KR102226218B1 - Apparatus and method for extracting feature information to identify an application created by cross-platform development framework - Google Patents

Abstract

The present invention is a technology capable of classifying the types of cross-platform development frameworks used for application development by using symbol information of native functions and symbols of main classes inheriting the main classes of WebKit. A device for extracting feature information comprises: an input unit receiving an application to be analyzed for a creation platform; an analysis unit selecting a method symbol that an access flag is a native function from a dex file of the application received from the input unit; and a classification unit classifying a cross-platform development framework used to create the application using the information selected in the analysis unit.

Description

A device and method for extracting feature information to identify an application created with a cross-platform development framework {APPARATUS AND METHOD FOR EXTRACTING FEATURE INFORMATION TO IDENTIFY AN APPLICATION CREATED BY CROSS-PLATFORM DEVELOPMENT FRAMEWORK}

The present invention relates to an apparatus and method for extracting feature information for identifying an application produced by a cross-platform development framework, and in more detail, using symbol information of a native function and symbols of main classes inheriting main classes of WebKit. It is a technology that can classify the types of cross-platform development frameworks used in application development.

Smartphone platforms are diverse, such as Android, iOS, Windows Phone, and BlackBerry OS. Each smartphone platform has different development environments and programming languages, so software (applications) developed by subordinate to a specific platform cannot be used on other platforms as it is. Therefore, developing a native app for a specific platform separately for each different platform greatly increases the development cost. In order to solve this problem, the use of a cross-platform mobile app development framework is increasing recently. Cross-platform mobile app development framework is shortened and referred to as a cross-platform development framework.

Representative cross-platform development frameworks include Unity, Xamarin, Appcelerator Titanium, Apache Cordova, PhoneGap, Sencha, and Cocos2d. These frameworks increase efficiency during the development life cycle of mobile applications. For this reason, a cross-platform development framework independent of a specific platform is attracting attention. Cross-platform development frameworks such as Sencha and PhoneGap use web-based Javascript and HTML5. Unity is an engine used for game development on PC-based platforms such as Windows or MacOS X, and has been used for mobile application development for various smartphone platforms with the release of Unity 3 in 2010. C# programmers can use Unity to instantly develop mobile applications without having to learn a new programming language, and they can reuse their C# code across various platforms. Applications written with these cross-platform development frameworks are referred to as cross-platform applications.

On the other hand, malware writers also use this cross-platform development framework to maximize the effect of attack while minimizing the time and cost of creating malware. This is because attackers can use C# to modify malicious applications faster and spread them to more mobile platforms. Veil-Framework is a set of attack tools that create an executable file that bypasses the vaccine, and the payload was also developed in C#.

If you actually search the Internet, there is a lot of information about creating C#-based malicious codes. You can learn how to write a keylogger in C#, write Crypto-Ransomware using C#, a tutorial for writing a console-based Trojan horse in C#, and Nemesis.Worm based on C#. Actually, Mylonas et al. showed that students can use C# to create malicious applications in two days on Windows Mobile and in one day on Windows Phone. According to research by Lee et al., Android applications written with Unity and PhoneGap are increasing. In addition, many samples of potentially unwanted applications (PUAs) were found among applications written with Unity and Cocos2d, and many malware samples were found in applications written with PhoneGap. As a result, he described that security researchers are facing a big challenge to analyze and detect mobile malware created with a cross-platform development framework. As such, there are many mobile applications written with cross-platform development frameworks, but there are not many studies or interest in malicious applications or illegal applications created with these frameworks.

In the previous study, several classification criteria were proposed according to the mobile application development method and the application execution method. Among them,'Evaluating cross-platform development approaches for mobile applications' are (1) native apps, (2) mobile web apps, and (3) hybrid app roaches of Web and native. components, hereinafter, hybrid apps) and (4) self-contained framework apps run on self-contained runtime environment.

Native apps are apps that are dependent on a specific platform, and because system calls can be called, unique information such as address books and files stored in the device can be used, and hardware such as cameras can also be controlled. While boasting the graphics and performance of the specifications, the operating speed is fast, and it can be used even if there is no internet connection. In general, Android native apps are generally developed using Android Studio, which includes Android SDK (Software Development Kit). The Android SDK includes comprehensive development tools. For example, there are debuggers, libraries, QEMU-based emulators, and various sample codes. In addition, it provides Android.jar (Android 9.0 Pie API level 28 as of June 2019) that matches the API version of the mobile device to resolve dependencies and compile applications in various development environments such as Windows, Linux, and Mac OS. In addition, Android NDK (Native Development Kit), which supports cross-compilation, is provided for optimization of performance, high-performance graphic work, and the use of widely used C/C++ libraries to support the development of Android applications containing C++ code.

Mobile Web Apps are implemented in HTML, CSS, and JavsScript, and use a browser as a runtime environment and utilize the browser support of mobile platforms. As a standard technique, web sites can be accessed in a similar manner using the mobile browser of each platform. However, since it does not contain the execution code dependent on each platform, it is not distributed in the form of an application (Android: .apk, Apple: .ipa) corresponding to each platform, and one mobile web application is a device such as a camera, GPS sensor, and Certain hardware features are not available. Representative examples include JQueryMobile and Sencha Touch.

Hybrid apps (hereinafter referred to as hybrid apps) composed of web and native components can run mobile web applications using a webkit installed in each mobile OS while the external form is a native app. Hybrid apps allow developers to create only platform-dependent functions (controlling devices such as cameras) as a native library and use native functions in HTML and JavaScript. The native part of the application uses the API of each OS to act as a link between the browser and the device API, allowing hybrid apps to take advantage of all the features offered by modern devices. Currently, there are many web-based hybrid development frameworks, including Titanium Mobile, PhoneGap, and Cordova, and are widely used because of their ease of development and distribution. Since hybrid apps use existing web technologies, they may have web-related vulnerabilities such as cross-site scripting (XSS) and cross-site request forgery. When these web-based vulnerabilities are exploited in hybrid apps, sensitive information can be stolen because native APIs, hardware and device information can be accessed through JavaScript, and thus it can be transformed into a more threatening web attack. .

Self-contained framework apps do not reuse any (web) environments existing on the mobile platform, but use their own, separate runtime environment. Representatively, the Mono project is an open source version of the .NET Framework developed by Microsoft. The Mono project is written in C# and made to run in the Mono Runtime environment, which is a compiled common language (CIL), so that the .NET framework can be applied in environments such as Windows, mac OS, and Linux. Mono, which operates in various OS environments, operates as a framework based on mobile development platforms, Xamarin and Unity, and can be developed and applied simultaneously in iOS and Android, which are mobile environments. The characteristics of Jamarin and Unity that utilize Mono are various system calls and a wrapper of the API of the base OS (Android, iOS). Developers can use this to control hardware events such as SQLite DB, file access, and cameras, and they can be applied to various platform environments while driving speed is fast. As a representative example, Xamarin Evolve developed by Jamarin, an application that supports Android and iOS, was written with about 15,000 lines of code.In the case of iOS, 93% of the code was shared, and in the case of Android, 90% appeared as shared code. Demonstrates the advantages of Jamarin's C# code reusability.

Another cross-platform framework is Cocos2d-x. Cocos2d is an open source software framework for 2D game development, and can be used to develop GUI-based interactive software such as games, mobile applications, and responsive e-books, as well as XSS attacks targeting Cordova applications. Cocos2d-x is produced in C++ language and can generate IPA files that can be used in iOS, and APK files for use in Android can be created, and C# wrappers are used because native language C++ is used. It has the advantage of being faster than Unity.

Unlike native applications, standalone framework apps can be exploited by malicious code makers because executable code can exist in dll (dynamic link library) or so (shared object). A typical example is Trojan.Android.Banker. This malicious app was developed in Jamarin, and uses a fake application made similar to the original application on the Google Play Store to trick users. In addition, it steals personal information and card information, such as text records and address books, as well as device information through continuous remote commands. Attacks using cross-platform applications cannot be detected through dex, which is the target of malicious code analysis, because the executable code that performs the malicious action exists in the dll.

Unexamined Patent Publication No. 10-2014-0004819

Accordingly, the present invention has been proposed in order to solve the problems of the related art as described above, and an object of the present invention is to use the symbol information of the native function and the symbols of the main classes inheriting the main classes of the webkit to be used for application development. It is to provide a method and apparatus for classifying types of platform development frameworks.

In order to achieve the above object, a feature information extraction device for identifying an application produced with a cross-platform development framework according to the technical idea of the present invention includes an input unit for receiving an application to be analyzed for a production platform, and a reception unit at the input unit. An analysis unit that selects a method symbol whose access flag is a native function in the dex file of an application, and classifies the cross-platform development framework used for creating the application by using the information selected by the analysis unit. It may include a classification unit.

The classification unit may classify the framework in which the application is created based on Table 2 below according to the native function name of the method symbol selected by the analysis unit.

[Table 2]

The classifier may further use a class name that inherits WebView or WebViewClient.

The classification unit may classify the framework in which the application is created based on Table 5 below according to the native function name of the method symbol selected by the analysis unit.

[Table 5]

The analysis unit includes mono, qtproject, QtNative, unity, Cocos2d, ansca, gdx, vuforia, apache, cordova, titanium, appyet, facebook included in native functions, packages, classes, and methods among dex file formats of the application received from the input unit. , react, tns, rhomobile, select any one keyword as a method symbol,

The classification unit classifies the framework in which the application is created as Xamarin if there is mono among the keywords selected by the analysis unit,

If there is qtproject or QtNative among keywords selected by the analysis unit, the classification unit classifies the framework in which the application is created as a Qt project,

If there is unity among the keywords selected by the analysis unit, the classification unit classifies the framework in which the application is created as Unity,

If there is Cocos2d among the keywords selected by the analysis unit, the classification unit classifies the framework in which the application is created as Cocos2d-x,

If there is ansca or corona among the keywords selected by the analysis unit, the classification unit classifies the framework in which the application is created as Corona,

The classification unit classifies the framework in which the application is created as libGDX if there is gdx among the keywords selected by the analysis unit,

If there is vuforia among the keywords selected by the analysis unit, the classification unit classifies the framework in which the application is created as Vuforia,

If there is apache or cordova among the keywords selected by the analysis unit, the classification unit classifies the framework in which the application is created as Cordova,

If there is titanium among the keywords selected by the analysis unit, the classification unit classifies the framework in which the application is created as Titanium,

If there is appyet among the keywords selected by the analysis unit, the classification unit classifies the framework in which the application is created as AppYet,

If there is facebook or react among the keywords selected by the analysis unit, the classification unit classifies the framework in which the application is created as React Native,

If there is tns among the keywords selected by the analysis unit, the classification unit classifies the framework in which the application is created as NativeScript,

The classification unit may classify a framework in which an application is created as RhoMobile if there is rhomobile among keywords selected by the analysis unit.

Receiving an application to be analyzed by the production platform by the input unit, selecting a method symbol whose access flag is a native function from the dex file of the application by the analysis unit, and the classification unit selected by the analysis unit It may include the step of classifying the cross-platform development framework used to create the application by using the information.

The classifier may further use a class name that inherits WebView or WebViewClient.

According to an apparatus and method for extracting feature information for identifying an application produced with a cross-platform development framework according to the present invention,

First, since the present invention can automatically analyze the application development tool, it is possible to help to grasp the development tool and status of normal applications.

Second, since applications created with a cross-platform development framework can be quickly identified, it is possible to contribute to efficient analysis of malicious codes according to application development tools.

Third, when mobile application developers are contemplating which framework to adopt when developing cross-platform applications, it will be able to help solve related concerns.

1 is a block diagram of an apparatus for extracting feature information for identifying an application produced with a cross-platform development framework according to an embodiment of the present invention.
2 is a diagram showing an example of declaring a native function in C++.
3 is a diagram showing registration and calling of a native function in Java.
4 is a diagram showing the inheritance structure of Cordova (Cordova) SystemWebView.
5 is a flow chart of a method for extracting feature information for identifying an application produced with a cross-platform development framework according to an embodiment of the present invention.

An apparatus and a method for extracting feature information for identifying an application produced by a cross-platform development framework according to embodiments of the present invention will be described in detail with reference to the accompanying drawings. Since the present invention can be modified in various ways and has various forms, specific embodiments will be illustrated in the drawings and described in detail in the text. However, this is not intended to limit the present invention to a specific form of disclosure, and it should be understood to include all changes, equivalents, and substitutes included in the spirit and scope of the present invention. In describing each drawing, similar reference numerals have been used for similar elements.

In addition, unless otherwise defined, all terms used herein including technical or scientific terms have the same meaning as commonly understood by one of ordinary skill in the art to which the present invention belongs. Terms as defined in a commonly used dictionary should be interpreted as having a meaning consistent with the meaning in the context of the related technology, and should not be interpreted as an ideal or excessive formal meaning unless explicitly defined in this application. Does not.

The inventors of the present invention analyzed year-by-year trends in applications developed with a cross-platform development framework targeting applications collected on the AndroZoo site. In other words, a study was conducted to determine the yearly ratio of benign apps and malicious apps created with a cross-platform development framework. Embodiments of the present invention can help to grasp development tools and status of normal applications, and can contribute to efficient analysis of malicious codes. In addition, when mobile application developers are contemplating which framework to adopt when developing cross-platform applications, it can be helpful in resolving related concerns.

Referring to FIG. 1, a feature information extraction device for identifying an application produced by a cross-platform development framework according to an embodiment of the present invention includes an input unit 120 and an input unit 120 for receiving an application to be analyzed for a production platform. ) From the dex file of the application received from the analysis unit 140, which selects a method symbol whose access flag is a native function, and uses the information selected by the analysis unit 140 to create the application It includes a classification unit 160 for classifying the developed cross-platform development framework.

Not only normal developers but also attackers write malicious applications using a cross-platform development framework in order to maximize the attack effect while minimizing the malware production time. In order to cope with this attack method, it is necessary to classify the cross-platform development framework used for application creation and to analyze it accordingly. An embodiment of the present invention infers a cross-platform development framework in which an application is produced as a part of preventing copyright infringement and malicious behavior using a cross-platform development framework.

Specifically, the classification unit 160 classifies the application into a native app, a standalone framework app, and a hybrid app. The reason why this embodiment excludes the mobile web applications classified in the prior studies is that it is difficult to directly analyze the mobile web application because the mobile web application is not distributed in the form of an application on the Android platform. In the case of standalone framework apps and hybrid apps, we analyze in detail what framework the application was created using.

Standalone framework apps typically include Xamarin and Unity, which use mono runtimes, and Cocos2d-x uses a game engine called Cocos2d.

In order to build the Mono runtime and Cocos2d in Android to run the application, the native function produced in C/C++ starting with Java code must be registered and called using JNI (Java Native Interface). The shared library (so) used for these engines and machines is built once as important information of the developer, and is not rebuilt in the application development environment. Therefore, symbol information of functions mapped to JNI is difficult to be modulated by obfuscation tools such as Proguard, Dexguard, and DashO. Representatively, an example of using JNI in Android is shown in FIG. 2. 2 shows an example of declaring a native function in C++.

As shown in Fig. 3, in order to register a native function called foo of the First class in Java, a shared library (so) that has the JNIEXPORT property and Java_First_foo (First: class name, foo: method name) symbol using a function called System.loadLibrary. Should be loaded. Therefore, unless the symbol information of the shared library (so) is altered, the symbol information of the native function called in Java code is difficult to be altered by the obfuscation tool. Among the methods referenced in the Android executable file dex, the access flag of the method is used to distinguish the native method.

name Access flag (value) Method access limiter and description PUBLIC 0x1 visible everywhere PRIVATE 0x2 only visible to defining class PROTECTED 0x4 visible to package and subclasses STATIC 0x8 does not take a this(instance) argument FINAL 0x10 not overridable NATIVE 0x100 implemented in native

The main access flags used in the dex file format are shown in Table 1, and among them, the access flags are classified by using the symbol of a method including native(ACC_NATIVE: 0x100) and class descriptor of a self-supporting framework. do.

The framework that allows you to develop hybrid apps is a tool that considers the advantages of both native and web applications, so hybrid apps can use hardware features like native apps, can be registered in the market, and modified if only the web is connected after deployment. And easy to supplement. These web-based hybrid apps generally use WebKit, which is embedded in the device as an API, and in the case of Android, it is designed to inherit and develop the class defined by Webkit embedded in the device's OS. Fig. 4 is a Lorg/apache/cordova/engine/SystemWebView, which is a main class of Cordova, which is a base of a representative web-based hybrid app; It is the inheritance structure of

Most hybrid apps targeting Android OS are Landroid.webkit.WebView; Inherit class and Landroid.webkit.WebViewClient; and overriding main methods of WebKit to increase reusability and additionally implement and use necessary methods. Accordingly, the classifier 160 may identify class names that inherit WebView and WebViewClient, and identify a web-based hybrid app according to the type based on this.

However, in the inherited class, if the symbol is renaming by the obfuscation tool, the analysis may be inaccurate. Also, the symbol of the inherited class may differ depending on the version. As a representative example, there is Native Script. Native Script has a runtime for its own rendering engine, and the class name that inherits WebView is different depending on the version. (Example: WebViewClient_vendor_1_1934982_n;, WebViewClient_vendor_1_1978533_n;) For this reason, when classifying hybrid apps, a native function, which is the information used to classify standalone framework apps, is used. Hybrid apps also use their own rendering engine, and they register and execute native functions to build the runtime. Accordingly, the classification unit 160 utilizes symbol information of a native function in order to further classify the hybrid app.

The classification unit 160 classifies cross-platform applications into standalone framework apps, hybrid apps, and native apps. In addition, applications that do not exhibit the characteristics of a standalone framework app and a hybrid app are classified as native apps or unclassified.

Representative standalone framework apps include Jamarin applications and Unity applications that use mono runtime. There are also applications written with the qt framework that create cross-platform applications using the C++ language by advocating write once, compile anywhere. In addition, game applications require a lot of native work because graphics rendering work and game processing speed need to be improved. There are also game development frameworks such as cocos2dx, libgdx, and Corona, and Vuforia, which facilitates a cross-platform augmented reality (AR) development environment.

If the native function name of the method symbol selected by the analysis unit 140 is Lmono/android/Runtime;init, the classification unit 160 classifies the framework in which the application is created as Xamarin.

In addition, if the native function name of the method symbol selected by the analysis unit 140 is Lorg/qtproject/qt5/android/QtNative; keyDown or Lorg/qtproject/qt5/android/QtNative; keyUp, the classification unit 160 is the application This created framework is classified as Qt.

In addition, if the native function name of the method symbol selected by the analysis unit 140 is Lcom/unity3d/player/NativeLoader;load or Lcom/unity3d/player/UnityPlayer; initJni, the classification unit 160 is the framework in which the application is created. Is classified as Unity.

In addition, if the native function name of the method symbol selected by the analysis unit 140 is Lorg/cocos2dx/lib/Cocos2dxRenderer; nativeInit or Lorg/cocos2dx/lib/Cocos2dxRenderer; nativeOnPause, the classification unit 160 determines the framework in which the application is created. Classified as Cocos2d-x.

In addition, if the native function name of the method symbol selected by the analysis unit 140 is one of Lcom/ansca/corona/CoronaWebView, Lcom/ansca/corona/CoronaWebView$CoronaWebViewClient, Lcom/ansca/corona/JavaToNativeShim; nativeInit, the classification unit (160) classifies the framework in which the application is written as Corona.

In addition, if the native function name of the method symbol selected by the analysis unit 140 is Lcom/badlogic/gdx/physics/box2d/Body;jniApplyAngularImpulse or Lcom/badlogic/gdx/physics/box2d/Body;jniSetAngularVelocity, then the classification unit 160 ) Classifies the framework in which the application is written as libGDX.

In addition, if the native function name of the method symbol selected by the analysis unit 140 is Lcom/vuforia/VuforiaJNI;init or Lcom/qualcomm/vuforia/VuforiaJNI;deinit, the classification unit 160 sets the framework in which the application is created as Vuforia. Classify.

Table 2 summarizes the cross-platform development framework classified by native function.

Framework Native function name Xamarin Lmono/android/Runtime;init Qt project Lorg/qtproject/qt5/android/QtNative;keyDown
Lorg/qtproject/qt5/android/QtNative;keyUp Unity Lcom/unity3d/player/NativeLoader;load
Lcom/unity3d/player/UnityPlayer;initJni Cocos2d-x Lorg/cocos2dx/lib/Cocos2dxRenderer;nativeInit
Lorg/cocos2dx/lib/Cocos2dxRenderer;nativeOnPause Corona Lcom/ansca/corona/CoronaWebView;
Lcom/ansca/corona/CoronaWebView$CoronaWebViewClient;
Lcom/ansca/corona/JavaToNativeShim;nativeInit libGDX Lcom/badlogic/gdx/physics/box2d/Body;jniApplyAngularImpulse
Lcom/badlogic/gdx/physics/box2d/Body;jniSetAngularVelocity Vuforia Lcom/vuforia/VuforiaJNI;init
Lcom/qualcomm/vuforia/VuforiaJNI;deinit

Framework Language of development Main features support Xamarin C# (.net) Utilizing the Mono runtime Android, iOS QT project C++ Provides major C++ libraries Android, iOS Unity C# (.net) Utilizing the Mono runtime Android, iOS Cocos2d-x C++,
Lua Script,
JavaScript Open source 2D game engine Android, iOS Ansca Corona Lua Script 2D game engine. Libraries or APIs of C, C++, Obj-C, and Java can be used Android, iOS libGDX Java, C, C++ Provides a Java-based game development environment Android, iOS, BlackBerry Vuforia C++ Augmented Reality Development Framework.
SDK provided for Unity Android, iOS

The frameworks in Table 3 use JNI to register and call native functions in Java code to utilize their own engine. Native functions used in Java are difficult to be altered by obfuscation because the symbols of Java and the symbols of functions written in C++ must match.

The names of the main native functions used by the embodiments of the present invention to classify a standalone framework app are shown in Table 2, and use this information as feature information to determine whether the application is a standalone framework, and specifically, what framework is used. Check if it is a built application.

Meanwhile, the most widely used framework for developing hybrid apps is Apache Cordova. Web-based hybrid development environments derived from Apache Cordova include Onsen UI, PhoneGap, Ionic, framework7, and Kendo UI. Other development environments include Titanium, AppYet, React Native, and Native Script. In the case of AppYet, only Android is supported, but the development method is the same as the existing hybrid apps, and it is widely used on the Android platform, so it is included in the hybrid app classification.

Framework Development language Characteristic support Apache Cordova C#, C++, CSS, HTML, Java, JavaScript, Obj-C Many derivative frameworks exist (Onsen UI, PhoneGap, Ionic, framework7, Kendo UI, etc.) Android, iOS, BlackBerry Appcelerator Titanium Studio JavaScript Using Native UI Component API with JavaScript Android, iOS, BlackBerry, Windows AppYet No programming knowledge required Free distribution and no coding required, easy development Android React Native JavaScript Components written in Swift, Java, and Obj-C can be combined. Use React Android, iOS NativeScript JavaScript, TypeScript After creating a single UI, slightly tweaked to fit the platform. Using Vue.js, Angular, TypeScript Android, iOS RhoMobile CCS3, HTML, JavaScript Rhodes open source based framework Android, iOS, Windows

The characteristics of these web-based hybrid frameworks are shown in Table 4. The analysis unit 140 according to an embodiment of the present invention further checks the name of a class inheriting WebView and WebViewClient in order to classify hybrid apps. The classification unit 160 further classifies the hybrid app by using a class name that inherits WebView or WebViewClient. Since the native script application has a different class name that inherits WebView for each version, the classification unit 160 detects the hybrid app by using the native function information together.

If the native function name of the method symbol selected by the analysis unit 140 is Lorg/apache/cordova/inappbrowser/InAppBrowser$InAppBrowserClient or Lorg/apache/cordova/engine/SystemWebView, the classification unit 160 determines the framework in which the application is created. Classified as Cordova.

In addition, if the native function name of the method symbol selected by the analysis unit 140 is Lti/modules/titanium/ui/widget/webview/TiUIWebView, the classification unit 160 classifies the framework in which the application is created as Titanium.

In addition, if the native function name of the method symbol selected by the analysis unit 140 is Lcom/appyet/view/ObservableWebView or Lcom/appyet/view/observablescrollview/ObservableWebView, the classification unit 160 sets the framework in which the application is created as AppYet. Classify.

In addition, if the native function name of the method symbol selected by the analysis unit 140 is Lcom/facebook/react/views/webview/ReactWebViewManager$ReactWebView or Lcom/facebook/react/views/webview/ReactWebViewManager$ReactWebViewClient, the classification unit 160 ) Classifies the framework in which the application is written as React Native.

In addition, if the native function name of the method symbol selected by the analysis unit 140 is Lcom/tns/Runtime;initNativeScript or Lcom/tns/AndroidJsV8Inspector;init, the classification unit 160 classifies the framework in which the application is created as NativeScript. .

In addition, if the native function name of the method symbol selected by the analysis unit 140 is Lcom/rhomobile/rhodes/webview/RhoWebViewClient, the classification unit 160 classifies the framework in which the application is created as RhoMobile.

Table 5 shows classes inheriting WebView and WebViewClient, which are used by the analysis unit 140 as feature information of a hybrid app, and native function names of this embodiment.

Framework Native function name Cordova [class]
Lorg/apache/cordova/inappbrowser/InAppBrowser$InAppBrowserClient;
Lorg/apache/cordova/engine/SystemWebView; Titanium [class]
Lti/modules/titanium/ui/widget/webview/TiUIWebView AppYet [class]
Lcom/appyet/view/ObservableWebView;
Lcom/appyet/view/observablescrollview/ObservableWebView; React Native [class]
Lcom/facebook/react/views/webview/ReactWebViewManager$ReactWebView;
Lcom/facebook/react/views/webview/ReactWebViewManager$ReactWebViewClient; NativeScript [Native function]
Lcom/tns/Runtime;initNativeScript
Lcom/tns/AndroidJsV8Inspector;init RhoMobile [class]
Lcom/rhomobile/rhodes/webview/RhoWebViewClient;

Meanwhile, the analysis unit 140 may further select a specific keyword included in a native function, a package, a class, and a method among the dex file format of the application received from the input unit as a method symbol.

The classification unit 160 classifies the framework in which the application is written as Xamarin if there is mono among the keywords selected by the analysis unit 140.

In addition, if there is qtproject or QtNative among keywords selected by the analysis unit 140, the classification unit 160 classifies the framework in which the application is created as a Qt project.

In addition, the classification unit 160 classifies the framework in which the application is created as Unity if there is unity among the keywords selected by the analysis unit 140.

In addition, if there is Cocos2d among the keywords selected by the analysis unit 140, the classification unit 160 classifies the framework in which the application is created as Cocos2d-x.

In addition, the classification unit 160 classifies the framework in which the application is created as Corona if ansca or corona among keywords selected by the analysis unit 140 is present.

In addition, the classification unit 160 classifies the framework in which the application is created as libGDX if there is gdx among the keywords selected by the analysis unit 140.

In addition, the classification unit 160 classifies the framework in which the application is created as Vuforia if there is vuforia among the keywords selected by the analysis unit 140.

In addition, the classification unit 160 classifies the framework in which the application is created as Cordova if there is apache or cordova among the keywords selected by the analysis unit 140.

In addition, the classification unit 160 classifies the framework in which the application is created as titanium if there is titanium among the keywords selected by the analysis unit 140.

In addition, the classification unit 160 classifies the framework in which the application is created as AppYet if there is appyet among the keywords selected by the analysis unit 140.

In addition, the classification unit 160 classifies the framework in which the application is created as React Native if there is facebook or react among the keywords selected by the analysis unit 140.

In addition, the classification unit 160 classifies the framework in which the application is created as NativeScript if there is tns among the keywords selected by the analysis unit 140.

In addition, if there is rhomobile among the keywords selected by the analysis unit 140, the classification unit 160 classifies the framework in which the application is created as RhoMobile.

Next, a method of extracting feature information for identifying an application produced with a cross-platform development framework according to an embodiment of the present invention will be described.

Referring to FIG. 5, in the method of extracting feature information for identifying an application produced with a cross-platform development framework according to an embodiment of the present invention, the input unit 120 receives an application to be analyzed for a production platform (S120). ), the analysis unit 140 selecting a method symbol whose access flag is a native function from the dex file of the application (S140), and the classification unit 160 is selected by the analysis unit 140 And classifying the cross-platform development framework used to create the application by using the information.

The classification unit 160 may further use a class name that inherits WebView or WebViewClient.

The selection data of the analysis unit 140 used by the classification unit 160 may refer to an embodiment of a feature information extraction device for identifying an application produced by a cross-platform development framework.

Experiment.

In the embodiment of the present invention, data provided by AndroZoo were used to analyze the distribution of cross-platform applications. The data set provided by AndroZoo provides data sets from 2014 to 2018, and malicious applications and normal applications are mixed. A total of 189,800 applications were used in this example, 31,936 (26.8%) malicious applications, and 157,864 (83.2%) normal applications.

Malicious applications that make up the AndroZoo data set were inspected using VirusTotal, and based on this, they were classified as malware (malware applications) and goodware (normal applications). Using the classification technique proposed by this embodiment, the usage trend of the cross-platform framework is analyzed by grasping the frequency of use of the cross-platform application by year. In addition, by grasping how many cross-platform frameworks are used among malicious codes by year, the necessity of cross-platform analysis techniques for malicious codes is confirmed.

As a result of analyzing goodware provided by AndroZoo using an embodiment of the present invention, out of a total of 157,864 applications, 13,036 (8.26%) hybrid apps and 20,284 (16.29%) standalone framework apps are cross-platform. The number of applications was identified as 33,320 (21.10%). The detailed classification results for normal applications are shown in Table 6. In addition, we can see the increasing trend of the use of cross-platform applications. In 2014, the ratio of cross-platform applications was 13.06%, whereas in 2018, it increased to 45.69%. In addition, the proportion of hybrid apps increased from 3.23% in 2014 to 14.37% in 2016 and slightly decreased to 9.95% in 2018.

On the other hand, it can be seen that the proportion of standalone framework apps has gradually increased. The share of apps from 9.93% in 2014 decreased slightly to 9.08% in 2016, but increased to 17.71% in 2017 and 35.75% in 2018, indicating that the proportion of self-contained framework apps increased. In particular, it can be observed that the cases of using the Mono runtime in mobile environments gradually increase.In the case of the Xamarin framework, it increased from 0.74% in 2014 to 6.51% in 2018, and in the case of Unity, from 4.52% in 2014 to 2018. Increased to 23.79%.

As a result of analyzing malicious applications provided by AndroZoo, 909 (2.85%) of hybrid apps and 5,455 (21.33%) of self-supporting framework apps out of a total of 31,936 applications, and the total number of cross-platform applications is 6,364 (19.93%). It was identified as a dog. Table 7 shows the detailed classification results for malicious applications.

Compared to normal applications, it can be seen that the use of cross-platform development frameworks gradually decreases in the case of malicious applications starting in 2014. The ratio of cross-platform applications from 17.29% in 2014 to 4.89% in 2017 and 3.12% in 2018. It can be seen that it has decreased.

Depending on the type of hybrid app and standalone framework app, there is a decrease in trend. It can be seen that the proportion of hybrid apps among malicious applications decreased to 7.00% in 2014, 0.54% in 2017, and 0.52% in 2018. In addition, it can be seen that the proportion of self-supporting framework apps continues to decrease to 17.29% in 2014, 4.32% in 2017, and 2.51% in 2018. However, it can be seen that there are still malicious applications using the cross-platform development framework, and it seems that countermeasures in terms of security and copyright protection are needed.

There have been studies to understand the distribution of cross-platform applications. However, prior studies did not analyze the execution code, but analyzed the distribution of cross-platform applications by analyzing the file name and directory structure inside the APK file distributed in the online market in the form of a compressed file. In the case of cocos2dx, it was confirmed that there existed when moving the libcocos2dcpp.so file and libunity.so file, which can be referred to as the characteristic information inside the APK. In this case, by analyzing the dex file, you can figure out which shared library is actually being used. Accordingly, in the embodiment of the present invention, cross-platform applications are classified by confirming information on a native function and a super class by reverse engineering the bytecode.

theorem.

An embodiment of the present invention is an Android application according to a development framework (1) native apps, (2) hybrid apps of Web and native components, (3) self-contained framework apps. framework apps). When classifying cross-platform applications, in the case of a standalone framework app, the symbol information of the native function is used, in the case of a hybrid app, the symbol information of the native function and the symbols of major classes that inherit the main classes of WebKit are checked to identify the cross-platform application. Identify and classify.

For the experiment, the AndroZoo data set was used. In the case of the data set classified as a normal application, the number identified as cross-platform applications was identified as 33,320 (21.10%) out of the total 157,864, and the data set classified as a malicious application was identified as cross-platform applications. The number of applications identified as platform applications was 6,364 (19.93) out of 31,936.

Although the preferred embodiment of the present invention has been described above, the present invention can use various changes, modifications, and equivalents. It is clear that the present invention can be applied in the same manner by appropriately modifying the above embodiments. Therefore, the above description is not intended to limit the scope of the present invention determined by the limits of the following claims.

120: input
140: analysis unit
160: classification unit

Claims (7)

An input unit for receiving an application to be analyzed for a production platform;
An analysis unit for selecting a method symbol whose access flag is a native function from the dex file of the application received from the input unit;
And a classification unit for classifying a cross-platform development framework used to create the application by using the information selected by the analysis unit. The method of claim 1, wherein the classification unit,
A feature information extraction device for identifying an application made with a cross-platform development framework, characterized in that the framework in which the application is created is classified based on the following Table 2 according to the native function name of the method symbol selected by the analysis unit.
[Table 2]

The method of claim 1,
The device for extracting feature information for identifying an application produced with a cross-platform development framework, characterized in that the classification unit further uses a class name inheriting WebView or WebViewClient. The method of claim 3, wherein the classification unit,
A feature information extraction device for identifying an application made with a cross-platform development framework, characterized in that the framework in which the application is created is classified according to the native function name of the method symbol selected by the analysis unit based on Table 5 below.
[Table 5]

The method of claim 1,
The analysis unit includes mono, qtproject, QtNative, unity, Cocos2d, ansca, gdx, vuforia, apache, cordova, titanium, appyet, facebook included among native functions, packages, classes, and methods among dex file formats of the application received from the input unit. , react, tns, rhomobile, select any one keyword as a method symbol,
The classification unit classifies the framework in which the application is created as Xamarin if there is mono among the keywords selected by the analysis unit,
If there is qtproject or QtNative among keywords selected by the analysis unit, the classification unit classifies the framework in which the application is created as a Qt project,
If there is unity among the keywords selected by the analysis unit, the classification unit classifies the framework in which the application is created as Unity,
If there is Cocos2d among the keywords selected by the analysis unit, the classification unit classifies the framework in which the application is created as Cocos2d-x,
If there is ansca or corona among the keywords selected by the analysis unit, the classification unit classifies the framework in which the application is created as Corona,
The classification unit classifies the framework in which the application is created as libGDX if there is gdx among the keywords selected by the analysis unit,
If there is vuforia among the keywords selected by the analysis unit, the classification unit classifies the framework in which the application is created as Vuforia,
If there is apache or cordova among the keywords selected by the analysis unit, the classification unit classifies the framework in which the application is created as Cordova,
If there is titanium among the keywords selected by the analysis unit, the classification unit classifies the framework in which the application is created as Titanium,
If there is appyet among the keywords selected by the analysis unit, the classification unit classifies the framework in which the application is created as AppYet,
If there is facebook or react among the keywords selected by the analysis unit, the classification unit classifies the framework in which the application is created as React Native,
If there is tns among the keywords selected by the analysis unit, the classification unit classifies the framework in which the application is created as NativeScript,
The classification unit classifies a framework in which the application is created as RhoMobile if there is rhomobile among keywords selected by the analysis unit. Receiving an application that is an input unit to be analyzed for a production platform;
Selecting, by an analysis unit, a method symbol whose access flag is a native function from the dex file of the application;
Extracting feature information for identifying an application created with a cross-platform development framework, characterized in that it comprises the step of classifying a cross-platform development framework used for creating the application by a classification unit using the information selected by the analysis unit. Way. The method of claim 6,
The classification unit further uses a class name that inherits WebView or WebViewClient. Feature information extraction method for identifying an application produced with a cross-platform development framework.

Images