further comprise the following steps:
And displaying a risk operation prompt page based on the operation parameters, wherein the risk operation prompt page comprises application identification information of the target detection application.
For example, the risk operation prompt page may prompt the target detection application that a risk operation is in progress, or which risk operation or operations the target detection application performed, and so on.
In some examples, the risk operation prompt page may include an application management control, and the application operation detection method provided by the embodiment of the present invention may further include:
and managing the target detection application in response to an application management operation for the application management control.
The application management control may be a control that may be triggered by a user to manage the target detection application.
In particular, the application management operation may be to allow the target detection application to continue to run, or may be to interrupt the running of the target detection application, or the like. For example, if the application management operation is to interrupt the execution of the target detection application, the process of the target detection application may be ended.
Alternatively, the application management operation may also be to uninstall the target detection application, or to restrict certain rights of the target detection application, and so on.
In the actual application process, the file operation can be automatically processed according to the risk degree of the file operation of the target detection application, that is, the application program operation detection method provided by the embodiment of the invention can further comprise the following steps:
if the operation detection result of the target detection application is that risk operation exists, determining the risk degree of the file operation based on operation authority information preset for the target detection application;
and managing the file operation according to the risk degree.
The operation authority information may be information, set by the user or a technician for the target detection application, about the operations it is permitted to perform in the device. For example, the operation authority information may be information on operations that the target detection application may or may not perform, such as allowing reading of an image file in the device, not allowing acquisition of location information of the device, and the like.
For example, suppose the target detection application is set in advance to be allowed to read files but not to delete them. If its file operation is reading a file, the risk degree of the file operation may be considered low, and managing the file operation may mean allowing it to execute; if its file operation is deleting a file, the risk degree may be considered high, and managing the file operation may mean terminating it.
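The flow of steps 201 to 204 and the permission-based risk grading described above, as an added example in C that is not code from the patent. A function-pointer registry stands in for the kernel tracepoint, and the event layout, the names (`on_file_op`, `tp_register`, `tp_fire`), the constructed sample events, and matching on process name as well as process ID (which goes slightly beyond the ID-only comparison in the text) are assumptions made for illustration.

```c
/* Added example, not code from the patent: user-space model of steps 201-204. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define COMM_LEN 16                          /* Linux TASK_COMM_LEN */
#define LOG_CAP  32

enum file_op { OP_OPEN = 1, OP_READ = 2, OP_WRITE = 4, OP_DELETE = 8 };
enum verdict { V_NOT_TARGET, V_ALLOW, V_TERMINATE };

/* Step 201: identity of the selected application and its preset permissions. */
struct target { pid_t pid; char name[COMM_LEN]; unsigned allowed_ops; };

/* Step 203: operation process information handed to the callback.
 * Hypothetical layout; in an eBPF program pid would be the upper 32 bits of
 * bpf_get_current_pid_tgid() and comm would come from bpf_get_current_comm(). */
struct file_event {
    uint64_t     ts_ns;
    pid_t        pid;
    char         comm[COMM_LEN];
    enum file_op op;
    const char  *path;
};

/* Operation parameters recorded for the risk operation prompt page. */
struct record { uint64_t ts_ns; enum file_op op; enum verdict v; char path[128]; };

struct monitor {
    struct target tgt;
    struct record log[LOG_CAP];
    int n_log;                               /* records stored */
    int dropped;                             /* records lost because the log was full */
};

typedef enum verdict (*file_op_cb)(struct monitor *, const struct file_event *);

/* Stand-in for the kernel static tracepoint: it only stores the callback. */
struct tracepoint { file_op_cb cb; struct monitor *ctx; };

void monitor_init(struct monitor *m, pid_t pid, const char *name, unsigned allowed)
{
    memset(m, 0, sizeof *m);
    m->tgt.pid = pid;
    m->tgt.allowed_ops = allowed;
    snprintf(m->tgt.name, sizeof m->tgt.name, "%s", name);
}

/* Step 202: register the file operation callback. */
void tp_register(struct tracepoint *tp, file_op_cb cb, struct monitor *ctx)
{
    tp->cb = cb;
    tp->ctx = ctx;
}

/* Step 203: a file operation hits the tracepoint, which calls the callback. */
enum verdict tp_fire(const struct tracepoint *tp, const struct file_event *ev)
{
    return tp->cb ? tp->cb(tp->ctx, ev) : V_NOT_TARGET;
}

/* Step 204: compare, record, and grade the operation. */
enum verdict on_file_op(struct monitor *m, const struct file_event *ev)
{
    /* Match PID and name: a recycled PID under another name is not the target. */
    if (ev->pid != m->tgt.pid || strncmp(ev->comm, m->tgt.name, COMM_LEN) != 0)
        return V_NOT_TARGET;

    /* Permitted operation: low risk, allow. Anything else: high risk. */
    enum verdict v = (ev->op & m->tgt.allowed_ops) ? V_ALLOW : V_TERMINATE;

    if (m->n_log == LOG_CAP) {
        m->dropped++;                        /* keep the verdict, count the loss */
        return v;
    }
    struct record *r = &m->log[m->n_log++];
    r->ts_ns = ev->ts_ns;
    r->op = ev->op;
    r->v = v;
    snprintf(r->path, sizeof r->path, "%s", ev->path);
    return v;
}

/* Constructed sample events (not captured from a real device). */
static const struct file_event sample_events[] = {
    { 1000, 202, "process_2", OP_READ,   "/sdcard/DCIM/img001.jpg" },
    { 2000, 101, "process_1", OP_DELETE, "/sdcard/DCIM/img001.jpg" },
    { 3000, 202, "process_2", OP_DELETE, "/sdcard/Documents/notes.doc" },
    { 4000, 202, "other_app", OP_WRITE,  "/data/local/tmp/x" },   /* reused PID */
};

int main(void)
{
    struct monitor m;
    struct tracepoint tp = { 0 };
    monitor_init(&m, 202, "process_2", OP_OPEN | OP_READ);  /* read allowed, delete not */
    tp_register(&tp, on_file_op, &m);
    for (size_t i = 0; i < sizeof sample_events / sizeof sample_events[0]; i++)
        printf("event %zu -> verdict %d\n", i, tp_fire(&tp, &sample_events[i]));
    printf("recorded=%d dropped=%d\n", m.n_log, m.dropped);
    return 0;
}
```

Only events attributed to the selected process reach the log, so the record array holds exactly the operation parameters the risk operation prompt page would display.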
In some optional embodiments, in order to facilitate other users to notice risks caused by operations performed by the target detection application and improve security of the device, the application operation detection method provided by the embodiment of the present invention may further include:
generating application prompt information of the target detection application based on the operation parameters;
and sending the application prompt information to a server so that the server stores the application prompt information corresponding to the target detection application, and sending the application prompt information to electronic equipment corresponding to the installation request for display when the installation request for the target detection application is received.
For example, if an electronic device sends an installation request for the target detection application to the server, the server may send the application prompt information of the target detection application to that electronic device, so that its user can choose whether to continue installing the target detection application.
Specifically, the application prompt information may include, but is not limited to, the file operations that the target detection application may perform, the risk degree of those file operations, and so forth.
As can be seen from the foregoing, in the embodiment of the present invention, target application process information of a target detection application may be obtained, where the target detection application is determined, based on an application selection operation, from a plurality of application programs installed in the electronic device; a file operation callback function is registered with a kernel static tracking point (tracepoint) related to file input and output; in response to a file operation, the file operation callback function is called to obtain operation process information corresponding to the file operation; and the operation process information is compared with the target application process information, and an operation detection result of the target detection application is determined based on the comparison result. In the embodiment of the invention, when the target detection application performs a file operation, the operation process information corresponding to that file operation can be acquired through the callback function, so that it can be determined whether the operation of the target detection application is a risk operation, and the accuracy of application operation detection can be improved without affecting the normal running of the application program or the performance of the operating system device.
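The detection flow summarized above, together with the risk-degree handling described earlier (files may be read but not deleted), sketched in user space as an added example; it is not code from the patent. The `Tracepoint` class stands in for a kernel static tracking point, and the process names, paths, the (pid, name) comparison and the treatment of unlisted operations as high risk are assumptions of this example.

```python
from dataclasses import dataclass
from enum import Enum


class Risk(Enum):
    LOW = "low"
    HIGH = "high"


@dataclass(frozen=True)
class ProcessInfo:
    """Process information; modelled here as pid plus process name (assumption)."""
    pid: int
    name: str


@dataclass(frozen=True)
class FileOpEvent:
    """What the callback is handed when a file I/O tracking point fires."""
    proc: ProcessInfo   # operation process information
    operation: str      # "read", "delete", ...
    path: str           # operation parameter recorded for the prompt page


@dataclass(frozen=True)
class Finding:
    event: FileOpEvent
    risk: Risk
    action: str         # "allow" or "terminate"


class Tracepoint:
    """User-space stand-in for a kernel static tracking point."""

    def __init__(self, name):
        self.name = name
        self._callbacks = []

    def register(self, callback):
        self._callbacks.append(callback)

    def fire(self, event):
        for callback in self._callbacks:
            callback(event)


class OperationDetector:
    def __init__(self, target, allowed_ops):
        self.target = target                       # target application process info
        self.allowed_ops = frozenset(allowed_ops)  # preset operation authority info
        self.findings = []

    def attach(self, tracepoints):
        # Register the same file operation callback with every file I/O point.
        for tp in tracepoints:
            tp.register(self.on_file_operation)

    def on_file_operation(self, event):
        # Compare operation process info with the target's. Comparing pid and
        # name together avoids matching an unrelated process that reuses the pid.
        if event.proc != self.target:
            return None
        # Same process: record the operation and grade it against the policy.
        # Operations the policy does not list are treated as high risk.
        if event.operation in self.allowed_ops:
            risk, action = Risk.LOW, "allow"
        else:
            risk, action = Risk.HIGH, "terminate"
        finding = Finding(event, risk, action)
        self.findings.append(finding)
        return finding


def run_demo():
    """Feed constructed events through the detector and return its findings."""
    target = ProcessInfo(4321, "com.example.target")
    points = {op: Tracepoint("file_" + op) for op in ("read", "delete", "rename")}
    detector = OperationDetector(target, allowed_ops={"read"})
    detector.attach(points.values())

    photo = "/sdcard/DCIM/a.jpg"
    events = [  # constructed sample events, not captured from a device
        FileOpEvent(ProcessInfo(1200, "com.example.other"), "read", photo),
        FileOpEvent(target, "read", photo),
        FileOpEvent(target, "delete", photo),
        FileOpEvent(ProcessInfo(4321, "com.example.recycled"), "delete", photo),
        FileOpEvent(target, "rename", photo),
    ]
    for ev in events:
        points[ev.operation].fire(ev)
    return detector.findings


if __name__ == "__main__":
    for f in run_demo():
        print(f.event.operation, f.event.path, f.risk.value, f.action)
```
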
In order to better implement the above method, correspondingly, the embodiment of the invention also provides an application operation detection device.
Referring to fig. 3, the apparatus includes:
the target information obtaining unit 301 may be configured to obtain target application process information of a target detection application, where the target detection application is determined from a plurality of application programs installed in the electronic device based on an application selection operation;
a callback function registration unit 302, configured to register a file operation callback function with a kernel static tracking point related to file input and output;
the operation information obtaining unit 303 may be configured to call the file operation callback function in response to a file operation, so as to obtain operation process information corresponding to the file operation;
the detection result determining unit 304 may be configured to compare the operation process information with the target application process information, and determine an operation detection result of the target detection application based on a comparison result.
In some optional embodiments, as shown in fig. 4, the application operation detection apparatus provided in the embodiments of the present invention may further include an application selection unit 305, configured to obtain application process information of at least one candidate application currently in a running state;
displaying an application selection page based on the application process information, wherein the application selection page can comprise at least one application selection control, and one application selection control corresponds to one candidate application program;
and responding to application selection operation aiming at least one application selection control, and taking the candidate application program corresponding to the application selection control as a target detection application.
In some optional embodiments, the application selection unit 305 may be configured to determine, based on each piece of application process information, application program prompt information corresponding to each piece of application process information;
and generating and displaying an application selection page according to the application prompt information, wherein the application prompt information can be included in the application selection page.
In some optional embodiments, the detection result determining unit 304 may be configured to compare the operation process information with the target application process information, record an operation parameter of the file operation if the operation process information is the same as the target application process information, and determine that an operation detection result of the target detection application is a risk operation;
The application operation detection device provided by the embodiment of the invention may further include a prompt page display unit 306, which may be configured to display a risk operation prompt page based on the operation parameter, where the risk operation prompt page may include application identification information of the target detection application.
In some optional embodiments, the application operation detection apparatus provided by the embodiments of the present invention may further include an application management unit 307, configured to manage the target detection application in response to an application management operation for the application management control.
In some optional embodiments, the application operation detection apparatus provided in the embodiments of the present invention may further include an operation management unit 308, configured to determine, if an operation detection result of the target detection application is that there is a risk operation, a risk degree of the file operation based on operation authority information preset for the target detection application;
and managing the file operation according to the risk degree.
In some optional embodiments, the application operation detection apparatus provided by the embodiments of the present invention may further include an installation prompting unit, which may be configured to generate, based on the operation parameter, application prompting information of the target detection application;
and sending the application prompt information to a server so that the server stores the application prompt information corresponding to the target detection application, and sending the application prompt information to electronic equipment corresponding to the installation request for display when the installation request for the target detection application is received.
As can be seen from the above, the application operation detection device may obtain target application process information of a target detection application, where the target detection application is determined, based on an application selection operation, from a plurality of application programs installed in the electronic device; register a file operation callback function with a kernel static tracking point related to file input and output; call the file operation callback function in response to a file operation to obtain operation process information corresponding to the file operation; and compare the operation process information with the target application process information and determine an operation detection result of the target detection application based on the comparison result. In the embodiment of the invention, when the target detection application performs a file operation, the operation process information corresponding to that file operation can be acquired through the callback function, so that it can be determined whether the operation of the target detection application is a risk operation, and the accuracy of application operation detection can be improved without affecting the normal running of the application program or the performance of the operating system device.
In addition, an embodiment of the present invention further provides an electronic device, which may be a terminal or a server. Fig. 5 shows a schematic structural diagram of the electronic device according to the embodiment of the present invention. Specifically:
The electronic device may include Radio Frequency (RF) circuitry 501, memory 502 including one or more computer readable storage media, an input unit 503, a display unit 504, a sensor 505, audio circuitry 506, a wireless fidelity (WiFi, Wireless Fidelity) module 507, a processor 508 including one or more processing cores, and a power supply 509. It will be appreciated by those skilled in the art that the electronic device structure shown in fig. 5 does not limit the electronic device, which may include more or fewer components than shown, may combine certain components, or may use a different arrangement of components.
Wherein:
The RF circuit 501 may be configured to receive and send information, or to receive and send signals during a call; in particular, after downlink information of a base station is received, it is handed to one or more processors 508 for processing; in addition, uplink data is transmitted to the base station. Typically, RF circuitry 501 includes, but is not limited to, an antenna, at least one amplifier, a tuner, one or more oscillators, a subscriber identity module (SIM, Subscriber Identity Module) card, a transceiver, a coupler, a low noise amplifier (LNA, Low Noise Amplifier), a duplexer, and the like. In addition, RF circuitry 501 may also communicate with networks and other devices via wireless communications. The wireless communication may use any communication standard or protocol including, but not limited to, global system for mobile communications (GSM, Global System of Mobile communication), general packet radio service (GPRS, General Packet Radio Service), code division multiple access (CDMA, Code Division Multiple Access), wideband code division multiple access (WCDMA, Wideband Code Division Multiple Access), long term evolution (LTE, Long Term Evolution), email, short message service (SMS, Short Messaging Service), and the like.
The memory 502 may be used to store software programs and modules; the processor 508 performs various functional applications and data processing by executing the software programs and modules stored in the memory 502. The memory 502 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program (such as a sound playing function, an image playing function, etc.) required for at least one function, and the like; the storage data area may store data created according to the use of the electronic device (such as audio data, phonebooks, etc.), and the like. In addition, memory 502 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid-state storage device. Accordingly, the memory 502 may also include a memory controller to provide access to the memory 502 by the processor 508 and the input unit 503.
The input unit 503 may be used to receive input numeric or character information and to generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control. In particular, in one particular embodiment, the input unit 503 may include a touch-sensitive surface, as well as other input devices. The touch-sensitive surface, also referred to as a touch display screen or a touch pad, may collect touch operations thereon or thereabout by a user (e.g., operations thereon or thereabout by a user using any suitable object or accessory such as a finger, stylus, etc.), and actuate the corresponding connection means according to a predetermined program. Alternatively, the touch-sensitive surface may comprise two parts, a touch detection device and a touch controller. The touch detection device detects the touch azimuth of a user, detects a signal brought by touch operation and transmits the signal to the touch controller; the touch controller receives touch information from the touch detection device and converts it into touch point coordinates, which are then sent to the processor 508, and can receive commands from the processor 508 and execute them. In addition, touch sensitive surfaces may be implemented in a variety of types, such as resistive, capacitive, infrared, and surface acoustic waves. The input unit 503 may comprise other input devices besides a touch-sensitive surface. In particular, other input devices may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys, switch keys, etc.), a trackball, mouse, joystick, etc.
The display unit 504 may be used to display information entered by a user or provided to a user as well as various graphical user interfaces of the electronic device, which may be composed of graphics, text, icons, video, and any combination thereof. The display unit 504 may include a display panel, which may optionally be configured in the form of a liquid crystal display (LCD, Liquid Crystal Display), an Organic Light-Emitting Diode (OLED), or the like. Further, the touch-sensitive surface may overlay the display panel; upon detecting a touch operation on or near it, the touch-sensitive surface passes the operation to the processor 508 to determine the type of touch event, and the processor 508 then provides a corresponding visual output on the display panel based on the type of touch event. Although in fig. 5 the touch-sensitive surface and the display panel are implemented as two separate components for input and output functions, in some embodiments the touch-sensitive surface may be integrated with the display panel to implement the input and output functions.
The electronic device may also include at least one sensor 505, such as a light sensor, a motion sensor, and other sensors. In particular, the light sensor may include an ambient light sensor that may adjust the brightness of the display panel according to the brightness of ambient light, and a proximity sensor that may turn off the display panel and/or backlight when the electronic device is moved to the ear. As one of the motion sensors, the gravity acceleration sensor can detect the acceleration in all directions (generally three axes), and can detect the gravity and the direction when the mobile phone is stationary, and can be used for applications of recognizing the gesture of the mobile phone (such as horizontal and vertical screen switching, related games, magnetometer gesture calibration), vibration recognition related functions (such as pedometer and knocking), and the like; other sensors such as gyroscopes, barometers, hygrometers, thermometers, infrared sensors, etc. that may also be configured with the electronic device are not described in detail herein.
Audio circuitry 506, a speaker, and a microphone may provide an audio interface between the user and the electronic device. The audio circuit 506 may convert received audio data into an electrical signal and transmit it to the speaker, where the electrical signal is converted into a sound signal for output; on the other hand, the microphone converts collected sound signals into electrical signals, which are received by the audio circuit 506 and converted into audio data; the audio data is output to the processor 508 for processing and then transmitted, for example, to another electronic device via the RF circuit 501, or output to the memory 502 for further processing. Audio circuitry 506 may also include an earbud jack to provide communication between a peripheral headset and the electronic device.
WiFi is a short-range wireless transmission technology; through the WiFi module 507, the electronic device can help the user send and receive emails, browse webpages, access streaming media and the like, providing wireless broadband Internet access for the user. Although fig. 5 shows the WiFi module 507, it is understood that it is not an essential component of the electronic device and may be omitted as needed without changing the essence of the invention.
The processor 508 is the control center of the electronic device; it uses various interfaces and lines to connect the various parts of the overall handset, and performs the various functions of the electronic device and processes data by running or executing software programs and/or modules stored in the memory 502 and invoking data stored in the memory 502. Optionally, the processor 508 may include one or more processing cores; preferably, the processor 508 may integrate an application processor that primarily handles operating systems, user interfaces, applications, etc., with a modem processor that primarily handles wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 508.
The electronic device also includes a power supply 509 (e.g., a battery) for powering the various components, which may be logically connected to the processor 508 via a power management system so as to perform functions such as managing charge, discharge, and power consumption via the power management system. The power supply 509 may also include one or more of any of a direct current or alternating current power supply, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator, and the like.
Although not shown, the electronic device may further include a camera, a bluetooth module, etc., which will not be described herein. In particular, in this embodiment, the processor 508 in the electronic device loads executable files corresponding to the processes of one or more application programs into the memory 502 according to the following instructions, and the processor 508 executes the application programs stored in the memory 502, so as to implement various functions as follows:
acquiring target application process information of a target detection application, wherein the target detection application is determined from a plurality of application programs installed in the electronic equipment based on application selection operation;
registering a file operation callback function with a kernel static tracking point related to file input and output;
responding to file operation, and calling the file operation callback function to obtain operation process information corresponding to the file operation;
comparing the operation process information with the target application process information, and determining an operation detection result of the target detection application based on a comparison result.
Those of ordinary skill in the art will appreciate that all or a portion of the steps of the various methods of the above embodiments may be performed by instructions, or by instructions controlling associated hardware, which may be stored in a computer-readable storage medium and loaded and executed by a processor.
To this end, an embodiment of the present invention provides a computer readable storage medium having stored therein a plurality of instructions capable of being loaded by a processor to perform the steps of any one of the application operation detection methods provided by the embodiments of the present invention. For example, the instructions may perform the steps of:
acquiring target application process information of a target detection application, wherein the target detection application is determined from a plurality of application programs installed in the electronic equipment based on application selection operation;
registering a file operation callback function with a kernel static tracking point related to file input and output;
responding to file operation, and calling the file operation callback function to obtain operation process information corresponding to the file operation;
comparing the operation process information with the target application process information, and determining an operation detection result of the target detection application based on a comparison result.
The specific implementation of each operation above may be referred to the previous embodiments, and will not be described herein.
The computer-readable storage medium may comprise: read-only memory (ROM, Read Only Memory), random access memory (RAM, Random Access Memory), magnetic or optical disk, and the like.
Because the instructions stored in the computer readable storage medium can execute the steps in any application operation detection method provided by the embodiments of the present application, the beneficial effects that any application operation detection method provided by the embodiments of the present application can achieve can be achieved, which are detailed in the previous embodiments and are not described herein.
According to one aspect of the present application, there is also provided a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the electronic device reads the computer instructions from the computer-readable storage medium and executes the computer instructions to cause the electronic device to perform the methods provided in the various alternative implementations of the embodiments described above.
The foregoing describes in detail a method, apparatus, electronic device and storage medium for detecting operation of an application program according to embodiments of the present invention, and specific examples are applied to illustrate principles and implementations of the present invention, where the foregoing examples are only for helping to understand the method and core idea of the present invention; meanwhile, as those skilled in the art will have variations in the specific embodiments and application scope in light of the ideas of the present invention, the present description should not be construed as limiting the present invention.

Claims (11)

1. An application operation detection method, comprising:
acquiring target application process information of a target detection application, wherein the target detection application is determined from a plurality of application programs installed in the electronic equipment based on application selection operation;
registering a file operation callback function with a kernel static tracking point related to file input and output;
responding to file operation, and calling the file operation callback function to obtain operation process information corresponding to the file operation;
comparing the operation process information with the target application process information, and determining an operation detection result of the target detection application based on a comparison result.
2. The application operation detection method according to claim 1, wherein before the application process information of the target detection application is acquired, the method further comprises:
acquiring application process information of at least one candidate application program in a running state at present;
displaying an application selection page based on the application process information, wherein the application selection page comprises at least one application selection control, and one application selection control corresponds to one candidate application program;
and responding to application selection operation aiming at least one application selection control, and taking the candidate application program corresponding to the application selection control as a target detection application.
3. The application operation detection method according to claim 2, wherein displaying an application selection page based on each of the application process information includes:
determining application program prompt information corresponding to each piece of application process information based on each piece of application process information;
and generating and displaying an application selection page according to the application prompt information, wherein the application selection page comprises the application prompt information.
4. The application operation detection method according to claim 1, wherein comparing the operation process information with the target application process information, and determining the operation detection result of the target detection application based on the comparison result, comprises:
comparing the operation process information with the target application process information, if the operation process information is the same as the target application process information, recording operation parameters of the file operation, and determining an operation detection result of the target detection application as risk operation;
the method further comprises the steps of:
and displaying a risk operation prompt page based on the operation parameters, wherein the risk operation prompt page comprises application identification information of the target detection application.
5. The application operation detection method according to claim 4, wherein the risk operation hint page includes an application management control, the method further comprising:
and managing the target detection application in response to an application management operation for the application management control.
6. The application operation detection method according to claim 4, characterized in that the method further comprises:
if the operation detection result of the target detection application is that risk operation exists, determining the risk degree of the file operation based on operation authority information preset for the target detection application;
and managing the file operation according to the risk degree.
7. The application operation detection method according to claim 1, characterized in that the method further comprises:
generating application prompt information of the target detection application based on the operation parameters;
and sending the application prompt information to a server so that the server stores the application prompt information corresponding to the target detection application, and sending the application prompt information to electronic equipment corresponding to the installation request for display when the installation request for the target detection application is received.
8. An application operation detection apparatus, comprising:
the target information acquisition unit is used for acquiring target application process information of a target detection application, wherein the target detection application is determined from a plurality of application programs installed in the electronic equipment based on application selection operation;
the callback function registration unit is used for registering a file operation callback function with a kernel static tracking point related to file input and output;
the operation information acquisition unit is used for responding to file operation and calling the file operation callback function to obtain operation process information corresponding to the file operation;
and the detection result determining unit is used for comparing the operation process information with the target application process information and determining an operation detection result of the target detection application based on a comparison result.
9. An electronic device comprising a memory and a processor; the memory stores an application program, and the processor is configured to execute the application program in the memory to perform the steps in the application program operation detection method according to any one of claims 1 to 7.
10. A computer readable storage medium storing a plurality of instructions adapted to be loaded by a processor to perform the steps in the application operation detection method of any one of claims 1 to 7.
11. A computer program product comprising a computer program or instructions which, when executed by a processor, implement the steps of the application operation detection method according to any one of claims 1 to 7.
CN202211415287.5A 2022-11-11 2022-11-11 Application operation detection method and device, electronic equipment and storage medium Pending CN117112340A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211415287.5A CN117112340A (en) 2022-11-11 2022-11-11 Application operation detection method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211415287.5A CN117112340A (en) 2022-11-11 2022-11-11 Application operation detection method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN117112340A true CN117112340A (en) 2023-11-24

Family

ID=88802630

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211415287.5A Pending CN117112340A (en) 2022-11-11 2022-11-11 Application operation detection method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN117112340A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination