CN109598146B - Privacy risk assessment method and device - Google Patents


Publication number
CN109598146B
Authority
CN
China
Prior art keywords
privacy
application
version
evaluated
needing
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811497292.9A
Other languages
Chinese (zh)
Other versions
CN109598146A (en
Inventor
贾志军
王磊
易珍珍
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN201811497292.9A
Publication of CN109598146A
Application granted
Publication of CN109598146B

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245: Protecting personal data, e.g. for financial or medical purposes

Landscapes

  • Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Databases & Information Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Medical Informatics (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiments of the application disclose a privacy risk assessment method and device. One embodiment of the method comprises: detecting one or more of the following items for the version of the application that needs to be evaluated, to obtain a privacy risk detection result for that version: the security of private data, the comprehensiveness of the information associated with privacy permissions that is notified to users of the application, and the consistency between the privacy permission application situation and the privacy permission notification situation, where a privacy permission is a permission to acquire the private data of users of the application; and generating a privacy risk evaluation result for that version based on its privacy risk detection result. By detecting the privacy risks of multiple versions of the application, the security of those versions with respect to users' private data is evaluated and a privacy risk evaluation result is obtained, so that the security of the multiple versions of the application with respect to users' private data can be known.

Description

Privacy risk assessment method and device
Technical Field
The application relates to the field of computers, in particular to the field of security, and particularly relates to a privacy risk assessment method and device.
Background
Privacy risks, such as an application illegally obtaining the user's private data, not only cause the user's private data to be leaked but also cause many security problems. However, because there is no means of evaluating the security of an application with respect to the user's private data, the user cannot know how secure the application is in that respect.
Disclosure of Invention
The embodiment of the application provides a privacy risk assessment method and device.
In a first aspect, an embodiment of the present application provides a privacy risk assessment method, including: detecting one or more of the following items for the version of the application that needs to be evaluated, to obtain a privacy risk detection result for that version: the security of private data, the comprehensiveness of the information associated with privacy permissions that is notified to users of the application, and the consistency between the privacy permission application situation and the privacy permission notification situation, where a privacy permission is a permission to acquire the private data of users of the application; and generating a privacy risk evaluation result for that version based on its privacy risk detection result.
In a second aspect, an embodiment of the present application provides a privacy risk assessment apparatus, including: a detection unit configured to detect one or more of the following items for the version of the application that needs to be evaluated, to obtain a privacy risk detection result for that version: the security of private data, the comprehensiveness of the information associated with privacy permissions that is notified to users of the application, and the consistency between the privacy permission application situation and the privacy permission notification situation, where a privacy permission is a permission to acquire the private data of users of the application; and an evaluation unit configured to generate a privacy risk evaluation result for that version based on its privacy risk detection result.
According to the privacy risk assessment method and device provided by the embodiments of the application, a privacy risk detection result for the version of the application that needs to be evaluated is obtained by detecting one or more of the following items for that version: the security of private data, the comprehensiveness of the information associated with privacy permissions that is notified to users of the application, and the consistency between the privacy permission application situation and the privacy permission notification situation, where a privacy permission is a permission to acquire the private data of users of the application; and a privacy risk evaluation result for that version is generated based on its privacy risk detection result. By detecting the privacy risks of multiple versions of the application, the security of those versions with respect to users' private data is evaluated and a privacy risk evaluation result is obtained, so that the security of the multiple versions of the application with respect to users' private data is known.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the detailed description of non-limiting embodiments made with reference to the following drawings:
FIG. 1 illustrates an exemplary system architecture suitable for use in implementing embodiments of the present application;
FIG. 2 illustrates a flow diagram of one embodiment of a privacy risk assessment method according to the present application;
FIG. 3 shows a flow diagram of another embodiment of a privacy risk assessment method according to the present application;
FIG. 4 shows a schematic structural diagram of one embodiment of a privacy risk assessment apparatus according to the present application;
FIG. 5 is a schematic block diagram of a computer system suitable for use to implement a server according to embodiments of the present application.
Detailed Description
The present application will be described in further detail with reference to the following drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the relevant invention and not restrictive of the invention. It should be noted that, for convenience of description, only the portions related to the present invention are shown in the drawings.
It should be noted that, in the present application, the embodiments and features of the embodiments may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
FIG. 1 illustrates an exemplary system architecture suitable for use to implement embodiments of the present application.
As shown in fig. 1, the system architecture may include a terminal 101, a network 102, and a server 103. The network 102 may be a wired network or a wireless network.
The terminal 101 may be a smart device, a smart phone, a tablet computer, or a vehicle-mounted terminal. Monitoring code may run on the terminal 101. The monitoring code monitors the operations associated with acquiring private data that are executed when the code of the version of the application that needs to be evaluated is loaded and run on the terminal 101, and the operations associated with acquiring private data that are executed when a plug-in associated with that version is loaded and run. The monitoring code can be used to determine the privacy permissions that the version of the application that needs to be evaluated can use and the privacy permissions that the plug-ins associated with that version can use. A plug-in associated with the version of the application that needs to be evaluated may be referred to as an SDK (Software Development Kit) associated with that version. The SDK associated with the version of the application that needs to be evaluated may be an SDK provided by the provider of the application or an SDK provided by a third party other than the provider of the application.
The terminal 101 may send the determined privacy permission usable by the version of the application requiring evaluation and the determined privacy permission usable by the SDK associated with the version of the application requiring evaluation to the server 103, so that the server 103 may determine the privacy permission usable by the version of the application requiring evaluation and the privacy permission usable by the SDK associated with the version of the application requiring evaluation.
The server 103 may obtain data related to evaluating the privacy risk of the version of the application that needs to be evaluated from a server that stores the installation package of each version of the application, for example, the installation package of the version that needs to be evaluated and the user privacy permission agreement of that version. The server 103 may analyze this data to obtain information related to evaluating the privacy risk, such as all privacy permissions applied for by the version of the application that needs to be evaluated.
The server 103 may detect whether a privacy risk condition exists in the version of the application that needs to be evaluated according to the privacy permission available to the version of the application that needs to be evaluated, the privacy permission available to the SDK associated with the version of the application that needs to be evaluated, and the information related to evaluating privacy risk, and obtain a privacy risk evaluation result of the version of the application that needs to be evaluated. The server 103 may provide the privacy risk assessment results for the version of the application that needs to be assessed to the user of the application. The server 103 may also provide the privacy risk assessment results of the version of the application that needs to be assessed to relevant personnel, such as a security engineer.
It should be understood that the numbers of terminals 101 and servers 103 are exemplary. In the present application, privacy risk assessment can be performed on any version, needing evaluation, of any application needing evaluation, and a privacy risk assessment result is obtained. The privacy risk assessment result may also be provided to relevant personnel, such as security engineers, so that they can know the security of the version of the application that needs to be evaluated with respect to the user's private data.
Referring to fig. 2, a flow diagram of one embodiment of a privacy risk assessment method according to the present application is shown. The method comprises the following steps:
Step 201: perform one or more detections on the version of the application that needs to be evaluated.
In this embodiment, a privacy permission is a permission to acquire the private data of the user of the application. Each privacy permission may correspond to a respective private data type.
For example, the private data types of the private data of the user of the application include the user's contact information, telephone number, SMS/MMS message information and the like, and the privacy permissions include the permission to acquire the user's contact information, the permission to acquire the telephone number, the permission to acquire SMS/MMS message information and the like.
In this embodiment, "the version of the application that needs to be evaluated" does not refer to one particular version; any version of the application whose privacy risk needs to be evaluated may be referred to as the version that needs to be evaluated.
In this embodiment, being able to use a privacy permission is equivalent to being able to acquire private data of the private data type corresponding to that permission. If the code of a version of an application that needs to be evaluated can, when loaded and run, acquire private data of the private data type corresponding to a privacy permission, that version is said to be able to use the privacy permission.
For example, the application is an APP running on an Android operating system. When it is determined that the code of a version of the APP that needs to be evaluated can, when loaded and run, acquire private data of the private data type corresponding to a privacy permission, it may be determined that this version of the APP can use the privacy permission.
In this embodiment, when evaluating the privacy risk of the version of the application that needs to be evaluated, one or more of the following may be detected for that version: the security of private data, the comprehensiveness of the information associated with privacy permissions that is notified to users of the application, and the consistency between the privacy permission application situation and the privacy permission notification situation.
In this embodiment, when detecting the security of private data, it may be detected whether the following conditions exist: private data is not encrypted when stored locally; private data is not encrypted when transmitted. When any one of these conditions is detected for the version of the application that needs to be evaluated, it may be determined that private data is not secure in that version. When none of these conditions exists, it can be determined that private data is secure in that version.
In this embodiment, when detecting the comprehensiveness of the information associated with privacy permissions that the version of the application that needs to be evaluated notifies to the user of the application, it may be detected whether there is a case where information associated with privacy permissions that should be notified to the user of the application is not notified to the user. When such a case is detected for the version that needs to be evaluated, it may be determined that the information associated with privacy permissions that this version notifies to the user of the application is not comprehensive. When no such case exists for the version that needs to be evaluated, it may be determined that the information associated with privacy permissions that this version notifies to the user of the application is comprehensive.
In this embodiment, the information associated with privacy permissions that should be notified to the user of the application may include: information indicating all privacy permissions applied for by the version of the application that needs to be evaluated, and information, presented when that version uses a privacy permission, indicating that the version is using the privacy permission.
In this embodiment, it may be detected whether information indicating the privacy permissions applied for by the version of the application that needs to be evaluated is presented to the user. When it is detected that information indicating all privacy permissions applied for by that version is not presented to the user, for example, that a list containing the identifiers of all privacy permissions applied for by that version is not presented to the user, it may be determined that the version has the following privacy risk condition: the user of the application is not notified of the privacy permission application situation.
For example, the application is an APP running on an Android operating system. During installation, a version of the APP that needs to be evaluated presents its user privacy permission agreement to the user, but the user may click the button that grants all privacy permissions applied for by this version without having read the agreement completely. After installation of this version is completed, information indicating all privacy permissions applied for by this version is not presented to the user, for example, a list containing all privacy permissions applied for by this version is not presented. In this case the user does not have full knowledge of the privacy permission application situation of this version of the APP, and it can be determined that this version has the privacy risk condition that the user of the application is not notified of the privacy permission application situation.
In this embodiment, it may be detected whether, when the version of the application that needs to be evaluated uses a privacy permission, information indicating that the version is using the privacy permission is presented to the user. When it is detected that no such information is presented to the user while the version uses the privacy permission, it can be determined that the version has the following privacy risk condition: the user of the application is not notified of the privacy permission usage situation.
For example, the application is an APP running on an Android operating system. A version of the APP that needs to be evaluated applies for a privacy permission during installation and obtains it when the user agrees to grant it to this version. When the code of this version is loaded and run, it uses the privacy permission to acquire private data of the private data type corresponding to the permission, but the user of the application is not informed that private data of this type is being acquired, that is, information indicating that this version of the APP is using the privacy permission is not presented to the user. In this case it can be detected that this version of the APP has the privacy risk condition that the user of the application is not notified of the privacy permission usage situation.
In this embodiment, the case in which the privacy permission application situation and the privacy permission notification situation of the version of the application that needs to be evaluated are inconsistent includes: the version applies for a privacy permission of which the user of the application is not notified through the user privacy permission agreement of that version. When it is detected that the version that needs to be evaluated applies for a privacy permission of which the user of the application is not notified through the user privacy permission agreement of that version, it can be determined that the privacy permission application situation is inconsistent with the privacy permission notification situation.
For example, the application is an APP running on an Android operating system. A version of the APP that needs to be evaluated applies for a privacy permission, but the user privacy permission agreement of this version does not include content indicating that the version applies for this privacy permission. During installation of this version, the user privacy permission agreement is presented to the user, but when the user browses the agreement, the user cannot learn that this version of the APP applies for the privacy permission. In this case it can be determined that, for this version of the APP, the privacy permission application situation is inconsistent with the privacy permission notification situation.
In this embodiment, the privacy risk detection result may include one or more of the following: the detection result corresponding to the security of private data, the detection result corresponding to the comprehensiveness of the information associated with privacy permissions that is notified to users of the application, and the detection result corresponding to the consistency between the privacy permission application situation and the privacy permission notification situation. The detection result corresponding to the security of private data is one of: private data is secure; private data is not secure. The detection result corresponding to the comprehensiveness of the information associated with privacy permissions that is notified to users of the application is one of: the information is comprehensive; the information is not comprehensive. The detection result corresponding to the consistency between the privacy permission application situation and the privacy permission notification situation is one of: the two are consistent; the two are inconsistent.
Step 202: generate a privacy risk evaluation result for the version of the application that needs to be evaluated.
In this embodiment, after the privacy risk detection result of the version of the application that needs to be evaluated is obtained, the privacy risk evaluation result of that version may be generated. The privacy risk evaluation result of the version includes: indication information indicating whether private data is secure, indication information indicating whether the information associated with privacy permissions that is notified to users of the application is comprehensive, and indication information indicating whether the privacy permission application situation is consistent with the privacy permission notification situation. For example, the application is an APP running on an Android operating system, and after the privacy risk evaluation result of a version of the APP that needs to be evaluated is generated, the result may be provided to a user who uses that version of the APP. The privacy risk evaluation result of that version of the APP includes: indication information corresponding to the privacy risk condition associated with private data, indication information corresponding to the privacy risk condition that information associated with privacy permissions that should be notified to the user of the application is not notified to the user, and indication information corresponding to the privacy risk condition that the privacy permission application situation differs from the privacy permission notification situation.
In this embodiment, any one of the following may be referred to as a privacy risk condition: private data is not secure; the information associated with privacy permissions that is notified to the user of the application is not comprehensive; the privacy permission application situation is inconsistent with the privacy permission notification situation. When a privacy risk condition is detected, the privacy risk evaluation result may further include information describing the detected privacy risk condition.
Referring to fig. 3, a flow diagram of another embodiment of a privacy risk assessment method according to the present application is shown. The method comprises the following steps:
Step 301: perform one or more detections on the version of the application that needs to be evaluated by detecting whether a condition associated with each detected item exists.
In this embodiment, when evaluating the privacy risk of the version of the application that needs to be evaluated, one or more of the following may be detected for that version: the security of private data, the comprehensiveness of the information associated with privacy permissions that is notified to users of the application, and the consistency between the privacy permission application situation and the privacy permission notification situation.
In this embodiment, the plug-in associated with the version of the application requiring evaluation may be referred to as the SDK associated with the version of the application requiring evaluation. The SDK associated with the version of the application that needs to be evaluated may be an SDK provided by the provider of the application or an SDK provided by a third party other than the provider of the application.
In this embodiment, the security of private data is determined by detecting whether one or more of the following conditions exist: private data is not encrypted when stored; private data is not encrypted when transmitted; the version of the application that needs to be evaluated can use a privacy permission that this version is prohibited from using; an SDK associated with the version that needs to be evaluated can use a privacy permission that the SDK is prohibited from using. The code of an SDK associated with the version that needs to be evaluated is loaded and run when the code of that version is loaded and run.
In this embodiment, when detecting the security of private data, the conditions to be detected may be one or more of: private data is not encrypted when stored; private data is not encrypted when transmitted; the version of the application that needs to be evaluated can use a privacy permission that this version is prohibited from using; an SDK associated with that version can use a privacy permission that the SDK is prohibited from using; and the like. When there is one condition to be detected, private data can be determined to be not secure when that condition is detected in the version that needs to be evaluated. When there are several conditions to be detected, private data can be determined to be not secure when any one of them is detected. For example, the application is an APP running on an Android operating system, and for a version of the APP that needs to be evaluated, one SDK associated with that version is an SDK used for pushing advertisement information to the user. The SDK may be loaded and run when the code of that version of the APP is loaded and run, and the SDK may obtain the advertisements pushed to the APP from a server and present advertisement information to the user in the interface of the APP.
In this embodiment, the privacy permissions that the version of the application that needs to be evaluated is prohibited from using include: privacy permissions that the version can use but has not applied for.
In this embodiment, the privacy permissions that the version of the application that needs to be evaluated can use may be determined by analyzing the operations associated with acquiring private data that are performed when the code of that version is loaded and run.
In this embodiment, the code of the installation package of the version of the application that needs to be evaluated may also be analyzed to determine all privacy permissions that the version can use. This may be referred to as performing static code analysis to determine the privacy permissions that the version of the application that needs to be evaluated can use.
For example, the application is an APP running on an Android operating system, and all privacy permissions applied for by the APP are determined in advance by analyzing the Android manifest. A third-party SDK feature library, an Android system permission knowledge base and a permission-API feature library can be constructed in advance. Each information item in the third-party SDK feature library may contain the identifier of an SDK and the identifiers of the privacy permissions that the SDK can use. Each information item in the Android system permission knowledge base may contain the identifier of one permission in the Android system. Each information item in the permission-API feature library contains the identifier of one permission in the Android system and the identifier of an API that is called when the permission is used. When the code of the installation package of the version of the application that needs to be evaluated is analyzed, all privacy permissions that the version can use can be determined by combining the third-party SDK feature library, the Android system permission knowledge base and the permission-API feature library.
In this embodiment, whether the version of the application that needs to be evaluated has the privacy risk condition of being able to use a privacy permission it has not applied for can be detected from the privacy permission application situation of that version and the privacy permissions that the version has been determined to be able to use.
In this embodiment, the code loading runtime of an SDK associated with the version of the application that needs to be evaluated may obtain the privacy data of the privacy data type corresponding to a privacy authority, which may be referred to as that the SDK associated with the version of the application that needs to be evaluated may use the privacy authority.
For example, the application is an APP running on an Android operating system, and the code of the SDK associated with the version of the APP that needs to be evaluated is loaded and run when the code of the version of the APP that needs to be evaluated loads and runs. When it is determined that the code loading runtime of the SDK associated with the version of the APP that needs to be evaluated can obtain the privacy data of the privacy data type corresponding to one privacy permission, it may be determined that the SDK associated with the version of the APP that needs to be evaluated can use the privacy permission.
In this embodiment, the privacy permission that the SDK associated with the version of the application that needs to be evaluated may use to prohibit the SDK associated with the version that needs to be evaluated may include the following: the SDK associated with the version needing to be evaluated can use the privacy permission which forbids the SDK associated with the version needing to be evaluated from being used in the privacy permission applied by the version needing to be evaluated, and the SDK associated with the version needing to be evaluated of the application can use the privacy permission which is not applied by the version needing to be evaluated of the application.
In this embodiment, the code of the SDK associated with the version of the application that needs to be evaluated may be analyzed to determine the privacy permissions that the SDK associated with the version that needs to be evaluated may use. Whether the SDK associated with the version of the application needing to be evaluated has the privacy permission which can be used by the SDK associated with the version of the application needing to be evaluated can be judged according to all privacy permissions applied by the version of the application needing to be evaluated and the privacy permission which can be used by the SDK associated with the version of the application needing to be evaluated.
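The static check described above can be sketched as follows. This is an added example, not code from the patent: the manifest, the library contents, the call sites, the package-prefix attribution of callers to an SDK and the per-SDK allow-list are all constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
NOT_APPLIED = "usable but not applied for"
SDK_PROHIBITED = "applied for, but this SDK is prohibited from using it"

# Constructed manifest of the version that needs to be evaluated.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.shop">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

# Android system permission knowledge base (constructed subset):
# the permissions treated as privacy permissions.
PRIVACY_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.RECORD_AUDIO",
}

# Permission-API feature library (constructed, simplified subset):
# API identifier -> permission used when the API is called.
PERMISSION_API = {
    "android.location.LocationManager.getLastKnownLocation":
        "android.permission.ACCESS_FINE_LOCATION",
    "android.telephony.TelephonyManager.getDeviceId":
        "android.permission.READ_PHONE_STATE",
    "android.media.AudioRecord.startRecording":
        "android.permission.RECORD_AUDIO",
}

# Third-party SDK feature library (constructed). The package prefix and the
# allow-list of permissions the SDK is permitted to use are assumptions.
SDK_LIBRARY = {
    "ad-sdk": {"package": "com.example.adsdk.", "allowed": set()},
}

# Constructed call sites, as a disassembler of the installation package
# might report them: (calling class, API identifier).
CALL_SITES = [
    ("com.example.shop.StoreLocator",
     "android.location.LocationManager.getLastKnownLocation"),
    ("com.example.shop.VoiceSearch",
     "android.media.AudioRecord.startRecording"),
    ("com.example.adsdk.Tracker",
     "android.telephony.TelephonyManager.getDeviceId"),
    ("com.example.adsdk.Tracker",
     "android.location.LocationManager.getLastKnownLocation"),
]


def applied_privacy_permissions(manifest_xml):
    """Privacy permissions the version applies for in its manifest."""
    root = ET.fromstring(manifest_xml)
    names = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    return names & PRIVACY_PERMISSIONS


def owner_of(caller_class):
    """Attribute a calling class to an SDK by package prefix, else to the app."""
    for sdk_id, item in SDK_LIBRARY.items():
        if caller_class.startswith(item["package"]):
            return sdk_id
    return "app"


def usable_permissions(call_sites):
    """Map each owner (app or SDK id) to the privacy permissions it can use."""
    usable = {}
    for caller, api in call_sites:
        permission = PERMISSION_API.get(api)
        if permission in PRIVACY_PERMISSIONS:
            usable.setdefault(owner_of(caller), set()).add(permission)
    return usable


def detect(manifest_xml, call_sites):
    """Return (owner, permission, reason) for every prohibited use found."""
    applied = applied_privacy_permissions(manifest_xml)
    findings = []
    for owner, permissions in sorted(usable_permissions(call_sites).items()):
        for permission in sorted(permissions):
            if permission not in applied:
                findings.append((owner, permission, NOT_APPLIED))
            elif owner != "app" and permission not in SDK_LIBRARY[owner]["allowed"]:
                findings.append((owner, permission, SDK_PROHIBITED))
    return findings


if __name__ == "__main__":
    for finding in detect(MANIFEST, CALL_SITES):
        print(finding)
```
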
In this embodiment, each of the following is considered a privacy risk: the privacy data is unsafe; the information associated with privacy permissions that is notified to the user of the application is incomplete; and the privacy permission application condition is inconsistent with the privacy permission notification condition. When the version of the application that needs to be evaluated has at least one privacy risk, the cause of the privacy risk can be further determined, and traceability information of the version of the application that needs to be evaluated is generated.
In this embodiment, risk tracing information indicating the cause of the privacy risk of the version of the application that needs to be evaluated may be generated based on tracing association information, where the tracing association information includes one or more of the following: the privacy risk assessment result of the version that needs to be evaluated, the privacy risk assessment result of the previous version of the version that needs to be evaluated, version attribute information of the version that needs to be evaluated, and version attribute information of the previous version of the version that needs to be evaluated. The version attribute information may include a version number, information describing the functions of the version of the application, and the like.
For example, the application is an APP running on an Android operating system, the version of the APP that needs to be evaluated is the latest version of the APP, and the previous version of the version that needs to be evaluated is the version immediately preceding the latest version. The latest version of the APP adds a new function compared with the previous version. The privacy permissions applied for by the latest version of the APP have not changed and are consistent with the privacy permissions applied for by the previous version. The new function can use a privacy permission other than all the privacy permissions applied for by the previous version. In this case, it can be detected that there is a risk that the latest version of the APP can use a privacy permission it has not applied for, it can further be determined that the cause of the privacy risk is the new function added to the APP, and traceability information indicating that the privacy risk is caused by adding the new function to the APP can be generated.
For another example, the application is an APP running on an Android operating system, and the version of the APP that needs to be evaluated is the latest version of the APP. The SDK associated with the latest version of the APP can use a privacy permission that the latest version of the APP has not applied for. In this case, it can be detected that the SDK associated with the latest version of the APP can use a privacy permission that the SDK is prohibited from using, it can be determined that the privacy risk is caused by the SDK associated with the latest version of the APP, and tracing information indicating that the privacy risk is caused by that SDK can be generated.
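The two tracing examples above can be expressed as a comparison of the assessment inputs of two versions. This is an added sketch, not code from the patent: the record layout, version numbers and function names are constructed, and the "already present" and "undetermined" outcomes are assumptions that go beyond the two causes the text names.

```python
LOCATION = "android.permission.ACCESS_FINE_LOCATION"
AUDIO = "android.permission.RECORD_AUDIO"
PHONE = "android.permission.READ_PHONE_STATE"

# Constructed tracing association information for two versions:
# version attribute information (number, functions) plus the applied-for
# and usable privacy permissions taken from each assessment.
PREVIOUS = {
    "version": "2.3.0",
    "functions": {"browse catalogue", "nearby stores"},
    "applied": {LOCATION},
    "usable": {"app": {LOCATION}},
}
LATEST = {
    "version": "2.4.0",
    "functions": {"browse catalogue", "nearby stores", "voice search"},
    "applied": {LOCATION},
    "usable": {"app": {LOCATION, AUDIO}, "ad-sdk": {PHONE}},
}


def unapplied(record):
    """(owner, permission) pairs that are usable but were not applied for."""
    return {
        (owner, permission)
        for owner, permissions in record["usable"].items()
        for permission in permissions
        if permission not in record["applied"]
    }


def trace(previous, latest):
    """Attribute each unapplied-permission risk of `latest` to a cause."""
    new_functions = sorted(latest["functions"] - previous["functions"])
    risky_before = unapplied(previous)
    traces = []
    for owner, permission in sorted(unapplied(latest)):
        if owner != "app":
            # Second example in the text: the risk comes from an SDK.
            cause = f"SDK '{owner}' associated with version {latest['version']}"
        elif (owner, permission) in risky_before:
            # Assumption: a risk carried over is not blamed on new functions.
            cause = f"already present in version {previous['version']}"
        elif latest["applied"] == previous["applied"] and new_functions:
            # First example in the text: applied permissions unchanged,
            # but a new function uses a permission nobody applied for.
            cause = (f"new function added in version {latest['version']}: "
                     + ", ".join(new_functions))
        else:
            cause = "undetermined"
        traces.append({"permission": permission, "origin": owner, "cause": cause})
    return traces


if __name__ == "__main__":
    for item in trace(PREVIOUS, LATEST):
        print(item)
```
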
In this embodiment, the comprehensiveness of the information associated with privacy permissions that is notified to the user of the application is determined by detecting whether one or more of the following conditions exist: the user of the application is not informed of the content of the user privacy permission agreement of the version of the application that needs to be evaluated; the user of the application is not informed of the privacy permission application condition; and the user of the application is not informed of the privacy permission usage condition.
In this embodiment, when the comprehensiveness of the information associated with privacy permissions that is notified to the user of the application is detected, the conditions to be detected may be one or more of the following: the user of the application is not informed of the content of the user privacy permission agreement of the version of the application that needs to be evaluated, the user of the application is not informed of the privacy permission application condition, the user of the application is not informed of the privacy permission usage condition, and the like. When there is only one condition to be detected, the information associated with privacy permissions that is notified to the user of the application can be determined to be incomplete when that condition is detected in the version of the application that needs to be evaluated. When there are several conditions to be detected, the information can be determined to be incomplete when any one of them is detected.
In this embodiment, it may be detected whether the content of the user privacy permission agreement of the version of the application that needs to be evaluated is presented to the user, for example, whether it is presented to the user during the installation of the version of the application that needs to be evaluated. When it is detected that the content of the user privacy permission agreement is not presented to the user, it may be determined that the version of the application that needs to be evaluated has the privacy risk condition that the user of the application is not informed of the content of the user privacy permission agreement of the version.
For example, the application is an APP running on an Android operating system. In some low-version Android operating systems, multiple permissions, including privacy permissions, are granted by default to APPs running on the operating system. During the installation of each version of the APP, these permissions are acquired automatically without the content of the user privacy permission agreement being presented to the user. The installation process of each version of the APP can be monitored, and when it is determined that no user privacy permission agreement is presented to the user during installation, it can be detected that each version of the APP has the privacy risk condition that the user of the application is not informed of the content of the user privacy permission agreement of the version that needs to be evaluated.
In this embodiment, it may be detected whether information indicating the privacy permissions applied for by the version of the application that needs to be evaluated is presented to the user. When it is detected that information indicating all privacy permissions applied for by the version is not presented to the user, for example, that a list containing the identifiers of all privacy permissions applied for by the version is not presented to the user, it may be determined that the version of the application that needs to be evaluated has the privacy risk condition that the user of the application is not informed of the privacy permission application condition.
For example, the application is an APP running on an Android operating system. The version of the APP that needs to be evaluated presents its user privacy permission agreement to the user during installation, but the user may click the button that grants all privacy permissions applied for by the version without having read the user privacy permission agreement completely. After the installation of the version is completed, information indicating all privacy permissions applied for by the version is not presented to the user; for example, a list containing all privacy permissions applied for by the version is not presented to the user. In this case, the user does not fully know the privacy permission application condition of the version of the APP that needs to be evaluated, and it can be determined that the version has the privacy risk condition that the user of the application is not informed of the privacy permission application condition.
In this embodiment, it may be detected whether information indicating that the version of the application that needs to be evaluated is using a privacy permission is presented to the user when the version uses the privacy permission. When it is detected that such information is not presented to the user when the version uses the privacy permission, it may be determined that the version of the application that needs to be evaluated has the privacy risk condition that the user of the application is not informed of the privacy permission usage condition.
For example, the application is an APP running on an Android operating system. The version of the APP that needs to be evaluated applies for a privacy permission during installation and acquires it when the user agrees to grant it. When the code of the version is loaded and run, the version uses the privacy permission to acquire privacy data of the privacy data type corresponding to the privacy permission, but the user of the application is not informed that privacy data of this type is being acquired, that is, information indicating that the version uses the privacy permission is not presented to the user. In this case, it can be detected that the version of the APP that needs to be evaluated has the privacy risk condition that the user of the application is not informed of the privacy permission usage condition.
In this embodiment, the consistency between the privacy permission application condition and the privacy permission notification condition is determined by detecting whether one or more of the following conditions exist: the version of the application that needs to be evaluated applies for a privacy permission that is not notified to the user of the application through the user privacy permission agreement of the version; and the user privacy permission agreement of the version notifies the user of the application of at least one privacy permission that the version has not applied for.
For example, the application is an APP running on an Android operating system. The version of the APP that needs to be evaluated applies for a privacy permission, but the user privacy permission agreement of that version does not include content indicating that the version applies for the privacy permission. The user privacy permission agreement is presented to the user during the installation of the version, but the user cannot learn from browsing it that the version applies for the privacy permission. In this case, it can be determined that the privacy permission application condition of the version of the APP that needs to be evaluated is inconsistent with the privacy permission notification condition.
For another example, the user privacy permission agreement of the version of the APP that needs to be evaluated includes content indicating that the version applies for a privacy permission, but the version does not apply for that privacy permission. In this case, it can likewise be determined that the privacy permission application condition is inconsistent with the privacy permission notification condition.
In this embodiment, the privacy risk detection result may include one or more of the following: a detection result corresponding to the security of the privacy data, a detection result corresponding to the comprehensiveness of the information associated with privacy permissions that is notified to the user of the application, and a detection result corresponding to the consistency between the privacy permission application condition and the privacy permission notification condition. The detection result corresponding to the security of the privacy data is one of the following: the privacy data is safe, or the privacy data is unsafe. The detection result corresponding to the comprehensiveness of the information associated with privacy permissions that is notified to the user of the application is one of the following: the information is comprehensive, or the information is not comprehensive. The detection result corresponding to the consistency between the privacy permission application condition and the privacy permission notification condition is one of the following: the two conditions are consistent, or the two conditions are inconsistent.
Step 302: generating a privacy risk assessment result of the version of the application that needs to be evaluated.
In this embodiment, after the privacy risk detection result of the version of the application that needs to be evaluated is obtained, the privacy risk assessment result of the version may be generated. The privacy risk assessment result of the version of the application that needs to be evaluated includes: indication information indicating whether the privacy data is safe, indication information indicating whether the information associated with privacy permissions that is notified to the user of the application is comprehensive, and indication information indicating whether the privacy permission application condition is consistent with the privacy permission notification condition.
In this embodiment, any one of the cases that the privacy data is unsafe, the information associated with the privacy authority and informing the user of the application is incomplete, and the application condition of the privacy authority is inconsistent with the informing condition of the privacy authority may be referred to as a privacy risk condition. When a privacy risk condition is detected, the privacy risk assessment result may further include information describing the detected privacy risk condition.
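The comprehensiveness and consistency checks and the assessment result of step 302 can be combined as below. This is an added example, not code from the patent: the monitoring record format, the event names and all sample values are constructed assumptions.

```python
LOCATION = "android.permission.ACCESS_FINE_LOCATION"
CONTACTS = "android.permission.READ_CONTACTS"
CAMERA = "android.permission.CAMERA"

# Constructed monitoring record of installation and run time:
# (phase, event, permission or None). Event names are hypothetical.
EVENTS = [
    ("install", "agreement_shown", None),
    ("run", "use_notice_shown", LOCATION),
    ("run", "permission_used", LOCATION),
    ("run", "permission_used", CONTACTS),
]
APPLIED = {LOCATION, CONTACTS}            # privacy permissions applied for
NOTIFIED_IN_AGREEMENT = {LOCATION, CAMERA}  # permissions named in the agreement
# Conditions reported by the privacy data security detection (constructed).
SECURITY_CONDITIONS = ["privacy data is not encrypted when transmitted"]


def comprehensiveness_issues(events):
    """Check the three notification conditions listed in the description."""
    issues = []
    if ("install", "agreement_shown", None) not in events:
        issues.append("user not informed of the content of the "
                      "user privacy permission agreement")
    if not any(event == "permission_list_shown" for _, event, _ in events):
        issues.append("user not informed of the privacy permission "
                      "application condition")
    noticed = {p for _, event, p in events if event == "use_notice_shown"}
    used = {p for _, event, p in events if event == "permission_used"}
    for permission in sorted(used - noticed):
        issues.append(f"user not informed of the use of {permission}")
    return issues


def consistency_issues(applied, notified):
    """Compare applied-for permissions with those named in the agreement."""
    issues = [f"{p} applied for but not notified in the agreement"
              for p in sorted(applied - notified)]
    issues += [f"{p} notified in the agreement but not applied for"
               for p in sorted(notified - applied)]
    return issues


def assess(events, applied, notified, security_conditions):
    """Build the assessment result: three indications plus descriptions."""
    comprehensiveness = comprehensiveness_issues(events)
    consistency = consistency_issues(applied, notified)
    return {
        "privacy_data_safe": not security_conditions,
        "notification_comprehensive": not comprehensiveness,
        "application_consistent_with_notification": not consistency,
        "risk_conditions": list(security_conditions) + comprehensiveness + consistency,
    }


if __name__ == "__main__":
    result = assess(EVENTS, APPLIED, NOTIFIED_IN_AGREEMENT, SECURITY_CONDITIONS)
    for key, value in result.items():
        print(key, "=", value)
```
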
In this embodiment, when at least one version of an application that needs to be evaluated can use a privacy permission that the version is prohibited from using, and/or an SDK associated with the version can use a privacy permission that the SDK is prohibited from using, privacy risk point information of the application may be generated and compared with the privacy risk point information of other applications to obtain a comparison result. The other applications are of the same type as the application. After the comparison result is obtained, it may be provided to a user of the application.
In this embodiment, when a version of an application that needs to be evaluated can use a privacy permission that the version is prohibited from using, that privacy permission can be referred to as a prohibited privacy permission that the application can use. Each SDK associated with a version of the application that needs to be evaluated may be referred to as an SDK associated with the application. When an SDK associated with a version of the application that needs to be evaluated can use a privacy permission that the SDK is prohibited from using, that privacy permission may be referred to as a prohibited privacy permission that the SDK associated with the application can use.
In this embodiment, when at least one version of an application that needs to be evaluated can use a privacy permission that the version is prohibited from using, and/or an SDK associated with the version can use a privacy permission that the SDK is prohibited from using, all prohibited privacy permissions that the application can use and all prohibited privacy permissions that the SDKs associated with the application can use can be determined. Then, privacy risk point information of the application may be generated, which includes: the identifiers of all prohibited privacy permissions that the application can use, and the identifiers of all prohibited privacy permissions that the SDKs associated with the application can use. Similarly, the privacy risk point information of another application includes: the identifiers of all prohibited privacy permissions that the other application can use, and the identifiers of all prohibited privacy permissions that the SDKs associated with the other application can use.
Referring to fig. 4, as an implementation of the methods shown in the above-mentioned figures, the present application provides an embodiment of a privacy risk assessment apparatus, which corresponds to the method embodiment shown in fig. 2. Specific implementations of corresponding operations that the respective units in the apparatus are configured to perform may refer to the specific implementations of corresponding operations described in the method embodiments.
As shown in fig. 4, the privacy risk assessment apparatus of the present embodiment includes: a detection unit 401 and an evaluation unit 402. The detection unit 401 is configured to detect one or more of the following for the version of the application that needs to be evaluated, to obtain a privacy risk detection result of the version: the security of the privacy data, the comprehensiveness of the information associated with privacy permissions that is notified to the user of the application, and the consistency between the privacy permission application condition and the privacy permission notification condition, where a privacy permission is a permission to acquire privacy data of the user of the application. The evaluation unit 402 is configured to generate a privacy risk assessment result of the version of the application that needs to be evaluated based on the privacy risk detection result of the version.
In some optional implementations of this embodiment, the security of the privacy data is determined by detecting whether one or more of the following conditions exist: the privacy data is not encrypted when it is stored; the privacy data is not encrypted when it is transmitted; the version of the application that needs to be evaluated can use a first prohibited privacy permission; and a plug-in associated with the version of the application that needs to be evaluated can use a second prohibited privacy permission. The first prohibited privacy permission is a privacy permission that the version of the application that needs to be evaluated is prohibited from using, and the second prohibited privacy permission is a privacy permission that the plug-in is prohibited from using.
In some optional implementations of this embodiment, the version of the application that needs to be evaluated has at least one privacy risk, and the apparatus further includes a tracing unit configured to generate risk tracing information of the version of the application that needs to be evaluated based on tracing association information. The risk tracing information indicates the cause of the privacy risk, and the tracing association information includes one or more of the following: the privacy risk assessment result of the version of the application that needs to be evaluated, the privacy risk assessment result of the previous version of the version that needs to be evaluated, version attribute information of the version that needs to be evaluated, and version attribute information of the previous version of the version that needs to be evaluated.
In some optional implementations of this embodiment, the comprehensiveness of the information associated with privacy permissions that is notified to the user of the application is determined by detecting whether one or more of the following conditions exist: the user of the application is not informed of the content of the user privacy permission agreement of the version of the application that needs to be evaluated; the user of the application is not informed of the privacy permission application condition; and the user of the application is not informed of the privacy permission usage condition.
In some optional implementations of the embodiment, the consistency between the privacy authority application condition and the privacy authority notification condition is determined by detecting whether one or more of the following conditions exist: applying an unapproved privacy permission, wherein the unapproved privacy permission is the privacy permission applied by the version of the application needing evaluation and informed to the user of the application through a user privacy permission protocol of the version of the application needing evaluation.
In some optional implementations of this embodiment, the apparatus further includes a comparison unit configured to compare the privacy risk point information of the application with the privacy risk point information of other applications to obtain a comparison result, where the other applications are of the same type as the application, and the privacy risk point information of the application is obtained based on the identifier of the first prohibited privacy permission that the version of the application that needs to be evaluated can use and/or the identifier of the second prohibited privacy permission that the plug-in associated with the version of the application that needs to be evaluated can use.
In some optional implementations of this embodiment, the detection unit is further configured to detect the one or more items for the version of the application that needs to be evaluated based on detection association information, where the detection association information includes: the code of the installation package of the version of the application that needs to be evaluated, the version attribute information of the version of the application that needs to be evaluated, and the identifiers of operations associated with obtaining privacy data, the identifiers being determined by monitoring the code of the version of the application that needs to be evaluated when that code is loaded and run.
FIG. 5 illustrates a schematic block diagram of a computer system suitable for use to implement a server according to embodiments of the present application.
As shown in fig. 5, the computer system includes a Central Processing Unit (CPU) 501 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 502 or a program loaded from a storage section 508 into a Random Access Memory (RAM) 503. The RAM 503 also stores various programs and data necessary for the operation of the computer system. The CPU 501, ROM 502, and RAM 503 are connected to each other through a bus 504. An input/output (I/O) interface 505 is also connected to the bus 504.
The following components are connected to the I/O interface 505: an input section 506; an output section 507; a storage section 508 including a hard disk and the like; and a communication section 509 including a network interface card such as a LAN card, a modem, or the like. The communication section 509 performs communication processing via a network such as the Internet. A drive 510 is also connected to the I/O interface 505 as necessary. A removable medium 511 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 510 as necessary, so that a computer program read from it is installed into the storage section 508 as necessary.
In particular, the processes described in the embodiments of the present application may be implemented as computer programs. For example, embodiments of the present application include a computer program product comprising a computer program carried on a computer readable medium, the computer program comprising instructions for carrying out the method illustrated by the flow chart. The computer program can be downloaded and installed from a network through the communication section 509, and/or installed from the removable medium 511. The computer program performs the above-described functions defined in the method of the present application when executed by the Central Processing Unit (CPU) 501.
The present application also provides a server, which may be configured with one or more processors; a memory for storing one or more programs, the one or more programs may include instructions for performing the operations described in the above embodiments. The one or more programs, when executed by the one or more processors, cause the one or more processors to perform the instructions of the operations described in the above embodiments.
The present application also provides a computer readable medium, which may be included in a server; or the device can exist independently and is not assembled into the server. The computer readable medium carries one or more programs which, when executed by a server, cause the server to perform the operations described in the embodiments above.
It should be noted that the computer readable medium described herein can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may include, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. In this application, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The above description is only a preferred embodiment of the application and is illustrative of the principles of the technology employed. It will be understood by those skilled in the art that the scope of the invention herein referred to is not limited to the technical embodiments with the specific combination of the above technical features, but also encompasses other technical embodiments with any combination of the above technical features or their equivalents without departing from the inventive concept. For example, technical embodiments formed by mutually replacing the above-mentioned features with (but not limited to) technical features having similar functions disclosed in the present application.

Claims (16)

1. A privacy risk assessment method, comprising:
detecting one or more of the following items of the version of the application needing to be evaluated to obtain a privacy risk detection result of the version of the application needing to be evaluated: privacy data security, comprehensiveness of the information associated with privacy permissions that is notified to users of the application, and consistency between the privacy permission application situation and the privacy permission notification situation, wherein the privacy permissions are permissions for obtaining privacy data of the users of the application, and the privacy data security is determined by detecting whether the following two conditions exist: the version of the application needing to be evaluated can use a privacy permission which that version has not applied for, and an SDK associated with the version of the application needing to be evaluated can use a privacy permission which the SDK is prohibited from using;
wherein whether the version of the application needing to be evaluated can use a privacy permission which that version has not applied for is determined based on the following step: detecting whether the version of the application needing to be evaluated has available but unapplied-for privacy permissions according to the privacy permission application situation of the version of the application needing to be evaluated and the determined privacy permissions available to the version of the application needing to be evaluated;
wherein the privacy permissions available to the version of the application needing to be evaluated are determined based on the following steps: a third-party SDK (software development kit) feature library, an Android system permission knowledge library and a permission-API (application programming interface) feature library are constructed in advance; when the code of the installation package of the version of the application needing to be evaluated is analyzed, the privacy permissions available to the version of the application needing to be evaluated are determined by combining the third-party SDK feature library, the Android system permission knowledge library and the permission-API feature library;
and generating a privacy risk evaluation result of the version of the application needing to be evaluated based on the privacy risk detection result of the version of the application needing to be evaluated.
2. The method of claim 1, wherein the privacy data security is further determined by detecting whether one or more of the following conditions exist: the privacy data is not encrypted when stored, and the privacy data is not encrypted when transmitted.
3. The method of claim 2, wherein the version of the application needing to be evaluated presents at least one privacy risk; and
the method further comprises the following steps:
generating risk tracing information of the version of the application needing to be evaluated based on tracing associated information, wherein the risk tracing information indicates the reason of the privacy risk, and the tracing associated information comprises one or more of the following items: the privacy risk assessment result of the version of the application needing to be evaluated, the privacy risk assessment result of a previous version of the version of the application needing to be evaluated, the version attribute information of the version of the application needing to be evaluated, and the version attribute information of the previous version of the version of the application needing to be evaluated.
4. The method of claim 3, the comprehensiveness of information associated with privacy privileges that informs a user of the application is determined by detecting whether one or more of the following exists: the user of the application is not informed of the content of the user privacy permission agreement of the version of the application needing to be evaluated, the application condition of the user privacy permission of the application is not informed, and the use condition of the user privacy permission of the application is not informed.
5. The method of claim 4, wherein the consistency of the privacy authority application scenario and the privacy authority notification scenario is determined by detecting whether one or more of the following conditions exist: applying an unconfirmed privacy permission, wherein at least one unconfirmed privacy permission is not applied, and the unconfirmed privacy permission is the privacy permission applied by the version needing evaluation of the application, which is notified to the user of the application through a user privacy permission protocol of the version needing evaluation of the application.
6. The method of claim 5, further comprising:
and comparing the privacy risk point information of the application with the privacy risk point information of other applications to obtain a comparison result, wherein the types of the other applications are the same as the types of the applications, and the privacy risk point information of the application is obtained based on the identifier of the first disabled privacy authority which can be used by the version of the application needing to be evaluated and/or the identifier of the second disabled privacy authority which can be used by the plug-in associated with the version of the application needing to be evaluated.
7. The method according to one of claims 1 to 6, wherein detecting one or more of the following items of the version of the application needing to be evaluated comprises:
detecting one or more of the following items of the version of the application needing to be evaluated based on detection associated information, wherein the detection associated information comprises: the code of the installation package of the version of the application needing to be evaluated, the version attribute information of the version of the application needing to be evaluated, and the identification of the operation associated with obtaining the privacy data, wherein the operation associated with obtaining the privacy data is determined based on monitoring the code of the version of the application needing to be evaluated when that code is loaded and run.
8. A privacy risk assessment apparatus comprising:
a detection unit configured to detect one or more of the following items of the version of the application needing to be evaluated, and obtain a privacy risk detection result of the version of the application needing to be evaluated: privacy data security, comprehensiveness of the information associated with privacy permissions that is notified to users of the application, and consistency between the privacy permission application situation and the privacy permission notification situation, wherein the privacy permissions are permissions for obtaining privacy data of the users of the application, and the privacy data security is determined by detecting whether the following two conditions exist: the version of the application needing to be evaluated can use a privacy permission which that version has not applied for, and an SDK associated with the version of the application needing to be evaluated can use a privacy permission which the SDK is prohibited from using;
wherein whether the version of the application needing to be evaluated can use a privacy permission which that version has not applied for is determined based on the following step: detecting whether the version of the application needing to be evaluated has available but unapplied-for privacy permissions according to the privacy permission application situation of the version of the application needing to be evaluated and the determined privacy permissions available to the version of the application needing to be evaluated;
wherein the privacy permissions available to the version of the application needing to be evaluated are determined based on the following steps: a third-party SDK (software development kit) feature library, an Android system permission knowledge library and a permission-API (application programming interface) feature library are constructed in advance; when the code of the installation package of the version of the application needing to be evaluated is analyzed, the privacy permissions available to the version of the application needing to be evaluated are determined by combining the third-party SDK feature library, the Android system permission knowledge library and the permission-API feature library;
an evaluation unit configured to generate a privacy risk evaluation result of the version of the application requiring evaluation based on a privacy risk detection result of the version of the application requiring evaluation.
9. The apparatus of claim 8, wherein the privacy data security is further determined by detecting whether one or more of the following conditions exist: the privacy data is not encrypted when stored, and the privacy data is not encrypted when transmitted.
10. The apparatus of claim 9, wherein the version of the application needing to be evaluated presents at least one privacy risk; the apparatus further comprises:
a tracing unit configured to generate risk tracing information of the version of the application needing to be evaluated based on tracing associated information, wherein the risk tracing information indicates the reason of the privacy risk, and the tracing associated information comprises one or more of the following items: the privacy risk assessment result of the version of the application needing to be evaluated, the privacy risk assessment result of a previous version of the version of the application needing to be evaluated, the version attribute information of the version of the application needing to be evaluated, and the version attribute information of the previous version of the version of the application needing to be evaluated.
11. The apparatus of claim 10, the comprehensiveness of information associated with privacy privileges that informs a user of the application is determined by detecting whether one or more of the following exists: the method comprises the steps of not informing a user of the application of the content of the user privacy permission agreement of the version of the application needing to be evaluated, not informing the application of the user privacy permission, and not informing the application of the user privacy permission.
12. The apparatus of claim 11, the consistency of the privacy authority application scenario with the privacy authority notification scenario is determined by detecting whether one or more of the following conditions exist: applying an unconfirmed privacy permission, wherein at least one unconfirmed privacy permission is not applied, and the unconfirmed privacy permission is the privacy permission applied by the version needing evaluation of the application, which is notified to the user of the application through a user privacy permission protocol of the version needing evaluation of the application.
13. The apparatus of claim 12, the apparatus further comprising: and the comparison unit is configured to compare the privacy risk point information of the application with the privacy risk point information of other applications to obtain a comparison result, wherein the types of the other applications are the same as the types of the applications, and the privacy risk point information of the application is obtained based on the identifier of the first disabled privacy authority which can be used by the version of the application needing to be evaluated and/or the identifier of the second disabled privacy authority which can be used by the plug-in associated with the version of the application needing to be evaluated.
14. The apparatus according to one of claims 8 to 13, the detection unit being further configured to detect one or more of the following of the version of the application requiring evaluation based on the detection association information, the detection association information comprising: the code of the installation package of the version of the application needing to be evaluated, the version attribute information of the version of the application needing to be evaluated, and the identification of the operation associated with obtaining the private data are determined based on monitoring the code of the version of the application needing to be evaluated when the code of the version of the application needing to be evaluated is loaded to a runtime.
15. A server, comprising:
one or more processors;
a memory for storing one or more programs,
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method recited in any of claims 1-7.
16. A computer-readable medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1-7.
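The static checks recited in claims 1 and 5, sketched as an added example that is not code from the patent or its applicant. The three library excerpts, the `com.example.*` packages and the `ExampleAds` SDK are constructed; reading "available" as "reachable through an API call found in the installation package code", and reading claim 5 as a two-way comparison between applied-for and notified permissions, are assumptions.

```python
P = "android.permission."
FINE, COARSE = P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"
PHONE, AUDIO, CAMERA = P + "READ_PHONE_STATE", P + "RECORD_AUDIO", P + "CAMERA"

# Permission-API feature library (constructed excerpt):
# API -> permissions, any one of which is enough to make the call.
PERMISSION_API_LIBRARY = {
    "android.location.LocationManager.getLastKnownLocation": {FINE, COARSE},
    "android.telephony.TelephonyManager.getDeviceId": {PHONE},
    "android.media.AudioRecord.startRecording": {AUDIO},
}

# Android permission knowledge library (constructed excerpt): privacy permissions.
PRIVACY_PERMISSIONS = {FINE, COARSE, PHONE, AUDIO, CAMERA}

# Third-party SDK feature library (hypothetical SDK):
# package prefix -> SDK name and the privacy permissions it is prohibited from using.
SDK_FEATURE_LIBRARY = {
    "com.example.adsdk": {"name": "ExampleAds", "prohibited": {PHONE}},
}


def owning_sdk(caller_class):
    """Return the SDK entry that owns caller_class (longest package prefix wins)."""
    best = None
    for prefix, entry in SDK_FEATURE_LIBRARY.items():
        # Match on a package boundary so com.example.adsdkextra is not
        # attributed to com.example.adsdk.
        if caller_class == prefix or caller_class.startswith(prefix + "."):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, entry)
    return best[1] if best else None


def assess(applied, disclosed, call_sites):
    """applied: permissions requested in the manifest; disclosed: permissions
    named in the user privacy agreement; call_sites: (caller class, API) pairs
    recovered from the installation package code."""
    used_not_applied, sdk_prohibited = set(), set()
    for caller, api in call_sites:
        needed = PERMISSION_API_LIBRARY.get(api, set()) & PRIVACY_PERMISSIONS
        if not needed:
            continue
        # Claim 1, first condition: the code can exercise a privacy
        # permission that the version never applied for.
        if not (needed & applied):
            used_not_applied.add((api, tuple(sorted(needed))))
        # Claim 1, second condition: an SDK reaches a permission it is
        # prohibited from using.
        sdk = owning_sdk(caller)
        if sdk:
            for perm in needed & sdk["prohibited"]:
                sdk_prohibited.add((sdk["name"], perm, api))
    findings = {
        "used_not_applied": sorted(used_not_applied),
        "sdk_prohibited": sorted(sdk_prohibited),
        # Claim 5 (as interpreted here): applied-for vs. notified, both ways.
        "applied_not_disclosed": sorted((applied & PRIVACY_PERMISSIONS) - disclosed),
        "disclosed_not_applied": sorted((disclosed & PRIVACY_PERMISSIONS) - applied),
    }
    findings["at_risk"] = any(findings.values())
    return findings


# Constructed sample input for one application version.
SAMPLE_APPLIED = {COARSE, CAMERA, P + "INTERNET"}
SAMPLE_DISCLOSED = {COARSE, AUDIO}
SAMPLE_CALL_SITES = [
    ("com.example.app.MapActivity", "android.location.LocationManager.getLastKnownLocation"),
    ("com.example.adsdk.Collector", "android.telephony.TelephonyManager.getDeviceId"),
    ("com.example.adsdkextra.Helper", "android.media.AudioRecord.startRecording"),
]

if __name__ == "__main__":
    for key, value in assess(SAMPLE_APPLIED, SAMPLE_DISCLOSED, SAMPLE_CALL_SITES).items():
        print(key, value)
```
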
CN201811497292.9A 2018-12-07 2018-12-07 Privacy risk assessment method and device Active CN109598146B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811497292.9A CN109598146B (en) 2018-12-07 2018-12-07 Privacy risk assessment method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811497292.9A CN109598146B (en) 2018-12-07 2018-12-07 Privacy risk assessment method and device

Publications (2)

Publication Number Publication Date
CN109598146A CN109598146A (en) 2019-04-09
CN109598146B true CN109598146B (en) 2023-02-17

Family

ID=65961580

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811497292.9A Active CN109598146B (en) 2018-12-07 2018-12-07 Privacy risk assessment method and device

Country Status (1)

Country Link
CN (1) CN109598146B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110851872B (en) * 2019-11-19 2021-02-23 支付宝(杭州)信息技术有限公司 Risk assessment method and device for private data leakage
CN113806201A (en) * 2020-06-11 2021-12-17 福建天泉教育科技有限公司 Industry APP permission test system
CN114971107A (en) * 2021-02-25 2022-08-30 华为技术有限公司 Privacy risk feedback method and device and first terminal equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103514397A (en) * 2013-09-29 2014-01-15 西安酷派软件科技有限公司 Server, terminal and authority management and permission method
CN103593605A (en) * 2013-10-24 2014-02-19 复旦大学 Android platform applications dynamic analysis system based on permission use behaviors
CN105117544A (en) * 2015-08-21 2015-12-02 李涛 Android platform App risk assessment method based on mobile cloud computing and Android platform App risk assessment device based on mobile cloud computing
CN108280352A (en) * 2018-01-17 2018-07-13 西安邮电大学 A kind of privacy assessment and right management method based on 8.0 authority mechanisms of Android

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104346566A (en) * 2013-07-31 2015-02-11 腾讯科技(深圳)有限公司 Method, device, terminal, server and system for detecting privacy authority risks
CN103577750B (en) * 2013-11-15 2016-08-17 北京奇虎科技有限公司 Privacy authority management method and device
CN106529274A (en) * 2016-10-26 2017-03-22 努比亚技术有限公司 Terminal and information security protection method thereof
CN106815527A (en) * 2016-12-01 2017-06-09 全球能源互联网研究院 The detection method and device of a kind of IOS application datas safety

Also Published As

Publication number Publication date
CN109598146A (en) 2019-04-09

Similar Documents

Publication Publication Date Title
CN109598127B (en) Privacy risk assessment method and device
CN109344657B (en) Privacy risk assessment method and device
KR101402057B1 (en) Analyzing system of repackage application through calculation of risk and method thereof
CN109598146B (en) Privacy risk assessment method and device
US9053322B2 (en) Computing environment security method and electronic computing system
KR101739125B1 (en) Apparatus and method for analysing a permission of application for mobile device and detecting risk
KR101214893B1 (en) Apparatus and method for detecting similarity amongf applications
EP2595423A1 (en) Application security evaluation system and method
KR101277517B1 (en) Apparatus and method for detecting falsified application
CN108763951B (en) Data protection method and device
CN106845223B (en) Method and apparatus for detecting malicious code
KR20150044490A (en) A detecting device for android malignant application and a detecting method therefor
CN112749088B (en) Application program detection method and device, electronic equipment and storage medium
CN112115473A (en) Method for security detection of Java open source assembly
Schindler et al. Privacy leak identification in third-party android libraries
CN109145589B (en) Application program acquisition method and device
CN106407815B (en) Vulnerability detection method and device
CN109635558B (en) Access control method, device and system
Seghir et al. Evicheck: Digital evidence for android
CN113282906B (en) Authority detection method, device, terminal and storage medium
CN114637675A (en) Software evaluation method and device and computer readable storage medium
CN113254837A (en) Application program evaluation method, device, system, equipment and medium
CN113553578A (en) Log printing response method and device, electronic equipment and storage medium
CN108256320B (en) Dynamic detection method, device, equipment and storage medium for differential domain
Gamba et al. Mules and permission laundering in android: Dissecting custom permissions in the wild

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant