CN111290935A - Application program APP detection method, device, equipment and medium

Info

Publication number
CN111290935A
Authority
CN
China
Prior art keywords
app
detected
technical framework
software
information
Prior art date
Legal status
Granted
Application number
CN201811486778.2A
Other languages
Chinese (zh)
Other versions
CN111290935B (en)
Inventor
高琛
刘冬岩
徐金阳
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Liaoning Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Liaoning Co Ltd
Priority date
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd, China Mobile Group Liaoning Co Ltd
Priority to CN201811486778.2A
Publication of CN111290935A
Application granted
Publication of CN111290935B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/3668 Software testing
    • G06F11/3672 Test management
    • G06F11/3684 Test management for test design, e.g. generating new test cases
    • G06F11/3692 Test management for test results analysis
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The embodiment of the invention provides an application program APP detection method, device, equipment and medium. The method comprises the following steps: collecting vulnerability information from a network to form a vulnerability information base; collecting a software package from a network; extracting technical framework fingerprint information of the software package to form a software baseline library; identifying the technical framework of the APP to be detected to obtain the technical framework fingerprint information of the APP to be detected; comparing the technical framework fingerprint information of the APP to be detected with the technical framework fingerprint information of the software baseline library, and confirming the technical framework identity information of the APP to be detected; and comparing the technical framework identity information of the APP to be detected with the vulnerability information base to generate a vulnerability detection result of the APP to be detected. With the technical scheme provided by the embodiment of the invention, the technical component framework used by the APP can be identified, the identity information of the technical framework is confirmed and matched against the vulnerability library, vulnerabilities of the APP to be detected are rapidly detected and found, detection efficiency and accuracy are greatly improved, and false alarms are avoided.

Description

Application program APP detection method, device, equipment and medium
Technical Field
The present invention relates to the field of communications technologies, and in particular to a method, an apparatus, a device, and a medium for detecting an application program (APP).
Background
In recent years, with the development of mobile internet technology and the implementation of national strategies, electronic commerce and electronic government have developed vigorously on the basis of smart phones, mobile phone applications (APPs) have become widespread, and the accompanying information security problems have become more severe. Among the many security problems, those introduced by the technical frameworks used by mobile phone APPs are often harder to discover, more harmful, and less well served by effective detection means than problems at the system level.
In order to deal actively with APP security problems, security vendors at home and abroad have released APP security inspection systems or tools. In developing these tools, attention is usually paid only to checking the configuration security of the Android operating system and its native components, or to providing components with security attributes for application developers to use; the technical-architecture risk introduced into the APP is ignored, the type and number of problems sought are treated as the main indicators, and the actual security problems in the application are overlooked.
Existing detection mechanisms are of two kinds. The first is based on checking general configuration items: whether a security risk exists is judged by analyzing fixed configuration items in the application's configuration files, and a security suggestion is given; this approach has a narrow range of application and a limited effect on actual security. The second designs a large number of test cases around the APP's specific business scenarios; testers must also write related test scripts that trigger the APP's business events so that business behavior records are produced, and whether the operation carries risk is judged by monitoring and analyzing those records. This method involves a huge development workload and is of no value for general adoption.
In summary, conventional APP security vulnerability configuration checking falls into two categories, manual checking and tool checking, and both have many problems in task scheduling, specifically as follows:
1. Low manual efficiency: manually checking APP security vulnerability configuration requires inspectors to understand the APP's business scenarios and internal behavior, depends heavily on the inspectors' personal experience, and cannot guarantee the overall detection level; only one mobile phone APP can be checked at a time, so the method is unsuitable for large-scale use, and because devices are checked by hand no scheduling algorithm is applied.
2. Heavy workload: inspection of fixed configuration files and configuration items finds a limited set of problems and brings no obvious improvement. Comprehensive testing and verification of the APP's business scenarios, for example, requires test cases to be designed in advance and a large number of detection scripts to be written; the workload is huge, the test scripts are hard to generalize across different APPs, and script reusability is low. When a large number of APPs are detected in batch, detection efficiency therefore suffers seriously.
3. Low accuracy: in the traditional checking mode, business behavior is triggered by simulated request events, the resulting behavioral characteristic data is obtained and matched against rules, and whether corresponding vulnerability risks exist is determined. Because the rules are set mechanically while the business changes dynamically, false positives and missed detections can occur, and accuracy is low.
Disclosure of Invention
The embodiment of the invention provides an application program APP detection method, device, equipment and medium, which can identify a technical component framework used by an APP, confirm identity information of the technical framework, match the identity information with a vulnerability library, quickly detect and find vulnerabilities of the APP to be detected, greatly improve detection efficiency and accuracy and avoid false alarm.
In a first aspect, an embodiment of the present invention provides an application program APP detection method, where the method includes:
collecting vulnerability information from a network to form a vulnerability information base;
collecting a software package from the network;
extracting technical framework fingerprint information of the software package to form a software baseline library;
identifying a technical framework of an APP to be detected to obtain technical framework fingerprint information of the APP to be detected;
comparing the technical framework fingerprint information of the APP to be tested with the technical framework fingerprint information of the software baseline library, and confirming the technical framework identity information of the APP to be tested, wherein the technical framework identity information comprises a technical framework software version and a technical framework software name;
and comparing the technical framework identity information of the APP to be detected with the vulnerability information base to generate a vulnerability detection result of the APP to be detected.
According to the application program APP detection method, the technical framework fingerprint information extraction of the software package comprises the following steps:
decompressing the software package to release the media file of the software package to a specified directory, and extracting the file of the software package from the specified directory;
generating digest (abstract) information based on the core program class file of the software package file;
and obtaining the technical framework fingerprint information of the software baseline library according to the abstract information.
According to the detection method of the application program APP, the software baseline library comprises, for each technical framework software:
a technical framework software name, a technical framework version number, a basic package path name, a core file directory and the technical framework fingerprint information.
According to the application program APP detection method, the method further comprises the following steps:
and carrying out format conversion on the installation package of the APP to be detected.
According to the method for detecting the APP, the format conversion is carried out on the installation package of the APP to be detected, and the method comprises the following steps:
reading an installation package file of the APP to be tested;
decompressing the file content of the installation package file;
releasing the decompressed file to a specified directory;
and converting the content format of the file in the specified directory.
According to the application program APP detection method, the method further comprises the following steps:
decompressing the file after the content format conversion is executed;
scanning and analyzing the decompressed file, and screening a scanning file directory of the APP to be detected;
matching the scanning file directory of the APP to be detected with the file directory of the software baseline library, and determining whether a software package matched with the technical architecture of the APP to be detected exists in the software baseline library, wherein the scanning file directory of the APP to be detected comprises a key package path name, and the file directory of the software baseline library comprises the basic package path name.
According to the application program APP detection method, the method further comprises the following steps:
and when a software package matched with the technical framework of the APP to be detected exists in the software baseline library, comparing the technical framework fingerprint information of the APP to be detected with the technical framework fingerprint information of the software baseline library, and confirming the technical framework identity information of the APP to be detected.
According to the method for detecting the APP, the step of comparing the technical framework fingerprint information of the APP to be detected with the technical framework fingerprint information of the software baseline library comprises the following steps:
generating technical framework fingerprint information of the APP to be detected based on the scanning file directory of the APP to be detected;
comparing the technical framework fingerprint information of the APP to be detected with the technical framework fingerprint information of the software baseline library;
the scanning file directory of the APP to be detected further comprises a technical architecture software name and a version number.
According to the application program APP detection method, the vulnerability information is collected from the network to form a vulnerability information base, and the method comprises the following steps:
and acquiring vulnerability information from the network by using a web crawler to form the vulnerability information base.
According to the application program APP detection method, the method further comprises the following steps:
and periodically updating the vulnerability information base based on a preset period, so that the publishing of the vulnerability information in the network is synchronous with the updating of the vulnerability information in the vulnerability information base.
In a second aspect, an embodiment of the present invention provides an apparatus for detecting an APP, where the apparatus includes:
the first acquisition module is used for acquiring vulnerability information from a network to form a vulnerability information base;
the second acquisition module is used for acquiring the software package from the network;
the extraction module is used for extracting technical framework fingerprint information of the software package to form a software baseline library;
the identification module is used for identifying the technical framework of the APP to be detected to obtain the technical framework fingerprint information of the APP to be detected;
the confirmation module is used for comparing the technical framework fingerprint information of the APP to be detected with the technical framework fingerprint information of the software baseline library and confirming the technical framework identity information of the APP to be detected, wherein the technical framework identity information comprises a technical framework software version and a technical framework software name;
and the first comparison module is used for comparing the technical framework identity information of the APP to be detected with the vulnerability information base to generate a vulnerability detection result of the APP to be detected.
According to the application program APP detection device, the extraction module is specifically configured to:
decompressing the software package to release the media file of the software package to a specified directory, and extracting the file of the software package from the specified directory;
generating digest (abstract) information based on the core program class file of the software package file;
and obtaining the technical framework fingerprint information of the software baseline library according to the abstract information.
According to the application program APP detection device, the software baseline library comprises, for each technical framework software:
a technical framework software name, a technical framework version number, a basic package path name, a core file directory and the technical framework fingerprint information.
According to the application program APP detection device, the device further comprises:
and the format conversion module is used for carrying out format conversion on the installation package of the APP to be tested.
According to the APP detection apparatus for an application program, the format conversion module is specifically configured to:
reading an installation package file of the APP to be tested;
decompressing the file content of the installation package file;
releasing the decompressed file to a specified directory;
and converting the content format of the file in the specified directory.
According to the application program APP detection device, the device further comprises:
the decompression module is used for decompressing the file subjected to the content format conversion;
the screening module is used for scanning and analyzing the decompressed files and screening a scanning file directory of the APP to be tested;
and the matching module is used for matching the scanning file directory of the APP to be detected with the file directory of the software baseline library and confirming whether a software package matched with the technical architecture of the APP to be detected exists in the software baseline library, wherein the scanning file directory of the APP to be detected comprises a key package path name, and the file directory of the software baseline library comprises the basic package path name.
According to the application program APP detection device, the device further comprises:
and the second comparison module is used for comparing the technical framework fingerprint information of the APP to be detected with the technical framework fingerprint information of the software baseline library when the software baseline library has a software package matched with the technical framework of the APP to be detected, and confirming the technical framework identity information of the APP to be detected.
According to the application program APP detection device, the second comparison module is specifically used for:
generating technical framework fingerprint information of the APP to be detected based on the scanning file directory of the APP to be detected;
comparing the technical framework fingerprint information of the APP to be detected with the technical framework fingerprint information of the software baseline library;
the scanning file directory of the APP to be detected further comprises a technical architecture software name and a version number.
According to the application program APP detection device, the first acquisition module is specifically configured to:
and acquiring vulnerability information from the network by using a web crawler to form the vulnerability information base.
According to the application program APP detection device, the device further comprises:
and the updating module is used for periodically updating the vulnerability information base based on a preset period so that the publishing of the vulnerability information in the network is synchronous with the updating of the vulnerability information in the vulnerability information base.
In a third aspect, an embodiment of the invention provides application program APP detection equipment, which comprises: at least one processor, at least one memory, and computer program instructions stored in the memory, which, when executed by the processor, implement the method of the first aspect of the embodiments described above.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, on which computer program instructions are stored, which, when executed by a processor, implement the method of the first aspect in the foregoing embodiments.
The application program APP detection method, device, equipment and medium provided by the embodiment of the invention can identify the technical component framework used by the APP, confirm the identity information of the technical framework, match the identity information with the vulnerability library, quickly detect and find the vulnerability of the APP to be detected, greatly improve the detection efficiency and accuracy and avoid the occurrence of false alarm conditions.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required to be used in the embodiments of the present invention will be briefly described below, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic flow chart illustrating an application program APP detection method according to an embodiment of the present invention;
fig. 2 shows a schematic structural diagram of an application program APP detection apparatus according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating an application APP detection method according to another embodiment of the present invention;
FIG. 4 is a flowchart illustrating an application APP detection method according to another embodiment of the present invention;
FIG. 5 is a schematic diagram illustrating a detection result of an APP to be detected according to an embodiment of the present invention;
fig. 6 shows a hardware structure diagram of an application APP detection device according to an embodiment of the present invention.
Detailed Description
Features and exemplary embodiments of various aspects of the present invention will be described in detail below, and in order to make objects, technical solutions and advantages of the present invention more apparent, the present invention will be further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not to be construed as limiting the invention. It will be apparent to one skilled in the art that the present invention may be practiced without some of these specific details. The following description of the embodiments is merely intended to provide a better understanding of the present invention by illustrating examples of the present invention.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising ..." does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
For convenience of description, the technical terms possibly referred to herein and their meanings are first listed below, and it is to be understood that these technical terms are known in the art.
An embodiment of the present invention may provide an application program APP detection method, and referring to fig. 1, fig. 1 shows a schematic flow diagram of an application program APP detection method 100 according to an embodiment of the present invention, where the method includes:
S110, collecting vulnerability information from a network to form a vulnerability information base;
S120, collecting a software package from a network;
S130, extracting technical framework fingerprint information of the software package to form a software baseline library;
S140, identifying the technical framework of the APP to be detected to obtain the technical framework fingerprint information of the APP to be detected;
S150, comparing the technical framework fingerprint information of the APP to be detected with the technical framework fingerprint information of the software baseline library, and confirming the technical framework identity information of the APP to be detected, wherein the technical framework identity information comprises a technical framework software version and a technical framework software name;
and S160, comparing the technical framework identity information of the APP to be detected with the vulnerability information base to generate a vulnerability detection result of the APP to be detected.
The software refers to a technical framework used in the application program APP.
By utilizing the scheme provided by the invention, the technical component framework used by the APP can be identified, the identity information of the technical framework is confirmed and matched with the vulnerability library, the vulnerability of the APP to be detected is rapidly detected and found, the detection efficiency and the accuracy are greatly improved, and the occurrence of false alarm condition is avoided.
An embodiment of the present invention may provide an application APP detection apparatus, and referring to fig. 2, fig. 2 shows a schematic structural diagram of an application APP detection apparatus 200 according to an embodiment of the present invention, where the apparatus includes:
the first acquisition module 210 is configured to acquire vulnerability information from a network to form a vulnerability information base;
a second collecting module 220, configured to collect the software package from the network;
the extraction module 230 is configured to extract technical framework fingerprint information of the software package to form a software baseline library;
the identification module 240 is configured to identify the technical framework of the APP to be detected to obtain technical framework fingerprint information of the APP to be detected;
the confirmation module 250 is configured to compare technical framework fingerprint information of the APP to be detected with technical framework fingerprint information of the software baseline library, and confirm technical framework identity information of the APP to be detected, where the technical framework identity information includes a technical framework software version and a technical framework software name;
and the comparison module 260 is used for comparing the technical framework identity information of the APP to be detected with the vulnerability information base to generate a vulnerability detection result of the APP to be detected.
By utilizing the scheme provided by the invention, the technical component framework used by the APP can be identified, the identity information of the technical framework is confirmed and matched with the vulnerability library, the vulnerability of the APP to be detected is rapidly detected and found, the detection efficiency and the accuracy are greatly improved, and the occurrence of false alarm condition is avoided.
The following describes, by way of specific examples, alternative specific processes of embodiments of the present invention. It should be noted that the scheme of the present invention does not depend on a specific algorithm, and in practical applications, any known or unknown hardware, software, algorithm, program, or any combination thereof may be used to implement the scheme of the present invention, and the scheme of the present invention is within the protection scope of the present invention as long as the essential idea of the scheme of the present invention is adopted.
Referring to fig. 3, fig. 3 is a schematic flow chart of an application detection method according to another embodiment of the present invention, which mainly includes the following steps:
S310: establishing a vulnerability library.
As one example, a web crawler module is adopted to automatically collect vulnerability information from the vulnerability publishing platform and periodically and automatically update the vulnerability database, so that the vulnerability database and the vulnerability information published by the vulnerability publishing platform are kept synchronous.
S320: and establishing a software baseline library.
As an example, software package media are automatically and periodically collected from official websites by a web crawler module and downloaded locally, and the technical architecture fingerprint information is extracted from them to form the baseline library.
S330: and identifying a technical framework.
Analyzing the information of the APP to be tested, analyzing the technical framework introduced into the APP to be tested, comparing the technical framework fingerprint information by combining the software baseline library, and confirming the software version of the technical framework.
S340: and detecting the vulnerability.
As an example, based on the APP technical architecture software name and version information, the comparison is performed with a vulnerability information base, the existing vulnerability information is recorded, and a detection result is generated.
S350: and generating a vulnerability report.
As an example, based on the detection result, an APP detection report is generated, including vulnerability descriptions, repair suggestions and the like, and is made available for the user to download.
The above steps are described in detail below:
S320: flow for establishing the software baseline library:
the software baseline library is used as a basis for identifying the APP technical framework and is also a bridge for associating information of the vulnerability library, and the software information is extracted according to vulnerability information published in the network and added into an acquisition list for baseline acquisition to form the software baseline library.
The specific process is as follows:
First, a software name and collection configuration information such as its Uniform Resource Locator (URL) address are added manually and the collection process is started. The system then automatically acquires the corresponding software package, for example through a web crawler program, and downloads it to a local server;
second, the software package is decompressed and the media files are released to the specified directory, and the software package files are extracted from the specified directory, which in one embodiment includes: core program class files, configuration files, class library files, etc.;
thirdly, digest (abstract) information is generated from the core program class files, and this digest information serves as the fingerprint information of the technical framework;
fourthly, the related information is manually confirmed and completed: data such as the technical framework software name, version number, basic package path name, core file directory and fingerprint information are stored in a baseline database, and this information forms the baseline library of the technical framework;
fifthly, the process is repeated based on the known bugs, and the information of the baseline library is continuously perfected.
Referring to fig. 4, fig. 4 is a schematic flowchart illustrating an application APP detection method according to another embodiment of the present invention, where the method includes:
S410, starting;
S420, uploading the installation package of the APP to be tested;
As an example, the installation package of the APP to be detected is uploaded and a detection task is started; a number of detection tasks appropriate to the number of uploaded APPs to be detected is started;
In one embodiment, detection modes such as parallel detection can be adopted to improve detection efficiency.
S430, performing content format conversion on the installation package of the APP to be tested;
As an example, an Android Package (APK) file is read, its contents are decompressed and released to a specified directory, and the files in each specified directory are then converted in content format, for example from the APK format into the Java Archive (JAR) format, which is itself a compressed format; the JAR file is then decompressed and the decompressed files are released into a temporary detection folder.
S440, identifying a technical framework of the APP to be detected;
As an example, the files in the detection folder are analyzed against the technical framework baseline library, and the technical framework information corresponding to the APP to be detected is identified, extracted and recorded based on the directory range and fingerprint features of the technical framework core files held in the baseline library.
First, the decompressed APP to be detected is comprehensively scanned and analyzed, its scanning file directories (such as key package path names and file names) are screened, and these are fuzzy-matched against the file directories (such as basic package path names) in the baseline library, so as to quickly detect whether a software package matching the technical framework of the APP to be detected exists in the software baseline library;
Second, when a matching software package exists, detection of the technical framework fingerprint information is carried out next.
In one embodiment, the matched software list in the baseline library is processed in a loop: for each entry it is checked whether the core file directory exists; if it exists, the files in the core file directory are read and abstract information is generated, and the abstract information of the APP to be detected is matched against the abstract information in the software baseline library; if they match, the technical framework name and corresponding version number of the software package are determined. If the core file directory does not exist or the abstract information does not match, the entry is ignored.
S450, matching against the vulnerability library;
The vulnerability library is searched for vulnerability information on this type of technical framework according to the technical framework information (such as the technical framework name and corresponding version number) extracted in the previous step.
S460, judging whether the APP to be tested has a vulnerability; if so, executing S470, and if not, executing S480;
S470, recording vulnerability information;
When a corresponding vulnerability is retrieved from the vulnerability database, the detection result is recorded;
In one embodiment, the detection result may include the name of the APP to be detected, the name of the technical framework, the version of the technical framework, the vulnerability ID, the vulnerability details, and the like.
When no corresponding vulnerability can be found in the vulnerability library, this indicates that no known vulnerability was found in the technical framework of the APP to be tested, and no record is made.
S480, generating a detection report;
as an example, after the detection is completed, a vulnerability report is generated according to vulnerability result information recorded in the detection process.
In one embodiment, the vulnerability report may include an application name, a total number of vulnerabilities, separately statistical vulnerability data by vulnerability level, and a vulnerability information list.
S490, ending the detection.
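The baseline construction of S320 and the detection flow of S410 to S490, as an added worked example that is not part of the patent (the description gives the steps but no code). It stands in for the collected framework package and for the APP converted to JAR form with small in-memory zip archives of constructed class-file bytes, uses SHA-256 over the sorted core class files as the "abstract information" (the description fixes no digest algorithm), treats the basic package path name as a directory prefix for the fuzzy match, and looks the identified (name, version) pair up in a constructed vulnerability list whose identifier is a placeholder:

```python
import hashlib
import io
import zipfile
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class BaselineEntry:
    """One software baseline record (cf. Table 1 in the description)."""
    name: str          # technical framework software name
    version: str       # technical framework version number
    base_package: str  # basic package path name, used for the directory pre-filter
    core_dir: str      # core file directory whose class files are fingerprinted
    fingerprint: str   # abstract information (digest) of the core class files


def make_package(files: dict) -> bytes:
    """Build an in-memory zip; stands in for a framework package or a converted APP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def fingerprint(zf: zipfile.ZipFile, core_dir: str) -> Optional[str]:
    """SHA-256 over sorted class-file names and contents under core_dir (this
    example's choice of digest). None when the core directory holds no class files."""
    names = sorted(n for n in zf.namelist()
                   if n.startswith(core_dir) and n.endswith(".class"))
    if not names:
        return None
    h = hashlib.sha256()
    for n in names:
        h.update(n.encode("utf-8") + b"\x00" + zf.read(n) + b"\x00")
    return h.hexdigest()


def build_baseline(name: str, version: str, base_package: str,
                   core_dir: str, package: bytes) -> BaselineEntry:
    """S320: fingerprint a collected software package and form the baseline record."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        fp = fingerprint(zf, core_dir)
    if fp is None:
        raise ValueError(f"{name} {version}: no class files under {core_dir}")
    return BaselineEntry(name, version, base_package, core_dir, fp)


def scan_dirs(zf: zipfile.ZipFile) -> set:
    """The 'scanning file directory': every directory prefix present in the archive."""
    dirs = set()
    for n in zf.namelist():
        parts = n.split("/")[:-1]
        for i in range(1, len(parts) + 1):
            dirs.add("/".join(parts[:i]))
    return dirs


def identify(app: bytes, baseline: List[BaselineEntry]) -> List[Tuple[str, str]]:
    """S440: prefix match on the basic package path, then fingerprint comparison.
    A missing core directory (digest None) or a differing digest is ignored."""
    found = []
    with zipfile.ZipFile(io.BytesIO(app)) as zf:
        dirs = scan_dirs(zf)
        candidates = [e for e in baseline if any(
            d == e.base_package or d.startswith(e.base_package + "/") for d in dirs)]
        for e in candidates:
            if fingerprint(zf, e.core_dir) == e.fingerprint:
                found.append((e.name, e.version))
    return found


def detect(app_name: str, app: bytes, baseline: List[BaselineEntry],
           vuln_db: List[dict]) -> dict:
    """S450-S480: exact (name, version) lookup in the vulnerability library,
    record each hit, and build the report with counts per vulnerability level."""
    frameworks = identify(app, baseline)
    hits = [{"app": app_name, "framework": name, "version": version,
             "vuln_id": v["id"], "level": v["level"], "detail": v["detail"]}
            for name, version in frameworks for v in vuln_db
            if v["software"] == name and version in v["affected"]]
    return {"app": app_name, "frameworks": frameworks, "total": len(hits),
            "by_level": dict(Counter(h["level"] for h in hits)), "vulns": hits}


# --- constructed sample data (not taken from the patent) ---
OKIO_CLASS = b"\xca\xfe\xba\xbe constructed okio.Okio class body"
BUFFER_CLASS = b"\xca\xfe\xba\xbe constructed okio.Buffer class body"
APP_CLASS = b"\xca\xfe\xba\xbe constructed MainActivity class body"
OKHTTP_200_PKG = make_package({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                               "okio/Okio.class": OKIO_CLASS,
                               "okio/Buffer.class": BUFFER_CLASS})
BASELINE = [build_baseline("okhttp", "2.0.0", "okio", "okio/", OKHTTP_200_PKG)]
APP_DEMO = make_package({"com/example/demo/MainActivity.class": APP_CLASS,
                         "okio/Okio.class": OKIO_CLASS, "okio/Buffer.class": BUFFER_CLASS})
APP_PATCHED = make_package({"com/example/demo/MainActivity.class": APP_CLASS,
                            "okio/Okio.class": OKIO_CLASS + b" locally modified",
                            "okio/Buffer.class": BUFFER_CLASS})  # same layout, other bytes
APP_CLEAN = make_package({"com/example/demo/MainActivity.class": APP_CLASS})
VULN_DB = [{"id": "VULN-ID-PLACEHOLDER", "software": "okhttp",  # placeholder, not a real ID
            "affected": {"2.0.0", "2.7.3"}, "level": "high",
            "detail": "constructed sample entry for the demonstration"}]

if __name__ == "__main__":
    for app_name, app in [("APPdemo.apk", APP_DEMO), ("patched.apk", APP_PATCHED),
                          ("clean.apk", APP_CLEAN)]:
        print(detect(app_name, app, BASELINE, VULN_DB))
```

The patched archive keeps the okio directory layout, so it passes the directory pre-filter, but its digest differs from the baseline and it is ignored rather than reported; a deployment that wants to flag locally modified copies of a known framework would need a second, coarser signal in addition to the exact fingerprint.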
The technical scheme of the invention is described in detail through the following specific example:
First, baseline information is generated.
As an example, the OKHTTP framework is the most mainstream lightweight framework on the Android side; it is a technical framework dedicated to handling network communication requests in Android applications, and it is replacing HttpURLConnection and Apache HttpClient as the mainstream technical framework.
In one embodiment, the software baseline is established by collecting both the okhttp 2.0.0 and the okhttp 3.11.0 versions.
In addition, the basic package path names of okhttp 2.0.0 and okhttp 3.11.0 differ: for example, the basic package path name of okhttp 2.0.0 is okio, and that of okhttp 3.11.0 is okhttp3. The file and directory structures inside the two versions also differ.
Therefore, summary information for the two versions can be generated separately from the basic package path name and the internal file and directory structure of each; at the same time, the software name, version number and basic package path information can be determined, as shown in Table 1:
TABLE 1

Software name   Version number   Basic package path   Summary information                Other information
okhttp          2.0.0            okio                 38CB8F463A53682A5295C79D0A6AD942
okhttp          3.11.0           okhttp3              7DDCFEE116781800CF6537A5054C5011
Second, the APP technical framework is identified.
The okhttp 2.0.0 technical framework is introduced into the APPdemo.apk package; the APPdemo.apk package is format-converted into a jar package, the jar package is decompressed, and the file contents are extracted.
First, the file directory of the okhttp 2.0.0 version is scanned, and the scanned file directory (for example, okio) is fuzzy-matched against the basic package path names in the baseline library information; referring again to Table 1, the software baseline whose basic package path is okio is matched.
Second, based on the scanned file directory, the summary information (technical framework fingerprint information) of the APP to be detected is generated, namely 38CB8F463A53682A5295C79D0A6AD942, and is compared with the summary information in the baseline library (see Table 1), 38CB8F463A53682A5295C79D0A6AD942; once the comparison is consistent, the software name of the APP to be tested is determined to be okhttp and the version number to be 2.0.0.
The scanning file directory of the APP to be detected also contains the technical architecture software name and version number, so the abstract information of the APP to be detected can be generated from its key package path name, technical architecture software name and version number, and the abstract information of the software baseline library can be generated from the basic package path name, technical architecture software name and version number held in the software baseline library, which facilitates comparison.
Third, vulnerability detection.
Matching against the vulnerability information base is performed based on the software name and version number of the APP to be detected obtained in the second step. The matching result is shown in FIG. 5, which is a schematic diagram of the detection result for the APP to be detected in an embodiment of the present invention.
Referring to FIG. 5, the result shows that okhttp before 2.7.4, and 3.x before 3.1.2, allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain that contains a certificate from a trusted but non-pinned CA together with the pinned certificate.
To sum up, this application provides an APP detection method based on framework comparison: through in-depth analysis of the APP, the technical component frameworks used by the APP are analyzed and identified, the technical framework type and version are confirmed and matched against a public vulnerability library, and the known vulnerabilities present in the APP are quickly detected. This greatly improves detection efficiency and accuracy; the theoretical accuracy can reach 100%, and false positives are effectively avoided.
By collecting APP information, an APP baseline is established and interfaced with the public vulnerability system, the vulnerability library information is continuously updated, and through periodic automatic inspection vulnerability discovery is kept essentially synchronous with public vulnerability disclosure, achieving quick discovery and quick remediation.
In addition, compared with the prior art, the technical scheme of the embodiment of the invention has the following advantages:
First, the detection efficiency is high: the low efficiency of manual detection, in which the installation package is analyzed, decompiled and restored by hand, is overcome by automating the process; in addition, the detection mode avoids a script-driven, scenario-case-triggered detection process and directly analyzes the APP technology framework, which greatly shortens the detection process and improves detection efficiency.
Second, the universality is good: the detection rules are designed and implemented for specific technical architecture components rather than for specific service scenarios, so direct coupling with a service scenario is avoided, the universality of the detection rules is improved, and they are suitable for detecting all kinds of APPs.
Third, the accuracy is high: the vulnerability library used originates from an authoritative official release platform, is officially validated, and is widely recognized.
In addition, the application program APP detection method described in the embodiment of the present invention with reference to fig. 1 may be implemented by an application program APP detection device. Fig. 6 shows a hardware structure diagram of an application APP detection device according to an embodiment of the present invention.
The application APP detection device may comprise a processor 1003 and a memory 1004 storing computer program instructions.
Fig. 6 is a block diagram illustrating an exemplary hardware architecture of a computing device capable of implementing a communication method and a network server according to an embodiment of the present invention. As shown in fig. 6, computing device 1000 includes input device 1001, input interface 1002, processor 1003, memory 1004, output interface 1005, and output device 1006.
The input interface 1002, the processor 1003, the memory 1004, and the output interface 1005 are connected to each other via a bus 1010, and the input device 1001 and the output device 1006 are connected to the bus 1010 via the input interface 1002 and the output interface 1005, respectively, and further connected to other components of the computing device 1000.
Specifically, the input device 1001 receives input information from the outside and transmits the input information to the processor 1003 via the input interface 1002; the processor 1003 processes the input information based on computer-executable instructions stored in the memory 1004 to generate output information, stores the output information temporarily or permanently in the memory 1004, and then transmits the output information to the output device 1006 through the output interface 1005; output device 1006 outputs the output information external to computing device 1000 for use by a user.
The computing device 1000 may perform the steps of the communication method described herein.
Processor 1003 may be one or more Central Processing Units (CPUs). In the case where the processor 1003 is one CPU, the CPU may be a single-core CPU or a multi-core CPU.
The memory 1004 may be, but is not limited to, one or more of Random Access Memory (RAM), Read Only Memory (ROM), Erasable Programmable Read Only Memory (EPROM), compact disc read only memory (CD-ROM), a hard disk, and the like. The memory 1004 is used to store program codes.
It is understood that, in the embodiment of the present application, the functions of any one or all of the first acquisition module to the comparison module provided in fig. 2 may be implemented by using the central processor 1003 shown in fig. 6.
In the above embodiments, the implementation may be realized wholly or partially by software, hardware, firmware, or any combination thereof. When realized wholly or partially in software, it may take the form of a computer program product that includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the flows or functions according to embodiments of the invention are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, they may be transmitted from one website, computer, server, or data center to another by wire (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wirelessly (e.g., infrared, radio, microwave). The computer-readable storage medium can be any available medium accessible by a computer, or a data storage device such as a server or data center that includes one or more such media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
All parts of the specification are described in a progressive mode, the same and similar parts of all embodiments can be referred to each other, and each embodiment is mainly introduced to be different from other embodiments. In particular, as to the apparatus and system embodiments, since they are substantially similar to the method embodiments, the description is relatively simple and reference may be made to the description of the method embodiments in relevant places.

Claims (13)

1. An application program APP detection method, comprising the following steps:
collecting vulnerability information from a network to form a vulnerability information base;
collecting a software package from the network;
extracting technical framework fingerprint information of the software package to form a software baseline library;
identifying a technical framework of an APP to be detected to obtain technical framework fingerprint information of the APP to be detected;
comparing the technical framework fingerprint information of the APP to be detected with the technical framework fingerprint information of the software baseline library, and confirming the technical framework identity information of the APP to be detected, wherein the technical framework identity information comprises a technical framework software version and a technical framework software name; and
comparing the technical framework identity information of the APP to be detected with the vulnerability information base to generate a vulnerability detection result of the APP to be detected.
2. The method of claim 1, wherein the extracting technical framework fingerprint information of the software package comprises:
decompressing the software package to release the media files of the software package to a specified directory, and extracting the files of the software package from the specified directory;
generating abstract information based on the core program class files of the software package files; and
obtaining the technical framework fingerprint information of the software baseline library according to the abstract information.
3. The method of claim 1, wherein the software baseline library comprises:
a technical framework software name, a technical framework version number, a basic package path name, a core file directory and the technical framework fingerprint information.
4. The method of claim 3, further comprising:
carrying out format conversion on the installation package of the APP to be detected.
5. The method of claim 4, wherein the format conversion of the installation package of the APP to be detected comprises:
reading an installation package file of the APP to be detected;
decompressing the file content of the installation package file;
releasing the decompressed file to a specified directory; and
converting the content format of the file in the specified directory.
6. The method of claim 5, further comprising:
decompressing the file after the content format conversion has been performed;
scanning and analyzing the decompressed file, and screening a scanning file directory of the APP to be detected; and
matching the scanning file directory of the APP to be detected with the file directory of the software baseline library, and determining whether a software package matching the technical architecture of the APP to be detected exists in the software baseline library, wherein the scanning file directory of the APP to be detected comprises a key package path name, and the file directory of the software baseline library comprises the basic package path name.
7. The method of claim 6, further comprising:
when a software package matching the technical framework of the APP to be detected exists in the software baseline library, comparing the technical framework fingerprint information of the APP to be detected with the technical framework fingerprint information of the software baseline library, and confirming the technical framework identity information of the APP to be detected.
8. The method of claim 7, wherein the comparing the technical framework fingerprint information of the APP to be detected with the technical framework fingerprint information of the software baseline library comprises:
generating the technical framework fingerprint information of the APP to be detected based on the scanning file directory of the APP to be detected; and
comparing the technical framework fingerprint information of the APP to be detected with the technical framework fingerprint information of the software baseline library;
wherein the scanning file directory of the APP to be detected further comprises a technical architecture software name and a version number.
9. The method of claim 1, wherein the collecting vulnerability information from the network to form a vulnerability information base comprises:
acquiring vulnerability information from the network with a web crawler to form the vulnerability information base.
10. The method of claim 1, further comprising:
periodically updating the vulnerability information base based on a preset period, so that the publication of vulnerability information on the network is kept synchronous with the updating of the vulnerability information in the vulnerability information base.
11. An application program (APP) detection device, comprising:
a first acquisition module, configured to acquire vulnerability information from a network to form a vulnerability information base;
a second acquisition module, configured to acquire a software package from the network;
an extraction module, configured to extract technical framework fingerprint information of the software package to form a software baseline library;
an identification module, configured to identify the technical framework of an APP to be detected to obtain technical framework fingerprint information of the APP to be detected;
a confirmation module, configured to compare the technical framework fingerprint information of the APP to be detected with the technical framework fingerprint information of the software baseline library and confirm the technical framework identity information of the APP to be detected, wherein the technical framework identity information comprises a technical framework software version and a technical framework software name; and
a comparison module, configured to compare the technical framework identity information of the APP to be detected with the vulnerability information base to generate the vulnerability detection result of the APP to be detected.
12. An application program (APP) detection device, comprising: at least one processor, at least one memory, and computer program instructions stored in the memory that, when executed by the processor, implement the method of any of claims 1-10.
13. A computer-readable storage medium having computer program instructions stored thereon, which when executed by a processor implement the method of any one of claims 1-10.
CN201811486778.2A 2018-12-06 2018-12-06 Application program APP detection method, device, equipment and medium Active CN111290935B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811486778.2A CN111290935B (en) 2018-12-06 2018-12-06 Application program APP detection method, device, equipment and medium


Publications (2)

Publication Number Publication Date
CN111290935A true CN111290935A (en) 2020-06-16
CN111290935B CN111290935B (en) 2023-07-18

Family

ID=71029758


Country Status (1)

Country Link
CN (1) CN111290935B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113553594A (en) * 2021-07-23 2021-10-26 中信银行股份有限公司 Vulnerability information processing method and device, electronic equipment and readable storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120084868A1 (en) * 2010-09-30 2012-04-05 International Business Machines Corporation Locating documents for providing data leakage prevention within an information security management system
CN103473505A (en) * 2012-06-06 2013-12-25 腾讯科技(深圳)有限公司 Scanning prompt method and device for software vulnerabilities
CN106503564A (en) * 2016-10-26 2017-03-15 上海携程商务有限公司 The discovery method and system of software vulnerability
CN107273751A (en) * 2017-06-21 2017-10-20 北京计算机技术及应用研究所 Security breaches based on multi-mode matching find method online
CN107480531A (en) * 2017-07-18 2017-12-15 北京计算机技术及应用研究所 Automated software validating vulnerability system and method based on vulnerability database
CN107977576A (en) * 2016-10-21 2018-05-01 北京计算机技术及应用研究所 A kind of host leakage location and method based on employing fingerprint


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
JU AN WANG 等: "Measuring Similarity for Security Vulnerabilities", 《HICSS \'10: PROCEEDINGS OF THE 2010 43RD HAWAII INTERNATIONAL CONFERENCE ON SYSTEM SCIENCES》, pages 1 - 10 *
王涛 等: "软件漏洞静态检测模型及检测框架_", 《计算机科学》, pages 80 - 86 *


Also Published As

Publication number Publication date
CN111290935B (en) 2023-07-18


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant