WO2013137616A1 - Procédé et appareil d'évaluation de permissions requises pour une application - Google Patents

Procédé et appareil d'évaluation de permissions requises pour une application Download PDF

Info

Publication number
WO2013137616A1
WO2013137616A1 PCT/KR2013/001969 KR2013001969W WO2013137616A1 WO 2013137616 A1 WO2013137616 A1 WO 2013137616A1 KR 2013001969 W KR2013001969 W KR 2013001969W WO 2013137616 A1 WO2013137616 A1 WO 2013137616A1
Authority
WO
WIPO (PCT)
Prior art keywords
application
permissions
source code
previously requested
function list
Prior art date
Application number
PCT/KR2013/001969
Other languages
English (en)
Inventor
Ji-Soon Park
Jin-Yung Kim
Yong-ho YOON
Jun-Bum Shin
Kwang-keun YI
Original Assignee
Samsung Electronics Co., Ltd.
Seoul National University R&Db Foundation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Samsung Electronics Co., Ltd., Seoul National University R&Db Foundation filed Critical Samsung Electronics Co., Ltd.
Publication of WO2013137616A1 publication Critical patent/WO2013137616A1/fr

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/60Software deployment
    • G06F8/65Updates
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/70Software maintenance or management
    • G06F8/75Structural analysis for program understanding
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45504Abstract machines for programme code execution, e.g. Java virtual machine [JVM], interpreters, emulators

Definitions

  • the present invention relates to a method and apparatus for evaluating required permissions for an application of a smart device, and more particularly, to a method of evaluating required permissions for an application to be executed in a smart phone, through a static analysis without directly executing the application.
  • smart devices such as smart phones, tablet Personal Computers (PCs), smart TVs, and electronic readers (e.g., a kindle fire).
  • PCs Personal Computers
  • electronic readers e.g., a kindle fire
  • applications use resources, such as location information of a user (or device), to provide a more convenient and useful service than a usual one.
  • an application For an application to access device resources, such as location information, the application needs access permission.
  • applications for smart devices may be largely classified to operate on three platforms: Android of Google, iOS of Apple, and Windows of Microsoft.
  • Android of Google Android of Google
  • iOS of Apple iOS of Apple
  • Windows of Microsoft an application operating on an Android platform will be described as an example.
  • FIG. 1 is a conceptual diagram illustrating an operation of an application on an Android platform.
  • the application on the Android platform operates on a Dalvik virtual machine.
  • a single application is identified using a single user Identification (ID) and operates in a single Sandbox. That is, two or more different applications cannot be theoretically executed on a single Sandbox unless a task for sharing user IDs thereof to be the same is performed.
  • ID user Identification
  • an application executed in a corresponding Sandbox process with no permissions cannot access a system or resources. However, when permissions are properly declared through a manifest file of the application, the application can access resources.
  • an application identified with a user ID 12345 is executed in a first Sandbox 110, and an application identified with a user ID 54321 is executed in a second Sandbox 120.
  • the applications can access resources of which permissions are requested by their corresponding manifest files, respectively.
  • FIG. 2 illustrates a structure of an application 210, and a portion of a manifest file included in the application 210.
  • the application 210 includes a source code file “resources.arcs” and additional information such as “AndroidManifest.xml”.
  • the file “resources.arcs” includes source codes of the application 210, and the file “AndroidManifest.xml” includes additional information such as permission information and active process information.
  • a file “classes.dex” is a file that is format-transformed to byte codes by which class files can operate on a Dalvik virtual machine.
  • a “res” folder includes resources files that are not compiled, and a “META-INF” folder includes signature information of the application 210.
  • the manifest file may include various kinds of information, such as Android version information, source code start position information, and permission information.
  • permissions to be used in the application 210 are requested. That is, the application 210 can use the permissions requested in the manifest file or access resources based on the permissions.
  • the application 210 in FIG. 2 requests for (declares) an Internet access permission and an external storage write permission in the manifest file, so the application 210 can access the Internet and write data in an external storage device.
  • FIG. 3 illustrates an operation of installing and executing an application 310 in a smart device 320.
  • the application 310 e.g., Android application
  • the smart device 320 displays permissions requested by the application 310 by referring to the additional information and allows a user to confirm the permissions.
  • the application 310 requests the smart device 320 for resources required for execution of the application 310 in operation 332, and the smart device 320 determines in operation 334 whether an access permission to the resources is requested (declared) through the manifest file. If the access permission is requested (declared), the application 310 is allowed to access the resources, and if the access permission is not requested (declared), the application 310 is not allowed to access the resources in operation 336.
  • a developer must explicitly request for required permissions for an application one-by-one for the application to operate according to intent. If the application tries to perform a task without a corresponding permission, the task is rejected by a system, so the application may perform an operation that is not intended by the developer, cause an error, be terminated, or cause the system to go down. Thus, the developer must request for all required permissions for the application without omission.
  • the present invention provides a method and apparatus for automatically evaluating and informing of required permissions for an application through a static analysis of the application.
  • the present invention provides a method and apparatus for automatically evaluating and informing of required permissions for an application through a static analysis of the application.
  • FIG. 1 is a conceptual diagram illustrating an operation of an application on an Android platform
  • FIG. 2A illustrates a structure of an application
  • FIG. 2B illustrates a portion of a manifest file
  • FIG. 3 illustrates an operation of installing and executing an application in a smart device
  • FIG. 4 is a block diagram of an apparatus for evaluating required permissions for an application, according to an embodiment of the present invention.
  • FIG. 5 is a conceptual diagram illustrating a process of a permission evaluating unit according to an embodiment of the present invention
  • FIG. 6 is a conceptual diagram illustrating an inclusion relationship among permissions according to an embodiment of the present invention.
  • FIG. 7 is a flowchart illustrating a method of evaluating required permissions for an application, according to an embodiment of the present invention.
  • FIG. 8 is a block diagram of a server for statically evaluating required permissions for an application, according to an embodiment of the present invention.
  • FIG. 9 is a flowchart illustrating a method of statically evaluating required permissions for an application in a server, according to another embodiment of the present invention.
  • FIG. 10 is a block diagram of a smart device according to an embodiment of the present invention.
  • FIG. 11 is an example of evaluating permissions actually used by an application installed in a smart device, according to another embodiment of the present invention.
  • FIG. 12 is a flowchart illustrating a method of evaluating permissions for an application installed in a smart device, according to another embodiment of the present invention.
  • the present invention provides a method and apparatus for automatically evaluating and informing of required permissions for an application through a static analysis of the application.
  • a method of evaluating required permissions for an application executed in a device including: acquiring a source code from the application; generating a function list including at least one function included in the source code; and determining permissions required for the function list when the application is executed in the device.
  • the method may further include: further acquiring additional information including previously requested permission information; and comparing the previously requested permission information with the determined permissions and outputting the comparison result.
  • the additional information may further include start location information of the source code, and the function list may include functions determined to be executable based on a control flow of the source code from the start location.
  • the function list may be a function list obtained by filtering functions determined not to be called when the application is executed by determining a condition included in each of the functions or a function list obtained by filtering functions determined not to be called by a virtual call when the application is executed by determining a type of each of the functions, from among the functions determined to be executable.
  • the previously requested permission information may be included in a manifest file, and if the previously requested permission information does not match with the determined permissions, the method may further include generating an updated manifest file based on the determined permissions.
  • an apparatus for evaluating required permissions for an application executed in a device including: an application acquisition unit for acquiring a source code from the application; a control flow analysis unit for generating a function list including at least one function included in the source code; and a permission evaluating unit for determining permissions required for the function list when the application is executed in the device.
  • a method of evaluating required permissions for an application in a server including: receiving the application from a developer device; acquiring a source code of the application and additional information including previously requested permission information from the application; generating a function list including at least one function included in the source code; determining permissions required for the function list when the application is executed; and comparing the previously requested permission information with the determined permissions, registering the application in the server if the previously requested permission information matches with the determined permissions, and transmitting the comparison result to the developer device if the previously requested permission information does not match with the determined permissions.
  • the method may further include updating the additional information based on the determined permissions if the previously requested permission information does not match with the determined permissions.
  • a server for evaluating required permissions for an application including: an application receiver for receiving the application from a developer device; an application acquisition unit for acquiring a source code of the application and additional information including previously requested permission information from the application; a control flow analysis unit for generating a function list including at least one function included in the source code; a permission evaluating unit for determining permissions required for the function list when the application is executed; and an application registering unit for registering the application in the server, wherein the permission evaluating unit transmits a comparison result to the developer device if the previously requested permission information does not match with the determined permissions, and the application registering unit registers the application in the server if the previously requested permission information matches with the determined permissions.
  • a method of evaluating required permissions for an application in a smart device including: calling at least one application installed in the smart device; allowing a user to select at least one application from among the called at least one application; acquiring a source code of each application and additional information including previously requested permission information from the selected at least one application; generating a function list including at least one function included in the source code; determining permissions required for the function list when the application is executed; and comparing the previously requested permission information with the determined permissions and displaying the comparison result on a screen of the smart device.
  • the method may further include transmitting the comparison result to a developer device or an application providing server.
  • a smart device for evaluating required permissions for an application
  • the smart device including: an application calling unit for calling at least one application installed in the smart device and allowing a user to select at least one application from among the called at least one application; an application acquisition unit for acquiring a source code of each application and additional information including previously requested permission information from the selected at least one application; a control flow analysis unit for generating a function list including at least one function included in the source code; a permission evaluating unit for determining permissions required for the function list when the application is executed and comparing the previously requested permission information with the determined permissions; and a display unit for displaying the comparison result on a screen of the smart device.
  • the smart device may further include a transmitter for transmitting the comparison result to a developer device or an application providing server.
  • a computer-readable recording medium storing a computer-readable program for executing the methods.
  • the term "and/or” includes any and all combinations of one or more of the associated listed items. Expressions such as “at least one of,” when preceding a list of elements, modify the entire list of elements and do not modify the individual elements of the list.
  • FIG. 4 is a block diagram of an apparatus 400 for evaluating required permissions for an application, according to an embodiment of the present invention.
  • the apparatus 400 includes an application acquisition unit 410, a control flow analysis unit 420, and a permission evaluating unit 430.
  • an application is provided in a package form including a program source code of the application and additional information of the application, which includes signature information, authentication information, and permission information.
  • the application acquisition unit 410 may extract a source code and additionally acquire additional information from an application.
  • the source code may include “resources.arsc”
  • the additional information may include folders, such as “META-INF”, and the “AndroidManifest .xml” file in which components of the application 210 and an input configuration required for the application 210 are registered.
  • the apparatus 400 may read an application installed in a smart device (not shown) from a storage space of the smart device.
  • the apparatus 400 may receive an application from an external server connected via a wired/wireless network.
  • the apparatus 400 may further include an application receiver (not shown).
  • the apparatus 400 can evaluate required permissions for an application for a smart device by receiving the application from a developer device even though the developer device is not a smart device.
  • the application acquisition unit 410 may transform a source code of an acquired application to an assembly code suitable for a platform on which the application is executed. Alternatively, the application acquisition unit 410 may extract a source code transformed to a proper assembly code from the application. In a case of an Android platform, the application acquisition unit 410 may acquire a source code of an application in a byte code form of a Dalvik virtual machine.
  • the control flow analysis unit 420 may analyze the source code or the assembly code of the application (hereinafter, for convenience of description, referred to as the source code).
  • the source code includes a plurality of functions and/or instructions (hereinafter, referred to as the functions), and each of the functions may call a library function of a virtual machine or a device. Some library functions may need specific permissions.
  • the control flow analysis unit 420 may basically extract the functions included in the source code and generate a list of the extracted functions. In addition, the control flow analysis unit 420 may generate a function list by filtering functions not to be called or executed when the application is executed from among the functions included in the source code.
  • the filtering operation includes control flow analysis, internal state tracking for excluding a dead code, and function type analysis for responding to a virtual call.
  • control flow analysis unit 420 may perceive a start point of the source code of the application by using the additional information such as a manifest file and may analyze an execution order of functions reachable from the start point and whether the functions reachable from the start point are called.
  • control flow analysis unit 420 since it is difficult to correctly perceive functions called when the application is executed without executing the application, the control flow analysis unit 420 subsumes all actual execution results through a static analysis to analyze whether the functions included in the source code are actually called. In this case, to increase the accuracy and efficiency of the analysis, the control flow analysis unit 420 may perform both call path tracking and internal state tracking. That is, although the control flow analysis checks an execution order and all possible paths in executing a single program, since a program source generally includes a conditional jump or a loop syntax, such as goto, if-else, case, switch, for, or while, when a value that a variable may have is traced in a case of a conditional jump, functions that are not actually executed or called exist.
  • control flow analysis unit 420 may ignore this dead code and analyze only codes of conditions 1 and 2 as actual call functions.
  • the source code may include a function to be called, which is determined when the application is executed. For example, when child classes B, C, and D, which have inherited class A having Method M, decide on Method M, which one function of B.M(), C.M(), D.M() is a function to which a Method called A.M() from among codes is transcribed is determined in the execution of the application.
  • the control flow analysis unit 420 may also perform the function type analysis including function inheritance relationship tracking and function type transform tracking to respond to such a virtual call. In the above example, if it is assumed that the Method called A.M() is transcribed to B.M(), the control flow analysis unit 420 may perform the control flow analysis by excluding the functions of C.M() and D.M() from functions to be actually called.
  • the permission evaluating unit 430 may analyze library functions that are called by functions that the application actually reaches based on the analysis result of the control flow analysis unit 420. In addition, the permission evaluating unit 430 may output required permissions for libraries needing specific permissions from among the library functions. The permission evaluating unit 430 will be described in detail with reference to FIG. 5 below.
  • FIG. 5 is a conceptual diagram illustrating a process of the permission evaluating unit 430 according to an embodiment of the present invention.
  • the control flow analysis unit 420 analyzes actually reaching functions 520 from among all functions 510 included in an application and provide the actually reaching functions 520 to the permission evaluating unit 430.
  • Functions 04, 06, and 09 are included in a source code of the application, Functions 04, 06, and 09 correspond to functions that are not actually executed or called.
  • the permission evaluating unit 430 may evaluate library functions 530 called by the actually reaching functions 520 and corresponding permissions 540.
  • library functions Library A to Library F corresponding to Functions 01 to 03, 05, 07, and 08 are analyzed. Then, permissions requested by the functions remaining by excluding Library D that does not request for a specific permission from Library A to Library F are evaluated.
  • permissions of CALL_PHONE, CAMERA, INTERNET, READ_LOGS, and SEND_SMS are used.
  • permissions of DIAGNOSTIC and REBOOT are set in the source code, the permissions of DIAGNOSTIC and REBOOT are not used in actual execution of the application.
  • FIG. 6 is a conceptual diagram illustrating an inclusion relationship among permissions according to an embodiment of the present invention.
  • FIG. 6 shows an inclusion relationship among all permissions 610 previously requested (declared) in additional information, permissions 620 required for functions included in a source code of an application, and permissions 630 determined to be actually necessary in executing the application, which are derived through a control flow analysis and permission evaluation. All the permissions 610 previously requested in the additional information may be permissions requested by a manifest file on an Android platform.
  • FIG. 6 shows that the permissions 610 requested in the additional information include the permissions 620 actually required to execute the application.
  • the apparatus 400 may compare the previously requested permissions 610 with a list of the permissions 630 determined to be necessary in executing the application and inform of a comparison result, i.e., not only unnecessarily requested permissions but also permissions that are required to execute the application but excluded from the additional information.
  • the permission evaluating unit 430 may output all the evaluation results or only a necessary permission list.
  • the permission evaluating unit 430 may output a list of permissions to be deleted from the additional information and/or a list of permissions to be added to the additional information. In addition, the permission evaluating unit 430 may update the additional information based on the evaluation results. In addition, the permission evaluating unit 430 may generate and provide a code corresponding to a permission setup part in a form suitable for a platform on which a corresponding application operates.
  • FIG. 7 is a flowchart illustrating a method of evaluating required permissions for an application, according to an embodiment of the present invention.
  • the application acquisition unit 410 acquires a source code and/or additional information required to analyze an application from the application.
  • the application acquisition unit 410 may transform the source code of the application to an assembly code suitable for a platform on which the application is executed.
  • the control flow analysis unit 420 generates a function list including at least one function from among functions included in the source code.
  • the control flow analysis unit 420 may perceive a start point of the application by using the additional information such as a manifest file and analyze an execution order of reachable functions in execution of the application and whether the reachable functions are called by analyzing a control flow from the start point.
  • the control flow analysis unit 420 may filter functions not to be called through internal state tracking of the source code.
  • control flow analysis unit 420 may filter functions not to be transcribed by analyzing functions that are actually transcribed in a virtual call through a function type analysis.
  • permissions actually required to execute the application are evaluated based on the function list generated in operation 720.
  • the method may further include receiving an application when an application is received from an external server.
  • the permission evaluation result of the application may be displayed using a display unit of a device.
  • required permissions for an application to be executed can be easily perceived through a static analysis of a source code of the application without actually executing the application.
  • an application developer may prevent an outflow of sensitive information, such as personal information, by developing an application with declaring only positively necessary permissions.
  • FIG. 8 is a block diagram of a server 800 for statically evaluating required permissions for an application, according to an embodiment of the present invention.
  • the server 800 may be an online market place/store.
  • the server 800 includes an application receiver 810, an application acquisition unit 820, a control flow analysis unit 830, a permission evaluating unit 840, and an application registering unit 850.
  • the same description as described above in association with the server 800 will be omitted or roughly made.
  • the application receiver 810 receives an application 310 from an application developer device 870.
  • the application acquisition unit 820 acquires a source code and additional information of the application 310 from the application 310.
  • the additional information may include previously requested permission information, and the permission information may be included in a manifest file.
  • the control flow analysis unit 830 analyzes functions included in the source code of the application 310 and a control flow of the source code and generates a function list including at least one function from among the functions included in the source code.
  • the permission evaluating unit 840 determines required permissions for the function list and compares the required permissions with the previously requested permission information.
  • the permission evaluating unit 840 provides the comparison result to the application developer device 870.
  • the application registering unit 850 registers an available application list in a consumer device 880 or registers the application 310 in the market place which is provided by the server 800 if the permissions requested in the additional information matches with a permission list required to actually execute the application 310.
  • the permission evaluating unit 840 may update the permission information included in the additional information of the application 310 and provide the updated application to the application registering unit 850 instead of providing an evaluation result to the application developer device 870.
  • the permissions can be informed to the application developer device 870 or the additional information can be updated to include the permissions.
  • FIG. 9 is a flowchart illustrating a method of statically evaluating required permissions for an application in a server, according to another embodiment of the present invention.
  • an application is received from an application developer device.
  • a source code and additional information are acquired from the application.
  • a function list is generated based on a control flow analysis of the source code.
  • permissions required to execute the application are determined, and the required permissions are compared with previously requested permission information included in the additional information.
  • operation 950 as a result of the comparison, if the permissions required to actually execute the application match with the permissions requested in the additional information, the method proceeds to operation 960. Otherwise, if the permissions required to actually execute the application do not match with the permissions requested in the additional information, the method proceeds to operation 970 or 980.
  • the application is registered in a market place provided by the server, and the method ends.
  • an evaluation result is transmitted to the application developer device.
  • the additional information is updated to include only permissions required to execute the application based on the evaluation result, and the updated application is registered in the market place provided by the server in operation 960.
  • an application providing server may also provide a user with an application for which only positively necessary permissions to execute the application are requested, and the user may also rely on the application providing server and download and use the application.
  • FIG. 10 is a block diagram of a smart device 1000 according to an embodiment of the present invention.
  • the smart device 1000 includes an application calling unit 1010, an application acquisition unit 1020, a control flow analysis unit 1030, a permission evaluating unit 1040, and a display unit 1050.
  • the application calling unit 1010 calls at least one application installed in the smart device 1000.
  • the application calling unit 1010 may call all applications installed in the smart device 1000 or call all applications except for applications evaluated that permissions previously requested in additional information match with permissions actually usable by each application.
  • the application calling unit 1020 acquires a source code and additional information of each of the called at least one application
  • the control flow analysis unit 1030 generates a function list by analyzing a control flow of the application based on the acquired information
  • the permission evaluating unit 1040 determines permissions actually used by the application based on the function list and evaluates whether the permissions actually used by the application with the permissions previously requested in the additional information.
  • the above-described process may be performed for each of all called applications or for only applications selected by a user from among all the called applications.
  • the display unit 1050 displays the evaluation result on a display screen of the smart device 1000.
  • FIG. 11 is an example of evaluating permissions actually used by an application installed in the smart device 1000, according to another embodiment of the present invention.
  • a plurality of applications 1110 such as “KAKAO Talk” and “ChatOn”, are called.
  • an evaluation (verification) result 1120 through a static analysis is displayed. That is, “CAMERA”, “FLASHLIGHT”, and “NFC” are permissions that are not actually used from among permissions declared in additional information.
  • the user may feed the evaluation result 1120 back to a developer or an application providing server or delete the application “ChatOn”.
  • FIG. 12 is a flowchart illustrating a method of evaluating permissions for an application installed in the smart device 1000, according to another embodiment of the present invention.
  • operation 1210 at least one application is called by the smart device 1000.
  • operation 1220 it is allowed for a user to select an application for which permissions are evaluated from among the called at least one application.
  • operation 1230 a source code and additional information of the selected application are acquired, and in operation 1240, a control flow of the application is analyzed using the source code and the additional information, and a function list is generated.
  • permissions required to execute the application are evaluated based on the function list, and in operation 1260, an evaluation result is displayed on a display screen of the smart device 1000.
  • operations 1230 to 1250 may be repeatedly performed for all applications called in operation 1210 or for one or more selected applications from among the called applications.
  • the method may further include feeding the evaluation result back to a developer device or an application providing server or deleting an application.
  • a user can call an application installed in a smart device of the user and easily perceive what permissions the application can actually use and what resources the application can access.
  • the problem that the user can check required permissions for an application only when the application is installed and cannot perceive what permissions the application actually uses or what resources the application accesses when the application is executed is solved.
  • the problem that even permissions unnecessary to execute an application are excessively set can be solved by feeding an evaluation result back to a developer or an application providing server or deleting the application based on the evaluation result.
  • required permissions for an application to be executed can be easily perceived through a static analysis of a source code of the application without actually executing the application.
  • an application developer may prevent an outflow of sensitive information, such as personal information and location information, through an application by developing the application with declaring only positively necessary permissions.
  • contents to be updated from additional information may be informed so that only permissions required to execute the application are requested for in a process of registering the application in a server providing applications, or the server may automatically update the additional information.
  • the application providing server may also provide a user with an application for which only positively necessary permissions to execute the application is requested, and the user may also rely on the application providing server and download and use the application.
  • a user can call an application installed in a smart device of the user and easily perceive what permissions the application can actually use and what resources the application can access.
  • the problem that the user can check required permissions for an application only when the application is installed and cannot perceive what permissions the application actually uses or what resources the application accesses when the application is executed is solved.
  • the problem that even permissions unnecessary to execute an application are excessively set can be solved by feeding an evaluation result back to a developer or an application providing server or deleting the application based on the evaluation result.
  • processors may be provided through the use of not only hardware capable of executing software in association with proper software but also exclusive hardware.
  • the functions may be provided by a single exclusive processor, a single shared processor, or a plurality of individual processors some of which can be shared.
  • the explicit use of the term “processor” or “controller” should not be analyzed to exclusively denote hardware capable of executing software and may implicitly include Digital Signal Processor (DSP) hardware, a Read Only Memory (ROM) for storing software, a Random Access Memory (RAM), and a nonvolatile storage device without any limitation.
  • DSP Digital Signal Processor
  • ROM Read Only Memory
  • RAM Random Access Memory
  • an element represented as a means for performing a specific function generally includes an arbitrary method of performing the specific function, and such an element may include a set of circuit elements for performing a specific function or an arbitrary form of software including firmware and microcode combined with a circuit suitable to perform software for performing the specific function.
  • an embodiment of principles of the present invention and various modifications of this expression indicate that a specific feature, structure, and characteristic associated with the embodiment are included in at least one embodiment of the principles of the present invention.
  • the expression ‘in an embodiment’ and arbitrary other modified embodiments disclosed over all the specification do not necessarily indicate the same embodiment.
  • the expression ‘at least one of’ in a case of ‘at least one of A and B’ is used to generally include only selection of the first option A, only selection of the second option B, or selection of both the options A and B.
  • a case of ‘at least one of A, B, and C’ may generally include only selection of the first option A, only selection of the second option B, only selection of the third option C, only selection of the first and second options A and B, only selection of the second and third options B and C, or selection of all the three options A, B, and C.

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Stored Programmes (AREA)

Abstract

L'invention concerne un procédé et un appareil d'évaluation de permissions requises pour une application d'un dispositif intelligent. L'invention concerne un procédé, un appareil et un support d'enregistrement lisible par ordinateur pour acquérir un code source à partir de l'application, générer une liste de fonctions comprenant au moins une fonction incluse dans le code source, et déterminer des permissions requises pour la liste de fonctions lorsque l'application est exécutée dans le dispositif intelligent.
PCT/KR2013/001969 2012-03-12 2013-03-12 Procédé et appareil d'évaluation de permissions requises pour une application WO2013137616A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020120025228A KR101900047B1 (ko) 2012-03-12 2012-03-12 애플리케이션이 필요로 하는 권한을 진단하는 방법 및 장치
KR10-2012-0025228 2012-03-12

Publications (1)

Publication Number Publication Date
WO2013137616A1 true WO2013137616A1 (fr) 2013-09-19

Family

ID=49161453

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2013/001969 WO2013137616A1 (fr) 2012-03-12 2013-03-12 Procédé et appareil d'évaluation de permissions requises pour une application

Country Status (2)

Country Link
KR (1) KR101900047B1 (fr)
WO (1) WO2013137616A1 (fr)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3057026A1 (fr) * 2015-02-16 2016-08-17 Samsung Electronics Co., Ltd. Dispositif électronique pour l'exécution d'application et procédé de commande de celui-ci
US9679162B2 (en) 2014-02-24 2017-06-13 Google Inc. Application permission settings
US10114973B2 (en) 2014-05-22 2018-10-30 Google Llc Protecting user privacy from intrusive mobile applications
CN111259374A (zh) * 2020-01-08 2020-06-09 苏宁云计算有限公司 权限异常检测方法、装置、计算机设备和存储介质
EP3748494A1 (fr) * 2019-06-06 2020-12-09 BlackBerry Limited Outil d'analyse d'un package de distribution logicielle

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102258915B1 (ko) * 2019-08-28 2021-06-01 한국과학기술원 소프트웨어 정의 네트워크에서 애플리케이션의 최소 권한 판별 장치 및 그 방법
KR20220132945A (ko) * 2021-03-24 2022-10-04 삼성전자주식회사 어플리케이션의 권한 제어 방법 및 이를 지원하는 전자 장치
KR20230040158A (ko) * 2021-09-15 2023-03-22 삼성전자주식회사 설치 파일에 대한 권한을 분석하기 위한 전자 장치 및 그 동작 방법
KR20230075777A (ko) * 2021-11-23 2023-05-31 삼성전자주식회사 애플리케이션 보안을 위한 방법, 및 그 방법을 수행하는 전자 장치

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001098876A2 (fr) * 2000-06-21 2001-12-27 Microsoft Corporation Filtrage d'une serie de permissions au moyen de demandes de permission associees a l'ensemble de codes
WO2006071430A2 (fr) * 2004-12-23 2006-07-06 Motorola, Inc. Gestion dynamique pour autorisations d'acces a une interface
WO2009129535A2 (fr) * 2008-04-18 2009-10-22 Vivotech Inc. Systèmes, procédés, et produits de programme informatique pour supporter de multiples applications sans contact à l’aide de clés de sécurité différentes
EP2163986A2 (fr) * 2001-05-31 2010-03-17 Qualcom Incorporated Distribution d'applications sécurisée et exécution dans un environnement sans fil
US7743407B2 (en) * 2001-08-13 2010-06-22 Qualcomm Incorporated Using permissions to allocate device resources to an application

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4274227B2 (ja) * 2006-10-26 2009-06-03 コニカミノルタビジネステクノロジーズ株式会社 画像処理装置及びプログラム

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001098876A2 (fr) * 2000-06-21 2001-12-27 Microsoft Corporation Filtrage d'une serie de permissions au moyen de demandes de permission associees a l'ensemble de codes
EP2163986A2 (fr) * 2001-05-31 2010-03-17 Qualcom Incorporated Distribution d'applications sécurisée et exécution dans un environnement sans fil
US7743407B2 (en) * 2001-08-13 2010-06-22 Qualcomm Incorporated Using permissions to allocate device resources to an application
WO2006071430A2 (fr) * 2004-12-23 2006-07-06 Motorola, Inc. Gestion dynamique pour autorisations d'acces a une interface
WO2009129535A2 (fr) * 2008-04-18 2009-10-22 Vivotech Inc. Systèmes, procédés, et produits de programme informatique pour supporter de multiples applications sans contact à l’aide de clés de sécurité différentes

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9679162B2 (en) 2014-02-24 2017-06-13 Google Inc. Application permission settings
US10114973B2 (en) 2014-05-22 2018-10-30 Google Llc Protecting user privacy from intrusive mobile applications
EP3057026A1 (fr) * 2015-02-16 2016-08-17 Samsung Electronics Co., Ltd. Dispositif électronique pour l'exécution d'application et procédé de commande de celui-ci
US10360375B2 (en) 2015-02-16 2019-07-23 Samsung Electronics Co., Ltd Electronic device for executing application and method of controlling same
EP3748494A1 (fr) * 2019-06-06 2020-12-09 BlackBerry Limited Outil d'analyse d'un package de distribution logicielle
CN111259374A (zh) * 2020-01-08 2020-06-09 苏宁云计算有限公司 权限异常检测方法、装置、计算机设备和存储介质
WO2021139139A1 (fr) * 2020-01-08 2021-07-15 苏宁云计算有限公司 Procédé et appareil de détection d'anomalie d'autorisation, dispositif informatique et support de stockage
CN111259374B (zh) * 2020-01-08 2021-10-12 南京苏宁加电子商务有限公司 权限异常检测方法、装置、计算机设备和存储介质

Also Published As

Publication number Publication date
KR20130116409A (ko) 2013-10-24
KR101900047B1 (ko) 2018-09-18

Similar Documents

Publication Publication Date Title
WO2013137616A1 (fr) Procédé et appareil d'évaluation de permissions requises pour une application
CN109918055B (zh) 一种应用程序的生成方法及设备
KR101456489B1 (ko) CLDC OSGi 환경에서 어플리케이션의 접속 권한을관리하는 방법 및 장치
US9495543B2 (en) Method and apparatus providing privacy benchmarking for mobile application development
US9525706B2 (en) Apparatus and method for diagnosing malicious applications
CN109002297B (zh) 共识机制的部署方法、装置、设备和存储介质
EP2626803A1 (fr) Dispositif et procédé de traitement d'informations destinés à empêcher une coopération d'applications non autorisée
US11726799B2 (en) Preventing framework conflicts for multi-OS applications
US10824410B2 (en) Method and equipment for executing a file
WO2019164205A1 (fr) Dispositif électronique et son procédé de fonctionnement
CN105224869A (zh) 组件测试方法和装置
WO2013165180A1 (fr) Procédé de suivi de journaux, serveur associé et support d'enregistrement
WO2013137615A1 (fr) Procédé et appareil de détection d'une fuite d'une ressource d'informations d'un dispositif
WO2019182335A1 (fr) Dispositif électronique et procédé de commande de mise à jour de dispositif électronique
WO2018199366A1 (fr) Procédé et système permettant de détecter si un obscurcissement a été appliqué à un fichier dex et d'évaluer la sécurité
KR102352265B1 (ko) 웹 애플리케이션 개발 플랫폼 제공 시스템 및 방법
WO2019147101A1 (fr) Dispositif électronique de classification de code malveillant et son procédé de fonctionnement
WO2019160323A1 (fr) Procédé de gestion de données associées à une application et dispositif électronique correspondant
WO2020022616A1 (fr) Dispositif électronique et son procédé de fonctionnement
US9953157B2 (en) Method and apparatus for protecting application program
WO2016190485A1 (fr) Procédé de blocage d'accès non autorisé aux données, et dispositif informatique doté de cette fonction
CN110297639A (zh) 用于检测代码的方法和装置
WO2017115976A1 (fr) Procédé et dispositif de blocage d'un site nuisible en utilisant un événement d'accessibilité
WO2016159484A1 (fr) Procédé et appareil permettant de partager un contenu personnalisé à l'aide d'informations d'utilisateur de terminal mobile
WO2020071636A1 (fr) Dispositif électronique fournissant un service en nuage et son procédé de fonctionnement

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13760845

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13760845

Country of ref document: EP

Kind code of ref document: A1