CN117150482A - Equipment application safety protection method and virtual device - Google Patents

Abstract

The application relates to the technical field of data security, and particularly discloses a device application security protection method and a virtual device, wherein the method comprises the following steps: receiving a user instruction, and determining a target security protection strategy based on the user instruction; based on a target security protection strategy, performing security protection on target data in the equipment to obtain a binary file in a target form, wherein the binary file in the target form is used for being executed by an application in the equipment; detecting a binary file in a target form and a dynamic link of a target position, and determining whether an attack trace exists in the application or not based on a detection result; if the application exists, stopping the operation of the application, and performing recovery operation to recover the equipment to a state before the operation of the application; if the recovery operation fails, a forced exit or warning is issued. Therefore, the user can realize the safety protection configuration of the equipment application only by simply selecting the safety protection strategy, the operation is simple and easy, and the protection effect can be greatly improved.

Description

Equipment application safety protection method and virtual device

Technical Field

The application relates to the technical field of data security, in particular to a device application security protection method and a virtual device.

Background

Among various devices for installing applications, such as IOS devices, security protection of applications is of great importance to ensure device data security.

In the prior art, as in the iOS application, the existing safety protection cannot prevent attacks of some special means, and the traditional safety protection needs to be configured in various ways, so that the problems of complex operation, unfriendly operation and the like exist; in the aspect of safety protection means, the existing safety protection means are few, cannot effectively prevent special attack means, and cannot effectively ensure the data safety of equipment.

Disclosure of Invention

Therefore, the present application aims to provide a device application security protection method and a virtual device, so as to overcome the problem of poor device application security effect in the prior art.

In order to achieve the above purpose, the application adopts the following technical scheme:

in a first aspect, an embodiment of the present application provides a device application security protection method, including:

receiving a user instruction, and determining a target security protection strategy based on the user instruction;

based on the target security protection policy, performing security protection on target data in the equipment to obtain a binary file in a target form, wherein the binary file in the target form is used for being executed by an application in the equipment;

detecting the binary file in the target form and the dynamic link of the target position, and determining whether the application has an attack trace or not based on a detection result;

if yes, stopping the running of the application, and performing recovery operation to recover the equipment to a state before the running of the application;

if the recovery operation fails, a forced exit or warning is issued.

Further, the receiving the user instruction and determining the security protection policy based on the user instruction includes:

receiving a user instruction;

determining a target data encryption algorithm in a preset data encryption algorithm based on the user instruction;

determining a target confusion method in a preset confusion method based on the user instruction;

based on the target security protection policy, performing security protection on target data in the device to obtain a binary file in a target form, including:

encrypting and obfuscating the target data through the target data encryption algorithm and the target obfuscation method to obtain a binary file in the target form;

wherein the target data includes configuration data and data storage files in the device.

Further, the detecting the binary file in the target form and detecting the dynamic link of the target position, and determining whether the application has an attack trace based on the detection result, includes:

acquiring dynamic link information;

determining a dynamic library of the application links based on the dynamic link information;

comparing and judging the linked dynamic library with a preset system library, and determining whether the equipment acquires root permission or not;

if the device acquires the root authority, determining that an attack trace exists.

Further, the detecting the binary file in the target form and detecting the dynamic link of the target position, and determining whether the application has an attack trace based on the detection result, further includes:

acquiring description information of the binary file in the target form;

determining whether a re-signature exists on the device based on the description information of the binary file in the target form;

and if the equipment has the re-signature, determining that an attack trace exists.

Further, the step of obtaining the dynamic link information comprises the step of obtaining the dynamic link information in a data embedding point mode;

the method comprises the steps of obtaining description information of the binary file in the target form in a data embedding mode.

Further, the method further comprises the following steps: generating a decrypted key based on the unique identification of the device and the password of the device;

the key is used to determine whether the application can access a file in the device.

In a second aspect, an embodiment of the present application provides a device application security protection virtual apparatus, including:

the receiving module is used for receiving a user instruction and determining a target security protection strategy based on the user instruction;

the protection module is used for carrying out safety protection on target data in equipment based on the target safety protection strategy to obtain a binary file in a target form, wherein the binary file in the target form is used for being executed by an application in the equipment;

the detection module is used for detecting the binary file in the target form and the dynamic link of the detection target position and determining whether the application has an attack trace or not based on the detection result;

the recovery module is used for stopping the running of the application and performing recovery operation when the attack trace exists so as to recover the equipment to a state before the running of the application;

and the warning module is used for sending out warning when the recovery operation fails.

The technical scheme provided by the application has at least the following beneficial effects:

the application relates to the technical field of data security, and particularly discloses a device application security protection method and a virtual device, wherein the method comprises the following steps: receiving a user instruction, and determining a target security protection strategy based on the user instruction; based on a target security protection strategy, performing security protection on target data in the equipment to obtain a binary file in a target form, wherein the binary file in the target form is used for being executed by an application in the equipment; detecting a binary file in a target form and a dynamic link of a target position, and determining whether an attack trace exists in the application or not based on a detection result; if the application exists, stopping the operation of the application, and performing recovery operation to recover the equipment to a state before the operation of the application; if the recovery operation fails, a warning is issued. Therefore, the user can realize the safety protection configuration of the equipment application only by simply selecting the safety protection strategy, the operation is simple and easy, and the protection effect can be greatly improved.

Drawings

In order to more clearly illustrate the embodiments of the application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.

Fig. 1 is a schematic flow chart of a device application security protection method according to an embodiment of the present application;

fig. 2 is a flow chart of a security protection method applied to a device according to another embodiment of the present application;

fig. 3 is a schematic structural diagram of an apparatus application security protection virtual device according to an embodiment of the present application.

Detailed Description

In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be described in detail below. It will be apparent that the described embodiments are only some, but not all, embodiments of the application. All other embodiments, based on the examples herein, which are within the scope of the application as defined by the claims, will be within the scope of the application as defined by the claims.

In order to solve the technical problems mentioned in the background art at least to a certain extent, the present application provides a device application security protection method according to an exemplary embodiment, and fig. 1 is a schematic flow diagram of the device application security protection method provided by the embodiment of the present application, and as shown in fig. 1, the method may include:

s101, receiving a user instruction, and determining a target security protection strategy based on the user instruction.

Specifically, first, for a device to be protected, such as an IOS device, a virtual device for executing the device application security protection method provided by the present application, such as a security protection module, that is, a device application security protection virtual device, needs to be implanted in advance, and a subsequent method flow is executed through the security protection module.

In some embodiments, the encapsulated security module of the present application may be implanted during application development, for example, for an application within which the module is implanted; the protection module is used for carrying out subsequent custom protection means, initialization configuration, a special encryption algorithm of custom security protection and the like.

It should be noted that the security protection module encapsulated by the present application includes, but is not limited to, a dynamic library, a private library, and a three-party library.

The security policy for determining in the application comprises an encryption algorithm for encrypting various data stored in the module in advance, an application confusion scheme, a local file protection scheme and the like, and a user can select from the encryption algorithm, the application confusion scheme, the local file protection scheme and the like in a self-defining way through an input instruction.

S102, based on a target security protection strategy, performing security protection on target data in the equipment to obtain a binary file in a target form.

The binary file in target form is for execution by an application in the device.

Specifically, after the configuration of the security protection module by the user includes setting the security protection policy, the security protection module may perform data encryption, application confusion, local file protection, and the like based on the determined target security protection policy. For example, static character strings are encrypted, data specific information is not known during engineering compiling, and decryption operation is performed during function running in an application, so that normal running of a program is ensured.

In some embodiments, the user may choose symmetric encryption and asymmetric encryption to custom encrypt and protect the string when configuring the data encryption to prevent the application from being located to the core code by obtaining the key. And when the confusing configuration is applied, the confusing scheme for setting or selecting the code logic is used for confusing the symbols, so that the complexity and the reverse analysis difficulty of the codes are greatly improved while the original logic and the performance are ensured, and the application safety performance is enhanced. When the device is in an unlocking state, only when the device has the key (whether the key is allocated for an event to be carried out by the application or not can be determined) in the actual application, the file can be acquired through the decryption key; when the device is in the locked state, it is not possible to access the file.

In this way, the data to be executed by the application is converted into the binary file in the target form through encryption and confusion principles, the application is executed, and the application can be reinforced through an active protection strategy designed based on the multilayer protection principle in the safety protection module, so that the data security in the application operation process is ensured.

S103, detecting dynamic links of the binary file in the target form and the detection target position, and determining whether the application has an attack trace or not based on the detection result.

In some embodiments of the present application, whether the application has an attack trace on the one hand may be determined by predefining an event identifier and acquiring various operation data information in the device application, such as an executable binary file and a dynamic link of a target location, by a data embedding point acquisition manner, so as to provide a basis for a subsequent procedure, if so, S104 is executed, and if not, S107 is executed. On the other hand, a basis can be provided for each safety protection measure, such as the execution of an active protection strategy mentioned later.

S104, stopping the running of the application, and performing a recovery operation.

And stopping the running of the application program, and recovering the initial state to recover the equipment to the state before the running of the application (such as a preset time node or before the attack).

S105, detecting whether the recovery operation is successful.

If successful, S107 is executed, and if unsuccessful, S106 is executed.

S106, forcedly exiting or giving out a warning.

And S107, enabling the application program to continue to run.

The application relates to the technical field of data security, and particularly discloses a device application security protection method and a virtual device, wherein the method comprises the following steps: receiving a user instruction, and determining a target security protection strategy based on the user instruction; based on a target security protection strategy, performing security protection on target data in the equipment to obtain a binary file in a target form, wherein the binary file in the target form is used for being executed by an application in the equipment; detecting a binary file in a target form and a dynamic link of a target position, and determining whether an attack trace exists in the application or not based on a detection result; if the application exists, stopping the operation of the application, and performing recovery operation to recover the equipment to a state before the operation of the application; if the recovery operation fails, a warning is issued. Therefore, the user can realize the safety protection configuration of the equipment application only by simply selecting the safety protection strategy, the operation is simple and easy, and the protection effect can be greatly improved.

Further, in some embodiments of the present application, the data burial point may be defined by an event identifier, and the data burial point may be collected and reported to a relevant server for re-signing, dynamic debugging, relevant operations of jail-breaking equipment, etc., and the relevant server may filter and match the event identifier, thereby increasing the experience of the burial point and reducing the maintenance cost, and providing for application reinforcement. Of course, in other embodiments of the present application, the method is also used for inputting related instructions through the security protection module, customizing the data embedded point, and satisfying various actual demands of users.

Based on the above embodiments, in some embodiments of the present application, the specific process of applying reinforcement based on the target security protection policy may include:

firstly, active protection can be performed through an active protection strategy in a safety protection module, and the specific principle comprises that the application safety is improved by adopting a multilayer protection idea, and a protection mechanism is ensured by a mode of protecting a bottom layer by a high layer. The method is mainly used for preventing dynamic debugging. For example, firstly, by requesting a process state and querying an interface sysctl of a kernel state, information of execution of an application program is obtained, then, based on the information of an event type mentioned in the above embodiment, in a current state, a process with corresponding authority is used for setting the kernel state, and an attacker is prevented from changing the kernel state and setting a kernel mark through application, so that the process is protected from being dynamically debugged by the attacker.

Further, in the present application, the encryption mentioned in the above embodiment includes various encryption means, and the user may determine, through the security protection module, that the corresponding algorithm is customized to encrypt the target data, where the encryption includes encrypting the system NSUserDefaults, that is, the configuration data and the data storage file, to obtain the binary data of the encrypted file. Therefore, the encryption is carried out through the self-defined algorithm of the safety protection module, the encrypted data is obtained when the program runs, the binary file is decrypted and executed, and the encrypted data can be effectively prevented from being cracked.

And the confusion is the confusion of engineering codes, and the implementation mode can be that after the method names of the self-definition in the engineering files and the method and key words provided by the system library are obtained, some random character strings in original data in the equipment are replaced through an algorithm or a scheme configured by a safety protection module, so that the safety and the stability of the application are ensured, and meanwhile, the complexity of the codes is improved.

In some embodiments of the present application, keys may be added for data encryption and the relevant files may be saved entirely, as desired. The file records the alternative method names, keywords and corresponding confusion character strings, thereby facilitating the subsequent confusion. It should be noted that, encryption and confusion are performed on the original data in the device, that is, the binary file in the target format for execution of the application is obtained by encrypting, mixing and converting the target data.

Further, in some embodiments of the present application, the specific process of detecting whether an attack trace exists may include:

in the method, after the executable binary file (namely the binary file in the target format) obtained after application reinforcement is adopted, whether the equipment is the equipment for acquiring the root authority and whether a re-signature exists or not can be judged through detecting the application running environment, and if the equipment is the equipment for acquiring the root authority and the re-signature exists, the attack trace is judged to exist, so that corresponding processing is carried out on the attack trace. If all the current environments normally do not have the root acquiring authority and the re-signature, namely no attack trace exists, the program is kept to run continuously.

Specifically, a preset detection method can be used for detecting a dylb file and an executable binary file at a specific position, checking whether the source address of a resource is a system library, listing all linked dynamic libraries, and judging and comparing the state with the system library to judge whether the current equipment acquires root rights. When the connected dynamic library is inconsistent with or more than the system library, determining that the root authority is acquired, and if the dynamic library is consistent with or more than the system library, determining that the root authority is not acquired; further, the anti-re-signature is to obtain the description file information (the description information of the executable binary file), check whether the comparison signature ID is consistent with the description file information in packaging or not at the time of starting engineering, determine that there is no re-signature if the comparison signature ID is consistent with the description file information, and determine that there is a re-signature if the comparison signature ID is inconsistent with the description file information, so as to judge the current environment and mark the current environment.

It can be understood that, because both the root authority and the presence re-signature are obtained as attacks, in the present application, as long as either one of the two exists and both exist, it is determined that an attack trace exists, and only if the corresponding two do not exist, it is determined that no attack trace exists.

The following describes in detail the process of applying the security protection method to the device according to the present application with a complete implementation process, and fig. 2 is a schematic flow chart of applying the security protection method to the device according to another embodiment of the present application, and as shown in fig. 2, may specifically include:

s201, an application implantation safety protection module.

S202, relevant configuration of the safety protection module is carried out by a user.

S203, embedding data points.

S204, reinforcing is applied.

Specifically, application reinforcement is performed based on the security protection policy configured by the user.

S205, performing environment detection and judging whether an attack trace exists.

Specifically, if there is no attack trace, S209 is directly executed, and if there is an attack trace, S206 is executed.

S206, performing automatic recovery operation.

Specifically, when an attack trace exists, a recovery operation is automatically executed, and the program clears all the cache data, newly-added data and the like, and recovers the original state according to the backup.

S207, judging whether the automatic recovery operation is successful.

Specifically, if the operation is successful, S209 is directly executed, and if not, S208 is executed.

S208, forced restarting or warning.

Specifically, if the current application does not succeed in the automatic recovery of the application in S206, the enforcement means is blocked, or the permission control is performed by marking.

Specifically, when the execution application is attacked and cannot be recovered according to the security protection configuration, the application forced crash is selected to restart, so that malicious behaviors of reverse personnel are effectively prevented. Or, the application use permission control is performed, and the environment detection is performed again, at the moment, the current environment is marked in the application global, a developer can judge whether to allow the reverse personnel to continue to use according to the mark, if the reverse personnel are allowed to continue to use, the UI can limit the related sensitive data or functional service, and the UI can prevent the forced prompt at the moment, so that the reverse difficulty is improved.

S209, enabling the program to continue running.

And keeping the current environment safe and stable running program.

According to the equipment application safety protection method provided by the application, the layering and configuration of the iOS equipment application are realized through a complete equipment-based, especially IOS equipment application safety protection scheme. The method has the advantages that related personnel are not required to write complex reinforcement logic codes, meanwhile, a reinforcement mode method, a self-defined algorithm and the like can be self-defined, the running safety and stability of a program are guaranteed, the development cost and the maintenance cost are greatly reduced, meanwhile, the application based on the iOS equipment is effectively prevented from being cracked, core data are revealed, an enterprise server is attacked, the data are tampered and the like.

Based on a general inventive concept, an embodiment of the present application further provides an apparatus application security protection virtual device, and fig. 3 is a schematic structural diagram of the apparatus application security protection virtual device provided by the embodiment of the present application, as shown in fig. 3, where the apparatus application security protection virtual device provided by the embodiment of the present application may specifically include:

a receiving module 31, configured to receive a user instruction, and determine a target security protection policy based on the user instruction;

the protection module 32 is configured to perform security protection on target data in a device based on a target security protection policy, so as to obtain a binary file in a target form, where the binary file in the target form is used for being executed by an application in the device;

a detection module 33, configured to detect a binary file in a target form and detect a dynamic link of a target location, and determine whether an attack trace exists in the application based on a detection result;

a recovery module 34, configured to stop the running of the application and perform a recovery operation when there is an attack trace, so as to recover the device to a state before the running of the application;

and a warning module 35 for issuing a warning when the recovery operation fails.

The specific manner in which the respective modules perform the operations in the virtual devices in the above embodiments has been described in detail in the embodiments related to the method, and will not be described in detail herein.

It is to be understood that the same or similar parts in the above embodiments may be referred to each other, and that in some embodiments, the same or similar parts in other embodiments may be referred to.

It should be noted that in the description of the present application, the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. Furthermore, in the description of the present application, unless otherwise indicated, the meaning of "plurality" means at least two.

Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and further implementations are included within the scope of the preferred embodiment of the present application in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present application.

It is to be understood that portions of the present application may be implemented in hardware, software, firmware, or a combination thereof. In the above-described embodiments, the various steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, may be implemented using any one or combination of the following techniques, as is well known in the art: discrete logic circuits having logic gates for implementing logic functions on data signals, application specific integrated circuits having suitable combinational logic gates, programmable Gate Arrays (PGAs), field Programmable Gate Arrays (FPGAs), and the like.

Those of ordinary skill in the art will appreciate that all or a portion of the steps carried out in the method of the above-described embodiments may be implemented by a program to instruct related hardware, where the program may be stored in a computer readable storage medium, and where the program, when executed, includes one or a combination of the steps of the method embodiments.

In addition, each functional unit in the embodiments of the present application may be integrated in one processing module, or each unit may exist alone physically, or two or more units may be integrated in one module. The integrated modules may be implemented in hardware or in software functional modules. The integrated modules may also be stored in a computer readable storage medium if implemented in the form of software functional modules and sold or used as a stand-alone product.

The above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, or the like.

In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present application. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.

While embodiments of the present application have been shown and described above, it will be understood that the above embodiments are illustrative and not to be construed as limiting the application, and that variations, modifications, alternatives and variations may be made to the above embodiments by one of ordinary skill in the art within the scope of the application.

Claims (7)

1. A method for securing a device application, comprising:

receiving a user instruction, and determining a target security protection strategy based on the user instruction;

based on the target security protection policy, performing security protection on target data in the equipment to obtain a binary file in a target form, wherein the binary file in the target form is used for being executed by an application in the equipment;

detecting the binary file in the target form and the dynamic link of the target position, and determining whether the application has an attack trace or not based on a detection result;

if yes, stopping the running of the application, and performing recovery operation to recover the equipment to a state before the running of the application;

if the recovery operation fails, a forced exit or warning is issued.

2. The device application security method of claim 1, wherein the receiving a user instruction and determining a security policy based on the user instruction comprises:

receiving a user instruction;

determining a target data encryption algorithm in a preset data encryption algorithm based on the user instruction;

determining a target confusion method in a preset confusion method based on the user instruction;

based on the target security protection policy, performing security protection on target data in the device to obtain a binary file in a target form, including:

encrypting and obfuscating the target data through the target data encryption algorithm and the target obfuscation method to obtain a binary file in the target form;

wherein the target data includes configuration data and data storage files in the device.

3. The device application security method of claim 1, wherein detecting the binary file in the target form and detecting the dynamic link of the target location, and determining whether the application has an attack trace based on the detection result, comprises:

acquiring dynamic link information;

determining a dynamic library of the application links based on the dynamic link information;

comparing and judging the linked dynamic library with a preset system library, and determining whether the equipment acquires root permission or not;

if the device acquires the root authority, determining that an attack trace exists.

4. The device application security method of claim 3, wherein detecting the binary file in the target form and detecting the dynamic link of the target location, and determining whether the application has an attack trace based on the detection result, further comprises:

acquiring description information of the binary file in the target form;

determining whether a re-signature exists on the device based on the description information of the binary file in the target form;

and if the equipment has the re-signature, determining that an attack trace exists.

5. The method for protecting equipment application security according to claim 4, wherein the step of obtaining the dynamic link information comprises obtaining the dynamic link information by means of a data embedding point;

the method comprises the steps of obtaining description information of the binary file in the target form in a data embedding mode.

6. The device application security method of claim 1, further comprising: generating a decrypted key based on the unique identification of the device and the password of the device;

the key is used to determine whether the application can access a file in the device.

7. A device application security virtual apparatus, comprising:

the receiving module is used for receiving a user instruction and determining a target security protection strategy based on the user instruction;

the protection module is used for carrying out safety protection on target data in equipment based on the target safety protection strategy to obtain a binary file in a target form, wherein the binary file in the target form is used for being executed by an application in the equipment;

the detection module is used for detecting the binary file in the target form and the dynamic link of the detection target position and determining whether the application has an attack trace or not based on the detection result;

the recovery module is used for stopping the running of the application and performing recovery operation when the attack trace exists so as to recover the equipment to a state before the running of the application;

and the warning module is used for sending out warning when the recovery operation fails.