CN113672902B - Application program detection method, device, equipment and storage medium - Google Patents
Application program detection method, device, equipment and storage medium
- Publication number
- CN113672902B
- Authority
- CN
- China
- Prior art keywords
- detected
- application
- function
- information
- behavior
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Virology (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Stored Programmes (AREA)
- Telephone Function (AREA)
Abstract
The application provides an application program detection method, an application program detection device and a storage medium, wherein the method comprises the following steps: receiving an operation instruction of an application to be detected, wherein the operation instruction carries a function to be detected; controlling the application to be detected to call the function to be detected; acquiring a call record of the application to be detected for the function to be detected, wherein the call record comprises an access record of the application to be detected for user information; and detecting whether the application to be detected has malicious information access behaviors according to the call record and a preset malicious behavior library of the function to be detected. The application thereby detects malicious information access behaviors and illegal invocation of user permissions in an application program, protects the personal privacy of the user, and makes it easier to check and improve the application program more accurately.
Description
Technical Field
The present application relates to the field of detection technologies, and in particular, to an application detection method, apparatus, device, and storage medium.
Background
In the prior art, when compliance checking is performed on application programs (apps), most research and development addresses only malicious application behavior such as stealing funds, or only whether the user has authorized sensitive permissions in the application interface. With the development of information technology, many malicious application programs that illegally invoke user permissions have appeared, causing information security problems such as the disclosure of users' private information. How to accurately detect whether an app behaves maliciously has therefore become a problem to be solved urgently.
Disclosure of Invention
The application provides an application program detection method, device, equipment and storage medium, which detect malicious information access behaviors and illegal invocation of user permissions in an application program, protect the personal privacy of the user, and facilitate more accurate inspection and improvement of the application program.
An embodiment of the present application provides a method for detecting an application program, including: receiving an operation instruction of an application to be detected, wherein the operation instruction carries a function to be detected; controlling an application to be detected to call a function to be detected; acquiring a call record of the application to be detected for the function to be detected, wherein the call record comprises an access record of the application to be detected for user information; and detecting whether the application to be detected has malicious information access behaviors according to the call record and a preset malicious behavior library of the function to be detected.
In an embodiment, obtaining the call record of the application to be tested for the function to be tested includes obtaining call stack information of the application to be tested for the function to be tested, and taking the call stack information as the call record.
In an embodiment, according to a call record and a preset malicious behavior library of a function to be tested, detecting whether a malicious information access behavior exists in an application to be tested includes: judging whether the access behavior of the application to be detected to the user information in the call record is in a preset malicious behavior library or not; when the access behavior of the application to be detected to the user information is in a preset malicious behavior library, determining that the malicious information access behavior exists in the calling behavior of the application to be detected to the function to be detected.
In an embodiment, the application program detection method further includes receiving authorization information of the application to be detected from the user.
In an embodiment, detecting whether the application to be detected has malicious information access behaviors according to the call record and a preset malicious behavior library of the function to be detected, further includes: when the access behavior of the application to be detected to the user information is not in the preset malicious behavior library, judging whether the access behavior of the application to be detected to the user information is authorized or not according to the authorization information; when the access behavior of the application to be detected to the user information is not authorized, determining that the malicious information access behavior exists in the calling behavior of the application to be detected to the function to be detected.
In an embodiment, after detecting whether the application to be detected has malicious information access behaviors according to the call record and the preset malicious behavior library of the function to be detected, the method further includes generating detection result information of the application to be detected, and outputting the detection result information.
A second aspect of an embodiment of the present application provides an application detection apparatus, including: the first receiving module is used for receiving an operation instruction of the application to be detected, wherein the operation instruction carries a function to be detected; the control module is used for controlling the application to be detected to call the function to be detected; the acquisition module is used for acquiring a call record of the application to be detected for the function to be detected, wherein the call record comprises an access record of the application to be detected for the user information; the detection module is used for detecting whether the application to be detected has malicious information access behaviors according to the call record and a preset malicious behavior library of the function to be detected.
In an embodiment, the obtaining module is configured to obtain call stack information of a function to be tested by the application to be tested, and use the call stack information as a call record.
In an embodiment, the detection module is configured to determine whether an access behavior of the application to be detected in the call record to the user information is in a preset malicious behavior library; when the access behavior of the application to be detected to the user information is in a preset malicious behavior library, determining that the malicious information access behavior exists in the calling behavior of the application to be detected to the function to be detected.
In an embodiment, the application program detection device further includes a second receiving module, configured to receive authorization information of the application to be detected from the user.
In an embodiment, the detection module is further configured to determine, according to the authorization information, whether the access behavior of the application to be detected to the user information is authorized when the access behavior of the application to be detected to the user information is not in the preset malicious behavior library, and determine that the call behavior of the application to be detected to the function to be detected has malicious information access behavior when the access behavior of the application to be detected to the user information is not authorized.
In an embodiment, the application program detection device further includes an output module, configured to generate detection result information of the application to be detected after detecting whether the application to be detected has malicious information access behaviors according to the call record and a preset malicious behavior library of the function to be detected, and output the detection result information.
A third aspect of an embodiment of the present application provides an electronic device, including a memory to store a computer program; a processor configured to execute a computer program to implement the method of the first aspect of the embodiments of the present application and any of the embodiments thereof, to detect an application program.
A fourth aspect of the embodiments of the present application provides a non-transitory electronic device readable storage medium, including a program that, when executed by an electronic device, causes the electronic device to perform the application detection method of the first aspect of the embodiments of the present application and any of the embodiments thereof.
According to the application program detection method, device, equipment and storage medium, when an operation instruction of an application to be detected is received, the application to be detected is controlled to call a function to be detected, and a call record of the application to be detected for the function to be detected is obtained, the call record comprising an access record of the application to be detected for user information. Whether the application to be detected has malicious information access behaviors is then detected by comparing the call record with a preset malicious behavior library of the function to be detected. Compared with the prior art, which detects only whether an application's access to personal information has been authorized, or whether the application engages in malicious behavior such as stealing funds, the present application can detect behaviors that bear on user information security and privacy disclosure, detect more accurately whether the application program behaves maliciously, and provide a basis for later correction of non-compliance problems in the application program.
Drawings
In order to more clearly illustrate the technical solution of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below.
FIG. 1 is a schematic diagram of an electronic device according to an embodiment of the application;
FIG. 2 is a flowchart illustrating an application detection method according to an embodiment of the application;
FIG. 3 is a flowchart illustrating an application detection method according to an embodiment of the application;
Fig. 4 is a schematic structural diagram of an application detection device according to an embodiment of the application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the accompanying drawings in the embodiments of the present application.
Like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only to distinguish the description, and are not to be construed as indicating or implying relative importance.
As shown in fig. 1, a first aspect of the present embodiment provides an electronic device 1, including: at least one processor 11 and a memory 12, one processor being exemplified in fig. 1. The processor 11 and the memory 12 are connected through the bus 10, and the memory 12 stores instructions executable by the processor 11, so that the electronic device 1 can execute all or part of the flow of the method in the embodiment described below to detect the application.
In an embodiment, the electronic device 1 may be a mobile phone, a notebook computer, a desktop computer, or the like.
Please refer to fig. 2, which is a flowchart illustrating an application detection method according to an embodiment of the present application. A second aspect of an embodiment of the present application provides an application detection method, including:
S210: Receive an operation instruction of the application to be detected, wherein the operation instruction carries the function to be detected.
In this step, the application to be detected is an application program whose permissions for accessing user information, for calling behaviors, or for other behaviors are to be examined in order to determine whether the application program is compliant. During detection, the electronic device receives an operation instruction requiring it to detect whether the permissions of different behavior types invoked while the application program runs involve malicious behavior, or to judge whether they are compliant. For example, when it is necessary to detect whether a photo-retouching application itself invokes the telephone permission, the microphone permission, or other permissions on its own, an operation instruction is sent to the electronic device. The function to be detected carried by the operation instruction refers to the telephone function, the microphone function, or other functions corresponding to those permissions, and there may be one or more functions to be detected.
S220: Control the application to be detected to call the function to be detected.
In this step, controlling the application to be detected to call the function to be detected means that, when the electronic device receives the operation instruction, it controls the application to be detected on the electronic device to start and to call its own function to be detected, as specified by the function to be detected carried in the operation instruction. For example, when a user needs to detect whether the camera-calling function in a payment app is malicious, the detection instruction carries an instruction to open the camera to take or capture a picture; after the instruction is received, the application program is controlled to call the camera function, so that the camera is opened to take a picture. The operation instruction is not limited to designating a single permission invoked in the application program: it can also instruct the detected application program to exercise several, or even all, of its permission-related behaviors, with the corresponding executed functions taken as the functions to be detected.
S230: Acquire a call record of the application to be detected for the function to be detected, wherein the call record comprises an access record of the application to be detected for the user information.
In this step, a call record of the application to be detected for the function to be detected is obtained. The call record includes at least the name of the called function to be detected, and that name in the call record represents the access record of the application to be detected for the user information. For example, after the call function of a chat application is called, the electronic device obtains the call record generated by the call. The call record includes at least the names of the functions to be detected, for example the call function and the function for obtaining contact information, and thus also represents a record of the calling behavior during the call, or of the access behavior for obtaining user information such as contact information, after the chat application is started.
In an embodiment, obtaining the call record of the application to be detected for the function to be detected further includes obtaining call stack information of the application to be detected for the function to be detected and also using the call stack information as the call record. That is, the call record may further include call stack information, whose main function is to save the return address of the call. For example, when the chat application starts the call function, the call-making process proceeds from the start function, to the function that displays contact information in the interface, and finally to the call-making function; the call stack information is then: call-making function - display function - start function. In this step, Hook technology can be used to automatically identify and hook the function to be detected, here the call function, in preparation for the next step of judging whether the application to be detected has malicious information access behaviors. At the same time, the call stack information is output and stored as a call log. After all detection is completed, the user can use this record to trace the whole process of the application's malicious information access behavior, and the record gives later users a basis for improving and documenting the application program with respect to the malicious behaviors found in it.
S240: Detect whether the application to be detected has malicious information access behaviors according to the call record and a preset malicious behavior library of the function to be detected.
In this step, the preset malicious behavior library is formulated from the specific requirements in the relevant application program management specifications issued by the managing unit or department. For example, for a photo-retouching application, invoking the microphone or invoking text messages is not reasonable: these functions are not required for photo retouching, so they carry a security risk of malicious access to personal information. Therefore, in the relevant application program management specification, invoking the microphone or invoking text messages is defined as malicious information access behavior for photo-retouching applications, and this behavior is written into the preset malicious behavior library in advance and packaged. As the issued application program management specifications are updated, the content of the preset malicious behavior library is updated accordingly, and the corresponding preset malicious behavior library data packet is released in new versions.
Detecting whether the application to be detected has malicious information access behaviors means judging whether the access behavior of the application to be detected to the user information in the call record is in the preset malicious behavior library. In step S230, with reference to the content of the preset malicious behavior library, all possible malicious information access behaviors are automatically hooked through the Hook function, and it is judged whether the access behavior of the application to be detected to the user information is in the preset malicious behavior library. When the access behavior of the application to be detected to the user information is in the preset malicious behavior library, it is determined that the calling behavior of the application to be detected on the function to be detected has malicious information access behavior. For example, while a photo-retouching application is running, the microphone function is hooked and the album function is called. Because the microphone is not a function required for photo retouching, the hooked microphone function is exactly the malicious information access behavior defined for photo-retouching applications in the preset malicious behavior library, so it is determined that the calling behavior of the application to be detected on the function to be detected has malicious information access behavior. When the access behavior of the application to be detected to the user information is not in the preset malicious behavior library, for example the album-calling function of the photo-retouching application, it is determined that the calling behavior of the application to be detected on the function to be detected does not have malicious information access behavior.
In an embodiment, before application detection starts, i.e. before step S210, the method may further include the following. After the application program is developed, it is uploaded to an application platform. When the application program needs to be checked for malicious access behaviors, the application platform designates it as an application to be detected. Different users download the application to be detected from the application platform to an electronic device, and the electronic device controls the application to be detected to start and sends it an operation instruction to begin detection.
Referring to fig. 3, a flowchart of an application detection method according to an embodiment of the application is shown, and the method can be performed by the electronic device 1 shown in fig. 1, and includes the following steps:
S310: Receive an operation instruction of the application to be detected, wherein the operation instruction carries the function to be detected.
S320: Control the application to be detected to call the function to be detected.
S330: Acquire a call record of the application to be detected for the function to be detected, wherein the call record comprises an access record of the application to be detected for the user information.
Step S310 to step S330 are similar to step S210 to step S230 in the above embodiment, and detailed descriptions in the above embodiment are omitted here.
S340: Receive authorization information of the application to be detected from the user.
In this step, the electronic device automatically receives all of the user's authorization information generated while the user uses the application to be detected. The authorization information corresponds to the authorization requests that the application to be detected sends to the user before the user uses a function in the application. For example, in a photo-retouching application, the user wants to use the retouching function to modify photos in the album, and the application program sends the user an authorization request asking "whether the application is allowed to call album related information". If the user confirms by selecting "yes", the permission is authorized; otherwise, the permission is not authorized. When the application to be detected is examined, the authorization information corresponding to all functions in the application is collected, and the electronic device receives and stores it, providing a basis for later determining whether the application's call to the function to be detected involves malicious information access behavior.
S350: Judge whether the access behavior of the application to be detected to the user in the call record is in the preset malicious behavior library.
If the access behavior of the application to be detected in the call record to the user is judged to be in the preset malicious behavior library, directly entering step S360; if it is determined that the access behavior of the application to be detected in the call record to the user is not in the preset malicious behavior library, step S351 is entered to perform the next step of determination.
S360: Determine that the calling behavior of the application to be detected on the function to be detected has malicious information access behavior. Steps S350 and S360 are similar to step S240 above; for the preset malicious behavior library and other details, refer to the description of step S240, which is not repeated here.
S351: Judge whether the access behavior of the application to be detected to the user information is authorized according to the authorization information; if so, go to step S361, and if not, go to step S360.
S361: Determine that the calling behavior of the application to be detected on the function to be detected does not have malicious information access behavior.
Step S240 of the above embodiment detects whether the application to be detected has malicious information access behavior according to the call record and the preset malicious behavior library of the function to be detected. In this embodiment, after judging whether the access behavior of the application to be detected to the user in the call record is in the preset malicious behavior library, the method further includes step S351: judging whether the access behavior of the application to be detected to the user information is authorized according to the authorization information.
When the access behavior of the application to be detected to the user is in a preset malicious behavior library, determining that the malicious information access behavior exists in the calling behavior of the application to be detected to the function to be detected; when the access behavior of the application to be checked to the user information is not in the preset malicious behavior library, whether the access behavior of the application to be checked to the user information is authorized or not needs to be judged according to the authorization information: when the access behavior of the application to be detected to the user information is not authorized, determining that the malicious information access behavior exists in the calling behavior of the application to be detected to the function to be detected; when the access behavior of the application to be detected to the user information is authorized, determining that the call behavior of the application to be detected to the function to be detected does not have malicious information access behavior.
That is, even when the access behavior of the application to be detected to the user is not in the preset malicious behavior library, the application program must still be designed with user authorization as the primary premise: access to user information must be predicated on the user's express consent, and otherwise the access behavior is still defined as malicious information access behavior.
S370: Generate detection result information of the application to be detected, and output the detection result information.
After step S360 and step S361, according to the detection result, the electronic device may automatically generate detection result information of the application to be detected, and output the detection result information: if the malicious information access behavior of the application to be detected on the calling behavior of the function to be detected is determined, the application program is not compliant; and if the fact that the calling behavior of the application to be detected on the function to be detected does not have malicious information access behavior is determined, the application program is compliant.
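The decision flow of steps S350 to S370 can be sketched as follows. This is an added illustration, not code from the patent; the application category, function names, library contents and authorization answers are constructed sample values.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Tuple


class Verdict(Enum):
    IN_MALICIOUS_LIBRARY = "S360: behavior is in the preset malicious behavior library"
    NOT_AUTHORIZED = "S360: behavior was not authorized by the user"
    AUTHORIZED = "S361: no malicious information access behavior"


@dataclass(frozen=True)
class CallRecord:
    """One hooked call from S330: function name plus call stack information."""
    function: str
    call_stack: Tuple[str, ...]  # innermost frame first


@dataclass(frozen=True)
class Finding:
    record: CallRecord
    verdict: Verdict


# Constructed sample library: application category -> behaviors that the
# management specification defines as malicious for that category.
MALICIOUS_LIBRARY = {"photo_retouching": {"microphone", "sms"}}

# Constructed authorization information (S340): function -> user's answer.
# "contacts" is absent: the application never asked the user for it.
SAMPLE_AUTHORIZATION = {"album": True, "microphone": True}

# Constructed call records, as a hook layer might emit them in S330.
SAMPLE_RECORDS = [
    CallRecord("album", ("open_album", "edit_screen", "start")),
    CallRecord("microphone", ("record_audio", "background_task", "start")),
    CallRecord("contacts", ("read_contacts", "share_dialog", "start")),
]


def classify(record, app_category, library, authorization):
    """Apply S350, then S351, to a single call record."""
    if record.function in library.get(app_category, set()):
        # S350 "yes": go straight to S360. A user grant does not override
        # a behavior that the library defines as malicious for this category.
        return Finding(record, Verdict.IN_MALICIOUS_LIBRARY)
    # S351: only an explicit grant counts. A missing entry means the user
    # was never asked, which is treated the same as a refusal.
    if authorization.get(record.function) is True:
        return Finding(record, Verdict.AUTHORIZED)
    return Finding(record, Verdict.NOT_AUTHORIZED)


def detect(app_category, records, library, authorization):
    """S370: build detection result information for the whole application."""
    findings = [classify(r, app_category, library, authorization) for r in records]
    compliant = all(f.verdict is Verdict.AUTHORIZED for f in findings)
    return {"compliant": compliant, "findings": findings}


def render_report(result):
    """Format the result together with each call stack for later tracing."""
    lines = ["compliant" if result["compliant"] else "not compliant"]
    for f in result["findings"]:
        stack = " - ".join(f.record.call_stack)
        lines.append(f"{f.record.function}: {f.verdict.value} [{stack}]")
    return lines


if __name__ == "__main__":
    result = detect("photo_retouching", SAMPLE_RECORDS,
                    MALICIOUS_LIBRARY, SAMPLE_AUTHORIZATION)
    print("\n".join(render_report(result)))
```
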
In an embodiment, after step S370, the electronic device may package the detection result together with the call record and upload the package to the application platform, where it is bound to the application program. When other electronic devices download the application program, their users can also learn whether the application program is compliant, or can download the application program and modify or consult the non-compliant application program according to the call record.
Referring to fig. 4, a third aspect of the embodiment of the present application provides an application detection apparatus, including: the first receiving module is used for receiving an operation instruction of the application to be detected, wherein the operation instruction carries a function to be detected; the control module is used for controlling the application to be detected to call the function to be detected; the acquisition module is used for acquiring a call record of the application to be detected for the function to be detected, wherein the call record comprises an access record of the application to be detected for the user information; the detection module is used for detecting whether the application to be detected has malicious information access behaviors according to the call record and a preset malicious behavior library of the function to be detected.
In an embodiment, the obtaining module is configured to obtain call stack information of a function to be tested of the application to be tested, and use the call stack information as a call record, where a main function of the call stack information is to store a return address of the call.
In an embodiment, the detection module is configured to determine whether an access behavior of the application to be detected in the call record to the user information is in a preset malicious behavior library; when the access behavior of the application to be detected to the user information is in a preset malicious behavior library, determining that the malicious information access behavior exists in the calling behavior of the application to be detected to the function to be detected. Before each detection of the application to be detected, the detection module is further used for detecting whether the own preset malicious behavior library is the latest version or not, if not, the detection module can send updated information to the platform, download the preset malicious behavior library data packet of the latest version and replace the original version, so that whether the calling behavior of the function to be detected has malicious information access behavior or not is judged by the application to be detected according to specific requirements in relevant application program management specifications of the latest work information department, network information office department and the like.
In an embodiment, the application program detection device further includes a second receiving module, where the second receiving module is configured to receive authorization information of the application to be detected from a user.
In an embodiment, the detection module is further configured to: when the access behavior of the application to be detected to the user information is not in the preset malicious behavior library, judge whether that access behavior is authorized according to the authorization information; and when the access behavior is not authorized, determine that the calling behavior of the application to be detected on the function to be detected involves malicious information access behavior.
In an embodiment, the application program detection device further includes an output module, configured to generate detection result information of the application to be detected after detecting whether the application to be detected has malicious information access behaviors according to the call record and the preset malicious behavior library of the function to be detected, and to output the detection result information. If it is determined that the calling behavior of the application to be detected on the function to be detected involves malicious information access behavior, detection result information indicating that the application program is non-compliant is generated; if it is determined that the calling behavior does not involve malicious information access behavior, detection result information indicating that the application program is compliant is generated.
The implementation process of the functions and roles of each module in the above device is specifically shown in the implementation process of the corresponding steps in the above application detection method, and will not be described herein.
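The two-stage check performed by the detection module (library lookup first, authorization second), together with the library refresh that precedes each detection, can be sketched as follows. This is an added Python example, not code from the patent; the record fields, function names, user-information categories and library contents are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CallRecord:
    function: str      # function under test that the hook observed
    user_info: str     # category of user information the call accessed
    stack: tuple       # captured call stack, kept so a finding can be traced

@dataclass(frozen=True)
class BehaviorLibrary:
    version: int
    behaviors: frozenset   # (function, user_info) pairs listed as malicious

def ensure_latest(library, platform_version, fetch_latest):
    """Swap in the platform's library when the local copy is out of date."""
    if library.version < platform_version:
        return fetch_latest()
    return library

def detect(records, library, authorized):
    """Apply the two-stage check; return (compliant, findings)."""
    findings = []
    for rec in records:
        if (rec.function, rec.user_info) in library.behaviors:
            reason = "listed in malicious behavior library"
        elif rec.user_info not in authorized:
            reason = "access not authorized by user"
        else:
            continue  # not listed and authorized: no finding
        findings.append({"function": rec.function, "user_info": rec.user_info,
                         "reason": reason, "stack": rec.stack})
    return (not findings, findings)

# Constructed sample data (hypothetical names, not from the patent).
LIB_V1 = BehaviorLibrary(1, frozenset({("upload_device_id", "device_id")}))
LIB_V2 = BehaviorLibrary(2, LIB_V1.behaviors | {("background_locate", "location")})
AUTHORIZED = {"location"}   # categories the user granted to the application
RECORDS = [
    CallRecord("show_map", "location", ("main", "on_click", "show_map")),
    CallRecord("background_locate", "location", ("timer", "background_locate")),
    CallRecord("sync_contacts", "contacts", ("main", "sync_contacts")),
]

def run(local_library, platform_version=2):
    """Refresh the library if stale, then run detection on the sample records."""
    library = ensure_latest(local_library, platform_version, lambda: LIB_V2)
    compliant, findings = detect(RECORDS, library, AUTHORIZED)
    return library.version, compliant, findings

if __name__ == "__main__":
    version, compliant, findings = run(LIB_V1)
    print("library version:", version, "| compliant:", compliant)
    for f in findings:
        print(f"  {f['function']} -> {f['user_info']}: {f['reason']}"
              f" via {' > '.join(f['stack'])}")
```

With the stale library, the authorized but listed `background_locate` call would pass unnoticed, which is why the version check runs before detection.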
In the several embodiments provided in the present application, the disclosed apparatus and method may be implemented in other manners. The apparatus embodiments described above are merely illustrative; for example, the flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
A fourth aspect of the present application provides a non-transitory electronic device readable storage medium including a program which, when executed by an electronic device, causes the electronic device to execute all or part of the flow of the application detection method of the first aspect of the present application and any of the embodiments thereof. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM), a flash memory, a hard disk drive (HDD), a solid-state drive (SSD), or the like. The storage medium may also comprise a combination of memories of the kinds described above.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored on a computer readable storage medium. Based on this understanding, the technical solution of the present application, in essence, or the part of it that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method of the embodiments of the present application. The aforementioned storage medium includes: a USB disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.
According to the application program detection method, device, equipment and storage medium described above, when the operation instruction of the application to be detected is received, the application to be detected is controlled to call the function to be detected, and the call record of the application to be detected for the function to be detected is obtained, the call record comprising the access record of the application to be detected for user information. Whether the application to be detected has malicious information access behaviors is detected by comparing the call record with the preset malicious behavior library of the function to be detected. This can effectively protect user information security, prevent privacy leakage, detect more accurately whether the application program has malicious behaviors, and provide a basis for later improvement of the application program's non-compliance problems.
Although embodiments of the present invention have been described in connection with the accompanying drawings, various modifications and variations may be made by those skilled in the art without departing from the spirit and scope of the invention, and such modifications and variations are within the scope of the invention as defined by the appended claims.
Claims (5)
1. An application detection method, comprising:
receiving an operation instruction of an application to be detected, wherein the operation instruction carries a function to be detected;
controlling the application to be detected to call the function to be detected;
acquiring a call record of the application to be detected on the function to be detected, wherein the call record comprises an access record of the application to be detected on user information; the calling record comprises a called function name to be detected, and the function name to be detected is used for representing an access record of the application to be detected to user information;
the obtaining the call record of the application to be detected to the function to be detected includes:
acquiring call stack information of the application to be detected on the function to be detected, taking the call stack information as the call record, and comprising the following steps: judging and hooking the function to be detected in the call stack information through a Hook technology, outputting the call stack information as a call log, and storing the call log into the call log so as to trace the whole process of malicious information access behavior after detection is completed;
according to the call record and a preset malicious behavior library of the function to be detected, detecting whether the application to be detected has malicious information access behaviors or not comprises the following steps: judging whether the access behavior of the application to be detected to the user information in the call record is in the preset malicious behavior library or not; when the access behavior of the application to be detected to the user information is in the preset malicious behavior library, determining that the malicious information access behavior exists in the calling behavior of the application to be detected to the function to be detected; receiving authorization information of a user for the application to be detected; when the access behavior of the application to be detected to the user information is not in the preset malicious behavior library, judging whether the access behavior of the application to be detected to the user information is authorized or not according to the authorization information; and when the access behavior of the to-be-detected application to the user information is not authorized, determining that malicious information access behaviors exist in the calling behavior of the to-be-detected application to the function to be detected.
2. The method according to claim 1, further comprising, after the detecting whether the malicious information access behavior exists in the application to be detected according to the call record and the preset malicious behavior library of the function to be detected:
and generating detection result information of the application to be detected, and outputting the detection result information.
3. An application detection apparatus, comprising:
the first receiving module receives an operation instruction of an application to be detected, wherein the operation instruction carries a function to be detected;
the control module is used for controlling the application to be detected to call the function to be detected;
the acquisition module is used for acquiring a call record of the application to be detected on the function to be detected, wherein the call record comprises an access record of the application to be detected on user information; the calling record comprises a called function name to be detected, and the function name to be detected is used for representing an access record of the application to be detected to user information;
the obtaining the call record of the application to be detected to the function to be detected includes:
acquiring call stack information of the application to be detected on the function to be detected, taking the call stack information as the call record, and comprising the following steps: judging and hooking the function to be detected in the call stack information through a Hook technology, outputting the call stack information as a call log, and storing the call log into the call log so as to trace the whole process of malicious information access behavior after detection is completed;
the detection module is used for detecting whether the application to be detected has malicious information access behaviors according to the call record and a preset malicious behavior library of the function to be detected;
the second receiving module is used for receiving the authorization information of the user on the application to be detected;
the detection module is used for: judging whether the access behavior of the application to be detected to the user information in the call record is in the preset malicious behavior library or not; when the access behavior of the application to be detected to the user information is in the preset malicious behavior library, determining that the malicious information access behavior exists in the calling behavior of the application to be detected to the function to be detected;
the detection module is also used for: when the access behavior of the application to be detected to the user information is not in the preset malicious behavior library, judging whether the access behavior of the application to be detected to the user information is authorized or not according to the authorization information; and when the access behavior of the to-be-detected application to the user information is not authorized, determining that malicious information access behaviors exist in the calling behavior of the to-be-detected application to the function to be detected.
4. An electronic device, the electronic device comprising:
a memory for storing a computer program;
a processor for executing the computer program for implementing the method according to claim 1 or 2.
5. A non-transitory electronic device-readable storage medium, comprising: a program which, when run by an electronic device, causes the electronic device to perform the method of claim 1 or 2.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111013803.7A CN113672902B (en) | 2021-08-31 | 2021-08-31 | Application program detection method, device, equipment and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111013803.7A CN113672902B (en) | 2021-08-31 | 2021-08-31 | Application program detection method, device, equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113672902A (en) | 2021-11-19 |
CN113672902B (en) | 2024-09-06 |
Family
ID=78547678
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111013803.7A Active CN113672902B (en) | 2021-08-31 | 2021-08-31 | Application program detection method, device, equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113672902B (en) |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105488398A (en) * | 2015-12-04 | 2016-04-13 | 北京航空航天大学 | Web application program behavior extraction method and malicious behavior detection method |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20110128632A (en) * | 2010-05-24 | 2011-11-30 | 충남대학교산학협력단 | Method and device for detecting malicious action of application program for smartphone |
CN103186740B (en) * | 2011-12-27 | 2015-09-23 | 北京大学 | A kind of automated detection method of Android malware |
CN104182688A (en) * | 2014-08-26 | 2014-12-03 | 北京软安科技有限公司 | Android malicious code detection device and method based on dynamic activation and behavior monitoring |
CN106845234A (en) * | 2017-01-05 | 2017-06-13 | 中国电子科技网络信息安全有限公司 | A kind of Android malware detection method based on the monitoring of function flow key point |
CN107506646B (en) * | 2017-09-28 | 2021-08-10 | 努比亚技术有限公司 | Malicious application detection method and device and computer readable storage medium |
CN109101815B (en) * | 2018-07-27 | 2023-04-07 | 平安科技(深圳)有限公司 | Malicious software detection method and related equipment |
Also Published As
Publication number | Publication date |
---|---|
CN113672902A (en) | 2021-11-19 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||