WO2020192179A1 - Security detection method, device and system based on ios application - Google Patents


Info

Publication number
WO2020192179A1
Authority
WO
WIPO (PCT)
Prior art keywords
target application
type
application
target
evaluation result
Prior art date
Application number
PCT/CN2019/123870
Other languages
French (fr)
Chinese (zh)
Inventor
汪德嘉
邵根波
钱潇龄
孟啸龙
Original Assignee
江苏通付盾信息安全技术有限公司
Priority date
Filing date
Publication date

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection

Definitions

  • the invention relates to the technical field of computer software, in particular to a security detection method, device and system based on iOS applications.
  • the methods for jailbreaking iPhone devices are becoming easier and easier, and mobile applications on the iOS platform face a growing threat. Therefore, various security tests need to be conducted on iOS applications, and developers need to apply various security protections to them. At this stage, there is a large gap in the security testing market for iOS applications.
  • the present invention is proposed in order to provide a security detection method, device and system based on iOS applications that overcome the above problems or at least partially solve the above problems.
  • a security detection method for iOS applications including:
  • judging, according to the first evaluation result and the second evaluation result, whether the target application is safe.
  • a security detection device for iOS applications including:
  • the first evaluation result determination module obtains the application symbol table corresponding to the target application, matches the type keywords corresponding to the preset detection type with the application symbol table, and determines the first evaluation result corresponding to the target application according to the number and/or character weight of the successfully matched target keywords;
  • the second evaluation result determination module sends the dynamic test instruction corresponding to the preset function to the target application, and determines the second evaluation result corresponding to the target application according to the test response result returned by the target application for the dynamic test instruction and at least two pre-configured expected response results corresponding to that instruction;
  • the target application safety judgment module judges whether the target application is safe according to the first evaluation result and the second evaluation result.
  • a security detection system for iOS applications including the above-mentioned security detection device.
  • an electronic device including: a processor, a memory, a communication interface, and a communication bus.
  • the processor, the memory, and the communication interface communicate with each other through the communication bus;
  • the memory is used to store at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the above-mentioned iOS application security detection method.
  • a computer storage medium is provided, and at least one executable instruction is stored in the storage medium.
  • the executable instruction causes a processor to perform the operations corresponding to the above-mentioned iOS application security detection method.
  • an application symbol table corresponding to the target application is acquired, the type keywords corresponding to the preset detection types are matched with the application symbol table, and the first evaluation result corresponding to the target application is determined according to the number and/or character weight of the successfully matched target keywords; the dynamic test instruction corresponding to the preset function is sent to the target application, and the second evaluation result corresponding to the target application is determined from the test response result returned for the dynamic test instruction and the at least two pre-configured expected response results corresponding to it; whether the target application is safe is then judged according to the first evaluation result and the second evaluation result, which improves the accuracy of the evaluation.
  • Fig. 1 shows a flowchart of a security detection method for an iOS application according to the first embodiment
  • FIG. 2 shows a flowchart of a security detection method for iOS applications according to the second embodiment
  • FIG. 3 shows a structural diagram of an iOS application security detection device according to the third embodiment
  • Fig. 4 shows a schematic structural diagram of an electronic device according to an embodiment of the present invention.
  • Fig. 1 shows a flowchart of a method for security detection of a target application according to the first embodiment. As shown in Figure 1, the method includes the following steps:
  • Step S110: Obtain an application symbol table corresponding to the target application, match the acquired type keywords corresponding to the preset detection type with the application symbol table, and determine the first evaluation result corresponding to the target application according to the number and/or character weight of the successfully matched target keywords.
  • the execution subject of the present invention can take several forms: for example, a security software client installed on the mobile terminal where the target application is located, or a security test terminal or security test server that can communicate with that mobile terminal.
  • the target application is the application to be detected, and the application is an iOS application.
  • the application file of the target application is obtained, the application file of the target application is decompiled to obtain the decompiled code, and various types of application symbol tables are extracted from the decompiled code.
  • the application symbol table specifically includes: a static symbol table, a dynamic symbol table, and/or a string table.
  • the preset keyword data table specifically includes: the mapping relationship between the detection type and the type keyword and the priority between the detection types.
  • for the leak detection type, for example, the corresponding type keywords are NSLog, print, printf and write.
  • if a type keyword appears in the application symbol table, it is extracted as a target keyword and stored in the type set in the background database.
  • a corresponding type set is set for each detection type, and each extracted target keyword is stored in the type set corresponding to the detection type of that target keyword.
  • the type set can be implemented as a list, a file, a data packet, a type-set package or a similar structure.
  • the type keywords NSLog, print, printf and write corresponding to the leak detection type are obtained and matched with the application symbol table; if NSLog and print are found in the application symbol table,
  • the type keywords NSLog and print are stored in the type set corresponding to the anti-leak detection type in the background database.
  • if no type keyword is matched, the type set is empty and the number of target keywords in the type set is 0.
  • the type evaluation score of each type set and the type weight of each type set determine the first evaluation result score of the target application.
  • the first evaluation result of the target application is divided into 3 levels. When the first evaluation result score of the target application is between 0 and 3 (excluding 3 points), the first evaluation result of the target application is low; when the score is between 3 and 7 (excluding 7 points), the first evaluation result is medium; when the score is between 7 and 10, the first evaluation result is high.
  • Step S120: Send the dynamic test instruction corresponding to the preset function to the target application, and determine the second evaluation result corresponding to the target application according to the test response result returned by the target application for the dynamic test instruction and the at least two pre-configured expected response results corresponding to that instruction.
  • the dynamic test instruction is used to configure the preset function of the target application to realize the test of the preset function.
  • the specific type and implementation mode of the dynamic test instruction can be flexibly set according to different types of preset functions.
  • the dynamic test instruction may be various instructions such as an anti-reverse test instruction.
  • the preset reverse test instruction table is obtained from the background database; the table stores each anti-reverse function, the anti-reverse test instructions corresponding to each anti-reverse function, and/or the priority between the anti-reverse test instructions, and each anti-reverse test instruction stored in the table is sent to the target application.
  • the test response result corresponding to each anti-reverse test instruction is obtained, and the test response result is stored in the test response set in the background database.
  • the test response result specifically includes: the response made by the device where the target application is located to the operation corresponding to each anti-reverse test instruction.
  • the test response set can be implemented as a list, a file, a data packet, a test-response package or a similar structure.
  • the anti-debugging operation corresponding to the anti-debugging anti-reverse test instruction is executed: on the command line of the device where the target application is located, the command "debugserver *:12349 -a <application process ID>" is run, and the device where the target application is located returns its test response to the anti-debugging operation.
  • the expected response result corresponding to the anti-reverse test instruction is pre-stored in the background database, and at least two types of expected response results corresponding to the anti-reverse test instruction are queried. Among them, the corresponding expected response results are set for the anti-reverse test.
  • the pre-configured at least two expected response results corresponding to the anti-reverse test instruction include: an anti-debugging expected response result, used to indicate that the target application has the anti-debugging function, and a non-anti-debugging expected response result, used to indicate that the target application does not have the anti-debugging function.
  • the test response result is matched with at least two expected response results, and the second evaluation result corresponding to the target application is determined according to the matching result.
  • the test response result is matched against the anti-debugging expected response result (indicating that the target application has the anti-debugging function) and the non-anti-debugging expected response result (indicating that it does not).
  • if the anti-debugging anti-reverse test response result matches the anti-debugging expected response result, the target application has the anti-debugging anti-reverse function and the second evaluation result of the target application is high;
  • if the anti-reverse test response result matches the non-anti-debugging expected response result, the target application does not have the anti-debugging function and the second evaluation result of the target application is low.
  • Step S130 Judging the security level of the target application according to the first evaluation result and the second evaluation result.
  • the first evaluation result is used to reflect the static security of the application from the perspective of static testing
  • the second evaluation result is used to reflect the dynamic security of the application from the perspective of dynamic testing.
  • the specific meaning and acquisition method of the first evaluation result and the second evaluation result can be flexibly configured by those skilled in the art. Judging whether the target application is safe from the combination of the first evaluation result and the second evaluation result evaluates the security of the application more comprehensively and gives a more accurate result. For example, when the first evaluation result and the second evaluation result are both high, the security level of the target application is high; when either of them is low, the security level of the target application is low; in all other cases, the security level of the target application is medium.
  • the first evaluation result corresponding to the static test and the second evaluation result corresponding to the dynamic test in this embodiment evaluate the security of the application in full, avoid the drawbacks of a single-dimensional evaluation method, and make the evaluation result more accurate.
  • Fig. 2 shows a flowchart of a security detection method for iOS applications according to the second embodiment.
  • This embodiment implements comprehensive security detection of the target application from two dimensions of static testing and dynamic testing.
  • the detection types covered by the iOS application detection tools on the market are not comprehensive: they do not fully consider security testing of the target application's anti-reverse functions, data protection level, and operating environment security.
  • when security testing is performed purely from the perspective of static code, the test results obtained are not accurate. Therefore, anti-debugging, anti-hooking, anti-injection, data security protection and operating environment security all need to be tested from both the static and the dynamic dimension.
  • the method includes the following steps:
  • Step S210 Obtain an application symbol table corresponding to the target application, so as to match the acquired type keyword corresponding to the preset detection type with the application symbol table.
  • the application file of the target application is obtained, the application file of the target application is decompiled to obtain the decompiled code, and various types of application symbol tables are extracted from the decompiled code.
  • the application symbol table specifically includes: a static symbol table, a dynamic symbol table, and/or a string table. The preset keyword data table is obtained from the back-end database and traversed; each detection type stored in the keyword data table and the type keywords corresponding to each detection type are obtained, and the obtained type keywords are matched with the application symbol table.
  • the preset keyword data table specifically includes: the mapping relationship between the detection type and the type keyword and the priority between the detection types.
  • the preset detection type is at least one of the following ten types as an example for description:
  • the first detection type is the leak-proof type:
  • the anti-leakage type is used to detect whether the target application has the function of preventing log leakage.
  • the NSLog, print, printf and write keywords are indicative of whether the target application has the function of preventing log leakage.
  • the keywords NSLog, print, printf and write all denote printing logs. The more often they appear, the higher the risk of log leakage of the target application and the weaker its function of preventing log leakage. Therefore, the NSLog, print, printf and write keywords are preset as the type keywords corresponding to the leak-proof type.
  • the second detection type is the sensitive word type:
  • the sensitive word type is used to detect the function of preventing key information leakage of the target application.
  • the keywords encrypt, decrypt, login, password, title and name are indicative of whether the target application has the function of preventing key information leakage.
  • the keywords encrypt, decrypt, login, password, title and name denote encryption, decryption, login, password, title and name respectively.
  • the more often the keywords encrypt, decrypt, login, password, title and name appear, the higher the risk of key information leakage of the target application and the weaker its function of preventing key information leakage. Therefore, these keywords are preset as the type keywords corresponding to the sensitive word type.
  • the third detection type is the code obfuscation type:
  • the code obfuscation type is used to detect whether the application file of the target application has code obfuscation.
  • the didFinishLaunchingWithOptions and viewDidLoad keywords are indicative of whether the application file of the target application has been code-obfuscated. The more often these keywords appear in the clear, the greater the likelihood that the target application's code has not been obfuscated. Therefore, the didFinishLaunchingWithOptions and viewDidLoad keywords are preset as the type keywords corresponding to the code obfuscation type.
  • the fourth detection type is the jailbreak detection type:
  • the jailbreak detection type is used to detect whether the device where the target application is located is jailbroken.
  • the keywords /Applications/Cydia.app, /etc/ssh/sshd_config, /usr/libexec/ssh-keysign, /usr/sbin/sshd, /bin/sh, /bin/bash, /etc/apt and /Library/MobileSubstrate/MobileSubstrate.dylib are indicative of whether the device where the target application is located is jailbroken.
  • the keywords /Applications/Cydia.app, /etc/ssh/sshd_config, /usr/libexec/ssh-keysign, /usr/sbin/sshd, /bin/sh, /bin/bash, /etc/apt and /Library/MobileSubstrate/MobileSubstrate.dylib are preset as the type keywords corresponding to the jailbreak detection type.
  • the fifth detection type is the proxy detection type:
  • the proxy detection type is used to detect whether there is a network proxy during the operation of the target application.
  • the kCFProxyTypeNone keyword is indicative of whether a network proxy is in use while the target application runs.
  • the presence of the kCFProxyTypeNone keyword indicates that a network proxy is more likely to be in use while the target application runs. Therefore, the kCFProxyTypeNone keyword is preset as the type keyword corresponding to the proxy detection type.
  • the sixth detection type is the package protection type:
  • the packaging protection type is used to detect whether the application file of the target application has secondary code packaging.
  • the inventor found that the CFBundleIdentifier, com.apple.developer.team-identifier and application-identifier keywords are indicative of whether the application file of the target application has been repackaged (secondary packaging).
  • the seventh detection type is string protection type:
  • the string protection type is used to detect whether the target application has the phenomenon of string confusion.
  • the keywords encrypt, decrypt, login, password, title and name are indicative of whether the strings of the target application are obfuscated.
  • the keywords encrypt, decrypt, login, password, title and name denote encryption, decryption, login, password, title and name respectively.
  • the more often these keywords appear in the clear, the more likely it is that the strings have not been transformed, i.e. that string obfuscation is absent. Therefore, the keywords encrypt, decrypt, login, password, title and name are preset as the type keywords corresponding to the string protection type.
  • the eighth detection type is URL matching type:
  • the URL matching type is used to detect the degree of protection of the network address of the device where the target application is located.
  • the keywords http and https are indicative of the degree of protection of the network addresses used by the target application.
  • the ninth detection type is anti-debugging type:
  • the anti-debugging type is used to detect whether the target application has an anti-debugging function.
  • the ptrace keyword is indicative of whether the target application has an anti-debugging function.
  • the more often the ptrace keyword appears, the weaker the target application's anti-debugging function is taken to be. Therefore, the ptrace keyword is preset as the type keyword corresponding to the anti-debugging type.
  • the tenth detection type is the anti-hook type:
  • the anti-hook type is used to detect whether the target application has an anti-hook function.
  • the keywords libcycript.dylib, libReveal.dylib, and SnoopiTweak.dylib are used to detect whether the target application has an anti-hook function.
  • libcycript.dylib, libReveal.dylib, and SnoopiTweak.dylib keywords are preset as the type keywords corresponding to the anti-hook type.
  • Step S220 Match the acquired type keyword with the application symbol table.
  • each detection type and the type keywords corresponding to each detection type stored in the preset keyword data table are traversed, and the obtained type keywords are matched with the application symbol table.
  • the detection types specifically include 10 detection types, with a preset priority among them. In order of priority from high to low, the 10 detection types are: leak prevention type, sensitive word type, code obfuscation type, jailbreak detection type, proxy detection type, package protection type, string protection type, URL matching type, anti-debugging type and anti-hook type. For example, following this priority, the anti-leak detection type stored in the preset keyword data table and its type keywords NSLog, print, printf and write are queried first, and these type keywords are matched with the application symbol table.
  • according to the detection type corresponding to a type keyword, the type detection area matching that detection type is determined; the target area corresponding to the type detection area is extracted from the application symbol table, and the obtained type keyword is matched against that target area.
  • when the detection type is the sensitive word detection type, the corresponding type detection area includes a type detection area containing class names and/or a type detection area containing method names. According to the determined areas, the target area corresponding to the type detection area is extracted from the application symbol table and the obtained type keyword is matched against it.
  • Step S230 Extract the successfully matched type keywords as target keywords.
  • the obtained type keyword is matched with the application symbol table; if the type keyword appears in the application symbol table, it is extracted as a target keyword and stored in the type set in the background database. A corresponding type set is set for each detection type, and each extracted target keyword is stored in the type set corresponding to the detection type of that target keyword.
  • the type set can be implemented as a list, a file, a data packet, a type-set package or a similar structure.
  • the type keywords NSLog, print, printf and write corresponding to the leak detection type are obtained and matched with the application symbol table; if NSLog and print appear in the application symbol table, the type keywords NSLog and print are stored in the type set corresponding to the leak detection type in the background database.
  • if no type keyword is matched, the type set is empty and the number of target keywords in the type set is 0.
  • the detection processes for multiple different types can be executed in sequence according to the priority order of each type.
  • the next detection type of the anti-leak detection type in the preset keyword data table is the sensitive word detection type.
  • the type keywords of the sensitive word detection type are obtained from the preset keyword data table and matched with the application symbol table; the successfully matched type keywords are extracted as target keywords and stored in the type set corresponding to the sensitive word detection type in the background database. The same operations are then performed in sequence for the code obfuscation type, jailbreak detection type, proxy detection type, packaging protection type, string protection type, URL matching type, anti-debugging type and anti-hook type.
  • each detection type can also execute the above-mentioned various types of detection processes simultaneously through multiple parallel execution threads.
  • the present invention does not limit the specific execution order of the multiple types of detection processes.
  • Step S240 Determine the first evaluation result corresponding to the target application according to the number of target keywords and/or character weights that are successfully matched.
  • the type evaluation score corresponding to each type set is determined according to the number of target keywords contained in the type set and/or the character weight of the target keywords; the first evaluation result score of the target application is then determined from the type evaluation score and the type weight corresponding to each type set.
  • the type evaluation score corresponding to the type set is determined according to the number of target keywords contained in the type set and/or the character weight of the target keywords.
  • the type evaluation score of any one of the 10 detection types is 10 points in total. Each time a keyword corresponding to a detection type is detected, 1 point is deducted from that type's evaluation score, up to a maximum deduction of 10 points.
  • for example, the type keywords corresponding to the leak prevention type are NSLog, print, printf and write, and the target keywords contained in the type set corresponding to the leak prevention type are NSLog and print, each appearing once; 2 points are deducted, giving a type evaluation score of 8.
  • the target keyword refers to a keyword that successfully matched a type keyword.
  • the first evaluation result score of the target application is determined according to the type evaluation score corresponding to each type set and the type weight corresponding to each type set. For example, according to the importance of the detection types, the type weights of the 10 type sets (leak prevention type, sensitive word type, code obfuscation type, jailbreak detection type, proxy detection type, packaging protection type, string protection type, URL matching type, anti-debugging type and anti-hook type) are 0.1, 0.1, 0.1, 0.15, 0.05, 0.1, 0.1, 0.15, 0.05 and 0.1 respectively.
  • suppose the type evaluation scores of these 10 types are respectively 4, 5, 3, 6, 7, 4, 5, 3, 6 and 7.
  • the first evaluation result score of the target application is calculated from the type evaluation scores and the type weights, i.e. 4×0.1 + 5×0.1 + 3×0.1 + 6×0.15 + 7×0.05 + 4×0.1 + 5×0.1 + 3×0.15 + 6×0.05 + 7×0.1 = 4.8 in this example.
  • the total score of the first evaluation result of the target application is 10 points. The higher the first evaluation result score of the target application, the better the first evaluation result of the target application.
  • the first evaluation result of the target application is divided into 3 levels. When the first evaluation result score of the target application is between 0 and 3 (excluding 3 points), the first evaluation result of the target application is low; when the score is between 3 and 7 (excluding 7 points), the first evaluation result is medium; when the score is between 7 and 10, the first evaluation result is high. With the scores above, 4.8 falls in the medium level.
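Worked example of steps S210 to S240 (and of step S110 in the first embodiment), added here as an illustration; it is not the patent's own implementation. It assumes the symbol table has already been dumped from the decrypted Mach-O with nm(1) and strings(1) (the nm lines and strings below are constructed for the example), treats a type keyword as matched when it occurs as a case-insensitive substring of a symbol or string (the page only says the keyword "appears in" the symbol table), deducts one point per match from the 10-point type score, and uses the embodiment's type weights and level thresholds. All function and variable names are the example's own.

```python
"""Static (first) evaluation of an iOS app from its symbol table (S210-S240).

Added example, not the patent's code.  Inputs are constructed nm(1)-style
symbol lines and strings(1)-style strings; matching is a case-insensitive
substring test (an assumption about what "appears in" means).
"""
import re
from typing import Dict, Iterable, List

# Detection types in the page's priority order with their type keywords.
KEYWORD_TABLE: Dict[str, List[str]] = {
    "leak_prevention": ["NSLog", "print", "printf", "write"],
    "sensitive_word": ["encrypt", "decrypt", "login", "password", "title", "name"],
    "code_obfuscation": ["didFinishLaunchingWithOptions", "viewDidLoad"],
    "jailbreak_detection": [
        "/Applications/Cydia.app", "/etc/ssh/sshd_config", "/usr/libexec/ssh-keysign",
        "/usr/sbin/sshd", "/bin/sh", "/bin/bash", "/etc/apt",
        "/Library/MobileSubstrate/MobileSubstrate.dylib",
    ],
    "proxy_detection": ["kCFProxyTypeNone"],
    "package_protection": [
        "CFBundleIdentifier", "com.apple.developer.team-identifier", "application-identifier",
    ],
    "string_protection": ["encrypt", "decrypt", "login", "password", "title", "name"],
    "url_matching": ["http", "https"],
    "anti_debugging": ["ptrace"],
    "anti_hook": ["libcycript.dylib", "libReveal.dylib", "SnoopiTweak.dylib"],
}

# Type weights from the embodiment, same order as KEYWORD_TABLE (sum to 1.0).
TYPE_WEIGHTS: Dict[str, float] = dict(zip(
    KEYWORD_TABLE, [0.1, 0.1, 0.1, 0.15, 0.05, 0.1, 0.1, 0.15, 0.05, 0.1]))

MAX_TYPE_SCORE = 10  # each type starts at 10; one point off per match, floor 0

# Constructed sample input: what `nm` and `strings` might print for a small
# app (addresses are placeholders).
SAMPLE_NM_OUTPUT = """\
                 U _ptrace
                 U _NSLog
                 U _printf
0000000100005000 t -[LoginViewController viewDidLoad]
0000000100005100 t -[AppDelegate application:didFinishLaunchingWithOptions:]
0000000100005200 t -[KeychainHelper storePassword:]
"""
SAMPLE_STRINGS = [
    "/Applications/Cydia.app",
    "https://api.example.invalid/v1/session",
    "kCFProxyTypeNone",
]

# "<address> <type letter> <name>"; the address is absent for undefined (U) symbols.
_NM_LINE = re.compile(r"^(?:[0-9A-Fa-f]+)?\s+([A-Za-z?-])\s+(\S.*?)\s*$")


def parse_nm_output(text: str) -> List[str]:
    """Return the symbol names from nm output (address and type letter dropped)."""
    return [m.group(2) for m in map(_NM_LINE.match, text.splitlines()) if m]


def build_symbol_table(nm_text: str, strings: Iterable[str]) -> List[str]:
    """Application symbol table: symbol names plus the string table entries."""
    return parse_nm_output(nm_text) + list(strings)


def match_keywords(symbol_table: List[str], keywords: List[str]) -> Dict[str, int]:
    """Target keywords (those that matched) -> number of entries they occur in."""
    lowered = [s.lower() for s in symbol_table]
    hits = {kw: sum(1 for s in lowered if kw.lower() in s) for kw in keywords}
    return {kw: n for kw, n in hits.items() if n}


def type_scores(symbol_table: List[str],
                table: Dict[str, List[str]] = KEYWORD_TABLE) -> Dict[str, int]:
    """Type evaluation score per detection type: 10 minus one per match, floor 0."""
    return {dtype: max(0, MAX_TYPE_SCORE - sum(match_keywords(symbol_table, kws).values()))
            for dtype, kws in table.items()}


def first_evaluation_score(scores: Dict[str, int],
                           weights: Dict[str, float] = TYPE_WEIGHTS) -> float:
    """Weighted sum of type scores; with weights summing to 1.0 this is out of 10."""
    return sum(scores[t] * w for t, w in weights.items())


def first_evaluation_level(score: float) -> str:
    """[0,3) low, [3,7) medium, [7,10] high, as in the embodiment."""
    return "low" if score < 3 else "medium" if score < 7 else "high"


# The embodiment's worked numbers: type scores 4,5,3,6,7,4,5,3,6,7 -> 4.8, medium.
PAGE_EXAMPLE_SCORES = dict(zip(KEYWORD_TABLE, [4, 5, 3, 6, 7, 4, 5, 3, 6, 7]))

if __name__ == "__main__":
    table = build_symbol_table(SAMPLE_NM_OUTPUT, SAMPLE_STRINGS)
    scores = type_scores(table)
    for dtype, s in scores.items():
        print(f"{dtype:20s} {s:2d}  matched={match_keywords(table, KEYWORD_TABLE[dtype])}")
    total = first_evaluation_score(scores)
    print(f"first evaluation: {total:.2f}/10 -> {first_evaluation_level(total)}")
    page = first_evaluation_score(PAGE_EXAMPLE_SCORES)
    print(f"page example:     {page:.2f}/10 -> {first_evaluation_level(page)}")
```

Two of the page's heuristics deserve care when the scores are read: a ptrace import is usually the call behind ptrace(PT_DENY_ATTACH), i.e. evidence that anti-debugging is present rather than absent, and jailbreak path strings such as /Applications/Cydia.app usually mean the app performs jailbreak detection. A point deducted there shows the feature is visible in the clear, not that it is missing; the dynamic test of step S250 onward is what settles whether the protection actually works.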
  • Step S250 Send a dynamic test instruction corresponding to the preset function to the target application.
  • the preset function in this embodiment includes an anti-reverse function
  • the dynamic test instruction includes an anti-reverse test instruction. Accordingly, an anti-reverse test instruction corresponding to the preset anti-reverse function is sent to the target application.
  • the preset reverse test instruction table is obtained from the back-end database; the table stores each anti-reverse function, the anti-reverse test instructions corresponding to each anti-reverse function, and/or the priority between the anti-reverse test instructions, and each anti-reverse test instruction stored in the table is sent to the target application.
  • the anti-reverse function specifically includes: an anti-debugging function, an anti-hook function, and an anti-injection function.
  • the reverse test instruction table specifically includes: the mapping relationship between the anti-reverse functions and the anti-reverse test instructions, the priority between the anti-reverse functions, and/or the priority between the anti-reverse test instructions. For example, the anti-reverse functions stored in the reverse test instruction table are sorted by priority from high to low as anti-debugging function, anti-hook function and anti-injection function. According to this priority, the anti-debugging anti-reverse function and its corresponding anti-debugging anti-reverse test instruction are obtained first, and the anti-debugging anti-reverse test instruction is sent to the target application.
  • the anti-reverse functions stored in the reverse test instruction table may also have no priority set, that is, all functions have equal priority; accordingly, the anti-debugging function, anti-hook function and anti-injection function are tested in parallel.
  • the sending of anti-reverse test instructions corresponding to multiple different types of anti-reverse function can be executed in sequence according to the priority of each type. For example, after the anti-debugging anti-reverse test instruction corresponding to the anti-debugging anti-reverse function has been sent to the target application, the anti-hook anti-reverse function and its corresponding anti-hook anti-reverse test instruction are obtained according to the preset priority of the anti-reverse functions, and the anti-hook anti-reverse test instruction is sent to the target application.
  • each anti-reverse function detection can also simultaneously execute the above-mentioned various anti-reverse function detection processes through multiple parallel execution threads.
  • the specific execution order is not limited.
  • the anti-reverse test instruction corresponding to the preset anti-reverse function is sent to the target application by a second terminal device wirelessly connected to the first terminal device on which the target application is installed;
  • the first terminal device and the second terminal device are in the same wireless network.
  • the Mac computer device and the iPhone mobile phone device are connected to the same wireless device to make them in the same network segment.
  • the Mac computer device uses ssh to automatically log in to the iPhone mobile device to realize the wireless connection of the Mac computer device to the iPhone mobile device.
  • the Mac computer device sends an anti-reverse test instruction corresponding to the preset anti-reverse function to the target application on the iPhone mobile device.
  • Step S260 Determine a second evaluation result corresponding to the target application according to the test response result returned by the target application for the dynamic test instruction and at least two pre-configured expected response results corresponding to the dynamic test instruction.
  • this step includes at least one of the following three implementation manners:
  • Method 1 In the first implementation of this step, the second evaluation result corresponding to the target application is determined directly from the test response result returned by the target application for the dynamic test instruction and at least two pre-configured expected response results corresponding to the dynamic test instruction.
  • This implementation mode performs security detection on the target application from the perspective of anti-reverse of the target application.
  • debugging of application source code, interception of the application's running process, and injection of dynamic libraries are serious threats.
  • the application of anti-reverse function detection can evaluate the strength of application anti-reverse function and find defects in application anti-reverse function early.
  • the test response result corresponding to each anti-reverse test instruction is obtained, and the test response result is stored in the test response set in the background database.
  • the test response result specifically includes: the device where the target application is located makes a test response to the operation corresponding to each anti-reverse test instruction.
  • the test response set can be implemented in various forms such as lists, files, or data packets.
  • the target application receives an anti-debugging anti-reverse test instruction, an anti-hook anti-reverse test instruction, and an anti-injection anti-reverse test instruction; according to the priority of the anti-reverse test commands, the anti-debug operation corresponding to the anti-debug anti-reverse test command is executed first, by running the "debugserver *:12349 -a <application process number>" command on the terminal command line of the device where the target application is located.
  • a test response is made to the anti-debugging operation.
  • the target application executes the anti-hook operation corresponding to the anti-reverse test instruction, and the "cycript -p <application process number>" command is run on the terminal command line of the device where the target application is located.
  • the device where the target application is located realizes a test response to the anti-hook operation.
  • the target application executes the anti-injection operation corresponding to the anti-reverse test instruction, and the "optool install -c load -p "<application dynamic library>" -t <application binary file>" command is run in the terminal of the device where the target application is located.
  • the device where the target application is located produces a test response to the anti-injection operation.
  • the expected response results respectively set for the anti-reverse test are pre-stored in the background database, and at least two types of expected response results corresponding to the anti-reverse test instructions are queried.
  • the preset anti-reverse function is the anti-debugging function
  • the pre-configured at least two expected response results corresponding to the anti-reverse test command include: an anti-debugging expected response result used to indicate that the target application has the anti-debugging function, and a non-anti-debugging expected response result used to indicate that the target application does not have the anti-debugging function.
  • the anti-debugging expected response result includes a preset anti-debugging target field.
  • the preset anti-debugging target field is Segmentation fault: 11.
  • the pre-configured at least two expected response results corresponding to the anti-reverse test command include: an anti-hook class expected response result used to indicate that the target application has the anti-hook function, and a non-anti-hook class expected response result used to indicate that the target application does not have the anti-hook function.
  • the anti-hook class expected response result contains a preset anti-hook target field.
  • the preset anti-hook target field is error.
  • the anti-hook operation corresponding to the anti-hook anti-reverse test instruction is executed by running the "cycript -p <application process number>" command on the terminal command line of the device where the target application is located. If an error appears in the returned information, the target application has the anti-hook anti-reverse function; if no error appears in the returned information, the target application does not have the anti-hook anti-reverse function.
  • the pre-configured at least two expected response results corresponding to the anti-reverse test command include: an anti-injection type expected response result used to indicate that the target application has the anti-injection function, and a non-anti-injection expected response result used to indicate that the target application does not have the anti-injection function.
  • the anti-injection type expected response result includes a crash-type response result. For example, in a specific implementation, the "optool install -c load -p "<application dynamic library>" -t <application binary file>" command is run, and the target application is then repackaged and installed. If a crash-type response result appears, the target application has the anti-injection anti-reverse function; if no crash-type response result appears, the target application does not have the anti-injection anti-reverse function.
  • the expected response results corresponding to the anti-debugging anti-reverse function test specifically include the anti-debugging expected response result used to indicate that the target application has the anti-debugging function, and the non-anti-debugging expected response result used to indicate that the target application does not have the anti-debugging function.
  • the anti-debugging test response result is matched against the anti-debugging expected response result and the non-anti-debugging expected response result.
  • if the anti-debugging anti-reverse test response result matches the anti-debugging expected response result, the target application has the anti-debugging anti-reverse function; if it matches the non-anti-debugging expected response result, the target application does not have the anti-debugging anti-reverse function.
  • if the target application has the anti-hook anti-reverse function, the anti-hook anti-reverse function score is 1, and if it does not, the score is 0. If the target application has the anti-injection anti-reverse function, the anti-injection anti-reverse function score is 1, and if it does not, the score is 0.
  • the second evaluation result score of the target application is the sum of the anti-debugging anti-reverse function score, the anti-hook anti-reverse function score, and the anti-injection anti-reverse function score.
  • the second evaluation result is evaluated according to the second evaluation result score. If the second evaluation result score is 0, the anti-reverse security level of the target application is low and the second evaluation result is low; if the second evaluation result score is 1, the target application; if the second evaluation result score is 2, the anti-reverse security level of the target application is medium-high and the second evaluation result is medium-high; if the second evaluation result score is 3, the anti-reverse security level of the target application is high and the second evaluation result is high.
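The anti-reverse scoring of Method 1, as an added example that is not the patent's own code: each function's captured test response is matched against the pre-configured expected response results and the 0/1 scores are summed. The sample responses are constructed; the crash marker for anti-injection and the "medium-low" label for a score of 1 are assumptions.

```python
"""Added example (not the patent's own code): evaluate the anti-reverse
dynamic test of Method 1. Each anti-reverse function has a test instruction,
the captured test response is matched against the pre-configured expected
response results, and the 0/1 function scores are summed into the second
evaluation result. The sample responses are constructed, not real output."""
import re

# Priority order of anti-reverse functions from the reverse test instruction table.
PRIORITY = ["anti-debugging", "anti-hook", "anti-injection"]

# Test instruction per function; angle-bracket values are placeholders.
TEST_INSTRUCTION = {
    "anti-debugging": "debugserver *:12349 -a <application process number>",
    "anti-hook": "cycript -p <application process number>",
    "anti-injection": 'optool install -c load -p "<application dynamic library>" '
                      "-t <application binary file>",
}

# Target field whose presence in the test response means the target
# application HAS the function ("Segmentation fault: 11" and "error" come from
# the text; the crash marker for anti-injection is an assumption).
TARGET_FIELD = {
    "anti-debugging": re.compile(r"Segmentation fault: 11"),
    "anti-hook": re.compile(r"\berror\b", re.IGNORECASE),
    "anti-injection": re.compile(r"\b(crash\w*|terminated)\b", re.IGNORECASE),
}

# Level per summed score; the label for score 1 is not given in the text and
# "medium-low" is assumed by analogy with the data protection levels.
LEVEL_BY_SCORE = {0: "low", 1: "medium-low", 2: "medium-high", 3: "high"}


def has_function(function: str, test_response: str) -> bool:
    """True when the response matches the 'has function' expected result,
    False when it matches the 'does not have function' expected result."""
    return TARGET_FIELD[function].search(test_response) is not None


def function_scores(test_responses: dict) -> dict:
    """Score each anti-reverse function 1 (present) or 0 (absent), in priority order."""
    scores = {}
    for function in PRIORITY:
        response = test_responses.get(function, "")
        scores[function] = 1 if has_function(function, response) else 0
    return scores


def second_evaluation(test_responses: dict) -> tuple:
    """Return (summed score, anti-reverse security level)."""
    total = sum(function_scores(test_responses).values())
    return total, LEVEL_BY_SCORE[total]


# Constructed sample test responses, one per test instruction.
SAMPLE_RESPONSES = {
    # debugserver attach was aborted: the app has anti-debugging
    "anti-debugging": "debugserver listening on port 12349\nSegmentation fault: 11",
    # cycript reached its prompt without any error: no anti-hook
    "anti-hook": "cy# ",
    # repackaged app died at launch after the load command was added: anti-injection
    "anti-injection": "Process launched, then crashed (exit reason: EXC_CRASH)",
}

if __name__ == "__main__":
    for fn in PRIORITY:
        print(f"{fn:15s} instruction: {TEST_INSTRUCTION[fn]}")
    print(function_scores(SAMPLE_RESPONSES))
    print(second_evaluation(SAMPLE_RESPONSES))  # (2, 'medium-high')
```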
  • the anti-reverse test instruction corresponding to one anti-reverse function is divided into multiple anti-reverse test instructions according to key fields.
  • the number of anti-reverse test commands corresponding to one anti-reverse function is multiple, and the priority is preset among multiple anti-reverse test commands corresponding to one anti-reverse function.
  • the anti-reverse test instructions corresponding to the anti-debug and anti-reverse function are divided into anti-debug anti-reverse test instructions 1, anti-debug anti-reverse test instructions 2, and anti-debug anti-reverse test instructions 3 according to key fields.
  • the device where the target application is located sequentially executes the commands corresponding to the anti-debugging and anti-reverse test instructions 1, the anti-debugging and anti-reverse test instructions 2, and the anti-debugging and anti-reverse test instructions 3.
  • Step 1 Mac computer equipment integrates ideviceinstaller (device installation) tool to allow Mac computer equipment to connect to iPhone mobile device remotely, enabling Mac computer equipment to manage iPhone mobile device.
  • the Mac computer device integrates the ideviceinstaller tool to realize a remote connection to the iPhone mobile device and to manage and operate the iOS application on the iPhone mobile device. The "ideviceinstaller -i xxx.ipa" command is entered and run in the terminal of the Mac computer device, where "xxx.ipa" is the IPA (Apple Program Application File) file name of the target application.
  • Step 2 The remotely connected iPhone device integrates the frida environment, so that it can call the application program inside the iPhone.
  • Step 3 Compare the home page of the application after startup with the home page when the application is opened normally. If the home pages are the same, the application starts normally in the operating environment; if the application crashes or fails to load, the application starts abnormally in the operating environment.
  • Step 4 Use the ideviceinstaller tool to uninstall the installed applications.
  • the target application on the iPhone device side can be automatically installed, started, and uninstalled, without manual installation, startup, and uninstallation. This breaks away from the traditional security detection method, realizes automatic security detection, can realize security detection in various operating environments more quickly, greatly improves the efficiency of security detection, and meets the increasing demand for iOS security detection.
  • Method 2 In the second implementation of this step, the obtained binary file of the target application is decompiled to obtain the corresponding decompiled code; the target code corresponding to the preset target area is extracted from the decompiled code; whether the target code contains content that matches the preset obfuscated identifier is determined; and the second evaluation result corresponding to the target application is determined based on the judgment result.
  • the implementation manner determines the second evaluation result corresponding to the target application according to the combination of the two types of judgment results, the anti-reverse security level of the target application and the data security level of the target application.
  • This implementation mode performs security detection on the target application from the data security perspective of the target application.
  • the data protection safety inspection of the target application can detect the defects of the target application data protection function as soon as possible.
  • a decompilation tool is used to decompile the obtained binary file of the target application.
  • the decompilation tool specifically includes: a first decompilation tool and a second decompilation tool.
  • the obtained binary file of the target application is decompiled through the first decompilation tool to obtain the first decompiled code; and/or the obtained binary file of the target application is obtained through the second decompilation tool Perform decompilation to obtain the second decompiled code.
  • the first decompilation tool and the second decompilation tool can be used at the same time, or one of them can be used.
  • the first decompilation tool is MachOView decompilation tool
  • the second decompilation tool is Hopper Disassembler decompilation tool.
  • decompiled codes are preset with priorities, and the decompiled codes are obtained according to the priority of the decompiled codes.
  • the first decompiled code has a higher priority than the second decompiled code, where the first decompiled code is the MachOView decompiled code and the second decompiled code is the Hopper Disassembler decompiled code.
  • the MachOView decompiled code is given priority.
  • the decompiled code specifically includes: a first decompiled code and a second decompiled code; the target code corresponding to the preset target area contained in the first decompiled code includes: dynamic library information and/or header files Information; the target code corresponding to the preset target area contained in the second decompiled code includes: a preset function and/or a preset character.
  • the first decompiled code is MachOView decompiled code
  • the second decompiled code is Hopper Disassembler decompiled code.
  • dynamic library information and/or header file information is preset for the first decompiled code; the first decompiled code and the dynamic library information and/or header file information are obtained from the background database; the dynamic library information and/or header file information is compared with the first decompiled code; the object code containing dynamic library information and/or header file information is extracted from the decompiled code and stored in the background database.
  • the first decompiled code is MachOView decompiled code.
  • the MachOView decompilation tool analyzes the structure of the target application, and can see the dynamic library information and header file information in the target application binary file.
  • for the MachOView decompiled code, the MachOView decompiled code and the dynamic library information and/or header file information are obtained from the background database, the dynamic library information and/or header file information is compared with the MachOView decompiled code, the object code containing dynamic library information and/or header file information is extracted from the decompiled code, and that object code is stored in the backend database.
  • the second decompiled code is Hopper Disassembler decompiled code.
  • the Hopper Disassembler decompilation tool can see the functions and characters in the target application binary file and the logic code in the method. Set preset functions and/or preset characters for Hopper Disassembler reverse compiled code.
  • the first decompiled code is MachOView decompiled code
  • the second decompiled code is Hopper Disassembler decompiled code.
  • the binary file of the target application is put into the MachOView decompilation tool, the Objc CFStrings character table is checked, and the decompiled code corresponding to the Objc CFStrings character table is matched against the preset obfuscated identifier. If the decompiled code of the Objc CFStrings character table is displayed as an identifier, the program characters of the target application are obfuscated; if the decompiled code of the Objc CFStrings character table normally displays the character strings of the target application, the program characters of the target application are not obfuscated.
  • the binary file of the target application is put into the Hopper Disassembler v4 decompilation tool, a method function is randomly selected, and the decompiled code corresponding to the method function is matched against the preset obfuscation identifier. If garbled codes appear in the decompiled code of the method function, the program code of the target application has been obfuscated; if no garbled codes appear in the decompiled code of the method function, the program code of the target application is not obfuscated.
  • if the first judgment result is that the first decompiled code contains the preset obfuscated identifier, the first judgment result is recorded as 0, and if the first judgment result is that the first decompiled code does not contain the preset obfuscated identifier, the first judgment result is recorded as 1; if the second judgment result is that the second decompiled code contains the preset obfuscated identifier, the second judgment result is recorded as 0, and if the second judgment result is that the second decompiled code does not contain the preset obfuscated identifier, the second judgment result is recorded as 1.
  • weights are assigned to the first judgment result and the second judgment result respectively. The weight of the first judgment result is 0.5 and the weight of the second judgment result is 0.5; in this example, the first judgment result is 0 and the second judgment result is 1.
  • the data protection security level of the target application is divided into four levels. If the data protection security score of the target application is 0, the data protection security level of the target application is low; if the data protection security score is 1, the data protection security level is high; if the data protection security score is between 0 and 0.5 (excluding 0 and 0.5), the data protection security level is medium-low; if the data protection security score is between 0.5 and 1 (excluding 1), the data protection security level is medium-high. Specifically, in this example, the data protection security score of the target application is 0.5, and the data protection security level of the target application is medium-high.
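The two-judgement data protection score of Method 2, as an added example that is not the patent's own code: the CFStrings table and the method listing are constructed text, and the regexes standing in for the "preset obfuscated identifier" and for "garbled codes" are assumptions, since the text does not define them.

```python
"""Added example (not the patent's own code): the data protection judgement of
Method 2. Two decompiled views are checked for the preset obfuscated
identifier, each judgement is recorded as 0 (identifier found) or 1 (not
found), the two are combined with weights 0.5/0.5 and mapped to the four
data protection security levels. Both inputs below are constructed text
standing in for a MachOView CFStrings table and a Hopper method listing."""
import re
from typing import List

# Assumed "preset obfuscated identifier": a short letter prefix followed by a
# hex run. A real deployment would load the pattern from the background database.
OBFUSCATED_IDENTIFIER = re.compile(r"^[A-Za-z]{1,2}[0-9a-f]{4,}$")

# Assumed definition of "garbled codes" in a method listing: replacement
# characters or non-printable control bytes in the pseudo-code text.
GARBLED = re.compile(r"[\ufffd\x00-\x08\x0b\x0c\x0e-\x1f]")

W_FIRST, W_SECOND = 0.5, 0.5  # weights of the first and second judgement


def cfstrings_judgement(entries: List[str]) -> int:
    """First judgement (MachOView Objc CFStrings table): 0 if the table is
    displayed as obfuscated identifiers, else 1. A majority of entries decides
    (assumption; the text only says the table 'is displayed as an identifier')."""
    if not entries:
        return 1
    hits = sum(1 for e in entries if OBFUSCATED_IDENTIFIER.match(e.strip()))
    return 0 if hits * 2 > len(entries) else 1


def method_judgement(method_code: str) -> int:
    """Second judgement (Hopper method function): 0 if garbled codes appear, else 1."""
    return 0 if GARBLED.search(method_code) else 1


def data_protection_score(first: int, second: int) -> float:
    return W_FIRST * first + W_SECOND * second


def data_protection_level(score: float) -> str:
    """Four levels as defined in the text: 0 low, 1 high, (0,0.5) medium-low,
    [0.5,1) medium-high."""
    if score == 0:
        return "low"
    if score == 1:
        return "high"
    if score < 0.5:
        return "medium-low"
    return "medium-high"


def evaluate(entries: List[str], method_code: str) -> tuple:
    """Return (first judgement, second judgement, weighted score, level)."""
    first = cfstrings_judgement(entries)
    second = method_judgement(method_code)
    score = data_protection_score(first, second)
    return first, second, score, data_protection_level(score)


# Constructed CFStrings table: every entry looks like an obfuscator identifier.
SAMPLE_CFSTRINGS = ["a1f9c3e0", "b7e0d2aa", "c4a8ff10", "d9b3e771"]
# Constructed pseudo-code for one method: readable, no garbled codes.
SAMPLE_METHOD = """int sub_100004a20(void * self, void * _cmd) {
    r0 = [self isLoggedIn];
    if (r0 == 0x0) { r0 = [self showLogin]; }
    return r0;
}"""

if __name__ == "__main__":
    print(evaluate(SAMPLE_CFSTRINGS, SAMPLE_METHOD))  # (0, 1, 0.5, 'medium-high')
```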
  • different types of decompiled codes are preset with priority, and the target code of the decompiled code is obtained according to the priority of the decompiled code.
  • in order to select target code that includes logical operators, the decompilation tool is used to the greatest extent to obtain each method function contained in the decompiled code, and the method functions containing logical operators are extracted from them as target functions.
  • the code corresponding to the target function is determined to be the target code corresponding to the preset target area.
  • Method 3 In the third implementation of this step, when a startup instruction corresponding to the target application is detected, the application operating environment corresponding to the target application is determined according to the startup instruction; the program startup page displayed after the target application starts in the application operating environment is obtained; the preset environment startup page associated with the application operating environment corresponding to the target application is queried; whether the program startup page matches the environment startup page is determined, and the second evaluation result corresponding to the target application is determined based on the judgment result.
  • the implementation manner determines the second evaluation result corresponding to the target application according to the combination of the two types of judgment results, the anti-reverse security level of the target application and the application operating environment security of the target application.
  • This implementation mode performs security detection on the target application from the perspective of its operating environment. iOS applications can run on a variety of iOS system versions and iPhone devices, and both the iOS system versions and the iPhone device models are updated quickly, so it is necessary to ensure that iOS applications run normally in the various operating environments.
  • the startup instruction sent by the target application is received; the environment field contained in the startup instruction carries the current operating environment of the target application; the startup instruction is parsed, the environment field is extracted, and the application operating environment corresponding to the target application is determined from the environment field included in the startup instruction. For example, the target application A is launched in the iOS system C of the iPhone device B.
  • the startup instruction is received and the startup instruction is analyzed.
  • the environment field in the parsed startup instruction includes the iPhone device model keyword and the iOS system category keyword; the iPhone device model keyword and the iOS system category keyword are read directly, together with the iPhone device model and iOS system category information listed under the keywords.
  • the startup instruction sent by the target application is received, and the startup instruction is analyzed.
  • the application operating environment corresponding to the target application is determined.
  • the structure of the parsed instruction format of the startup instruction includes a first part and a second part.
  • the first part represents the iPhone device model in the application running environment
  • the second part represents the iOS system version in the application running environment.
  • the iPhone device model is indicated by different device identification codes
  • the iOS system version is indicated by different version identification codes.
  • the startup instruction is parsed, the identification codes of the first part and the second part are obtained from the parsed instruction, and the iPhone device model and iOS system version category corresponding to the identification codes are determined according to the instruction rules.
  • the instruction rules specifically include: the mapping relationship between the iPhone device model and the model identification code, and the mapping relationship between the iOS system version and the version identification code.
  • after the target application is launched in the current operating environment, the program launch page is displayed after a preset time. Specifically, in this step, the program startup page displayed a preset time after the target application is started in the application operating environment is acquired.
  • the startup environment matching table specifically includes: the mapping relationship between the target application, the application running environment, and the environment startup page.
  • the program startup page displayed after the target application is started in the application operating environment, as sent by the target application, is acquired, and the environment startup page associated with the application operating environment corresponding to the target application is queried from the startup environment matching table. The program startup page is compared with the environment startup page to determine the difference between the two. If there is no difference between the program startup page and the environment startup page, that is, the two match, the target application is safe in the operating environment; if there is a difference between the program startup page and the environment startup page, the two do not match, and the target application is not safe in the operating environment.
  • the environment function page specifically includes: for each type of application operating environment, the corresponding operating interface obtained when the target application runs the preset function in this type of application operating environment and the operating result is successful; the obtained operating interface is stored in a preset function environment matching table as the environment function page associated with this type of application operating environment.
  • the function environment matching table specifically includes: the four-way mapping relationship among target application, application operating environment, preset function, and environment function page, and the priority of the preset function corresponding to each environment function page.
  • the program function page displayed after the target application runs each type of preset function in the application operating environment is obtained; the environment function page associated with the target application, application operating environment, and preset function is obtained from the function environment matching table; the program function page is overlaid on the environment function page, and the difference between the two pages is compared.
  • if there is no difference between the program function page and the environment function page, the target application runs the preset function safely in the operating environment, and the operating environment security level of the target application's preset function is high; if there is a difference between the program function page and the environment function page, the target application does not run safely in the operating environment, and the operating environment security level of the target application is low.
  • the second evaluation result is determined from the anti-reverse security level of the target application in Method 1 and the operating environment security level in Method 3: when the anti-reverse security level and the operating environment security level are both high, the second evaluation result of the target application is high; when one of the anti-reverse security level and the operating environment security level is low, the second evaluation result of the target application is low; in other cases, the second evaluation result of the target application is medium.
  • the functions corresponding to the target application in various types of application operating environments are determined in advance.
  • there are multiple preset functions, and there is a priority among the preset functions.
  • the priority between each preset function is stored in the function environment matching table.
  • the priority of the preset functions in the function environment matching table is sorted from high to low, and the order of each preset function is preset function 1, preset function 2, preset function 3.
  • the target application runs the preset function 1 in the application running environment, obtains the program function page of the preset function 1 and the environment function page, and compares the program function page of the preset function 1 with the environment function page. Perform the above operations on preset function 2 and preset function 3 in sequence.
  • the operating environment security detection process of each preset function may also be executed simultaneously through multiple parallel execution threads.
  • the present invention does not limit the specific execution sequence of the operating environment safety detection process of each preset function.
  • the above three implementation methods can be used alone or in combination.
  • the three implementation methods are combined to determine the second evaluation result; that is, the second evaluation result is determined from the combination of three aspects: the anti-reverse functional security level of the target application, its data protection security level, and its operating environment security.
  • Step S270 Determine the security level of the target application according to the first evaluation result and the second evaluation result.
  • the security level of the target application is judged. Specifically, when the first evaluation result and the second evaluation result are both high, the security level of the target application is high; when either the first evaluation result or the second evaluation result is low, the security level of the target application is low; in all other cases, the security level of the target application is medium.
  • the second evaluation result in this embodiment is determined based on the combination of the judgment results of the three implementation modes. The second evaluation result is determined based on the combination of the anti-reverse security level of the target application and the data protection security level.
  • the second evaluation result of the target application is high; when either the anti-reverse security level or the data protection security level is low, the second evaluation result of the target application is low; in other cases, the second evaluation result of the target application is medium. And/or the second evaluation result is determined based on the combination of the anti-reverse security level of the target application and the operating environment security level.
  • the second evaluation result of the target application is high; when either the anti-reverse security level or the operating environment security level is low, the second evaluation result of the target application is low; in other cases, the second evaluation result of the target application is medium.
  • This embodiment uses both the first evaluation result, which reflects the static test result of the target application, and the second evaluation result, which reflects its dynamic test result, to evaluate the security of the application comprehensively, avoiding the drawbacks of a single-dimensional evaluation method and making the evaluation result more accurate.
  • the static test mainly evaluates the application installation file of the target application: it uses the type keywords commonly used in iOS application development to realize specific functions, fuzzy-matches the type keywords corresponding to each detection type against the application symbol table, and, taking into account the weight of each detection type and of each type keyword, quantitatively evaluates the security of the target application, giving a comprehensive and intuitive static detection of the target application.
  • detection types, namely: anti-leakage type, sensitive word type, code obfuscation type, jailbreak detection type, proxy detection type, packaging protection type, string protection type, URL matching type, anti-debugging type, and/or anti-hook type.
  • Dynamic testing evaluates the security of the target application from the perspective of anti-reverse security, data protection security, and operating environment security of the target application's dynamic running process.
  • the anti-reverse function test in the dynamic test comprehensively evaluates the anti-reverse function of the target application from three aspects: anti-debugging, anti-hook, and anti-injection.
  • the test response result is matched with at least two expected response results, and the target application anti-reverse function is determined according to the matching result.
  • the data protection security test compares the target code with the preset obfuscated identifier, and determines whether the program code and program characters in the target application are obfuscated according to the comparison result, so as to realize the detection of the degree of data security protection of the target application;
  • the environmental security test obtains the program startup page of the target application in the application runtime environment and compares it with the preset environment startup page to determine whether the target application starts normally in that runtime environment, thereby realizing the security detection of the target application's operating environment.
  • the target application is tested comprehensively from both the static and the dynamic dimension, taking full account of the static code of the target application and of its anti-reverse, data protection and operating environment security during dynamic operation, so that defects of the target application are found early and developers can modify the target application in a targeted manner before it is put on the market.
  • Fig. 3 shows a structural diagram of an iOS application security detection device according to the third embodiment, the device includes:
  • the first evaluation result determining module 31 obtains the application symbol table corresponding to the target application, matches the obtained type keywords corresponding to the preset detection types against the application symbol table, and determines the first evaluation result corresponding to the target application according to the number and/or character weights of the successfully matched target keywords;
  • the second evaluation result determining module 32 sends a dynamic test instruction corresponding to the preset function to the target application, and determines the second evaluation result corresponding to the target application according to the test response result returned by the target application for the dynamic test instruction and at least two pre-configured expected response results corresponding to the dynamic test instruction;
  • the target application safety judgment module 33 judges whether the target application is safe according to the first evaluation result and the second evaluation result.
  • the first evaluation result determining module 31 is adapted to:
  • determining the first evaluation result corresponding to the target application includes:
  • For each type set, determine the type evaluation score corresponding to the type set according to the number of target keywords contained in the type set and/or the character weights of the target keywords;
  • the first evaluation result corresponding to the target application is determined.
  • the first evaluation result determining module 31 is adapted to:
  • the target area corresponding to the type detection area is extracted from the application symbol table, and the obtained type keyword is matched with the target area.
  • the first evaluation result determining module 31 is adapted to:
  • the application symbol table further includes: a static symbol table, a dynamic symbol table, and/or a character table.
  • the second evaluation result determining module 32 is adapted to:
  • the target code contains content that matches the preset obfuscated identifier, and the second evaluation result corresponding to the target application is determined in combination with the determination result.
  • the second evaluation result determining module 32 is adapted to:
  • the application operating environment corresponding to the target application is determined according to the startup instruction.
  • a security detection system for iOS applications including the above-mentioned security detection device.
  • the embodiment of the present application provides a non-volatile computer storage medium that stores at least one executable instruction, and the executable instruction can execute the iOS application-based security detection method of any of the above method embodiments.
  • FIG. 4 shows a schematic structural diagram of an electronic device according to an embodiment of the present invention, and the specific embodiment of the present invention does not limit the specific implementation of the electronic device.
  • the electronic device may include: a processor (processor) 402, a communication interface (Communications Interface) 404, a memory (memory) 406, and a communication bus 408.
  • the processor 402, the communication interface 404, and the memory 406 communicate with each other through the communication bus 408.
  • the communication interface 404 is used to communicate with network elements of other devices, such as clients or other servers.
  • the processor 402 is configured to execute the program 410, and specifically can execute the relevant steps in the foregoing embodiment of the fault location method based on multi-level network nodes.
  • the program 410 may include program code, and the program code includes computer operation instructions.
  • the processor 402 may be a central processing unit (CPU), an ASIC (Application Specific Integrated Circuit), or one or more integrated circuits configured to implement the embodiments of the present invention.
  • the one or more processors included in the electronic device may be processors of the same type, such as one or more CPUs; or processors of different types, such as one or more CPUs and one or more ASICs.
  • the memory 406 is used to store the program 410.
  • the memory 406 may include a high-speed RAM memory, and may also include a non-volatile memory (non-volatile memory), such as at least one disk memory.
  • the program 410 may be specifically used to enable the processor 402 to perform various operations in the foregoing method embodiments.
  • modules, units or components in the embodiments can be combined into one module, unit or component, and can also be divided into multiple sub-modules, sub-units or sub-components. Unless at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device disclosed in this manner may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
  • the various component embodiments of the present invention may be implemented by hardware, or by software modules running on one or more processors, or by their combination.
  • a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all components in the device according to the embodiments of the present invention.
  • the present invention can also be implemented as a device or device program (for example, a computer program and a computer program product) for executing part or all of the methods described herein.
  • Such a program for realizing the present invention may be stored on a computer-readable medium, or may have the form of one or more signals. Such signals can be downloaded from Internet websites, or provided on carrier signals, or provided in any other form.

Abstract

Disclosed are a security detection method, device and system based on an iOS application. The method comprises: obtaining an application symbol table corresponding to a target application, matching an obtained type keyword corresponding to a preset detection type with the application symbol table, and determining a first evaluation result; sending a dynamic test instruction corresponding to a preset function to the target application, and determining a second evaluation result according to a test response result returned by the target application for the dynamic test instruction and at least two pre-configured expected response results corresponding to the dynamic test instruction; and determining whether the target application is secure according to the first evaluation result and the second evaluation result. According to the method, security detection is performed on two aspects of a static code and a dynamic running process of the target application, the first evaluation result aiming at the static code and the second evaluation result aiming at the dynamic running process are obtained, and comprehensive security determination is performed on the target application by integrating the first evaluation result and the second evaluation result.

Description

Security detection method, device and system based on iOS applications
Technical field
The invention relates to the technical field of computer software, in particular to a security detection method, device and system based on iOS applications.
Background art
With the rapid development of network technology, the number of Internet users has grown exponentially and smartphone sales have increased substantially. In the high-end market, mobile business on the iOS platform holds a large market share. The design of mobile applications based on the iOS platform is becoming increasingly complex, the scale of development is growing, and application quality is becoming more and more important. In particular, the number of payment-related applications is growing rapidly, and the security of payment-related applications is critical throughout the entire life cycle of the application.
However, in the course of implementing the present invention, the inventors found that because the development techniques used for iOS applications are uneven, the security levels of those applications are likewise uneven. At the same time, although the iOS platform has strong self-protection, attack techniques against mobile applications on the iOS platform are becoming increasingly mature and methods for jailbreaking iPhone devices are becoming ever simpler, so mobile applications on the iOS platform face growing threats. iOS applications therefore need to be subjected to security detection in many respects, and developers need to apply security protection to iOS applications in many respects. At present there is a large gap in the market for security detection of applications on the iOS platform.
It can be seen that there is currently no standard security detection tool for applications on the iOS platform, security detection of applications cannot be automated, and most detection of iOS applications is static detection, that is, comparison of key strings from the perspective of the static code, which is not comprehensive. As a result, mobile applications on the iOS platform cannot be fully tested for security before being put on the market, developers cannot make targeted changes to application functions in advance, and various problems arise in subsequent use that seriously harm the user experience.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a security detection method, device and system based on iOS applications that overcome, or at least partially solve, the above problems.
According to one aspect of the present invention, there is provided a security detection method for iOS applications, comprising:
obtaining an application symbol table corresponding to the target application, matching the obtained type keywords corresponding to preset detection types against the application symbol table, and determining a first evaluation result corresponding to the target application according to the number and/or character weights of the successfully matched target keywords;
sending a dynamic test instruction corresponding to a preset function to the target application, and determining a second evaluation result corresponding to the target application according to the test response result returned by the target application for the dynamic test instruction and at least two pre-configured expected response results corresponding to the dynamic test instruction;
judging whether the target application is secure according to the first evaluation result and the second evaluation result.
According to one aspect of the present invention, there is provided a security detection device for iOS applications, comprising:
a first evaluation result determining module, which obtains the application symbol table corresponding to the target application, matches the obtained type keywords corresponding to preset detection types against the application symbol table, and determines the first evaluation result corresponding to the target application according to the number and/or character weights of the successfully matched target keywords;
a second evaluation result determining module, which sends a dynamic test instruction corresponding to a preset function to the target application, and determines the second evaluation result corresponding to the target application according to the test response result returned by the target application for the dynamic test instruction and at least two pre-configured expected response results corresponding to the dynamic test instruction;
a target application security judging module, which judges whether the target application is secure according to the first evaluation result and the second evaluation result.
According to a further aspect of the present invention, there is provided a security detection system for iOS applications, comprising the above security detection device.
According to a further aspect of the present invention, there is provided an electronic device comprising a processor, a memory, a communication interface and a communication bus, where the processor, the memory and the communication interface communicate with one another through the communication bus;
the memory is used to store at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the above fault location method based on multi-level network nodes.
According to a further aspect of the present invention, there is provided a computer storage medium storing at least one executable instruction, where the executable instruction causes a processor to perform the operations corresponding to the above fault location method based on multi-level network nodes.
In the security detection method, device and system for iOS applications provided by the present invention, the application symbol table corresponding to the target application is obtained, the obtained type keywords corresponding to preset detection types are matched against the application symbol table, and the first evaluation result corresponding to the target application is determined according to the number and/or character weights of the successfully matched target keywords; a dynamic test instruction corresponding to a preset function is sent to the target application, and the second evaluation result corresponding to the target application is determined according to the test response result returned by the target application for the dynamic test instruction and at least two pre-configured expected response results corresponding to the dynamic test instruction; and whether the target application is secure is judged according to the first evaluation result and the second evaluation result, which improves the accuracy of the evaluation result.
The above description is only an overview of the technical solution of the present invention. So that the technical means of the present invention can be understood more clearly and implemented in accordance with the content of the description, and so that the above and other objectives, features and advantages of the present invention become more apparent, specific embodiments of the present invention are set out below.
Description of the drawings
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings serve only to illustrate the preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, the same reference symbols denote the same components. In the drawings:
Fig. 1 shows a flowchart of a security detection method for iOS applications according to the first embodiment;
Fig. 2 shows a flowchart of a security detection method for iOS applications according to the second embodiment;
Fig. 3 shows a structural diagram of a security detection device for iOS applications according to the third embodiment;
Fig. 4 shows a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be implemented in various forms and should not be limited by the embodiments set forth herein. Rather, these embodiments are provided so that the present disclosure will be understood more thoroughly and its scope fully conveyed to those skilled in the art.
Embodiment 1
Fig. 1 shows a flowchart of a security detection method for a target application according to the first embodiment. As shown in Fig. 1, the method comprises the following steps:
Step S110: Obtain an application symbol table corresponding to the target application, match the obtained type keywords corresponding to preset detection types against the application symbol table, and determine the first evaluation result corresponding to the target application according to the number and/or character weights of the successfully matched target keywords.
The present invention may be executed by a variety of subjects; for example, it may be a security software client installed on the mobile terminal where the target application resides, or a security test terminal or security test server capable of communicating with that mobile terminal. The target application is the application to be detected, and it is an iOS application.
Specifically, in this step, the application file of the target application is obtained and decompiled to obtain decompiled code, and application symbol tables of various types are extracted from the decompiled code. The application symbol table specifically includes a static symbol table, a dynamic symbol table and/or a character table.
The preset keyword data table in the back-end database is obtained and traversed to obtain each detection type stored in it together with the type keywords corresponding to each detection type, and the obtained type keywords are matched against the application symbol table. The preset keyword data table specifically includes the mapping between detection types and type keywords, and the priority among detection types. For example, when the detection type is the anti-leakage type, the corresponding type keywords are NSLog, print, printf and write. The type keywords NSLog, print, printf and write corresponding to the anti-leakage type are retrieved from the keyword data table and matched against the application symbol table.
If a type keyword appears in the application symbol table, it is extracted as a target keyword and stored in a type set in the back-end database. A corresponding type set is established for each detection type, and each extracted target keyword is stored in the type set corresponding to that keyword's detection type; in practice the type set may be implemented as a list, a file, a data packet, a type set package or in other ways. For example, the type keywords NSLog, print, printf and write corresponding to the anti-leakage detection type are obtained and matched against the application symbol table; if the type keywords NSLog and print are found in the application symbol table, NSLog and print are stored in the type set corresponding to the anti-leakage detection type in the back-end database. When no type keyword appears in the application symbol table, the type set is empty and the number of type keywords in it is 0.
The type evaluation score corresponding to each type set is determined according to the number of target keywords contained in the type set and/or the character weights of those target keywords; the first evaluation result score of the target application is then determined according to the type evaluation score of each type set and the type weight corresponding to each type set.
The first evaluation result of the target application is divided into three levels. When the first evaluation result score of the target application is between 0 and 3 (excluding 3), the first evaluation result is low; when the score is between 3 and 7 (excluding 7), the first evaluation result is medium; when the score is between 7 and 1, the first evaluation result is high.
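The static scoring of Step S110 and the level combination rule of Step S270 (both high gives high, either low gives low, otherwise medium), as an added worked example that is not the patent's or the applicant's code: keyword matching against a symbol table, character-weighted type scores, a type-weighted total, the 0-3 / 3-7 bands, and the combination rule. Everything not on the page is constructed here and marked as such: all keywords other than NSLog, print, printf and write, every weight, a 10-point scale, substring matching as the "fuzzy matching", the sample symbol table, and whether a type's matches count as protection present or as risk present.

```python
from typing import Dict, List

# Keyword data table: detection type -> {type keyword: character weight}.
# The anti-leakage keywords NSLog/print/printf/write and the detection type
# names come from the page; all other keywords and every weight are constructed.
KEYWORD_TABLE: Dict[str, Dict[str, float]] = {
    "anti-leakage": {"NSLog": 1.0, "print": 0.5, "printf": 0.5, "write": 0.5},
    "jailbreak detection": {"Cydia": 1.0, "isJailbroken": 1.0},
    "anti-debugging": {"ptrace": 1.0, "sysctl": 0.5},
    "anti-hook": {"dladdr": 1.0, "fishhook": 1.0},
}

# Assumption: the page does not say in which direction a match counts. Here a
# match for a protective type (jailbreak detection, anti-debugging, anti-hook)
# raises the score, while a match for a risk type (anti-leakage: logging
# primitives still reachable in the shipped binary) lowers it.
PROTECTIVE: Dict[str, bool] = {
    "anti-leakage": False,
    "jailbreak detection": True,
    "anti-debugging": True,
    "anti-hook": True,
}

# Type weights (constructed); they sum to 1 so a perfect score equals MAX_SCORE.
TYPE_WEIGHTS: Dict[str, float] = {
    "anti-leakage": 0.25,
    "jailbreak detection": 0.25,
    "anti-debugging": 0.25,
    "anti-hook": 0.25,
}
MAX_SCORE = 10.0  # assumption: the 0-3 / 3-7 bands are read on a 10-point scale

# Constructed symbol table: stands in for the static/dynamic symbol tables and
# the character (string) table extracted from the decompiled target application.
SAMPLE_SYMBOL_TABLE: List[str] = [
    "_NSLog", "_printf", "_objc_msgSend", "-[SecurityCheck isJailbroken]",
    "_ptrace", "_sysctl", "/Applications/Cydia.app", "_dladdr",
]


def match_keywords(symbol_table: List[str],
                   keywords: Dict[str, Dict[str, float]]) -> Dict[str, List[str]]:
    """Build one type set per detection type: the type keywords that occur in
    the symbol table (the target keywords). Substring matching stands in for
    the page's 'fuzzy matching' (assumption)."""
    type_sets: Dict[str, List[str]] = {}
    for dtype, kws in keywords.items():
        type_sets[dtype] = [kw for kw in kws
                            if any(kw in symbol for symbol in symbol_table)]
    return type_sets


def type_score(dtype: str, matched: List[str],
               keywords: Dict[str, Dict[str, float]] = KEYWORD_TABLE,
               protective: Dict[str, bool] = PROTECTIVE) -> float:
    """Type evaluation score in [0, 1]: the character-weighted share of the
    type's keywords that were found, inverted for risk types."""
    total = sum(keywords[dtype].values())
    found = sum(keywords[dtype][kw] for kw in matched)
    share = found / total if total else 0.0
    return share if protective[dtype] else 1.0 - share


def first_evaluation_score(symbol_table: List[str]) -> float:
    """First evaluation result score: type-weighted sum of the type scores,
    scaled to MAX_SCORE."""
    type_sets = match_keywords(symbol_table, KEYWORD_TABLE)
    weighted = sum(TYPE_WEIGHTS[dtype] * type_score(dtype, matched)
                   for dtype, matched in type_sets.items())
    return round(weighted * MAX_SCORE, 2)


def grade(score: float, low: float = 3.0, high: float = 7.0) -> str:
    """Map a score to the page's bands: [0, 3) low, [3, 7) medium, 7 and up high."""
    if score < low:
        return "low"
    if score < high:
        return "medium"
    return "high"


def combine(first: str, second: str) -> str:
    """Security level rule of Step S270: both high -> high; either low -> low;
    otherwise medium. Folding it pairwise also combines the sub-levels that
    make up the second evaluation result (anti-reverse, data protection,
    operating environment)."""
    if first == "high" and second == "high":
        return "high"
    if "low" in (first, second):
        return "low"
    return "medium"


if __name__ == "__main__":
    static_score = first_evaluation_score(SAMPLE_SYMBOL_TABLE)
    first = grade(static_score)
    # Constructed dynamic result: anti-debugging sub-test high, the other two medium.
    second = combine(combine("high", "medium"), "medium")
    print(f"static score {static_score} -> {first}; dynamic -> {second}; "
          f"overall -> {combine(first, second)}")
```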
Step S120: Send a dynamic test instruction corresponding to a preset function to the target application, and determine the second evaluation result corresponding to the target application according to the test response result returned by the target application for the dynamic test instruction and at least two pre-configured expected response results corresponding to the dynamic test instruction.
The dynamic test instruction is used to configure the preset function of the target application so as to test that function. The specific type and implementation of the dynamic test instruction can be set flexibly according to the kind of preset function; for example, the dynamic test instruction may be an anti-reverse test instruction or any of various other instructions. Correspondingly, a preset reverse test instruction table is obtained from the back-end database, and each anti-reverse test instruction stored in it is sent to the target application according to the anti-reverse functions stored in the table, the kinds of anti-reverse test instructions corresponding to each anti-reverse function, and/or the priority among the anti-reverse test instructions.
The test response result corresponding to each anti-reverse test instruction is obtained and stored in a test response set in the back-end database. The test response result specifically includes the test response made by the device on which the target application resides to the operation corresponding to each anti-reverse test instruction. The test response set may be implemented as a list, a file, a data packet, a test response set, or in other ways. For example, in a specific implementation, the anti-debugging operation corresponding to the anti-debugging anti-reverse test instruction is executed: the command "debugserver *:12349 -a <application process number>" is run on the terminal command line of the device on which the target application resides, and that device makes a test response to the anti-debugging operation.
The expected response results corresponding to the anti-reverse test instructions are pre-stored in the back-end database, and at least two pre-configured expected response results corresponding to the anti-reverse test instruction are queried; corresponding expected response results are set for each anti-reverse test. For example, when the preset anti-reverse function is the anti-debugging function, the at least two pre-configured expected response results corresponding to the anti-reverse test instruction include an anti-debugging-class expected response result indicating that the target application has the anti-debugging function, and a non-anti-debugging-class expected response result indicating that the target application does not have the anti-debugging function.
The test response result is matched against the at least two expected response results, and the second evaluation result corresponding to the target application is determined according to the matching result. For example, the test response result is matched against the anti-debugging-class expected response result indicating that the target application has the anti-debugging function and the non-anti-debugging-class expected response result indicating that it does not. If the anti-debugging anti-reverse test response result matches the anti-debugging-class expected response result indicating that the target application has the anti-debugging function, the target application has the anti-debugging anti-reverse function and its second evaluation result is high; if it matches the non-anti-debugging-class expected response result indicating that the target application does not have the anti-debugging function, the second evaluation result of the target application is low.
Step S130: Determine the security level of the target application according to the first evaluation result and the second evaluation result.
Here, the first evaluation result reflects the static security of the application from the perspective of static testing, and the second evaluation result reflects the dynamic security of the application from the perspective of dynamic testing. The specific content of the first and second evaluation results and the way they are obtained can be configured flexibly by those skilled in the art. Judging whether the target application is secure from the combination of the first and second evaluation results evaluates the security of the application more comprehensively and gives a more accurate result. For example, when the first evaluation result and the second evaluation result are both high, the security level of the target application is high; when either the first evaluation result or the second evaluation result is low, the security level of the target application is low; in all other cases, the security level of the target application is medium.
It can thus be seen that, by using the first evaluation result corresponding to the static test together with the second evaluation result corresponding to the dynamic test, this embodiment evaluates the security of the application comprehensively, avoids the drawbacks of a single-dimensional evaluation, and makes the evaluation result more accurate.
Embodiment Two
Fig. 2 shows a flowchart of a security detection method for iOS applications according to the second embodiment. This embodiment implements comprehensive security detection of the target application along two dimensions, static testing and dynamic testing. The detection tools for iOS applications currently on the market do not cover a comprehensive set of detection types: they do not adequately consider security testing of the target application's anti-reverse functions, its degree of data protection or the security of its runtime environment, and because they test security purely from the perspective of static code, the test results they produce are imprecise. It is therefore necessary to perform security testing of anti-debugging, anti-hooking, anti-injection, data security protection and runtime environment security from both the static and the dynamic dimension.
As shown in Fig. 2, the method comprises the following steps:
Step S210: Obtain the application symbol table corresponding to the target application, so that the type keywords obtained for the preset detection types can be matched against the application symbol table.
Specifically, in this step the application file of the target application is obtained and decompiled to obtain decompiled code, and the various kinds of application symbol table are extracted from the decompiled code. The application symbol table specifically comprises a static symbol table, a dynamic symbol table and/or a string table. A preset keyword data table is obtained from the back-end database and traversed to obtain each detection type stored in it together with the type keywords corresponding to each detection type, and the obtained type keywords are matched against the application symbol table. The preset keyword data table specifically comprises the mapping between detection types and type keywords and the priority among the detection types.
In this embodiment, the preset detection type is at least one of the following ten types, which are described by way of example:
(1) The first detection type is the leak-prevention type:
Specifically, the leak-prevention type detects whether the target application has a function for preventing log leakage. In implementing the present invention, the inventors found that the keywords NSLog, print, printf and write are indicative when detecting whether the target application has such a function: all four keywords carry the meaning of printing a log. The more often the keywords NSLog, print, printf and write appear, the higher the risk of log leakage in the target application and the weaker its protection against log leakage. The keywords NSLog, print, printf and write are therefore preset as the type keywords corresponding to the leak-prevention type.
(2) The second detection type is the sensitive-word type:
Specifically, the sensitive-word type detects the target application's protection against leakage of key information. In implementing the present invention, the inventors found that the keywords encrypt, decrypt, login, password, title and name are indicative when detecting whether the target application has a function for preventing leakage of key information. These keywords denote encryption, decryption, login, password, title and name respectively. The more often they appear, the higher the risk of leakage of key information in the target application and the weaker its protection against such leakage. The keywords encrypt, decrypt, login, password, title and name are therefore preset as the type keywords corresponding to the sensitive-word type.
(3) The third detection type is the code-obfuscation type:
Specifically, the code-obfuscation type detects whether the application file of the target application shows signs of code obfuscation. In implementing the present invention, the inventors found that the keywords didFinishLaunchingWithOptions and viewDidLoad are indicative when detecting whether the application file of the target application exhibits code obfuscation. The more often the keywords didFinishLaunchingWithOptions and viewDidLoad appear, the more likely it is that the application file of the target application exhibits code obfuscation. The keywords didFinishLaunchingWithOptions and viewDidLoad are therefore preset as the type keywords corresponding to the code-obfuscation type.
(4) The fourth detection type is the jailbreak-detection type:
Specifically, the jailbreak-detection type detects whether the device on which the target application runs is jailbroken. In implementing the present invention, the inventors found that the keywords Applications/Cydia.app, /etc/ssh/sshd_config, /usr/libexec/ssh-keysign, /usr/sbin/sshd, /bin/sh, /bin/bash, /etc/apt, /Applications/Cydia.app and /Library/MobileSubstrate/MobileSubstrate.dylib are indicative when detecting whether the device on which the target application runs is jailbroken. The more often these keywords appear, the more likely it is that the device on which the target application runs is jailbroken; these keywords are therefore preset as the type keywords corresponding to the jailbreak-detection type.
(5) The fifth detection type is the proxy-detection type:
Specifically, the proxy-detection type detects whether a network proxy is present while the target application runs. In implementing the present invention, the inventors found that the keyword kCFProxyTypeNone is indicative when detecting whether a network proxy is present while the target application runs: the presence of the keyword kCFProxyTypeNone indicates that a network proxy is more likely to be present while the target application runs. The keyword kCFProxyTypeNone is therefore preset as the type keyword corresponding to the proxy-detection type.
(6) The sixth detection type is the package-protection type:
Specifically, the package-protection type detects whether the application file of the target application has been repackaged. In implementing the present invention, the inventors found that the keywords CFBundleIdentifier, com.apple.developer.team-identifier and application-identifier are indicative when detecting whether the application file of the target application has been repackaged. The more often these keywords appear, the more likely it is that the target application has been repackaged. The keywords CFBundleIdentifier, com.apple.developer.team-identifier and application-identifier are therefore preset as the type keywords corresponding to the package-protection type.
(7) The seventh detection type is the string-protection type:
Specifically, the string-protection type detects whether the target application exhibits string obfuscation. In implementing the present invention, the inventors found that the keywords encrypt, decrypt, login, password, title and name are indicative when detecting whether the target application exhibits string obfuscation. These keywords denote encryption, decryption, login, password, title and name respectively. The more often they appear, the more likely it is that strings have been altered and that string obfuscation is present. The keywords encrypt, decrypt, login, password, title and name are therefore preset as the type keywords corresponding to the string-protection type.
(8) The eighth detection type is the URL-matching type:
Specifically, the URL-matching type detects the degree to which the network addresses of the device running the target application are protected. In implementing the present invention, the inventors found that the keywords http and https are indicative when detecting this degree of protection. The more often the keywords http and https appear, the lower the degree of protection of the network addresses of the device on which the target application runs. The keywords http and https are therefore preset as the type keywords corresponding to the URL-matching type.
(9) The ninth detection type is the anti-debugging type:
Specifically, the anti-debugging type detects whether the target application has an anti-debugging function. In implementing the present invention, the inventors found that the keyword ptrace is indicative when detecting whether the target application has an anti-debugging function: the presence of the keyword ptrace indicates that the target application's anti-debugging function is weaker. The keyword ptrace is therefore preset as the type keyword corresponding to the anti-debugging type.
(10) The tenth detection type is the anti-hooking type:
Specifically, the anti-hooking type detects whether the target application has an anti-hooking function. In implementing the present invention, the inventors found that the keywords libcycript.dylib, libReveal.dylib and SnoopiTweak.dylib are indicative when detecting whether the target application has an anti-hooking function. The more often these keywords appear, the weaker the anti-hooking function of the target application. The keywords libcycript.dylib, libReveal.dylib and SnoopiTweak.dylib are therefore preset as the type keywords corresponding to the anti-hooking type.
Step S220: Match the obtained type keywords against the application symbol table.
Specifically, in this step each detection type stored in the preset keyword data table and the type keywords corresponding to each detection type are traversed in order of the priority among the detection types, and the obtained type keywords are matched against the application symbol table.
The detection types specifically comprise ten detection types, among which a priority is preset. In the preset order of priority from high to low, the ten detection types are the leak-prevention type, sensitive-word type, code-obfuscation type, jailbreak-detection type, proxy-detection type, package-protection type, string-protection type, URL-matching type, anti-debugging type and/or anti-hooking type. For example, following the priority among the detection types, the leak-prevention detection type stored in the preset keyword data table and its corresponding type keywords NSLog, print, printf and write are queried first, and the obtained type keywords NSLog, print, printf and write are matched against the application symbol table.
Further, to make the comparison between the type keywords and the application symbol table both precise and fast, for each type keyword to be matched a type detection region matching the detection type of that keyword is determined, the target region corresponding to that type detection region is extracted from the application symbol table, and the obtained type keyword is matched against the target region only. For example, when the detection type is the sensitive-word detection type, for the obtained type keywords encrypt, decrypt, login, password, title and name the type detection region matching the sensitive-word detection type is determined. Specifically, the type detection region corresponding to the sensitive-word detection type comprises a region containing class names and/or a region containing method names. According to the determined region containing class names and/or region containing method names, the corresponding target region is extracted from the application symbol table and the obtained type keywords are matched against that target region.
Step S230: Extract the successfully matched type keywords as target keywords.
Specifically, in this step the obtained type keywords are matched against the application symbol table; if a type keyword appears in the application symbol table, it is extracted as a target keyword and stored in a type set in the back-end database. A corresponding type set is provided for each detection type, and each extracted target keyword is stored in the type set corresponding to its detection type; the type set can be implemented as a list, a file, a data packet, a type set package or in other ways. For example, the type keywords NSLog, print, printf and write corresponding to the leak-prevention detection type are obtained and matched against the application symbol table; if the type keywords NSLog and print are found in the application symbol table, they are stored in the type set corresponding to the leak-prevention detection type in the back-end database. When no type keyword appears in the application symbol table, the type set is empty and the number of type keywords in it is 0.
Further, to ensure that important detection types are checked first, the detection processes for the different types can be executed one after another in order of priority. For example, in the preset keyword data table the detection type following the leak-prevention detection type in priority is the sensitive-word detection type: the type keywords of the sensitive-word detection type are obtained from the preset keyword data table and matched against the application symbol table, the successfully matched type keywords are extracted as target keywords, and the target keywords are stored in the type set corresponding to the sensitive-word detection type in the back end. The same operations are then performed in turn for the code-obfuscation type, jailbreak-detection type, proxy-detection type, package-protection type, string-protection type, URL-matching type, anti-debugging type and anti-hooking type.
In addition, to improve detection efficiency, in other embodiments of the present invention the detection processes of the various detection types can also be executed simultaneously in multiple parallel threads; the present invention does not limit the order in which the detection processes of the different types are executed.
Step S240: Determine the first evaluation result corresponding to the target application according to the number and/or character weights of the successfully matched target keywords.
Specifically, in this step a type evaluation score corresponding to each type set is determined according to the number of target keywords contained in that type set and/or the character weights of those target keywords; the first evaluation result score of the target application is then determined according to the type evaluation score of each type set and the type weight of each type set. In one implementation, the type evaluation score corresponding to a type set is first determined from the number of target keywords in the type set and/or their character weights. For example, the type evaluation score of any one of the 10 detection types has a maximum of 10 points; whenever any keyword corresponding to that detection type is detected, 1 point is deducted from the type evaluation score, with a deduction limit of 10 points. Taking the leak-prevention type as an example, its type keywords are NSLog, print, printf and write, and the corresponding type set contains the target keywords NSLog and print, each of which appears once. Here a target keyword is a keyword that has been successfully matched against a type keyword. The type evaluation score of the type set is calculated from the number of target keywords: since 1 point is deducted for each keyword detected for the detection type, the type evaluation score of the leak-prevention type is 8 points.
Then, once the type evaluation score of each type set has been determined, the security evaluation score of the target application is determined from the type evaluation scores of the type sets and the type weights of the type sets. For example, according to the importance of the detection types, the type weights of the 10 type sets for the leak-prevention, sensitive-word, code-obfuscation, jailbreak-detection, proxy-detection, package-protection, string-protection, URL-matching, anti-debugging and anti-hooking types are assigned as 0.1, 0.1, 0.1, 0.15, 0.05, 0.1, 0.1, 0.15, 0.05 and 0.1 respectively, and the type evaluation scores of these 10 type sets are 4, 5, 3, 6, 7, 4, 5, 3, 6 and 7 respectively. The security evaluation score of the target application is calculated from the type evaluation scores and the type weights: 0.1*4+0.1*5+0.1*3+0.15*6+0.05*7+0.1*4+0.1*5+0.15*3+0.05*6+0.1*7=4.8.
The first evaluation result score of the target application has a maximum of 10 points; the higher the score, the better the first evaluation result. The first evaluation result of the target application is divided into 3 levels: when the first evaluation result score is between 0 and 3 (3 excluded), the first evaluation result is low; when it is between 3 and 7 (7 excluded), the first evaluation result is medium; when it is between 7 and 10, the first evaluation result is high.
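A worked example of the static scoring procedure of steps S210 to S240, the level thresholds above and the static/dynamic combination of step S130, written for this page rather than taken from the applicant's implementation; it assumes a constructed symbol table with region tags, case-sensitive substring matching and one point deducted per distinct matched keyword.

```python
"""Worked example of the static keyword scoring of steps S210 to S240, the level
thresholds of step S240 and the static/dynamic combination of step S130. Written for
this page as an illustration, not the applicant's code; the symbol table, the region
tags and the matching rule (case-sensitive substring) are assumptions."""

# Detection types in the page's priority order (high to low): type keywords from
# the description, the type weight of the page's worked example (sum 1.0), and the
# symbol-table regions searched (None = whole table). Restricting the sensitive-word
# type to class and method names follows the page; the region tags are assumed.
DETECTION_TYPES = {
    "leak_prevention": (("NSLog", "print", "printf", "write"), 0.10, None),
    "sensitive_word": (("encrypt", "decrypt", "login", "password", "title", "name"),
                       0.10, {"class", "method"}),
    "code_obfuscation": (("didFinishLaunchingWithOptions", "viewDidLoad"), 0.10, None),
    "jailbreak_detection": (("/Applications/Cydia.app", "/etc/ssh/sshd_config",
                             "/usr/libexec/ssh-keysign", "/usr/sbin/sshd", "/bin/sh",
                             "/bin/bash", "/etc/apt",
                             "/Library/MobileSubstrate/MobileSubstrate.dylib"), 0.15, None),
    "proxy_detection": (("kCFProxyTypeNone",), 0.05, None),
    "package_protection": (("CFBundleIdentifier", "com.apple.developer.team-identifier",
                            "application-identifier"), 0.10, None),
    "string_protection": (("encrypt", "decrypt", "login", "password", "title", "name"),
                          0.10, None),
    "url_matching": (("http", "https"), 0.15, None),
    "anti_debugging": (("ptrace",), 0.05, None),
    "anti_hooking": (("libcycript.dylib", "libReveal.dylib", "SnoopiTweak.dylib"),
                     0.10, None),
}

# Constructed symbol table: (region, entry) pairs standing in for the static and
# dynamic symbol tables and the string table extracted from a decompiled binary.
SYMBOL_TABLE = [
    ("symbol", "_NSLog"),
    ("symbol", "_printf"),
    ("symbol", "_ptrace"),
    ("class", "LoginViewController"),
    ("method", "-[LoginViewController viewDidLoad]"),
    ("method", "-[AppDelegate application:didFinishLaunchingWithOptions:]"),
    ("string", "/Applications/Cydia.app"),
    ("string", "https://api.example.invalid/v1/login"),
    ("string", "CFBundleIdentifier"),
]


def match_type_keywords(symbol_table, keywords, regions=None):
    """Steps S220/S230: the type set of target keywords, i.e. the type keywords that
    occur in the (optionally region-restricted) symbol table."""
    haystack = [entry for region, entry in symbol_table
                if regions is None or region in regions]
    return {kw for kw in keywords if any(kw in entry for entry in haystack)}


def type_score(target_keywords):
    """Step S240: each type starts at 10 points, 1 point per target keyword is deducted,
    and the deduction is capped at 10 points."""
    return max(0, 10 - len(target_keywords))


def weighted_score(type_scores, type_weights):
    """First evaluation result score: weighted sum of the per-type scores."""
    return round(sum(s * w for s, w in zip(type_scores, type_weights)), 4)


def first_evaluation_level(score):
    """Map the 0..10 score to the three levels of the description."""
    if score < 3:
        return "low"
    if score < 7:
        return "medium"
    return "high"


def static_evaluation(symbol_table):
    """Run the ten detection types in priority order; return (type sets, score)."""
    type_sets, scores, weights = {}, [], []
    for name, (keywords, weight, regions) in DETECTION_TYPES.items():
        type_sets[name] = match_type_keywords(symbol_table, keywords, regions)
        scores.append(type_score(type_sets[name]))
        weights.append(weight)
    return type_sets, weighted_score(scores, weights)


def second_evaluation_level(test_response, expected_responses):
    """Dynamic side: match the device's response to the anti-debugging test against
    the pre-configured expected response classes. Response strings are placeholders."""
    if test_response in expected_responses.get("anti_debugging", ()):
        return "high"
    if test_response in expected_responses.get("non_anti_debugging", ()):
        return "low"
    return None  # matches no configured class: cannot be rated automatically


def security_level(first, second):
    """Step S130: both high -> high; either low -> low; otherwise medium."""
    if first == "high" and second == "high":
        return "high"
    if "low" in (first, second):
        return "low"
    return "medium"
```

With the constructed table, the sensitive-word type scores 10 because "login" only occurs in a string-table URL outside its class/method regions, while the unrestricted string-protection type deducts for it.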
步骤S250:向目标应用发送与预设功能相对应的动态测试指令。Step S250: Send a dynamic test instruction corresponding to the preset function to the target application.
In this embodiment, the preset function includes an anti-reverse function and the dynamic test instruction includes an anti-reverse test instruction; accordingly, an anti-reverse test instruction corresponding to the preset anti-reverse function is sent to the target application. In specific implementation, a preset reverse test instruction table is obtained from the back-end database, and each anti-reverse test instruction stored in that table is sent to the target application according to the anti-reverse functions stored in the table, the types of anti-reverse test instruction corresponding to each anti-reverse function, and/or the priority among the anti-reverse test instructions. The anti-reverse function specifically includes an anti-debugging function, an anti-hook function and an anti-injection function; the reverse test instruction table specifically includes the mapping between anti-reverse functions and anti-reverse test instructions, the priority among the anti-reverse functions, and the priority among the anti-reverse test instructions. For example, in specific implementation, the anti-reverse functions stored in the reverse test instruction table are ordered from high to low priority as the anti-debugging function, the anti-hook function and the anti-injection function. According to the priority of the anti-reverse functions, the anti-debugging function and the anti-debugging test instruction corresponding to it are obtained, and the anti-debugging test instruction is sent to the target application. Of course, setting priorities for the anti-reverse functions stored in the reverse test instruction table is optional; in specific implementation the anti-reverse functions stored in the table may have no priority set, that is, the functions are peers, and accordingly the anti-debugging, anti-hook and anti-injection functions are carried out in parallel at the same time.
Further, to ensure that the anti-reverse test instructions corresponding to important anti-reverse functions are sent first, the sending of the anti-reverse test instructions corresponding to multiple different types of anti-reverse function may be executed in sequence according to the priority order of each type. For example, in specific implementation, after the anti-debugging test instruction corresponding to the anti-debugging function has been sent to the target application, the anti-hook function and the anti-hook test instruction corresponding to it are obtained according to the preset priority of the anti-reverse functions, and the anti-hook test instruction is sent to the target application.
In addition, to improve detection efficiency, in other embodiments of the present invention the above anti-reverse function detection processes may also be executed simultaneously by multiple threads running in parallel; the present invention does not limit the specific execution order of the individual anti-reverse function detection processes.
Further, to communicate with the target application, the anti-reverse test instruction corresponding to the preset anti-reverse function is sent to the target application through a second terminal device that is wirelessly connected to the first terminal device on which the target application is installed, where the first terminal device and the second terminal device are in the same wireless network. In specific implementation, the Mac computer and the iPhone are connected to the same wireless network so that they are in the same network segment; the Mac logs in to the iPhone automatically over ssh, which establishes the wireless connection from the Mac to the iPhone, and the Mac sends the anti-reverse test instruction corresponding to the preset anti-reverse function to the target application on the iPhone.
Step S260: Determine a second evaluation result corresponding to the target application according to the test response result returned by the target application for the dynamic test instruction and at least two pre-configured expected response results corresponding to the dynamic test instruction.
Specifically, this step includes at least one of the following three implementation manners:
Manner 1: In the first implementation manner of this step, the second evaluation result corresponding to the target application is determined directly from the test response result returned by the target application for the dynamic test instruction and the at least two pre-configured expected response results corresponding to the dynamic test instruction.
This implementation manner performs security detection on the target application from the perspective of its anti-reverse capability. At present, debugging an application's source code, intercepting the application's running process and injecting dynamic libraries into it are widespread; performing anti-reverse function detection on an application makes it possible to assess how strong the application's anti-reverse functions are and to discover defects in them early.
Specifically, the test response result corresponding to each anti-reverse test instruction is obtained and stored in a test response set in the back-end database. The test response result specifically includes the test response that the device where the target application is located makes to the operation corresponding to each anti-reverse test instruction. The test response set may be implemented as a list, a file, a data packet or another such structure. For example, in specific implementation, the target application receives the anti-debugging test instruction, the anti-hook test instruction and the anti-injection test instruction, and according to the priority of these instructions the anti-debugging operation corresponding to the anti-debugging test instruction is executed first: the command "debugserver *:12349 -a <application process number>" is run on the terminal command line of the device where the target application is located, and that device makes a test response to the anti-debugging operation. Next in priority, the target application executes the anti-hook operation corresponding to the anti-hook test instruction: the command "cycript -p <application process number>" is run on the terminal command line of the device where the target application is located, and that device makes a test response to the anti-hook operation. Next in priority, the target application executes the anti-injection operation corresponding to the anti-injection test instruction: the command "optool install -c load -p "<application dynamic library>" -t <application binary file>" is run in the terminal of the device where the target application is located, and that device makes a test response to the anti-injection operation.
The expected response results set for each anti-reverse test are stored in advance in the back-end database, and the at least two pre-configured expected response results corresponding to the anti-reverse test instruction are queried. When the preset anti-reverse function is the anti-debugging function, the at least two pre-configured expected response results corresponding to the anti-reverse test instruction include an anti-debugging-type expected response result indicating that the target application has the anti-debugging function, and a non-anti-debugging-type expected response result indicating that the target application does not have the anti-debugging function. The anti-debugging-type expected response result contains a preset anti-debugging target field; for example, the preset anti-debugging target field is "Segmentation fault: 11". In specific implementation, the anti-debugging operation corresponding to the anti-debugging test instruction is executed by running "debugserver *:12349 -a <application process number>" on the terminal command line of the device where the target application is located. If "Segmentation fault: 11" appears in the returned information, the target application has the anti-debugging anti-reverse function; if "Segmentation fault: 11" does not appear in the returned information, the target application does not have the anti-debugging anti-reverse function.
When the preset anti-reverse function is the anti-hook function, the at least two pre-configured expected response results corresponding to the anti-reverse test instruction include an anti-hook-type expected response result indicating that the target application has the anti-hook function, and a non-anti-hook-type expected response result indicating that the target application does not have the anti-hook function. The anti-hook-type expected response result contains a preset anti-hook target field; for example, the preset anti-hook target field is "error". In specific implementation, the anti-hook operation corresponding to the anti-hook test instruction is executed by running "cycript -p <application process number>" on the terminal command line of the device where the target application is located. If "error" appears in the returned information, the target application has the anti-hook anti-reverse function; if "error" does not appear in the returned information, the target application does not have the anti-hook anti-reverse function.
When the preset anti-reverse function is the anti-injection function, the at least two pre-configured expected response results corresponding to the anti-reverse test instruction include an anti-injection-type expected response result indicating that the target application has the anti-injection function, and a non-anti-injection-type expected response result indicating that the target application does not have the anti-injection function. The anti-injection-type expected response result includes a crash-type response result (the application exits unexpectedly on launch). For example, in specific implementation, the command "optool install -c load -p "<application dynamic library>" -t <application binary file>" is run, and the target application is then packaged and installed. If a crash-type response result occurs, the target application has the anti-injection anti-reverse function; if no crash-type response result occurs, the target application does not have the anti-injection anti-reverse function.
The test response result is matched against the at least two expected response results. For example, in specific implementation, the expected response results corresponding to the anti-debugging anti-reverse function test specifically include an anti-debugging-type expected response result indicating that the target application has the anti-debugging function, and a non-anti-debugging-type expected response result indicating that the target application does not have the anti-debugging function. The test response result is matched against both of these. If the anti-debugging test response result is the anti-debugging-type expected response result indicating that the target application has the anti-debugging function, the target application has the anti-debugging anti-reverse function; if the anti-debugging test response result is the non-anti-debugging-type expected response result indicating that the target application does not have the anti-debugging function, the target application does not have the anti-debugging anti-reverse function.
The strength of the target application's anti-reverse function is judged according to how the three anti-reverse function test response results match. An anti-reverse function score is set, and whether the target application has the anti-reverse function is determined from that score. A separate score is set for each anti-reverse function: in specific implementation, if the target application has the anti-debugging anti-reverse function, the anti-debugging score is 1, otherwise it is 0; if the target application has the anti-hook anti-reverse function, the anti-hook score is 1, otherwise it is 0; if the target application has the anti-injection anti-reverse function, the anti-injection score is 1, otherwise it is 0. The second evaluation result score of the target application is the sum of the anti-debugging score, the anti-hook score and the anti-injection score.
The second evaluation result is graded according to the second evaluation result score. If the score is 0, the anti-reverse security level of the target application is low and the second evaluation result is low; if the score is 1, the anti-reverse security level is medium-low and the second evaluation result is medium-low; if the score is 2, the anti-reverse security level is medium-high and the second evaluation result is medium-high; if the score is 3, the anti-reverse level of the target application is high and the second evaluation result is high.
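The following Python sketch is an added example and not the patent's or the applicant's own code. It implements the procedure of steps S250 and S260 as described above: a priority-ordered reverse test instruction table, matching of each test response against the target field of the "has this protection" expected result, a 0/1 score per anti-reverse function, and the four-level grading of the summed score. The table layout, the sample responses and the crash marker used for the anti-injection case are constructed for the example; sending an instruction to the device is represented by a caller-supplied function rather than a real ssh session, so the example runs offline.

```python
"""Added example, not the patent's own code: priority-ordered dispatch of
anti-reverse test instructions, matching of responses against expected
results, and grading of the second evaluation result."""
from typing import Callable, Dict, List, Tuple

# Constructed reverse test instruction table. The patent describes such a
# table in the back-end database but gives no format; here each entry maps
# an anti-reverse function to its priority (lower value = sent first) and
# to the target field the "has this protection" expected response contains.
INSTRUCTION_TABLE: Dict[str, Dict[str, object]] = {
    "anti_debug":     {"priority": 1, "target_field": "Segmentation fault: 11"},
    "anti_hook":      {"priority": 2, "target_field": "error"},
    # The page only says the anti-injection expected result is a crash-type
    # response; the marker text below is a constructed placeholder.
    "anti_injection": {"priority": 3, "target_field": "<crash on launch>"},
}

# Grading of the second evaluation result exactly as the page states it.
LEVELS = {0: "low", 1: "medium-low", 2: "medium-high", 3: "high"}

# Constructed sample responses standing in for what the device returns
# after each instruction's command has been run.
SAMPLE_RESPONSES: Dict[str, str] = {
    "anti_debug": "attached to process 4242\nSegmentation fault: 11",
    "anti_hook": "cycript: error: unable to attach to process",
    "anti_injection": "app launched and reached the home page",
}


def ordered_functions(table: Dict[str, Dict[str, object]]) -> List[str]:
    """Return the function names from highest to lowest priority."""
    return sorted(table, key=lambda name: table[name]["priority"])


def matches_protected(response: str, target_field: str) -> bool:
    """Match a test response against the 'has protection' expected result:
    it matches when the preset target field occurs in the returned text."""
    return target_field in response


def evaluate(send: Callable[[str], str],
             table: Dict[str, Dict[str, object]] = INSTRUCTION_TABLE
             ) -> Tuple[Dict[str, int], int, str]:
    """Send each instruction in priority order, score the function 1 when
    the response matches the protected expected result and 0 otherwise,
    then grade the summed score into the second evaluation result."""
    scores: Dict[str, int] = {}
    for name in ordered_functions(table):
        response = send(name)
        target = str(table[name]["target_field"])
        scores[name] = 1 if matches_protected(response, target) else 0
    total = sum(scores.values())
    return scores, total, LEVELS[total]


def sample_sender(name: str) -> str:
    """Constructed stand-in for sending an instruction to the device."""
    return SAMPLE_RESPONSES.get(name, "")


if __name__ == "__main__":
    per_function, total, level = evaluate(sample_sender)
    print(per_function, total, level)
```

With the constructed responses the anti-debugging and anti-hook checks match their target fields and the anti-injection check does not, so the summed score is 2 and the second evaluation result is medium-high. Substituting a real sender that runs the table's commands over the ssh connection described above is the only change needed to drive the same matching and grading from live responses.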
Further, to improve the efficiency of anti-reverse function detection, the anti-reverse test instruction corresponding to one anti-reverse function is divided by key field into multiple anti-reverse test instructions. One anti-reverse function therefore corresponds to multiple anti-reverse test instructions, and a priority is preset among them. For example, the anti-reverse test instruction corresponding to the anti-debugging function is divided by key field into anti-debugging test instruction 1, anti-debugging test instruction 2 and anti-debugging test instruction 3, which are arranged from high to low preset priority as anti-debugging test instruction 1, anti-debugging test instruction 2 and anti-debugging test instruction 3. In specific implementation, the device where the target application is located executes the commands corresponding to anti-debugging test instructions 1, 2 and 3 in turn.
Through the above steps, the program startup page of the target application in the application runtime environment is obtained and compared with the preset environment startup page to judge whether the target application starts normally in that runtime environment, thereby realizing security detection of the target application's runtime environment. For ease of understanding, a specific example of implementing the above method in this manner is described in detail below:
Step 1: The Mac computer integrates the ideviceinstaller tool so that it can connect to the iPhone remotely and manage it.
Specifically, the Mac computer integrates the ideviceinstaller tool to connect to the iPhone remotely and to manage and operate the iOS applications on it. Enter and run the command "ideviceinstaller -i xxx.ipa" in the Mac's terminal, where "xxx.ipa" is the file name of the target application's IPA (Apple application package) file.
Step 2: The remotely connected iPhone integrates the frida environment so that the application program on the iPhone can be invoked.
Specifically, enter and run the command "python xxx.py bundleId" in the Mac's terminal, where "xxx" is the name of the target application. The application is then started automatically on the remotely connected iPhone.
Step 3: Compare the home page of the application after this startup with its home page when the application is opened normally. If the home pages are the same, the application starts normally in this runtime environment; if the application crashes or cannot load, it does not start normally in this runtime environment.
Step 4: Use the ideviceinstaller tool to uninstall the installed application.
Specifically, enter and run the command "ideviceinstaller -U bundleId" in the Mac's terminal, where "bundleId" is the bundle identifier of the target application. The application is then uninstalled automatically from the remotely connected iPhone.
In summary, in this manner the target application on the iPhone can be installed, started and uninstalled automatically, with no manual installation, starting or uninstallation. This departs from the traditional security detection approach and realizes automatic security detection, so that security detection in various runtime environments can be carried out more quickly, greatly improving security detection efficiency and meeting the growing demand for iOS security detection.
Manner 2: In the second implementation manner of this step, the obtained binary file of the target application is decompiled to obtain the decompiled code corresponding to the target application; the target code corresponding to a preset target area is extracted from the decompiled code, whether the target code contains content matching a preset obfuscation identifier is judged, and the second evaluation result corresponding to the target application is determined in combination with the judgment result.
This implementation manner determines the second evaluation result corresponding to the target application from the combination of two types of judgment result: the anti-reverse security level of the target application and the data security level of the target application.
This implementation manner performs security detection on the target application from the perspective of its data security. At present, tampering with application program code and program strings is widespread; performing data protection security detection on the target application makes it possible to discover defects in its data protection functions early.
Specifically, a decompilation tool is used to decompile the obtained binary file of the target application. The decompilation tool specifically includes a first decompilation tool and a second decompilation tool. In specific implementation, the obtained binary file of the target application is decompiled with the first decompilation tool to obtain first decompiled code, and/or with the second decompilation tool to obtain second decompiled code. The first and second decompilation tools may be used together, or either one may be used alone. For example, the first decompilation tool is MachOView and the second decompilation tool is Hopper Disassembler.
Priorities are preset for the different types of decompiled code, and the decompiled code is obtained according to that priority. For example, the first decompiled code takes precedence over the second decompiled code, where the first decompiled code is the MachOView decompiled code and the second decompiled code is the Hopper Disassembler decompiled code; in specific implementation, the MachOView decompiled code is obtained first.
The decompiled code specifically includes the first decompiled code and the second decompiled code. The target code corresponding to the preset target area contained in the first decompiled code includes dynamic library information and/or header file information; the target code corresponding to the preset target area contained in the second decompiled code includes preset functions and/or preset strings. The first decompiled code is the MachOView decompiled code and the second decompiled code is the Hopper Disassembler decompiled code.
In specific implementation, dynamic library information and/or header file information is set for the first decompiled code; the first decompiled code and the dynamic library information and/or header file information are obtained from the back-end database and compared; the target code in the decompiled code that contains the dynamic library information and/or header file information is extracted and stored in the back-end database. For example, the first decompiled code is the MachOView decompiled code: MachOView parses the structure of the target application, making the dynamic library information and header file information inside the target application's binary file visible. Dynamic library information and/or header file information is set for the MachOView decompiled code; the MachOView decompiled code and the dynamic library information and/or header file information are obtained from the back-end database and compared; the target code in the decompiled code that contains the dynamic library information and/or header file information is extracted and stored in the back-end database. And/or preset functions and/or preset strings are set for the second decompiled code; the second decompiled code and the preset functions and/or preset strings are obtained from the back-end database and compared; the target code in the decompiled code that contains the preset functions and/or preset strings is extracted and stored in the back-end database. For example, the second decompiled code is the Hopper Disassembler decompiled code: Hopper Disassembler makes visible the functions and strings inside the target application's binary file and the logic code inside its methods. Preset functions and/or preset strings are set for the Hopper Disassembler decompiled code; in specific implementation, the decompiled code corresponding to Hopper Disassembler and the preset functions and/or preset strings are obtained from the back-end database and compared, and the target code in the decompiled code that contains the preset functions and/or preset strings is extracted and stored in the back-end database.
The first decompiled code is matched against the preset obfuscation identifier to judge whether the target code corresponding to the preset target area contained in the first decompiled code includes content matching the preset obfuscation identifier, giving a first judgment result; the second decompiled code is matched against the preset obfuscation identifier to judge whether the target code corresponding to the preset target area contained in the second decompiled code includes content matching the preset obfuscation identifier, giving a second judgment result. The first decompiled code is the MachOView decompiled code and the second decompiled code is the Hopper Disassembler decompiled code. For example, in specific implementation, the target application's binary file is loaded into MachOView and the Objc CFStrings table is inspected; the decompiled code corresponding to the Objc CFStrings table is matched against the preset obfuscation identifier. If the decompiled code of the Objc CFStrings table displays identifiers, the target application's program strings are obfuscated; if it displays the target application's strings normally, the program strings are not obfuscated. And/or, in specific implementation, the target application's binary file is loaded into Hopper Disassembler v4, a method function is selected at random, and the decompiled code corresponding to that method function is matched against the preset obfuscation identifier. If garbled content appears in the decompiled code of the method function, the target application's program code has been obfuscated; if no garbled content appears, the program code has not been obfuscated.
Weights are preset for the first and second judgment results according to their importance, and the data protection security score of the target application is calculated from the two judgment results and their weights. For example, in a specific implementation, if the first judgment result is that the first decompiled code contains the preset obfuscation identifier, the first judgment result is recorded as 0; if the first judgment result is that the first decompiled code does not contain the preset obfuscation identifier, the first judgment result is recorded as 1. Likewise, if the second judgment result is that the second decompiled code contains the preset obfuscation identifier, the second judgment result is recorded as 0; if the second judgment result is that the second decompiled code does not contain the preset obfuscation identifier, the second judgment result is recorded as 1. In this example, weights are assigned to the first and second judgment results separately: the weight of the first judgment result is 0.5, the weight of the second judgment result is 0.5, the first judgment result is 0 and the second judgment result is 1, so the data protection security score of the target application is 0*0.5+1*0.5=0.5.
Specifically, the data protection security level of the target application is divided into four levels. If the data protection security score of the target application is 0, the data protection security level is low; if the score is 1, the level is high; if the score lies between 0 and 0.5 (excluding both 0 and 0.5), the level is medium-low; if the score lies between 0.5 and 1 (excluding 1), the level is medium-high. In this example the data protection security score of the target application is 0.5, so its data protection security level is medium-high.
Optionally, in this step, priorities are preset for the different types of decompiled code, and the target code is obtained from the decompiled code in order of that priority.
Further, in order to select target code that includes logical operators and make full use of the decompilation tool, each method function contained in the decompiled code is obtained, the method functions containing logical operators are extracted as target functions, and the code corresponding to the target functions is taken as the target code corresponding to the preset target area.
Considering together the anti-reverse security level of the target application from mode one and the data protection security level from mode two: when both the anti-reverse security level and the data protection security level are high, the second evaluation result of the target application is high; when either of them is low, the second evaluation result of the target application is low; in all other cases, the second evaluation result of the target application is medium.
Mode three: in the third implementation of this step, when a startup instruction corresponding to the target application is detected, the application runtime environment corresponding to the target application is determined from the startup instruction; the program startup page displayed after the target application is launched in that runtime environment is obtained; the preset environment startup page associated with the runtime environment corresponding to the target application is queried; and whether the program startup page matches the environment startup page is judged, with the second evaluation result corresponding to the target application determined from that judgment.
This implementation determines the second evaluation result corresponding to the target application from the combination of two kinds of judgment result: the anti-reverse security level of the target application and the security of the target application's runtime environment. It performs security detection of the target application from the perspective of its runtime environment. iOS applications can run on many different iOS versions and iPhone models, and both the iOS versions and the iPhone models iterate quickly, so it is necessary to ensure that an iOS application runs normally in each of these runtime environments.
Specifically, the startup instruction sent by the target application is received; the environment field contained in the startup instruction describes the runtime environment in which the target application is currently located. The startup instruction is parsed, the environment field is extracted, and the application runtime environment corresponding to the target application is determined from that field. For example, target application A is launched on iOS system C of iPhone device B. In a specific implementation, the startup instruction is received and parsed; the environment field of the parsed instruction contains keywords for the iPhone device model and the iOS system category, and those keywords, together with the iPhone device model and iOS system category information listed under them, are read directly.
Alternatively, the startup instruction sent by the target application is received and parsed, and the application runtime environment corresponding to the target application is determined from the instruction format of the parsed startup instruction and/or the instruction rules associated with the instruction. For example, the instruction format of the parsed startup instruction consists of a first part and a second part: the first part represents the iPhone device model in the runtime environment and the second part represents the iOS system version in the runtime environment. iPhone device models are represented by distinct device identification codes and iOS system versions by distinct version identification codes. The startup instruction is parsed, the identification codes of the first and second parts are obtained from the parsed instruction, and the iPhone device model and iOS system version corresponding to those codes are determined according to the instruction rules. The instruction rules specifically include the mapping between iPhone device models and model identification codes and the mapping between iOS system versions and version identification codes.
After the target application is launched in its current runtime environment, the program startup page is displayed after a preset time. Specifically, in this step, the program startup page displayed a preset time after the target application is launched in the application runtime environment is obtained.
The program startup page displayed after the target application is launched in the application runtime environment is obtained, the startup environment matching table is retrieved from the backend database, and the environment startup page for the runtime environment corresponding to the target application is looked up in that table. The startup environment matching table specifically holds the mapping between the target application, the application runtime environment and the environment startup page.
The program startup page that the target application displays after launching in the application runtime environment is obtained from the target application, and the environment startup page associated with that runtime environment is looked up in the startup environment matching table. The program startup page is compared with the environment startup page to determine any difference between them. If there is no difference, that is, the two match, the target application is safe in that runtime environment; if there is a difference, that is, the two do not match, the target application is not safe in that runtime environment.
Further, in order to evaluate the runtime environment security of the target application while it runs a preset function, the program function page displayed after the target application runs the preset function in the application runtime environment is obtained; the preset environment function page associated with the runtime environment corresponding to the target application is queried; whether the program function page matches the environment function page is judged; and whether the target application is safe in the preset runtime environment is determined from that judgment.
The environment function pages are built as follows: for each type of application runtime environment, the interface shown when the target application runs the preset function in that type of runtime environment and the run succeeds is obtained, and that interface is stored in the preset function environment matching table as the environment function page associated with that type of runtime environment. The function environment matching table specifically holds the four-way mapping between the target application, the application runtime environment, the preset function and the environment function page, together with the priority of the preset function corresponding to each environment function page.
Specifically, in this step, according to the priorities of the preset functions stored in the preset function environment matching table, the program function pages displayed after the target application runs each type of preset function in the application runtime environment are obtained in turn; the environment function page associated with the target application, the application runtime environment and the preset function is retrieved from the function environment matching table; the program function page is overlaid on the environment function page and the difference between them is compared. If there is no difference between the program function page and the environment function page, the preset function of the target application runs safely in that runtime environment and the runtime environment security level for that preset function is high; if there is a difference, the preset function of the target application does not run safely in that runtime environment and the runtime environment security level for that preset function is low.
Considering together the anti-reverse security level of the target application from mode one and the runtime environment security level from mode three: when both the anti-reverse security level and the runtime environment security level are high, the second evaluation result of the target application is high; when either of them is low, the second evaluation result of the target application is low; in all other cases, the second evaluation result of the target application is medium. Optionally, to ensure that important preset functions undergo runtime environment security detection first, the functions corresponding to the target application in each type of application runtime environment are determined in advance; there are several preset functions, and priorities exist between them. The priorities of the preset functions are stored in the function environment matching table. For example, in a specific implementation, the preset functions in the function environment matching table are sorted by priority from high to low, giving the order preset function 1, preset function 2, preset function 3. The target application runs preset function 1 in the application runtime environment, the program function page and the environment function page of preset function 1 are obtained, and the two are overlaid and compared. The same operations are then performed for preset function 2 and preset function 3 in turn.
In addition, to improve detection efficiency, in other embodiments of the invention the runtime environment security detection of the preset functions may also be carried out simultaneously by multiple threads executing in parallel, each performing the runtime environment security detection process described above for one preset function; the invention does not limit the specific execution order of the runtime environment security detection process for the individual preset functions.
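The following is added illustration code for mode three, not code from the patent or the applicant: it parses the environment field of a startup instruction through the model/version code mappings, looks up the expected pages in the startup environment matching table and the function environment matching table, and checks the preset functions in priority order. The instruction layout, the code tables, the table contents and the page identifiers are all assumptions made here.

```python
"""Constructed example of mode three (not the applicant's code): parse the
environment field of a startup instruction with the model/version code
mappings, look up the expected pages in the startup environment matching
table and the function environment matching table, and check preset
functions in priority order.  The instruction layout, the code tables, the
table contents and the page identifiers are all assumptions made here."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Instruction rules (assumed): device identification code -> iPhone model,
# version identification code -> iOS system version.
MODEL_CODES = {"M07": "iPhone 7", "M0X": "iPhone X"}
VERSION_CODES = {"V11": "iOS 11", "V12": "iOS 12"}


@dataclass(frozen=True)
class RuntimeEnvironment:
    device_model: str
    ios_version: str


def parse_startup_instruction(instruction: str) -> Tuple[str, RuntimeEnvironment]:
    """Assumed format: 'START <bundleId> ENV=<modelcode>-<versioncode>'.
    As in the text, the first part of the environment field is the device
    identification code and the second part the version identification code."""
    parts = instruction.split()
    if len(parts) != 3 or parts[0] != "START" or not parts[2].startswith("ENV="):
        raise ValueError(f"malformed startup instruction: {instruction!r}")
    model_code, sep, version_code = parts[2][len("ENV="):].partition("-")
    if not sep or model_code not in MODEL_CODES or version_code not in VERSION_CODES:
        raise ValueError(f"unknown environment field: {parts[2]!r}")
    return parts[1], RuntimeEnvironment(MODEL_CODES[model_code], VERSION_CODES[version_code])


APP = "com.example.app"          # constructed bundle identifier
ENV_X12 = RuntimeEnvironment("iPhone X", "iOS 12")

# Startup environment matching table: (app, environment) -> environment
# startup page.  Pages are represented by identifiers here; a real system
# would compare rendered screenshots.
STARTUP_TABLE: Dict[Tuple[str, RuntimeEnvironment], str] = {
    (APP, RuntimeEnvironment("iPhone 7", "iOS 11")): "home-v1",
    (APP, ENV_X12): "home-v1",
}

# Function environment matching table: (app, environment, preset function)
# -> (environment function page, priority); higher priority is checked first.
FUNCTION_TABLE: Dict[Tuple[str, RuntimeEnvironment, str], Tuple[str, int]] = {
    (APP, ENV_X12, "login"): ("login-ok", 3),
    (APP, ENV_X12, "payment"): ("pay-ok", 2),
    (APP, ENV_X12, "settings"): ("settings-ok", 1),
}


def startup_is_safe(bundle_id: str, env: RuntimeEnvironment,
                    observed_page: Optional[str]) -> bool:
    """Match the observed program startup page against the environment
    startup page.  None models a crash or a page that never loaded."""
    expected = STARTUP_TABLE.get((bundle_id, env))
    if expected is None:
        raise KeyError(f"no environment startup page for {bundle_id} on {env}")
    return observed_page is not None and observed_page == expected


def preset_functions_by_priority(bundle_id: str, env: RuntimeEnvironment) -> List[str]:
    """Preset functions for this app and environment, highest priority first."""
    rows = [(fn, prio) for (b, e, fn), (_, prio) in FUNCTION_TABLE.items()
            if b == bundle_id and e == env]
    return [fn for fn, _ in sorted(rows, key=lambda r: r[1], reverse=True)]


def function_security_levels(bundle_id: str, env: RuntimeEnvironment,
                             observed_pages: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Check each preset function in priority order: high when the observed
    program function page matches the stored environment function page,
    low otherwise (the dict preserves the checking order)."""
    levels: Dict[str, str] = {}
    for fn in preset_functions_by_priority(bundle_id, env):
        expected, _ = FUNCTION_TABLE[(bundle_id, env, fn)]
        levels[fn] = "high" if observed_pages.get(fn) == expected else "low"
    return levels


def runtime_environment_level(instruction: str, observed_startup: Optional[str],
                              observed_pages: Dict[str, Optional[str]]) -> str:
    """Overall runtime environment security level.  The aggregation is an
    assumption: a failed startup or any failed preset function gives low."""
    bundle_id, env = parse_startup_instruction(instruction)
    if not startup_is_safe(bundle_id, env, observed_startup):
        return "low"
    per_function = function_security_levels(bundle_id, env, observed_pages)
    return "high" if all(v == "high" for v in per_function.values()) else "low"
```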
Through the above steps, the program startup page of the target application in the application runtime environment is obtained and compared with the preset environment startup page to judge whether the target application starts normally in that runtime environment, thereby implementing security detection of the target application's runtime environment. For ease of understanding, a specific example of how the method of this mode is implemented is described in detail below:
Step 1: The Mac computer integrates the ideviceinstaller (device installer) tool so that the Mac computer can connect remotely to the iPhone device and manage it.
Specifically, the Mac computer integrates the ideviceinstaller tool to connect remotely to the iPhone device and manage and operate the iOS applications on it. The command "ideviceinstaller -i xxx.ipa" is entered and run in the terminal of the Mac computer, where "xxx.ipa" is the file name of the target application's IPA (Apple application package) file.
Step 2: The remotely connected iPhone device integrates the frida environment so that the programs of the applications inside the iPhone can be invoked.
Specifically, the command "python xxx.py bundleId" is entered and run in the terminal of the Mac computer, where "xxx" is the name of the target application. The application on the remotely connected iPhone device is then launched automatically.
Step 3: The home page of the application after this launch is compared with the home page shown when the application opens normally. If the home pages are the same, the application starts normally in this runtime environment; if the application crashes or fails to load, the application does not start normally in this runtime environment.
Step 4: The ideviceinstaller tool is used to uninstall the installed application.
Specifically, the command "ideviceinstaller -U bundleId" is entered and run in the terminal of the Mac computer, where "xxx" is the name of the target application. The application on the remotely connected iPhone device is then uninstalled automatically.
In summary, in this embodiment the target application on the iPhone device can be installed, launched and uninstalled automatically, with no manual installation, launch or uninstallation. This departs from the traditional security detection approach, realizes automated security detection, achieves security detection in various runtime environments more quickly, greatly improves the efficiency of security detection and meets the growing demand for iOS security detection.
In a specific implementation, the three implementation modes above may be used individually or in combination. In this embodiment, to improve accuracy, the three modes are combined to determine the second evaluation result; that is, the second evaluation result is determined from the combination of three judgment results: the anti-reverse function security level of the target application, the data protection security level of the target application and the runtime environment security of the target application.
Step S270: Determine the security level of the target application according to the first evaluation result and the second evaluation result.
The security level of the target application is determined from the first evaluation result and the second evaluation result. Specifically, when the first evaluation result and the second evaluation result are both high, the security level of the target application is high; when either of them is low, the security level of the target application is low; in all other cases, the security level of the target application is medium. The second evaluation result in this embodiment is determined by combining the judgment results of the three implementation modes. The second evaluation result is determined by combining the anti-reverse security level and the data protection security level of the target application: when both are high, the second evaluation result of the target application is high; when either is low, the second evaluation result is low; in all other cases, the second evaluation result is medium. And/or the second evaluation result is determined by combining the anti-reverse security level and the runtime environment security level of the target application: when both are high, the second evaluation result of the target application is high; when either is low, the second evaluation result is low; in all other cases, the second evaluation result is medium.
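The following is added illustration code, not code from the patent or the applicant, that carries the grading arithmetic of mode two and step S270 through in one place: the 0/1 judgment results and their weights, the four-level bucketing with the open and closed bounds given above, and the pairwise high/low/medium combination rule. The anti-reverse level and first evaluation result fed into the worked example are assumed inputs.

```python
"""Worked example of the grading arithmetic described in this embodiment.
This is constructed illustration code, not the applicant's implementation;
it follows the scoring conventions stated in the text (judgment results
recorded as 0 or 1, a weighted sum bucketed into four data protection
levels, and the pairwise high/low/medium combination rule)."""
from typing import Dict, Sequence

LOW, MEDIUM_LOW, MEDIUM, MEDIUM_HIGH, HIGH = (
    "low", "medium-low", "medium", "medium-high", "high")


def judgment_result(contains_obfuscation_identifier: bool) -> int:
    """Record a judgment result as the text does: 0 when the decompiled
    target code contains the preset obfuscation identifier, 1 otherwise."""
    return 0 if contains_obfuscation_identifier else 1


def data_protection_score(results: Sequence[int],
                          weights: Sequence[float]) -> float:
    """Weighted sum of the judgment results, e.g. the MachOView string-table
    check and the Hopper method-function check."""
    if len(results) != len(weights):
        raise ValueError("one weight per judgment result")
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1 so the score stays in [0, 1]")
    if any(r not in (0, 1) for r in results):
        raise ValueError("judgment results are recorded as 0 or 1")
    return sum(r * w for r, w in zip(results, weights))


def data_protection_level(score: float) -> str:
    """Four-level bucketing with exactly the open and closed bounds the
    text specifies: 0 -> low, (0, 0.5) -> medium-low, [0.5, 1) ->
    medium-high, 1 -> high."""
    if score == 0:
        return LOW
    if score == 1:
        return HIGH
    if 0 < score < 0.5:
        return MEDIUM_LOW
    if 0.5 <= score < 1:
        return MEDIUM_HIGH
    raise ValueError(f"score out of range: {score}")


def combine_levels(level_a: str, level_b: str) -> str:
    """The rule the text applies to every pairing (anti-reverse with data
    protection, anti-reverse with runtime environment, first with second
    evaluation result): both high -> high, either low -> low, else medium.
    Note that medium-low and medium-high count as neither high nor low."""
    if level_a == HIGH and level_b == HIGH:
        return HIGH
    if LOW in (level_a, level_b):
        return LOW
    return MEDIUM


def worked_example() -> Dict[str, object]:
    """Reproduces the text's numbers: MachOView result 0 (identifier found),
    Hopper result 1, weights 0.5/0.5.  The anti-reverse level 'high' and the
    first evaluation result 'high' are assumed inputs for illustration."""
    results = [judgment_result(True), judgment_result(False)]
    score = data_protection_score(results, [0.5, 0.5])
    dp_level = data_protection_level(score)
    second = combine_levels(HIGH, dp_level)   # mode one combined with mode two
    final = combine_levels(HIGH, second)      # step S270
    return {"score": score, "data_protection_level": dp_level,
            "second_evaluation_result": second, "security_level": final}


if __name__ == "__main__":
    print(worked_example())
```

Because medium-high is neither high nor low, a data protection score of 0.5 pulls the second evaluation result, and with it the final security level, down to medium even when every other level is high.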
This embodiment makes combined use of the first evaluation result, which reflects the static test result of the target application, and the second evaluation result, which reflects its dynamic test result, to evaluate the security of the application comprehensively, avoiding the drawbacks of a single-dimension evaluation and making the evaluation result more accurate. The static test mainly evaluates the application installation file of the target application: it uses the type keywords commonly used when implementing particular functions during iOS application development, fuzzily matches the type keywords corresponding to each detection type against the application symbol table and, taking into account the weights of each detection type and each type keyword, quantitatively evaluates the security of the target application, giving a comprehensive and intuitive static detection of the target application. There are 10 detection types, namely: anti-leakage type, sensitive word type, code obfuscation type, jailbreak detection type, proxy detection type, packaging protection type, string protection type, URL matching type, anti-debugging type, and/or anti-hook type.
The dynamic test evaluates the security of the target application from the perspectives of anti-reverse security, data protection security and runtime environment security during its dynamic execution. The anti-reverse function test within the dynamic test evaluates the anti-reverse function of the target application comprehensively from three aspects, anti-debugging, anti-hooking and anti-injection, matches the test response result against at least two expected response results and determines the anti-reverse function level of the target application from the match; the data protection security test compares the target code with the preset obfuscation identifier and determines from the comparison whether the program code and program strings of the target application are obfuscated, thereby detecting the degree of data security protection of the target application; the runtime environment security test obtains the program startup page of the target application in the application runtime environment and compares it with the preset environment startup page to judge whether the target application starts normally in that runtime environment, thereby implementing security detection of the target application's runtime environment.
By combining static and dynamic testing, the target application is tested comprehensively in both the static and the dynamic dimension, fully considering the static code of the target application and the anti-reverse, data protection and runtime environment security during its dynamic execution; defects in the target application can be found early, helping developers make targeted modifications before the target application is released to market.
Embodiment 3
Fig. 3 shows the structure of an iOS application security detection device according to Embodiment 3. The device includes:
a first evaluation result determination module 31, which obtains the application symbol table corresponding to the target application, matches the obtained type keywords corresponding to the preset detection types against the application symbol table, and determines the first evaluation result corresponding to the target application according to the number and/or character weights of the successfully matched target keywords;
a second evaluation result determination module 32, which sends a dynamic test instruction corresponding to a preset function to the target application and determines the second evaluation result corresponding to the target application according to the test response result returned by the target application for the dynamic test instruction and at least two preconfigured expected response results corresponding to the dynamic test instruction;
a target application security judgment module 33, which judges whether the target application is safe according to the first evaluation result and the second evaluation result.
Optionally, when the first evaluation result determination module 31 is adapted to:
set a corresponding type set for each detection type and store each extracted target keyword in the type set corresponding to that target keyword's detection type;
then determining the first evaluation result corresponding to the target application according to the number and/or character weights of the successfully matched target keywords includes:
for each type set, determining the type evaluation score corresponding to that type set according to the number of target keywords it contains and/or the character weights of those target keywords;
determining the first evaluation result corresponding to the target application according to the type evaluation score of each type set and the type weight of each type set.
Optionally, the first evaluation result determination module 31 is adapted to:
for a type keyword to be matched, determine the type detection area matching the detection type corresponding to that type keyword;
extract the target area corresponding to the type detection area from the application symbol table and match the obtained type keyword against that target area.
Optionally, the first evaluation result determination module 31 is adapted to:
obtain the application file of the target application;
decompile the application file to obtain the application symbol table corresponding to the target application;
where the application symbol table further includes a static symbol table, a dynamic symbol table and/or a string table.
Optionally, the second evaluation result determination module 32 is adapted to:
send an anti-reverse test instruction corresponding to a preset anti-reverse function to the target application.
Optionally, the second evaluation result determination module 32 is adapted to:
send each anti-reverse test instruction stored in a preset reverse test instruction table to the target application, according to the anti-reverse functions stored in that table, the kind of each anti-reverse test instruction corresponding to each anti-reverse function and/or the priority information between the anti-reverse test instructions.
Optionally, the second evaluation result determination module 32 is adapted to:
decompile the obtained binary file of the target application and obtain the decompiled code corresponding to the target application;
提取反向编译代码中包含的与预设目标区域相对应的目标代码,Extract the target code corresponding to the preset target area contained in the decompiled code,
判断目标代码中是否包含与预设的混淆标识符相匹配的内容,结合判断结果确定与目标应用相对应的第二评价结果。It is determined whether the target code contains content that matches the preset obfuscated identifier, and the second evaluation result corresponding to the target application is determined in combination with the determination result.
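As an added example (not code from the patent or its applicant), the following Python carries out the obfuscation check just described on class-dump style Objective-C metadata: it takes the app's own classes as the target region (framework classes with NS/UI prefixes are excluded, since an obfuscator does not rename them), extracts class names and selector parts, and flags identifiers that match a preset obfuscation pattern or a camelCase heuristic. The dump, the prefix list, the pattern and the threshold are constructed assumptions, not signatures of any real obfuscator. Note that App Store binaries are FairPlay-encrypted, so a dump like this has to be taken from a decrypted copy of the binary.

```python
"""Second evaluation result: obfuscation identifiers in decompiled code (added example)."""
import re

# Constructed class-dump style output for an app binary (not from a real app).
CLASS_DUMP_OUTPUT = """\
@interface SecurityManager : NSObject
- (BOOL)isJailbroken;
- (void)checkCydia;
@end

@interface a1Zk9Qx : NSObject
- (id)b7Tg2Lm:(id)arg1;
- (void)c3Hn8Wq;
@end

@interface AppDelegate : UIResponder <UIApplicationDelegate>
- (BOOL)application:(id)arg1 didFinishLaunchingWithOptions:(id)arg2;
@end
"""

# Target region: the app's own classes. Hypothetical prefix list for framework classes.
SYSTEM_PREFIXES = ("NS", "UI")

# Preset obfuscation identifiers: short letter groups interleaved with digits, the
# shape renaming obfuscators commonly produce. Hypothetical, not a product signature.
OBFUSCATION_PATTERNS = [re.compile(r"^(?:[A-Za-z]{1,2}\d)+[A-Za-z]{1,2}$")]

OBFUSCATION_THRESHOLD = 0.25   # hypothetical share of renamed identifiers


def extract_identifiers(dump: str) -> list:
    """Return class names and selector parts of classes inside the target region."""
    identifiers, in_target = [], False
    for raw in dump.splitlines():
        line = raw.strip()
        m = re.match(r"@interface\s+(\w+)", line)
        if m:
            in_target = not m.group(1).startswith(SYSTEM_PREFIXES)
            if in_target:
                identifiers.append(m.group(1))
            continue
        if line.startswith("@end"):
            in_target = False
        elif in_target and line[:1] in ("-", "+"):
            body = re.sub(r"^[-+]\s*\([^)]*\)", "", line)     # drop the return type
            body = re.sub(r":\([^)]*\)\s*\w+", ":", body)     # drop typed arguments
            identifiers.extend(re.findall(r"(\w+)(?=[:;])", body))
    return identifiers


def looks_obfuscated(name: str) -> bool:
    if any(p.match(name) for p in OBFUSCATION_PATTERNS):
        return True
    # Fallback heuristic: split camelCase into word tokens. Three or more tokens
    # that are all one or two letters long is not how developers name things;
    # the minimum of three keeps short real names such as 'setUp' unflagged.
    tokens = re.findall(r"[A-Z]+[a-z]*|[a-z]+", name)
    return len(tokens) >= 3 and all(len(t) <= 2 for t in tokens)


def second_evaluation_result(dump: str) -> dict:
    """Share of obfuscated identifiers in the target region and the resulting verdict."""
    identifiers = extract_identifiers(dump)
    flagged = [i for i in identifiers if looks_obfuscated(i)]
    ratio = len(flagged) / len(identifiers) if identifiers else 0.0
    return {
        "identifiers": identifiers,
        "obfuscated": flagged,
        "ratio": ratio,
        "protected": ratio >= OBFUSCATION_THRESHOLD,
    }


if __name__ == "__main__":
    r = second_evaluation_result(CLASS_DUMP_OUTPUT)
    print(f"{len(r['obfuscated'])}/{len(r['identifiers'])} identifiers obfuscated: {r['obfuscated']}")
    print("obfuscation protection present" if r["protected"] else "no obfuscation detected")
```

Restricting the check to the target region matters for the verdict: counting framework selectors as well would dilute the ratio and make a partially obfuscated app look unprotected.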
Optionally, the second evaluation result determining module 32 is adapted to:
when a start instruction corresponding to the target application is detected, determine from the start instruction the application runtime environment corresponding to the target application;
obtain the program start page displayed after the target application starts in that application runtime environment;
look up the preset environment start page associated with the application runtime environment corresponding to the target application;
determine whether the program start page matches the environment start page, and determine the second evaluation result corresponding to the target application from the determination result.
According to a further aspect of the present invention, a security detection system for iOS applications is provided, comprising the security detection device described above.
An embodiment of the present application provides a non-volatile computer storage medium storing at least one executable instruction, which can execute the security detection method for iOS applications of any of the method embodiments above.
FIG. 4 shows a schematic structural diagram of an electronic device according to an embodiment of the present invention; the specific embodiments of the present invention do not limit the specific implementation of the electronic device.
As shown in FIG. 4, the electronic device may include a processor 402, a communications interface 404, a memory 406 and a communication bus 408,
where:
the processor 402, the communications interface 404 and the memory 406 communicate with one another through the communication bus 408;
the communications interface 404 is used to communicate with network elements of other devices, such as clients or other servers;
the processor 402 is used to execute a program 410, and in particular may perform the relevant steps of the embodiments of the security detection method for iOS applications described above.
Specifically, the program 410 may include program code, and the program code includes computer operating instructions.
The processor 402 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention. The one or more processors included in the electronic device may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs together with one or more ASICs.
The memory 406 is used to store the program 410. The memory 406 may include high-speed RAM, and may also include non-volatile memory, such as at least one disk memory.
The program 410 may specifically be used to cause the processor 402 to perform the operations of the method embodiments above.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teachings herein. From the above description, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and the above description of a specific language is given to disclose the best mode of the invention.
In the specification provided herein, numerous specific details are set forth. It will be understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this specification.
Similarly, it should be understood that in the above description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from those of that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments herein include certain features that are included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the device according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the methods described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may devise alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any ordering; these words may be interpreted as names.

Claims (19)

  1. A security detection method for iOS applications, comprising:
    obtaining an application symbol table corresponding to a target application, matching obtained type keywords corresponding to a preset detection type against the application symbol table, and determining a first evaluation result corresponding to the target application according to the number and/or character weights of the target keywords that were successfully matched;
    sending to the target application a dynamic test instruction corresponding to a preset function, and determining a second evaluation result corresponding to the target application according to the test response result that the target application returns for the dynamic test instruction and at least two pre-configured expected response results corresponding to the dynamic test instruction;
    determining, according to the first evaluation result and the second evaluation result, whether the target application is secure.
  2. The method according to claim 1, wherein, when there are a plurality of preset detection types, matching the obtained type keywords corresponding to the preset detection types against the application symbol table specifically comprises:
    setting a corresponding type set for each detection type, and storing each extracted target keyword in the type set corresponding to the detection type of that target keyword;
    and determining the first evaluation result corresponding to the target application according to the number and/or character weights of the successfully matched target keywords comprises:
    for each type set, determining a type evaluation score corresponding to that type set according to the number of target keywords contained in it and/or the character weights of those target keywords;
    determining the first evaluation result corresponding to the target application according to the type evaluation score and the type weight corresponding to each type set.
  3. The method according to claim 1, wherein matching the obtained type keywords corresponding to the preset detection type against the application symbol table comprises:
    for a type keyword to be matched, determining the type detection region that corresponds to the detection type of that type keyword;
    extracting from the application symbol table the target region corresponding to the type detection region, and matching the obtained type keyword against the target region.
  4. The method according to claim 1, wherein obtaining the application symbol table corresponding to the target application comprises:
    obtaining the application program file of the target application;
    decompiling the application program file to obtain the application symbol table corresponding to the target application;
    wherein the application symbol table further comprises a static symbol table, a dynamic symbol table and/or a string table.
  5. The method according to claim 1, wherein the preset function comprises an anti-reversing function and the dynamic test instruction comprises an anti-reversing test instruction, and sending to the target application a dynamic test instruction corresponding to a preset function comprises:
    sending to the target application an anti-reversing test instruction corresponding to the preset anti-reversing function.
  6. The method according to claim 5, wherein sending to the target application an anti-reversing test instruction corresponding to the preset anti-reversing function comprises:
    sending to the target application each anti-reversing test instruction stored in a preset reverse test instruction table, according to the anti-reversing functions stored in the table, the kind of each anti-reversing test instruction corresponding to each anti-reversing function, and/or priority information among the anti-reversing test instructions.
  7. The method according to claim 1, wherein determining the second evaluation result corresponding to the target application specifically comprises:
    decompiling the obtained binary file of the target application to obtain the decompiled code corresponding to the target application;
    extracting the target code contained in the decompiled code that corresponds to a preset target region;
    determining whether the target code contains content matching a preset obfuscation identifier, and determining the second evaluation result corresponding to the target application from the determination result.
  8. The method according to claim 1, wherein determining the second evaluation result corresponding to the target application specifically comprises:
    when a start instruction corresponding to the target application is detected, determining from the start instruction the application runtime environment corresponding to the target application;
    obtaining the program start page displayed after the target application starts in the application runtime environment;
    looking up the preset environment start page associated with the application runtime environment corresponding to the target application;
    determining whether the program start page matches the environment start page, and determining the second evaluation result corresponding to the target application from the determination result.
  9. A security detection device for iOS applications, comprising:
    a first evaluation result determining module, which obtains an application symbol table corresponding to a target application, matches obtained type keywords corresponding to a preset detection type against the application symbol table, and determines a first evaluation result corresponding to the target application according to the number and/or character weights of the successfully matched target keywords;
    a second evaluation result determining module, which sends to the target application a dynamic test instruction corresponding to a preset function, and determines a second evaluation result corresponding to the target application according to the test response result that the target application returns for the dynamic test instruction and at least two pre-configured expected response results corresponding to the dynamic test instruction;
    a target application security judgment module, which determines, according to the first evaluation result and the second evaluation result, whether the target application is secure.
  10. The device according to claim 9, wherein the first evaluation result determining module is adapted to:
    set a corresponding type set for each detection type, and store each extracted target keyword in the type set corresponding to the detection type of that target keyword;
    and to determine the first evaluation result corresponding to the target application according to the number and/or character weights of the successfully matched target keywords by:
    for each type set, determining a type evaluation score corresponding to that type set according to the number of target keywords contained in it and/or the character weights of those target keywords;
    determining the first evaluation result corresponding to the target application according to the type evaluation score and the type weight corresponding to each type set.
  11. The device according to claim 9, wherein the first evaluation result determining module is adapted to:
    for a type keyword to be matched, determine the type detection region that corresponds to the detection type of that type keyword;
    extract from the application symbol table the target region corresponding to the type detection region, and match the obtained type keyword against the target region.
  12. The device according to claim 9, wherein the first evaluation result determining module is adapted to:
    obtain the application program file of the target application;
    decompile the application program file to obtain the application symbol table corresponding to the target application;
    wherein the application symbol table further comprises a static symbol table, a dynamic symbol table and/or a string table.
  13. The device according to claim 9, wherein the second evaluation result determining module is adapted to:
    send to the target application an anti-reversing test instruction corresponding to a preset anti-reversing function.
  14. The device according to claim 13, wherein the second evaluation result determining module is adapted to:
    send to the target application each anti-reversing test instruction stored in a preset reverse test instruction table, according to the anti-reversing functions stored in the table, the kind of each anti-reversing test instruction corresponding to each anti-reversing function, and/or priority information among the anti-reversing test instructions.
  15. The device according to claim 9, wherein the second evaluation result determining module is adapted to:
    decompile the obtained binary file of the target application to obtain the decompiled code corresponding to the target application;
    extract the target code contained in the decompiled code that corresponds to a preset target region;
    determine whether the target code contains content matching a preset obfuscation identifier, and determine the second evaluation result corresponding to the target application from the determination result.
  16. The device according to claim 9, wherein the second evaluation result determining module is adapted to:
    when a start instruction corresponding to the target application is detected, determine from the start instruction the application runtime environment corresponding to the target application;
    obtain the program start page displayed after the target application starts in the application runtime environment;
    look up the preset environment start page associated with the application runtime environment corresponding to the target application;
    determine whether the program start page matches the environment start page, and determine the second evaluation result corresponding to the target application from the determination result.
  17. A security detection system for iOS applications, characterised in that it comprises the security detection device according to any one of claims 9 to 16.
  18. An electronic device, comprising a processor, a memory, a communications interface and a communication bus, the processor, the memory and the communications interface communicating with one another through the communication bus;
    the memory being used to store at least one executable instruction, which causes the processor to perform the operations corresponding to the security detection method for iOS applications according to any one of claims 1 to 8.
  19. A computer storage medium storing at least one executable instruction, which causes a processor to perform the operations corresponding to the security detection method for iOS applications according to any one of claims 1 to 8.
PCT/CN2019/123870, priority date 2019-03-28, filing date 2019-12-09: Security detection method, device and system based on iOS application, WO2020192179A1 (en)

Applications Claiming Priority (2)

Application Number    Priority Date    Filing Date    Title
CN201910245705.2      2019-03-28
CN201910245705.2A     2019-03-28       2019-03-28     Security detection method, device and system based on iOS application (CN110110521A)

Publications (1)

Publication Number    Publication Date
WO2020192179A1        2020-10-01

Family

ID=67484812

Family Applications (1)

Application Number    Title                                                                   Priority Date    Filing Date
PCT/CN2019/123870     Security detection method, device and system based on iOS application (WO2020192179A1)    2019-03-28    2019-12-09

Country Status (2)

Country    Link
CN         CN110110521A (en)
WO         WO2020192179A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110110521A (en) * 2019-03-28 2019-08-09 江苏通付盾信息安全技术有限公司 Security detection method, device and system based on iOS application
CN110764773A (en) * 2019-09-03 2020-02-07 北京字节跳动网络技术有限公司 APP generation method, device, medium and electronic equipment
CN114328203A (en) * 2021-12-22 2022-04-12 支付宝(杭州)信息技术有限公司 Applet detection method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104200155A (en) * 2014-08-12 2014-12-10 中国科学院信息工程研究所 Monitoring device and method for protecting user privacy based on iPhone operating system (iOS)
CN105653947A (en) * 2014-11-11 2016-06-08 中国移动通信集团公司 Method and device for assessing application data security risk
CN107122666A (en) * 2016-12-05 2017-09-01 招商银行股份有限公司 The methods of risk assessment and device of financial application
CN110110521A (en) * 2019-03-28 2019-08-09 江苏通付盾信息安全技术有限公司 Security detection method, device and system based on iOS application

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104715200A (en) * 2012-05-04 2015-06-17 北京奇虎科技有限公司 Method and device for identifying viral APK (Android application package file)
US9519774B2 (en) * 2014-01-20 2016-12-13 Prevoty, Inc. Systems and methods for SQL query constraint solving
CN104933362B (en) * 2015-06-15 2017-10-20 福州大学 Automated detection method for API-misuse vulnerabilities in Android application software
CN107798242A (en) * 2017-11-13 2018-03-13 南京大学 Automatic detection system for malicious Android applications combining static and dynamic analysis


Also Published As

Publication number Publication date
CN110110521A (en) 2019-08-09

Legal Events

Date    Code    Title                                                                              Description
        121     Ep: the epo has been informed by wipo that ep was designated in this application    Ref document number: 19921515; Country of ref document: EP; Kind code of ref document: A1
        NENP    Non-entry into the national phase                                                  Ref country code: DE
        122     Ep: pct application non-entry in european phase                                    Ref document number: 19921515; Country of ref document: EP; Kind code of ref document: A1