CN117610021A - Dynamic and static combined mobile application privacy security analysis method, system and equipment - Google Patents


Info

Publication number: CN117610021A
Application number: CN202311722858.4A
Authority: CN (China)
Prior art keywords: mobile application, internet, things, file, data packet
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 薛磊, 王世豪, 肖艳, 樊雪丽
Current assignee: Sun Yat Sen University
Original assignee: Sun Yat Sen University
Application filed by Sun Yat Sen University
Priority to CN202311722858.4A
Publication of CN117610021A

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities > G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55 Detecting local intrusion or implementing counter-measures > G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements > G06F21/562 Static detection
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55 Detecting local intrusion or implementing counter-measures > G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements > G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules > G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database > G06F21/6245 Protecting personal data, e.g. for financial or medical purposes

Abstract

The invention discloses a dynamic and static combined mobile application privacy security analysis method, system and equipment, which comprise the steps of: decompiling the APK file of a mobile application of the Internet of Things with a decompiling tool to obtain the xml file and the smali files of the APK file; carrying out static analysis on the xml file and the smali files respectively to obtain the declared use permissions and the actually used permissions of the mobile application; dynamically acquiring, with a Hook framework, the function call stacks and the network data packets sent by the mobile application while it runs; and comparing the declared use permissions with the actually used permissions, and carrying out data analysis on the function call stacks and the network data packets respectively according to a preset strategy, so as to judge whether the mobile application of the Internet of Things has privacy security risks. With this dynamic and static combined analysis method, the privacy security condition of a mobile application of the Internet of Things can be evaluated comprehensively, and potential data security risks can be found and prevented at an earlier stage.

Description

Dynamic and static combined mobile application privacy security analysis method, system and equipment
Technical Field
The invention relates to the technical field of security of the Internet of things, in particular to a mobile application privacy security analysis method, system and equipment with dynamic and static combination.
Background
In today's age of universal interconnection, many Internet of Things devices support multiple communication modes. Besides the connection between the IoT device and its cloud backend, many IoT devices can also communicate directly with smartphones through point-to-point or local-network-based IoT-to-mobile communication. These various data communication modes pose challenges for the transmission security of private data. The smartphone obtains information from the IoT device via Bluetooth, NFC and the like, and that information can carry private data such as location, ambient temperature and personal body data. On the Android platform, because of the open ecosystem and developers' insufficient attention to security, privacy leakage and data security problems are particularly prominent.
Traditional security analysis methods, such as static analysis technology, mainly analyze source codes and APK files of application programs; the dynamic detection technology detects privacy disclosure behaviors of the application program by monitoring the running behaviors of the application program, including an API (application program interface) hook technology, a dynamic taint analysis technology, a system call monitoring technology, a network traffic monitoring technology and the like, and the technologies can effectively detect the real behaviors of the application program.
However, static analysis techniques also have some limitations, such as the inability to detect the true behavior of dynamically generated code and applications; dynamic detection techniques, while capable of detecting dynamic behavior characteristics during program execution, have limitations such as the inability to detect code that is not being executed.
Disclosure of Invention
The technical problem to be solved by the invention is how to collect and integrate the static information and the dynamic information of a mobile application in a coordinated way, capturing all function call stacks and network data packets sent by the mobile application while it runs, and finally to form a systematic analysis. To solve this problem, the invention provides a dynamic and static combined mobile application privacy security analysis method, system and equipment.
In a first aspect, an embodiment of the present invention provides a dynamic and static combined mobile application privacy security analysis method, including:
decompiling an APK file of the mobile application of the Internet of things by using a decompiling tool to obtain an xml file and a smali file of the APK file;
respectively carrying out static analysis on the xml file and the smali file to obtain declaration use permission and actual use permission of the mobile application of the Internet of things;
dynamically acquiring a function call stack and a network data packet sent by the mobile application of the Internet of things during operation by using a Hook framework;
and comparing the declaration use authority with the actual use authority, and respectively carrying out data analysis on the function call stack and the network data packet according to a preset strategy to judge whether the mobile application of the Internet of things has privacy security risks.
Preferably, before the function call stack and the network data packet sent by the mobile application of the internet of things during running are dynamically acquired by using a Hook framework, the method further comprises:
executing a UI automation script to enable the mobile application of the Internet of things to generate data traffic; the data traffic includes at least a function call stack and a network data packet.
Preferably, decompiling the APK file of the mobile application of the internet of things by using a decompiling tool to obtain an xml file and a smali file of the APK file, including:
and decompiling the APK file of the mobile application of the Internet of things by adopting Apktool to obtain an xml file and a smali file of the APK file.
Preferably, the obtaining the declaration use permission and the actual use permission of the mobile application of the internet of things by respectively performing static analysis on the xml file and the smali file includes:
acquiring declaration application rights of the xml file and a smali code of the smali file;
constructing a mapping list of the smali codes and the declaration application authorities;
and traversing the mapping list according to the smali code to obtain the actual use permission of the mobile application of the Internet of things.
Preferably, the dynamically acquiring, by using a Hook framework, a function call stack and a network data packet sent by the mobile application of the internet of things during running includes:
dynamically acquiring a function call stack and a network data packet sent by the mobile application of the Internet of things during operation by adopting a Frida framework;
and saving the function call stack in a text file in txt format and the network data packet in the form of a PCAP data packet for storage in a database.
Preferably, the determining whether the mobile application of the internet of things has privacy security risk by comparing the declaration usage right with the actual usage right and respectively performing data analysis on the function call stack and the network data packet according to a preset policy includes:
comparing whether the declared use permissions and the actually used permissions of the mobile application of the Internet of Things are the same; if they are not the same, judging that the mobile application of the Internet of Things has privacy security risks; otherwise, respectively carrying out data analysis on the function call stack and the network data packet according to a preset strategy, and continuing to judge whether the mobile application of the Internet of Things has privacy security risks.
Preferably, the data analysis is performed on the function call stack and the network data packet according to a preset policy, and whether the mobile application of the internet of things has privacy security risk is continuously judged, including:
constructing an encryption function list based on the API of the Android system, a third party encryption library and keywords; the Android system API at least comprises java.crypto and java.security, the third party encryption library at least comprises Bouncy Castle and Google Tink, and the keywords at least comprise AES, RSA, SHA, DES, MD and Encrypt;
searching the function call stack according to the encryption function list, judging whether the function call stack has an encryption function, and if so, judging that the network data packet is encrypted;
counting the URL in the network data packet, and judging whether the mobile application of the Internet of things has the risk of sending user data to an unsafe or third-party server or not;
based on Android official documents and usage documents of the mobile application of the Internet of things, constructing a sensitive information keyword list;
and carrying out fuzzy matching and searching on the uploading content in the network data packet according to the sensitive information keyword list, and judging whether the mobile application of the Internet of things has the risk of uploading the sensitive information.
In a second aspect, an embodiment of the present invention provides a dynamic and static combined mobile application privacy security analysis system, including:
the decompilation module is used for decompiling the APK file of the mobile application of the Internet of things by using a decompilation tool to obtain an xml file and a smali file of the APK file;
the static analysis module is used for respectively carrying out static analysis on the xml file and the smali file to obtain declaration use permission and actual use permission of the mobile application of the Internet of things;
the dynamic scanning module is used for dynamically acquiring a function call stack and a network data packet which are sent when the mobile application of the Internet of things runs by using a Hook framework;
and the risk assessment module is used for judging whether the mobile application of the Internet of things has privacy security risk or not by comparing the declaration use authority with the actual use authority and respectively carrying out data analysis on the function call stack and the network data packet according to a preset strategy.
Preferably, the method further comprises:
the data automatic generation module is used for enabling the mobile application of the Internet of things to generate data traffic by executing a UI automation script; the data traffic includes at least a function call stack and a network data packet.
In a third aspect, an embodiment of the present invention provides a terminal device, including a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, the processor implementing the mobile application privacy security analysis method as described above when executing the computer program.
Compared with the prior art, the dynamic and static combined mobile application privacy security analysis method, system and equipment provided by the embodiment of the invention have the following beneficial effects: comprehensive dynamic and static analysis is performed; the APK and the runtime data of the mobile application are obtained with tools such as Apktool and Frida and stored in a database, so that comprehensive and automated information collection and security detection are realized; the accuracy and reliability of detection are improved, the false positive and false negative rates are reduced, and manual intervention and cost are effectively reduced at the same time.
Drawings
FIG. 1 is a schematic flow chart of a dynamic and static combined mobile application privacy security analysis method according to an embodiment of the invention;
FIG. 2 is a schematic diagram of rights declaration in an xml file in accordance with an embodiment of the present invention;
FIG. 3 is a schematic diagram of custom rights declaration in an xml file according to an embodiment of the present invention;
FIG. 4 is a schematic flow chart of static analysis according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a mapping list of smali code and declaration of application rights in accordance with an embodiment of the present invention;
FIG. 6 is a schematic flow chart of dynamic scanning according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of a dynamic get function call stack according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of dynamically acquiring network packets according to an embodiment of the present invention;
FIG. 9 is a schematic flow chart of dynamic analysis according to an embodiment of the present invention;
FIG. 10 is a schematic diagram of a keyword list of sensitive information according to an embodiment of the present invention;
FIG. 11 is a schematic structural diagram of a dynamic and static combined mobile application privacy security analysis system according to an embodiment of the present invention;
FIG. 12 is a schematic diagram of a UI design interface of a dynamic and static combined mobile application privacy security analysis system according to an embodiment of the present invention;
FIG. 13 is a schematic diagram showing a UI of a dynamic and static analysis result according to an embodiment of the invention;
FIG. 14 is a schematic structural diagram of a terminal device according to an embodiment of the present invention.
Detailed Description
The following describes in further detail the embodiments of the present invention with reference to the drawings and examples. The following examples are illustrative of the invention and are not intended to limit the scope of the invention.
As shown in fig. 1, the embodiment of the invention provides a dynamic and static combined mobile application privacy security analysis method, which comprises the following steps:
s1, decompiling an APK file of mobile application of the Internet of things by using a decompiling tool to obtain an xml file and a smali file of the APK file;
the APK decompilation technology is a method for analyzing the APK of the Android application program, and the source codes and the resource files of the application program are obtained through decompressing and decompiling the APK files so as to further perform static analysis and vulnerability detection. Common decompilation tools include Apktool, dex2jar, jadx, and the like. Apktool can decompil an APK file and finally obtain android management.xml, a resource file and Dalvik byte code information (smali file) of an application program, so that configuration information and codes of the application program can be analyzed conveniently; the dex2jar can convert the dex file of the application program into a Java byte code file, so that static analysis is conveniently carried out on the code of the application program; the Jadx can convert the dex file of the application program into a Java source code file, and provide functions of code highlighting, code structure analysis and the like, so that static analysis of the application program is facilitated. The decompilation tools provide a very effective method for analyzing the Android application program, so that researchers can know the specific logic of the application program through a reverse analysis means in depth, and loopholes and security problems existing in the application program are detected.
Specifically, in this embodiment, apktool is used to decompilate an APK file of a mobile application of the internet of things, so as to obtain an xml file and a smali file of the APK file. The Apktool has the main advantages of good cross-platform performance and can be operated on a plurality of operating systems such as Windows, linux, MAC and the like. Meanwhile, apktool provides flexible configuration options, and customized settings can be performed as required, such as changing codes, reconstructing APK files, adding custom resources and the like. In addition, apktool also supports batch processing operation, batch decompilation and reconstruction operation can be carried out on a plurality of APK files, and execution efficiency is improved.
Further, after the APK file is decompiled by using Apktool, an Android management file in the APK can be obtained, where the file is a manifest file of an Android application program, and is also an xml file that needs to be created by a developer when the application program is developed, and is used for describing contents such as configuration information, component information, rights and the like of the application program.
Some information needs to be emphasized in the androidmanfest. Application package name (for uniquely identifying an application), version information of the application, component information of the application, authority information of the application, a start-up manner of the application, an icon and name of the application, and the like. In an android management. The method designates the authority of system resources and user data which the application program needs to access, and provides a protection mechanism for the application program, so that the application program cannot access unauthorized resources and data when running.
Rights declarations in an android management file are presented in the form of < uses-permission > elements, each element containing an "android. These rights are generally divided into two categories: normal rights and dangerous rights. Normal rights refer to rights that do not involve user privacy or security, and the system will automatically authorize. Dangerous rights refer to rights related to user privacy or security, requiring explicit authorization by the user, such as reading contacts and taking photographs. In addition to the permissions provided by the Android system, the application may also define the custom permissions using the < permission > element, see specifically fig. 3.
In addition, after the APK file is decompiled by using the Apktool, a smali file in the APK can also be obtained. The smali file is an intermediate code format obtained after the Android application program is disassembled, and is also a text representation form of the Dalvik virtual machine instruction. It mainly comprises three parts: header information, constant pool, and instruction stream. The header information includes basic information such as file version, class name, super class name, and implemented interface, which correspond to class definitions in Java code. The constant pool is a data structure for storing constants such as character strings, numbers, and types, and is similar to the constant pool of Java bytecodes. An instruction stream is a code segment that contains a series of instructions, each instruction representing a certain operation or control flow, such as a method call, a branch jump, a variable operation, etc. Instructions in an instruction stream are typically represented in the form of a line of text, each instruction containing an opcode and zero or more operands.
S2, respectively carrying out static analysis on the xml file and the smali file to obtain declaration use permission and actual use permission of the mobile application of the Internet of things;
As can be seen from step S1, during the development of an Android application, the permissions the application may use are declared in AndroidManifest.xml. These permission declarations tell the Android operating system which permissions the application might use. However, after the application has been developed, it must be ensured that the permissions actually used by the application agree with the permissions it declares, so as to protect the privacy of the user. Therefore, it is necessary to extract the permissions actually used by the application.
Specifically, as shown in fig. 4, step S2 includes:
s201, acquiring declaration application rights of an xml file and a smali code of a smali file;
After AndroidManifest.xml has been obtained by decompiling the APK file with Apktool, the declared application permissions can be read directly from it; these are the declared application permissions of the mobile application of the Internet of Things. Similarly, after the smali files have been obtained by decompiling the APK file with Apktool, the instruction stream of each smali file can be read directly; this instruction stream is the smali code.
S202, constructing a mapping list of smali codes and declaration application rights;
to identify the rights actually used by an application, a mapping list of smali codes and declared application rights needs to be constructed, see fig. 5.
And S203, traversing the mapping list according to the smali codes to obtain the actual use permission of the mobile application of the Internet of things.
By traversing the mapping list with the smali code, the specific permissions actually used by the application can be detected.
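Steps S201 to S203, together with the declared-versus-actual comparison that opens step S4, as an added Python example (this is not the patent's code). The manifest, the smali fragment, the package name and the mapping list from smali call targets to permissions are all constructed for the example; a real mapping list would be built from the Android permission documentation in the manner of FIG. 5.

```python
import re
import xml.etree.ElementTree as ET

# Apktool decodes the binary manifest back to XML; "android:" attributes use this namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (hypothetical package name), in the form Apktool writes it.
MANIFEST_XML = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.iotapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.BLUETOOTH"/>
    <permission android:name="com.example.iotapp.permission.DEVICE_SYNC"
        android:protectionLevel="signature"/>
    <application android:label="IoT App"/>
</manifest>
"""

# Constructed smali fragment (hypothetical class) in the text form Apktool produces.
SMALI_CODE = """.class public Lcom/example/iotapp/SyncService;
.method private upload()V
    invoke-virtual {v0}, Ljava/net/HttpURLConnection;->connect()V
    invoke-virtual {v1, v2}, Landroid/location/LocationManager;->getLastKnownLocation(Ljava/lang/String;)Landroid/location/Location;
    invoke-virtual {v3}, Landroid/bluetooth/BluetoothAdapter;->startDiscovery()Z
    return-void
.end method
"""

# Mapping list (the FIG. 5 idea): smali call target -> permission that call requires.
# Constructed for this example only.
API_PERMISSION_MAP = {
    "Ljava/net/HttpURLConnection;->connect": "android.permission.INTERNET",
    "Landroid/location/LocationManager;->getLastKnownLocation": "android.permission.ACCESS_FINE_LOCATION",
    "Landroid/bluetooth/BluetoothAdapter;->startDiscovery": "android.permission.BLUETOOTH",
}

# invoke-kind {regs}, Lpkg/Class;->method(args)ret   -> captures "Lpkg/Class;->method"
INVOKE_RE = re.compile(r"invoke-[a-z]+(?:/range)?\s+\{[^}]*\},\s*(L[\w/$]+;->[\w<>$]+)")


def declared_permissions(manifest_xml):
    """S201: permissions declared with <uses-permission>, plus custom <permission> definitions."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    uses = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    custom = {e.get(ANDROID_NS + "name") for e in root.iter("permission")}
    return uses, custom


def actual_permissions(smali_text, mapping=API_PERMISSION_MAP):
    """S203: walk every invoke in the smali code through the mapping list."""
    used = set()
    for m in INVOKE_RE.finditer(smali_text):
        perm = mapping.get(m.group(1))
        if perm:
            used.add(perm)
    return used


def compare_permissions(declared, actual):
    """First check of S4: any difference between declared and actually used permissions."""
    return {
        "used_but_not_declared": sorted(actual - declared),
        "declared_but_not_used": sorted(declared - actual),
        "consistent": declared == actual,
    }


if __name__ == "__main__":
    uses, custom = declared_permissions(MANIFEST_XML)
    actual = actual_permissions(SMALI_CODE)
    print("declared:", sorted(uses), "custom:", sorted(custom))
    print("actually used:", sorted(actual))
    print(compare_permissions(uses, actual))
```

On the sample the location API is called without a declared location permission, which the comparison reports under used_but_not_declared; a permission declared but never mapped to any call shows up under declared_but_not_used, which is the over-declaration case worth reviewing as well.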
S3, dynamically acquiring a function call stack and a network data packet which are sent when the mobile application of the Internet of things runs by using a Hook framework;
In mobile application development, the function call stack is a very important concept. A function call stack is a data structure used to track function calls at program runtime. It records the location of each function when it is called and the location to return to when it returns. Using the function call stack helps developers quickly locate errors and problems in an application and improve code quality. However, in the reverse analysis of Android applications, function call stack information is difficult to obtain. Conventional methods typically insert logging statements to record stack trace information, but this requires modifying the application code and repackaging it, which involves some technical difficulty.
Traditional methods for acquiring network traffic while an application runs are mostly based on a man-in-the-middle (MITM) approach. A proxy is inserted between the device and the server to intercept and modify the network traffic, and the network data is obtained that way. Although this approach can obtain the network traffic of an application, it has a number of problems. For example, some apps use SSL pinning to prevent a man-in-the-middle from obtaining their traffic, so for such applications the traditional man-in-the-middle approach cannot intercept the communication data. In addition, man-in-the-middle interception works only at the network protocol layer and cannot obtain the specific behaviour and context information of the application, which often increases the difficulty of data analysis and follow-up investigation. Therefore, a more efficient dynamic acquisition approach is needed, both for function call stacks and for network traffic.
Specifically, as shown in fig. 6, step S3 includes:
s301, dynamically acquiring a function call stack and a network data packet sent by the mobile application of the Internet of things when the mobile application of the Internet of things runs by adopting a Frida framework;
the preferred Hook framework of this embodiment is the Frida framework. The Frida framework is a cross-platform tool that provides flexible, powerful runtime injection and operational capabilities. It supports a variety of operating systems (e.g., windows, macOS, linux, android and iOS) and different architectures (e.g., x86-64, ARM, and ARM 64). The Frida framework is a use scenario including, but not limited to: security research, software debugging, vulnerability discovery, and reverse engineering.
The Frida framework can be used for conveniently acquiring the function call stack information, and also can be used for simultaneously acquiring the function variable, the return value and the like of the application program, and particularly, the method can be seen in fig. 7.
The use of the Frida framework to dynamically acquire network data traffic when the application is running can intercept and modify the behavior of the application without modifying the source code of the application, thereby realizing the acquisition of the network data traffic when the application is running. Compared with the traditional man-in-the-middle attack, the Frida framework can directly acquire the behavior and the context information of the application program, and is more convenient for data analysis and subsequent research. In particular, dynamic acquisition of application traffic using the Frida framework may be achieved by intercepting API calls of the Java layer and Native layer. At the Java layer, the Frida may acquire network data traffic by intercepting APIs related to network requests such as httpurl connection and OkHttp, and at the Native layer, the Frida may acquire network data traffic by intercepting APIs related to networks in a dynamic link library such as libc.
S302, saving the function call stack in a text file in txt format and saving the network data packet in the form of a PCAP data packet to store in a database.
During dynamic scanning, the dynamically extracted function call stack information is stored as a text file in txt format under a designated directory of the database, and the network data packets intercepted by Frida are stored in PCAP form under a designated directory of the database. Storing them as PCAP packets means they can be opened and analysed directly with a network traffic analysis tool such as Wireshark, and processed with Python.
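The storage step S302, as an added Python example that is not the patent's code: it writes captured buffers into the classic PCAP container (24-byte file header, 16-byte record headers), reads them back strictly, and stores the call-stack text beside the capture. The link type is an assumption: LINKTYPE_USER0 (147) is one of the values reserved for private use, chosen because Frida hooks on HttpURLConnection or libc hand over application-layer buffers rather than full link-layer frames; the sample records, timestamps and frames are constructed.

```python
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, little-endian, microsecond timestamps
LINKTYPE_USER0 = 147      # assumption: private-use link type, records hold app-layer buffers


def pcap_global_header(linktype=LINKTYPE_USER0, snaplen=65535):
    """24-byte file header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts_sec, ts_usec, data):
    """16-byte record header (ts_sec, ts_usec, incl_len, orig_len) followed by the bytes."""
    return struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data)) + data


def write_pcap(records, linktype=LINKTYPE_USER0):
    """records: iterable of (ts_sec, ts_usec, bytes) in capture order."""
    blob = bytearray(pcap_global_header(linktype))
    for ts_sec, ts_usec, data in records:
        blob += pcap_record(ts_sec, ts_usec, data)
    return bytes(blob)


def read_pcap(blob):
    """Parse a pcap blob into (linktype, [(ts_sec, ts_usec, data), ...]); rejects truncation."""
    if len(blob) < 24:
        raise ValueError("too short for a pcap header")
    magic, vmaj, vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != PCAP_MAGIC or (vmaj, vmin) != (2, 4):
        raise ValueError("not a little-endian pcap 2.4 file")
    off, records = 24, []
    while off < len(blob):
        if len(blob) - off < 16:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, _orig = struct.unpack_from("<IIII", blob, off)
        off += 16
        data = blob[off:off + incl_len]
        if len(data) != incl_len:
            raise ValueError("truncated record data at offset %d" % off)
        records.append((ts_sec, ts_usec, bytes(data)))
        off += incl_len
    return linktype, records


def is_valid_pcap(blob):
    try:
        read_pcap(blob)
        return True
    except ValueError:
        return False


def save_capture(directory, name, records, frames):
    """Store the PCAP and the call-stack txt side by side under the designated directory."""
    pcap_path = os.path.join(directory, name + ".pcap")
    txt_path = os.path.join(directory, name + ".txt")
    with open(pcap_path, "wb") as f:
        f.write(write_pcap(records))
    with open(txt_path, "w", encoding="utf-8") as f:
        f.write("\n".join(frames) + "\n")
    return pcap_path, txt_path


# Constructed sample: two captured request buffers and the stack frames that sent the first.
SAMPLE_RECORDS = [
    (1700000000, 1500, b"POST /api/v1/telemetry HTTP/1.1\r\nHost: api.example-iot.com\r\n\r\n{\"t\":21.5}"),
    (1700000001, 250, b"GET /api/v1/firmware HTTP/1.1\r\nHost: api.example-iot.com\r\n\r\n"),
]
SAMPLE_FRAMES = ["java.net.HttpURLConnection.connect", "com.example.iotapp.net.Uploader.send"]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        pcap_path, txt_path = save_capture(d, "session-CONSTRUCTED", SAMPLE_RECORDS, SAMPLE_FRAMES)
        with open(pcap_path, "rb") as f:
            linktype, records = read_pcap(f.read())
        print(linktype, len(records), records == SAMPLE_RECORDS)
```

Wireshark opens a file written this way but will not dissect the records as HTTP unless a dissector is assigned to the private link type; if full dissection is wanted, the hook has to capture at a layer where a real IP or Ethernet frame is available.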
It should be noted that, in order to obtain as much network data traffic as possible, the embodiment further includes, before step S3:
executing UI automation script to make the mobile application of the Internet of things generate data traffic; the data traffic includes at least a function call stack and a network data packet.
S4, judging whether the mobile application of the Internet of Things has privacy security risks by comparing the declared use permissions with the actually used permissions and respectively carrying out data analysis on the function call stack and the network data packet according to a preset strategy.
Specifically, in this embodiment, whether the declared use permissions and the actually used permissions of the mobile application of the Internet of Things are the same is compared; if they are not the same, the mobile application is determined to have privacy security risk; otherwise, the function call stack and the network data packets are respectively analysed according to a preset policy, and whether the mobile application has privacy security risk is further determined.
Further, if the declared use permissions and the actually used permissions of the mobile application of the Internet of Things are the same, data analysis is performed respectively on the function call stack and the network data packets according to a preset strategy, and whether the mobile application has privacy security risks is further judged. The embodiment mainly adopts two strategies, statistical analysis and keyword search, aimed at in-depth analysis, from the perspective of the Internet of Things application, of the function call stacks and network data packets obtained by dynamically analysing the mobile application while it runs. The purpose of this analysis is to identify and evaluate the security risks a mobile application may involve at runtime, in particular potential hazards in data transmission and storage. Specifically, as shown in FIG. 9, the method includes the steps of:
S401, constructing an encryption function list based on the Android system API, third-party encryption libraries and keywords;
The keyword search strategy focuses on the use of encryption functions in the program. To implement it, this embodiment constructs a list of encryption functions built from two sources: first, an API list collected from the Android system API and third-party encryption libraries; second, a keyword search. The encryption-related APIs of the Android system and of widely used third-party encryption libraries are searched and classified comprehensively to form an encryption function database, and a deeper search is then made with specific keywords such as 'encrypt' and 'decrypt' to identify function names related to encryption or decryption that may appear in the function call stack while the program runs. In this way the encryption mechanism the application uses when processing user data can be identified and its security evaluated.
The Android system API includes at least javax.crypto and java.security, the third-party encryption libraries include at least Bouncy Castle and Google Tink, and the keywords include at least AES, RSA, SHA, DES, MD5 and Encrypt.
Specifically, javax.crypto provides the classes for encryption and decryption, such as Cipher, EncryptedKey, Mac and SecretKey; java.security provides the security framework and utilities, including classes for cryptographic algorithms such as KeyPairGenerator, MessageDigest and Signature.
Bouncy Castle provides extensive algorithm support, such as AESFastEngine, PaddedBufferedBlockCipher and RSAEngine; Google Tink is the encryption library provided by Google, including Aead, HybridEncrypt and KeysetHandle.
The keywords comprise common cipher-name keywords and general encryption/decryption keywords. The common cipher-name keywords include at least: AES (Advanced Encryption Standard; corresponding classes may include AESEncryption and AESDecryption); RSA (public-key algorithm; related classes may be RSAEncrypt or RSADecrypt); SHA (Secure Hash Algorithms; related functions include SHA256 and SHA1PRNG); DES (Data Encryption Standard; related classes may be DESEncryption and DESDecryption); MD5 (message digest algorithm; corresponding classes may include MD5Checksum).
The general encryption/decryption keywords include at least Encrypt (encryption-related functions such as FileEncrypter and DataEncrypter) and Decrypt (decryption-related functions such as FileDecryptor and DataDecrypt).
S402, searching the function call stack against the encryption function list and judging whether an encryption function is present in the call stack; if one is present, the network data packets are judged to be encrypted;
S403, counting the URLs in the network data packets and judging whether the mobile application of the Internet of things has the risk of sending user data to an insecure or third-party server;
Specifically, the URLs in the network data packets are counted accurately. This shows exactly which URLs the mobile application exchanged data with during actual operation, and from that it is judged whether the application risks sending user data to an insecure or third-party server.
S404, constructing a sensitive information keyword list based on the Android official documentation and the usage documentation of the mobile application of the Internet of things;
Specifically, a keyword list covering sensitive-information fields is compiled from a comprehensive analysis of the Android official documentation and the usage documentation of the mobile application of the Internet of things; see fig. 10.
S405, fuzzy matching and searching the upload content in the network data packets against the sensitive information keyword list, and judging whether the mobile application of the Internet of things has the risk of uploading sensitive information.
Specifically, the complete sensitive information keyword list is used to fuzzy-match and search the upload content in the network data packets, so that sensitive information the application may be uploading is identified effectively.
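The following Python is an added example (written for this page, not the patent's own code) that carries steps S401 to S405 through on constructed data: an encryption function list built from package prefixes and keywords, a search of a saved call-stack dump, URL statistics with a plaintext and third-party check, and fuzzy matching of uploaded field names against a sensitive-information keyword list. The call stack, the HTTP requests, the first-party host set and the keyword subset are all constructed for the example; in the real system they would come from the txt and PCAP files the Frida hooks stored in the database.

```python
"""Steps S401 to S405 on constructed data (added example, not the patent's code).

The call stack, requests, first-party host set and keyword subset below are
all constructed; the real system reads the txt and PCAP files saved by the hooks.
"""
import difflib
import re
from collections import Counter
from urllib.parse import urlsplit

# S401: encryption function list = platform packages + third-party
# libraries + keywords (an illustrative subset of what the text lists).
CRYPTO_PACKAGES = ("javax.crypto.", "java.security.",
                   "org.bouncycastle.", "com.google.crypto.tink.")
CRYPTO_KEYWORDS = ("AES", "RSA", "SHA", "DES", "MD5", "Encrypt", "Decrypt")


def is_crypto_frame(frame: str) -> bool:
    """True when a call-stack frame names a known crypto package or keyword.
    Keyword matching is case-sensitive so that 'DES' does not hit 'Describe'."""
    return frame.startswith(CRYPTO_PACKAGES) or any(k in frame for k in CRYPTO_KEYWORDS)


# Constructed call-stack dump, one frame per line, as the hook would save it.
SAMPLE_STACK = """java.net.HttpURLConnection.getOutputStream
com.example.iotcam.net.Uploader.send
com.example.iotcam.util.DataEncrypter.encrypt
javax.crypto.Cipher.doFinal
com.example.iotcam.Telemetry.collect
"""


def stack_uses_encryption(stack_text: str) -> list:
    """S402: the frames of a saved call stack that hit the encryption list."""
    return [f.strip() for f in stack_text.splitlines() if is_crypto_frame(f.strip())]


# Constructed requests as recovered from the PCAP: (method, URL, body).
SAMPLE_REQUESTS = [
    ("POST", "https://api.iotcam.example/v1/telemetry", "imei=359881234567890&lat=23.13&lng=113.26"),
    ("GET", "https://api.iotcam.example/v1/firmware", ""),
    ("POST", "http://stats.tracker.example/collect",
     "device_id=359881234567890&phoneNumber=%2B8613800000000&passwd=hunter2"),
    ("GET", "https://api.iotcam.example/v1/firmware", ""),
]
FIRST_PARTY_HOSTS = {"api.iotcam.example"}  # assumed from the app's own documentation


def url_statistics(requests, first_party_hosts):
    """S403: count each URL and flag plaintext or third-party destinations."""
    counts = Counter(url for _, url, _ in requests)
    flagged = {}
    for url in counts:
        parts = urlsplit(url)
        reasons = []
        if parts.scheme != "https":
            reasons.append("plaintext")
        if parts.hostname not in first_party_hosts:
            reasons.append("third-party")
        if reasons:
            flagged[url] = reasons
    return counts, flagged


# S404: sensitive-information keyword list (constructed subset; the text
# derives the full list from Android documentation and the app's own docs).
SENSITIVE_KEYWORDS = ("imei", "device_id", "phone_number", "lat", "lng", "password", "ssid")


def _normalise(name: str) -> str:
    """Lower-case and drop separators so that phoneNumber == phone_number."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def sensitive_fields(body: str, cutoff: float = 0.8) -> list:
    """S405: fuzzy-match uploaded field names against the keyword list.
    A field hits when a normalised keyword is a substring of the normalised
    field name, or when the two are close in spelling (difflib ratio >= cutoff,
    which is how 'passwd' is matched to 'password')."""
    hits = []
    for field in re.findall(r"([A-Za-z_][A-Za-z0-9_]*)=", body):
        f = _normalise(field)
        for kw in SENSITIVE_KEYWORDS:
            k = _normalise(kw)
            if k in f or difflib.SequenceMatcher(None, f, k).ratio() >= cutoff:
                hits.append((field, kw))
                break
    return hits


def runtime_risk_report(stack_text, requests, first_party_hosts) -> dict:
    """Combine S402, S403 and S405 into the per-application verdict of step S4."""
    crypto_frames = stack_uses_encryption(stack_text)
    counts, flagged = url_statistics(requests, first_party_hosts)
    leaks = {}
    for _, url, body in requests:
        hits = sensitive_fields(body)
        if hits:
            leaks.setdefault(url, []).extend(hits)
    return {
        "encryption_seen": bool(crypto_frames),
        "crypto_frames": crypto_frames,
        "url_counts": dict(counts),
        "flagged_urls": flagged,
        "sensitive_uploads": leaks,
        "risk": bool(flagged or leaks),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(runtime_risk_report(SAMPLE_STACK, SAMPLE_REQUESTS, FIRST_PARTY_HOSTS), indent=2))
```

One caveat worth carrying into practice: a cryptographic frame in the call stack only shows that the application called an encryption API somewhere on that path, not that the bytes on the wire were encrypted, so the S402 verdict is best confirmed against the captured request itself. In the constructed data the app calls javax.crypto yet still posts the device identifier and phone number over plaintext HTTP to a third-party host, which the S403 and S405 checks catch.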
The dynamic and static combined mobile application privacy security analysis method of this embodiment integrates dynamic and static analysis: the APK and the runtime data of the mobile application are obtained with tools such as Apktool and Frida and stored in a database, giving comprehensive and automated information collection and security detection. This improves detection accuracy and reliability, reduces the false positive and false negative rates, and effectively reduces manual intervention and cost.
Based on the above method, as shown in fig. 11, an embodiment of the invention further provides a dynamic and static combined mobile application privacy security analysis system, comprising:
the decompilation module 1, used to decompile the APK file of the mobile application of the Internet of things with a decompilation tool to obtain the xml files and smali files of the APK;
the static analysis module 2, used to statically analyze the xml files and the smali files respectively to obtain the declared permissions and the actually used permissions of the mobile application of the Internet of things;
the dynamic scanning module 3, used to dynamically acquire, with a Hook framework, the function call stack and the network data packets sent by the mobile application of the Internet of things while it runs;
and the risk assessment module 4, used to judge whether the mobile application of the Internet of things has a privacy security risk by comparing the declared permissions with the actually used permissions and by analyzing the function call stack and the network data packets according to a preset policy.
In one embodiment, in order to obtain as much network data traffic as possible, the system further comprises:
the automatic data generation module, used to make the mobile application of the Internet of things generate data traffic by executing a UI automation script; the data traffic includes at least a function call stack and network data packets.
It should be noted that each module of the dynamic and static combined mobile application privacy security analysis system may be implemented wholly or partly in software, hardware or a combination of the two. The modules may be embedded in hardware, be independent of the processor of the computer device, or be stored as software in the memory of the computer device so that the processor can call them and execute the corresponding operations. For the specific limitations of the system, refer to the limitations of the method above; the two have the same functions and roles and are not repeated here.
Because the system functions are implemented as Python scripts, they do not by themselves offer a friendly user interface. A corresponding UI was therefore developed to expose the system functions; in a specific embodiment the UI design follows the principles of brevity and clarity and integrates the detection functions of the system.
Tkinter is the standard GUI library of Python and can be used to develop desktop applications. With Tkinter a GUI is created conveniently: basic components such as buttons, text boxes, menus and progress bars are provided and can be combined into a complete application. Window creation, layout, event handling and so on are implemented by calling the relevant component classes and methods.
Python multithreading is also used in the UI. It lets several tasks of the application run concurrently; in Python, threads are created and managed with the threading library. By creating several threads, different tasks of one Python program run at the same time, which improves the efficiency and responsiveness of the program. This embodiment combines multithreading with Tkinter so that the GUI application has better performance and response speed: for example, time-consuming operations such as static analysis and dynamic scanning run in separate threads so that the main (UI) thread is not blocked.
Specifically, the UI, as shown in fig. 12, includes the following buttons:
Select file: selects the application APK file that will be the object of the subsequent analysis;
Permission extraction: clicking this button triggers the permission extraction script (static analysis), and the extracted permission information is displayed in the scan result text box;
Dynamic scan: after this button is clicked, the program installs the APK file selected by the user onto the designated device with the adb tool. After installation, in order to intercept all of the app's network traffic, the tool first starts the UI automation script; the automated test begins once the app is running, and its duration is determined by the clickable events available after the app starts;
Data processing: the data collected during the dynamic scan is stored in the database; clicking this button analyzes and counts that data and displays the result in the scan result text box. The results of clicking the above buttons are shown in fig. 13.
The dynamic and static combined mobile application privacy security analysis system is simple to operate: after a simple environment configuration, the operator runs detection through a simple UI (user interface). The system is developed in Python modules, so different modules can be developed for different functions and finally deployed together, which allows customized development. The system is readily extensible and adapts to different environments and scales: for example, the project is multi-threaded, so if large-scale data analysis is required, threads are simply added on top of the original framework. The system is efficient and stable and can meet large-scale, high-concurrency detection requirements; it uses multithreading and asynchronous task processing to optimize operating efficiency and reduce response time.
The embodiment of the invention also provides a terminal device, which comprises:
a processor, a memory, and a bus;
the bus is used for connecting the processor and the memory;
the memory is used for storing operation instructions;
the processor is configured to, by invoking the operation instruction, cause the processor to execute an operation corresponding to the dynamic and static combined mobile application privacy security analysis method according to the present application.
In an alternative embodiment, there is provided a terminal device, as shown in fig. 14, the terminal device 5000 shown in fig. 14 includes: a processor 5001 and a memory 5003. The processor 5001 is coupled to the memory 5003, e.g., via bus 5002. Optionally, the terminal device 5000 may also include a transceiver 5004. It should be noted that, in practical applications, the transceiver 5004 is not limited to one, and the structure of the terminal device 5000 is not limited to the embodiment of the present invention.
The processor 5001 may be a CPU, general purpose processor, DSP, ASIC, FPGA or other programmable logic device, transistor logic device, hardware component, or any combination thereof. It may implement or perform the various exemplary logic blocks, modules and circuits described in connection with this disclosure. The processor 5001 may also be a combination of computing functions, e.g., one or more microprocessors, a combination of a DSP and a microprocessor, etc.
Bus 5002 may include a path to transfer information between the aforementioned components. Bus 5002 may be a PCI bus or an EISA bus, among others. The bus 5002 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration only one thick line is shown in fig. 14, but this does not mean that there is only one bus or one type of bus.
The memory 5003 may be, but is not limited to, ROM or other type of static storage device, RAM or other type of dynamic storage device, which can store static information and instructions, EEPROM, CD-ROM or other optical disk storage, optical disk storage (including compact disk, laser disk, optical disk, digital versatile disk, blu-ray disc, etc.), magnetic disk storage or other magnetic storage devices, or any other medium capable of carrying or storing desired program code in the form of instructions or data structures and capable of being accessed by a computer.
The memory 5003 is used for storing application program codes for executing the aspects of the present application and is controlled by the processor 5001 for execution. The processor 5001 is operative to execute application code stored in the memory 5003 to implement what has been shown in any of the method embodiments described previously.
Wherein the terminal device includes, but is not limited to: mobile terminals such as mobile phones, notebook computers, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable multimedia players), in-vehicle terminals (e.g., in-vehicle navigation terminals), and the like, and stationary terminals such as digital TVs, desktop computers, and the like.
In summary, the dynamic and static combined mobile application privacy security analysis method, system and equipment provided by the embodiments of the invention integrate dynamic and static analysis: the APK and the runtime data of the mobile application are obtained with tools such as Apktool and Frida and stored in a database, giving comprehensive and automated information collection and security detection, which improves detection accuracy and reliability, reduces the false positive and false negative rates, and effectively reduces manual intervention and cost. The system is simple to operate: after a simple environment configuration, the operator runs detection through a simple UI (user interface). The system is developed in Python modules, so different modules can be developed for different functions and finally deployed together, which allows customized development. The system is readily extensible and adapts to different environments and scales: for example, the project is multi-threaded, so if large-scale data analysis is required, threads are simply added on top of the original framework. The system is efficient and stable and can meet large-scale, high-concurrency detection requirements; it uses multithreading and asynchronous task processing to optimize operating efficiency and reduce response time.
In this specification each embodiment is described progressively; the same or similar parts of the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, since the system embodiments are substantially similar to the method embodiments, they are described briefly, and the relevant points may be found in the description of the method embodiments. Any combination of the technical features of the foregoing embodiments may be used; for brevity, not all possible combinations are described, but as long as there is no contradiction between them, they should be considered within the scope of this description.
The foregoing is merely a preferred embodiment of the present invention, and it should be noted that modifications and substitutions can be made by those skilled in the art without departing from the technical principles of the present invention, and these modifications and substitutions should also be considered as being within the scope of the present invention.

Claims (10)

1. A dynamic and static combined mobile application privacy security analysis method is characterized by comprising the following steps:
decompiling an APK file of the mobile application of the Internet of things by using a decompiling tool to obtain an xml file and a smali file of the APK file;
respectively carrying out static analysis on the xml file and the smali file to obtain declaration use permission and actual use permission of the mobile application of the Internet of things;
dynamically acquiring a function call stack and a network data packet sent by the mobile application of the Internet of things during operation by using a Hook framework;
and comparing the declaration use authority with the actual use authority, and respectively carrying out data analysis on the function call stack and the network data packet according to a preset strategy to judge whether the mobile application of the Internet of things has privacy security risks.
2. The mobile application privacy security analysis method of claim 1, further comprising, prior to dynamically acquiring, using a Hook framework, the function call stack and the network data packet sent by the mobile application of the Internet of things during runtime:
executing a UI automation script to enable the mobile application of the Internet of things to generate data traffic; the data traffic includes at least a function call stack and a network data packet.
3. The method for privacy security analysis of mobile applications according to claim 1, wherein decompiling an APK file of a mobile application of the Internet of things by using a decompiling tool to obtain an xml file and a smali file of the APK file comprises:
decompiling the APK file of the mobile application of the Internet of things by adopting Apktool to obtain an xml file and a smali file of the APK file.
4. The method for analyzing privacy security of mobile application according to claim 1, wherein obtaining the declaration use right and the actual use right of the mobile application of the Internet of things by respectively performing static analysis on the xml file and the smali file includes:
acquiring the declared application rights of the xml file and the smali code of the smali file;
constructing a mapping list between the smali code and the declared application rights;
and traversing the mapping list according to the smali code to obtain the actual use permission of the mobile application of the Internet of things.
5. The mobile application privacy security analysis method according to claim 1, wherein the dynamically acquiring, using a Hook framework, a function call stack and a network data packet sent by the mobile application of the internet of things during running comprises:
dynamically acquiring a function call stack and a network data packet sent by the mobile application of the Internet of things during operation by adopting a Frida framework;
and saving the function call stack in a text file in txt format and the network data packet in the form of a PCAP data packet for storage in a database.
6. The method of claim 1, wherein determining whether the privacy security risk exists in the mobile application of the internet of things by comparing the declaration usage right with the actual usage right and performing data analysis on the function call stack and the network data packet according to a preset policy, respectively, comprises:
comparing whether the declaration use permission and the actual use permission of the mobile application of the Internet of things are the same; if not, judging that the mobile application of the Internet of things has a privacy security risk; otherwise, respectively carrying out data analysis on the function call stack and the network data packet according to a preset strategy, and continuing to judge whether the mobile application of the Internet of things has a privacy security risk.
7. The method for analyzing privacy security of mobile application according to claim 6, wherein the data analysis is performed on the function call stack and the network data packet according to a preset policy, and further determining whether the privacy security risk exists in the mobile application of the internet of things comprises:
constructing an encryption function list based on an API of the Android system, a third party encryption library and keywords; the Android system API at least comprises javax.crypto and java.security, the third party encryption library at least comprises Bouncy Castle and Google Tink, and the keywords at least comprise AES, RSA, SHA, DES, MD5 and Encrypt;
searching the function call stack according to the encryption function list, judging whether the function call stack has an encryption function, and if so, judging that the network data packet is encrypted;
counting the URL in the network data packet, and judging whether the mobile application of the Internet of things has the risk of sending user data to an unsafe or third-party server or not;
based on Android official documents and usage documents of the mobile application of the Internet of things, constructing a sensitive information keyword list;
and carrying out fuzzy matching and searching on the uploading content in the network data packet according to the sensitive information keyword list, and judging whether the mobile application of the Internet of things has the risk of uploading the sensitive information.
8. A mobile application privacy security analysis system with dynamic and static combination, comprising:
the decompilation module is used for decompiling the APK file of the mobile application of the Internet of things by using a decompilation tool to obtain an xml file and a smali file of the APK file;
the static analysis module is used for respectively carrying out static analysis on the xml file and the smali file to obtain declaration use permission and actual use permission of the mobile application of the Internet of things;
the dynamic scanning module is used for dynamically acquiring a function call stack and a network data packet which are sent when the mobile application of the Internet of things runs by using a Hook framework;
and the risk assessment module is used for judging whether the mobile application of the Internet of things has privacy security risk or not by comparing the declaration use authority with the actual use authority and respectively carrying out data analysis on the function call stack and the network data packet according to a preset strategy.
9. The mobile application privacy security analysis system of claim 8, further comprising:
the data automatic generation module is used for enabling the mobile application of the Internet of things to generate data traffic by executing a UI automation script; the data traffic includes at least a function call stack and a network data packet.
10. A terminal device comprising a processor, a memory and a computer program stored in the memory and configured to be executed by the processor, the processor implementing the mobile application privacy security analysis method according to any of claims 1 to 7 when the computer program is executed.
CN202311722858.4A 2023-12-14 2023-12-14 Dynamic and static combined mobile application privacy security analysis method, system and equipment Pending CN117610021A (en)


Publications (1)

Publication Number Publication Date
CN117610021A (en) 2024-02-27

Family ID: 89946243



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination