CN112817822A - APP behavior monitoring method and device, terminal and storage medium - Google Patents

Info

Publication number: CN112817822A
Application number: CN202110160517.7A
Authority: CN (China)
Other languages: Chinese (zh)
Inventor: 刘宝
Current Assignee: Shenzhen Thinkive Information Technology Co ltd
Original Assignee: Shenzhen Thinkive Information Technology Co ltd
Legal status: Pending
Prior art keywords: app, terminal, preset, operating system, user

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/302 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Abstract

The invention is applicable to the technical field of application programs and provides an APP behavior monitoring method and device, a terminal and a storage medium. The method comprises: detecting whether an APP is started on the terminal; if the APP is detected to be started, judging whether the current operating system of the terminal is abnormal; if the operating system is abnormal, exiting the APP; if the operating system is normal, carrying out a validity check on the APP; if the APP passes the validity check, monitoring the running process of the APP and, when the APP is monitored to exhibit a preset behavior, controlling that behavior according to the corresponding security policy; and if the APP does not pass the validity check, exiting the APP. In this technical scheme, the running environment, the legality and the runtime security of the APP are monitored, and the behavior of the APP is controlled when any of these monitored objects is abnormal, so that threats to the use of the terminal from a malicious APP, or from an APP under abnormal attack, are effectively prevented.

Description

APP behavior monitoring method and device, terminal and storage medium
Technical Field
The invention belongs to the technical field of application programs, and particularly relates to an APP behavior monitoring method and device, a terminal and a storage medium.
Background
With the rapid development of mobile internet technology, more and more services can be run on mobile terminals; for example, people can handle various services through an APP (short for application) installed on a mobile phone, so as to realize various functions.
According to the 38th Statistical Report on Internet Development in China, published by the China Internet Network Information Center, many APPs exhibit behaviors that damage the legitimate rights and interests of users, such as stealing user privacy data, malicious fee deduction, and enticement and fraud.
Clearly, the security of APPs seriously affects people's life and work, but current technology still lacks a complete mechanism for monitoring APP behavior, so the security of mobile terminal use is seriously threatened by malicious APPs or by APPs under abnormal attack.
Disclosure of Invention
In view of this, embodiments of the present invention provide an APP behavior monitoring method and apparatus, a terminal, and a storage medium, which together provide a complete mechanism for monitoring APP behavior, thereby ensuring the security of use of a terminal that runs the APP.
A first aspect of an embodiment of the present invention provides an APP behavior monitoring method, where the method includes the following steps:
detecting whether the APP is started on the terminal;
if the APP is detected to be started, judging whether a current operating system of the terminal is abnormal;
if the current operating system of the terminal is abnormal, prompting a user and controlling the APP to exit;
if the current operating system of the terminal is normal, carrying out validity check on the APP;
if the APP passes the validity check, monitoring the operation process of the APP, and controlling a preset behavior according to a safety strategy corresponding to the preset behavior when the APP is monitored to have the preset behavior;
and if the APP does not pass the validity check, prompting a user and controlling the APP to exit.
A second aspect of an embodiment of the present invention provides an APP behavior monitoring apparatus, where the apparatus includes:
the starting monitoring unit is used for detecting whether the APP is started on the terminal;
the judging unit is used for judging whether the current operating system of the terminal is abnormal or not when the APP is detected to be started;
the first control unit is used for prompting a user when the current operating system of the terminal is abnormal and controlling the APP to exit;
the APP verification unit is used for verifying the validity of the APP when the current operating system of the terminal is normal;
the operation monitoring unit is used for monitoring the operation process of the APP when the APP passes the validity check, and controlling the preset behavior according to the safety strategy corresponding to the preset behavior when the APP is monitored to have the preset behavior;
and the second control unit is used for prompting the user when the APP does not pass the validity check and controlling the APP to exit.
A third aspect of an embodiment of the present invention provides a terminal, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the steps of the APP behavior monitoring method described above when executing the computer program.
A fourth aspect of embodiments of the present invention provides a storage medium storing a computer program that, when executed by a processor, implements the steps of the APP behavior monitoring method described above.
Compared with the prior art, the embodiment of the invention has the following beneficial effects:
In this technical scheme, the running environment, the legality and the runtime security of the APP are monitored, and the behavior of the APP is controlled when any of these monitored objects is abnormal, so that threats to the use of the terminal from a malicious APP, or from an APP under abnormal attack, are effectively prevented.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the embodiments or the prior art descriptions will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise.
FIG. 1 is a flow chart of a first embodiment of an APP behavior monitoring method of the present invention;
FIG. 2 is a sub-flowchart of step S15 in the first embodiment of the APP behavior monitoring method of the present invention;
FIG. 3 is a sub-flowchart of step S15 in a second embodiment of the APP behavior monitoring method of the present invention;
FIG. 4 is a sub-flowchart of step S15 in a third embodiment of the APP behavior monitoring method of the present invention;
FIG. 5 is a sub-flowchart of step S15 in a fourth embodiment of the APP behavior monitoring method of the present invention;
FIG. 6 is a sub-flowchart of step S15 in the fifth embodiment of the APP behavior monitoring method of the present invention;
FIG. 7 is a schematic structural diagram of a first embodiment of an APP behavior monitoring apparatus of the present invention;
FIG. 8 is a schematic structural diagram of a first embodiment of the terminal of the present invention.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system structures, techniques, etc. in order to provide a thorough understanding of the embodiments of the invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present invention with unnecessary detail.
In order to explain the technical means of the present invention, the following description will be given by way of specific examples.
Fig. 1 is a flowchart of a first embodiment of an APP behavior monitoring method according to the present invention, and as shown in fig. 1, the APP behavior monitoring method includes the following steps:
S11: Detecting whether the APP is started on the terminal.
In this embodiment, the terminal may be a computing device such as a mobile phone and a tablet computer, on which the APP may be installed and run. In step S11, the start-up of the APP installed on the terminal is detected.
S12: If the APP is detected to be started, judging whether the current operating system of the terminal is abnormal.
In step S12 of this embodiment, when the APP is detected to start, the APP running environment is checked, that is, it is determined whether the current operating system of the terminal is abnormal. Specifically, the criterion for judging whether the operating system is abnormal is whether the current operating system has been jailbroken or rooted.
For example, mobile phone jailbreaking generally refers to iOS jailbreaking, a technical means of obtaining the highest permission of the iOS operating system; using this technique and the associated software, a user can obtain the highest permission of iOS and may even go further and remove the carrier's restrictions on the phone's network.
Root permission is one of the system permissions; obtaining Root permission means obtaining the highest permission of the system, so that any file in the system (including system files) can be added, deleted, modified and queried. A rooted terminal is one on which the highest permission of the operating system has been opened up.
In other embodiments, the APP running environment may be periodically detected and the detection result may be stored, and when detecting that the APP is started, the stored latest detection result is read to determine whether the current operating system of the terminal is abnormal.
S13: If the current operating system of the terminal is abnormal, exiting the APP.
Generally, an attacker analyzes and cracks an APP on an operating system that has been jailbroken or rooted. For safety, the APP is therefore not allowed to be used when the operating system is jailbroken or rooted, which prevents the attacker from cracking the APP. In particular, financial APPs, such as mobile banking APPs, have high security requirements, and such APPs are absolutely not allowed to be used when the operating system is jailbroken or rooted. In step S13 of this embodiment, if the determination result is that the current operating system of the terminal is jailbroken or rooted, the current operating system of the terminal is considered abnormal; for safety, the user is informed that the APP running environment is abnormal, and the started APP is controlled to exit. The user can be prompted in various ways, for example by creating a floating window on the terminal and displaying the information that the APP running environment is abnormal in that window, or by announcing that information by voice.
S14: If the current operating system of the terminal is normal, performing a validity check on the APP.
In step S14 of this embodiment, if the determination result is that the current operating system of the terminal is neither jailbroken nor rooted, the current operating system of the terminal is considered normal, and the validity of the APP is then checked. Specifically, the validity of the APP is checked by verifying the package name and the certificate signature of the APP. If both the package name and the certificate signature of the APP are verified to be legal (they can be verified using the prior art), the APP is considered legal, that is, it passes the validity check. If either the package name or the certificate signature of the APP fails verification, the APP is considered to have failed the validity check.
S15: If the APP passes the validity check, monitoring the running process of the APP, and, when the APP is monitored to exhibit a preset behavior, controlling the preset behavior according to the security policy corresponding to that behavior.
As shown in fig. 2, step S15 of the present embodiment includes the following sub-steps:
S151: If the APP passes the validity check, intercepting and monitoring the API (Application Programming Interface) functions that the APP calls to acquire the privacy device information of the terminal;
S152: When it is monitored that the APP calls an API function for acquiring the privacy device information of the terminal, comparing the stack of the called API function with a preset white list;
S153: If the comparison result is that the stack of the called API function is not in the preset white list, rejecting the APP's call to the API function.
The privacy device information of the terminal includes various identity information of the terminal, such as the mobile phone number and the IMEI of a mobile phone, and may further include the MAC address of the device. The preset white list records the API functions that the APP may legally call in order to implement its various services.
Specifically, in sub-step S151, a Runtime technique is used to intercept and monitor the API functions that the APP calls to acquire the privacy device information of the terminal.
In sub-step S152, when it is monitored that the APP calls an API function for acquiring the privacy device information of the terminal, it is first determined whether the user has authorized the APP to acquire the privacy device information (the user can be made aware when the API function call is monitored); if so, the stack of the called API function is compared with the preset white list.
In sub-step S153, if the comparison result of step S152 is that the stack of the called API function is not in the preset white list, the APP is at that moment acquiring the privacy device information of the terminal beyond the user's original authorization, or is doing business unrelated to that authorization. This behavior is not allowed, so the APP's call to the API function is rejected, which effectively prevents the APP from illegally stealing user privacy data. If the determination result is that the user has not authorized the APP to acquire the privacy device information, the user is prompted to authorize it; if the user grants the authorization, the stack of the called API function is compared with the preset white list, and if the user refuses to authorize the APP to acquire the privacy device information, the APP's call to the API function is rejected. Note that even when the user chooses to authorize the APP to acquire the privacy device information, it is still necessary to monitor whether the APP exceeds that authorization and does things unrelated to the corresponding service, that is, to compare the stack of the API function to be called with the preset white list.
If the comparison result is that the stack of the called API function is in the preset white list, the APP's call to the API function is not interfered with.
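The sketch below models sub-steps S151 to S153 in Python. It is an added example, not code from the patent: the `PrivacyGate` class, the `get_imei` function, the caller names and the allowlist format (chains of innermost callers) are all assumptions made for illustration.

```python
import inspect
from functools import wraps


class PrivacyCallDenied(PermissionError):
    """Raised when an intercepted privacy API call is rejected (S153)."""


def call_chain(frame, limit=8):
    """Return ((module, function), ...) for the callers, innermost first."""
    chain = []
    while frame is not None and len(chain) < limit:
        chain.append((frame.f_globals.get("__name__", "?"), frame.f_code.co_name))
        frame = frame.f_back
    return tuple(chain)


class PrivacyGate:
    def __init__(self, allowlist, prompt_user):
        self.allowlist = allowlist      # api name -> set of permitted caller chains
        self.prompt_user = prompt_user  # callable(api_name) -> bool, the consent prompt
        self.authorized = set()         # APIs the user has already authorized
        self.audit = []                 # (decision, api, immediate caller, reason)

    def _deny(self, api, chain, reason):
        self.audit.append(("deny", api, chain[0][1], reason))
        raise PrivacyCallDenied(reason)

    def guard(self, api):
        """Decorator that intercepts one privacy API (S151)."""
        def decorate(func):
            @wraps(func)
            def wrapper(*args, **kwargs):
                chain = call_chain(inspect.currentframe().f_back)
                # S152: user authorization comes first; prompt if it is missing.
                if api not in self.authorized:
                    if not self.prompt_user(api):
                        self._deny(api, chain, "user refused authorization")
                    self.authorized.add(api)
                # Authorization alone is not enough: the innermost callers must
                # match one allowlisted chain exactly (S152/S153).
                permitted = self.allowlist.get(api, ())
                if not any(chain[:len(c)] == c for c in permitted):
                    self._deny(api, chain, "call stack not in allowlist")
                self.audit.append(("allow", api, chain[0][1], ""))
                return func(*args, **kwargs)
            return wrapper
        return decorate


def run_demo(user_consents=True):
    """Constructed scenario: four hypothetical callers reach one privacy API."""
    mod = __name__
    gate = PrivacyGate(
        allowlist={"get_imei": {
            ((mod, "bind_device"),),                          # direct business caller
            ((mod, "read_identifier"), (mod, "risk_check")),  # helper, only under risk_check
        }},
        prompt_user=lambda api: user_consents,
    )

    @gate.guard("get_imei")
    def get_imei():
        return "000000000000000"  # constructed placeholder value

    def bind_device(): return get_imei()
    def read_identifier(): return get_imei()
    def risk_check(): return read_identifier()
    def ad_sdk_collect(): return read_identifier()  # reuses the helper outside its flow
    def analytics_collect(): return get_imei()      # never allowlisted

    results = {}
    for entry in (bind_device, risk_check, ad_sdk_collect, analytics_collect):
        try:
            entry()
            results[entry.__name__] = "allowed"
        except PrivacyCallDenied as exc:
            results[entry.__name__] = f"denied: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:18} {outcome}")
```

Matching the innermost frames against whole chains, rather than accepting any allowlisted function anywhere on the stack, is what stops `ad_sdk_collect` from borrowing the `read_identifier` helper that is only permitted beneath `risk_check`.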
S16: If the APP does not pass the validity check, prompting the user and controlling the APP to exit.
When the APP fails to pass the validity check, it represents that the APP has been illegally tampered, so in step S16, a prompt is made to the user that the APP has been illegally tampered, and the APP is controlled to exit. The user can be prompted in various ways, for example, a floating window is built on the terminal, prompt information is displayed through the floating window, or the prompt information is reported through voice, and the like.
In a second embodiment of the APP behavior monitoring method of the present invention, referring to fig. 1, the APP behavior monitoring method comprises steps S11-S16. The present embodiment is different from the first embodiment in that, as shown in fig. 3, in the present embodiment, step S15 includes the following sub-steps:
S154: If the APP passes the validity check, monitoring whether the user logs in to the APP;
S155: When it is monitored that the user logs in to the APP, acquiring the IP address and/or location information of the terminal for statistical analysis;
S156: If the analysis result is that the IP address is abnormal and/or the location information has changed, prompting the user accordingly, and controlling the APP to log out, or controlling the APP to log out according to a control instruction input by the user based on the prompt.
Specifically, while the APP is running, whether the user logs in to the APP is monitored. When logging in, the user uploads the current terminal information, the IP address and the location information of the terminal to a server of the APP; at that moment, the corresponding IP address and/or location information of the terminal is acquired for statistical analysis, and the user is prompted if, compared with historical data, the IP address is abnormal and/or the location information has changed. If the control instruction that the user inputs in response to the prompt is to log out, the APP is controlled to log out. This effectively avoids malicious leakage of account information without the user's knowledge, and the security risks that such leakage causes.
In this embodiment, the rest of the cases are the same as those in the first embodiment of the method, and are not described herein again.
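One way the statistical comparison in S155 and S156 could look, shown as an added Python example that is not part of the patent. The rules used here are assumptions: an IP address is treated as abnormal when its /24 (IPv4) or /48 (IPv6) network has never appeared in the account's history, and the location as changed when it is more than 100 km from the previous login. The addresses and coordinates are constructed sample data.

```python
import ipaddress
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Login:
    ip: str
    lat: float
    lon: float


def network_of(ip):
    """Coarsen an address to the network used as the baseline unit (assumed sizes)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def distance_km(a, b):
    """Great-circle (haversine) distance between two logins."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a.lat, a.lon, b.lat, b.lon))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def analyze_login(history, current, max_km=100.0):
    """S155: compare the current login with the account's historical data."""
    if not history:
        # First login: there is no baseline yet, so nothing can be called abnormal.
        return {"baseline": False, "ip_abnormal": False,
                "location_changed": False, "moved_km": 0.0}
    known_networks = {network_of(h.ip) for h in history}
    moved = distance_km(history[-1], current)
    return {
        "baseline": True,
        "ip_abnormal": network_of(current.ip) not in known_networks,
        "location_changed": moved > max_km,
        "moved_km": round(moved, 1),
    }


def handle_login(history, current, ask_user):
    """S156: prompt on an anomaly and act on the user's control instruction."""
    findings = analyze_login(history, current)
    if findings["ip_abnormal"] or findings["location_changed"]:
        # ask_user is a hypothetical prompt callback returning "logout" or "stay".
        if ask_user(findings) == "logout":
            return "logged_out"
    # Logins that were normal, or that the user confirmed, extend the baseline.
    history.append(current)
    return "session_kept"


if __name__ == "__main__":
    # Constructed history: two logins from the same network, a few km apart.
    history = [Login("203.0.113.7", 22.54, 114.06),
               Login("203.0.113.90", 22.55, 114.10)]
    attempts = [Login("203.0.113.200", 22.53, 114.05),   # familiar network, nearby
                Login("198.51.100.4", 39.90, 116.40)]    # new network, far away
    for attempt in attempts:
        print(attempt.ip, analyze_login(history, attempt),
              handle_login(history, attempt, lambda f: "logout"))
```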
In a third embodiment of the APP behavior monitoring method of the present invention, referring to fig. 1, the APP behavior monitoring method comprises steps S11-S16. The present embodiment is different from the first embodiment in that, as shown in fig. 4, in the present embodiment, step S15 includes the following sub-steps:
S157: If the APP passes the validity check, monitoring whether a user carries out a preset sensitive operation on the APP;
S158: If it is monitored that the user carries out a preset sensitive operation on the APP, using the security verification policy corresponding to the preset sensitive operation to perform security verification on that operation;
S159: If the security verification is passed, executing the preset sensitive operation on the APP;
S160: If the security verification fails, rejecting the preset sensitive operation on the APP.
Specifically, the preset sensitive operations include transfer operations, transaction ordering operations, money setting-related operations, and the like. According to the importance degree of the service corresponding to the preset sensitive operation, a corresponding safety verification strategy is preset, when the situation that the user carries out the preset sensitive operation aiming at the APP is monitored in the operation process of the APP, the corresponding safety verification strategy is adopted to carry out safety verification on the preset sensitive operation, the preset sensitive operation is executed if the safety verification is passed, and the preset sensitive operation is refused to be executed if the safety verification is not passed.
The security verification policy can be implemented as multi-factor identity authentication using artificial intelligence technologies such as biometric recognition. For example, depending on the importance of the service corresponding to the preset sensitive operation, a security verification policy that combines face recognition, liveness detection and fingerprint recognition is applied, so as to ensure the authenticity and validity of the user's identity and the security of the user's sensitive data.
In this embodiment, the rest of the cases are the same as those in the first embodiment of the method, and are not described herein again.
In a fourth embodiment of the APP behavior monitoring method of the present invention, referring to fig. 1, the APP behavior monitoring method comprises steps S11-S16. The present embodiment is different from the first embodiment in that, as shown in fig. 5, in the present embodiment, step S15 includes the following sub-steps:
S161: If the APP passes the validity check, monitoring the life cycle of the operation interface of the APP, and monitoring for the operation interface of the APP being switched from running in the foreground to running in the background before the life cycle has ended;
S162: If it is monitored that the operation interface of the APP is switched from running in the foreground to running in the background before the life cycle has ended, prompting the user accordingly.
Specifically, while the APP is running, the life cycle of its operation interface is monitored. An interface hijacking problem, in which the interface is switched from the foreground to the background without any user operation (that is, without a triggering operation from the user being received), is detected and reported to the user, so that the user is alerted and the phishing risk caused by interface hijacking is prevented.
In other embodiments of the method of the present invention, sub-step S162 may further include the following sub-step: if it is monitored that the operation interface of the APP is switched from running in the foreground to running in the background before the life cycle has ended, judging whether the cause of the foreground-to-background switch is legal or illegal, and, when the cause is judged to be illegal, prompting the user accordingly and controlling the APP to exit. Whether the cause of the foreground-to-background switch is legal can be judged in various ways, for example by whether the switch was caused by a preset event, such as an incoming phone call, voice call or video call, or a call being connected.
In a fifth embodiment of the APP behavior monitoring method of the present invention, referring to fig. 1, the APP behavior monitoring method comprises steps S11-S16. The present embodiment is different from the first embodiment in that, as shown in fig. 6, in the present embodiment, step S15 includes the following sub-steps:
S163: If the APP passes the validity check, monitoring whether the interface of the APP is being screen-recorded or screen-captured;
S164: When screen recording or screen capture of the interface of the APP is monitored, prompting the user accordingly.
Specifically, while the APP is running, screen recording and screen capture of its operation interface are monitored, and the user is prompted when such operations are detected. Further, according to a control instruction that the user inputs in response to the prompt, the screen recording or screen capture is stopped and any picture obtained by screen capture is deleted. This effectively prevents the security risk caused by malicious recording of the user's operations. Further, when screen recording or screen capture of the operation interface of the APP is detected, it may be determined whether the object that triggered the operation is legal. For example, screen recording or screen capture triggered by an application in the application white list is determined to be legal, and screen recording or screen capture triggered by a specific user operation is determined to be legal (for example, when it is monitored that the user presses the power key and a volume key of the mobile phone at the same time); otherwise, the screen recording or screen capture is determined to be illegal.
The contents of the embodiments of the APP behavior monitoring method of the present invention may be combined arbitrarily, for example, step S15 of one embodiment of the method of the present invention includes the substeps described in all the embodiments above.
The present invention further provides an APP behavior monitoring apparatus, where each unit included in the APP behavior monitoring apparatus is configured to execute each step in the method embodiments corresponding to fig. 1 to 6. Please refer to the related descriptions of the embodiments corresponding to fig. 1-6. Fig. 7 shows an exploded schematic diagram of a first embodiment of an APP behavior monitoring apparatus 700 of the present invention, and as shown in fig. 7, the APP behavior monitoring apparatus 700 includes:
a start monitoring unit 710, configured to detect whether there is an APP start on the terminal;
a determining unit 720, configured to determine whether a current operating system of the terminal is abnormal when detecting that the APP is started;
the first control unit 730 is configured to prompt a user when a current operating system of the terminal is abnormal, and control the APP to exit;
an APP verification unit 740, configured to perform validity verification on the APP when the current operating system of the terminal is normal;
the operation monitoring unit 750 is configured to monitor an operation process of the APP when the APP passes validity check, and control a preset behavior according to a security policy corresponding to the preset behavior when the APP is monitored to have the preset behavior;
and the second control unit 760 is configured to prompt the user and control the APP to exit when the APP fails to pass the validity check.
Wherein the operation monitoring unit 750 includes:
the API function calling monitoring module is used for intercepting and monitoring an API function called by the APP and used for acquiring the privacy equipment information of the terminal when the APP passes the validity check;
the comparison module is used for comparing a stack of the called API function with a preset white list when monitoring that the APP calls the API function used for acquiring the privacy equipment information of the terminal;
and the first processing module is used for rejecting the calling of the APP to the API function when the comparison result is that the stack of the called API function is not in the preset white list.
And/or, the operation monitoring unit 750 includes:
the login monitoring module is used for monitoring whether a user logs in the APP or not when the APP passes the validity check;
the statistical analysis module is used for acquiring the IP address and/or the position information of the terminal for statistical analysis when the monitoring user logs in the APP;
and the second processing module is used for carrying out corresponding prompt on the user when the analysis result is that the IP address is abnormal and/or the position information changes, and controlling the APP to log out or controlling the APP to log out according to a control instruction input by the user based on the prompt.
And/or, the operation monitoring unit 750 includes:
the sensitive operation monitoring module is used for monitoring whether a user carries out preset sensitive operation on the APP or not when the APP passes the validity check;
the safety verification module is used for adopting a safety verification strategy corresponding to preset sensitive operation to perform safety verification on the preset sensitive operation when monitoring that the user performs the preset sensitive operation on the APP;
the third processing module is used for executing preset sensitive operation aiming at the APP when the safety verification passes;
and the fourth processing module is used for refusing preset sensitive operation aiming at the APP when the safety verification fails.
And/or, the operation monitoring unit 750 includes:
the first interface monitoring module is used for monitoring the life cycle of the operation interface of the APP when the APP passes the validity check, and for monitoring whether the operation interface of the APP is switched from foreground operation to background operation before the life cycle has ended;
and the fifth processing module is used for prompting the user accordingly when it is monitored that the operation interface of the APP has been switched from foreground operation to background operation before the life cycle has ended.
And/or, the operation monitoring unit 750 includes:
the second interface monitoring module is used for monitoring whether the interface of the APP is being screen-recorded or screen-captured when the APP passes the validity check;
and the sixth processing module is used for prompting the user accordingly when screen recording or screen capturing of the interface of the APP is monitored.
The present invention also provides a terminal, as shown in fig. 8, the terminal 100 includes: a processor 101, a memory 102, and a computer program 103 stored in the memory 102 and operable on the processor 101. The steps in the embodiments of the APP behavior monitoring method described above are implemented when the processor 101 executes the computer program 103.
Illustratively, the computer program 103 may be partitioned into one or more units/modules, which are stored in the memory 102 and executed by the processor 101 to carry out the invention.
The terminal 100 may include, but is not limited to, a processor 101 and a memory 102. Those skilled in the art will appreciate that fig. 8 is only an example of the terminal 100 and does not constitute a limitation of the terminal 100; the terminal 100 may include more or fewer components than those shown, may combine some components, or may use different components. For example, the terminal 100 may further include input and output devices, network access devices, buses, etc.
The processor 101 may be a Central Processing Unit (CPU), another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory 102 may be an internal storage unit of the terminal 100, such as a hard disk or a memory of the terminal 100. The memory 102 may also be an external storage device of the terminal 100, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash memory card (Flash Card), etc. provided on the terminal 100. Further, the memory 102 may include both internal storage units of the terminal 100 and external storage devices. The memory 102 is used for storing the computer program 103 and other programs and data required by the terminal 100. The memory 102 may also be used to temporarily store data that has been output or is to be output.
The invention further provides a storage medium, which stores a computer program, and the computer program, when executed by a processor, implements the steps in any embodiment of the APP behavior monitoring method.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and reference may be made to the related descriptions of other embodiments for parts that are not described or illustrated in a certain embodiment.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present invention, and are intended to be included within the scope of the present invention.

Claims (10)

1. An APP behavior monitoring method is characterized by comprising the following steps:
detecting whether the APP is started on the terminal;
if the APP is detected to be started, judging whether a current operating system of the terminal is abnormal;
if the current operating system of the terminal is abnormal, prompting a user and controlling the APP to exit;
if the current operating system of the terminal is normal, carrying out validity check on the APP;
if the APP passes the validity check, monitoring the operation process of the APP, and controlling a preset behavior according to a security policy corresponding to the preset behavior when the preset behavior of the APP is monitored;
and if the APP does not pass the validity check, prompting a user and controlling the APP to exit.
2. The method according to claim 1, wherein the determining whether the current operating system of the terminal is abnormal comprises:
judging whether the current operating system of the terminal is jailbroken or rooted (ROOT);
the current operating system of the terminal being abnormal comprises:
the current operating system of the terminal is jailbroken or rooted;
the current operating system of the terminal being normal comprises:
the current operating system of the terminal is not jailbroken or not rooted.
3. The method of claim 1, wherein said checking the validity of the APP comprises:
and carrying out validity check on the package name and the certificate signature of the APP.
4. The method according to claim 1, wherein when a preset behavior of the APP is monitored, controlling the preset behavior according to a security policy corresponding to the preset behavior includes:
when monitoring that the APP calls an API function used for acquiring the privacy equipment information of the terminal, comparing a stack of the called API function with a preset white list;
and if the comparison result is that the stack of the called API function is not in the preset white list, rejecting the APP's call to the API function.
5. The method according to claim 1, wherein when a preset behavior of the APP is monitored, controlling the preset behavior according to a security policy corresponding to the preset behavior includes:
when monitoring that a user logs in to the APP, acquiring the IP address and/or the position information of the terminal for statistical analysis;
and if the analysis result is that the IP address is abnormal and/or the position information has changed, prompting the user accordingly, and controlling the APP to log out, either directly or according to a control instruction input by the user based on the prompt.
6. The method according to claim 1, wherein when a preset behavior of the APP is monitored, controlling the preset behavior according to a security policy corresponding to the preset behavior includes:
when it is monitored that the interface of the APP is switched from foreground operation to background operation before its life cycle has ended, prompting the user accordingly; and/or
when screen recording or screen capturing of the interface of the APP is monitored, prompting the user accordingly.
7. The method according to claim 1, wherein when a preset behavior of the APP is monitored, controlling the preset behavior according to a security policy corresponding to the preset behavior includes:
if it is monitored that a user carries out a preset sensitive operation on the APP, performing safety verification on the preset sensitive operation using the safety verification strategy corresponding to that operation;
if the safety verification passes, executing the preset sensitive operation on the APP;
and if the safety verification fails, rejecting the preset sensitive operation on the APP.
8. An APP behavior monitoring device, comprising:
the starting monitoring unit is used for detecting whether the APP is started on the terminal;
the judging unit is used for judging whether the current operating system of the terminal is abnormal or not when the APP is detected to be started;
the first control unit is used for prompting a user when the current operating system of the terminal is abnormal and controlling the APP to exit;
the APP verification unit is used for verifying the validity of the APP when the current operating system of the terminal is normal;
the operation monitoring unit is used for monitoring the operation process of the APP when the APP passes the validity check, and for controlling a preset behavior according to the security policy corresponding to the preset behavior when the preset behavior of the APP is monitored;
and the second control unit is used for prompting the user when the APP does not pass the validity check and controlling the APP to exit.
9. A terminal comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the steps of the method according to any of claims 1 to 7 when executing the computer program.
10. A storage medium storing a computer program, characterized in that the computer program realizes the steps of the method according to any one of claims 1 to 7 when executed by a processor.
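
The decision order of claim 1 combined with the stack whitelist comparison of claim 4, as an added example that is not part of the patent text. The package name, certificate digest, whitelist prefixes, and the rule that the nearest non-platform caller must match the whitelist are assumptions; the patent does not specify how the stack is compared.

```python
from dataclasses import dataclass
from enum import Enum

class Verdict(Enum):
    ALLOW = "allow"
    EXIT_OS_ABNORMAL = "prompt user, exit APP: OS is jailbroken or rooted"
    EXIT_INVALID_APP = "prompt user, exit APP: package name or signature mismatch"
    REJECT_CALL = "reject call: caller stack not in whitelist"

@dataclass(frozen=True)
class AppStart:
    os_compromised: bool   # outcome of the jailbreak/root check (claim 2)
    package_name: str      # checked per claim 3
    cert_sha256: str       # digest of the signing certificate (claim 3)

# All values below are constructed for this example (assumptions).
EXPECTED_PACKAGE = "com.example.trade"
EXPECTED_CERT = "ab" * 32
PRIVACY_APIS = {"android.telephony.TelephonyManager.getDeviceId"}
# Trailing dots stop "com.example.trade.loginspoof" from matching "...login".
STACK_WHITELIST = ("com.example.trade.login.", "com.example.trade.risk.")
RUNTIME_PREFIXES = ("android.", "java.", "dalvik.", "com.android.")

def immediate_caller(stack):
    """First frame that is not platform code; stack is innermost-first."""
    for frame in stack:
        if not frame.startswith(RUNTIME_PREFIXES):
            return frame
    return None  # nothing attributable, e.g. a truncated stack

def stack_in_whitelist(stack):
    caller = immediate_caller(stack)
    # Fail closed when the call cannot be attributed to any app code.
    return caller is not None and caller.startswith(STACK_WHITELIST)

def check_start(start):
    """Claim 1 ordering: OS state first, then package name and signature."""
    if start.os_compromised:
        return Verdict.EXIT_OS_ABNORMAL
    if (start.package_name, start.cert_sha256) != (EXPECTED_PACKAGE, EXPECTED_CERT):
        return Verdict.EXIT_INVALID_APP
    return Verdict.ALLOW

def check_api_call(start, api, stack):
    """Claim 4: runtime monitoring applies only after the start checks pass."""
    verdict = check_start(start)
    if verdict is not Verdict.ALLOW:
        return verdict
    if api in PRIVACY_APIS and not stack_in_whitelist(stack):
        return Verdict.REJECT_CALL
    return Verdict.ALLOW

GOOD = AppStart(False, EXPECTED_PACKAGE, EXPECTED_CERT)
API = "android.telephony.TelephonyManager.getDeviceId"
SDK_VIA_REFLECTION = [API, "java.lang.reflect.Method.invoke",
                      "com.thirdparty.ads.Tracker.collect",
                      "com.example.trade.login.LoginActivity.onCreate"]
```

Skipping platform frames means a reflective call is still attributed to the code that initiated it, so `SDK_VIA_REFLECTION` is rejected even though whitelisted code sits further down the stack.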
CN202110160517.7A 2021-02-05 2021-02-05 APP behavior monitoring method and device, terminal and storage medium Pending CN112817822A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110160517.7A CN112817822A (en) 2021-02-05 2021-02-05 APP behavior monitoring method and device, terminal and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110160517.7A CN112817822A (en) 2021-02-05 2021-02-05 APP behavior monitoring method and device, terminal and storage medium

Publications (1)

Publication Number Publication Date
CN112817822A true CN112817822A (en) 2021-05-18

Family

ID=75861804

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110160517.7A Pending CN112817822A (en) 2021-02-05 2021-02-05 APP behavior monitoring method and device, terminal and storage medium

Country Status (1)

Country Link
CN (1) CN112817822A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103366104A (en) * 2013-07-22 2013-10-23 腾讯科技(深圳)有限公司 Method and device for controlling accessing of application
US20170068810A1 (en) * 2014-02-21 2017-03-09 Beijing Qihoo Technology Company Limited Method and apparatus for installing an application program based on an intelligent terminal device
CN108229171A (en) * 2018-02-11 2018-06-29 腾讯科技(深圳)有限公司 Driver processing method, device and storage medium
CN111062032A (en) * 2019-12-13 2020-04-24 上海钧正网络科技有限公司 Anomaly detection method and system and computer-readable storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
骆鉴等 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022100660A1 (en) * 2020-11-13 2022-05-19 奇安信科技集团股份有限公司 Behavior control method, apparatus, electronic device, and storage medium
CN113656793A (en) * 2021-08-13 2021-11-16 展讯通信(上海)有限公司 Method and device for monitoring instant messaging program on terminal, storage medium and terminal
TWI836263B (en) * 2021-09-02 2024-03-21 大陸商鼎捷軟件股份有限公司 Interface control system and method
CN115361470A (en) * 2022-08-26 2022-11-18 中国银行股份有限公司 Method and device for limiting mobile terminal APP operation network environment
CN115361470B (en) * 2022-08-26 2024-02-27 中国银行股份有限公司 Method and device for limiting mobile terminal APP operation network environment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210518