CN112231697A - Third-party SDK behavior detection method, device, medium and electronic equipment - Google Patents

Third-party SDK behavior detection method, device, medium and electronic equipment

Info

Publication number
CN112231697A
Authority
CN
China
Prior art keywords
code block
target
sdk
behavior
application program
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011223482.9A
Other languages
Chinese (zh)
Inventor
王葵
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202011223482.9A
Publication of CN112231697A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/54 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The application provides a method, a device, a medium and electronic equipment for detecting third-party SDK behavior, and relates to the fields of computer technology and software. According to the method, an application to be detected that contains a target third-party SDK is obtained and run in a simulator behavior honeypot; call stack information at the time a target behavior occurs is then obtained from the run log of the application according to the set behavior characteristics of the target behavior; the code block called when the target behavior occurred is determined from that call stack information; and if the called code block belongs to a code block of the target third-party SDK, the target behavior is determined to have been generated by the target third-party SDK. The method can monitor the behavior of a specific third-party SDK, reduce potential risks and improve the security of the APP in use.

Description

Third-party SDK behavior detection method, device, medium and electronic equipment
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method, an apparatus, a medium, and an electronic device for detecting an SDK behavior of a third party.
Background
Currently, third-party SDKs (Software Development Kits) are used very widely, and a formally published APP typically integrates about 20 of them. As their use has spread, the security problems associated with third-party SDKs have drawn increasing attention; insecure network communication, for example, can lead to the disclosure of user privacy.
At the same time, third-party SDK behavior detection lacks an effective coping means. Users, including APP developers, lack a clear understanding of the integrated third-party SDKs, which leaves a potential safety hazard.
How to provide a method for detecting third-party SDK behavior, so as to monitor the behavior of a specific third-party SDK and improve the safety of the APP during use, is therefore a pressing problem to be solved.
Disclosure of Invention
The embodiment of the application provides a method, a device, a medium and an electronic device for detecting third-party SDK behavior, so as to monitor the behavior of a specific third-party SDK and improve the safety of the APP during use.
In order to achieve the above purpose, the technical solution of the embodiment of the present application is implemented as follows:
in a first aspect, an embodiment of the present application provides a method for detecting an SDK behavior of a third party, including:
acquiring an application program to be detected containing a target third-party Software Development Kit (SDK), and running the application program to be detected in a simulator behavior honeypot;
acquiring call stack information when the target behavior occurs from the running log of the application program to be detected according to the set behavior characteristics of the target behavior;
determining a code block called when a target behavior is generated according to the acquired call stack information;
and if the called code block belongs to the code block of the target third-party SDK, determining that the target behavior is generated by the target third-party SDK.
In a second aspect, an embodiment of the present application provides an apparatus for detecting an SDK behavior of a third party, including:
the simulation operation unit is used for acquiring the application program to be detected containing the target third-party software development kit SDK and operating the application program to be detected in the simulator behavior honeypot;
the behavior detection unit is used for acquiring call stack information when the target behavior occurs from the running log of the application program to be detected according to the set behavior characteristics of the target behavior; determining a code block called when a target behavior is generated according to the acquired call stack information; and if the called code block belongs to the code block of the target third-party SDK, determining that the target behavior is generated by the target third-party SDK.
In an alternative embodiment, the simulation run unit is specifically configured to: for each candidate application, decompile the program package file of the candidate application to obtain the code package of the candidate application;
and perform code segmentation on the code package of the candidate application to obtain the code blocks contained in the candidate application.
In an optional embodiment, the behavior detection unit is specifically configured to:
acquiring a call chain from the call stack information; the call chain comprises function information of a plurality of call points;
removing function information of a call point associated with a system function from the call chain;
and determining the code blocks to be called when the target behaviors are generated according to the function information of the rest calling points in the calling chain.
In a third aspect, an embodiment of the present application provides a computer-readable storage medium, in which a computer program is stored, and when the computer program is executed by a processor, the computer program implements the method according to any one of the first aspect.
In a fourth aspect, this embodiment of the present application further provides an electronic device, including a memory and a processor, where the memory stores a computer program executable on the processor, and when the computer program is executed by the processor, the processor is caused to implement the method according to any one of the first aspect.
According to the method, the device, the medium and the electronic equipment for detecting third-party SDK behavior, the application to be detected that contains the target third-party SDK is obtained and run in the simulator behavior honeypot; the call stack information at the time the target behavior occurs is then obtained from the run log of the application according to the set behavior characteristics of the target behavior, so that the code block called when the target behavior occurred can be determined from that call stack information; and if the called code block belongs to a code block of the target third-party SDK, the target behavior is determined to have been generated by the target third-party SDK. Because the embodiment of the present application uses a simulator behavior honeypot to run the application containing the target third-party SDK in simulation, monitors the target behaviors it generates, and then performs backtracking analysis on the call stack information to determine which target behaviors belong to the third-party SDK, this approach can monitor the behavior of a specific third-party SDK, reduce potential risks and improve the security of the APP in use.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic diagram of a framework structure of a honeypot for simulator behavior according to an embodiment of the present disclosure;
fig. 2 is a schematic flowchart of a method for detecting an SDK behavior of a third party according to an embodiment of the present application;
fig. 3 is a schematic diagram of call stack information provided in an embodiment of the present application;
fig. 4 is a schematic flowchart of a process for acquiring an application to be detected according to an embodiment of the present application;
fig. 5 is a flowchart illustrating a code segmentation process according to an embodiment of the present application;
fig. 6 is a flowchart illustrating a method for determining a code block to be called when a target behavior is generated according to an embodiment of the present application;
FIG. 7 is a system framework diagram provided by an embodiment of the present application;
fig. 8 is a schematic structural diagram of a device for detecting an SDK behavior of a third party according to an embodiment of the present disclosure;
fig. 9 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application clearer, the present application will be described in further detail with reference to the accompanying drawings, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that references in the specification of the present application to the terms "comprises" and "comprising," and variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Some terms in the embodiments of the present application are explained below to facilitate understanding by those skilled in the art.
(1) SDK: a collection of related documents, examples and tools that facilitates the development of APPs (mobile applications). On the Android platform, to improve development efficiency and reduce cost, an APP developer may hand a certain function to a third party for development; the third-party service provider packages the service into a toolkit (that is, an SDK) for the APP developer to use. Common SDK types currently include third-party login and sharing, payment, push, advertising, and data statistics and analysis.
(2) APK (Android application package): the application package file format used by the Android operating system to distribute and install mobile applications and middleware. For the code of an Android application to run on an Android device, it must first be compiled and then packaged into a file that the Android system can recognize and run; that file format is the APK. An APK file contains compiled code files (.dex files), resources, native resource files (assets), certificates, and manifest files. In the embodiments of the present application, the package file of a candidate application is an APK file.
(3) Call stack backtracking: hooking the API functions that generate sensitive behaviors in an Android application, acquiring and recording the call stack information of these key functions in the Java virtual machine when they are called, and then backtracking through the call stack information to find the call points of the key functions.
(4) API (Application Programming Interface): a set of predefined functions. Besides coordinating the execution of applications, allocating memory and managing system resources, the operating system acts as a large service center, and an application calls the various services of that center (each service being a function) to open windows, draw graphics, use peripheral devices, and so on. An application programming interface is thus the code that a computer operating system or a library provides for applications to call. Its main purpose is to let application developers invoke a set of routines without access to the underlying source code or knowledge of its internal working mechanisms. The API itself is abstract: it only defines an interface and does not involve the concrete operations an application performs in its actual implementation.
(5) Hook: also known as a hook function, a hook is a platform of the operating system's message-handling mechanism on which an application can install a subroutine to monitor certain messages for a given window; the monitored window may have been created by another process. When a message arrives, the hook processes it before the target window's processing function does. The hook mechanism thus allows an application to intercept and handle operating system messages or specific events: it can monitor event messages in the system or a process, intercept messages sent to the target window, and process them. A hook is in fact a program segment that handles messages and is installed in the system through a system call. Whenever a particular message is sent, the hook captures it before it reaches the destination window, that is, the hook function gains control. A hook has an associated list of pointers, called a hook chain, maintained by the system; the pointers point to the specified, application-defined callback functions that the hook subroutine calls, i.e. the individual processing subroutines of the hook. When a message associated with the specified hook type occurs, the system passes it to the hook subroutine. A hook subroutine may simply monitor a message, modify it, or stop its progress so that it is not passed on to the next hook subroutine or to the destination window.
(6) Behavior honeypot: honeypot technology is a technology for deceiving an attacker. Hosts, network services or information are deployed as bait to induce the attacker to attack them, so that the attack behavior can be captured and analyzed, the tools and methods used by the attacker learned, and the attack intentions and motivations inferred; the defender can then clearly understand the security threats being faced and strengthen the security protection of the actual system through technical and management means. In the embodiments of the present application, the simulator behavior honeypot is built according to honeypot technology and used to perform simulated execution of an application that integrates a specific third-party SDK.
The word "exemplary" is used hereinafter to mean "serving as an example, embodiment, or illustration." Any embodiment described as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.
The terms "first" and "second" are used herein for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature, and in the description of embodiments of the application, unless stated otherwise, "plurality" means two or more.
With the development of the mobile internet and the wide use of smart mobile terminals, the security of smartphones has become the most important problem for the mobile internet industry and its users. As the number and scale of developers have grown, many SDK tools and middleware that provide various services to developers have emerged, for example SDK middleware for advertisement promotion, for message and data push, and for application promotion and distribution. Such SDK middleware provides common functions to developers in the open form of a development interface, which is a great convenience. At present, the use of third-party SDKs on the Android platform is very common, and about 20 third-party SDKs are typically integrated into one formally published APP. As third-party SDKs have become widely used, their security problems have drawn increasing concern: insecure network communication can cause privacy disclosure; a third-party SDK may have security holes or collect the private data of mobile phone users; and some malicious SDKs perform malicious operations through the host APP. Some third-party SDKs also have a hot-update function and can dynamically download and execute code from the cloud at runtime, so that users, including APP developers, cannot know exactly what behavior an integrated third-party SDK actually executes, which leaves a potential safety hazard.
In third-party SDK behavior detection, the existing schemes are mainly based on static code analysis, and an effective coping means is lacking. How to provide a method for detecting third-party SDK behavior, so as to monitor the behavior of a specific third-party SDK and improve the safety of the APP during use, is therefore a problem that urgently needs to be solved.
In the embodiment of the application, the application to be detected that contains the target third-party SDK is obtained and run in the simulator behavior honeypot; the call stack information at the time the target behavior occurs is obtained from the run log of the application according to the set behavior characteristics of the target behavior; the code block called when the target behavior occurred is determined from that call stack information; and if the called code block belongs to a code block of the target third-party SDK, the target behavior is determined to have been generated by the target third-party SDK. Because the embodiment of the present application uses a simulator behavior honeypot to run the application containing the target third-party SDK in simulation, monitors the target behaviors it generates, and then performs backtracking analysis on the call stack information to determine which target behaviors belong to the third-party SDK, this approach can monitor the behavior of a specific third-party SDK, reduce potential risks and improve the security of the APP in use.
To further illustrate the technical solutions provided by the embodiments of the present application, the following detailed description is made with reference to the accompanying drawings and the detailed description. In the embodiment of the application, the application program to be detected is an APP under an Android platform; the target behavior is a sensitive behavior generated at the runtime of the APP that needs to be monitored. Although the embodiments of the present application provide the method operation steps as shown in the following embodiments or figures, more or less operation steps may be included in the method based on the conventional or non-inventive labor. In steps where no necessary causal relationship exists logically, the order of execution of the steps is not limited to that provided by the embodiments of the present application. The methods described below may be performed in the embodiments or in the methods shown in the drawings, sequentially or in parallel, in an actual process or when the apparatus is executed.
Fig. 1 shows a schematic diagram of a framework structure of a simulator behavior honeypot provided by an embodiment of the present application. As shown in fig. 1, the simulator honeypot mainly comprises the following parts:
1. the Hook module, which hooks the functions specified for the application in order to acquire the related parameters, execution results and so on of those functions;
2. the automatic triggering module, which runs the APP automatically and triggers as many of its behaviors as possible;
3. the sensitive behavior monitoring point module, which sets the sensitive behaviors that need to be monitored, such as network access, sub-package loading, command execution and ELF file access;
4. the LOG recording module, which outputs to the LOG the execution information of a sensitive behavior and the call stack information at the time it occurs. The LOG recording module can be subdivided into two sub-modules: a behavior LOG sub-module and a call stack LOG sub-module.
In the embodiment of the application, the simulator behavior honeypot shown in fig. 1, which is set according to the honeypot technology, is used for performing simulation execution on the application program integrated with the target third-party SDK to capture behavior information of the application program, so that sensitive behaviors generated by the application program can be monitored.
Fig. 2 shows a flowchart of a method for detecting third-party SDK behavior according to an embodiment of the present application. As shown in fig. 2, the method comprises the steps of:
step S201, acquiring the application program to be detected containing the target third-party SDK.
The target third-party SDK may be a pre-specified third-party SDK that is to be detected. The number of target third-party SDKs and the number of applications to be detected may each be one or more; in the embodiment of the present application, the case of one target third-party SDK and one application to be detected is described as an example. Illustratively, the application to be detected may be an application APP_i under the Android platform, and the target third-party SDK may be a third-party Software Development Kit SDK_j included in the program package file APK_i of the application APP_i. The method for detecting third-party SDK behavior provided by the embodiment of the application first obtains the application APP_i to be detected, which contains the target third-party software development kit SDK_j.
And S202, running the application program to be detected in the simulator behavior honeypot.
In particular, the application APP_i to be detected is run in the simulator behavior honeypot shown in fig. 1. The Hook module of the simulator behavior honeypot hooks the designated functions of the application APP_i to be detected in order to acquire their relevant parameters, execution results and so on. The automatic trigger module of the simulator behavior honeypot can run the application APP_i automatically and trigger as many behaviors of APP_i as possible. The sensitive behavior monitoring point module of the simulator behavior honeypot sets the behavior characteristics of the target behaviors to be monitored, such as network access, sub-package loading, command execution and ELF file access. The LOG recording module of the simulator behavior honeypot outputs to the LOG the execution information of the target behavior and the call stack information at the time the target behavior occurs, where the target behavior is a sensitive behavior determined according to the set behavior characteristics of the target behavior, for example acquiring the user's private information, linking to illegal websites, and the like. In some embodiments, the target behaviors are a subset of the sensitive behaviors. In other embodiments, the target behaviors are all of the sensitive behaviors. The embodiments of the present application are all described by taking the case where the target behaviors are the sensitive behaviors as an example.
Step S203, obtaining call stack information when the target behavior occurs from the running log of the application to be detected according to the behavior feature of the set target behavior.
The set behavior characteristics of the target behaviors are the behavior characteristics which are set in the simulator behavior honeypot and used for selecting the target behaviors to be monitored. The set behavior feature of the target behavior may be a behavior feature set for the application to be detected and used for data acquisition. The behavior characteristics of the set target behavior include, but are not limited to, network access, sub-packet loading, command execution, elf file access, and the like.
Specifically, according to the set behavior characteristics of the target behavior, the call stack information at the time the target behavior occurs is obtained from the run log of the application APP_i to be detected. The call stack information contains the call chain at the time the target behavior occurs.
Illustratively, obtaining call stack information when the target behavior occurs may be obtaining a call chain as shown in FIG. 3.
And step S204, determining a called code block when the target behavior is generated according to the acquired call stack information.
Specifically, for the obtained call stack information, the relevant system function in the call chain is removed, and the function information of the actual call point of the call chain is obtained. And determining the code block to be called when the target behavior is generated according to the function information of the actual calling point of the calling chain.
Illustratively, for the call chain shown in fig. 3, the chain is searched from front to back and the calls related to the system, such as the java.net and com.android.okhttp calls on the chain, are removed, so that the function information of the actual call point of the call chain is com.tencent.msdk.dns.core.a.a.b. (htpdnsimpl.java: 53). In some embodiments, the code block called when the target behavior occurs may be determined according to the prefix of the class name in the function information of the actual call point of the call chain.
In step S205, if the called code block belongs to the code block of the target third party SDK, it is determined that the target behavior is generated by the target third party SDK.
Illustratively, if the target third-party SDK is com.tencent.msdk, then for the call chain shown in fig. 3, if the called code block is judged to belong to the code block of com.tencent.msdk, it is determined that the target behavior is generated by the target third-party SDK.
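Steps S203 to S205 above describe one procedure: take the call stack recorded by the honeypot's LOG module, strip the system-function frames, treat the first remaining frame as the actual call point, and use its class-name prefix to decide which code block, and hence which SDK, generated the behavior. The following is an added example implementing that procedure, not code from the patent or from Tencent. The log line format, the list of system-package prefixes, the SDK catalogue and the sample log are all assumptions; the sample log is constructed to resemble the call chain the text describes (java.net and com.android.okhttp frames above a com.tencent.msdk frame).

```python
"""Call-stack backtracking: attribute a sensitive behaviour to the SDK whose code block called it.

Added example, not the patent's code. The log format, system-package prefixes
and SDK catalogue are assumptions; the sample log is constructed.
"""
import re
from typing import Dict, List, Optional

# Package prefixes treated as platform/runtime code rather than app or SDK code (assumed list).
SYSTEM_PREFIXES = ("java.", "javax.", "android.", "com.android.", "dalvik.", "libcore.")

# Assumed "SDK marking information": code-block prefix -> the third-party SDK it belongs to.
SDK_CATALOGUE: Dict[str, str] = {
    "com.tencent.msdk": "msdk",
    "com.example.adsdk": "example-ads",   # hypothetical second SDK
}

# Matches Java-style frames: "at pkg.Class.method(File.java:NN)"
FRAME_RE = re.compile(r"^\s*at\s+(?P<cls>[\w$.]+)\.(?P<method>[\w$<>]+)\((?P<loc>[^)]*)\)\s*$")


def parse_call_chain(log_text: str) -> List[dict]:
    """Return the frames of the call chain, innermost call first, ignoring non-frame log lines."""
    frames = []
    for line in log_text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append({"cls": m.group("cls"), "method": m.group("method"), "loc": m.group("loc")})
    return frames


def is_system_frame(frame: dict) -> bool:
    return frame["cls"].startswith(SYSTEM_PREFIXES)


def actual_call_point(frames: List[dict]) -> Optional[dict]:
    """Walk from the innermost frame outwards and return the first frame that is not a system function."""
    for frame in frames:
        if not is_system_frame(frame):
            return frame
    return None


def code_block_of(frame: dict) -> str:
    """Approximate the code block by the class-name prefix (package) of the call point, as the text suggests."""
    return frame["cls"].rsplit(".", 1)[0]


def attribute_behaviour(log_text: str, target_sdk_prefix: str) -> dict:
    """Decide whether the behaviour recorded in log_text was generated by the target SDK's code block."""
    call_point = actual_call_point(parse_call_chain(log_text))
    block = code_block_of(call_point) if call_point else None
    owner = None
    if block:
        owner = next((name for prefix, name in SDK_CATALOGUE.items() if block.startswith(prefix)), None)
    return {
        "call_point": f"{call_point['cls']}.{call_point['method']}({call_point['loc']})" if call_point else None,
        "code_block": block,
        "sdk": owner,
        "by_target_sdk": bool(block and block.startswith(target_sdk_prefix)),
    }


# Constructed sample: one network-access behaviour with its call stack, as the LOG module might emit it.
SAMPLE_LOG = """\
behavior=network_access url=https://example.invalid/report
  at java.net.InetAddress.getAllByName(InetAddress.java:1106)
  at com.android.okhttp.Dns$1.lookup(Dns.java:39)
  at com.android.okhttp.internal.http.RouteSelector.resetNextInetSocketAddress(RouteSelector.java:175)
  at com.tencent.msdk.dns.core.a.a.b(HttpDnsImpl.java:53)
  at com.example.app.MainActivity.onCreate(MainActivity.java:40)
  at android.app.Activity.performCreate(Activity.java:7136)
"""

if __name__ == "__main__":
    print(attribute_behaviour(SAMPLE_LOG, "com.tencent.msdk"))
```

The system-prefix list is the part a practitioner has to tune: if a frame from the app's own code or from an SDK is wrongly classified as a system function, the backtrace attributes the behavior to the wrong code block, and if a runtime package is missing from the list, the call point degenerates to a framework frame that belongs to no SDK at all.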
According to the method for detecting third-party SDK behavior provided by the embodiment of the application, the application to be detected that contains the target third-party SDK is obtained and run in the simulator behavior honeypot; the call stack information at the time the target behavior occurs is then obtained from the run log of the application according to the set behavior characteristics of the target behavior, so that the code block called when the target behavior occurred can be determined from that call stack information. If the called code block belongs to a code block of the target third-party SDK, the target behavior is determined to have been generated by the target third-party SDK. Because the embodiment of the present application uses a simulator behavior honeypot to run the application containing the target third-party SDK in simulation, monitors the target behaviors it generates, and then performs backtracking analysis on the call stack information to determine which target behaviors belong to the third-party SDK, this approach can monitor the behavior of a specific third-party SDK, reduce potential risks and improve the security of the APP in use.
In the embodiment of the application, the application program to be detected containing the target third-party SDK is acquired through code segmentation and third-party SDK identification. The following further describes obtaining the application to be detected including the target third-party SDK by code segmentation and third-party SDK identification. As shown in fig. 4, acquiring the application program to be detected including the target third party SDK specifically includes the following steps:
step S401, performing code segmentation on the package file of the candidate application program to obtain each code block included in the candidate application program.
In some embodiments, the candidate applications may be selected one by one, and the code segmentation of step S401 performed for each selected candidate application, until the label information of the code blocks in the selected candidate application is identified as including the target SDK label information; the next candidate application is then selected.
Specifically, first, a candidate application is acquired. And then, carrying out code segmentation on the acquired package file of the candidate application program to obtain each code block contained in the candidate application program.
In some embodiments, the candidate applications may be a plurality of Android applications (APPs), and the package files of the candidate applications may be Android application package (APK) files. Specifically, the package file of each candidate application is decompiled from dex, for example with APK_1, APK_2, ..., APK_n as the decompilation objects, to obtain the decompiled smali code package. The decompiled code package is then cut according to a specified cutting rule to obtain the code blocks contained in each APK file, such as code block 1, code block 2, ..., code block m. Optionally, the specified cutting rule may be the storage path within the decompiled smali code package.
Step S402, according to the attribution relationship between each code block and the third-party SDK, setting SDK marking information for each code block, wherein the SDK marking information is used for identifying the third-party SDK to which the code block belongs.
Basic information of the code block is also extracted, such as the path name, the opcode simhash value, the number of classes, the number of methods, the set of called APIs, and the tree structure of the code organization of the code block.
In some embodiments, the third party SDK to which each code block belongs can be identified by comparing and analyzing the codes of the code blocks, and manually marked, so as to obtain the attribution relationship between the code blocks and the third party SDKs. And then according to the obtained attribution relationship between the code block and the third-party SDK, a code block data sample set of the attribution relationship between the code block and the third-party SDK can be established, wherein the code block data sample set contains a label of the code block, the label can be SDK marking information set for each code block, and the SDK marking information is used for identifying the third-party SDK to which the code block belongs.
In some other embodiments, in combination with the manually marked code block data sample set, the attribution relationship between a new code block (obtained by code splitting of the package file of a candidate application) and the third-party SDK may be identified by performing cluster analysis on the code block. The attribution relationship obtained by the cluster analysis is then added to the code block data sample set for storage. Specifically, the cluster analysis may generate a Key value from part of the basic information of the code block, for example from the path name and the opcode simhash in the basic information, so that each code block has a unique Key value. A corresponding Key value is also generated for each code block in the code block data sample set. Cluster analysis is then performed on the code blocks according to their Key values to obtain the attribution relationship between the code block and the third-party SDK.
The code block data sample set may also be regarded as a label system, which may also contain other information of the code block, such as the function, type, etc. of the code block. From the code block data sample set, it can be determined which third party SDKs the android application APP contains.
Step S403, determining whether the labeling information of each code block in the candidate application includes the target SDK labeling information. If yes, go to step S404; if not, the process returns to step S401.
And step S404, determining the candidate application program as the application program to be detected.
And when the labeling information of each code block in the candidate application program comprises the target SDK labeling information, determining the candidate application program as the application program to be detected.
Specifically, if the labeling information of some code block in a candidate application program includes the target SDK labeling information, it may be determined that the labeling information of the code blocks in that candidate application program includes the target SDK labeling information, and the candidate application program is determined as the application program to be detected. In this way the applications to be detected among the candidate application programs can be determined; there may be one or more such applications, which is not specifically limited in this application.
According to the method for detecting the third-party SDK behavior, code segmentation is carried out on the program package file of the candidate application program to obtain each code block contained in the candidate application program; setting SDK marking information for each code block according to the attribution relationship between each code block and the third-party SDK, wherein the SDK marking information is used for identifying the third-party SDK to which the code block belongs; and when the labeling information of each code block in the candidate application program comprises the target SDK labeling information, determining the candidate application program as the application program to be detected. According to the method, the code block cutting and the third-party SDK identification are adopted, the granularity of the detection of the third-party SDK behavior is refined to the third-party SDK, the method can monitor the behavior of the specific third-party SDK, potential risks are reduced, and the safety of the APP in the using process is improved. Under the condition that the third-party SDK is frequently used and the safety problem is frequent, the monitoring mode is helpful for clearly analyzing the APP with malicious behaviors, and determining the division of responsibility whether the initiator of the specific malicious or sensitive behaviors is the APP developer or the integrated third-party SDK.
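Steps S401 to S404 above, worked through as an added Python example that is not part of the patent and is not Tencent's code: it segments a constructed, decompiled smali code package by storage path, extracts the basic information the text lists (class count, method count, called API set, opcode simhash), forms the Key value from path name and opcode simhash, labels blocks from a manually marked sample set (nearest-neighbour matching by simhash Hamming distance stands in for the unspecified cluster analysis), and selects the candidate applications whose blocks carry the target SDK label. The smali text, paths, class names and SDK labels are constructed for the example.

```python
import hashlib
import re
from collections import defaultdict

# Constructed decompiled smali code package (file path -> smali text); paths, class
# names and SDK labels below are made up for this example.
SMALI_PACKAGE = {
    "smali/com/example/app/MainActivity.smali": """\
.class public Lcom/example/app/MainActivity;
.super Landroid/app/Activity;
.method public onCreate(Landroid/os/Bundle;)V
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    new-instance v0, Lcom/vendor/sdk/net/Client;
    invoke-direct {v0}, Lcom/vendor/sdk/net/Client;-><init>()V
    return-void
.end method
""",
    "smali/com/vendor/sdk/net/Client.smali": """\
.class public Lcom/vendor/sdk/net/Client;
.super Ljava/lang/Object;
.method public fetch(Ljava/lang/String;)V
    new-instance v0, Ljava/net/URL;
    invoke-direct {v0, p1}, Ljava/net/URL;-><init>(Ljava/lang/String;)V
    invoke-virtual {v0}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
    move-result-object v1
    return-void
.end method
""",
}
INVOKE_RE = re.compile(r"^invoke-\w+(?:/range)?\s+\{[^}]*\},\s*(L[^;]+;->[^\s(]+)")

def parse_smali(text):
    # Basic information of one smali file: classes, methods, called API set, opcodes.
    classes = methods = 0
    apis, opcodes = set(), []
    for s in (line.strip() for line in text.splitlines()):
        if s.startswith(".class"):
            classes += 1
        elif s.startswith(".method"):
            methods += 1
        elif s and not s.startswith((".", "#")):  # an instruction line
            opcodes.append(s.split()[0])
            m = INVOKE_RE.match(s)
            if m:
                apis.add(m.group(1))
    return classes, methods, apis, opcodes

def simhash64(tokens):
    # 64-bit simhash: similar opcode bags give hashes with a small Hamming distance.
    v = [0] * 64
    for tok in tokens:
        h = int(hashlib.sha1(tok.encode()).hexdigest(), 16)
        for i in range(64):
            v[i] += 1 if (h >> i) & 1 else -1
    return sum(1 << i for i in range(64) if v[i] > 0)

def segment_code_package(package):
    # S401/S502: cut the package into code blocks by storage path (the file's directory).
    blocks = defaultdict(lambda: {"classes": 0, "methods": 0, "apis": set(), "opcodes": []})
    for path, text in package.items():
        c, m, apis, ops = parse_smali(text)
        b = blocks[path.rsplit("/", 1)[0]]
        b["classes"] += c
        b["methods"] += m
        b["apis"] |= apis
        b["opcodes"] += ops
    for b in blocks.values():
        b["simhash"] = simhash64(b["opcodes"])
    return dict(blocks)

def block_key(path, info):
    # Key value = path name + opcode simhash (the patent's example of a unique key).
    return f"{path}|{info['simhash']:016x}"

def build_sample_set(blocks, manual_labels):
    # Manually marked blocks form the code block data sample set: key -> SDK label.
    return {block_key(p, i): manual_labels[p] for p, i in blocks.items() if p in manual_labels}

def label_blocks(blocks, sample_set, max_distance=3):
    # S402: an exact key match takes the sample's label; otherwise the block joins the
    # nearest sample by simhash Hamming distance (a simple stand-in for the patent's
    # unspecified cluster analysis) and the new attribution is stored in the sample set.
    labels = {}
    for path, info in blocks.items():
        key = block_key(path, info)
        if key in sample_set:
            labels[path] = sample_set[key]
            continue
        best = None
        for skey, slabel in sample_set.items():
            d = bin(int(skey.rsplit("|", 1)[1], 16) ^ info["simhash"]).count("1")
            if d <= max_distance and (best is None or d < best[0]):
                best = (d, slabel)
        labels[path] = best[1] if best else "unknown"
        if best:
            sample_set[key] = best[1]
    return labels

def select_apps_to_detect(apps, sample_set, target_sdk):
    # S403/S404: a candidate app is "to be detected" if any block carries the target label.
    return [name for name, pkg in apps.items()
            if target_sdk in label_blocks(segment_code_package(pkg), sample_set).values()]
```

Cutting by directory mirrors the "storage path" rule; a relocated or renamed copy of the same SDK gets a new path and hence a new Key, and is only recovered through the simhash distance, which is why the Key carries both parts. The distance threshold is the knob that trades missed attributions against wrong ones and would be tuned on a labelled sample set in practice.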
In other embodiments, when the to-be-detected application program including the target third-party SDK is acquired through code segmentation and third-party SDK identification, candidate application programs may be further selected one by one, and the code segmentation in step S401 in fig. 4 may be performed until all the candidate application programs complete code segmentation, and then other process steps after step S401 in fig. 4 are sequentially performed on all the candidate application programs.
In some optional embodiments, the called code block belongs to the code block of the target third party SDK, and may be determined by the following method:
and when the SDK marking information of the called code block is consistent with the SDK marking information of the code block of the target third-party SDK, determining that the called code block belongs to the code block of the target third-party SDK.
In some embodiments, the code block data sample set includes a correspondence between the target third-party SDK and the code block to which the target third-party SDK belongs, and labeling information of the code block to which the target third-party SDK belongs.
Specifically, the SDK tagging information of the called code block is compared with the SDK tagging information of the code block of the target third party SDK, and if the SDK tagging information of the called code block is consistent with the SDK tagging information of the target third party SDK, it can be determined that the called code block belongs to the code block of the target third party SDK.
For example, in connection with the code block data sample set, it may be determined whether the SDK tagging information of the called code block is consistent with the SDK tagging information of the code block of the target third party SDK. And when the SDK marking information of the called code block is consistent with the SDK marking information of the code block of the target third-party SDK, determining that the called code block belongs to the code block of the target third-party SDK.
According to the method for detecting the third-party SDK behavior, whether the SDK marking information of the called code block is consistent with the SDK marking information of the code block of the target third-party SDK is judged, so that the called code block is determined to belong to the code block of the target third-party SDK. According to the method, the SDK marking information of the called code block is compared with the SDK marking information of the code block of the target third-party SDK, so that the calculation amount is small, the behavior monitoring efficiency of the third-party SDK can be improved, the potential risk is effectively reduced, and the safety of the APP in the using process is improved.
Fig. 5 is a flowchart illustrating a code segmentation process provided by an embodiment of the present application. In some optional embodiments, when the code of the package file of the candidate application program is segmented to obtain each code block included in the candidate application program, the package file may be decompiled. As shown in fig. 5, the process of obtaining the code block may specifically include the following steps:
step S501, for each candidate application program, performing decompiling on the program package file of the candidate application program to obtain a code package of the candidate application program.
Illustratively, the candidate applications may be a plurality of android applications (APPs), for example APP1, APP2, …, APPn; the package file of a candidate application may be an android Application Package (APK) file, such as APK1, APK2, …, APKn, where APP1, APP2, …, APPn correspond one-to-one, in order, to APK1, APK2, …, APKn. For example, the package file APKt (t ∈ (1, n)) of candidate application APPt (t ∈ (1, n)) may be decompiled to obtain the code package of candidate application APPt.
In some embodiments, decompilation of the package file is achieved by means of dex decompilation.
For example, the package file APKt of candidate application APPt is decompiled by dex decompilation to obtain the smali code package of candidate application APPt.
Step S502, the code packet of the candidate application program is subjected to code division to obtain a code block contained in the candidate application program.
For example, the code package of the candidate application program may be divided according to a specified cutting rule; for instance, the smali code package may be divided according to its storage path, so as to obtain the code blocks contained in the candidate application program.
In some optional embodiments, when determining the code block to be called when the target behavior is generated, the code block to be called when the target behavior is generated may be determined by acquiring a call chain according to the acquired call stack information, and then performing processing analysis on the call chain. As shown in fig. 6, the process may specifically include the following steps:
step S601, obtaining a call chain from the call stack information.
Wherein the call chain comprises function information of a plurality of call points.
Specifically, in the embodiment of the application, the application program to be detected, APPi, is simulated and executed through the simulator behavior honeypot. According to the set behavior characteristics of the target behavior, the simulator behavior honeypot outputs, in the form of a log, the execution information of the sensitive behavior and the call stack information at the time the sensitive behavior occurs. In some embodiments, the call stack information is obtained by parsing the log output by the simulator behavior honeypot. The call stack information contains the call chain at the time the target behavior occurs. Each call chain corresponds to one sensitive behavior; call chains and sensitive behaviors are in one-to-one correspondence. Fig. 3 shows a call chain of an embodiment of the present application. As can be seen from fig. 3, the call chain includes function information of a plurality of call points. Subsequently, the call stack information is backtracked to obtain the call chain from it. The obtained call chain is used in the analysis process of call stack backtracking.
Step S602, removing function information of a call point associated with the system function from the call chain.
Illustratively, for the call chain shown in fig. 3, searching from front to back, the calls related to the system are removed from the call chain, such as the java.net and com.android.okhttp related calls on the chain, and the function information of the call point remaining in the call chain is obtained as com.tencent.msdk.dns.core.a.a.b. (httpdnimpl.java: 53), which is the function information of the actual call point of the call chain.
Step S603, determining a code block to be called when the target behavior is generated according to the function information of the remaining call points in the call chain.
Specifically, the code block called when the target behavior occurs may be determined according to the prefix of the class name in the function information of the actual call point of the call chain. For example, when the function information is com.tencent.msdk.dns.core.a.a.b. (httpdnimpl.java: 53), the prefix information of the acquired class name is com.tencent.msdk.dns.core.a.a.a.a.a.a.a.b., and by combining this with the record of the code block basic information in the code block data sample set, the code block called when the target behavior corresponding to the call chain is generated can be determined.
According to the method for detecting the third-party SDK behavior, the called code block when the target behavior corresponding to the call chain is generated is judged in a call stack backtracking mode. According to the method, a call stack backtracking mode is adopted, so that the code block generating the sensitive behavior can be accurately positioned, the third-party SDK generating the sensitive behavior can be accurately determined, potential risks can be effectively reduced, and the safety of the APP in the using process is improved.
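The call stack backtracking of steps S601 to S603, together with the label comparison of the earlier optional embodiment, as an added Python example that is not taken from the patent or from any Tencent code: it parses a constructed honeypot log, strips the system-related call points (java.net and com.android.okhttp as in the text, plus further framework prefixes that are assumptions), takes the class-name prefix of the first remaining call point, looks up its SDK marking information, and decides whether the target behavior was generated by the target SDK. The log format, the log tag, the behavior names, the class names and the labels are all assumptions made for the example; it also handles the chain in which every call point is a system function, where no attribution is possible.

```python
import re

# Constructed log excerpt in the shape a simulator behavior honeypot might emit; the
# tag, field names and every class/method name are assumptions for this example.
HONEYPOT_LOG = """\
I/Honeypot: behavior=GET_IMEI api=android.telephony.TelephonyManager.getDeviceId
I/Honeypot:   at android.telephony.TelephonyManager.getDeviceId(TelephonyManager.java:1021)
I/Honeypot:   at java.net.URL.openConnection(URL.java:523)
I/Honeypot:   at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:300)
I/Honeypot:   at com.vendor.sdk.net.Client.fetch(Client.java:41)
I/Honeypot:   at com.example.app.MainActivity.onCreate(MainActivity.java:17)
I/Honeypot: behavior=READ_CONTACTS api=android.content.ContentResolver.query
I/Honeypot:   at android.content.ContentResolver.query(ContentResolver.java:760)
I/Honeypot:   at com.example.app.SyncTask.run(SyncTask.java:88)
I/Honeypot: behavior=OPEN_SOCKET api=java.net.Socket.connect
I/Honeypot:   at java.net.Socket.connect(Socket.java:616)
I/Honeypot:   at com.vendor.sdk.net.Client.fetch(Client.java:44)
I/Honeypot: behavior=GET_IMEI api=android.telephony.TelephonyManager.getDeviceId
I/Honeypot:   at android.telephony.TelephonyManager.getDeviceId(TelephonyManager.java:1021)
I/Honeypot:   at android.os.Handler.dispatchMessage(Handler.java:106)
"""

# Set behavior characteristics: the honeypot behavior names that count as target behaviors.
TARGET_BEHAVIORS = {"GET_IMEI", "READ_CONTACTS"}

# Prefixes treated as system functions and removed from the chain (S602). java.net and
# com.android.okhttp are the text's examples; the remaining prefixes are assumptions.
SYSTEM_PREFIXES = ("java.", "javax.", "android.", "com.android.", "dalvik.", "kotlin.")

# Code block data sample set reduced to what S603 needs: class-name prefix of a code
# block -> SDK marking information (constructed values).
BLOCK_LABELS = {"com.vendor.sdk.net": "VendorSDK", "com.example.app": "host-app"}

FRAME_RE = re.compile(r"at ([\w.$]+)\.([\w<>$]+)\(([^:]+):(\d+)\)")

def parse_honeypot_log(text):
    # S601: split the log into (behavior, call chain) records; each call point is
    # (class, method, file, line) parsed from an "at ..." line.
    records = []
    for line in text.splitlines():
        body = line.split(": ", 1)[1] if ": " in line else line
        if body.startswith("behavior="):
            records.append((body.split()[0][len("behavior="):], []))
        else:
            m = FRAME_RE.search(body)
            if m and records:
                cls, meth, file, ln = m.groups()
                records[-1][1].append((cls, meth, file, int(ln)))
    return records

def strip_system_frames(chain):
    # S602: remove the call points associated with system functions.
    return [f for f in chain if not f[0].startswith(SYSTEM_PREFIXES)]

def locate_code_block(chain, block_labels):
    # S603: the first remaining call point is the actual call point; the longest
    # labelled class-name prefix identifies the called code block and its SDK label.
    remaining = strip_system_frames(chain)
    if not remaining:
        return None, None, "unknown"  # chain consisted of system functions only
    cls, meth, file, ln = remaining[0]
    call_point = f"{cls}.{meth}({file}:{ln})"
    block = max((p for p in block_labels if cls.startswith(p + ".")), key=len, default=None)
    return call_point, block, block_labels.get(block, "unknown")

def attribute_behaviors(log_text, target_behaviors, block_labels, target_sdk):
    # Full pass: keep target behaviors only, backtrack each call chain, and compare the
    # called block's SDK marking information with that of the target SDK.
    results = []
    for behavior, chain in parse_honeypot_log(log_text):
        if behavior not in target_behaviors:
            continue
        call_point, block, sdk = locate_code_block(chain, block_labels)
        results.append({"behavior": behavior, "call_point": call_point, "block": block,
                        "sdk": sdk, "by_target_sdk": sdk == target_sdk})
    return results
```

Searching the chain from the innermost frame outward matters: the sensitive API itself and the HTTP client it is routed through are system code, so the first frame that survives the filter is the code that actually initiated the behavior, and the host app frames further out are not blamed for an SDK's call. A chain with no non-system frame is reported as unknown rather than attributed to anyone.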
Fig. 7 is a system framework diagram of a method for detecting an SDK behavior of a third party according to an embodiment of the present application. In one embodiment, as shown in fig. 7, the system mainly comprises two modules of code cutting and third-party SDK recognition and dynamic behavior monitoring analysis. The code cutting and third-party SDK identification module is mainly used for analyzing codes of an APK file of the APP by reversely analyzing the APP and adopting a code block cutting mode to identify which third-party SDKs are contained in the APK file and which code blocks are contained in the SDKs; and the dynamic behavior monitoring and analyzing module is used for performing honeypot simulation execution on the APP containing the specific third-party SDK, capturing the sensitive behavior information generated by the APP, analyzing the call stack information generated by the sensitive behaviors, and judging whether the initiator of the sensitive behaviors belongs to the third-party SDK to be monitored or not through code matching.
In the system in the above embodiment, the codes of the APK file applied by the APP are cut into independent code blocks by using code cutting, and then the third-party SDK in the APK file is identified by using a means of artificial labeling or cluster analysis; and aiming at the APP containing the specific third-party SDK, the dynamic honeypot is adopted to perform simulation operation, the generated sensitive behavior is monitored, and the dynamic behavior belonging to the third-party SDK is determined by backtracking analysis of the call stack information, so that the purpose of monitoring the dynamic behavior of the specific third-party SDK is achieved.
Based on the same inventive concept, the embodiment of the application also provides a detection device for the third-party SDK behavior, and the detection device for the third-party SDK behavior can be arranged in the server. Because the device is a device corresponding to the method for detecting the SDK behavior of the third party provided in the embodiment of the present application, and the principle of the device for solving the problem is similar to that of the method, the implementation of the device may refer to the implementation of the above method, and repeated details are not described again.
Fig. 8 is a block diagram illustrating a structure of an apparatus for detecting a third-party SDK behavior according to an embodiment of the present application. As shown in fig. 8, the apparatus for detecting a third-party SDK behavior includes a simulation operation unit 801 and a behavior detection unit 802, wherein:
the simulation operation unit 801 is used for acquiring the application program to be detected containing the target third-party SDK and operating the application program to be detected in the simulator behavior honeypot;
a behavior detection unit 802, configured to obtain call stack information when a target behavior occurs from an operation log of an application to be detected according to a set behavior feature of the target behavior; determining a code block called when a target behavior is generated according to the acquired call stack information; and if the called code block belongs to the code block of the target third-party SDK, determining that the target behavior is generated by the target third-party SDK.
In an alternative embodiment, the simulation operation unit 801 is specifically configured to:
code segmentation is carried out on the program package file of the candidate application program to obtain each code block contained in the candidate application program; setting SDK marking information for each code block according to the attribution relationship between each code block and the third-party SDK, wherein the SDK marking information is used for identifying the third-party SDK to which the code block belongs; and when the labeling information of each code block in the candidate application program comprises the target SDK labeling information, determining the candidate application program as the application program to be detected.
In an alternative embodiment, the behavior detection unit 802 is specifically configured to:
and when the SDK marking information of the called code block is consistent with the SDK marking information of the code block of the target third-party SDK, determining that the called code block belongs to the code block of the target third-party SDK.
In an alternative embodiment, the simulation operation unit 801 is specifically configured to:
for each candidate application program, performing decompiling on the program package file of the candidate application program to obtain a code package of the candidate application program;
and carrying out code segmentation on the code packet of the candidate application program to obtain a code block contained in the candidate application program.
In an alternative embodiment, the behavior detection unit 802 is specifically configured to:
acquiring a call chain from the call stack information; the calling chain comprises function information of a plurality of calling points;
removing function information of a calling point associated with the system function from the calling chain;
and determining the code blocks to be called when the target behaviors are generated according to the function information of the rest calling points in the calling chain.
Based on the same inventive concept, the embodiment of the application also provides the electronic equipment. In one embodiment, the electronic device may be a server. In this embodiment, the electronic device may be configured as shown in fig. 9, and include a memory 901, a communication module 903, and one or more processors 902.
A memory 901 for storing computer programs executed by the processor 902. The memory 901 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system, a program required for running an instant messaging function, and the like; the storage data area can store various instant messaging information, operation instruction sets and the like.
Memory 901 may be a volatile memory (volatile memory), such as a random-access memory (RAM); the memory 901 may also be a non-volatile memory (non-volatile memory) such as, but not limited to, a read-only memory (ROM), a flash memory (flash memory), a Hard Disk Drive (HDD) or a solid-state drive (SSD), or the memory 901 may be any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 901 may be a combination of the above memories.
The processor 902 may include one or more Central Processing Units (CPUs), a digital processing unit, and the like. The processor 902 is configured to implement the detection method of the third-party SDK behavior when the computer program stored in the memory 901 is called.
The communication module 903 is used for communicating with a terminal device or other servers.
The embodiment of the present application does not limit the specific connection medium among the memory 901, the communication module 903, and the processor 902. In the embodiment of the present application, the memory 901 and the processor 902 are connected through the bus 904 in fig. 9, the bus 904 is represented by a thick line in fig. 9, and the connection manner between other components is merely illustrative and is not limited. The bus 904 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in FIG. 9, but this does not indicate only one bus or one type of bus.
The memory 901 stores a computer storage medium, and the computer storage medium stores computer executable instructions, which are used to implement the method for detecting the third-party SDK behavior according to the embodiment of the present application. The processor 902 is configured to perform the above-described third party SDK behavior detection method.
The embodiment of the application further provides a computer storage medium, wherein computer-executable instructions are stored in the computer storage medium and used for realizing the method for detecting the third-party SDK behavior described in any embodiment of the application.
In some possible embodiments, the aspects of the third party SDK behavior detection method provided in this application may also be implemented in the form of a program product including program code for causing a computer device to perform the steps of the third party SDK behavior detection method according to various exemplary embodiments of this application described above in this specification when the program product is run on the computer device, for example, the computer device may perform the flow of the third party SDK behavior detection method of steps S201 to S205 shown in fig. 2.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: a mobile storage device, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application.

Claims (10)

1. A method for detecting third-party SDK behaviors is characterized by comprising the following steps:
acquiring an application program to be detected containing a target third-party Software Development Kit (SDK), and running the application program to be detected in a simulator behavior honeypot;
acquiring call stack information when the target behavior occurs from the running log of the application program to be detected according to the set behavior characteristics of the target behavior;
determining a code block called when a target behavior is generated according to the acquired call stack information;
and if the called code block belongs to the code block of the target third-party SDK, determining that the target behavior is generated by the target third-party SDK.
2. The method according to claim 1, wherein the obtaining the application to be tested containing the target third party software development kit SDK comprises:
code segmentation is carried out on the program package file of the candidate application program to obtain each code block contained in the candidate application program;
setting SDK marking information for each code block according to the attribution relationship between each code block and a third-party SDK, wherein the SDK marking information is used for identifying the third-party SDK to which the code block belongs;
and when the labeling information of each code block in the candidate application program comprises target SDK labeling information, determining the candidate application program as the application program to be detected.
3. The method according to claim 2, wherein the called code block belongs to a code block of the target third party SDK, and specifically comprises:
and when the SDK marking information of the called code block is consistent with the SDK marking information of the code block of the target third-party SDK, determining that the called code block belongs to the code block of the target third-party SDK.
4. The method according to claim 2, wherein the code splitting the package file of the candidate application to obtain each code block included in the candidate application comprises:
for each candidate application program, performing decompiling on a program package file of the candidate application program to obtain a code package of the candidate application program;
and carrying out code segmentation on the code packet of the candidate application program to obtain a code block contained in the candidate application program.
5. The method according to any one of claims 1 to 4, wherein determining, according to the obtained call stack information, a code block to be called when the target behavior is generated includes:
acquiring a call chain from the call stack information; the call chain comprises function information of a plurality of call points;
removing function information of a call point associated with a system function from the call chain;
and determining the code blocks to be called when the target behaviors are generated according to the function information of the rest calling points in the calling chain.
6. An apparatus for detecting third party SDK behavior, comprising:
the simulation operation unit is used for acquiring the application program to be detected containing the target third-party software development kit SDK and operating the application program to be detected in the simulator behavior honeypot;
the behavior detection unit is used for acquiring call stack information when the target behavior occurs from the running log of the application program to be detected according to the set behavior characteristics of the target behavior; determining a code block called when a target behavior is generated according to the acquired call stack information; and if the called code block belongs to the code block of the target third-party SDK, determining that the target behavior is generated by the target third-party SDK.
7. The apparatus according to claim 6, wherein the simulation run unit is specifically configured to:
code segmentation is carried out on the program package file of the candidate application program to obtain each code block contained in the candidate application program;
setting SDK marking information for each code block according to the attribution relationship between each code block and a third-party SDK, wherein the SDK marking information is used for identifying the third-party SDK to which the code block belongs;
and when the labeling information of each code block in the candidate application program comprises target SDK labeling information, determining the candidate application program as the application program to be detected.
8. The apparatus according to claim 6, wherein the behavior detection unit is specifically configured to:
and when the SDK marking information of the called code block is consistent with the SDK marking information of the code block of the target third-party SDK, determining that the called code block belongs to the code block of the target third-party SDK.
9. A computer-readable storage medium having a computer program stored therein, the computer program characterized by: the computer program, when executed by a processor, implements the method of any of claims 1-5.
10. An electronic device comprising a memory and a processor, the memory having stored thereon a computer program operable on the processor, the computer program, when executed by the processor, implementing the method of any of claims 1-5.
CN202011223482.9A 2020-11-05 2020-11-05 Third-party SDK behavior detection method, device, medium and electronic equipment Pending CN112231697A (en)

Publications (1)

Publication Number Publication Date
CN112231697A (en) 2021-01-15

Family

ID=74122729

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114861180A (en) * 2022-05-25 2022-08-05 广东粤密技术服务有限公司 Application program security detection method and device
CN116881962A (en) * 2023-07-12 2023-10-13 上海隽钰网络工程有限公司 Security monitoring system, method, device and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104992081A (en) * 2015-06-24 2015-10-21 华中科技大学 Security enhancement method for third-party code of Android application program
CN108769071A (en) * 2018-07-02 2018-11-06 腾讯科技(深圳)有限公司 attack information processing method, device and internet of things honey pot system
CN110737887A (en) * 2019-10-22 2020-01-31 厦门美图之家科技有限公司 Malicious code detection method and device, electronic equipment and storage medium
CN111124486A (en) * 2019-12-05 2020-05-08 任子行网络技术股份有限公司 Method, system and storage medium for discovering android application to refer to third-party tool
CN111753330A (en) * 2020-06-18 2020-10-09 百度在线网络技术(北京)有限公司 Method, device and equipment for determining data leakage subject and readable storage medium

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104992081A (en) * 2015-06-24 2015-10-21 Huazhong University of Science and Technology Security enhancement method for third-party code of Android application program
CN108769071A (en) * 2018-07-02 2018-11-06 Tencent Technology (Shenzhen) Co., Ltd. Attack information processing method, device and Internet of Things honeypot system
CN110737887A (en) * 2019-10-22 2020-01-31 Xiamen Meitu Home Technology Co., Ltd. Malicious code detection method and device, electronic equipment and storage medium
CN111124486A (en) * 2019-12-05 2020-05-08 Surfilter Network Technology Co., Ltd. Method, system and storage medium for discovering android application to refer to third-party tool
CN111753330A (en) * 2020-06-18 2020-10-09 Baidu Online Network Technology (Beijing) Co., Ltd. Method, device and equipment for determining data leakage subject and readable storage medium

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114861180A (en) * 2022-05-25 2022-08-05 Guangdong Yuemi Technology Service Co., Ltd. Application program security detection method and device
CN114861180B (en) * 2022-05-25 2023-09-08 Guangdong Yuemi Technology Service Co., Ltd. Application program security detection method and device
CN116881962A (en) * 2023-07-12 2023-10-13 Shanghai Junyu Network Engineering Co., Ltd. Security monitoring system, method, device and storage medium
CN116881962B (en) * 2023-07-12 2024-05-10 Shanghai Junyu Network Engineering Co., Ltd. Security monitoring system, method, device and storage medium

Similar Documents

Publication Publication Date Title
US10419499B2 (en) Method and system for application security evaluation
CN108133139B (en) Android malicious application detection system based on multi-operation environment behavior comparison
US10581879B1 (en) Enhanced malware detection for generated objects
CN109145603A (en) Android privacy leakage behavior detection method and technique based on information flow
CN112685737A (en) APP detection method, device, equipment and storage medium
Hu et al. Migdroid: Detecting app-repackaging android malware via method invocation graph
US10547626B1 (en) Detecting repackaged applications based on file format fingerprints
CN108664793B (en) Method and device for detecting vulnerability
CN113489713B (en) Network attack detection method, device, equipment and storage medium
US12026256B2 (en) Context-based analysis of applications
JP6711000B2 (en) Information processing apparatus, virus detection method, and program
CN104809397A (en) Android malicious software detection method and system based on dynamic monitoring
CN112084497A (en) Method and device for detecting malicious program of embedded Linux system
US20190180032A1 (en) Classification apparatus, classification method, and classification program
CN103746992A (en) Reverse-based intrusion detection system and reverse-based intrusion detection method
CN112231697A (en) Third-party SDK behavior detection method, device, medium and electronic equipment
Faruki et al. Droidanalyst: Synergic app framework for static and dynamic app analysis
KR101256468B1 (en) Apparatus and method for detecting malicious file
US10970392B2 (en) Grouping application components for classification and malware detection
CN108898014A (en) Virus scanning and removal method, server and electronic device
CN108932199B (en) Automatic taint analysis system based on user interface analysis
KR20160090566A (en) Apparatus and method for detecting APK malware filter using valid market data
JP5613000B2 (en) Application characteristic analysis apparatus and program
Afridi et al. Android application behavioral analysis through intent monitoring
WO2021243555A1 (en) Quick application test method and apparatus, device, and storage medium

Legal Events

Date Code Title Description
PB01 Publication
REG Reference to a national code
Ref country code: HK
Ref legal event code: DE
Ref document number: 40037837
Country of ref document: HK

SE01 Entry into force of request for substantive examination