WO2021243555A1 - Quick application test method and apparatus, device, and storage medium - Google Patents


Publication number
WO2021243555A1
Authority
WO
WIPO (PCT)
Prior art keywords
detection
application
fast application
fast
detected
Application number
PCT/CN2020/093913
Other languages
French (fr)
Chinese (zh)
Inventor
汪泽宇
Original Assignee
深圳市欢太科技有限公司
Oppo广东移动通信有限公司
Application filed by 深圳市欢太科技有限公司, Oppo广东移动通信有限公司
Priority to PCT/CN2020/093913 (WO2021243555A1)
Priority to CN202080100497.8A (CN115552401A)
Publication of WO2021243555A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Definitions

  • This application relates to the field of computer technology, and in particular to a fast application detection method, device, equipment and storage medium.
  • A quick app is a new type of Android application form jointly formulated by the nine major mobile phone manufacturers. Users do not need to install it; they just click and use it. A quick application is divided into two parts: the quick application rpk and the quick application platform, where rpk is a file format of the quick application installation package.
  • embodiments of the present application provide a fast application detection method, device, equipment, and storage medium.
  • an embodiment of the present application provides a fast application detection method, wherein the method includes:
  • an embodiment of the present application provides a fast application detection device, wherein the device includes:
  • An obtaining part configured to obtain an installation package of at least one quick application to be detected; and obtain a detection rule configured for the at least one quick application in advance;
  • the detection part is configured to perform security detection on the at least one fast application to obtain a detection result based on the detection rule; wherein the detection of the fast application includes static detection and/or dynamic detection.
  • the embodiments of the present application provide a quick application detection method, device, equipment, and storage medium.
  • the method includes: obtaining an installation package of at least one quick application to be detected; obtaining a detection rule configured for the at least one quick application in advance; and, based on the detection rule, performing security detection on the at least one quick application to obtain a detection result; wherein the detection of the quick application includes static detection and/or dynamic detection.
  • detection rules including static detection rules and/or dynamic detection rules
  • automatic batch detection of fast applications is realized according to the detection rules, so that fast applications with security vulnerabilities can be quickly located, and the security detection efficiency of fast applications can be improved.
  • FIG. 1 is a schematic flowchart of a fast application detection method in an embodiment of the present application
  • FIG. 2 is a schematic diagram of the first process of the fast application static detection method in an embodiment of this application
  • FIG. 3 is a schematic diagram of the composition framework of the static detection principle in an embodiment of the application.
  • FIG. 4 is a schematic diagram of the second process of the fast application static detection method in an embodiment of the application.
  • FIG. 5 is a schematic flowchart of a fast application dynamic detection method in an embodiment of this application.
  • FIG. 6 is a schematic diagram of the composition structure of a fast application detection device in an embodiment of the application.
  • FIG. 7 is a schematic diagram of the composition structure of a fast application detection device in an embodiment of the application.
  • FIG. 8 is a schematic block diagram of a chip provided by an embodiment of the present application.
  • the fast application detection method specifically includes:
  • Step 101 Obtain an installation package of at least one quick application to be detected
  • A quick application is a new application ecosystem jointly launched by multiple mobile terminal manufacturers based on the hardware platform. Users do not need to download or install anything; they click and use it, and enjoy the performance experience of native applications.
  • For ordinary applications (Application, APP), users first need to know what an APP does. For example, gourmet apps such as APP1 and APP2 can find food; users then need to download and install these apps from the application market, open them, and search for "pizza". With a "Quick App", after you get a new phone, you do not need to know which app can help you find food, and you do not need to download that app. You only need to pull down on the desktop to open the search box and enter "Pizza", and the corresponding services can be easily obtained.
  • A quick app must be security-tested before it is put on the app store, for example to check whether it can resist malicious network attacks, or whether it is compliant with user privacy management. Therefore, a background detection device is established based on the quick application detection method of the present application; the background detection device obtains the installation package of at least one quick application to be detected and performs batch detection on the quick applications.
  • The installation package of a quick app can be an rpk package; rpk is a file format of the quick app installation package.
  • the quick application can run on a mobile terminal, and the mobile terminal can be a terminal with networking functions.
  • The terminals described in this application can include mobile phones, tablet computers, notebook computers, handheld computers, personal digital assistants (PDA), portable media players (PMP), navigation devices, wearable devices, smart bracelets, cameras, etc.
  • Step 102 Obtain a detection rule configured for the at least one fast application in advance
  • the fast application detection includes static detection and/or dynamic detection.
  • the detection rules also include: a first detection rule for static detection and/or a second detection rule for dynamic detection.
  • static detection refers to analysis without executing binary programs, such as disassembly analysis, source code analysis, binary statistical analysis, decompilation, etc., which belong to reverse engineering analysis methods.
  • the first detection rule may be determined based on the known security vulnerabilities of the existing quick application or other common applications. For example, perform source code analysis on fast apps or other common apps with security vulnerabilities, determine the key source code that causes security problems and the types of security vulnerabilities, use this part of the source code as the identification information of this type of security vulnerabilities, and establish the first detection rule.
  • dynamic detection is to simulate the running process of a fast application, by detecting the interactive content between the terminal and the network side or other terminals when the fast application is running, to obtain known dynamic behavior characteristics that cause security problems. That is, the second detection rule may be to determine the known dynamic operating characteristics based on the dynamic operating behavior of the existing fast application or other ordinary applications that cause safety issues during the running process, and use the known dynamic operating characteristics to establish the second detection rule.
  • Step 103 Based on the detection rule, perform security detection on the at least one fast application to obtain a detection result; wherein the detection of the fast application includes static detection and/or dynamic detection.
  • The detection rules are preset by the detection personnel based on existing security issues, privacy non-compliance issues, etc. After the detection device obtains the installation package of the quick app and the detection rules, it can select the corresponding detection rules according to the installation package or the detection type, and use them to detect the quick application installation package.
  • the detection rule when performing static detection on the fast application, includes a first detection rule for static detection;
  • the performing security detection on the at least one quick application based on the detection rule to obtain a detection result includes: parsing the installation package of the at least one quick application, and extracting the file to be detected of the at least one quick application; based on the first detection rule, performing static detection on the files to be detected of the at least one quick application at the same time to obtain a static detection result; and, based on the static detection result of the at least one quick application, determining whether the at least one quick application has a security vulnerability.
  • static detection is to determine whether there is a source code matching the first detection rule in the source code by statically scanning the source code, and if it exists, it is determined that the fast application has a security vulnerability.
  • the detection rule when performing dynamic detection on the fast application, includes a second detection rule for dynamic detection;
  • the performing security detection on the at least one fast application to obtain a detection result based on the detection rule includes:
  • the installation package of the at least one quick application is dynamically run in the virtual machine, the network request information of the quick application is monitored, and the dynamic behavior characteristics of the at least one quick application are obtained; based on the second detection rule, the dynamic behavior characteristics of the at least one quick application are detected to obtain a dynamic detection result; based on the dynamic detection result of the at least one quick application, it is determined whether the at least one quick application has a security vulnerability.
  • dynamic detection is to simulate the running process of the fast application, by detecting the interactive content between the terminal and the network side or other terminals when the fast application is running, to obtain the dynamic behavior characteristics of the fast application. It is determined whether there is a dynamic behavior feature that matches the second detection rule in the dynamic behavior feature, and if it exists, it is determined that the fast application has a security vulnerability.
  • the method further includes: updating the detection rule according to a preset update strategy; wherein the update strategy includes at least one of the following: delete, add, and replace.
  • the embodiments of the present application also include updating detection rules to adapt to the current security threat environment. Specifically, delete old detection rules, add new detection rules, and replace old detection rules.
  • Steps 101 to 103 may be performed by the processor of the quick application detection device.
  • automated batch detection of fast applications can be realized, including batch static detection and batch dynamic detection, saving a lot of manual operations, thereby quickly locating fast applications with security vulnerabilities, and improving the efficiency of security detection of fast applications.
  • FIG. 2 is a schematic diagram of the first process of the fast application static detection method in an embodiment of the application.
  • the static detection method specifically includes:
  • Step 201 Obtain an installation package of at least one quick application to be detected
  • A quick app must be security-tested before it is put on the app store, for example to check whether it can resist malicious network attacks, or whether it is compliant with user privacy management. Therefore, a background detection device is established based on the quick application detection method of the present application, and the background detection device obtains an installation package of at least one quick application to be detected.
  • The installation package of a quick app can be an rpk package; rpk is a file format of the quick app installation package.
  • Step 202 Obtain a first detection rule configured for the at least one fast application in advance
  • static detection refers to analysis without executing binary programs, such as disassembly analysis, source code analysis, binary statistical analysis, decompilation, etc., which belong to reverse engineering analysis methods.
  • the first detection rule may be determined based on the known security vulnerabilities of the existing quick application or other common applications. For example, perform source code analysis on fast apps or other common apps with security vulnerabilities, determine the key source code that causes security problems and the types of security vulnerabilities, use this part of the source code as the identification information of this type of security vulnerabilities, and establish the first detection rule.
  • the first detection rule includes identification information of at least one security vulnerability, and the identification information is used to indicate static behavior characteristics of the security vulnerability.
  • The identification information includes a single keyword or a logical combination of multiple keywords with a context relationship. If the identification information is a single keyword, the security vulnerability can be represented by one keyword. If the identification information is a logical combination of multiple keywords, a certain context relationship must exist between multiple lines of code in the source code of the security vulnerability, and whether the quick application contains the security vulnerability can be determined according to that context relationship.
  • the identification information of the first type of security vulnerability includes keyword 1
  • the identification information of the second type of security vulnerability includes keyword combination 1, which includes keyword 2, keyword 3, and keyword 4, and the logical relationship between the keywords.
  • Step 203 parse the installation package of the at least one quick application, and extract the file to be detected of the at least one quick application;
  • the installation package of the at least one quick application is parsed, and all files of each quick application and the index identification of the file to be detected are extracted; based on the index identification of the file to be detected, the file to be detected is determined from all the files of each quick application.
  • the installation package contains the first-type code files that implement the quick application function and the second-type code files inherent in the quick application framework.
  • security vulnerabilities will only appear in the first type of code files, and no security vulnerabilities will appear when running the second type of code files. Therefore, we only need to perform a static scan on the first type of code file, so it is necessary to use the index mark of the first type of code file (that is, the file to be detected) to index to the first type of code file.
  • Extract the JS files and the manifest.xml file from the rpk package, determine the name of the target JS file to be scanned by parsing the routing configuration (i.e. the index information) in manifest.xml, and then load the rule configuration file and parse the first detection rule.
  • Step 204 Based on the first detection rule, perform static detection on the file to be detected of the at least one fast application at the same time to obtain a static detection result;
  • the first detection rule includes identification information of at least one security vulnerability
  • performing static detection on the files to be detected of the at least one quick application at the same time to obtain a static detection result includes: matching the file to be detected against the identification information corresponding to the target security vulnerability, wherein the target security vulnerability is any one of the security vulnerabilities in the first detection rule; if it matches, determining that the target security vulnerability exists in the file to be detected, and obtaining the matching code line number in the file to be detected; if it does not match, determining that the target security vulnerability does not exist in the file to be detected.
  • the background service device delivers the rpk package to the detection engine for detection, and the detection engine is used to detect the rpk package to generate a static detection report.
  • the detection engine loads the rule configuration file and parses the first detection rule, and matches the identification information of the different security vulnerabilities in the first detection rule with the file to be detected to obtain the matching result; when identification information matches, the detection engine records the matching identification information number and the JS code line number. After all JS files are scanned, the detection engine outputs the scanning results according to the recorded identification information numbers and JS code line numbers.
  • the identification information number is used to locate the type of security vulnerability
  • the JS code line number is used to locate the code in the rpk package that introduces the security vulnerability. This not only enables the inspector to quickly determine the type of security vulnerability in the quick application, but also to quickly locate the specific code position, which facilitates the later upgrade and rectification of quick applications, improves their development efficiency, and shortens the listing cycle.
  • FIG. 3 is a schematic diagram of the composition framework of the static detection principle in the embodiment of the application.
  • the background detection device obtains the rpk package of the quick app provided by the quick app developer, and the background service device sends the rpk package to the detection engine for detection.
  • the detection engine parses the rpk package and extracts the key JS files in the rpk package; reads the detection rules in the configuration file that has been configured in advance, and parses the detection rules.
  • the extracted fast application JS files are statically scanned, and a detection report is generated.
  • the background detection device pulls up multiple detection engines to perform parallel static scanning of the JS code files of multiple fast applications, generate detection reports, and realize batch static scanning of fast applications.
  • the code line number is the line number of a line of code; if the identification information is a logical combination of multiple keywords, the code line number may be the line number of multiple lines of code.
  • Step 205 Based on the static detection result of the at least one fast application, determine whether the at least one fast application has a security vulnerability.
  • the target quick application that has a security vulnerability is determined from the at least one quick application, and the code positions corresponding to the different security vulnerabilities in the target quick application are determined.
  • the method further includes: updating the first detection rule according to a preset update strategy; wherein, the update strategy includes at least one of the following: delete, add, and replace.
  • the embodiments of the present application also include updating detection rules to adapt to the current security threat environment. Specifically, delete old detection rules, add new detection rules, and replace old detection rules.
  • FIG. 4 is a schematic diagram of the second process of the quick application static detection method in an embodiment of this application. As shown in FIG. 4, the static detection method specifically includes:
  • Step 401 Start;
  • Step 402 Parse the rules
  • the detection engine loads the rule configuration file and parses the first detection rule.
  • Step 403 Parse the rpk package:
  • Step 404 Read the manifest.xml file
  • In Android development, the manifest is the AndroidManifest.xml file. Every Android application must have an AndroidManifest.xml file in the app/manifests directory. It presents important information about the application to the Android system, information the system must have before it can run any of the application's code.
  • the manifest.xml file is used as the index information of the target JS file to be detected, and the name of the target JS file to be scanned is determined by parsing the routing configuration (ie index information) in the manifest.xml.
  • Step 405 Extract the target JS file
  • Step 406 Scan the target JS file according to the analysis result of the first rule
  • Step 407 Judge whether the end has been reached; if yes, go to step 410; if not, go to step 408;
  • Step 408 Judge whether it matches, if yes, go to step 409; if not, go to step 406;
  • the detection engine matches the identification information of the different security vulnerabilities in the first detection rule with the file to be detected to obtain a matching result; when identification information matches, the detection engine records the matching identification information number and the JS code line number. After scanning all JS files, the detection engine outputs the scanning results according to the recorded identification information numbers and JS code line numbers.
  • Step 409 Record the matching result
  • the matching result includes: identification information number and JS code line number.
  • Step 410 Generate a test report
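The static flow of steps 401 to 410, sketched as an added Python example (not code from the patent): it reads the manifest as the index, scans only the routed JS files, and records the rule number with the matching line numbers. Treating the rpk as a zip archive, the `<page component=...>` manifest layout, the two rules and the sample package are assumptions constructed for illustration; a keyword combination is modelled here as keywords that must appear in order within a window of lines.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass

MAX_JS_BYTES = 2 * 1024 * 1024  # refuse oversized members (decompression bombs)

@dataclass(frozen=True)
class Rule:
    rule_id: str      # "identification information number" in the report
    keywords: tuple   # one regex, or several that must occur in this order
    window: int = 0   # max line distance from the first keyword to the last

# Constructed first detection rules, for illustration only.
RULES = (
    Rule("R001", (r"\beval\s*\(",)),
    Rule("R002", (r"fetch\.fetch\s*\(", r"url:\s*['\"]http://"), window=3),
)

def match_rule(rule, lines):
    """Return one tuple of 1-based line numbers per match (one number per keyword)."""
    patterns = [re.compile(k) for k in rule.keywords]
    hits = []
    for start, line in enumerate(lines):
        if not patterns[0].search(line):
            continue
        found, pos = [start + 1], start
        limit = min(len(lines), start + rule.window + 1)
        for pat in patterns[1:]:
            nxt = next((i for i in range(pos, limit) if pat.search(lines[i])), None)
            if nxt is None:
                break
            found.append(nxt + 1)
            pos = nxt
        else:  # every keyword was found inside the window
            hits.append(tuple(found))
    return hits

def target_js_files(manifest_xml):
    """Resolve routed pages to JS file names (hypothetical manifest layout)."""
    if b"<!DOCTYPE" in manifest_xml:  # untrusted input: no DTDs or entities
        raise ValueError("DOCTYPE not allowed in manifest")
    root = ET.fromstring(manifest_xml)
    return [p.get("component") + ".js" for p in root.iter("page") if p.get("component")]

def scan_rpk(rpk_bytes, rules=RULES):
    """Scan only the JS files the manifest routes to; return the match records."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(rpk_bytes)) as rpk:
        members = set(rpk.namelist())
        for name in target_js_files(rpk.read("manifest.xml")):
            if name not in members:
                continue
            if rpk.getinfo(name).file_size > MAX_JS_BYTES:
                raise ValueError(f"{name} exceeds scan size limit")
            # Read in memory; never extract an untrusted archive to disk.
            lines = rpk.read(name).decode("utf-8", "replace").splitlines()
            for rule in rules:
                for line_nos in match_rule(rule, lines):
                    findings.append({"rule": rule.rule_id, "file": name, "lines": line_nos})
    return findings

def scan_batch(packages):
    """Scan several packages (name -> bytes) in parallel worker threads."""
    with ThreadPoolExecutor() as pool:
        return dict(zip(packages, pool.map(scan_rpk, packages.values())))

# Constructed sample page script (its line numbers appear in the report).
SAMPLE_JS = """\
import fetch from '@system.fetch'
export default {
  load(code) {
    eval(code)
    fetch.fetch({
      url: 'http://example.test/api'
    })
  }
}
"""

def build_sample_rpk():
    """Build a constructed rpk in memory: manifest, one routed page, one framework file."""
    manifest = ('<manifest><router>'
                '<page name="Home" component="pages/home/index"/>'
                '</router></manifest>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as rpk:
        rpk.writestr("manifest.xml", manifest)
        rpk.writestr("pages/home/index.js", SAMPLE_JS)
        rpk.writestr("framework/runtime.js", "eval('framework file, not routed')\n")
    return buf.getvalue()
```

The `eval` in `framework/runtime.js` is not reported because the manifest does not route to that file, which is the index-driven selection the static method describes.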
  • FIG. 5 is a schematic flow chart of a fast application dynamic detection method in an embodiment of the application. As shown in FIG. 5, the dynamic detection method specifically includes:
  • Step 501 Obtain an installation package of at least one quick application to be detected
  • A quick app must be security-tested before it is put on the app store, for example to check whether it can resist malicious network attacks, or whether it is compliant with user privacy management. Therefore, a background detection device is established based on the quick application detection method of the present application, and the background detection device obtains an installation package of at least one quick application to be detected.
  • The installation package of a quick app can be an rpk package; rpk is a file format of the quick app installation package.
  • Step 502 Obtain a second detection rule configured in advance for the at least one fast application
  • Dynamic detection is to simulate the running process of the fast application, by detecting the interactive content of the terminal and the network side or other terminals when the fast application is running, to obtain the dynamic behavior characteristics of the fast application. It is determined whether there is a dynamic behavior feature that matches the second detection rule in the dynamic behavior feature, and if it exists, it is determined that the fast application has a security vulnerability.
  • Step 503 Dynamically run the installation package of the at least one fast application in the virtual machine, monitor the network request information of the fast application, and obtain the dynamic behavior characteristics of the at least one fast application;
  • the dynamic behavior characteristics of fast apps specifically represent at least one of the following: scanning system status, obtaining system permissions, registry operations, self-deleting operations, encryption and decryption, process/thread behaviors, file operations, and network access behaviors.
  • Step 504 Based on the second detection rule, detect the dynamic behavior feature of the at least one fast application to obtain a dynamic detection result;
  • the second detection rule includes at least one dynamic behavior characteristic of security vulnerabilities
  • the performing security detection on the at least one fast application based on the detection rule to obtain a detection result includes: matching the dynamic behavior feature of the fast application with the dynamic behavior feature of the target security vulnerability, wherein the target security vulnerability is any security vulnerability in the second detection rule; if it matches, it is determined that the fast application has the target security vulnerability; if it does not match, it is determined that the fast application does not have the target security vulnerability.
  • the installation package code is dynamically executed in a virtual machine (Virtual Machine, VM), the state changes during the running process are monitored, and the operation of key events in the system is intercepted by using HOOK.
  • HOOK is an important carrier of Windows system message transmission.
  • the HOOK function provides an interface for message calling, intercepts the calling process between events, and forwards it to the corresponding API interface after processing. At this time, set user-defined HOOK in the operating system to monitor system behavior and realize dynamic monitoring.
  • the dynamic behavior characteristics of security vulnerabilities also specifically represent at least one of the following: scanning system status, obtaining system permissions, registry operations, self-deleting operations, encryption and decryption, process/thread behaviors, file operations, and network access behaviors.
  • Step 505 Based on the dynamic detection result of the at least one fast application, determine whether the at least one fast application has a security vulnerability.
  • the type and number of the security vulnerabilities of the target fast application are determined.
  • the method further includes: updating the second detection rule according to a preset update strategy; wherein, the update strategy includes at least one of the following: delete, add, and replace.
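Steps 504 and 505 together with the delete/add/replace update strategy, as an added Python example (not code from the patent): monitored behaviour events are matched against second detection rules, the types and counts of findings are reported per quick app, and a rule update changes the verdict. The event format, the rules and the traces are constructed assumptions; only the behaviour categories (network access, file operations, encryption and decryption) come from the text above.

```python
import re
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class BehaviourRule:
    rule_id: str
    vuln_type: str
    category: str   # behaviour category of the monitored event, e.g. "network"
    pattern: str    # regex applied to the event's detail string

# Constructed second detection rules, for illustration only.
RULES = (
    BehaviourRule("D001", "cleartext-transport", "network", r"^http://"),
    BehaviourRule("D002", "device-id-in-url", "network", r"[?&](imei|android_id)="),
    BehaviourRule("D003", "world-accessible-file", "file", r"\bmode=0?666\b"),
)

# Constructed monitor output: one event list per sandboxed quick app run.
TRACES = {
    "shop.rpk": [
        {"category": "network", "detail": "http://api.example.test/login?user=a&imei=000000000000000"},
        {"category": "network", "detail": "https://cdn.example.test/app.js"},
        {"category": "file", "detail": "open /data/cache/session mode=0666"},
    ],
    "notes.rpk": [
        {"category": "network", "detail": "https://sync.example.test/v1/notes"},
        {"category": "crypto", "detail": "DES/ECB encrypt 64 bytes"},
    ],
}

def detect(events, rules):
    """Return (rule_id, vuln_type, event_index) for every event that matches a rule."""
    return [(r.rule_id, r.vuln_type, idx)
            for idx, ev in enumerate(events)
            for r in rules
            if ev["category"] == r.category and re.search(r.pattern, ev["detail"])]

def detect_batch(traces, rules):
    """Per app: whether any rule matched, and the count of findings by type."""
    report = {}
    for app, events in traces.items():
        hits = detect(events, rules)
        report[app] = {"vulnerable": bool(hits),
                       "types": dict(Counter(vuln for _, vuln, _ in hits))}
    return report

def update_rules(rules, op, rule=None, rule_id=None):
    """Apply one update from the strategy: "delete", "add" or "replace"."""
    by_id = {r.rule_id: r for r in rules}
    if op == "delete":
        del by_id[rule_id]  # KeyError if the rule is unknown
    elif op == "add":
        if rule.rule_id in by_id:
            raise ValueError(f"{rule.rule_id} already exists; use replace")
        by_id[rule.rule_id] = rule
    elif op == "replace":
        if rule.rule_id not in by_id:
            raise KeyError(rule.rule_id)
        by_id[rule.rule_id] = rule
    else:
        raise ValueError(f"unknown update operation: {op}")
    return tuple(by_id.values())
```

With the initial rules `notes.rpk` passes; after a weak-cipher rule is added through `update_rules`, the same trace is flagged, which is why the rule set has to be re-run against earlier traces after an update.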
  • the embodiment of the present application also provides a fast application detection device. As shown in FIG. 6, the device includes:
  • the obtaining part 601 is configured to obtain an installation package of at least one quick application to be detected; and obtain a detection rule configured for the at least one quick application in advance;
  • the detection part 602 is configured to perform security detection on the at least one fast application to obtain a detection result based on the detection rule; wherein the detection of the fast application includes static detection and/or dynamic detection.
  • the detection rule when performing static detection on the fast application, includes a first detection rule for static detection;
  • the detection part 602 is specifically configured to parse the installation package of the at least one quick application, and extract the file to be detected of the at least one quick application; based on the first detection rule, perform static detection on the files to be detected of the at least one quick application at the same time to obtain a static detection result; and, based on the static detection result of the at least one quick application, determine whether the at least one quick application has a security vulnerability.
  • the detection part 602 is specifically configured to parse the installation package of the at least one quick application, and extract all files of each quick application and the index identification of the file to be detected; and, based on the index identification of the file to be detected, determine the file to be detected from all files of each quick application.
  • the first detection rule includes identification information of at least one security vulnerability
  • the detection part 602 is specifically configured to match the identification information corresponding to the target security vulnerability with the file to be detected, wherein the target security vulnerability is any security vulnerability in the first detection rule; if it matches, determine that the file to be detected has the target security vulnerability, and obtain the matching code line number in the file to be detected; if it does not match, determine that the file to be detected does not have the target security vulnerability.
  • the detection rule when performing dynamic detection on the fast application, includes a second detection rule for dynamic detection;
  • the detection part 602 is specifically configured to dynamically run the installation package of the at least one fast application in a virtual machine, monitor the network request information of the fast application, and obtain the dynamic behavior characteristics of the at least one fast application; based on the second detection rule, detect the dynamic behavior characteristics of the at least one fast application to obtain a dynamic detection result; and, based on the dynamic detection result of the at least one fast application, determine whether the at least one fast application has a security vulnerability.
  • the second detection rule includes at least one dynamic behavior characteristic of a security vulnerability
  • the detection part 602 is specifically configured to match the dynamic behavior characteristics of the fast application with the dynamic behavior characteristics of the target security vulnerability, wherein the target security vulnerability is any security vulnerability in the second detection rule; if it matches, it is determined that the fast application has the target security vulnerability; if it does not match, it is determined that the fast application does not have the target security vulnerability.
  • the device further includes: an update part configured to update the detection rule according to a preset update strategy; wherein the update strategy includes at least one of the following: delete, add, and replace.
  • automated batch detection of fast applications can be realized, including batch static detection and batch dynamic detection, saving a lot of manual operations, thereby quickly locating fast applications with security vulnerabilities, and improving the efficiency of security detection of fast applications.
  • an embodiment of the present application also provides a fast application detection device.
  • the device includes a processor 701 and a storage device configured to run on the processor.
  • the processor 701 is configured to execute the method steps in the foregoing embodiment when it is configured to run a computer program.
  • bus system 703 is used to implement connection and communication between these components.
  • the bus system 703 also includes a power bus, a control bus, and a status signal bus.
  • various buses are marked as the bus system 703 in FIG. 7.
  • An embodiment of the present application provides a computer storage medium, where the computer storage medium stores computer-executable instructions, and when the computer-executable instructions are executed, the method steps of the foregoing embodiment 1 or 2 are implemented.
  • the above-mentioned device in the embodiment of the present application is implemented in the form of a software function module and sold or used as an independent product, it may also be stored in a computer readable storage medium.
  • the computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or part of the methods described in the various embodiments of the present application.
  • the aforementioned storage media include: U disk, mobile hard disk, Read Only Memory (ROM, Read Only Memory), magnetic disk or optical disk and other media that can store program codes. In this way, the embodiments of the present application are not limited to any specific combination of hardware and software.
  • FIG. 8 is a schematic structural diagram of the chip of the embodiment of the present application.
  • the chip 800 shown in FIG. 8 includes a processor 810, and the processor 810 can call and run a computer program from the memory to implement the method in the embodiment of the present application.
  • the chip 800 may further include a memory 820.
  • the processor 810 may call and run a computer program from the memory 820 to implement the method in the embodiment of the present application.
  • the memory 820 may be a separate device independent of the processor 810, or may be integrated in the processor 810.
  • the chip 800 may further include an input interface 830.
  • the processor 810 can control the input interface 830 to communicate with other devices or chips, and specifically, can obtain information or data sent by other devices or chips.
  • the chip 800 may further include an output interface 840.
  • the processor 810 can control the output interface 840 to communicate with other devices or chips, and specifically, can output information or data to other devices or chips.
  • the chip can be applied to the fast application detection device in the embodiment of the present application, and the chip can implement the corresponding process implemented by the network device in each method of the embodiment of the present application.
  • chips mentioned in the embodiments of the present application may also be referred to as system-level chips or system-on-chips.
  • an embodiment of the present application further provides a computer storage medium in which a computer program is stored, and the computer program is configured to execute the data scheduling method of the embodiment of the present application.
  • the quick application detection solution provided by this application uses preset detection rules, including static detection rules and/or dynamic detection rules, to carry out automated batch detection of quick applications according to those rules, so that quick applications with security vulnerabilities are located quickly and the efficiency of quick application security detection is improved.

Abstract

Disclosed in the present application are a quick application test method and apparatus, a device, and a storage medium. The method comprises: acquiring an installation package of at least one quick application to be tested; acquiring test rules configured for the at least one quick application in advance; and performing security test on the at least one quick application on the basis of the test rules to obtain a test result, wherein the test for the quick application comprises static test and/or dynamic test, such that automatic batch test for quick applications is achieved by means of the preset test rules, which comprise static test rules and/or dynamic test rules, thereby quickly locating quick applications having security vulnerabilities, thus improving quick application security test efficiency.

Description

Quick application detection method, apparatus, device and storage medium
Technical field
This application relates to the field of computer technology, and in particular to a quick application detection method, apparatus, device and storage medium.
Background
A quick application is a new form of Android application whose standard was jointly formulated by nine major mobile phone manufacturers; users do not need to install it and can use it with a single tap. A quick application consists of two parts, the quick application rpk and the quick application platform, where rpk is a file format of the quick application installation package.
At present there are no automated tools or solutions for detecting security vulnerabilities and privacy compliance problems in quick applications. Detection is done either by unpacking the rpk and manually checking the JS (JavaScript) code files for security and privacy compliance, or by installing and running the rpk on a real device and checking for security vulnerabilities and privacy compliance through debugging and packet capture. JavaScript is a programming language used by quick applications.
However, manual static code auditing and dynamic debugging with packet capture cannot be automated or carried out in batches, so efficiency is low. Both approaches rely essentially on manual work, so the quality of the detection results depends entirely on the experience and technical level of the tester, and the results may suffer from missed tests and missed reports.
Summary of the invention
To solve the above technical problems, embodiments of the present application provide a quick application detection method, apparatus, device and storage medium.
In a first aspect, an embodiment of the present application provides a quick application detection method, wherein the method includes:
obtaining an installation package of at least one quick application to be detected;
obtaining a detection rule configured in advance for the at least one quick application;
performing, based on the detection rule, security detection on the at least one quick application to obtain a detection result; wherein the detection of the quick application includes static detection and/or dynamic detection.
In a second aspect, an embodiment of the present application provides a quick application detection apparatus, wherein the apparatus includes:
an obtaining part, configured to obtain an installation package of at least one quick application to be detected, and to obtain a detection rule configured in advance for the at least one quick application;
a detection part, configured to perform, based on the detection rule, security detection on the at least one quick application to obtain a detection result; wherein the detection of the quick application includes static detection and/or dynamic detection.
The embodiments of the present application provide a quick application detection method, apparatus, device and storage medium. The method includes: obtaining an installation package of at least one quick application to be detected; obtaining a detection rule configured in advance for the at least one quick application; and performing, based on the detection rule, security detection on the at least one quick application to obtain a detection result, wherein the detection of the quick application includes static detection and/or dynamic detection. In this way, with preset detection rules, including static detection rules and/or dynamic detection rules, automated batch detection of quick applications is carried out according to the detection rules, so that quick applications with security vulnerabilities are located quickly and the efficiency of quick application security detection is improved.
Description of the drawings
FIG. 1 is a schematic flowchart of a quick application detection method in an embodiment of the present application;
FIG. 2 is a schematic diagram of the first flow of the quick application static detection method in an embodiment of the present application;
FIG. 3 is a schematic diagram of the composition framework of the static detection principle in an embodiment of the present application;
FIG. 4 is a schematic diagram of the second flow of the quick application static detection method in an embodiment of the present application;
FIG. 5 is a schematic flowchart of a quick application dynamic detection method in an embodiment of the present application;
FIG. 6 is a schematic diagram of the composition structure of a quick application detection apparatus in an embodiment of the present application;
FIG. 7 is a schematic diagram of the composition structure of a quick application detection device in an embodiment of the present application;
FIG. 8 is a schematic block diagram of a chip provided by an embodiment of the present application.
Detailed description
For a more detailed understanding of the features and technical content of the embodiments of the present application, their implementation is described in detail below with reference to the accompanying drawings. The drawings are for reference and illustration only and are not intended to limit the embodiments of the present application.
An embodiment of the present application provides a quick application detection method. As shown in FIG. 1, the quick application detection method specifically includes:
Step 101: Obtain an installation package of at least one quick application to be detected;
Here, quick applications are a new application ecosystem jointly launched by multiple mobile terminal manufacturers on the basis of the hardware platform. Users do not need to download or install anything; they tap and use, with the performance experience of a native application.
With an ordinary application (APP), the user first needs to know what the APP does. For example, food applications such as APP1 and APP2 can be used to find food; the user then needs to download and install these apps from the application market, open them, and search for "pizza". With a quick application, after getting a new phone you do not need to know which app can help you find food, nor download that app; you only need to pull down on the home screen to open the search box and enter "pizza" to obtain the corresponding service.
In practice, before a quick application is listed in the app store, its security needs to be tested, for example whether the quick application can withstand malicious network attacks, or whether its management of user privacy is compliant. Therefore, a background detection device is built on the basis of the quick application detection method of this application; the background detection device obtains the installation package of at least one quick application to be detected and performs batch detection on the quick applications. Here, the installation package of a quick application may be an rpk package; rpk is a file format of the quick application installation package.
In practice, a quick application can run on a mobile terminal, which may be a terminal with networking capability. The terminals described in this application may include mobile phones, tablet computers, notebook computers, handheld computers, personal digital assistants (PDA), portable media players (PMP), navigation devices, wearable devices, smart bracelets, cameras, and the like.
Step 102: Obtain a detection rule configured in advance for the at least one quick application;
In practice, the detection of a quick application includes static detection and/or dynamic detection. Correspondingly, the detection rule includes a first detection rule for static detection and/or a second detection rule for dynamic detection.
In practice, static detection means analysis performed without executing the binary program, such as disassembly analysis, source code analysis, binary statistical analysis and decompilation; it is a reverse-engineering analysis method.
The first detection rule may be determined from known security vulnerabilities of existing quick applications or other ordinary applications. For example, source code analysis is performed on quick applications or other ordinary applications that have security vulnerabilities, to determine the key source code that causes the security problem and the type of the security vulnerability; that source code is then used as the identification information of this type of security vulnerability to establish the first detection rule.
In practice, dynamic detection simulates the running of a quick application and, by inspecting the content exchanged between the terminal and the network side or other terminals while the quick application runs, obtains known dynamic behavior characteristics that cause security problems. That is, the second detection rule may be established from known dynamic running characteristics, which are determined from the dynamic running behavior that causes security problems while existing quick applications or other ordinary applications run.
Step 103: Based on the detection rule, perform security detection on the at least one quick application to obtain a detection result; wherein the detection of the quick application includes static detection and/or dynamic detection.
Here, the detection rules are preset by testers on the basis of existing security problems, privacy non-compliance problems and the like. After the detection device obtains the installation packages and the detection rules of the quick applications, it selects the corresponding detection rule according to the installation package or the detection type, and runs detection on the quick application package being tested.
In some embodiments, when static detection is performed on the quick application, the detection rule includes a first detection rule for static detection;
Correspondingly, performing security detection on the at least one quick application based on the detection rule to obtain a detection result includes: parsing the installation package of the at least one quick application and extracting the files to be detected of the at least one quick application; performing, based on the first detection rule, static detection on the files to be detected of the at least one quick application simultaneously to obtain static detection results; and determining, based on the static detection results of the at least one quick application, whether the at least one quick application has a security vulnerability.
That is, static detection statically scans the source code to determine whether it contains source code that matches the first detection rule; if it does, the quick application is determined to have a security vulnerability.
In some embodiments, when dynamic detection is performed on the quick application, the detection rule includes a second detection rule for dynamic detection;
Correspondingly, performing security detection on the at least one quick application based on the detection rule to obtain a detection result includes:
dynamically running the installation package of the at least one quick application in a virtual machine and monitoring the network request information of the quick application to obtain the dynamic behavior characteristics of the at least one quick application; detecting, based on the second detection rule, the dynamic behavior characteristics of the at least one quick application to obtain dynamic detection results; and determining, based on the dynamic detection results of the at least one quick application, whether the at least one quick application has a security vulnerability.
That is, dynamic detection simulates the running of the quick application and, by inspecting the content exchanged between the terminal and the network side or other terminals while the quick application runs, obtains the dynamic behavior characteristics of the quick application. It is then determined whether these dynamic behavior characteristics include one that matches the second detection rule; if so, the quick application is determined to have a security vulnerability.
In some embodiments, the method further includes: updating the detection rule according to a preset update strategy; wherein the update strategy includes at least one of the following: delete, add, replace.
In practice, as security threats to quick applications escalate and mutate, the embodiments of the present application also include updating the detection rules to adapt to the current security threat environment. Specifically, old detection rules are deleted, new detection rules are added, and old detection rules are replaced.
Here, steps 101 to 103 may be executed by the processor of the quick application detection device.
With the above technical solution, automated batch detection of quick applications can be achieved, including batch static detection and batch dynamic detection, which saves a large amount of manual work, so that quick applications with security vulnerabilities are located quickly and the efficiency of quick application security detection is improved.
On the basis of the above embodiments of the present application, the static detection method for quick applications is further illustrated. FIG. 2 is a schematic diagram of the first flow of the quick application static detection method in an embodiment of the present application. As shown in FIG. 2, the static detection method specifically includes:
Step 201: Obtain an installation package of at least one quick application to be detected;
In practice, before a quick application is listed in the app store, its security needs to be tested, for example whether the quick application can withstand malicious network attacks, or whether its management of user privacy is compliant. Therefore, a background detection device is built on the basis of the quick application detection method of this application, and the background detection device obtains the installation package of at least one quick application to be detected. Here, the installation package of a quick application may be an rpk package; rpk is a file format of the quick application installation package.
Step 202: Obtain a first detection rule configured in advance for the at least one quick application;
In practice, static detection means analysis performed without executing the binary program, such as disassembly analysis, source code analysis, binary statistical analysis and decompilation; it is a reverse-engineering analysis method.
The first detection rule may be determined from known security vulnerabilities of existing quick applications or other ordinary applications. For example, source code analysis is performed on quick applications or other ordinary applications that have security vulnerabilities, to determine the key source code that causes the security problem and the type of the security vulnerability; that source code is then used as the identification information of this type of security vulnerability to establish the first detection rule.
For example, the first detection rule includes identification information of at least one security vulnerability, and the identification information indicates the static behavior characteristics of the security vulnerability. The identification information may be a single keyword or a logical combination of multiple keywords that have a contextual relationship. If the identification information is a single keyword, the security vulnerability can be represented by that one keyword; if it is a logical combination of multiple keywords, multiple lines of code in the vulnerable source code must stand in a certain contextual relationship, and only from that relationship can it be determined whether the quick application contains the security vulnerability.
Exemplarily, the identification information of a first security vulnerability includes keyword 1, and the identification information of a second security vulnerability includes keyword combination 1, where keyword combination 1 includes keyword 2, keyword 3 and keyword 4, together with the logical relationships between the keywords.
Step 203: Parse the installation package of the at least one quick application and extract the files to be detected of the at least one quick application;
In some embodiments, the installation package of the at least one quick application is parsed to extract all files of each quick application and the index identifier of the files to be detected; based on the index identifier of the files to be detected, the files to be detected are determined from all files of each quick application.
It should be noted that the installation package contains first-type code files, which implement the quick application's functions, and second-type code files, which are inherent to the quick application framework. In practice, security vulnerabilities appear only in the first-type code files, and running the second-type code files does not give rise to security vulnerabilities. Therefore only the first-type code files need to be statically scanned, so the index identifier of the first-type code files (that is, the files to be detected) is used to locate them.
In practice, the JS files and the manifest.xml file are extracted from the rpk package, the names of the target JS files to be scanned are determined by parsing the routing configuration (that is, the index information) in manifest.xml, and then the rule configuration file is loaded and the first detection rule is parsed from it.
Step 204: Based on the first detection rule, perform static detection on the files to be detected of the at least one quick application simultaneously to obtain static detection results;
In practice, the first detection rule includes identification information of at least one security vulnerability;
Correspondingly, performing static detection on the files to be detected of the at least one quick application simultaneously, based on the first detection rule, to obtain static detection results includes: matching the file to be detected against the identification information corresponding to a target security vulnerability, wherein the target security vulnerability is any one of the security vulnerabilities in the first detection rule; if there is a match, determining that the file to be detected has the target security vulnerability and obtaining the line numbers of the matching code in the file to be detected; if there is no match, determining that the file to be detected does not have the target security vulnerability.
In practice, the background service device delivers the rpk package to the detection engine, which detects the rpk package and generates a static detection report. Specifically, the detection engine loads the rule configuration file and parses the first detection rule from it, then matches the identification information of the different security vulnerabilities in the first detection rule against the file to be detected to obtain a matching result; when identification information matches, the detection engine records the number of the matched identification information and the JS code line number. After all JS files have been scanned, the detection engine outputs the scan result according to the recorded identification information numbers and JS code line numbers.
Here, the identification information number locates the type of security vulnerability, and the JS code line number locates the code in the rpk package that introduces the vulnerability. This not only lets testers quickly determine which types of security vulnerability a quick application has, but also lets them quickly locate the specific code, which facilitates later upgrading and remediation of the quick application, improves its development efficiency, and shortens the time to launch.
FIG. 3 is a schematic diagram of the composition framework of the static detection principle in an embodiment of the present application. As shown in FIG. 3, before a quick application is listed in the app store, the background detection device obtains the rpk package of the quick application provided by its developer, and the background service device delivers the rpk package to the detection engine for detection. The detection engine parses the rpk package and extracts the key JS files from it; it reads the detection rules from the configuration file prepared in advance, parses them, and uses the parsed detection rules to statically scan the extracted quick application JS files and generate a detection report. When there are multiple quick applications to be detected, the background detection device starts multiple detection engines, which statically scan the JS code files of the quick applications in parallel and generate detection reports, achieving batch static scanning of quick applications.
It should be noted that if the identification information is a single keyword, the code line number is the line number of one line of code; if the identification information is a logical combination of multiple keywords, the code line number may be the line numbers of multiple lines of code.
步骤205:基于所述至少一个快应用的静态检测结果,确定所述至少一个快应用是否存在安全漏洞。Step 205: Based on the static detection result of the at least one fast application, determine whether the at least one fast application has a security vulnerability.
具体的,根据静态检测结果,从至少一个快应用确定存储在安全漏洞的目标快应用,并确定目标快应用中不同安全漏洞对应的代码位置。Specifically, according to the static detection result, the target fast application stored in the security vulnerability is determined from at least one fast application, and the code positions corresponding to different security vulnerabilities in the target fast application are determined.
在一些实施例中,该方法还包括:根据预设的更新策略,更新所述第一检测规则;其中,所述更新策略包括一下至少一项:删除、增加、替换。In some embodiments, the method further includes: updating the first detection rule according to a preset update strategy; wherein, the update strategy includes at least one of the following: delete, add, and replace.
实际应用中,随着快应用安全威胁的升级变种,本申请实施例也包括更新检测规则,以适应当前的安全威胁环境。具体的,删除旧的检测规则,增加新的检测规则,以及替换旧的检测规则。In actual applications, with the escalating variants of fast application security threats, the embodiments of the present application also include updating detection rules to adapt to the current security threat environment. Specifically, delete old detection rules, add new detection rules, and replace old detection rules.
在上述快应用静态检测方法的基础上提供了一种更为具体的检测过程,图4为本申请实施例中快应用静态检测方法的第二流程示意图,如图4所示,该静态检测方法具体包括:A more specific detection process is provided on the basis of the above-mentioned quick application static detection method. FIG. 4 is a schematic diagram of the second process of the quick application static detection method in an embodiment of this application. As shown in FIG. 4, the static detection method Specifically:
Step 401: Start;
Step 402: Parse the rules;
Specifically, the detection engine loads the rule configuration file and parses the first detection rule.
Step 403: Parse the rpk package;
Step 404: Read the manifest.xml file;
Manifest is an Android development file name and refers to the AndroidManifest.xml file. Every Android application must have an AndroidManifest.xml file, located in the app/manifests directory. It presents essential information about the application to the Android system, information the system must have before it can run any of the application's code. The manifest names the application's Java package, and the package name serves as the unique identifier of the application.
In other words, the manifest.xml file serves as the index information of the target JS files to be detected; the names of the target JS files that need to be scanned are determined by parsing the routing configuration (that is, the index information) in manifest.xml.
Step 405: Extract the target JS files;
Step 406: Scan the target JS files according to the parsing result of the first rule;
Step 407: Determine whether the end has been reached; if yes, go to step 410; if no, go to step 408;
Step 408: Determine whether there is a match; if yes, go to step 409; if no, go to step 406;
Specifically, the detection engine matches the identification information of the different security vulnerabilities in the first detection rule against the file to be detected to obtain a matching result. When a piece of identification information matches, the detection engine records the matched identification information number and the JS code line number. After all JS files have been scanned, the detection engine outputs the scan result according to the recorded identification information numbers and JS code line numbers.
Step 409: Record the matching result;
Here, the matching result includes the identification information number and the JS code line number.
Step 410: Generate the detection report;
That is, once all target JS files in the quick application have been scanned, the detection result is generated.
Step 411: End.
With the above technical solution, automated batch static detection of quick applications can be realized, saving a large amount of manual work, so that quick applications with security vulnerabilities are located quickly and the efficiency of quick application security detection is improved.
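The static flow of steps 401 to 411, together with the rule update strategy described earlier, can be sketched as follows. This is an added example, not code from the application: it assumes the rpk package is a zip archive, and the manifest.xml layout (`<page src="...">`), the JSON rule schema, the rule ids and the sample packages are all constructed for illustration.

```python
import io
import json
import zipfile
import xml.etree.ElementTree as ET
from concurrent.futures import ThreadPoolExecutor

MAX_FILE_BYTES = 1 << 20  # packages are untrusted input: bound each member

# Constructed rule file (hypothetical schema). "all" lists the keywords that
# must all occur in a file; a one-element list is the single-keyword case.
RULES_JSON = """[
  {"id": "R001", "all": ["eval("]},
  {"id": "R002", "all": ["getDeviceId", "http://"]}
]"""

def parse_rules(text):
    """Step 402: load and validate the rule configuration."""
    rules = json.loads(text)
    for rule in rules:
        if not rule.get("id") or not rule.get("all"):
            raise ValueError(f"malformed rule: {rule!r}")
    return rules

def update_rules(rules, op, rule):
    """Update strategy: 'delete', 'add' or 'replace' the rule with rule['id']."""
    if op not in ("delete", "add", "replace"):
        raise ValueError(f"unknown update operation: {op}")
    exists = any(r["id"] == rule["id"] for r in rules)
    if op == "add" and exists:
        raise ValueError("duplicate rule id")
    if op != "add" and not exists:
        raise ValueError("no such rule id")
    kept = [r for r in rules if r["id"] != rule["id"]]
    return kept if op == "delete" else kept + [rule]

def read_member(z, name):
    """Read one archive member, refusing oversized (zip-bomb style) entries."""
    if z.getinfo(name).file_size > MAX_FILE_BYTES:
        raise ValueError(f"{name}: member too large")
    return z.read(name)

def target_js_files(rpk_bytes):
    """Steps 403-405: parse the package, read the manifest index, extract JS."""
    with zipfile.ZipFile(io.BytesIO(rpk_bytes)) as z:
        raw = read_member(z, "manifest.xml")
        if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
            raise ValueError("manifest.xml: DTD/entity declarations rejected")
        names = set(z.namelist())
        wanted = [p.get("src") for p in ET.fromstring(raw).iter("page")]
        return {n: read_member(z, n).decode("utf-8", "replace")
                for n in wanted if n in names}

def scan_file(source, rules):
    """Steps 406-409: record the rule id and line numbers of every match."""
    lines = source.splitlines()
    findings = []
    for rule in rules:
        hits = {kw: [n for n, line in enumerate(lines, 1) if kw in line]
                for kw in rule["all"]}
        if all(hits.values()):  # every keyword of the combination is present
            nums = sorted({n for ns in hits.values() for n in ns})
            findings.append({"rule": rule["id"], "lines": nums})
    return findings

def scan_package(name, rpk_bytes, rules):
    """Step 410: build the detection report for one package."""
    report = {"package": name, "findings": []}
    for fname, src in sorted(target_js_files(rpk_bytes).items()):
        for finding in scan_file(src, rules):
            report["findings"].append({"file": fname, **finding})
    report["vulnerable"] = bool(report["findings"])
    return report

def scan_batch(packages, rules, workers=4):
    """Batch mode: one scan task per package, run in parallel."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(lambda kv: scan_package(kv[0], kv[1], rules),
                             packages.items()))

def make_rpk(files):
    """Build a constructed sample package in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in files.items():
            z.writestr(name, content)
    return buf.getvalue()

def run_demo():
    manifest = ('<manifest><router><page src="pages/index.js"/>'
                '<page src="pages/pay.js"/></router></manifest>')
    risky = make_rpk({
        "manifest.xml": manifest,
        "pages/index.js": "const id = device.getDeviceId()\n"
                          "fetch('http://stats.example.test/c?id=' + id)\n",
        "pages/pay.js": "function run(s) {\n  return eval(s)\n}\n",
        "lib/unlisted.js": "eval('1')\n",  # not in the index: never scanned
    })
    clean = make_rpk({
        "manifest.xml": '<manifest><router><page src="app.js"/></router></manifest>',
        "app.js": "console.log('hi')\n",
    })
    return scan_batch({"risky.rpk": risky, "clean.rpk": clean},
                      parse_rules(RULES_JSON))

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The single-keyword rule reports one line number and the two-keyword combination reports two, as the description notes. Because only files named in the manifest index are scanned, `lib/unlisted.js` produces no finding, so the index also defines the coverage boundary of the scan.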
On the basis of the above embodiments of this application, the dynamic detection method for quick applications is further illustrated by example. Figure 5 is a schematic flowchart of the quick application dynamic detection method in an embodiment of this application. As shown in Figure 5, the dynamic detection method specifically includes:
Step 501: Obtain the installation package of at least one quick application to be detected;
In actual applications, before a quick application is listed in the app store, its security needs to be tested first, for example, whether the quick application can withstand malicious network attacks, or whether its management of user privacy is compliant. Therefore, a background detection device is established based on the quick application detection method of this application, and the background detection device obtains the installation package of at least one quick application to be detected. Here, the installation package of the quick application may be an rpk package; rpk is a file format of quick application installation packages.
Step 502: Obtain a second detection rule configured in advance for the at least one quick application;
Dynamic detection simulates the running process of the quick application and obtains the dynamic behavior characteristics of the quick application by inspecting the content exchanged between the terminal and the network side or other terminals while the quick application is running. It is then determined whether the dynamic behavior characteristics include one that matches the second detection rule; if so, the quick application is determined to have a security vulnerability.
Step 503: Dynamically run the installation package of the at least one quick application in a virtual machine, and monitor the network request information of the quick application to obtain the dynamic behavior characteristics of the at least one quick application;
The dynamic behavior characteristics of a quick application specifically represent at least one of the following: scanning system status, obtaining system permissions, registry operations, self-deletion operations, encryption and decryption, process/thread behavior, file operations, and network access behavior.
Step 504: Based on the second detection rule, detect the dynamic behavior characteristics of the at least one quick application to obtain a dynamic detection result;
In actual applications, the second detection rule includes the dynamic behavior characteristics of at least one security vulnerability;
Correspondingly, performing security detection on the at least one quick application based on the detection rule to obtain a detection result includes: matching the dynamic behavior characteristics of the quick application against the dynamic behavior characteristics of a target security vulnerability, where the target security vulnerability is any one of the security vulnerabilities in the second detection rule; if they match, determining that the quick application has the target security vulnerability; if they do not match, determining that the quick application does not have the target security vulnerability.
Exemplarily, the installation package code is dynamically executed in a virtual machine (VM), state changes during execution are monitored, and HOOK is used to intercept the operations of key events in the system. Here, HOOK is an important carrier of message passing in the Windows system: the HOOK function provides an interface for message calls, intercepts the calling process between events, and forwards the call to the corresponding API interface after processing. In this case, user-defined HOOKs are set in the operating system to monitor system behavior and achieve dynamic monitoring.
In actual applications, the dynamic behavior characteristics of a security vulnerability also specifically represent at least one of the following: scanning system status, obtaining system permissions, registry operations, self-deletion operations, encryption and decryption, process/thread behavior, file operations, and network access behavior.
Step 505: Based on the dynamic detection result of the at least one quick application, determine whether the at least one quick application has a security vulnerability.
When the dynamic detection result indicates that the target quick application has security vulnerabilities, the types and number of the security vulnerabilities in the target quick application are determined.
In some embodiments, the method further includes: updating the second detection rule according to a preset update strategy, where the update strategy includes at least one of the following: delete, add, replace.
With the above technical solution, automated batch dynamic detection of quick applications can be realized, saving a large amount of manual work, so that quick applications with security vulnerabilities are located quickly and the efficiency of quick application security detection is improved.
To implement the method of the embodiments of this application, and based on the same inventive concept, an embodiment of this application also provides a quick application detection apparatus. As shown in Figure 6, the apparatus includes:
An obtaining part 601, configured to obtain the installation package of at least one quick application to be detected, and to obtain a detection rule configured in advance for the at least one quick application;
A detection part 602, configured to perform security detection on the at least one quick application based on the detection rule to obtain a detection result, where the detection of the quick application includes static detection and/or dynamic detection.
In some embodiments, when static detection is performed on the quick application, the detection rule includes a first detection rule for static detection;
The detection part 602 is specifically configured to parse the installation package of the at least one quick application and extract the files to be detected of the at least one quick application; based on the first detection rule, perform static detection on the files to be detected of the at least one quick application simultaneously to obtain a static detection result; and based on the static detection result of the at least one quick application, determine whether the at least one quick application has a security vulnerability.
In some embodiments, the detection part 602 is specifically configured to parse the installation package of the at least one quick application and extract all files of each quick application and the index identifiers of the files to be detected; and based on the index identifiers of the files to be detected, determine the files to be detected from all files of each quick application.
In some embodiments, the first detection rule includes the identification information of at least one security vulnerability;
The detection part 602 is specifically configured to match the file to be detected against the identification information corresponding to a target security vulnerability, where the target security vulnerability is any one of the security vulnerabilities in the first detection rule; if they match, determine that the file to be detected has the target security vulnerability and obtain the matched code line number in the file to be detected; if they do not match, determine that the file to be detected does not have the target security vulnerability.
In some embodiments, when dynamic detection is performed on the quick application, the detection rule includes a second detection rule for dynamic detection;
The detection part 602 is specifically configured to dynamically run the installation package of the at least one quick application in a virtual machine and monitor the network request information of the quick application to obtain the dynamic behavior characteristics of the at least one quick application; based on the second detection rule, detect the dynamic behavior characteristics of the at least one quick application to obtain a dynamic detection result; and based on the dynamic detection result of the at least one quick application, determine whether the at least one quick application has a security vulnerability.
In some embodiments, the second detection rule includes the dynamic behavior characteristics of at least one security vulnerability;
The detection part 602 is specifically configured to match the dynamic behavior characteristics of the quick application against the dynamic behavior characteristics of a target security vulnerability, where the target security vulnerability is any one of the security vulnerabilities in the second detection rule; if they match, determine that the quick application has the target security vulnerability; if they do not match, determine that the quick application does not have the target security vulnerability.
In some embodiments, the apparatus further includes an update part, configured to update the detection rule according to a preset update strategy, where the update strategy includes at least one of the following: delete, add, replace.
With the above technical solution, automated batch detection of quick applications can be realized, including batch static detection and batch dynamic detection, saving a large amount of manual work, so that quick applications with security vulnerabilities are located quickly and the efficiency of quick application security detection is improved.
Based on the hardware implementation of each part of the above quick application detection apparatus, an embodiment of this application also provides a quick application detection device. As shown in Figure 7, the device includes a processor 701 and a memory 702 configured to store a computer program that can run on the processor;
The processor 701 is configured to execute the method steps of the foregoing embodiments when running the computer program.
Of course, in actual application, as shown in Figure 7, the components of the device are coupled together through a bus system 703. It can be understood that the bus system 703 is used to implement connection and communication between these components. In addition to a data bus, the bus system 703 also includes a power bus, a control bus, and a status signal bus. For clarity of description, however, the various buses are all labeled as the bus system 703 in Figure 7.
An embodiment of this application provides a computer storage medium that stores computer-executable instructions; when the computer-executable instructions are executed, the method steps of the foregoing embodiment 1 or 2 are implemented.
If the above apparatus of the embodiments of this application is implemented in the form of a software function module and sold or used as an independent product, it may also be stored in a computer-readable storage medium. Based on this understanding, the technical solutions of the embodiments of this application, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or part of the methods described in the embodiments of this application. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a magnetic disk, or an optical disc. Thus, the embodiments of this application are not limited to any specific combination of hardware and software.
An embodiment of this application also provides a chip for implementing the above quick application detection method of this application. Figure 8 is a schematic structural diagram of the chip of an embodiment of this application. The chip 800 shown in Figure 8 includes a processor 810, and the processor 810 can call and run a computer program from a memory to implement the method in the embodiments of this application.
Optionally, as shown in Figure 8, the chip 800 may further include a memory 820. The processor 810 can call and run a computer program from the memory 820 to implement the method in the embodiments of this application.
The memory 820 may be a separate device independent of the processor 810, or may be integrated in the processor 810.
Optionally, the chip 800 may further include an input interface 830. The processor 810 can control the input interface 830 to communicate with other devices or chips; specifically, it can obtain information or data sent by other devices or chips.
Optionally, the chip 800 may further include an output interface 840. The processor 810 can control the output interface 840 to communicate with other devices or chips; specifically, it can output information or data to other devices or chips.
Optionally, the chip can be applied to the quick application detection device in the embodiments of this application, and the chip can implement the corresponding processes implemented by the network device in each method of the embodiments of this application. For brevity, details are not repeated here.
It should be understood that the chip mentioned in the embodiments of this application may also be called a system-level chip, a system chip, a chip system, or a system-on-chip.
Correspondingly, an embodiment of this application further provides a computer storage medium in which a computer program is stored, and the computer program is configured to execute the data scheduling method of the embodiments of this application.
It should be noted that "first", "second", and the like are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence.
The methods disclosed in the several method embodiments provided in this application can be combined arbitrarily, provided there is no conflict, to obtain new method embodiments.
The features disclosed in the several product embodiments provided in this application can be combined arbitrarily, provided there is no conflict, to obtain new product embodiments.
The features disclosed in the several method or device embodiments provided in this application can be combined arbitrarily, provided there is no conflict, to obtain new method embodiments or device embodiments.
The above are only specific implementations of this application, but the protection scope of this application is not limited to them. Any change or substitution that a person skilled in the art can readily conceive within the technical scope disclosed in this application shall be covered by the protection scope of this application. Therefore, the protection scope of this application shall be subject to the protection scope of the claims.
Industrial applicability
The quick application detection solution provided by this application uses preset detection rules, including static detection rules and/or dynamic detection rules, to perform automated batch detection of quick applications according to those rules, so that quick applications with security vulnerabilities are located quickly and the efficiency of quick application security detection is improved.

Claims (10)

  1. A quick application detection method, wherein the method comprises:
    obtaining an installation package of at least one quick application to be detected;
    obtaining a detection rule configured in advance for the at least one quick application;
    performing, based on the detection rule, security detection on the at least one quick application to obtain a detection result; wherein the detection of the quick application comprises static detection and/or dynamic detection.
  2. The method according to claim 1, wherein, when static detection is performed on the quick application, the detection rule comprises a first detection rule for static detection;
    the performing, based on the detection rule, security detection on the at least one quick application to obtain a detection result comprises:
    parsing the installation package of the at least one quick application, and extracting the files to be detected of the at least one quick application;
    performing, based on the first detection rule, static detection on the files to be detected of the at least one quick application simultaneously to obtain a static detection result;
    determining, based on the static detection result of the at least one quick application, whether the at least one quick application has a security vulnerability.
  3. The method according to claim 2, wherein the parsing the installation package of the at least one quick application and extracting the files to be detected of the at least one quick application comprises:
    parsing the installation package of the at least one quick application, and extracting all files of each quick application and the index identifiers of the files to be detected;
    determining, based on the index identifiers of the files to be detected, the files to be detected from all files of each quick application.
  4. The method according to claim 2, wherein the first detection rule comprises identification information of at least one security vulnerability;
    the performing, based on the first detection rule, static detection on the files to be detected of the at least one quick application simultaneously to obtain a static detection result comprises:
    matching the file to be detected against the identification information corresponding to a target security vulnerability; wherein the target security vulnerability is any one of the security vulnerabilities in the first detection rule;
    if they match, determining that the file to be detected has the target security vulnerability, and obtaining the matched code line number in the file to be detected;
    if they do not match, determining that the file to be detected does not have the target security vulnerability.
  5. The method according to claim 1, wherein, when dynamic detection is performed on the quick application, the detection rule comprises a second detection rule for dynamic detection;
    the performing, based on the detection rule, security detection on the at least one quick application to obtain a detection result comprises:
    dynamically running the installation package of the at least one quick application in a virtual machine, and monitoring the network request information of the quick application to obtain the dynamic behavior characteristics of the at least one quick application;
    detecting, based on the second detection rule, the dynamic behavior characteristics of the at least one quick application to obtain a dynamic detection result;
    determining, based on the dynamic detection result of the at least one quick application, whether the at least one quick application has a security vulnerability.
  6. The method according to claim 5, wherein the second detection rule comprises dynamic behavior characteristics of at least one security vulnerability;
    the detecting, based on the second detection rule, the dynamic behavior characteristics to obtain a dynamic detection result comprises:
    matching the dynamic behavior characteristics of the quick application against the dynamic behavior characteristics of a target security vulnerability; wherein the target security vulnerability is any one of the security vulnerabilities in the second detection rule;
    if they match, determining that the quick application has the target security vulnerability;
    if they do not match, determining that the quick application does not have the target security vulnerability.
  7. The method according to claim 1, wherein the method further comprises:
    updating the detection rule according to a preset update strategy; wherein the update strategy comprises at least one of the following: delete, add, replace.
  8. A quick application detection apparatus, wherein the apparatus comprises:
    an obtaining part, configured to obtain an installation package of at least one quick application to be detected, and to obtain a detection rule configured in advance for the at least one quick application;
    a detection part, configured to perform, based on the detection rule, security detection on the at least one quick application to obtain a detection result; wherein the detection of the quick application comprises static detection and/or dynamic detection.
  9. A quick application detection device, wherein the device comprises: a processor and a memory for storing a computer program that can run on the processor,
    wherein the memory is used to store the computer program, and the processor is used to call and run the computer program stored in the memory to execute the steps of the method according to any one of claims 1-7.
  10. A computer-readable storage medium, wherein the computer-readable storage medium is used to store a computer program, and the computer program causes a computer to execute the steps of the method according to any one of claims 1-7.
PCT/CN2020/093913 2020-06-02 2020-06-02 Quick application test method and apparatus, device, and storage medium WO2021243555A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2020/093913 WO2021243555A1 (en) 2020-06-02 2020-06-02 Quick application test method and apparatus, device, and storage medium
CN202080100497.8A CN115552401A (en) 2020-06-02 2020-06-02 Fast application detection method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/093913 WO2021243555A1 (en) 2020-06-02 2020-06-02 Quick application test method and apparatus, device, and storage medium

Publications (1)

Publication Number Publication Date
WO2021243555A1 true WO2021243555A1 (en) 2021-12-09

Family

ID=78831634

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/093913 WO2021243555A1 (en) 2020-06-02 2020-06-02 Quick application test method and apparatus, device, and storage medium

Country Status (2)

Country Link
CN (1) CN115552401A (en)
WO (1) WO2021243555A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114900333A (en) * 2022-04-15 2022-08-12 深圳开源互联网安全技术有限公司 Multi-region safety protection method, device, equipment and readable storage medium
CN116244194A (en) * 2023-02-09 2023-06-09 湖南快乐阳光互动娱乐传媒有限公司 Page test method and device of application program, storage medium and electronic equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107885995A (en) * 2017-10-09 2018-04-06 阿里巴巴集团控股有限公司 The security sweep method, apparatus and electronic equipment of small routine
US20180330102A1 (en) * 2017-05-10 2018-11-15 Checkmarx Ltd. Using the Same Query Language for Static and Dynamic Application Security Testing Tools
CN109308263A (en) * 2018-09-29 2019-02-05 北京云测信息技术有限公司 A kind of small routine test method, device and equipment
CN109558733A (en) * 2018-11-22 2019-04-02 四川长虹电器股份有限公司 A kind of application code defect inspection method combined based on static detection and dynamic detection
CN110222506A (en) * 2019-06-11 2019-09-10 腾讯科技(深圳)有限公司 Detection method, device, equipment and storage medium are applied fastly

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114900333A (en) * 2022-04-15 2022-08-12 深圳开源互联网安全技术有限公司 Multi-region safety protection method, device, equipment and readable storage medium
CN114900333B (en) * 2022-04-15 2023-09-08 深圳开源互联网安全技术有限公司 Multi-region safety protection method, device, equipment and readable storage medium
CN116244194A (en) * 2023-02-09 2023-06-09 湖南快乐阳光互动娱乐传媒有限公司 Page test method and device of application program, storage medium and electronic equipment

Also Published As

Publication number Publication date
CN115552401A (en) 2022-12-30

Similar Documents

Publication Publication Date Title
He et al. Dynamic privacy leakage analysis of Android third-party libraries
Gibler et al. Androidleaks: Automatically detecting potential privacy leaks in android applications on a large scale
US10032026B1 (en) Static and dynamic security analysis of apps for mobile devices
Bagheri et al. Practical, formal synthesis and automatic enforcement of security policies for android
US10547626B1 (en) Detecting repackaged applications based on file format fingerprints
EP3232359B1 (en) Identification device, identification method, and identification program
US12026256B2 (en) Context-based analysis of applications
Liu et al. MR-Droid: A scalable and prioritized analysis of inter-app communication risks
KR20110128632A (en) Method and device for detecting malicious action of application program for smartphone
CN105631312A (en) Method and system for processing rogue programs
WO2021243555A1 (en) Quick application test method and apparatus, device, and storage medium
US10701087B2 (en) Analysis apparatus, analysis method, and analysis program
CN111563015A (en) Data monitoring method and device, computer readable medium and terminal equipment
Wang et al. Leakdoctor: Toward automatically diagnosing privacy leaks in mobile applications
CN112887388A (en) Data processing system based on sandbox environment
Chen et al. Automatic privacy leakage detection for massive android apps via a novel hybrid approach
Jing et al. Checking intent-based communication in android with intent space analysis
JP2012083909A (en) Application characteristic analysis device and program
CN117032894A (en) Container security state detection method and device, electronic equipment and storage medium
Zhang et al. Contextual approach for identifying malicious inter-component privacy leaks in android apps
Blasco et al. Detection of app collusion potential using logic programming
CN114462030A (en) Privacy policy processing and evidence obtaining method, device, equipment and storage medium
Min et al. Android software vulnerability mining framework based on dynamic taint analysis technology
KR20100113802A (en) System and method for protecting against malicious traffic and from hacking
Rodriguez et al. Ntapps: A network traffic analyzer of android applications

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20939427

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205N DATED 24/01/2023)

122 Ep: pct application non-entry in european phase

Ref document number: 20939427

Country of ref document: EP

Kind code of ref document: A1