[go: up one dir, main page]

WO2015067170A1 - Method and system for analyzing android application program - Google Patents

Method and system for analyzing android application program Download PDF

Info

Publication number
WO2015067170A1
WO2015067170A1 PCT/CN2014/090302 CN2014090302W WO2015067170A1 WO 2015067170 A1 WO2015067170 A1 WO 2015067170A1 CN 2014090302 W CN2014090302 W CN 2014090302W WO 2015067170 A1 WO2015067170 A1 WO 2015067170A1
Authority
WO
WIPO (PCT)
Prior art keywords
analysis
privacy
instruction
instructions
involve
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2014/090302
Other languages
French (fr)
Chinese (zh)
Inventor
柴洪峰
束骏亮
鲁志军
李卷孺
刘发章
林培胜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Unionpay Co Ltd
Original Assignee
China Unionpay Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Unionpay Co Ltd filed Critical China Unionpay Co Ltd
Publication of WO2015067170A1 publication Critical patent/WO2015067170A1/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability

Definitions

  • the present invention relates to information security and, more particularly, to methods and systems for analyzing Android applications.
  • the identification of privacy breaches is usually performed after a privacy breach has occurred. For example, after a privacy leak occurs on a device running the Android platform, the application on the Android platform is analyzed and detected (for example, analyzing and detecting the resources used by the application, and the data received and received) to ascertain the privacy leakage.
  • the existing technical solution deals with privacy leakage in a remedial form according to the result data of the application running, coping with time lag and failing to prevent privacy leakage. Therefore, there is a need for a technical solution that can prevent privacy breaches.
  • a method of analyzing an Android application including the following steps:
  • this step includes:
  • the above privacy leakage analysis step comprises:
  • An instruction in a key instruction and other instructions related to the key instruction that performs an operation of exchanging data with the outside world is marked as an instruction that may involve a privacy leak.
  • the method further comprises the steps of:
  • this step includes:
  • the step of analyzing the behavior of the dynamic data comprises:
  • the behavior involving privacy leakage is identified according to a predetermined analysis algorithm.
  • the foregoing privacy leakage analysis step further comprises:
  • the step of dynamic analysis in operation further comprises:
  • a system for analyzing an Android application including:
  • a pre-run static analysis device comprising:
  • An extracting unit for extracting a binary file related to a logic flow in an application file
  • a decompilation unit for decompiling the binary file to obtain decompiled code
  • the first analysis unit is configured to perform a privacy leak analysis on the decompiled code to identify an instruction that may involve a privacy leak.
  • the first analysis unit is configured to:
  • An instruction in a key instruction and other instructions related to the key instruction that performs an operation of exchanging data with the outside world is marked as an instruction that may involve a privacy leak.
  • the system further comprises:
  • a dynamic analysis device in operation comprising:
  • the second analysis unit is configured to analyze the behavior of the dynamic data and identify behaviors involving privacy leakage.
  • the second analysis unit is configured to:
  • the behavior involving privacy leakage is identified according to a predetermined analysis algorithm.
  • the first analysis unit is further configured to:
  • the second analysis unit is further configured to:
  • One advantage of the present invention is the ability to perform pre-run static analysis and runtime dynamic analysis to detect privacy breaches.
  • An advantage of the present invention is that it can comprehensively use the dynamic analysis of the behavior of the application that triggers the application during the static analysis and the running process, and analyzes the relevant instructions related to the privacy leakage and the operation of the statistical application according to the predetermined algorithm to determine whether the privacy is stored.
  • One advantage of the present invention is that a privacy breach analysis report is generated.
  • One advantage of the present invention is that it can detect the leakage of private data at the layer of the application without modifying the underlying layer of the Android system, and does not impose an additional burden on the Android system.
  • FIG. 1 is a schematic diagram of the steps of a method of analyzing an Android application, in accordance with one embodiment of the present invention.
  • FIG. 2 is a schematic diagram of the steps of a method of analyzing an Android application, in accordance with one embodiment of the present invention.
  • FIG. 3 is a schematic diagram of the steps of a method of analyzing an Android application, in accordance with one embodiment of the present invention.
  • FIG. 4 is a schematic structural diagram of a system for analyzing an Android application according to an embodiment of the present invention.
  • FIG. 1 is a schematic diagram of the steps of a method of analyzing an Android application, in accordance with one embodiment of the present invention. As shown, the method includes the following steps:
  • Step 101 Extract a binary file related to the logic flow in the application file
  • Step 102 Decompile the binary file to obtain decompiled code.
  • Step 103 Perform a privacy disclosure analysis on the decompiled code to identify an instruction that may involve a privacy breach.
  • privacy disclosure refers to the disclosure of sensitive information about Android devices and users to third parties.
  • FIG. 2 is a schematic diagram showing the steps of a method of analyzing an Android application according to another embodiment of the present invention.
  • Figure 2 further describes the situation with respect to step 103 of Figure 1.
  • the privacy breach analysis steps include:
  • Step 1031 Find key instructions related to private data in the decompiled code
  • Step 1032 Determine whether the key instruction and other instructions related to the key instruction perform an operation of exchanging data with the outside world.
  • Step 1033 Mark the instruction of the key instruction and other instructions related to the key instruction to perform an operation of exchanging data with the outside world as an instruction that may involve a privacy leak.
  • data exchange with the outside world refers to the exchange of private data with a third party.
  • a static analysis report can be generated.
  • FIG. 3 is a schematic diagram showing the steps of a method of analyzing an Android application according to another embodiment of the present invention.
  • the method describes the running dynamic analysis of the application. As shown in FIG. 3, the method includes the following steps:
  • Step 201 Record dynamic data of the application at runtime
  • Step 202 Analyze the behavior of the dynamic data to identify behaviors involving privacy breaches.
  • the behavior of dynamic data refers to operations related to the dynamic data.
  • the behavior of the application can be actively triggered to record the dynamic data of the runtime as completely as possible.
  • information such as Class, Method, Opcode, String, etc. of the running application may be obtained from the dynamic data, and the behavior of the leaking private data that may exist may be identified therefrom. For example, you can configure policies to perform different types of behavioral analysis.
  • the pre-run static analysis and the in-run dynamic analysis described above are combined.
  • the step of analyzing the behavior of the dynamic data may include: analyzing, in the dynamic data, a portion related to the instruction that may be involved in the privacy leakage identified by the static analysis, and according to the predetermined analysis.
  • the algorithm identifies behaviors involving privacy breaches.
  • This embodiment improves the efficiency of identifying privacy leaks through comprehensive analysis.
  • a privacy breach security analysis report is also generated.
  • the system includes a pre-run static analysis device, the device comprising: an extracting unit for extracting a binary file related to a logic flow in an application file, and a decompilation unit for decompiling the binary file
  • the decompiled code, the first analysis unit is configured to perform a privacy leak analysis on the decompiled code to identify an instruction that may involve a privacy leak.
  • the first analysis unit is configured to:
  • An instruction in a key instruction and other instructions related to the key instruction that performs an operation of exchanging data with the outside world is marked as an instruction that may involve a privacy leak.
  • system can also include an in-service dynamic analysis device, the device comprising:
  • the second analysis unit is configured to analyze the behavior of the dynamic data and identify behaviors involving privacy leakage.
  • the monitoring unit can be deployed at the bottom of the Android system to avoid overloading the system.
  • the monitoring unit loaded into the Android system sends the recorded dynamic data to the second analysis unit for further analysis.
  • the second analysis unit is configured to:
  • the behavior involving privacy leakage is identified according to a predetermined analysis algorithm.
  • the second analysis unit also receives an instruction from the first analysis unit that may involve a privacy leak.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

Disclosed are a method and device for analyzing an Android application program. The method comprises the following step: performing static analysis before operation, and the step comprises: extracting a binary file relating to a logical flow in an application program file; conducting de-compilation on the binary file to obtain a de-compilation code; and conducting privacy disclosure analysis on the de-compilation code, and recognizing an instruction possibly relating to privacy disclosure.

Description

一种分析Android应用程序的方法和系统Method and system for analyzing Android application 技术领域Technical field

本发明涉及信息安全,并且尤其涉及分析Android应用程序的方法和系统。The present invention relates to information security and, more particularly, to methods and systems for analyzing Android applications.

背景技术Background technique

在现有技术中,查明隐私泄露通常在隐私泄露事件发生后进行。例如,在运行Android平台的设备发生了隐私泄露之后,对Android平台上的应用程序进行分析检测(例如分析检测该应用程序使用过的资源,收发过的数据)从而查明隐私泄露。In the prior art, the identification of privacy breaches is usually performed after a privacy breach has occurred. For example, after a privacy leak occurs on a device running the Android platform, the application on the Android platform is analyzed and detected (for example, analyzing and detecting the resources used by the application, and the data received and received) to ascertain the privacy leakage.

现有的技术方案根据应用程序运行的结果数据以补救的形式来处理隐私泄露,应对时间滞后而且无法预防隐私泄露。因此,需要一种能够预防隐私泄露的技术方案。The existing technical solution deals with privacy leakage in a remedial form according to the result data of the application running, coping with time lag and failing to prevent privacy leakage. Therefore, there is a need for a technical solution that can prevent privacy breaches.

发明内容Summary of the invention

根据本发明的一个目的,公开一种分析Android应用程序的方法,包括以下步骤:According to one aspect of the present invention, a method of analyzing an Android application is disclosed, including the following steps:

运行前静态分析,该步骤包括:Static analysis before running, this step includes:

提取应用程序文件中的涉及逻辑流程的二进制文件,Extract the binary files involved in the logic flow in the application file,

对该二进制文件进行反编译得到反编译代码,Decompiling the binary to get the decompiled code.

对该反编译代码进行隐私泄露分析,识别可能涉及隐私泄露的指令。Perform a privacy disclosure analysis of the decompiled code to identify instructions that may involve privacy breaches.

优选地,上述隐私泄露分析步骤包括:Preferably, the above privacy leakage analysis step comprises:

在反编译代码中查找涉及隐私数据的关键指令,Find key instructions in the decompiled code that involve private data.

判断关键指令和与该关键指令相关的其它指令是否执行与外界进行数据交换的操作,Determining whether a key instruction and other instructions related to the key instruction perform an operation of exchanging data with the outside world,

将关键指令和与该关键指令相关的其它指令中的执行与外界进行数据交换的操作的指令标记为可能涉及隐私泄露的指令。An instruction in a key instruction and other instructions related to the key instruction that performs an operation of exchanging data with the outside world is marked as an instruction that may involve a privacy leak.

优选地,该方法还包括以下步骤:Preferably, the method further comprises the steps of:

运行中动态分析,该步骤包括:Dynamic analysis in operation, this step includes:

记录应用程序在运行时的动态数据,Record the dynamic data of the application at runtime,

分析动态数据的行为,识别涉及隐私泄露的行为。Analyze the behavior of dynamic data and identify behaviors that involve privacy breaches.

优选地,分析动态数据的行为的步骤包括:Preferably, the step of analyzing the behavior of the dynamic data comprises:

分析动态数据中的与通过静态分析识别的可能涉及隐私泄露的指令相关的部分,Analyze the parts of the dynamic data that are related to instructions that may be involved in privacy breaches identified by static analysis,

根据预定的分析算法识别涉及隐私泄露的行为。The behavior involving privacy leakage is identified according to a predetermined analysis algorithm.

优选地,上述隐私泄露分析步骤还包括:Preferably, the foregoing privacy leakage analysis step further comprises:

生成静态分析报告。 Generate a static analysis report.

优选地,运行中动态分析的步骤还包括:Preferably, the step of dynamic analysis in operation further comprises:

生成隐私泄露安全分析报告。Generate a privacy disclosure security analysis report.

根据本发明的一个目的,公开一种分析Android应用程序的系统,包括:According to one aspect of the present invention, a system for analyzing an Android application is disclosed, including:

运行前静态分析装置,该装置包括:A pre-run static analysis device comprising:

提取单元,用于提取应用程序文件中的涉及逻辑流程的二进制文件,An extracting unit for extracting a binary file related to a logic flow in an application file,

反编译单元,用于对该二进制文件进行反编译得到反编译代码,a decompilation unit for decompiling the binary file to obtain decompiled code,

第一分析单元,用于对该反编译代码进行隐私泄露分析,识别可能涉及隐私泄露的指令。The first analysis unit is configured to perform a privacy leak analysis on the decompiled code to identify an instruction that may involve a privacy leak.

优选地,所述第一分析单元被配置成:Preferably, the first analysis unit is configured to:

在反编译代码中查找涉及隐私数据的关键指令,Find key instructions in the decompiled code that involve private data.

判断关键指令和与该关键指令相关的其它指令是否执行与外界进行数据交换的操作,Determining whether a key instruction and other instructions related to the key instruction perform an operation of exchanging data with the outside world,

将关键指令和与该关键指令相关的其它指令中的执行与外界进行数据交换的操作的指令标记为可能涉及隐私泄露的指令。An instruction in a key instruction and other instructions related to the key instruction that performs an operation of exchanging data with the outside world is marked as an instruction that may involve a privacy leak.

优选地,该系统还包括:Preferably, the system further comprises:

运行中动态分析装置,该装置包括:A dynamic analysis device in operation, the device comprising:

监控单元,用于记录应用程序在运行时的动态数据,A monitoring unit for recording dynamic data of an application at runtime,

第二分析单元,用于分析动态数据的行为,识别涉及隐私泄露的行为。The second analysis unit is configured to analyze the behavior of the dynamic data and identify behaviors involving privacy leakage.

优选地,所述第二分析单元被配置成:Preferably, the second analysis unit is configured to:

分析动态数据中的与通过静态分析识别的可能涉及隐私泄露的指令相关的部分,Analyze the parts of the dynamic data that are related to instructions that may be involved in privacy breaches identified by static analysis,

根据预定的分析算法识别涉及隐私泄露的行为。The behavior involving privacy leakage is identified according to a predetermined analysis algorithm.

优选地,所述第一分析单元还被配置成:Preferably, the first analysis unit is further configured to:

生成静态分析报告。Generate a static analysis report.

优选地,所述第二分析单元还被配置成:Preferably, the second analysis unit is further configured to:

生成隐私泄露安全分析报告。Generate a privacy disclosure security analysis report.

本发明的一个优势在于,能够进行运行前静态分析与运行时动态分析来检测隐私泄露。本发明的一个优势在于,能够综合使用运行前静态分析和运行过程中触发应用程序的行为的动态分析,根据预定的算法分析统计应用中涉及到隐私泄露的相关指令及其操作从而判定是否存隐私泄露。本发明的一个优势在于,生成隐私泄露分析报告。本发明的一个优势在于,能够在应用程序的层面对隐私数据的泄漏进行检测,无需对Android系统底层进行修改,也不会对Android系统造成额外的负担。One advantage of the present invention is the ability to perform pre-run static analysis and runtime dynamic analysis to detect privacy breaches. An advantage of the present invention is that it can comprehensively use the dynamic analysis of the behavior of the application that triggers the application during the static analysis and the running process, and analyzes the relevant instructions related to the privacy leakage and the operation of the statistical application according to the predetermined algorithm to determine whether the privacy is stored. Give way. One advantage of the present invention is that a privacy breach analysis report is generated. One advantage of the present invention is that it can detect the leakage of private data at the layer of the application without modifying the underlying layer of the Android system, and does not impose an additional burden on the Android system.

附图说明 DRAWINGS

在参照附图阅读了本发明的具体实施方式以后,本领域技术人员将会更清楚地了解本发明的各个方面。本领域技术人员应当理解的是,这些附图仅仅用于配合具体实施方式说明本发明的技术方案,而并非意在对本发明的保护范围构成限制。Various aspects of the present invention will become apparent to those skilled in the <RTIgt; It should be understood by those skilled in the art that these drawings are only used to illustrate the technical solutions of the present invention, and are not intended to limit the scope of the present invention.

图1是根据本发明一个实施例的分析Android应用程序的方法的步骤示意图。1 is a schematic diagram of the steps of a method of analyzing an Android application, in accordance with one embodiment of the present invention.

图2是根据本发明一个实施例的分析Android应用程序的方法的步骤示意图。2 is a schematic diagram of the steps of a method of analyzing an Android application, in accordance with one embodiment of the present invention.

图3是根据本发明一个实施例的分析Android应用程序的方法的步骤示意图。3 is a schematic diagram of the steps of a method of analyzing an Android application, in accordance with one embodiment of the present invention.

图4是根据本发明一个实施例的分析Android应用程序的系统的结构示意图。4 is a schematic structural diagram of a system for analyzing an Android application according to an embodiment of the present invention.

具体实施方式detailed description

下面参照附图,对本发明的具体实施方式作进一步的详细描述。在下面的描述中,为了解释的目的,陈述许多具体细节以便提供对实施例的一个或多个方面的透彻理解。然而,对于本领域技术人员可以显而易见的是,可以这些具体细节的较少程度来实践各实施例的一个或多个方面。因此下面的描述不被视为局限性的,而是通过所附权利要求来限定保护范围。Specific embodiments of the present invention will be further described in detail below with reference to the drawings. In the following description, numerous specific details are set forth However, it will be apparent to those skilled in the art that one or more aspects of the various embodiments can be The following description is therefore not to be taken in a limiting

图1是根据本发明一个实施例的分析Android应用程序的方法的步骤示意图。如图所示,该方法包括以下步骤:1 is a schematic diagram of the steps of a method of analyzing an Android application, in accordance with one embodiment of the present invention. As shown, the method includes the following steps:

步骤101:提取应用程序文件中的涉及逻辑流程的二进制文件,Step 101: Extract a binary file related to the logic flow in the application file,

步骤102:对该二进制文件进行反编译得到反编译代码,Step 102: Decompile the binary file to obtain decompiled code.

步骤103:对该反编译代码进行隐私泄露分析,识别可能涉及隐私泄露的指令。Step 103: Perform a privacy disclosure analysis on the decompiled code to identify an instruction that may involve a privacy breach.

上述3个步骤是应用程序的运行前静态分析。这里,隐私泄露是指将关于Android设备和用户的敏感信息泄露给第三方的情况。The above three steps are the pre-run static analysis of the application. Here, privacy disclosure refers to the disclosure of sensitive information about Android devices and users to third parties.

图2是根据本发明另一个实施例的分析Android应用程序的方法的步骤示意图。图2进一步描述关于图1中步骤103的情况。如图所示,隐私泄露分析步骤包括:2 is a schematic diagram showing the steps of a method of analyzing an Android application according to another embodiment of the present invention. Figure 2 further describes the situation with respect to step 103 of Figure 1. As shown, the privacy breach analysis steps include:

步骤1031:在反编译代码中查找涉及隐私数据的关键指令,Step 1031: Find key instructions related to private data in the decompiled code,

步骤1032:判断关键指令和与该关键指令相关的其它指令是否执行与外界进行数据交换的操作,Step 1032: Determine whether the key instruction and other instructions related to the key instruction perform an operation of exchanging data with the outside world.

步骤1033:将关键指令和与该关键指令相关的其它指令中的执行与外界进行数据交换的操作的指令标记为可能涉及隐私泄露的指令。Step 1033: Mark the instruction of the key instruction and other instructions related to the key instruction to perform an operation of exchanging data with the outside world as an instruction that may involve a privacy leak.

这里,与外界进行数据交换是指与第三方进行隐私数据的交换。在一个示例中,可以生成静态分析报告。Here, data exchange with the outside world refers to the exchange of private data with a third party. In one example, a static analysis report can be generated.

图3是根据本发明另一个实施例的分析Android应用程序的方法的步骤示意图。在该 方法中,描述应用程序的运行中动态分析。如图3所示,该方法包括以下步骤:3 is a schematic diagram showing the steps of a method of analyzing an Android application according to another embodiment of the present invention. In the In the method, describe the running dynamic analysis of the application. As shown in FIG. 3, the method includes the following steps:

步骤201:记录应用程序在运行时的动态数据,Step 201: Record dynamic data of the application at runtime,

步骤202:分析动态数据的行为,识别涉及隐私泄露的行为。Step 202: Analyze the behavior of the dynamic data to identify behaviors involving privacy breaches.

这里,动态数据的行为是指与该动态数据相关的操作。通过分析动态数据能够对应用程序运行中的一切操作进行监控和判断,从而识别应用程序在运行期间是否进行了泄漏隐私数据的操作。Here, the behavior of dynamic data refers to operations related to the dynamic data. By analyzing dynamic data, it is possible to monitor and judge all operations in the running of the application to identify whether the application has leaked private data during operation.

在一个示例中,可以主动触发应用程序的行为,从而记录尽可能完全的运行时的动态数据。In one example, the behavior of the application can be actively triggered to record the dynamic data of the runtime as completely as possible.

在一个示例中,可以根据动态数据获取例如运行中应用程序的Class、Method、Opcode、String等信息,并从中识别出可能存在的泄漏隐私数据的行为。例如,可以配置策略来进行不同类型的行为分析。In one example, information such as Class, Method, Opcode, String, etc. of the running application may be obtained from the dynamic data, and the behavior of the leaking private data that may exist may be identified therefrom. For example, you can configure policies to perform different types of behavioral analysis.

在一个实施例中,将上述的运行前静态分析和运行中动态分析相结合。此时,对于上述实施例中的步骤202来说,分析动态数据的行为的步骤可以包括:分析动态数据中的与通过静态分析识别的可能涉及隐私泄露的指令相关的部分,以及根据预定的分析算法识别涉及隐私泄露的行为。In one embodiment, the pre-run static analysis and the in-run dynamic analysis described above are combined. At this time, for step 202 in the above embodiment, the step of analyzing the behavior of the dynamic data may include: analyzing, in the dynamic data, a portion related to the instruction that may be involved in the privacy leakage identified by the static analysis, and according to the predetermined analysis. The algorithm identifies behaviors involving privacy breaches.

该实施例通过综合分析提高了识别隐私泄露的行为的效率。在一个示例中,还生成隐私泄露安全分析报告。This embodiment improves the efficiency of identifying privacy leaks through comprehensive analysis. In one example, a privacy breach security analysis report is also generated.

图4是根据本发明一个实施例的分析Android应用程序的系统的结构示意图。如图所示,该系统包括运行前静态分析装置,该装置包括:提取单元,用于提取应用程序文件中的涉及逻辑流程的二进制文件,反编译单元,用于对该二进制文件进行反编译得到反编译代码,第一分析单元,用于对该反编译代码进行隐私泄露分析,识别可能涉及隐私泄露的指令。4 is a schematic structural diagram of a system for analyzing an Android application according to an embodiment of the present invention. As shown, the system includes a pre-run static analysis device, the device comprising: an extracting unit for extracting a binary file related to a logic flow in an application file, and a decompilation unit for decompiling the binary file The decompiled code, the first analysis unit, is configured to perform a privacy leak analysis on the decompiled code to identify an instruction that may involve a privacy leak.

在一个实施例中,第一分析单元被配置成:In one embodiment, the first analysis unit is configured to:

在反编译代码中查找涉及隐私数据的关键指令,Find key instructions in the decompiled code that involve private data.

判断关键指令和与该关键指令相关的其它指令是否执行与外界进行数据交换的操作,Determining whether a key instruction and other instructions related to the key instruction perform an operation of exchanging data with the outside world,

将关键指令和与该关键指令相关的其它指令中的执行与外界进行数据交换的操作的指令标记为可能涉及隐私泄露的指令。An instruction in a key instruction and other instructions related to the key instruction that performs an operation of exchanging data with the outside world is marked as an instruction that may involve a privacy leak.

再如图所示,该系统还可以包括运行中动态分析装置,该装置包括:As further shown, the system can also include an in-service dynamic analysis device, the device comprising:

监控单元,用于记录应用程序在运行时的动态数据,A monitoring unit for recording dynamic data of an application at runtime,

第二分析单元,用于分析动态数据的行为,识别涉及隐私泄露的行为。 The second analysis unit is configured to analyze the behavior of the dynamic data and identify behaviors involving privacy leakage.

这里,监控单元可以被部署在Android系统底层从而避免给系统带来过多的负载。被加载到Android系统的监控单元将记录的动态数据发送到第二分析单元以供进一步分析。Here, the monitoring unit can be deployed at the bottom of the Android system to avoid overloading the system. The monitoring unit loaded into the Android system sends the recorded dynamic data to the second analysis unit for further analysis.

在一个实施例中,所述第二分析单元被配置成:In one embodiment, the second analysis unit is configured to:

分析动态数据中的与通过静态分析识别的可能涉及隐私泄露的指令相关的部分,Analyze the parts of the dynamic data that are related to instructions that may be involved in privacy breaches identified by static analysis,

根据预定的分析算法识别涉及隐私泄露的行为。The behavior involving privacy leakage is identified according to a predetermined analysis algorithm.

这里,第二分析单元还从第一分析单元接收可能涉及隐私泄露的指令。Here, the second analysis unit also receives an instruction from the first analysis unit that may involve a privacy leak.

通过以上实施方式的描述,本领域中的普通技术人员能够理解,在不偏离本发明的精神和范围的情况下,还可以对本发明的具体实施方式作各种变更和替换。这些变更和替换都落在本发明权利要求书所限定的范围内。 Various changes and substitutions of the specific embodiments of the present invention can be made by those of ordinary skill in the art. Such changes and substitutions are intended to fall within the scope of the appended claims.

Claims (12)

一种分析Android应用程序的方法,其特征在于,包括以下步骤:A method for analyzing an Android application, comprising the steps of: 运行前静态分析,该步骤包括:Static analysis before running, this step includes: 提取应用程序文件中的涉及逻辑流程的二进制文件,Extract the binary files involved in the logic flow in the application file, 对该二进制文件进行反编译得到反编译代码,Decompiling the binary to get the decompiled code. 对该反编译代码进行隐私泄露分析,识别可能涉及隐私泄露的指令。Perform a privacy disclosure analysis of the decompiled code to identify instructions that may involve privacy breaches. 如权利要求1所述的方法,其特征在于,The method of claim 1 wherein 上述隐私泄露分析步骤包括:The above privacy breach analysis steps include: 在反编译代码中查找涉及隐私数据的关键指令,Find key instructions in the decompiled code that involve private data. 判断关键指令和与该关键指令相关的其它指令是否执行与外界进行数据交换的操作,Determining whether a key instruction and other instructions related to the key instruction perform an operation of exchanging data with the outside world, 将关键指令和与该关键指令相关的其它指令中的执行与外界进行数据交换的操作的指令标记为可能涉及隐私泄露的指令。An instruction in a key instruction and other instructions related to the key instruction that performs an operation of exchanging data with the outside world is marked as an instruction that may involve a privacy leak. 如权利要求1或2所述的方法,其特征在于,该方法还包括以下步骤:The method of claim 1 or 2, further comprising the steps of: 运行中动态分析,该步骤包括:Dynamic analysis in operation, this step includes: 记录应用程序在运行时的动态数据,Record the dynamic data of the application at runtime, 分析动态数据的行为,识别涉及隐私泄露的行为。Analyze the behavior of dynamic data and identify behaviors that involve privacy breaches. 如权利要求3所述的方法,其特征在于,The method of claim 3 wherein: 分析动态数据的行为的步骤包括:The steps to analyze the behavior of dynamic data include: 分析动态数据中的与通过静态分析识别的可能涉及隐私泄露的指令相关的部分,Analyze the parts of the dynamic data that are related to instructions that may be involved in privacy breaches identified by static analysis, 根据预定的分析算法识别涉及隐私泄露的行为。The behavior involving privacy leakage is identified according to a predetermined analysis algorithm. 如权利要求4所述的方法,其特征在于,The method of claim 4 wherein: 上述隐私泄露分析步骤还包括:The above privacy leakage analysis steps also include: 生成静态分析报告。Generate a static analysis report. 如权利要求5所述的方法,其特征在于,The method of claim 5 wherein: 运行中动态分析的步骤还包括:The steps of dynamic analysis in operation also include: 生成隐私泄露安全分析报告。 Generate a privacy disclosure security analysis report. 一种分析Android应用程序的系统,其特征在于,包括:A system for analyzing an Android application, comprising: 运行前静态分析装置,该装置包括:A pre-run static analysis device comprising: 提取单元,用于提取应用程序文件中的涉及逻辑流程的二进制文件,An extracting unit for extracting a binary file related to a logic flow in an application file, 反编译单元,用于对该二进制文件进行反编译得到反编译代码,a decompilation unit for decompiling the binary file to obtain decompiled code, 第一分析单元,用于对该反编译代码进行隐私泄露分析,识别可能涉及隐私泄露的指令。The first analysis unit is configured to perform a privacy leak analysis on the decompiled code to identify an instruction that may involve a privacy leak. 如权利要求1所述的系统,其特征在于,The system of claim 1 wherein: 所述第一分析单元被配置成:The first analysis unit is configured to: 在反编译代码中查找涉及隐私数据的关键指令,Find key instructions in the decompiled code that involve private data. 判断关键指令和与该关键指令相关的其它指令是否执行与外界进行数据交换的操作,Determining whether a key instruction and other instructions related to the key instruction perform an operation of exchanging data with the outside world, 将关键指令和与该关键指令相关的其它指令中的执行与外界进行数据交换的操作的指令标记为可能涉及隐私泄露的指令。An instruction in a key instruction and other instructions related to the key instruction that performs an operation of exchanging data with the outside world is marked as an instruction that may involve a privacy leak. 如权利要求7或8所述的系统,其特征在于,该系统还包括:The system of claim 7 or 8, wherein the system further comprises: 运行中动态分析装置,该装置包括:A dynamic analysis device in operation, the device comprising: 监控单元,用于记录应用程序在运行时的动态数据,A monitoring unit for recording dynamic data of an application at runtime, 第二分析单元,用于分析动态数据的行为,识别涉及隐私泄露的行为。The second analysis unit is configured to analyze the behavior of the dynamic data and identify behaviors involving privacy leakage. 如权利要求9所述的系统,其特征在于,The system of claim 9 wherein: 所述第二分析单元被配置成:The second analysis unit is configured to: 分析动态数据中的与通过静态分析识别的可能涉及隐私泄露的指令相关的部分,Analyze the parts of the dynamic data that are related to instructions that may be involved in privacy breaches identified by static analysis, 根据预定的分析算法识别涉及隐私泄露的行为。The behavior involving privacy leakage is identified according to a predetermined analysis algorithm. 如权利要求10所述的系统,其特征在于,The system of claim 10 wherein: 所述第一分析单元还被配置成:The first analysis unit is further configured to: 生成静态分析报告。Generate a static analysis report. 如权利要求11所述的系统,其特征在于,The system of claim 11 wherein: 所述第二分析单元还被配置成:The second analysis unit is further configured to: 生成隐私泄露安全分析报告。 Generate a privacy disclosure security analysis report.
PCT/CN2014/090302 2013-11-06 2014-11-05 Method and system for analyzing android application program Ceased WO2015067170A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310542708.5A CN104636661A (en) 2013-11-06 2013-11-06 Method and system for analyzing Android application program
CN201310542708.5 2013-11-06

Publications (1)

Publication Number Publication Date
WO2015067170A1 true WO2015067170A1 (en) 2015-05-14

Family

ID=53040904

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/090302 Ceased WO2015067170A1 (en) 2013-11-06 2014-11-05 Method and system for analyzing android application program

Country Status (2)

Country Link
CN (1) CN104636661A (en)
WO (1) WO2015067170A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106934290A (en) * 2015-12-31 2017-07-07 阿里巴巴集团控股有限公司 leak detection method and device
CN109995526A (en) * 2019-04-10 2019-07-09 睿驰达新能源汽车科技(北京)有限公司 A kind of storage method of key and the call method and device of device, key

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105760761A (en) * 2016-02-04 2016-07-13 中国联合网络通信集团有限公司 Software behavior analyzing method and device
CN107577946A (en) * 2017-10-17 2018-01-12 江苏通付盾信息安全技术有限公司 Analysis method, device, system and the PC equipment of iOS application programs
CN110147672A (en) * 2019-03-28 2019-08-20 江苏通付盾信息安全技术有限公司 It is a kind of based on iOS application safety detection method, apparatus and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102737190A (en) * 2012-07-04 2012-10-17 复旦大学 Detection method for information leakage hidden trouble in Android application log based on static state analysis
CN102779255A (en) * 2012-07-16 2012-11-14 腾讯科技(深圳)有限公司 Method and device for judging malicious program
CN103309808A (en) * 2013-06-13 2013-09-18 中国科学院信息工程研究所 Label-based black box detection method and system for privacy disclosure of Android user

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103186740B (en) * 2011-12-27 2015-09-23 北京大学 A kind of automated detection method of Android malware

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102737190A (en) * 2012-07-04 2012-10-17 复旦大学 Detection method for information leakage hidden trouble in Android application log based on static state analysis
CN102779255A (en) * 2012-07-16 2012-11-14 腾讯科技(深圳)有限公司 Method and device for judging malicious program
CN103309808A (en) * 2013-06-13 2013-09-18 中国科学院信息工程研究所 Label-based black box detection method and system for privacy disclosure of Android user

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106934290A (en) * 2015-12-31 2017-07-07 阿里巴巴集团控股有限公司 leak detection method and device
CN106934290B (en) * 2015-12-31 2020-07-07 阿里巴巴集团控股有限公司 Vulnerability detection method and device
CN109995526A (en) * 2019-04-10 2019-07-09 睿驰达新能源汽车科技(北京)有限公司 A kind of storage method of key and the call method and device of device, key

Also Published As

Publication number Publication date
CN104636661A (en) 2015-05-20

Similar Documents

Publication Publication Date Title
CN107888554B (en) Method and device for detecting server attack
TW201629832A (en) Method and device for identifying computer virus variants
CN110929264B (en) Vulnerability detection method and device, electronic equipment and readable storage medium
TWI528216B (en) Method, electronic device, and user interface for on-demand detecting malware
US10121004B2 (en) Apparatus and method for monitoring virtual machine based on hypervisor
CN104504337A (en) Method for detecting malicious application disclosing Android data
TWI541669B (en) Detection systems and methods for static detection applications, and computer program products
WO2017049800A1 (en) Method and apparatus for detecting loophole code in application
WO2015067170A1 (en) Method and system for analyzing android application program
CN105205413B (en) A data protection method and device
WO2015184752A1 (en) Abnormal process detection method and apparatus
CN104462962B (en) A kind of method for detecting unknown malicious code and binary vulnerability
CN103729595A (en) Method for offline detecting private data leakage of Android application program
US20130275945A1 (en) System, method, and computer program product for simulating at least one of a virtual environment and a debugging environment to prevent unwanted code from executing
CN105488414A (en) Method and system for preventing malicious codes from detecting virtual environments
WO2017107896A1 (en) Document protection method and device
CN106503552A (en) The Android malware detecting system that is excavated with pattern of traffic based on signature and method
CN115391230A (en) Test script generation method, test script penetration method, test script generation device, test penetration device, test equipment and test medium
WO2015074489A1 (en) Method and apparatus for testing android application program
CN104239801B (en) The recognition methods of 0day leaks and device
CN105740661B (en) A kind of method and apparatus for protecting application program
CN113544676A (en) Attack estimation device, attack control method and attack estimation program
US8549631B2 (en) Internet site security system and method thereto
CN106919844B (en) A kind of android system vulnerability of application program detection method
JP6258189B2 (en) Specific apparatus, specific method, and specific program

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14859954

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 25/08/2016)

122 Ep: pct application non-entry in european phase

Ref document number: 14859954

Country of ref document: EP

Kind code of ref document: A1