JP6466234B2 - Application analysis apparatus, application analysis method, and program - Google Patents

Description

  The present invention relates to a technique for analyzing an application.

  As a technique for analyzing the safety of an application, there is a dynamic analysis technique for determining the safety of an application based on the behavior of the application (see, for example, Patent Document 1). In privacy evaluation that evaluates the safety of an application from the viewpoint of privacy, it is important to determine whether or not the content of the privacy policy presented by the application matches the actual behavior of the application. In the privacy policy, information handled by the application, the purpose of handling the information, and the transmission destination of the information are defined. In the dynamic analysis, when the application transmits data including personal information (user information), it is analyzed whether the behavior matches the behavior defined in the privacy policy.

  In the dynamic analysis technology, there are problems related to operations on applications. Unless the user performs an operation on the application, a complete dynamic analysis cannot be performed. If a person performs a manual operation, personnel costs are incurred. For this reason, an automatic operation technique in which a computer performs an operation on an application has been proposed. There is an automatic safety analysis device that uses this automatic operation technology and dynamic analysis technology. As for the automatic operation technique, there is a technique for detecting a program error by executing an application program according to a test case.

  In the automatic operation technology, there is a technology for evaluating how much of the behavior that may appear at the time of executing an application is realized. For example, there are a method for confirming the number of called classes and methods (code coverage), a method for confirming the number of displayed application screens, and the like.

International Publication No. 2010/134325

  In the conventional automatic operation technology, it is evaluated how much of the application behavior is realized. However, in the privacy evaluation, it is important whether or not the processing related to the acquisition of user information is surely executed by an operation on the application. For example, even when 90% of the behavior of the entire application behavior is realized, the privacy evaluation is insufficient if the process related to the acquisition of user information is not executed. Alternatively, even when 10% of the behavior of the entire application behavior is realized, sufficient privacy evaluation is possible as long as the processing related to acquisition of user information is executed. If the privacy evaluation is sufficient, the operation of the application can be terminated without waiting for the realization of an unrealized behavior.

  In view of the above, an object of the present invention is to provide a technique capable of acquiring information useful for privacy evaluation of an application.

  The present invention provides a first function name that is a name of a second function that executes a first function that acquires user information, and a name of a first class in which the second function is defined. The class name of 1 is the name of a static analysis unit that analyzes and acquires an application program, an execution unit that executes the program, and a third function that is called when the program is executed. The execution result of the program includes a second function name and a second class name that is a name of a second class in which the third function is defined. A dynamic analysis unit that determines whether or not the second function has been executed by analyzing whether or not a combination with the function name is included, and information indicating a result of the determination by the dynamic analysis unit An output unit for outputting It is a publication analyzing device.

  In addition, the application analysis apparatus according to the present invention provides the first class name and the first class related to the executed second function with respect to the total number of combinations of the first class name and the first function name. It further includes an evaluation unit that calculates a ratio of the number of combinations with function names, and the output unit outputs the ratio.

  In the application analysis apparatus of the present invention, the program includes a library, and the static analysis unit further includes a first package name that is a name of the first library in which the first class is defined, The dynamic analysis unit is obtained by analyzing the program, and the dynamic analysis unit is a name of the second library in which the second function name, the second class name, and the second class are defined. By analyzing whether the combination of the first class name, the first function name, and the first package name is included in the execution result of the program including two package names, It is determined whether or not the second function has been executed.

  In the application analysis apparatus of the present invention, the static analysis unit further obtains a third package name that is a name of the application in which the first class is defined by analyzing the program, The dynamic analysis unit includes, in the execution result of the program, the second function name, the second class name, and the third package name of the application in which the second class is defined. Determining whether the second function has been executed by analyzing whether a combination of the first class name, the first function name, and the third package name is included. It is characterized by that.

The present invention also provides an application analysis method in an application analysis apparatus having a static analysis unit, an execution unit, a dynamic analysis unit, and an output unit, wherein the static analysis unit acquires user information. The first function name that is the name of the second function that executes the first function to be executed and the first class name that is the name of the first class in which the second function is defined are a first step of acquiring and analyzing program, a second step of the execution unit executes the program, the dynamic analysis section, a third function that is called when the program is executed The first class name is included in the execution result of the program including the second function name that is the name of the second class name and the second class name that is the name of the second class in which the third function is defined. And the first function name combination By analyzing whether include Align, and the second function third determining is whether the execution of the step, the output unit, information indicating the result of the determination by said third step And a fourth step of outputting the application.

  The present invention also provides a first function name that is a name of a second function that executes a first function for obtaining user information, and a name of a first class in which the second function is defined. A first step of obtaining a first class name by analyzing an application program, a second step of executing the program, and a third function called when the program is executed The first class name is included in the execution result of the program including the second function name that is the name of the second class name and the second class name that is the name of the second class in which the third function is defined. And determining whether or not the second function is executed by analyzing whether or not a combination of the first function name and the first function name is included. A fourth step that outputs information indicating the result. Is a program for executing a flop, to the computer.

  According to the present invention, when an application program is executed, it is possible to determine whether or not a second function for executing a first function for obtaining user information has been executed. Therefore, it is possible to acquire information useful for application privacy evaluation.

It is a block diagram which shows the structure of the application analysis apparatus by one Embodiment of this invention. It is a flowchart which shows the procedure of operation | movement of the application analysis apparatus by one Embodiment of this invention. It is a reference figure which shows the structure of the program of the application in one Embodiment of this invention. In one Embodiment of this invention, it is a reference figure which shows the function which acquires user information. In one Embodiment of this invention, it is a reference figure which shows the content of the file acquired by de-compilation of the program of an application. In one Embodiment of this invention, it is a reference figure which shows the code | symbol of the function which acquires user information. FIG. 15 is a reference diagram illustrating a log output when an application program is executed in an embodiment of the present invention. In one Embodiment of this invention, it is a reference figure which shows the class name and function name which were acquired by static analysis. In one Embodiment of this invention, it is a reference figure which shows the class name and function name which were acquired by the dynamic analysis. FIG. 6 is a reference diagram showing a library list in an embodiment of the present invention.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. FIG. 1 shows the configuration of an application analysis apparatus 1 according to an embodiment of the present invention. As illustrated in FIG. 1, the application analysis apparatus 1 includes a static analysis unit 10, an execution unit 20, a dynamic analysis unit 30, an evaluation unit 40, an output unit 50, and a storage unit 60.

  The static analysis unit 10 includes a first function name that is a name of a second function that executes a first function that acquires user information, and a name of a first class in which the second function is defined. A certain first class name is obtained by analyzing an application program. The execution unit 20 executes an application program. The dynamic analysis unit 30 is the name of the second function that is the name of the third function that is called when the application program is executed, and the name of the second class in which the third function is defined. The second function is executed by analyzing whether or not the combination of the first class name and the first function name is included in the execution result of the application program including the second class name. It is determined whether or not. The evaluation unit 40 calculates a ratio of the number of combinations of the first class name and the first function name related to the executed second function to the total number of combinations of the first class name and the first function name. calculate. The output unit 50 outputs information indicating the result of determination by the dynamic analysis unit 30. For example, the output unit 50 outputs the ratio calculated by the evaluation unit 40.

  For example, the output unit 50 is a display unit that displays information. Alternatively, the output unit 50 is a transmission unit that transmits information to an external device having a display unit and the like. Alternatively, the output unit 50 is a recording unit that records information in an external storage medium or the storage unit 60.

  The storage unit 60 stores application programs and the like. The storage unit 60 may appropriately store the processing results of the static analysis unit 10, the dynamic analysis unit 30, and the evaluation unit 40. The storage unit 60 may be an external storage medium that can be attached to and detached from the application analysis apparatus 1.

  The computer of the application analysis apparatus 1 reads and reads a program including instructions that define the operations of the static analysis unit 10, the execution unit 20, the dynamic analysis unit 30, the evaluation unit 40, and the output unit 50. You may run the program. That is, the functions of the static analysis unit 10, the execution unit 20, the dynamic analysis unit 30, the evaluation unit 40, and the output unit 50 may be realized by software. This program may be provided by a “computer-readable recording medium” such as a flash memory. The above-described program may be transmitted to the application analysis apparatus 1 from a computer having a storage device or the like in which the program is stored via a transmission medium or by a transmission wave in the transmission medium. A “transmission medium” for transmitting a program is a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line. Further, the above-described program may realize a part of the functions described above. Further, the above-described program may be a difference file (difference program) that can realize the above-described function in combination with a program already recorded in the computer.

  Hereinafter, as an example, an analysis of an application that runs on a terminal in which Android (registered trademark) is used in an OS (Operating Systems) will be mainly described. In this specification and drawings, for the sake of convenience, the character string “android (registered trademark)” is substituted with the character string “* andrd *” and the character string “java (registered trademark)” is substituted with the character string “* jv *” as necessary. ing. That is, the character string * andrd * is equivalent to the character string Android (registered trademark), and the character string * jv * is equivalent to the character string Java (registered trademark).

  FIG. 2 shows an operation procedure of the application analysis apparatus 1. The operation of the application analysis apparatus 1 will be described with reference to FIG.

  The static analysis unit 10 performs a static analysis for analyzing a program code obtained by decompiling an application program (step S100). In step S100, the following processing is performed.

  The static analysis unit 10 reads an application program from the storage unit 60. The static analysis unit 10 decompiles the application program and obtains an analyzable code.

  FIG. 3 shows the configuration of the application program. As shown in FIG. 3, the application program 300 includes an execution code 301, a manifest file 302, a library 303, and a parameter 304. The execution code 301 includes an instruction sequence that defines the operation of the application main body. The manifest file 302 includes information such as a package name of the application and a component used by the application. The library 303 includes an execution code that is referred to when the execution code 301 is executed. The parameter 304 is a parameter referred to when the execution code 301 is executed.

  Examples of tools for decompiling the application program 300 include apk-tool, soot, and dex-2-jar. In the description of the present embodiment, apk-tool is used.

  The Android (registered trademark) application is executed in the Dalvik virtual machine. The execution code 301 is a class. It is a binary file called dex. By decompiling the application program 300 using apk-tool, the execution code 301 is converted into an intermediate code of the Dalvik virtual machine. When apk-tool is used, a folder is created for each package, and a small file is created for each class. The static analysis unit 10 analyzes a small file that is an intermediate code.

  The static analysis unit 10 acquires information on a function that acquires user information from the code included in the small file. FIG. 4 shows an example of a function (first function) for acquiring user information. The function shown in FIG. 4 is an API (Application Programming Interface) provided by the OS for realizing basic functions. Each function is defined in a class. In FIG. 4, a getDeviceId function, a getSubscriberId function, a requestLocationUpdates function, a getLatitude function, and a getLongtude function are shown as functions.

  The getDeviceId function is a function that acquires an IMEI (International Mobile Equipment Identity) that is a terminal identifier. The getSubscriberId function is a function that acquires an IMSI (International Mobile Subscriber Identity) that is a subscriber identifier. The requestLocationUpdates function is a function that periodically acquires terminal location information. The getLatitude function is a function for acquiring latitude information at the position of the terminal. The getLongitude function is a function for acquiring longitude information at the position of the terminal. The getDeviceId function and the getSubscriberId function are * andrd *. telephony. Defined in the TelephonyManager class. The requestLocationUpdates function, the getLatitude function, and the getLongitude function are * andrd *. location. It is defined in the LocationManager class. The getDeviceId and the like shown in FIG. 4 are function names (function names). * Andrd *. telephony. TelephonyManager is a class name (class name).

  By executing the function shown in FIG. 4, an application can acquire user information stored in a terminal including the application analysis apparatus 1. The application developer can define a unique function using the function shown in FIG. 4 in the application program.

  A function list including the class name and the function name shown in FIG. The static analysis unit 10 analyzes the small file based on the class name and the function name included in the function list.

  FIG. 5 shows an example of the contents of a small file. In FIG. 5, only some codes included in the small file are shown. In FIG. 5, “...” Indicates a portion where the code is omitted.

  The static analysis unit 10 configures a function name with a character string obtained by converting “.” Into “/” among character strings constituting a class name included in the function list, a character string “;->”, and the like. Search for a character string combined with a character string from the code. For example, when acquiring information related to the getDeviceId function, the static analysis unit 10 uses “* andrd * / telephony / TelephonyManager;-> getDeviceId” as a search character string. In FIG. 5, the character string 500 matches the character string of the search. For this reason, the static analysis unit 10 detects the character string 500. A second function that executes a first function for obtaining user information and is defined by an application developer is included in the sali file.

  The static analysis unit 10 acquires the first function name of the second function that executes the first function for acquiring user information. Specifically, the static analysis unit 10 searches the character string “.method” from the character string above the position of the character string 500. The static analysis unit 10 traces the character string line by line upward from the position of the character string 500, and detects the character string “.method” that appears first. In FIG. 5, since the first character string of the character string 510 matches the character string of the search, the static analysis unit 10 detects the character string 510. In the character string 510, the first character string that appears except for the character string for search and the character string defined by the program is the first function name. Character strings defined by the program are “public”, “private”, “abstract”, and the like. In the character string 510, “private” is a character string defined by the program. The character string “getImei” that appears first, excluding the character string “.method” and the character string “private” from the character string 510 is the first function name. The getImei defined by the application developer executes the getDeviceId function. The static analysis unit 10 acquires the first function name “getImei” from the character string 510.

  The static analysis unit 10 acquires a first class name of a first class in which a second function that executes a first function that acquires user information is defined. Specifically, the static analysis unit 10 acquires the first class name from the character string 520 in the first line of the small file including the character string 500. In the character string 520, the character string “com.example.sample.Mainactivity” obtained by converting the character “/” of the character string between the character “L” and the character “;” into the character “.” Is the first class name. It is. The static analysis unit 10 acquires the first class name “com.example.sample.Mainactivity” from the character string 520. Since it is possible to define a function with the same function name in different classes, the function is identified by a combination of the class name and the function name.

  The static analysis unit 10 performs the same processing as described above for all functions shown in FIG. In step S100, the above processing is performed.

  After the process of step S100 is performed, the execution unit 20 reads the application program from the storage unit 60. The execution unit 20 executes the read application program (step S110). During the execution of the application program, operations on the application are appropriately performed. The operation for the application may be either an automatic operation or a manual operation.

  After the processing of step S110 is performed, the dynamic analysis unit 30 performs dynamic analysis for analyzing the behavior of the application (step S120). In step S120, the following processing is performed.

  The dynamic analysis unit 30 analyzes the execution result of the application program. Specifically, the dynamic analysis unit 30 analyzes a log output when an application program is being executed. In the log that is the execution result of the program of the application, the second function name of the third function called when the program is executed and the second function name of the second class in which the third function is defined are displayed. Class name. The dynamic analysis unit 30 determines whether or not the second function has been executed by analyzing whether or not the log includes a combination of the first class name and the first function name.

  In order to enable log analysis by the dynamic analysis unit 30, the code of the function for obtaining user information defined in the OS is changed in advance. For example, the getDeviceId function for acquiring a terminal identifier is / framework / base / telephony / * jv * / * andrd * / telephony / TelephonyManager. It is defined in the * jv * class. For example, the source code of this class is https: // android. googlesource. com / platform / frameworks / base / + / android-4.4.4_r2.0.1 / telephony / java / android / telephony / TelephonyManager. It can be obtained from Java.

  When the getDeviceId function is called from the application, the function is changed using StackTrace so that the stack frame information is output to the log. The stack frame information is information that records a program execution process. This information includes information on the executed function and class.

  FIG. 6 shows an example of changed code for the getDeviceId function. In FIG. 6, numerals 285 to 293 indicate line numbers. A character string 600 on the 287th line is an added character string. The code has been changed so that stack frame information is output to a log using getStackTraceString, which is a standard log output function. The code of another function for acquiring user information is also changed by adding a character string similar to the character string 600. An OS program including the changed code is built. The application program is executed on the OS changed as described above.

  FIG. 7 shows an example of a log. In FIG. 7, numerals 1 to 16 indicate line numbers. In each line after the second line, a character string including a class name and a function name is recorded after the character string “at”. On the second line, * andrd *. telephony. It is recorded that the getDeviceId function of the TelephonyManager class has been executed. In the third line next to the second line, information on a third function that executes the getDeviceId function is recorded. Specifically, com. example. sample. It is recorded that the getImei function of the MainActivity class has been executed.

  The dynamic analysis unit 30 searches the log for a character string obtained by connecting the first class name and the first function name acquired in the static analysis (step S100) with the character “.”. For example, the dynamic analysis unit 30 searches the log for a character string “com.example.sample.Mainactivity.getImei”. Thereby, the character string 700 is detected. The character string 700 includes a character string “getImei” indicating the second function name of the third function called when the application program is executed, and the second class of the second class in which the third function is defined. 2 including a character string “com.example.sample.Mainactivity” indicating a class name of 2. Therefore, the dynamic analysis unit 30 determines that the getImei function has been executed.

  That is, the dynamic analysis unit 30 determines that the second function has been executed when a character string that matches the search character string is detected from the log. The dynamic analysis unit 30 determines that the second function is not executed when a character string that matches the search character string is not detected from the log. The search character string is a character string in which the first class name acquired in the static analysis (step S100) and the first function name are connected by the character “.”. In step S120, the above processing is performed.

  When the second function is executed, the first function for obtaining user information may not be executed due to a conditional branch defined in the code of the second function. For this reason, the dynamic analysis unit 30 determines whether or not the function name and class name of the second function are recorded in the line next to the line where the function name and class name of the first function are recorded in the log. You may check. Whether or not the second function has been executed under conditions for executing the first function by checking whether or not the information of the first function and the information of the second function are recorded in the log as a set. Can be determined.

  After the process of step S120 is performed, the evaluation unit 40 determines the first class name and the first class related to the executed second function with respect to the total number of combinations of the first class name and the first function name. The ratio of the number of combinations with function names is calculated (step S130). The executed second function is a second function determined by the dynamic analysis unit 30 to be executed. The execution rate is calculated by equation (1).

  FIG. 8 shows an example of a combination of the first class name and the first function name acquired by static analysis. In FIG. 8, a function (user information acquisition function) for acquiring user information, a class (definition class) in which a function (definition function) defined including the user information acquisition function is defined, a definition function, It is shown.

  FIG. 9 shows an example of a combination of the first class name and the first function name detected by the dynamic analysis. FIG. 9 shows a user information acquisition function, a class (execution class) in which a function (execution function) that executes the user information acquisition function is defined, and an execution function.

  In the example shown in FIG. 8, five combinations are acquired in the static analysis. In the example shown in FIG. 9, in the dynamic analysis, four combinations related to the second function executed when the application program is executed are acquired. For this reason, the execution rate is 80%.

  After the process of step S130 is performed, the output unit 50 outputs the execution rate calculated in step S130 (step S140). For example, when the output unit 50 is a display unit, the output unit 50 displays the execution rate. Or when the output part 50 is a communication part, the output part 50 transmits an execution rate to an external device. Alternatively, when the output unit 50 is a recording unit, the output unit 50 records the execution rate in the external storage medium or the storage unit 60.

  The output unit 50 may output the processing result of step S120. For example, the output unit 50 includes the first function name of the second function that executes the first function for acquiring the user information, and the first class name of the first class in which the second function is defined. And information indicating whether or not the second function has been executed when the application program is executed. Therefore, the application analysis apparatus 1 may not include the evaluation unit 40.

  According to the present embodiment, when the application program is executed, it is possible to determine whether or not the second function for executing the first function for obtaining user information has been executed. Therefore, it is possible to acquire information useful for application privacy evaluation. Therefore, it is possible to determine whether or not an operation necessary for privacy evaluation has been performed on the application.

  Next, a modification of this embodiment will be described. As shown in FIG. 3, the application program 300 includes a library 303. As described above, the static analysis unit 10 includes the first function name of the second function that executes the first function for acquiring the user information, and the first class in which the second function is defined. Get the first class name. The static analysis unit 10 further acquires the first package name, which is the name of the first library in which the first class is defined, by analyzing the application program. The execution result of the program includes the second function name of the third function called when the application program is executed, the second class name of the second class in which the third function is defined, And a second package name which is the name of the second library in which the second class is defined. The dynamic analysis unit 30 analyzes whether or not the combination of the first class name, the first function name, and the first package name is included in the execution result of the application program. Determine whether the function has been executed.

  The static analysis unit 10 further acquires the third package name, which is the name of the application in which the first class is defined, by analyzing the application program. The execution result of the program includes the second function name of the third function, the second class name of the second class, and the third package name of the application in which the second class is defined. The dynamic analysis unit 30 analyzes whether or not a combination of the first class name, the first function name, and the third package name is included in the execution result of the application program. Determine whether the function has been executed.

  In general, Android (registered trademark) applications are equipped with two or three libraries. For example, there are an advertisement display library and a game engine library. Library companies publish their library programs. Application developers can embed libraries into their applications as they like. The library package name is basically different from the application package name. The dynamic analysis unit 30 determines whether the package name included in the combination of the class name, the function name, and the package name is the first package name or the third package name. It is possible to identify which class of the application main body and the second function defined by the application body are executed.

  A library list including a first package name of a library that can be installed in the application is stored in the storage unit 60 in advance. FIG. 10 shows an example of a library list. FIG. 10 shows the provider, type, and package name. The provider is the name of the company that provides the library. The type indicates the type of function provided by the library list. The package name is the first package name of the library.

  The manifest file 302 shown in FIG. 3 includes information on the third package name of the application. Specifically, the manifest file 302 includes a character string “<manifest package = XXXX>”. The character string “XXXX” is an arbitrary character string and indicates the third package name of the application.

  The first class name acquired by the static analysis includes the package name of the application or library. For example, in the character string “com.example.sample.Mainactivity” indicating the first class name, the character string “com.example.sample” indicates the third package name of the application. The class name of the class defined in the library includes the first package name of the library. For example, the class name of the class defined in the library provided by the company A shown in FIG. 10 includes the first package name “com.sample.ad”.

  Therefore, the static analysis unit 10 can acquire the package name from the first class name acquired by the static analysis. The static analysis unit 10 compares the package name acquired by the static analysis with the first package name included in the library list. When the package name acquired by the static analysis matches the first package name included in the library list, the package name acquired by the static analysis is the first package name of the library. In addition, the static analysis unit 10 compares the package name acquired by the static analysis with the third package name of the application. When the package name acquired by the static analysis matches the third package name of the application, the package name acquired by the static analysis is the third package name of the application.

  Although the package name of the application exists, the package name may not be recorded in the manifest file 302. When the package name of the application cannot be acquired from the manifest file 302, the package name that does not match the first package name included in the library list among the package names acquired by the static analysis is the third package name of the application. You may judge.

  The second class name recorded in the log includes the package name of the library or application in which the second class is defined. For example, the second class name “com.example.sample.Mainactivity” included in the character string 700 of FIG. 7 includes the third package name “com.example.sample” of the application.

  FIG. 8 shows an example of a combination of the first class name and the first function name acquired by static analysis. In FIG. 8, the first class name “com.sample.ad.main” of the first class in which each of the getId function and the getLoc function is defined is the first package name “com.sample.ad” of the library. "including. Further, the first class name “co.jp.adad.send” of the first class in which the SendLocation function is defined includes the first package name “co.jp.adad” of the library. Further, the first class name “com.example.sample.Mainactivity” of the first class in which each of the getImei function and the getLocation function is defined is changed to the third package name “com.example.sample” of the application. Including.

  The dynamic analysis unit 30 searches the log for a character string including the first class name, the first function name, and the first package name of the library acquired by the static analysis. In addition, the dynamic analysis unit 30 searches the log for a character string including the first class name, the first function name, and the third package name of the application acquired by the static analysis. Since the first class name includes the first package name or the third package name, the dynamic analysis unit 30 should search the log for a character string including the first class name and the first function name. Good.

  The dynamic analysis unit 30 determines that the second function has been executed when a character string that matches the search character string is detected from the log. The dynamic analysis unit 30 determines that the second function is not executed when a character string that matches the search character string is not detected from the log. When the search character string includes the first package name of the library, the dynamic analysis unit 30 determines that the second function defined in the library has been executed. When the search character string includes the third package name of the application, the dynamic analysis unit 30 determines that the second function defined in the application body has been executed.

  The evaluation unit 40 calculates an execution rate for each package name. Specifically, the evaluation unit 40 calculates an execution rate for the combination including the first class name corresponding to the first package name of the library. Further, the evaluation unit 40 calculates an execution rate for the combination including the first class name corresponding to the third package name of the application.

  In FIG. 8, the combination including the first class name “com.sample.ad.main” corresponding to the first package name “com.sample.ad” of the library includes a combination related to the getId function and a combination related to the getLoc function. It is two. In FIG. 9, the combination including the first class name “com.sample.ad.main” corresponding to the first package name “com.sample.ad” of the library is one of the combinations related to the getId function. Therefore, the execution rate for the first package name “com.sample.ad” of the library is 50%.

  In FIG. 8, the combination including the first class name “co.jp.adad.send” corresponding to the first package name “co.jp.adad” of the library is one of the combinations related to the SendLocation function. In FIG. 9, the combination including the first package name “co.jp.adad” of the library and the first class name “co.jp.adad.send” corresponding to the first package name is one of the combinations related to the SendLocation function. For this reason, the execution rate for the first package name “co.jp.adad” of the library is 100%.

  In FIG. 8, a combination including the first package name “com.example.sample.Mainactivity” corresponding to the third package name “com.example.sample” of the application is a combination related to the getImei function and a combination related to the getLocation function. It is two. In FIG. 9, the combination including the first package name “com.example.sample.Mainactivity” corresponding to the third package name “com.example.sample” of the application is a combination related to the getImei function and a combination related to the getLocation function. It is two. For this reason, the execution rate for the third package name “com.example.sample” of the application is 100%.

  Accordingly, all behaviors of the second function defined in the library whose package name is “co.jp.adad” and the second function defined in the application main body are detected by the dynamic analysis. On the other hand, only a part of the behavior by the second function defined in the library whose package name is “com.sample.ad” is detected by the dynamic analysis. That is, it can be seen that the operation for the application for realizing the behavior by the library whose package name is “co.jp.adad” and the application main body is sufficient. On the other hand, it is understood that the operation for the application for realizing the behavior by the library whose package name is “com.sample.ad” is insufficient.

  The output unit 50 outputs the execution rate for each package name. The output unit 50 includes a first function name of a second function that executes a first function for obtaining user information, a first class name of a first class in which the second function is defined, The first package name of the library or the third package name of the application, and information indicating whether or not the second function is executed when the application program is executed may be output.

  According to the modification of the present embodiment, it is possible to determine whether or not the second function defined in the library or the application main body has been executed when the application program is executed. Therefore, it is possible to distinguish between the behavior by the library and the behavior by the application main body. For this reason, it can be judged in detail whether operation required for privacy evaluation was performed.

  As described above, the embodiments of the present invention have been described in detail with reference to the drawings. However, the specific configuration is not limited to the above-described embodiments, and includes design changes and the like without departing from the gist of the present invention. .

  DESCRIPTION OF SYMBOLS 1 Application analysis apparatus, 10 Static analysis part, 20 Execution part, 30 Dynamic analysis part, 40 Evaluation part, 50 Output part, 60 Storage part

Claims (6)

The first function name that is the name of the second function that executes the first function that obtains the user information, and the first class name that is the name of the first class in which the second function is defined And a static analysis unit for analyzing and acquiring an application program,
An execution unit for executing the program;
A second function name that is a name of a third function that is called when the program is executed, and a second class name that is a name of a second class in which the third function is defined. It is determined whether or not the second function has been executed by analyzing whether or not the combination of the first class name and the first function name is included in the execution result of the program A dynamic analysis unit to
An output unit that outputs information indicating a result of determination by the dynamic analysis unit;
An application analysis apparatus characterized by comprising: The ratio of the number of combinations of the first class name and the first function name related to the executed second function to the total number of combinations of the first class name and the first function name. It further has an evaluation unit for calculating,
The application analysis apparatus according to claim 1, wherein the output unit outputs the ratio. The program includes a library,
The static analysis unit further obtains a first package name that is a name of a first library in which the first class is defined by analyzing the program,
The dynamic analysis unit includes the second function name, the second class name, and a second package name that is a name of a second library in which the second class is defined. Whether the second function was executed by analyzing whether or not a combination of the first class name, the first function name, and the first package name is included in the execution result of the program The application analysis apparatus according to claim 1, wherein the application analysis apparatus determines whether or not. The static analysis unit further obtains a third package name that is a name of the application in which the first class is defined by analyzing the program,
The dynamic analysis unit includes the execution result of the program including the second function name, the second class name, and the third package name of the application in which the second class is defined. Whether or not the second function has been executed by analyzing whether or not a combination of the first class name, the first function name, and the third package name is included. The application analysis apparatus according to claim 3, wherein: An application analysis method in an application analysis apparatus having a static analysis unit, an execution unit, a dynamic analysis unit, and an output unit,
A first function name that is a name of a second function that executes a first function for obtaining user information by the static analysis unit, and a name of a first class in which the second function is defined A first class name is obtained by analyzing an application program;
A second step in which the execution unit executes the program;
The dynamic analysis unit is a second function name that is a name of a third function that is called when the program is executed, and a name of a second class in which the third function is defined. By analyzing whether or not the combination of the first class name and the first function name is included in the execution result of the program including the second class name, the second function is A third step of determining whether it has been executed;
A fourth step in which the output unit outputs information indicating a result of the determination in the third step;
An application analysis method characterized by comprising: The first function name that is the name of the second function that executes the first function that obtains the user information, and the first class name that is the name of the first class in which the second function is defined And a first step of analyzing and obtaining an application program;
A second step of executing the program;
A second function name that is a name of a third function that is called when the program is executed, and a second class name that is a name of a second class in which the third function is defined. It is determined whether or not the second function has been executed by analyzing whether or not the combination of the first class name and the first function name is included in the execution result of the program A third step,
A fourth step of outputting information indicating a result of the determination in the third step;
A program that causes a computer to execute.

Images