CN106933645A - An automatic static auditing system and method for Apk security risks - Google Patents
Publication number: CN106933645A (application CN201710030223.6A / CN201710030223A)
Authority: CN (China)
Prior art keywords: function, taint, apk, branch, path
Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Classifications
- G06F8/00 Arrangements for software engineering > G06F8/40 Transformation of program code > G06F8/53 Decompilation; Disassembly
- G06F8/00 Arrangements for software engineering > G06F8/40 Transformation of program code > G06F8/41 Compilation > G06F8/42 Syntactic analysis > G06F8/427 Parsing
- G06F8/00 Arrangements for software engineering > G06F8/40 Transformation of program code > G06F8/41 Compilation > G06F8/43 Checking; Contextual analysis
(Section G: Physics; G06: Computing, calculating or counting; G06F: Electric digital data processing)
Landscapes: Engineering & Computer Science; General Engineering & Computer Science; Theoretical Computer Science; Software Systems; Physics & Mathematics; General Physics & Mathematics; Management, Administration, Business Operations System, And Electronic Commerce
Abstract
The invention provides an automatic static auditing system and method for Apk security risks. The method comprises: step S101, decompiling the Apk to obtain AndroidManifest.xml, classes.dex and the resource files, and generating a basic function call graph from the Dalvik bytecode and the AndroidManifest.xml file; step S102, adding the Android library functions related to asynchronous calls and to the component life cycle into the basic call graph to obtain an extended function call graph; step S103, filtering the code paths in the extended call graph to obtain a set of suspicious paths that may contain taint-propagation behaviour; step S104, having a taint analyser simulate the execution of every bytecode instruction of the functions on the suspicious paths, performing taint analysis on a memory object model, and so accurately detecting tainted data and taint-propagation behaviour. The system and method can audit Apk applications for security comprehensively, quickly and efficiently, and are of strong practical value.
Description
Technical field
The invention relates to the field of mobile information security, and in particular to an automatic static auditing system and method for Apk security risks.
Background technology
With the growth of the mobile Internet, mobile terminal security is receiving more and more attention. The rapid development of the Android system in particular has made Android the largest mobile terminal platform in the world, with products covering set-top boxes, mobile phones, tablets and many other intelligent terminals that affect people's lives from every angle. These terminals are increasingly powerful, offering voice calls, data services, NFC and more, and Android devices have entered everyone's daily life through payment, lifestyle, map, entertainment and personal-information services. The number of APP users therefore keeps growing, and so do the security problems facing APP developers, operators and Android phone users. On the one hand, the skill of Android application developers is uneven, there is no unified coding standard, developers' own security awareness is weak, and developers may deliberately or inadvertently abuse permissions. On the other hand, some malicious actors deliberately build unsafe APPs, and some malicious code obtains elevated privileges by exploiting vulnerabilities in the system applications shipped by device manufacturers, further endangering users' privacy. Security auditing of Android source code and APP applications is therefore increasingly important.
In the prior art there are mainly two ways to audit Android applications:
The first relies on manual auditing: experienced developers walk through the code and write unit tests to find logical security flaws in the source and code that violates the programming standard, and testers perform manual penetration testing to find program errors and security vulnerabilities. Manual code auditing is costly and slow, depends on the skill of the developers and testers, and makes application quality hard to control.
The second collects the system log and the APP's run-time log, or decompiles and restores log information to obtain the original log; the original and run-time logs are merged into a final log, which is filtered against a white list of audit-log entries to determine the log information to be audited, and the audit of the Android application is then performed on that information. An example is the log auditing method for Android applications provided by patent publication CN105653943A. This approach depends on the operating system's logging module and the APP's run-time log; the volume of log data is large and highly redundant, so a great deal of complex analysis is needed before the malicious behaviour of an APP can be correctly identified, and the method cannot audit code conformance at all. It also requires the APP to be run, or test-run, for a relatively long time to collect enough log data before its behaviour can be audited with any completeness, so security problems are only found at run time. Such auditing systems therefore fall short in audit granularity, in the security of the audit itself, and in flexibility.
The content of the invention
In view of the above problems, the purpose of this patent is to design an automatic static auditing system and method for Apk security risks that can audit application security quickly and efficiently and has strong practical value.
The specific technical scheme of the invention is as follows:
An automatic static auditing method for Apk security risks comprises the following steps:
Step S101: decompile the Apk to obtain AndroidManifest.xml, classes.dex and the resource files; read its Dalvik bytecode and the AndroidManifest.xml file; using the AndroidManifest.xml file as the function entry, parse all function call instructions and generate a basic function call graph.
Step S102: add all Android library functions used in the Apk that have asynchronous call semantics or are related to the component life cycle into the basic function call graph, obtaining an extended function call graph.
Step S103: filter the code paths in the extended function call graph to obtain a set of suspicious paths that may contain taint-propagation behaviour.
Step S104: the taint analyser simulates the execution of every bytecode instruction of the functions on each suspicious path in the set, performs taint analysis on a memory object model, and accurately detects tainted data and taint-propagation behaviour.
Specifically, performing taint analysis on the memory object model further comprises:
when the taint analyser encounters an unknown conditional branch, i.e. a branch whose condition depends on an unknown value, it applies fuzzy rules to decide the control flow, dividing unknown conditional branches into three modes, unknown-value branch, infinite-loop branch and infinite-recursion branch, which are handled separately.
Specifically, dividing unknown conditional branches into the three modes of unknown-value branch, infinite-loop branch and infinite-recursion branch and handling them separately comprises:
for an unknown-value branch, reconstructing the context and returning to a known branch state;
for an infinite-loop branch, setting a maximum loop-iteration threshold p; when the count reaches p, the loop is left and the subsequent bytecode is executed;
for an infinite-recursion branch, setting a maximum recursion-depth threshold q; when the count reaches the maximum depth q, recursion stops and execution of the subsequent bytecode resumes.
Specifically, the method further comprises:
Step S105: output an audit report according to the detected tainted data and taint-propagation behaviour.
An automatic static auditing system for Apk security risks comprises a Web application server, a file server and an audit server, wherein:
the Web application server is used for user login and for sending the APK file of the application under test to the audit server;
the file server is used to store the APK file of the application under test;
the audit server is used to parse the APK file sent by the Web application server, decompile it into Dalvik bytecode and the AndroidManifest.xml file and, using the AndroidManifest.xml file as the function entry, parse all function call instructions to generate a basic function call graph; at the same time, add all Android library functions used in the Apk that have asynchronous call semantics or are related to the component life cycle into the basic call graph to obtain an extended function call graph; filter the code paths in the extended call graph to obtain a set of suspicious paths that may contain taint-propagation behaviour; and simulate the execution of the bytecode instructions of every function on the suspicious paths in that set, perform taint analysis on a memory object model, and accurately detect tainted data and taint-propagation behaviour.
Specifically, the extended function call graph contains all explicit and implicit control flows encountered while executing the Dalvik bytecode, and all code paths.
Specifically, the audit server comprises:
a parsing module, which parses the APK file of the application under test and decompiles it into Dalvik bytecode and the AndroidManifest.xml file;
a function call graph generation module, which uses the AndroidManifest.xml file as the function entry, parses all function call instructions to generate the basic function call graph, and at the same time adds all Android library functions used in the Apk that have asynchronous call semantics or are related to the component life cycle into the basic call graph to obtain the extended function call graph;
a filtering module, which filters the code paths in the extended function call graph to obtain the set of suspicious paths that may contain taint-propagation behaviour;
a taint analysis module, which simulates the execution of every bytecode instruction of the functions on the suspicious paths in that set, performs taint analysis on a memory object model, and accurately detects tainted data and taint-propagation behaviour.
Specifically, the taint analysis module further:
when it encounters an unknown conditional branch whose condition depends on an unknown value, applies fuzzy rules to decide the control flow, dividing unknown conditional branches into the three modes of unknown-value branch, infinite-loop branch and infinite-recursion branch and handling them separately.
Specifically, the audit server further comprises:
a security risk audit report module, which outputs an audit report according to the detected tainted data and taint-propagation behaviour.
Compared with the prior art, the automatic static auditing system and method provided by the invention can perform security audit analysis on an application quickly and efficiently. On the one hand they can audit many kinds of problem in application code: coding conformance, component exposure vulnerabilities, component privilege abuse, code execution vulnerabilities, cryptographic algorithm misuse, SSL bypass, weak encryption, code obfuscation, hard-coded passwords, improper use of dangerous APIs, SQL injection, leakage of sensitive or personal information, and insecure file storage. On the other hand, the system can scan application code in depth, finding non-standard code written by programmers and checking for the security problems above; this not only reduces the effort of application security testing but also finds vulnerabilities faster and earlier, and because it does not need the time a dynamic auditing system or method takes, audit efficiency is high and workload is reduced.
Brief description of the drawings
Embodiments of the invention are further illustrated with reference to the drawings, wherein:
Fig. 1 is a flow chart of the automatic static auditing method for Apk security risks of the invention;
Fig. 2 is a module diagram of the automatic static auditing system for Apk security risks of the invention;
Fig. 3 is a module diagram of the audit server of the automatic static auditing system for Apk security risks of the invention.
Specific embodiment
The invention is described in further detail below with reference to the drawings and a specific embodiment.
The invention proposes an automatic static auditing system and method for Apk security risks. The method builds on FlowDroid static taint analysis. When FlowDroid's taint analysis handles accesses to object fields or arrays it resolves the object and array reference problem by backward alias analysis, and its time complexity rises to O(n^2). On that basis this method introduces a memory object model and fuzzy branch analysis: the memory object model reduces the time complexity of handling object fields and arrays to O(n); functions related to asynchronous calls and to the Android application life cycle are brought into the scope of the audit, extending its coverage of the App; and fuzzy branch analysis resolves the unknown-value branch, infinite-loop branch and infinite-recursion branch problems encountered while filtering taint paths, improving both detection speed and accuracy.
Referring to Fig. 1, the present embodiment specifically includes the following steps:
Step S101: decompile the Apk to obtain AndroidManifest.xml, classes.dex and the resource files; read its Dalvik bytecode and the AndroidManifest.xml file; using the AndroidManifest.xml file as the function entry, parse all function call instructions and generate a basic function call graph.
Specifically, a registered user first logs in to the auditing system and uploads the APK file or ZIP file of the application to be audited. The auditing system then distributes audit tasks dynamically according to the task load of each audit server, so that when there are many tasks the load is balanced across the audit servers.
After an audit server receives an audit task it automatically begins auditing the APK or ZIP file. The server fetches the APK or ZIP file of the application under test, parses it, and calls the parsing module to decompile it into Dalvik bytecode, the AndroidManifest.xml file, the classes.dex file and the resource files, from which it extracts the permission list, component information, Smali files, Java files and so on. Because developers use different Android development tools the directory structure of the resource files varies slightly, but this does not affect the system's audit result for the application.
Then the application's Dalvik bytecode and AndroidManifest.xml file are read and, with AndroidManifest.xml as the function entry, a basic function call graph is generated from the call instructions contained in each function.
Step S102: add all Android library functions used in the Apk that have asynchronous call semantics or are related to the component life cycle into the basic function call graph, obtaining an extended function call graph.
Specifically, the functions provided by the Android library that are called asynchronously, together with the functions related to the component life cycle, are all added to the basic call graph to obtain the extended call graph. The extended call graph contains all explicit and implicit control flows encountered while executing the Dalvik bytecode, and so extends the coverage of the audit over sensitive-information-leak behaviour, i.e. taint-propagation behaviour.
A taint-propagation behaviour consists of a source API (src), a target API (target) and a code path (path) along which the information returned by src reaches target. A code path that may contain such behaviour is a suspicious path. For the security audit of an Android application, this method analyses exactly the code paths involved in taint-propagation behaviour.
The extended call graph contains all code paths and therefore all suspicious paths. In a real Android application the code paths related to security problems are usually only a very small part of the whole program, so only the code paths related to taint-propagation behaviour need to be audited.
Step S103: filter the code paths in the extended function call graph to obtain a set of suspicious paths that may contain taint-propagation behaviour.
Specifically, a lightweight API analysis selects the suspicious path set. Taint-propagation analysis starts by filtering the code paths in the extended call graph to choose a set of suspicious paths; every suspicious path consists of one or more functions, and every function contains a group of Dalvik bytecode instructions. Every suspicious path contains all code paths that directly or indirectly call from a source API (src) to a target API (target). The lightweight API analysis greatly reduces the amount of code-path analysis without changing the analysis result. The suspicious path set still needs further analysis to obtain the precise taint-propagation paths.
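The following is an added example, not code from the patent or from any auditing product it describes, that walks through steps S101 to S103 on a constructed input (the summary of the invention above lists the same three steps). The AndroidManifest.xml, the call edges standing in for the invoke instructions a classes.dex parser would extract, the lifecycle table, the asynchronous-callback table and the source/sink API lists are all constructed assumptions for the demonstration; real tooling would fill them from the decompiled bytecode and from a curated API list.

```python
# Added example (not the patent's code): toy versions of steps S101-S103.
# Manifest, call edges, lifecycle table and source/sink lists are constructed.
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed AndroidManifest.xml: one Activity and one exported Service.
MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application>
    <activity android:name=".MainActivity"/>
    <service android:name=".SyncService" android:exported="true"/>
  </application>
</manifest>"""

# Stand-in for the invoke-* edges a classes.dex parser would extract (caller -> callees).
CALL_EDGES = {
    "com.example.demo.MainActivity.onCreate": ["com.example.demo.MainActivity.readId"],
    "com.example.demo.MainActivity.readId": ["android.telephony.TelephonyManager.getDeviceId"],
    "com.example.demo.MainActivity.onResume": ["com.example.demo.Uploader.<init>"],
    # Uploader is an AsyncTask: nothing in the app calls doInBackground directly.
    "com.example.demo.Uploader.doInBackground": ["com.example.demo.Uploader.send"],
    "com.example.demo.Uploader.send": ["java.net.HttpURLConnection.getOutputStream"],
    "com.example.demo.SyncService.onStartCommand": ["android.util.Log.d"],
}
# Callbacks the framework invokes (S102): lifecycle methods per component kind and
# asynchronous callbacks reached from the constructor that schedules them.
LIFECYCLE = {"activity": ["onCreate", "onStart", "onResume", "onPause", "onDestroy"],
             "service": ["onCreate", "onStartCommand", "onDestroy"]}
ASYNC_CALLBACKS = {"com.example.demo.Uploader.<init>": ["com.example.demo.Uploader.doInBackground"]}
# Hypothetical lightweight source/sink API lists used by the filter (S103).
SOURCES = {"android.telephony.TelephonyManager.getDeviceId"}
SINKS = {"java.net.HttpURLConnection.getOutputStream", "android.util.Log.d"}

def parse_components(manifest_xml):
    """S101: [(kind, fully qualified class)] for every declared component."""
    root = ET.fromstring(manifest_xml)
    pkg, comps = root.get("package"), []
    for kind in ("activity", "service", "receiver", "provider"):
        for el in root.iter(kind):
            name = el.get(ANDROID_NS + "name")
            comps.append((kind, pkg + name if name.startswith(".") else name))
    return comps

def build_basic_call_graph(call_edges):
    """S101: explicit invoke edges only; roots are methods nothing in the app calls."""
    graph, called = defaultdict(set), set()
    for caller, callees in call_edges.items():
        graph[caller].update(callees)
        called.update(callees)
    return sorted(m for m in call_edges if m not in called), graph

def build_extended_call_graph(manifest_xml, call_edges):
    """S102: add the implicit edges the framework creates: a synthetic entry node per
    component calling the lifecycle methods the app implements, plus async callbacks."""
    _, graph = build_basic_call_graph(call_edges)
    entries = []
    for kind, cls in parse_components(manifest_xml):
        entry = f"<entry:{cls}>"
        entries.append(entry)
        graph[entry].update(f"{cls}.{cb}" for cb in LIFECYCLE.get(kind, [])
                            if f"{cls}.{cb}" in call_edges)
    for ctor, callbacks in ASYNC_CALLBACKS.items():
        graph[ctor].update(callbacks)
    return entries, graph

def enumerate_paths(graph, start, targets):
    """All cycle-free call paths from start to any method in targets (DFS)."""
    found, stack = [], [[start]]
    while stack:
        path = stack.pop()
        if path[-1] in targets:
            found.append(path)
            continue
        stack.extend(path + [nxt] for nxt in sorted(graph.get(path[-1], ())) if nxt not in path)
    return found

def filter_suspicious_paths(entries, graph, sources, sinks):
    """S103: keep only entries from which both a source and a sink are reachable."""
    suspicious = {}
    for entry in entries:
        src_paths, sink_paths = enumerate_paths(graph, entry, sources), enumerate_paths(graph, entry, sinks)
        if src_paths and sink_paths:
            suspicious[entry] = {"sources": src_paths, "sinks": sink_paths}
    return suspicious

if __name__ == "__main__":
    roots, basic = build_basic_call_graph(CALL_EDGES)
    print("basic graph:", filter_suspicious_paths(roots, basic, SOURCES, SINKS))
    entries, extended = build_extended_call_graph(MANIFEST, CALL_EDGES)
    for entry, paths in filter_suspicious_paths(entries, extended, SOURCES, SINKS).items():
        print(entry, *(" -> ".join(p) for p in paths["sources"] + paths["sinks"]), sep="\n  ")
```

Run it and the basic graph yields no suspicious path: the AsyncTask's doInBackground is an orphan root, so the filter cannot connect the getDeviceId source in onCreate with the network sink it eventually feeds. The extended graph joins both under the MainActivity entry, which is exactly the coverage gain step S102 claims. The filter is deliberately coarse: it keeps every component from which both a source and a sink are reachable, and leaves proving that the source's data actually reaches the sink to the taint analysis of step S104.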
Step S104: the taint analyser simulates the execution of every bytecode instruction of the functions on each suspicious path in the set, constructs a memory object model for the bytecode instructions of every suspicious-path function, performs taint analysis on the memory object model, and accurately detects tainted data and taint-propagation behaviour.
Specifically, taint analysis is performed on a memory object model. The taint analyser simulates the execution of the bytecode instructions of every suspicious-path function in the set. During execution it first creates a context for each suspicious code path and adds the type information of objects into memory, so that the memory objects in the global state and the local state of the target code path are represented effectively; in this way a memory object model is constructed for every bytecode instruction of the suspicious-path functions. The taint state of a memory object propagates: any object derived by an operation on an object that carries taint state carries the same taint state.
The detailed procedure of taint analysis on the memory object model is as follows:
(a) First, the memory object model is loaded into the taint analyser, so that the memory objects in the global state and the local state of the target code path are represented effectively; then the taint analyser executes the bytecode of the target function under a set of execution rules, and enters fuzzy analysis mode when it meets an unknown value that it cannot analyse.
(b) When the taint analyser meets an unknown conditional branch, i.e. a branch on an unknown value, it applies fuzzy rules to decide the control flow: the software security code profiler traverses the AST and finds the control statements, including if-else, while, do-while, for and switch. Unknown conditional branches are divided into three kinds: unknown-value branches, infinite loops and infinite recursion.
(c) The three kinds of unknown conditional branch are handled separately: for an unknown-value branch the context is reconstructed and the analyser returns to a known branch state; for an infinite-loop branch a maximum loop-iteration threshold p is set, and when the count reaches p the loop is left and the subsequent bytecode is executed; for infinite recursion a maximum recursion-depth threshold q is set, and when the count reaches the maximum depth q recursion stops and execution of the subsequent bytecode resumes.
(d) The taint analyser represents the taint information of known values, unknown values and memory objects effectively, and accurately detects tainted data and taint-propagation behaviour.
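The following is an added example, not the patent's own analyser, that shows steps (a) to (d) above on a hand-written Dalvik-like register IR (the same fuzzy-branch rules appear in the summary of the invention and in claims 2 and 3). The instruction set, the program, the taint label "IMEI" and the concrete values chosen for the thresholds p and q are all constructed assumptions. Objects live in a heap keyed by object id, so taint stored through one register alias is visible through another, which is the role the memory object model plays here; an unknown conditional branch is handled by snapshotting the registers, heap and loop counters, exploring the taken side, and restoring the snapshot before falling through; backward jumps and recursive calls are cut off at p and q.

```python
# Added example (not the patent's analyser): taint analysis over a memory object
# model with the fuzzy-branch rules of step S104, on a constructed Dalvik-like IR.
import copy

P_MAX_LOOP, Q_MAX_DEPTH = 8, 4   # thresholds p and q; the values are assumed

class _Unknown:                  # sentinel for a value the analyser cannot know
    def __deepcopy__(self, memo): return self
UNKNOWN = _Unknown()

class Val:                       # concrete value (or UNKNOWN) plus taint labels
    def __init__(self, conc, taint=()):
        self.conc, self.taint = conc, frozenset(taint)

class TaintAnalyzer:
    def __init__(self, program):
        self.prog = program      # {method: [instruction tuples]}
        self.heap = {}           # memory object model: object id -> {field: Val}
        self.leaks = set()       # (method, pc, taint labels) that reached a sink
        self.max_depth = 0
        self.loop_cutoffs = 0

    def run(self, method, args=()):
        return self._exec(method, 0, {f"v{i}": a for i, a in enumerate(args)}, {}, 0)

    def _jump(self, loops, pc, target):   # backward jumps are counted per target
        if target <= pc:
            loops[target] = loops.get(target, 0) + 1
            if loops[target] >= P_MAX_LOOP:   # at p: leave the loop instead
                self.loop_cutoffs += 1
                return pc + 1
        return target

    def _exec(self, method, pc, regs, loops, depth):
        self.max_depth = max(self.max_depth, depth)
        if depth > Q_MAX_DEPTH:          # infinite recursion: stop, let the caller go on
            return Val(UNKNOWN)
        code = self.prog[method]
        while pc < len(code):
            op, *a = code[pc]
            if op == "const": regs[a[0]] = Val(a[1])
            elif op == "source": regs[a[0]] = Val(UNKNOWN, {a[1]})   # tainted, value unknown
            elif op == "new": oid = len(self.heap); self.heap[oid] = {}; regs[a[0]] = Val(oid)
            elif op == "move": regs[a[0]] = regs[a[1]]                # register alias
            elif op == "iput": self.heap[regs[a[0]].conc][a[1]] = regs[a[2]]   # taint into heap
            elif op == "iget": regs[a[0]] = self.heap[regs[a[1]].conc].get(a[2], Val(UNKNOWN))
            elif op == "binop":              # derived values inherit both taint sets
                x, y = regs[a[1]], regs[a[2]]
                conc = UNKNOWN if UNKNOWN in (x.conc, y.conc) else x.conc + y.conc
                regs[a[0]] = Val(conc, x.taint | y.taint)
            elif op == "invoke":
                args = {f"v{i}": regs[r] for i, r in enumerate(a[2:])}
                regs[a[0]] = self._exec(a[1], 0, args, {}, depth + 1)
            elif op == "sink":
                if regs[a[0]].taint: self.leaks.add((method, pc, regs[a[0]].taint))
            elif op == "if_eqz":
                c = regs[a[0]].conc
                if c is UNKNOWN:             # unknown-value branch: explore the taken side
                    snap = copy.deepcopy((regs, self.heap, loops))   # on the live state,
                    target = self._jump(loops, pc, a[1])             # then reconstruct the
                    if target != pc + 1:                             # context and fall
                        self._exec(method, target, regs, loops, depth)   # through
                    regs, self.heap, loops = snap
                elif c == 0:
                    pc = self._jump(loops, pc, a[1]); continue
            elif op == "return": return regs[a[0]] if a else Val(None)
            pc += 1
        return Val(None)

# Constructed program: getDeviceId() is the source, Log.d and a socket write the
# sinks; the Holder object is reached through two register aliases.
PROGRAM = {
    "main": [
        ("source", "v0", "IMEI"),         # 0  v0 = TelephonyManager.getDeviceId()
        ("new", "v1"),                    # 1  v1 = new Holder()
        ("move", "v2", "v1"),             # 2  v2 aliases the same object
        ("iput", "v1", "id", "v0"),       # 3  v1.id = v0
        ("if_eqz", "v0", 7),              # 4  branch on an unknown (tainted) value
        ("iget", "v4", "v2", "id"),       # 5  read it back through the alias
        ("sink", "v4"),                   # 6  Log.d(v4): leak
        ("const", "v5", 0),               # 7
        ("const", "v6", 1),               # 8
        ("binop", "v5", "v5", "v6"),      # 9  loop body: v5 += 1
        ("if_eqz", "v0", 9),              # 10 unknown loop condition: bounded by p
        ("invoke", "v7", "recur", "v0"),  # 11 v7 = recur(v0)
        ("sink", "v7"),                   # 12 socket write: leak if recur keeps the taint
        ("return",),                      # 13
    ],
    "recur": [
        ("invoke", "v1", "recur", "v0"),  # 0  unconditional self-call: bounded by q
        ("binop", "v2", "v0", "v1"),      # 1  mixes the tainted argument into the result
        ("return", "v2"),                 # 2
    ],
}

def find_leaks(program, entry="main"):
    """Run the analyser on program and return it together with its sorted leaks."""
    an = TaintAnalyzer(program)
    an.run(entry)
    return an, sorted((m, pc, tuple(sorted(t))) for m, pc, t in an.leaks)

if __name__ == "__main__": print(find_leaks(PROGRAM)[1])
```

Both sinks are reported: the Log.d at pc 6 receives the IMEI read back through the alias v2, and the write at pc 12 receives it through the recursive call that the depth limit q stopped at depth 5 while still returning a tainted result. Without p the unknown loop condition at pc 10 would fork forever, and without q the recursion would never return; the price is that whatever the cut-off skipped is not analysed, so p and q trade completeness for termination.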
Step S105: output an audit report according to the detected tainted data and taint-propagation behaviour.
Specifically, after the taint analyser has detected the tainted data and taint-propagation behaviour, the security risk audit module (xhtml2pdf) is called to generate the PDF audit report.
Based on the above method, the automatic static auditing system for Apk security risks of the invention performs its static audit analysis before the application is installed, so it introduces no run-time overhead and does not affect the user after the application is installed. The average audit analysis time for a single sample is tens of seconds, and because the system can be configured with several audit analysis servers, several samples can be audited at the same time.
Referring to Fig. 2, the system includes a Web application server, a file server and an audit server.
First, a user logs in to the static auditing Web application service system and uploads an APK file or ZIP archive to the file server through the Web application service system. Second, the Web application service system automatically distributes audit tasks, together with the APK files or ZIP archives they need, to the audit servers in a balanced way; because several audit servers can be deployed, audit tasks can be load-balanced. Finally, the audit servers perform the audit tasks automatically and return the results to the Web application service system. Wherein:
the Web application server is used for user login and for sending the APK file or ZIP file of the application under test to the audit server; the file server is used to store the APK file or ZIP file of the application under test;
the audit server is used to parse the APK file sent by the Web application server, decompile it into Dalvik bytecode and the AndroidManifest.xml file and, using the AndroidManifest.xml file as the function entry, parse all function call instructions to generate a basic function call graph; at the same time, add all Android library functions used in the Apk that have asynchronous call semantics or are related to the component life cycle into the basic call graph to obtain an extended function call graph; filter the code paths in the extended call graph to obtain a set of suspicious paths that may contain taint-propagation behaviour; and simulate the execution of the bytecode instructions of every function on the suspicious paths in that set, perform taint analysis on a memory object model, and accurately detect tainted data and taint-propagation behaviour.
Specifically, the extended function call graph contains all explicit and implicit control flows encountered while executing the Dalvik bytecode, and all code paths.
Specifically, referring to Fig. 3, the audit server comprises:
a parsing module, which parses the APK file or ZIP file of the application under test and decompiles it into Dalvik bytecode and the AndroidManifest.xml file;
a function call graph generation module, which uses the AndroidManifest.xml file as the function entry, parses all function call instructions to generate the basic function call graph, and at the same time adds all Android library functions used in the Apk that have asynchronous call semantics or are related to the component life cycle into the basic call graph to obtain the extended function call graph;
a filtering module, which filters the code paths in the extended function call graph to obtain the set of suspicious paths that may contain taint-propagation behaviour;
a taint analysis module, which simulates the execution of every bytecode instruction of the functions on the suspicious paths in that set, constructs a memory object model for the bytecode instructions of every suspicious-path function, and accurately detects tainted data and taint-propagation behaviour.
Specifically, the taint analysis module further:
when it encounters an unknown conditional branch whose condition depends on an unknown value, applies fuzzy rules to decide the control flow, dividing unknown conditional branches into the three modes of unknown-value branch, infinite-loop branch and infinite-recursion branch and handling them separately.
Specifically, the audit server further comprises:
a security risk audit report module, which outputs an audit report according to the detected tainted data and taint-propagation behaviour.
The specific embodiment of the invention described above is not intended to limit the scope of the invention. Any other corresponding change or variation made according to the technical concept of the invention shall fall within the scope of protection of the claims of the invention.
Claims (9)
1. a kind of Apk security risks automatic Static auditing method, it is characterised in that comprise the following steps:
Step S101, decompiling goes out AndroidManifest.xml, classes.dex and resource file of Apk, reads it
Dalvik bytecodes and AndroidManifest.xml files, are entered using the AndroidManifest.xml files as function
The all of function call instruction of mouth parsing simultaneously generates basic function calling figure;
Step S102, the related function of the call function with asynchronous nature that will be used in Apk, life cycle
Android storehouses are all added in the basic function calling figure, and be expanded function call graph;
Step S103, filters to the code path in the spread function calling figure, obtains comprising possible dirt point data
Broadcast the suspect path set of behavior;
Step S104, stain analyzer is simulated to every byte code instruction of suspect path function in the set of suspect path and holds
OK, stain analysis is carried out based on memory object model, and accurately detects stain data message and stain data dissemination behavior.
2. Apk security risks automatic Static auditing method according to claim 1, it is characterised in that described based on interior
Depositing object model carries out stain analysis, further includes:
When stain analyzer runs into the unknown condition branch comprising unknown-value, introduce fuzzy rule to be controlled determining for stream
Plan, is divided into unknown condition branch unknown-value branch, Infinite Cyclic branch and infinite recursion branch Three models and carries out respectively
Treatment.
3. Apk security risks automatic Static auditing method according to claim 2, it is characterised in that it is described will be unknown
Conditional branching is divided into unknown-value branch, Infinite Cyclic branch and infinite recursion branch Three models and is respectively processed, specifically
Including:
Unknown-value branch reconstruction context environmental, returns to known branches state;
Infinite Cyclic branch establishing circulates maximum times threshold values p, when counting reaches p, jumps out circulation, continues executing with subsequent byte
Code;
Infinite recursion sets recurrence depth capacity threshold values q, when counting reaches depth capacity q, stops recurrence, recovers subsequent byte
Code is performed.
4. Apk security risks automatic Static auditing method according to claim 1, it is characterised in that methods described is also
Including:
Step S105, according to the stain data message and stain data dissemination behavior outcome of detection, exports examining report.
5. An APK security risk automatic static auditing system, characterised by including a Web application server, a file server and an audit server; wherein:
the Web application server is used for user login and for sending the APK file of the application under test to the audit server;
the file server is used to store the APK file of the application under test;
the audit server is used to parse the APK file sent by the Web application server, decompile it into Dalvik bytecode and the AndroidManifest.xml file, and, taking the AndroidManifest.xml file as the function entry point, parse all function call instructions to generate a basic function call graph; at the same time, the Android library functions used in the APK that have asynchronous callback characteristics or are related to the component life cycle are all added to the basic function call graph to obtain an extended function call graph; the code paths in the extended function call graph are filtered to obtain a suspect path set containing possible taint data propagation behaviour; and the bytecode instructions of every suspect path function in the suspect path set are executed by simulation, taint analysis is carried out on a memory object model, and taint data information and taint data propagation behaviour are accurately detected.
6. The APK security risk automatic static auditing system according to claim 5, characterised in that the extended function call graph contains all explicit and implicit control flows and all code paths encountered during execution of the Dalvik bytecode.
7. The APK security risk automatic static auditing system according to claim 5, characterised in that the audit server includes:
a parsing module, for parsing the APK file of the application under test and decompiling it into Dalvik bytecode and the AndroidManifest.xml file;
a function call graph generation module, for parsing all function call instructions with the AndroidManifest.xml file as the function entry point to generate a basic function call graph; at the same time, the Android library functions used in the APK that have asynchronous callback characteristics or are related to the component life cycle are all added to the basic function call graph to obtain an extended function call graph;
a filtering module, for filtering the code paths in the extended function call graph to obtain a suspect path set containing possible taint data propagation behaviour;
a taint analysis module, for executing by simulation the bytecode instructions of every suspect path function in the suspect path set, carrying out taint analysis on a memory object model, and accurately detecting taint data information and taint data propagation behaviour.
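The call-graph extension and suspect-path filtering described in claims 5 and 7, as an added example that is not the patent's own code. The class, method and API names, the lifecycle and asynchronous callback edges, and the taint source and sink sets are constructed assumptions.

```python
# Constructed explicit invoke-* edges as recovered from the decompiled Dalvik bytecode.
BASIC_CALLS = {
    "MainActivity.onCreate": ["MainActivity.loadId", "Uploader.<init>"],
    "MainActivity.loadId": ["TelephonyManager.getDeviceId"],
    "Uploader.doInBackground": ["SmsManager.sendTextMessage"],
    "MainActivity.onPause": ["Log.d"],
}
MANIFEST_ENTRIES = ["MainActivity"]       # components declared in AndroidManifest.xml
# Implicit edges supplied by the Android framework rather than by invoke-* instructions:
LIFECYCLE = {"MainActivity": ["MainActivity.onCreate", "MainActivity.onPause"]}
ASYNC = {"Uploader.<init>": ["Uploader.doInBackground"]}  # AsyncTask.execute() -> doInBackground
SOURCES = {"TelephonyManager.getDeviceId"}  # assumed taint source
SINKS = {"SmsManager.sendTextMessage"}      # assumed taint sink

def extended_call_graph(include_async=True):
    """Basic call graph rooted at the manifest entry points plus lifecycle/async edges."""
    g = {k: list(v) for k, v in BASIC_CALLS.items()}
    for comp in MANIFEST_ENTRIES:
        g.setdefault(comp, []).extend(LIFECYCLE.get(comp, []))
    if include_async:
        for caller, callbacks in ASYNC.items():
            g.setdefault(caller, []).extend(callbacks)
    return g

def reaches(g, node, targets, seen=None):
    """True if some target is transitively callable from node."""
    seen = set() if seen is None else seen
    if node in targets:
        return True
    seen.add(node)
    return any(reaches(g, n, targets, seen) for n in g.get(node, []) if n not in seen)

def paths_to(g, node, targets, path=()):
    """Simple paths from node to any target (DFS, cycles cut)."""
    path = path + (node,)
    if node in targets:
        yield list(path)
        return
    for nxt in g.get(node, []):
        if nxt not in path:
            yield from paths_to(g, nxt, targets, path)

def suspect_paths(g):
    """Filter: keep entry -> sink paths on which some function also reaches a source."""
    return [p for entry in MANIFEST_ENTRIES for p in paths_to(g, entry, SINKS)
            if any(reaches(g, n, SOURCES) for n in p)]
```

Without the asynchronous callback edge the sink is unreachable from the manifest entry point and the suspect set is empty, which is why the extended graph is built before the paths are filtered.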
8. The APK security risk automatic static auditing system according to claim 5, characterised in that the taint analysis module further includes:
when an unknown conditional branch containing an unknown value is encountered, introducing fuzzy rules to make the control-flow decision, and dividing unknown conditional branches into three types, unknown-value branches, infinite-loop branches and infinite-recursion branches, each of which is handled separately.
9. The APK security risk automatic static auditing system according to claim 5, characterised in that the audit server further includes:
a security risk audit report module, for outputting an audit report according to the detected taint data information and taint data propagation behaviour results.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710030223.6A CN106933645A (en) | 2017-01-17 | 2017-01-17 | A kind of Apk security risks automatic Static auditing system and method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106933645A true CN106933645A (en) | 2017-07-07 |
Family
ID=59444701
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710030223.6A Pending CN106933645A (en) | 2017-01-17 | 2017-01-17 | A kind of Apk security risks automatic Static auditing system and method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106933645A (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110093955A1 (en) * | 2009-10-19 | 2011-04-21 | Bank Of America Corporation | Designing security into software during the development lifecycle |
US20130097706A1 (en) * | 2011-09-16 | 2013-04-18 | Veracode, Inc. | Automated behavioral and static analysis using an instrumented sandbox and machine learning classification for mobile security |
CN103984900A (en) * | 2014-05-19 | 2014-08-13 | 南京赛宁信息技术有限公司 | Android application vulnerability detection method and Android application vulnerability detection system |
CN104834858A (en) * | 2015-04-24 | 2015-08-12 | 南京邮电大学 | Method for statically detecting malicious code in android APP (Application) |
US20150242636A1 (en) * | 2014-02-25 | 2015-08-27 | The Board Of Regents, The University Of Texas System | Systems and methods for automated detection of application vulnerabilities |
US9454659B1 (en) * | 2014-08-15 | 2016-09-27 | Securisea, Inc. | Software vulnerabilities detection system and methods |
2017
- 2017-01-17 CN CN201710030223.6A patent/CN106933645A/en active Pending
Non-Patent Citations (3)
Title |
---|
何欣峰: "Analysis and exploration of security threats in software design", 《无线互联科技》 * |
汤俊伟等: "Static mining techniques for Android application software vulnerabilities", 《华中科技大学学报(自然科学版)》 * |
王允超等: "Detection method for Intent injection vulnerabilities in Android applications based on static taint analysis", 《计算机科学》 * |
Cited By (22)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110197072A (en) * | 2018-06-04 | 2019-09-03 | 腾讯科技(深圳)有限公司 | The method of excavation and system of software security flaw, storage medium and computer equipment |
CN110197072B (en) * | 2018-06-04 | 2023-03-21 | 腾讯科技(深圳)有限公司 | Method and system for discovering software security vulnerability, storage medium and computer equipment |
CN109542509A (en) * | 2018-11-13 | 2019-03-29 | 北京梆梆安全科技有限公司 | A kind of risk checking method and device of resource file |
CN111045679A (en) * | 2019-01-09 | 2020-04-21 | 国家计算机网络与信息安全管理中心 | SQL injection detection and defense method, device and storage medium |
CN111045679B (en) * | 2019-01-09 | 2024-02-23 | 国家计算机网络与信息安全管理中心 | SQL injection detection and defense method, SQL injection detection and defense device and storage medium |
CN109901841B (en) * | 2019-03-01 | 2022-02-18 | 太仓市同维电子有限公司 | Method for displaying method calling relation diagram during viewing of java byte codes |
CN109901841A (en) * | 2019-03-01 | 2019-06-18 | 太仓市同维电子有限公司 | A method of display methods call graph when checking java bytecode |
CN112711424B (en) * | 2019-10-25 | 2024-06-11 | 腾讯科技(深圳)有限公司 | Method and device for determining risk problems of application program and storage medium |
CN112711424A (en) * | 2019-10-25 | 2021-04-27 | 腾讯科技(深圳)有限公司 | Application risk problem determination method and device and storage medium |
CN110826068A (en) * | 2019-11-01 | 2020-02-21 | 海南车智易通信息技术有限公司 | Safety detection method and safety detection system |
CN111666218A (en) * | 2020-06-08 | 2020-09-15 | 北京字节跳动网络技术有限公司 | Code auditing method and device, electronic equipment and medium |
CN113835718A (en) * | 2020-06-23 | 2021-12-24 | 北京字节跳动网络技术有限公司 | Android application package generation method and device, terminal device and medium |
CN111984963B (en) * | 2020-07-31 | 2022-05-20 | 厦门安胜网络科技有限公司 | Method and apparatus for bypassing self-signed certificate verification |
CN111984963A (en) * | 2020-07-31 | 2020-11-24 | 厦门安胜网络科技有限公司 | Method and device for bypassing self-signed certificate verification |
CN111966718B (en) * | 2020-09-09 | 2024-03-15 | 支付宝(杭州)信息技术有限公司 | System and method for data propagation tracking of application systems |
CN111966718A (en) * | 2020-09-09 | 2020-11-20 | 支付宝(杭州)信息技术有限公司 | System and method for data propagation tracking of application systems |
CN113206849B (en) * | 2021-04-29 | 2022-12-20 | 杭州安恒信息安全技术有限公司 | Vulnerability scanning method and device based on ghidra and related equipment |
CN113206849A (en) * | 2021-04-29 | 2021-08-03 | 杭州安恒信息安全技术有限公司 | Vulnerability scanning method and device based on ghidra and related equipment |
CN113609481A (en) * | 2021-06-02 | 2021-11-05 | 西安四叶草信息技术有限公司 | Byte code-based PHP taint analysis method and device |
CN113609481B (en) * | 2021-06-02 | 2024-01-30 | 西安四叶草信息技术有限公司 | PHP (phase-shift register) taint analysis method and device based on byte codes |
CN116340942A (en) * | 2023-03-01 | 2023-06-27 | 软安科技有限公司 | Function call graph construction method based on object propagation graph and pointer analysis |
CN116340942B (en) * | 2023-03-01 | 2024-04-30 | 软安科技有限公司 | Function call graph construction method based on object propagation graph and pointer analysis |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106933645A (en) | A kind of Apk security risks automatic Static auditing system and method | |
Afonso et al. | Going native: Using a large-scale analysis of android apps to create a practical native-code sandboxing policy | |
CN103577324B (en) | Static detection method for privacy information disclosure in mobile applications | |
CN105653956B (en) | Android malware classification method based on dynamic behaviour dependency graph | |
Yang et al. | Leakminer: Detect information leakage on android with static taint analysis | |
CN104834859B (en) | The dynamic testing method of malicious act in a kind of Android applications | |
CN111639337B (en) | Unknown malicious code detection method and system for massive Windows software | |
CN105893848A (en) | Precaution method for Android malicious application program based on code behavior similarity matching | |
CN106778266A (en) | A kind of Android Malware dynamic testing method based on machine learning | |
CN104331663B (en) | Web shell detection method and web server | |
Kim et al. | Software vulnerability detection methodology combined with static and dynamic analysis | |
CN106570399A (en) | Method for detecting privacy leakage across app components | |
CN112688966A (en) | Webshell detection method, device, medium and equipment | |
Martín et al. | A new tool for static and dynamic Android malware analysis | |
CN109933977A (en) | A kind of method and device detecting webshell data | |
CN108710798B (en) | Detection method for collusion behavior between Android third-party libraries | |
Chen et al. | Automatic privacy leakage detection for massive android apps via a novel hybrid approach | |
Talukder et al. | Droidpatrol: a static analysis plugin for secure mobile software development | |
Zuo | Defense of Computer Network Viruses Based on Data Mining Technology. | |
CN111309589A (en) | Code security scanning system and method based on code dynamic analysis | |
KR101557455B1 (en) | Application Code Analysis Apparatus and Method For Code Analysis Using The Same | |
CN103971055B (en) | A kind of Android malware detection method based on program slicing technique | |
Canbay et al. | Detection of mobile applications leaking sensitive data | |
CN105787369B (en) | Android software safety analytical method based on slice measurement | |
CN114792006B (en) | LSTM-based android cross-application collusion security analysis method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |
Application publication date: 20170707