CN110598382B - Sensitive authority control method and device and electronic equipment - Google Patents

Publication number: CN110598382B
Authority: CN (China)
Legal status: Active
Application number: CN201910743199.XA
Other languages: Chinese (zh)
Other versions: CN110598382A (en)
Inventors: 徐国爱, 郭燕慧, 王沙沙, 葛慧晗
Current Assignee: Beijing University of Posts and Telecommunications
Original Assignee: Beijing University of Posts and Telecommunications

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection

Abstract

The invention discloses a sensitive authority control method, a sensitive authority control device and electronic equipment, which can realize finer-grained, more efficient and safer authority control. The method comprises the following steps: performing static analysis on a target application, and determining a mapping relation between a control of the target application and a sensitive authority; intercepting a sensitive permission request of the target application, and acquiring part of behavior information triggering the sensitive permission request; supplementing the partial behavior information according to the mapping relation between the control and the sensitive authority to obtain complete behavior information; and determining an authority control decision corresponding to the sensitive authority request according to the complete behavior information, and responding to the sensitive authority request according to the authority control decision. The device comprises a static analysis module, an interception module, a supplement module and a control decision module. The electronic device comprises a memory, a processor and a computer program stored on the memory and executable on the processor to implement the sensitive authority control method.

Description

Sensitive authority control method and device and electronic equipment
Technical Field
The invention relates to the technical field of intelligent terminal application software analysis, in particular to a method and a device for controlling a sensitive authority and electronic equipment.
Background
With the rapid popularization of intelligent terminal equipment, the number of applications for intelligent terminals has also grown explosively. Although the rapid growth of mobile applications stimulates continuous innovation on the internet and continuous improvement of functions, and brings users an excellent experience, problems such as misuse of application permissions and leakage of users' private data are gradually causing relatively serious negative effects and are drawing the attention of more and more users.
Existing mobile operating systems mostly adopt a permission system to protect the integrity of the system and the privacy of users. In the familiar model, a list of the requested permissions is displayed to the user when the application is installed, and the application is installed and run after the user grants authorization according to their wishes; further, the user may manage permissions dynamically. This permission control mechanism has certain defects. To fit the detailed division of actual functional requirements more closely, fine-grained permission control methods have been developed, mainly comprising methods based on the accessed data, methods based on code entities, and methods based on a finer-grained division of permissions.
However, the existing fine-grained permission control methods are basically designed around developers and often have the following problems. First, they take the perspective of an application developer, for whom functions are realized in code: the many permission control options divided by function are not intuitive enough for users, who find it difficult to understand what the options actually mean, which can lead to excessive permission granting and permission abuse. Second, most fine-grained methods based on accessed data need users to identify private data manually, and methods based on a finer-grained division of permissions need users to confirm and authorize detailed permissions on a large scale, so the degree of manual participation is high and control efficiency is low. Third, different developers have different development concepts, so the division of permission control paths differs; dividing the various paths consumes great effort and cost, and universality is poor, which makes extension inconvenient.
Disclosure of Invention
In view of this, the present invention provides a sensitive permission control method that controls an application's sensitive permissions with finer granularity, more comprehensively, more safely and more efficiently, with less user intervention.
Based on the above purpose, the present invention provides a method for controlling sensitive permission, comprising:
performing static analysis on a target application, and determining a mapping relation between a control of the target application and a sensitive authority;
intercepting a sensitive permission request of the target application, and acquiring part of behavior information triggering the sensitive permission request;
supplementing the partial behavior information according to the mapping relation between the control and the sensitive authority to obtain complete behavior information;
and determining an authority control decision corresponding to the sensitive authority request according to the complete behavior information, and responding to the sensitive authority request according to the authority control decision.
Optionally, the performing static analysis on the target application to determine a mapping relationship between a control of the target application and a sensitive permission includes:
performing program static analysis on the target application to obtain context information related to the sensitive permission in the target application;
and comparing the context information with a control cluster mapped by a general control-sensitive authority, and determining the mapping relation between the control and the sensitive authority corresponding to the context information in the target application.
Optionally, the performing program static analysis on the target application to obtain context information related to the sensitive permission in the target application includes:
analyzing the APK resource file of the target application to acquire control information in the target application;
analyzing and determining an application program interface calling relation of the target application by using a program source code risk analysis tool according to the control information;
traversing the application program interface of the target application according to the application program interface calling relation, and screening out a sensitive application program interface;
determining corresponding sensitive control information and user interaction component information corresponding to the sensitive control information according to the sensitive application program interface;
the context information related to the sensitive permission comprises the sensitive application program interface, the sensitive control information and the user interaction component information.
Optionally, the comparing the context information with a control cluster mapped by a general control-sensitive permission to determine the mapping relationship between the control and the sensitive permission corresponding to the context information in the target application includes:
determining user interface data corresponding to each group of context information according to the context information;
processing the user interface data by utilizing a natural language processing technology to obtain a characteristic vector corresponding to each group of the context information;
calculating the similarity between the user interface data and the clustering center of each control cluster mapped by the general control-sensitive authority according to the characteristic vector, and determining the control cluster to which the corresponding control of the context information belongs;
and determining the mapping relation between the control corresponding to the context information and the sensitive authority according to the general control-sensitive authority mapping and the control cluster to which the control corresponding to the context information belongs.
Optionally, the intercepting the sensitive permission request of the target application, and acquiring part of behavior information triggering the sensitive permission request includes:
when the target application runs, intercepting the target application by utilizing an event message interception technology, and extracting and obtaining part of sensitive application program interface information, part of sensitive control information and corresponding part of user interaction component information which trigger the sensitive permission request;
the partial behavior information includes the partial sensitive application program interface information, the partial sensitive control information, and the partial user interaction component information.
Optionally, the intercepting the target application by using the event message interception technology comprises using an Xposed framework service to intercept the sensitive application program interface request and the callback functions required to trigger the sensitive application program interface request.
Optionally, the supplementing the partial behavior information according to the mapping relationship between the control and the sensitive permission to obtain complete behavior information includes:
determining context information corresponding to the part of the behavior information according to the mapping relation between the control and the sensitive authority;
and supplementing the partial behavior information according to the context information to obtain complete behavior information.
Optionally, determining, according to the complete behavior information, an authority control decision corresponding to the sensitive authority request includes:
determining sensitive control information corresponding to the complete behavior information;
judging whether a decision is made on a sensitive permission request corresponding to a control cluster to which the sensitive control information belongs according to a user historical decision record;
if the decision is made, processing the sensitive permission request according to the historical decision record of the user;
and if the decision is not made, generating decision request push information to acquire a corresponding user decision, processing the sensitive permission request according to the user decision and updating the user historical decision record.
Based on the above object, the present invention further provides a sensitive permission control apparatus, including:
the static analysis module is configured to perform static analysis on the target application and determine a mapping relation between a control of the target application and the sensitive authority;
the intercepting module is configured to intercept the sensitive permission request of the target application and acquire part of behavior information triggering the sensitive permission request;
the supplement module is configured to supplement the partial behavior information according to the mapping relation between the control and the sensitive authority to obtain complete behavior information;
and the control decision module is configured to determine an authority control decision corresponding to the sensitive authority request according to the complete behavior information, and respond to the sensitive authority request according to the authority control decision.
In view of the above, the present invention further provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and running on the processor, wherein the processor implements the sensitive permission control method when executing the program.
From the above description, it can be seen that the sensitive permission control method, the sensitive permission control device and the electronic device provided by the invention combine static analysis with dynamic interception and respond to each sensitive permission request of the target application with a corresponding permission control decision. By using the context information that triggers the sensitive permission request, they associate the expected function of the target application with its actual function, which realizes fine-grained permission control and makes it easier for users to understand. The permission control decision is based on the user's historical decisions, so user participation is greatly reduced while the user's actual requirements and preferences are better fitted, ensuring a high-quality user experience.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic diagram of a method for controlling a sensitive permission according to an embodiment of the present invention;
Fig. 2 is a schematic diagram illustrating a method for determining a mapping relationship between a control and a sensitive permission in a sensitive permission control method according to an embodiment of the present invention;
Fig. 3 is a schematic diagram illustrating a method for performing static analysis on a target application in a sensitive permission control method according to an embodiment of the present invention;
Fig. 4 is a schematic diagram illustrating a method for determining a mapping relationship between a control and a sensitive permission according to a general control-sensitive permission mapping in a sensitive permission control method according to an embodiment of the present invention;
Fig. 5 is a schematic diagram illustrating a method for determining an authority control decision in a sensitive authority control method according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a sensitive permission control apparatus according to an embodiment of the present invention;
Fig. 7 is a schematic diagram of a sensitive permission control electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to specific embodiments and the accompanying drawings.
It should be noted that all expressions using "first" and "second" in the embodiments of the present invention are used to distinguish two non-identical entities or non-identical parameters that have the same name. "First" and "second" are used merely for convenience of description and should not be construed as limiting the embodiments of the present invention; this is not repeated in the following embodiments.
In one aspect, the present invention provides a sensitive permission control method.
As shown in fig. 1, some optional embodiments of the present invention provide a sensitive permission control method, including:
S1: performing static analysis on a target application, and determining a mapping relation between a control of the target application and a sensitive authority;
First, static analysis is performed on the target application to determine the sensitive permission requests that the target application may involve, and a mapping relation between the controls and the sensitive permissions in the target application is established.
S2: intercepting a sensitive permission request of the target application, and acquiring part of behavior information triggering the sensitive permission request;
To reduce user participation and improve the efficiency of the control method, sensitive permission requests are intercepted while the target application is running, so that they can be processed automatically.
S3: supplementing the partial behavior information according to the mapping relation between the control and the sensitive authority to obtain complete behavior information;
The information obtained by intercepting the running target application is often incomplete. The partial behavior information obtained during interception is therefore completed using the mapping relation between controls and sensitive permissions obtained in the static analysis step.
S4: determining an authority control decision corresponding to the sensitive authority request according to the complete behavior information, and responding to the sensitive authority request according to the authority control decision.
Based on the complete behavior information, the permission control decision for the corresponding sensitive permission request is determined using a scheme based on the user's historical decision data, and the corresponding operation is carried out.
The sensitive permission control method combines static analysis with dynamic interception and responds to each sensitive permission request of the target application with a corresponding permission control decision. By using the context information that triggers the sensitive permission request, it associates the expected function of the target application, determined by static analysis, with its actual function, determined by dynamic interception, which realizes fine-grained permission control and is easier for the user to understand. The permission control decision is based on the user's historical decision data, so the user's actual requirements and preferences are better met, user participation is greatly reduced, and a high-quality user experience is ensured.
As shown in fig. 2, in a method for controlling a sensitive permission provided by some optional embodiments of the present invention, the performing static analysis on a target application and determining a mapping relationship between a control of the target application and a sensitive permission S1 includes:
S11: performing program static analysis on the target application to obtain context information related to the sensitive permission in the target application;
S12: comparing the context information with a control cluster mapped by a general control-sensitive authority, and determining the mapping relation between the control and the sensitive authority corresponding to the context information in the target application.
In the sensitive permission control method, program static analysis is performed on the target application to obtain the context information (Context) related to sensitive permissions in the target application. The control cluster to which the context information belongs is determined based on the general control-sensitive permission mapping, and the mapping relation between the control corresponding to the context information and the sensitive permission in the target application is then determined. Combining static analysis with the general control-sensitive permission mapping in this way yields the control-to-permission mapping for the target application's context information, so that the partial behavior information obtained by dynamic interception can be supplemented later.
As shown in fig. 3, in a method for controlling sensitive rights provided by some optional embodiments of the present invention, the performing static program analysis on the target application to obtain context information S11 related to sensitive rights in the target application includes:
S111: analyzing the APK resource file of the target application to acquire control information in the target application, wherein the control information comprises a control ID and control related attributes;
S112: analyzing and determining an application program interface calling relation of the target application by using a program source code risk analysis tool according to the control information;
The target application is analyzed with the FlowDroid source code risk analysis tool, the calling relationships among the application program interfaces in the target application are determined according to the control information, and the calling relationships are displayed visually by constructing a call relationship graph.
S113: traversing the application program interface of the target application according to the application program interface calling relation, and screening out a sensitive application program interface;
During traversal, the previously constructed call relationship graph can be followed along its paths in order to carry out the screening; a screened-out sensitive application program interface is an application program interface that triggers a sensitive permission request.
S114: according to the sensitive application program interface, determining corresponding sensitive control information and user interaction component information corresponding to the sensitive control information;
The sensitive control information is the information about a control that triggers a sensitive permission request, and the user interaction component information is the information about the user interaction component (Activity) in which the sensitive control is located.
When the sensitive control information and the corresponding user interaction component (Activity) information are determined according to the sensitive application program interface (API), if the method entry point of the sensitive API is a callback function bound to a label, the sensitive control information and the information about the Activity in which the sensitive control is located can be acquired directly; otherwise, the control that triggers the callback function or listening event, i.e., the sensitive control, can be determined through information flow analysis, thereby determining the sensitive control information and the user interaction component Activity information.
The context information related to the sensitive permission comprises the sensitive application program interface API, the sensitive control information and the user interaction component Activity information.
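One way to carry out steps S113 and S114 on a call graph, given here as an added example that is not part of the patent: starting from each sensitive API, walk the call graph backwards until a callback bound to a control is reached. The call graph, method names, control IDs and Activities are constructed sample data, and the backward breadth-first search is an assumed traversal strategy.

```python
from collections import defaultdict, deque

# Constructed sample data (not from the patent).
# Sensitive APIs and the permission each one requires.
SENSITIVE_APIS = {
    "android.location.LocationManager.getLastKnownLocation": "ACCESS_FINE_LOCATION",
    "android.telephony.SmsManager.sendTextMessage": "SEND_SMS",
    "android.hardware.Camera.open": "CAMERA",  # declared sensitive, never called
}

# Callbacks bound to a control in the APK resources, as produced by S111:
# callback method -> (control ID, Activity hosting the control).
ENTRY_POINTS = {
    "MapActivity.onLocateClick": ("btn_locate", "MapActivity"),
    "ShareActivity.onNearbyClick": ("btn_nearby", "ShareActivity"),
    "ShareActivity.onSendClick": ("btn_send", "ShareActivity"),
    "SettingsActivity.onAboutClick": ("btn_about", "SettingsActivity"),
}

# Caller -> callees, as a call-graph tool would report it (S112).
CALL_GRAPH = {
    "MapActivity.onLocateClick": ["LocationHelper.current"],
    "ShareActivity.onNearbyClick": ["LocationHelper.current"],
    "LocationHelper.current": [
        "android.location.LocationManager.getLastKnownLocation",
        "LocationHelper.retry",
    ],
    "LocationHelper.retry": ["LocationHelper.current"],  # cycle in the graph
    "ShareActivity.onSendClick": ["SmsSender.send"],
    "SmsSender.send": ["android.telephony.SmsManager.sendTextMessage"],
    "SettingsActivity.onAboutClick": ["AboutDialog.show"],
}


def build_callers(call_graph):
    """Invert caller -> callees edges into callee -> callers."""
    callers = defaultdict(set)
    for caller, callees in call_graph.items():
        for callee in callees:
            callers[callee].add(caller)
    return callers


def extract_contexts(call_graph, sensitive_apis, entry_points):
    """Return one context record per (sensitive API, triggering control)."""
    callers = build_callers(call_graph)
    contexts = []
    for api, permission in sensitive_apis.items():
        seen, queue = {api}, deque([api])
        while queue:
            method = queue.popleft()
            if method in entry_points:
                control_id, activity = entry_points[method]
                contexts.append({
                    "api": api,
                    "permission": permission,
                    "control_id": control_id,
                    "activity": activity,
                })
            # The seen set keeps the walk finite when the graph has cycles.
            for caller in callers.get(method, ()):
                if caller not in seen:
                    seen.add(caller)
                    queue.append(caller)
    return sorted(contexts, key=lambda c: (c["api"], c["activity"], c["control_id"]))


if __name__ == "__main__":
    for ctx in extract_contexts(CALL_GRAPH, SENSITIVE_APIS, ENTRY_POINTS):
        print(ctx)
```

A control such as `btn_about` that never reaches a sensitive API produces no context record, and one API reached from two controls produces two records, one per control.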
As shown in fig. 4, in a method for controlling sensitive permission provided in some optional embodiments of the present invention, the comparing the context information with a control cluster mapped by a general control-sensitive permission to determine a mapping relation S12 between the control and the sensitive permission in the target application corresponding to the context information includes:
S121: determining User Interface (UI) data corresponding to each group of context information according to the context information;
In the step of determining the mapping relation between controls and sensitive permissions, the sensitive permission control method links the context information to the user interface (UI) data, that is, it establishes a relation between the context information and the actual potential function. Classification and decisions made on this basis in later steps therefore align more closely with the behavior habits of the user side, which makes the method easier for users to understand.
S122: processing the UI data of the user interface by utilizing a Natural Language Processing (NLP) technology to obtain a characteristic vector corresponding to each group of the context information;
S123: calculating the similarity between the UI data of the user interface and the clustering center of each control cluster mapped by the general control-sensitive authority according to the characteristic vector, and determining the control cluster to which the corresponding control of the context information belongs;
S124: determining the mapping relation between the control corresponding to the context information and the sensitive authority according to the general control-sensitive authority mapping and the control cluster to which the control corresponding to the context information belongs.
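Steps S122 to S124 as a small added example, not taken from the patent: UI text for a control is turned into a term-frequency vector and assigned to the control cluster whose center is most similar. The bag-of-words features, cosine similarity, cluster centers and the 0.3 minimum-similarity cut-off are all assumptions; the patent only specifies "NLP", "feature vector" and "similarity".

```python
import math
import re
from collections import Counter

# Constructed cluster centers of a general control-sensitive permission
# mapping: cluster name -> weighted terms (not from the patent).
CLUSTER_CENTERS = {
    "share_location": {"location": 0.7, "share": 0.4, "nearby": 0.4,
                       "map": 0.3, "locate": 0.3},
    "send_message": {"send": 0.7, "message": 0.5, "sms": 0.4, "invite": 0.3},
    "scan_code": {"scan": 0.7, "qr": 0.5, "code": 0.4, "camera": 0.3},
}

# Sensitive permission associated with each cluster (constructed).
CLUSTER_PERMISSION = {
    "share_location": "ACCESS_FINE_LOCATION",
    "send_message": "SEND_SMS",
    "scan_code": "CAMERA",
}


def featurize(ui_text):
    """Split labels, resource IDs and CamelCase names into lowercase terms."""
    tokens = re.findall(r"[A-Za-z][a-z]+|[A-Z]+(?![a-z])", ui_text)
    return Counter(token.lower() for token in tokens)


def cosine(a, b):
    """Cosine similarity of two sparse vectors stored as dicts."""
    dot = sum(weight * b.get(term, 0.0) for term, weight in a.items())
    norm = (math.sqrt(sum(w * w for w in a.values()))
            * math.sqrt(sum(w * w for w in b.values())))
    return dot / norm if norm else 0.0


def assign_cluster(ui_text, centers=CLUSTER_CENTERS, min_similarity=0.3):
    """Return the best-matching cluster, or None when nothing is close enough.

    min_similarity is an assumed cut-off so that controls unrelated to any
    cluster are not forced into the nearest one.
    """
    vector = featurize(ui_text)
    best_name, best_sim = None, 0.0
    for name, center in centers.items():
        sim = cosine(vector, center)
        if sim > best_sim:
            best_name, best_sim = name, sim
    if best_name is None or best_sim < min_similarity:
        return None
    return {
        "cluster": best_name,
        "permission": CLUSTER_PERMISSION[best_name],
        "similarity": round(best_sim, 2),
    }


if __name__ == "__main__":
    # UI data per control: resource ID, visible label, hosting Activity.
    for text in ("btn_nearby Share my location ShareActivity",
                 "btn_scan Scan QR code ScanActivity",
                 "btn_about About this app SettingsActivity"):
        print(text, "->", assign_cluster(text))
```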
In a sensitive permission control method provided in some optional embodiments of the present invention, the intercepting a sensitive permission request of a target application, and acquiring partial behavior information S2 triggering the sensitive permission request includes:
when the target application runs, intercepting the target application by utilizing an event message interception technology, and extracting and obtaining part of sensitive application program interface information, part of sensitive control information and corresponding part of user interaction component information which trigger the sensitive permission request;
the partial behavior information includes the partial sensitive application program interface information, the partial sensitive control information, and the partial user interaction component information.
In order to realize fine-grained permission control during running, comprehensive context information needs to be acquired, so that when the target program is intercepted, besides intercepting a sensitive Application Program Interface (API), control information triggering a sensitive permission request and Activity information of a user interaction component where the control is located need to be intercepted and acquired.
In a sensitive permission control method provided in some optional embodiments of the present invention, the intercepting the target application by using an event message interception technology comprises using an Xposed framework service to intercept the sensitive application program interface request and the callback functions required to trigger the sensitive application program interface request.
When the Xposed framework service is used to intercept the target application, in addition to the sensitive APIs related to the sensitive permission request, the callback functions that may be required to trigger the sensitive API request, including all callbacks and listening events, are intercepted, so that the related sensitive control information and the Activity information of the user interaction component can be determined.
In a method for controlling a sensitive permission provided in some optional embodiments of the present invention, the supplementing the partial behavior information according to the mapping relationship between the control and the sensitive permission to obtain complete behavior information includes:
determining context information corresponding to the part of the behavior information according to the mapping relation between the control and the sensitive authority;
and supplementing the partial behavior information according to the context information to obtain complete behavior information.
In the sensitive permission control method, the data that can be intercepted while the target application is running is limited; compared with the information describing the complete behavior, what is intercepted is only partial behavior information. The partial behavior information comprises the partial sensitive application program interface (API) information, the partial sensitive control information and the partial user interaction component Activity information. The context information corresponding to the partial behavior information is determined according to the mapping relation between the control and the sensitive permission, and is used to supplement the partial sensitive API information, the partial sensitive control information and the partial user interaction component Activity information to obtain the complete behavior information.
As shown in fig. 5, in a sensitive permission control method according to some alternative embodiments of the present invention, determining a permission control decision S4 corresponding to the sensitive permission request according to the complete behavior information includes:
determining sensitive control information corresponding to the complete behavior information;
judging whether a decision is made on a sensitive permission request corresponding to a control cluster to which the sensitive control information belongs according to a user historical decision record;
if the decision is made, processing the sensitive permission request according to the historical decision record of the user;
and if the decision is not made, generating decision request push information to acquire a corresponding user decision, processing the sensitive permission request according to the user decision and updating the user historical decision record.
The sensitive authority control method adopts an authority control strategy based on the user's historical decisions. First, the sensitive control information corresponding to the complete behavior information is determined, and the user historical decision record is checked to judge whether the user has already made a decision on a sensitive permission request corresponding to the same control cluster to which the sensitive control information belongs. If a sensitive permission request of the same control cluster has been decided, the sensitive permission request is processed according to the choice in the user historical decision record; if not, the user is asked to decide the sensitive permission request, which is appearing for the first time, and the decision is recorded. In this way, the user's involvement in the authority control process is greatly reduced while the user's actual requirements and preferences are still matched, ensuring a high-quality user experience.
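The supplement step and the history-based decision described above, as an added Python example that is not code from the patent. The mapping rows, control and Activity names, cluster labels and the `ask_user` callback are constructed for illustration; keying the history on (cluster, permission) and prompting without recording when the partial information cannot be completed are assumptions, since the text does not cover that case.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Behavior:
    api: Optional[str] = None         # sensitive API that was called
    control: Optional[str] = None     # control (widget) that triggered it
    activity: Optional[str] = None    # user interaction component (Activity)
    cluster: Optional[str] = None     # control cluster from static analysis
    permission: Optional[str] = None  # sensitive permission being requested


# Constructed stand-in for the static-analysis output: one row per
# control-to-sensitive-permission mapping found in the target application.
STATIC_MAP = [
    Behavior("LocationManager.getLastKnownLocation", "btn_nearby",
             "MapActivity", "find_nearby", "ACCESS_FINE_LOCATION"),
    Behavior("LocationManager.getLastKnownLocation", "btn_checkin",
             "PostActivity", "share_location", "ACCESS_FINE_LOCATION"),
    Behavior("Camera.open", "btn_scan", "ScanActivity", "scan_code", "CAMERA"),
]


def supplement(partial: Behavior, mapping=STATIC_MAP) -> Optional[Behavior]:
    """Complete a partial record from the single mapping row that agrees
    with every field observed at run time."""
    observed = {k: v for k, v in vars(partial).items() if v is not None}
    hits = [row for row in mapping
            if all(getattr(row, k) == v for k, v in observed.items())]
    # No match or an ambiguous match means the record cannot be completed.
    return hits[0] if len(hits) == 1 else None


class PermissionController:
    def __init__(self, ask_user: Callable[[Behavior], bool]):
        self.ask_user = ask_user  # hypothetical prompt: True = allow
        self.history = {}         # (cluster, permission) -> user decision
        self.prompts = 0

    def decide(self, partial: Behavior) -> bool:
        full = supplement(partial)
        if full is None:
            # Assumption: with no cluster to key on, ask and record nothing.
            self.prompts += 1
            return self.ask_user(partial)
        key = (full.cluster, full.permission)
        if key not in self.history:  # first request for this cluster
            self.prompts += 1
            self.history[key] = self.ask_user(full)
        return self.history[key]     # reuse the recorded decision


def demo():
    answers = {"find_nearby": True, "share_location": False}
    ctl = PermissionController(lambda b: answers.get(b.cluster, False))
    api = "LocationManager.getLastKnownLocation"
    events = [  # constructed interception records with missing fields
        Behavior(api=api, control="btn_nearby"),
        Behavior(api=api, activity="MapActivity"),  # same cluster, no prompt
        Behavior(api=api, control="btn_checkin"),   # different cluster
        Behavior(api=api),                          # ambiguous: two rows match
    ]
    return [ctl.decide(e) for e in events], ctl.prompts
```

The same API call is allowed from one control cluster and denied from another, and the second request from the first cluster is answered from the history without prompting.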
In another aspect, the invention further provides a sensitive authority control device.
As shown in fig. 6, some alternative embodiments of the present invention provide a sensitive permission control apparatus, including:
the static analysis module 1 is configured to perform static analysis on a target application and determine a mapping relation between a control of the target application and a sensitive permission;
the interception module 2 is configured to intercept the sensitive permission request of the target application and acquire part of behavior information triggering the sensitive permission request;
the supplement module 3 is configured to supplement the partial behavior information according to the mapping relation between the control and the sensitive authority to obtain complete behavior information;
and the control decision module 4 is configured to determine an authority control decision corresponding to the sensitive authority request according to the complete behavior information, and respond to the sensitive authority request according to the authority control decision.
The apparatus of the foregoing embodiment is used to implement the corresponding method in the foregoing embodiment, and has the beneficial effects of the corresponding method embodiment, which are not described herein again.
In another aspect, the present invention further provides an electronic device for executing the sensitive permission control method.
As shown in fig. 7, the electronic apparatus includes:
one or more processors 701 and a memory 702, one processor 701 being illustrated in fig. 6.
The electronic device executing the sensitive permission control method may further include: an input device 703 and an output device 703.
The processor 701, the memory 702, the input device 703 and the output device 703 may be connected by a bus or other means, and fig. 7 illustrates an example of a connection by a bus.
The memory 702, which is a non-volatile computer-readable storage medium, may be used to store non-volatile software programs, non-volatile computer-executable programs, and modules, such as program instructions/modules corresponding to the sensitive authority control method in this embodiment of the present application. The processor 701 executes various functional applications and data processing of the server by running the nonvolatile software programs, instructions and modules stored in the memory 702, that is, implements the sensitive authority control method of the above-described method embodiment.
The memory 702 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to use of a device that performs the sensitive authority control method, and the like. Further, the memory 702 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some embodiments, memory 702 may optionally include memory located remotely from processor 701, and such remote memory may be coupled to member user behavior monitoring devices via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 703 may receive input numeric or character information and generate key signal inputs related to user settings and function control of the apparatus performing the sensitive authority control method. The output device 703 may include a display device such as a display screen.
The one or more modules are stored in the memory 702 and, when executed by the one or more processors 701, perform the sensitive permission control method of any of the method embodiments described above. The technical effect of the embodiment of the device for executing the sensitive authority control method is the same as or similar to that of any method embodiment.
Those of ordinary skill in the art will understand that the discussion of any embodiment above is meant to be exemplary only, and is not intended to intimate that the scope of the disclosure, including the claims, is limited to these examples; within the idea of the invention, features in the above embodiments or in different embodiments may also be combined, steps may be implemented in any order, and there are many other variations of the different aspects of the invention as described above, which are not provided in detail for the sake of brevity.
In addition, well known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown within the provided figures for simplicity of illustration and discussion, and so as not to obscure the invention. Furthermore, devices may be shown in block diagram form in order to avoid obscuring the invention, and also in view of the fact that specifics with respect to implementation of such block diagram devices are highly dependent upon the platform within which the present invention is to be implemented (i.e., specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the invention, it should be apparent to one skilled in the art that the invention can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative instead of restrictive.
While the present invention has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of these embodiments will be apparent to those of ordinary skill in the art in light of the foregoing description. For example, other memory architectures (e.g., dynamic RAM (DRAM)) may use the discussed embodiments.
The embodiments of the invention are intended to embrace all such alternatives, modifications and variances that fall within the broad scope of the appended claims. Therefore, any omissions, modifications, substitutions, improvements and the like that may be made without departing from the spirit and principles of the invention are intended to be included within the scope of the invention.

Claims (10)

1. A method for controlling sensitive permission, comprising:
performing static analysis on a target application, and determining a mapping relation between a control of the target application and a sensitive authority;
intercepting a sensitive permission request of the target application, and acquiring part of behavior information triggering the sensitive permission request;
the part of behavior information comprises part of sensitive application program interface information, part of sensitive control information and part of user interaction component information;
supplementing the partial behavior information according to the mapping relation between the control and the sensitive authority to obtain complete behavior information;
and determining an authority control decision corresponding to the sensitive authority request according to the complete behavior information, and responding to the sensitive authority request according to the authority control decision.
2. The method of claim 1, wherein the statically analyzing the target application and determining the mapping relationship between the control and the sensitive permission of the target application comprises:
performing program static analysis on the target application to obtain context information related to the sensitive permission in the target application;
and comparing the context information with a control cluster mapped by a general control-sensitive authority, and determining the mapping relation between the control and the sensitive authority corresponding to the context information in the target application.
3. The method of claim 2, wherein the performing program static analysis on the target application to obtain context information related to sensitive rights in the target application comprises:
analyzing the APK resource file of the target application to acquire control information in the target application;
analyzing and determining an application program interface calling relation of the target application by using a program source code risk analysis tool according to the control information;
traversing the application program interface of the target application according to the application program interface calling relation, and screening out a sensitive application program interface;
determining corresponding sensitive control information and user interaction component information corresponding to the sensitive control information according to the sensitive application program interface;
the context information related to the sensitive permission comprises the sensitive application program interface, the sensitive control information and the user interaction component information.
4. The method of claim 2, wherein the comparing the context information with a control cluster mapped by a common control-sensitive permission to determine the mapping relationship between the control and the sensitive permission in the target application corresponding to the context information comprises:
determining user interface data corresponding to each group of context information according to the context information;
processing the user interface data by utilizing a natural language processing technology to obtain a characteristic vector corresponding to each group of the context information;
calculating the similarity between the user interface data and the clustering center of each control cluster mapped by the general control-sensitive authority according to the characteristic vector, and determining the control cluster to which the corresponding control of the context information belongs;
and determining the mapping relation between the control corresponding to the context information and the sensitive authority according to the general control-sensitive authority mapping and the control cluster to which the control corresponding to the context information belongs.
5. The method according to claim 1, wherein the intercepting the sensitive permission request of the target application and acquiring the partial behavior information triggering the sensitive permission request comprises:
and when the target application runs, intercepting the target application by utilizing an event message interception technology, and extracting and obtaining the part of sensitive application program interface information, the part of sensitive control information and the corresponding part of user interaction component information which trigger the sensitive permission request.
6. The method of claim 5, wherein the intercepting the target application by the event message interception technique is intercepting a callback function required for triggering a sensitive application program interface request by an Xposed framework service.
7. The method of claim 1, wherein the supplementing the partial behavior information according to the mapping relationship between the control and the sensitive permission to obtain complete behavior information comprises:
determining context information corresponding to the part of the behavior information according to the mapping relation between the control and the sensitive authority;
and supplementing the partial behavior information according to the context information to obtain complete behavior information.
8. The method of claim 1, wherein determining, based on the complete behavior information, a permission control decision corresponding to the sensitive permission request comprises:
determining sensitive control information corresponding to the complete behavior information;
judging whether a decision is made on a sensitive permission request corresponding to a control cluster to which the sensitive control information belongs according to a user historical decision record;
if the decision is made, processing the sensitive permission request according to the historical decision record of the user;
and if the decision is not made, generating decision request push information to acquire a corresponding user decision, processing the sensitive permission request according to the user decision and updating the user historical decision record.
9. A sensitive rights control apparatus, comprising:
the static analysis module is configured to perform static analysis on the target application and determine a mapping relation between a control of the target application and the sensitive authority;
the intercepting module is configured to intercept the sensitive permission request of the target application and acquire part of behavior information triggering the sensitive permission request;
the supplement module is configured to supplement the partial behavior information according to the mapping relation between the control and the sensitive authority to obtain complete behavior information;
and the control decision module is configured to determine an authority control decision corresponding to the sensitive authority request according to the complete behavior information, and respond to the sensitive authority request according to the authority control decision.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method according to any of claims 1 to 8 when executing the program.
CN201910743199.XA 2019-08-13 2019-08-13 Sensitive authority control method and device and electronic equipment Active CN110598382B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910743199.XA CN110598382B (en) 2019-08-13 2019-08-13 Sensitive authority control method and device and electronic equipment

Publications (2)

Publication Number Publication Date
CN110598382A CN110598382A (en) 2019-12-20
CN110598382B true CN110598382B (en) 2020-11-13

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant