JP5865180B2 - Portable communication terminal, data communication detection device, data communication detection method, and program - Google Patents

Description

  The present invention relates to a mobile communication terminal, a data communication detection device, a data communication detection method, and a program for detecting data communication that may lead to external leakage of data.

  In recent years, smartphones such as iPhone (registered trademark) and Android (registered trademark) mobile phones are rapidly spreading. Smartphones can be equipped with various functions by installing various applications (hereinafter referred to as “apps” for simplification), and convenience is improved. Therefore, the user freely selects and installs an application from among many provided applications. However, among the provided apps, there are unauthorized apps that appear to be popular apps, which have been increasing in recent years. When a user installs and executes an unauthorized application, privacy data (terminal information, phone book, location information, etc.) stored in the smartphone leaks outside without the user's permission.

  Therefore, for example, Android mobile phones execute different applications on independent Linux (registered trademark) processes based on the concept of sandbox (see, for example, Non-Patent Document 1). Here, the sandbox is a security model that prevents an adverse effect from being exerted outside the area by operating the program within the protected area. Specifically, since the program to be executed enters a protected area and operates without being able to manipulate programs and data outside the area, even if the program runs away or attempts to run a virus, The program and data cannot be affected.

  Therefore, when it is necessary to access a program or data outside the area, it is necessary to declare the authority necessary for the access in the program and obtain permission from the user to add the declared authority. As a result, the privacy data stored in the smartphone can be prevented from being leaked outside by unauthorized users without the permission of the user.

  On the other hand, the app should not be accessed as a system for finding an unauthorized app from the apps provided by the provider providing the app or for determining whether the app installed by the user is an unauthorized app A system that determines whether a target application is an unauthorized application based on a rule that sets a program or data area and a log that records the behavior of the application is proposed (for example, see Patent Document 1).

JP 2012-008777 A

http: // developer. android. com / guide / topics / security / security. html [Search May 17, 2012]

  However, if application sandboxing is strictly performed, cooperation between applications cannot be performed, which causes inconvenience to users. Therefore, for example, in order to use the phone book data stored in the smartphone with a Web browser, a mail client having the authority to access the phone book data stored in the smartphone can store the phone book data in the browser. Allow communication between sandboxed apps, such as allow communication to pass. Therefore, even if the application is sandboxed, if it is allowed to cooperate with another application for the convenience of the user, an unauthorized application will acquire privacy data through cooperation with the other application and leak it to the outside There was a problem that could not be prevented.

  Further, in the system described in Patent Document 1, an unauthorized application is linked with an application that has the authority to access a data area and a program that should not be accessed, which is set in a rule, through the above-described cooperation between applications. It is not possible to detect unauthorized programs that indirectly access programs or data areas that should not be accessed set in the rules. Therefore, there has been a problem in that it is not possible to prevent external leakage of privacy data by an unauthorized application that acquires privacy data stored in a smartphone in cooperation with another application.

  Therefore, the present invention has been made in view of the above-described problems, and based on a log that records the operation of an application in order to prevent external leakage of data stored in a mobile communication terminal such as privacy data, An object of the present invention is to provide a mobile communication terminal, a data communication detection device, a data communication detection method, and a program for detecting data communication that may lead to external leakage of data.

  The present invention proposes the following items in order to solve the above-described problems. In addition, in order to make an understanding easy, although the code | symbol corresponding to embodiment of this invention is attached | subjected and demonstrated, it is not limited to this.

(1) The present invention is a portable communication terminal that detects data communication having an application and an operating system necessary for the operation of the application, and that may lead to external leakage of data in the application, Log storage means (for example, equivalent to the log storage unit 630 in FIG. 1) generated by an installed application and storing an operation log indicating the operation of the application, and a system call log for performing data communication between applications And an operation log related to the use of global variables in the application and connection to hardware connected to the mobile communication terminal, which indicates data communication in the application, in the operation log stored in the log storage unit Depending on whether it is included or not, Proposed is a portable communication terminal characterized by comprising detection means (for example, equivalent to the detection unit 640 in FIG. 1) for detecting the presence or absence of data communication that may lead to external leakage of data.

According to this invention, the log storage means stores an operation log generated by an application already installed in the mobile communication terminal and indicating the operation of the application. The detection means is a system call log for performing data communication between applications, and the use of global variables in the application, indicating data communication in the application, and connection to hardware connected to the mobile communication terminal. operation log, depending on whether included in the operation log stored in the log storage unit, for detecting the presence or absence of the data communication with the potential to lead to the outside leakage of data. Therefore, data communication that may lead to external leakage of data stored in mobile communication terminals depending on the presence or absence of system call logs for data communication between applications and the presence or absence of logs related to data communication within applications. Can be detected. As a result, it is possible to limit the range for performing detailed analysis, to accurately track the flow of data in the application, to reduce the cost for analysis, and to improve the accuracy of verification. Further, for applications in which neither data communication between applications nor data communication within applications is detected, it can be proved that no external leakage of data has occurred.

(2) The present invention relates to the source code of the application when the detection means detects the presence or absence of data communication that may lead to external leakage of the data in the portable communication terminal of (1). First analysis means (e.g., corresponding to the analysis unit 650 in FIG. 10) that performs at least one of dynamic analysis or static analysis at a location where a global variable is used or a location related to connection to the hardware is provided. The mobile communication terminal characterized by this is proposed.

According to the present invention, when the detection means detects the presence or absence of data communication that may lead to external leakage of data, the connection to the location where the global variable is used or the hardware of the application source code At least one of a dynamic analysis or a static analysis is applied to the location. Therefore, in the source code of the application, time and labor can be reduced by analyzing the location that may lead to external leakage of data stored in the mobile communication terminal, including the location related to data communication within the application. Thus, it is possible to specify an application that leaks data to the outside with higher accuracy.

(3) The present invention relates to the source of the application when the detection means detects the presence or absence of data communication that may lead to external leakage of the data in the portable communication terminal of (1) or (2). The code includes second analysis means (for example, corresponding to the analysis unit 650 in FIG. 10) that performs at least one of dynamic analysis and static analysis at a location where the system call log is output. A mobile communication terminal is proposed.

According to the present invention, when the detection unit detects the presence or absence of data communication that may lead to external leakage of data, the analysis unit moves the application source code to the location where the system call log is output. At least one of static analysis or static analysis. Therefore, in the application source code, by analyzing only the locations that may lead to external leakage of data stored in the mobile communication terminal, it is possible to reduce the time and effort and identify the application that leaks data externally. can do.

(4) In the present invention, for the mobile communication terminals of (1) to (3) , data communication between the applications includes data communication using a process, communication using a file system, and communication using a resource. The mobile communication terminal characterized by this is proposed.

According to the present invention, data communication between applications includes data communication using a process, communication using a file system, and communication using resources.

(5) The present invention proposes a mobile communication terminal in which the operating system is an Android (registered trademark) OS for the mobile communication terminals of (1) to (4).

According to the present invention , Android (registered trademark) OS can be used as the operating system of the mobile communication terminal.

(6) The present invention is a data communication detection terminal that detects data communication that may lead to external leakage of data in an application, and provides an execution environment providing unit (for example, FIG. 11) that provides an execution environment of the application. Emulator unit 660), log storage means (for example, corresponding to log storage unit 630 in FIG. 11) generated by an application executed by the execution environment providing unit and storing an operation log indicating the operation of the application; , System call logs for data communication between applications, and use of global variables in the application, indicating data communication in the application, and connection to hardware connected to the data communication detection terminal The operation log is stored in the log storage means. Detecting means (for example, equivalent to the detecting unit 640 in FIG. 11) for detecting the presence or absence of data communication that may lead to external leakage of the data depending on whether it is included in the operation log. It proposes a data communication detection terminal .

According to the present invention, the execution environment providing means provides an application execution environment. The log storage means stores an operation log generated by the application executed by the execution environment providing means and indicating the operation of the application. The detection means is a system call log for data communication between applications, and the use of global variables in the application, indicating the data communication in the application, and the connection to the hardware connected to the data communication detection terminal. The presence / absence of data communication that may lead to external leakage of data is detected depending on whether or not the operation log related to is included in the operation log stored in the log storage unit. Therefore, there is a possibility of acquiring the operation log of the application without executing the application on the mobile communication terminal and leading to external leakage of data stored in the mobile communication terminal when the application is executed on the mobile communication terminal. There can be detected data communication. By performing pre-verification using a data communication detection device, it is not an application that leaks data stored in a mobile communication terminal to an application that detects neither data communication between applications nor data communication within an application. Can be guaranteed at the time of distribution.

(7) In the data communication detection terminal of (6), when the detection unit detects the presence or absence of data communication that may lead to external leakage of the data, the source code of the application Proposing a data communication detection terminal comprising first analysis means for performing at least one of dynamic analysis or static analysis at a location where the global variable is used or a location related to connection to the hardware doing.

According to the present invention, when the detection means detects the presence or absence of data communication that may lead to external leakage of data, the connection to the location where the global variable is used or the hardware of the application source code An analysis means for performing at least one of dynamic analysis or static analysis is provided at a location related to. Therefore, in the data communication detection terminal, in the source code of the application, analyze the location that may lead to external leakage of data stored in the mobile communication terminal, including the location related to data communication within the application. Thus, it is possible to specify an application that reduces the time and labor and leaks data to the outside more accurately.

(8) The present invention relates to the data communication detection terminal of (6) or (7), when the detection means detects the presence or absence of data communication that may lead to external leakage of the data. A data communication detecting terminal is proposed, characterized in that the source code is provided with second analysis means for performing at least one of dynamic analysis and static analysis at a location where the system call log is output .

According to the present invention, when the detection means detects the presence or absence of data communication that may lead to external leakage of data, the application source code is dynamically analyzed or statically output at the location where the system call log is output. Analyzing means for performing at least one of statistical analysis is provided. Therefore, in the data communication detection terminal, time and labor can be reduced by analyzing only the portion of the application source code that may lead to external leakage of data stored in the mobile communication terminal. Can be identified.

(9) The present invention relates to the data communication detection terminal according to (6) to (8), wherein the data communication between the applications includes data communication using a process, communication using a file system, and communication using a resource. The data communication detection terminal characterized by including is proposed.

According to the present invention, data communication between applications includes data communication using a process, communication using a file system, and communication using resources.

(10) The present invention proposes a data communication detection terminal according to (6) to (9), wherein the execution environment of the application has a function of an Android (registered trademark) OS. ing.

According to the present invention, the application execution environment has the function of the Android (registered trademark) OS.

(11) In the present invention, data communication detection in a portable communication terminal that detects data communication that has the possibility of leading to external leakage of data in the application, in which an application and an operating system necessary for the operation of the application have been introduced The mobile communication terminal includes a log storage unit that stores an operation log generated by an installed application and indicates an operation of the application, and a detection unit, and the detection unit is A first step (for example, corresponding to step S1 in FIG. 3) for acquiring an operation log, and a system call for the detection means to perform data communication between applications on the operation log acquired in the first step. Log and data communication within the application 2nd step (for example, step of FIG. 3) which judges whether the operation log regarding the use of the global variable in the said application and the connection to the hardware connected to the said mobile communication terminal is included. Equivalent to S2)
In the operation log acquired in the first step, the detection unit uses a system call log for performing data communication between applications, and uses of global variables in the application indicating data communication in the application. When an operation log related to connection to hardware connected to the mobile communication terminal is included, it is detected that there is data communication that may lead to external leakage of the data, while the first step System call log for performing data communication between applications and the use of global variables in the application and the hardware connected to the mobile communication terminal indicating the data communication within the application If the operation log related to Proposed a data communication detection method characterized by comprising a third step of detecting that there is no data communication with the potential to lead to other external leakage (e.g., corresponding to steps S3, S4 of FIG. 3) and, the doing.

According to this invention, first, in the first step, the detection means acquires an operation log from the log storage means. Next, in the second step, in the application, the detection means indicates the system call log for performing data communication between applications and the data communication in the application in the operation log acquired in the first step. It is determined whether or not an operation log related to the use of the global variable and the connection to the hardware connected to the mobile communication terminal is included. Next, in the third step, in the application, the detection means indicates the system call log for performing data communication between applications and the data communication in the application in the operation log acquired in the first step. If there is an operation log related to the use of global variables or connection to hardware connected to a mobile communication terminal, it is detected that there is data communication that may lead to external leakage of data, The operation log acquired in step 1 is connected to the system call log for performing data communication between applications and the use of global variables in the application and the mobile communication terminal indicating the data communication in the application. If the operation log related to the connection to the hardware is not included, Data communication with the potential to lead to parts leak detects that there is no. Therefore, data communication that may lead to external leakage of data stored in mobile communication terminals depending on the presence or absence of system call logs for data communication between applications and the presence or absence of logs related to data communication within applications. Can be detected. As a result, it is possible to limit the range for performing detailed analysis, to accurately track the flow of data in the application, to reduce the cost for analysis, and to improve the accuracy of verification. Further, for applications in which neither data communication between applications nor data communication within applications is detected, it can be proved that no external leakage of data has occurred.

(12) The present invention provides a data communication detection method in a data communication detection device that detects data communication that may lead to external leakage of data in an application, wherein the data communication detection device sets an execution environment of the application. An execution environment providing means to provide, a log storage means for storing an operation log generated by an application executed by the execution environment providing means and indicating an operation of the application, and a detection means, and the detection means includes the log storage A first step of acquiring an operation log from the means (for example, corresponding to step S1 in FIG. 3), and the detection means for performing data communication between applications to the operation log acquired in the first step The system call log and the application that shows data communication within the application A second step (for example, corresponding to step S2 in FIG. 3) for determining whether or not an operation log related to the use of global variables in the application and the connection to the hardware connected to the data communication detection device is included. ) And a global variable in the application indicating the system call log for performing data communication between applications and the data communication in the application in the operation log acquired in the first step. , And the presence of an operation log related to the connection to the hardware connected to the data communication detection device, it detects that there is data communication that may lead to external leakage of the data, System for performing data communication between applications to the operation log acquired in the first step Log, and the operation log related to the use of global variables in the application and the connection to the hardware connected to the data communication detection device indicating the data communication in the application are not included. Proposing a data communication detection method characterized by including a third step (for example, equivalent to steps S3 and S4 in FIG. 3) for detecting that there is no data communication that may lead to external leakage of data doing.

According to this invention, first, in the first step, the detection means acquires an operation log from the log storage means. Next, in the second step, in the application, the detection means indicates the system call log for performing data communication between applications and the data communication in the application in the operation log acquired in the first step. It is determined whether or not an operation log related to the use of the global variable and the connection to the hardware connected to the data communication detection device is included. Next, in the third step, in the application, the detection means indicates the system call log for performing data communication between applications and the data communication in the application in the operation log acquired in the first step. When there is an operation log related to the use of global variables and connection to hardware connected to a data communication detection device, it detects that there is data communication that may lead to external leakage of data, The operation log acquired in the first step is connected to the system call log for performing data communication between applications and the use of global variables in the application and the data communication detection device indicating the data communication in the application. If the operation log related to the connected hardware is not included Detects that there is no data communication with the potential to lead to the outside leakage of data. Therefore, there is a possibility of acquiring the operation log of the application without executing the application on the mobile communication terminal and leading to external leakage of data stored in the mobile communication terminal when the application is executed on the mobile communication terminal. There can be detected data communication. As a result, by using the data communication detection device, it is possible to perform prior verification as to whether or not the application is an application that externally leaks data stored in the mobile communication terminal before distributing the application to the user. Further, for applications in which neither data communication between applications nor data communication within applications is detected, it can be proved that no external leakage of data has occurred.

(13) The present invention proposes a program for causing a computer to execute the data communication detection method according to (11) or (12) .

According to the present invention, the data communication detection method can be provided as a program for causing a computer to execute the data communication detection method.

  According to the present invention, depending on whether or not the log of system calls for performing data communication between applications is included in the log recording the operation of the application, it leads to external leakage of data stored in the mobile communication terminal. Possible data communication can be detected. As a result, it is possible to limit the range in which detailed analysis is performed, thereby reducing the cost for analysis and improving the accuracy of verification. In addition, it is possible to identify an application that detects data communication that may lead to external leakage of data stored in the mobile communication terminal by using a data communication detection device that can operate the application of the mobile communication terminal.

It is a figure which shows the function structure of the portable communication terminal which concerns on the 1st Embodiment of this invention. It is a figure which shows the data communication between the applications of a general portable communication terminal. It is a figure which shows the data communication detection process flow in the portable communication terminal which concerns on the 1st Embodiment of this invention. It is a function name list which shows data communication between applications in the case of using an intent in an Android application. 5 is a list of function names indicating inter-application data communication when using a service in an Android application. It is a function name list which shows data communication between applications in the case of using file operation in an Android application. It is a function name list which shows data communication between applications in the case of using a database in an Android application. It is a function name list which shows data communication between applications in the case of using an application for Android. It is a function name list which shows the data communication between applications in the case of using an external server in an Android application. It is a figure which shows the function structure of the mobile communication terminal which concerns on the 2nd Embodiment of this invention. It is a figure which shows the function structure of the data communication detection apparatus which concerns on the 3rd Embodiment of this invention.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. In addition, the component in this embodiment can have various variations including combinations with existing components as appropriate. Therefore, the content of the invention described in the scope of claims is not limited by the description of the present embodiment.

<First Embodiment>
<Functional configuration of mobile communication terminal>
FIG. 1 is a diagram showing a functional configuration of a mobile communication terminal 10 according to the first embodiment of the present invention. In the present embodiment, it is possible to detect data communication that may lead to external leakage using an operation log generated by an application (hereinafter referred to as an application) executed on the mobile communication terminal 10. As shown in FIG. 1, the mobile communication terminal 10 includes a keyboard and mouse, an input unit 100 that receives input from a user, an output unit 200 that is a display and a speaker and outputs a screen and audio, and other devices and a network. A communication unit 300, an operating system (OS) 400, a program storage unit 500, a CPU 600, an application 610, a log generation unit 620, a log storage unit 630, and a detection unit 640.

  Note that the programs of the OS 400, the application 610, the log generation unit 620, the log storage unit 630, and the detection unit 640 are stored in the program storage unit 500, and the programs stored in the program storage unit 500 are read into the CPU 600. As a result, each unit is activated.

  The OS 400 provides functions necessary for the execution of the application 610 such as control of the input unit 100 and output unit 200 and disk and memory management, and manages the mobile communication terminal 10. An example of the OS 400 is Android OS.

  The application 610 is downloaded to the mobile communication terminal 10 via a network or the like and is installed in the mobile communication terminal 10 to provide various functions to the mobile communication terminal 10. The application 610 calls an API (Application Program Interface) for the OS 400 (system call), receives an execution result from the OS 400, and the like. Thereby, the application 610 executes various specified processes. Although only one application 610 is shown in the mobile communication terminal 10 in FIG.

  When the application 610 is executed, the log generation unit 620 generates an operation log that records the operation of the application. In the generated operation log, at least a log related to API call related to data communication is recorded. For example, a function name of a function included in an API related to data communication is recorded as a log related to API call related to data communication.

  Further, the operation log may include a log related to the use of global variables in the application and a log related to connection to hardware connected to the mobile communication terminal 10. As a log related to the use of global variables in the application, for example, the function executed in the application 610 and the declaration of the used variable are recorded, and the declaration includes the function and variable qualifier, the function name and the variable name. And are included. In addition, as a log relating to connection to hardware, for example, a function name of a function implemented by a native code executed by an application is recorded.

  The log storage unit 630 stores the operation log generated by the log generation unit 620. The stored operation log is desirably deleted when the detection unit 640 finishes detecting the presence or absence of data communication.

  The detection unit 640 determines whether or not the operation log stored in the log storage unit 630 includes a log related to an API call related to data communication, specifically, a function name of a function included in the API related to data communication. Detects data communication between apps. By detecting the presence / absence of data communication between applications, it is possible to detect the presence / absence of data communication that may lead to external leakage of data. In the output unit 200, the detection unit 640 outputs the presence or absence of data communication that may lead to external leakage of data. When the detection unit 640 detects the presence or absence of data communication between applications, the function name of the function included in the API related to data communication included in the operation log stored in the log storage unit 630 is output to the output unit 200. May be output.

  In addition, the detection unit 640 includes, in the operation log stored in the log storage unit 630, a log related to the use of global variables in the application and a log related to connection to hardware connected to the mobile communication terminal 10. Detects the presence or absence of in-app data communication based on whether it contains a function name or variable name with a global modifier, or a function name of a function implemented in native code. . In-app data communication does not directly lead to external leakage of data, so it alone does not pose a fatal threat. However, in order to detect leakage of actual privacy data, it is necessary to accurately track the information flow within the application, so it is desirable to detect this data communication.

  In the output unit 200, the detection unit 640 outputs the presence or absence of data communication that may lead to external leakage of data. When the detection unit 640 detects the presence or absence of data communication between applications, the function name of the function included in the API related to data communication included in the operation log stored in the log storage unit 630 is output to the output unit 200. Function name or variable name with a qualifier indicating globality included in the operation log stored in the log storage unit 630, or a function of a function implemented in native code The name may be output by the output unit 200.

  Here, data communication between applications and data communication within an application will be described in detail with reference to FIG. FIG. 2 is a diagram illustrating data communication between applications of a general mobile communication terminal. Apps A and B installed on the mobile communication terminal are each sandboxed. Activities 1 and 3 indicate constituent elements of the app A, and an activity 2 indicates constituent elements of the app B. There are three types of data communication between applications of a mobile communication terminal: a method 810 using inter-process communication, a method 820 using a file system, and a method 830 using resources.

  First, a method 810 using inter-process communication is a method in which data is exchanged between a plurality of applications using an inter-application cooperation function provided from the OS 400. The presence or absence of an API for using the inter-application cooperation function, that is, the method included in the API for using the inter-application cooperation function is stored in the log storage unit 630. It can be confirmed by whether or not it is included in the stored log.

  Next, a method 820 using a file system is a method of exchanging data between a plurality of applications via a database and a file for setting management of applications in addition to a general file. The presence / absence of data communication between applications using this method is stored in the log storage unit 630 as to whether or not there is an API for writing to and reading from a file, that is, a method included in an API for writing to and reading from a file. It can be confirmed by whether it is included in the log.

  Finally, the resource-based method 830 is a method for exchanging data between a plurality of applications by accessing the resources of other applications beyond the boundary of the sandbox. The presence / absence of data communication between applications using this method is based on the presence / absence of an API for operating a resource, that is, a log stored in the log storage unit 630 by a method included in the API for operating a resource. It can be confirmed by whether or not it is included. Note that data communication between applications using this method requires access by the user because it accesses beyond the boundary of the sandbox.

  In-app data communication 840 is data communication between activities constituting the app, and is realized by a global variable in the function, a function implemented by a native code, or the like. For this reason, the data communication 840 in the application is implemented by a function or variable having a function or variable identifier or a function implemented with native code, that is, a function or variable to which a modifier indicating global is added, or by native code. It can be confirmed by whether or not the function name of the function is included in the log stored in the log storage unit 630.

<Data communication detection processing flow>
FIG. 3 is a diagram showing a data communication detection process flow in the mobile communication terminal according to the present embodiment.

  First, in step S <b> 1, the detection unit 640 acquires an operation log from the log storage unit 630.

  Next, in step S <b> 2, the detection unit 640 detects the presence / absence of data communication between applications depending on whether or not the operation log acquired in step S <b> 1 includes a log related to API call related to data communication. If it is determined that a log related to API call related to data communication is included, the process proceeds to step S3. On the other hand, if it is determined that the log related to the API call related to data communication is not included, the process proceeds to step S4.

  Next, in step S3, if the detection unit 640 determines in step S2 that a log related to API call related to data communication is included, the detection unit 640 outputs to the output unit 200 that data communication between applications is detected. .

  Next, in step S4, if the detection unit 640 determines in step S2 that the log related to the API call related to data communication is not included, the detection unit 640 notifies the output unit 200 that data communication between applications has not been detected. Output.

<Example>
1 is an Android OS, and the application 610 is an Android application that runs on the Android OS. As an example, an API related to data communication, which is a determination element for the presence or absence of data communication between applications in the Android application. Indicates the function name of the function included in. It also shows the qualifiers for variables and functions that are factors that determine the presence or absence of data communication within the app.

  In the Android application, an inter-process data communication method 810 between applications is classified into a case where an intent is used and a case where a service is used. The presence or absence of data communication between applications when using an intent can be verified by checking whether the function name shown in FIG. 4 is included in the operation log. Similarly, when a service is used, it can be verified by whether or not the function name shown in FIG. 5 is included in the operation log.

  In the Android application, a method 820 that uses a file system of a data communication method between applications is classified into three cases: a file operation, a database (SQL Lite), and a preference. The presence / absence of data communication between applications when using a file operation can be verified by checking whether the function name shown in FIG. 6 is included in the operation log. Similarly, the function name shown in FIG. 7 can be verified when the database (SQL Lite) is used, and the function name shown in FIG. 8 can be verified when the preference is used.

  In the Android application, the method 830 using the resource of the data communication method between applications is classified into two cases, that is, the case of using a file operation and the case of using an external server. The case of using an external server can be verified by checking whether or not the function name shown in FIG. 9 is included in the operation log. Note that when file operation is used, permission of permission by the user is required when writing data to an external storage (such as an SD card), so the inter-process communication method 810 and the file system method 820 described above. The function names included in both cases are included in FIGS. 4 to 8 when the file operation is used.

  Next, in the Android application, data communication within the application includes communication using the Application class, communication using the Singleton class, communication using a static field, and communication using a native method.

  In the case of communication using the Application class, the presence / absence of data communication within the application can be verified by whether or not the function “android.app.Activity.getApplication” is included in the operation log.

  In the case of communication using the Singleton class, the presence / absence of data communication within the application is determined based on the call log of the Singleton class field and the call log of the Singleton class function, specifically, the field name and function name of the Singleton class. It can be verified by whether it is included in the action log. Whether the class is Singleton is determined by the fact that the qualifier of the constructor is “private”.

  In the case of communication using a static field, the presence / absence of data communication in the application can be verified based on whether or not a variable to which a modifier including “static” is added is included in the operation log. Specifically, the verification is performed based on whether the qualifier is one of “static”, “static public”, “protected static”, or “protected static public” or whether a static fold is included in the action log. be able to.

  In the case of communication using a native method, the presence or absence of data communication within the app determines whether or not there is a native method in the activity depending on whether or not the function log includes the function name of the function implemented in native code. Can be verified.

  It is proved that the Android application that does not include any function name or qualifier in the operation log does not leak data stored in the mobile communication terminal.

  As described above, according to the present embodiment, the range of detailed analysis is limited by detecting data communication that may lead to external leakage of data stored in the mobile communication terminal 10. Can do. As a result, the cost for analysis can be reduced and the accuracy of verification can be improved. In addition, for applications that have not detected data communication that may lead to external leakage of data stored in the mobile communication terminal 10, the data stored in the mobile communication terminal 10 will not be externally leaked. Can prove.

<Second Embodiment>
A second embodiment of the present invention will be described with reference to FIG. The mobile communication terminal according to the present embodiment is different from the mobile communication terminal according to the first embodiment in that an analysis unit is provided. In addition, about the component which attaches | subjects the same code | symbol as 1st Embodiment, since it has the same function, the detailed description is abbreviate | omitted.

  FIG. 10 is a diagram illustrating a functional configuration of the mobile communication terminal 20 according to the second embodiment of the present invention. As shown in FIG. 10, the mobile communication terminal 20 includes a keyboard and mouse that are an input unit 100 that receives input from a user, a display and speaker that is an output unit 200 that outputs a screen and audio, and other devices and networks. A communication unit 300, an operating system (OS) 400, a program storage unit 500, a CPU 600, an application 610, a log generation unit 620, a log storage unit 630, a detection unit 641, and an analysis unit 650.

  When detecting data communication between applications, the detection unit 641 extracts a function name of a function included in an API related to data communication included in an operation log stored in the log storage unit 630. Similarly, when the detection unit 641 detects data communication within the application, the function name or variable to which a qualifier indicating global is added is included in the operation log stored in the log storage unit 630. Name or the function name of the function implemented in native code.

  The analysis unit 650 adds a function name of a function included in an API related to data communication extracted by the detection unit 641 and a qualifier indicating a global extracted by the detection unit 641 to the source code of the application 610. At least one of static analysis and dynamic analysis is performed on the location specified by the function name and variable name that has been set, or the function name of the function implemented in the native code, and the communication content and communication path are specified. Thereby, it can be detected whether the application 610 is leaking data stored in the mobile communication terminal 20 to the outside.

  As described above, according to the present embodiment, in the source code of the application, by analyzing the location related to the inter-application data communication that may lead to the external leakage of the data stored in the mobile communication terminal 20, You can reduce the time and effort, and identify apps that leak data to the outside. In addition, by analyzing the location related to in-app data communication, it is possible to specify an app that leaks data more accurately.

<Third Embodiment>
A third embodiment of the present invention will be described with reference to FIG. The data communication detection device according to the present embodiment is a device for verifying data communication by executing an application downloaded to a mobile communication terminal without executing the app on the mobile communication terminal. In addition, about the component which attaches | subjects the same code | symbol as 1st Embodiment, since it has the same function, the detailed description is abbreviate | omitted.

  FIG. 11 is a diagram illustrating a functional configuration of a data communication detection device 30 according to the third embodiment of the present invention. As shown in FIG. 11, the data communication detection device 30 includes a keyboard and a mouse that receive an input from the user 100, a display and a speaker that outputs a screen and audio, and other devices and a network Communication unit 300, program storage unit 500, CPU 600, application 610, log generation unit 620, log storage unit 630, detection unit 640, emulator unit 660, and OS 800. Note that the data communication detection device 30 of the present embodiment includes the analysis unit 650 of the mobile communication terminal 20 according to the second embodiment, and performs static analysis and movement at locations related to inter-app data communication and in-app data communication. Analysis may be performed to identify communication contents and communication paths.

  The emulator unit 660 reproduces the function of the OS 400 in the first embodiment and operates the application 610.

  As described above, according to the present embodiment, there is a possibility that the operation log of the app is acquired without executing the app on the mobile communication terminal, and the external leakage of the data stored in the mobile communication terminal is likely to occur. A certain data communication can be detected. By using the data communication detection device 30, before distributing the application to the user, it is possible to perform prior verification as to whether or not the application is an application that externally leaks data stored in the mobile communication terminal.

  The processing of the portable communication terminal or the data communication detection terminal is recorded on a computer-readable recording medium, and the program recorded on the recording medium is read into the device and executed, thereby executing the portable communication terminal or data communication of the present invention. A detection terminal can be realized. The computer system here includes an OS and hardware such as peripheral devices.

  Further, the “computer system” includes a homepage providing environment (or display environment) if a WWW (World Wide Web) system is used. The program may be transmitted from a computer system storing the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line.

  The program may be for realizing a part of the functions described above. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer system, what is called a difference file (difference program) may be sufficient.

  The embodiments of the present invention have been described in detail with reference to the drawings. However, the specific configuration is not limited to the embodiments, and includes designs and the like that do not depart from the gist of the present invention.

10 mobile communication terminal 100 input unit 200 output unit 300 communication unit 400 OS
500 Program storage unit 600 CPU
610 application 620 log generation unit 630 log storage unit 640 detection unit

Claims (13)

A mobile communication terminal that detects an application and an operating system necessary for the operation of the application, and detects data communication that may lead to external leakage of data in the application,
Log storage means for storing an operation log generated by the installed application and indicating the operation of the application;
System call log for data communication between applications , and operation log related to the use of global variables in the application and connection to hardware connected to the mobile communication terminal, indicating data communication within the application Detecting means for detecting the presence or absence of data communication that may lead to external leakage of the data, depending on whether or not it is included in the operation log stored in the log storage means;
A mobile communication terminal comprising: When the detection means detects the presence or absence of data communication that may lead to external leakage of the data, the source code of the application relates to the location where the global variable is used or the connection to the hardware The mobile communication terminal according to claim 1, further comprising first analysis means for performing at least one of dynamic analysis or static analysis on a location . When the detection means detects the presence or absence of data communication that may lead to external leakage of the data , dynamic analysis or static analysis is performed at the location where the system call log is output for the source code of the application the portable communication terminal according to claim 1 or 2, characterized in that it comprises a second analysis means for performing at least one of. The mobile communication terminal according to any one of claims 1 to 3, wherein the data communication between the applications includes data communication using a process, communication using a file system, and communication using a resource . The mobile communication terminal according to claim 1 , wherein the operating system is an Android (registered trademark) OS . A data communication detection terminal that detects data communication that may lead to external leakage of data in an application,
Execution environment providing means for providing an execution environment of the application;
Log storage means for storing an operation log generated by the application executed by the execution environment providing means and indicating the operation of the application;
System call log for data communication between applications, and operations related to the use of global variables in the application and the connection to the hardware connected to the data communication detection terminal indicating data communication within the application Detecting means for detecting the presence or absence of data communication that may lead to external leakage of the data depending on whether or not the log is included in the operation log stored in the log storage means;
A data communication detection terminal comprising:   When the detection means detects the presence or absence of data communication that may lead to external leakage of the data, the source code of the application relates to the location where the global variable is used or the connection to the hardware The data communication detection terminal according to claim 6, further comprising first analysis means for performing at least one of dynamic analysis and static analysis on a location. When the detection means detects the presence or absence of data communication that may lead to external leakage of the data, dynamic analysis or static analysis is performed at the location where the system call log is output for the source code of the application The data communication detection terminal according to claim 6 or 7, further comprising second analysis means for performing at least one of the following . The data communication detection terminal according to any one of claims 6 to 8, wherein the data communication between the applications includes data communication using a process, communication using a file system, and communication using a resource. . 10. The data communication detection terminal according to claim 6, wherein an execution environment of the application has an Android (registered trademark) OS function . An application and an operating system necessary for the operation of the application have been introduced, and a data communication detection method in a mobile communication terminal that detects data communication that may lead to external leakage of data in the application,
The mobile communication terminal includes a log storage unit that stores an operation log generated by an installed application and indicates an operation of the application, and a detection unit.
A first step in which the detection means acquires an operation log from the log storage means;
In the operation log acquired in the first step, the detection unit uses a system call log for performing data communication between applications, and uses of global variables in the application indicating data communication in the application. A second step of determining whether or not an operation log related to connection to hardware connected to the mobile communication terminal is included;
In the operation log acquired in the first step, the detection unit uses a system call log for performing data communication between applications, and uses of global variables in the application indicating data communication in the application. When an operation log related to connection to hardware connected to the mobile communication terminal is included, it is detected that there is data communication that may lead to external leakage of the data, while the first step System call log for performing data communication between applications and the use of global variables in the application and the hardware connected to the mobile communication terminal indicating the data communication within the application If the operation log related to A third step of detecting that there is no data communication with the potential to lead to other external leakage,
A data communication detection method comprising: A data communication detection method in a data communication detection device for detecting data communication that may lead to external leakage of data in an application,
The data communication detection device includes an execution environment providing unit that provides an execution environment of the application, a log storage unit that stores an operation log generated by an application executed by the execution environment providing unit and indicating an operation of the application, and Equipped with detection means,
A first step in which the detection means acquires an operation log from the log storage means;
In the operation log acquired in the first step, the detection unit uses a system call log for performing data communication between applications, and uses of global variables in the application indicating data communication in the application. A second step of determining whether or not an operation log relating to connection to hardware connected to the data communication detection device is included;
In the operation log acquired in the first step, the detection unit uses a system call log for performing data communication between applications, and uses of global variables in the application indicating data communication in the application. When an operation log relating to connection to hardware connected to the data communication detection device is included, it is detected that there is data communication that may lead to external leakage of the data, while the first In the operation log acquired in step, the system call log for performing data communication between applications and the use of global variables in the application indicating the data communication in the application or connected to the data communication detection device If the operation log related to the connected hardware is not included In a third step of detecting that there is no data communication with the potential to lead to the outside leakage of the data,
A data communication detection method comprising: A program for causing a computer to execute the data communication detection method according to claim 11 or 12.

Images