WO2018199366A1 - Method and system for detecting whether obfuscation has been applied to a dex file and for evaluating security - Google Patents


Info

Publication number
WO2018199366A1
Authority
WO
WIPO (PCT)
Prior art keywords
class
dex file
application
obfuscation
file
Prior art date
Application number
PCT/KR2017/004584
Other languages
English (en)
Korean (ko)
Inventor
안성범
김태우
정명주
전상훈
정상민
임성열
한광희
서동필
류주현
Original Assignee
라인 가부시키가이샤
Application filed by 라인 가부시키가이샤
Priority to PCT/KR2017/004584 (WO2018199366A1)
Priority to JP2018080912A (JP7131946B2)
Priority to US15/958,115 (US10963563B2)
Publication of WO2018199366A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Definitions

  • The following description relates to a method and system for detecting whether obfuscation has been applied to a dex file and for evaluating security, and to a computer program stored in a computer-readable recording medium that, in combination with a computer, executes the security evaluation method on the computer.
  • An app store is an online content marketplace that sells various applications that can be installed on a terminal such as a smartphone.
  • The developer of an application registers, in the app store, a file for installing the developed application on a terminal (for example, an Android Application Package (APK)); users of the application download that file through the app store and can then install and run the application on their terminals.
  • In this way, various applications, such as the games of game publishers, are distributed to users.
  • The first risk of an application is that the application contains code developed with malicious intent, such as malicious code, to perform malicious functions against the application publisher or the user on whose terminal the application is installed and run.
  • Korean Patent Laid-Open No. 10-2014-0098025 relates to a system and method for security evaluation of an application uploaded to an app store, and discloses a technique for rejecting registration in the app store when a malicious function is detected in the application to be registered.
  • the second risk of an application is the risk to the security of the application itself.
  • If the application performs a function other than the one originally intended by the developer, the reliability of the service provided through the application is reduced. Application publishers therefore need to provide a certain level of security for the various applications (application installation files) that they distribute but did not develop themselves.
  • Each application may be equipped with a security solution of a different security level, or may include no security measures at all, so the security level provided by the security solution mounted in each application varies.
  • A Java-level vulnerability check can be performed at the programming-language level (for example, on an Android Application Package (APK)), but from the application publisher's point of view it is difficult to keep the security of each of the numerous registered applications above a certain level.
  • The level of security applied to a registered application is analyzed and identified objectively in terms of obfuscation, vulnerabilities, and/or security solutions, and the analyzed information is provided so that it can be used to improve the security of the application. The present disclosure provides a method and system for evaluating security in this way.
  • A method for evaluating the security of an application is provided, comprising: registering an Android application package (APK); searching for an application class in a dex file included in the Android application package; determining, based on the classes and methods called in the body instructions of the methods included in the application class, whether an API (Application Programming Interface) call for loading another dex file further included in the Android application package is present; and determining that obfuscation has been applied to the dex file when it is determined that an API call for loading the other dex file is present.
  • A computer-readable recording medium on which a computer program for executing the security evaluation method is recorded is provided.
  • A computer program stored in a computer-readable recording medium, for executing the security evaluation method on a computer in combination with the computer, is provided.
  • A system for evaluating the security of an application is provided, comprising at least one processor implemented to execute computer-readable instructions, wherein the at least one processor registers an Android application package (APK), searches for an application class in a dex file included in the Android application package, determines, based on the classes and methods called in the body instructions of the methods included in the application class, whether an API (Application Programming Interface) call for loading another dex file further included in the Android application package is present, and determines that obfuscation has been applied to the dex file when it is determined that an API call for loading the other dex file is present.
  • The level of security applied to a registered application is analyzed and identified objectively in terms of obfuscation, vulnerabilities, and/or security solutions, and the analyzed information is provided so that it can be used to improve the security of the application.
  • FIG. 1 is a diagram illustrating an example of a network environment according to an embodiment of the present invention.
  • FIG. 2 is a block diagram illustrating an internal configuration of an electronic device and a server according to an embodiment of the present invention.
  • FIG. 3 is a block diagram of a security evaluation system according to an embodiment of the present invention.
  • FIG. 4 is a diagram illustrating an example of determining whether obfuscation has been applied to a dex file according to an embodiment of the present invention.
  • FIG. 5 is a diagram illustrating an example of a process of detecting an API call according to one embodiment of the present invention.
  • FIG. 6 is a diagram illustrating an example of detecting obfuscation using encryption of a body instruction according to an embodiment of the present invention.
  • FIG. 7 is a block diagram illustrating an example of components that may be included in a processor of a server according to an embodiment of the present invention.
  • FIG. 8 is a flowchart illustrating an example of a security evaluation method that can be performed by a server according to an embodiment of the present invention.
  • FIG. 9 is a block diagram illustrating another example of components that may be included in a processor of a server according to an embodiment of the present invention.
  • FIG. 10 is a flowchart illustrating another example of a security evaluation method that can be performed by a server according to an embodiment of the present invention.
  • The security evaluation system may be implemented through a server described below, and the security evaluation method according to the embodiments of the present invention may be performed through that server.
  • A computer program according to an embodiment of the present invention may be installed and run on the server, and the server may perform the security evaluation method according to an embodiment of the present invention under the control of the running computer program.
  • The computer program described above may be stored in a computer-readable recording medium in combination with the computer-implemented server so as to execute the security evaluation method on the computer.
  • FIG. 1 is a diagram illustrating an example of a network environment according to an embodiment of the present invention.
  • The network environment of FIG. 1 includes a plurality of electronic devices 110, 120, 130, and 140, a plurality of servers 150 and 160, and a network 170.
  • FIG. 1 is only an example for describing the present invention; the number of electronic devices or servers is not limited to that shown in FIG. 1.
  • The plurality of electronic devices 110, 120, 130, and 140 may be fixed terminals or mobile terminals implemented as computer devices.
  • Examples of the plurality of electronic devices 110, 120, 130, and 140 include a smartphone, a mobile phone, a navigation device, a computer, a notebook computer, a digital broadcasting terminal, a personal digital assistant (PDA), a portable multimedia player (PMP), and a tablet PC.
  • Although FIG. 1 shows the shape of a smartphone as an example of electronic device 1 110, in the embodiments of the present invention electronic device 1 110 may be any of various physical devices that can communicate with the other electronic devices 120, 130, 140 and/or the servers 150, 160 over the network 170 using a wireless or wired communication method.
  • The communication method is not limited, and may include not only communication through a communication network that the network 170 may include (for example, a mobile communication network, the wired Internet, the wireless Internet, or a broadcasting network) but also short-range wireless communication between devices.
  • The network 170 may include one or more of a personal area network (PAN), a local area network (LAN), a campus area network (CAN), a metropolitan area network (MAN), a wide area network (WAN), a broadband network (BBN), and the Internet.
  • The network 170 may also include any one or more network topologies, including bus, star, ring, mesh, star-bus, tree, or hierarchical networks, but is not limited to these.
  • Each of the servers 150 and 160 may be implemented as a computer device, or a plurality of computer devices, that communicates with the plurality of electronic devices 110, 120, 130, and 140 through the network 170 to provide commands, code, files, content, services, and the like.
  • The server 150 may be a system that provides a first service to the plurality of electronic devices 110, 120, 130, and 140 connected through the network 170, and the server 160 may likewise be a system that provides a second service to the plurality of electronic devices 110, 120, 130, and 140 connected through the network 170.
  • The server 150 may be at least some of the devices constituting the system of an application publisher, and may provide, as the first service, a service that receives and distributes package files of applications to be installed and run on the plurality of electronic devices 110, 120, 130, and 140.
  • The server 160 may provide, as the second service, a service associated with the application to the plurality of electronic devices 110, 120, 130, and 140 that install and run the application through the distributed package file.
  • The server 150 may also be implemented as a dedicated system that evaluates the security of a package file to be registered and provides information about the evaluated security of that package file.
  • FIG. 2 is a block diagram illustrating an internal configuration of an electronic device and a server according to an embodiment of the present invention. FIG. 2 illustrates the internal configuration of electronic device 1 110 and the server 150 as examples. The other electronic devices 120, 130, 140 and the server 160 may have the same or a similar internal configuration.
  • the electronic device 1 110 and the server 150 may include memories 211 and 221, processors 212 and 222, communication modules 213 and 223, and input / output interfaces 214 and 224.
  • The memories 211 and 221 may be computer-readable recording media, and may include random access memory (RAM), read only memory (ROM), and a permanent mass storage device such as a disk drive.
  • A non-volatile mass storage device such as a ROM or a disk drive may be included in electronic device 1 110 or the server 150 as a permanent storage device separate from the memories 211 and 221.
  • The memories 211 and 221 may store an operating system and at least one program code (for example, code for a browser installed and run in electronic device 1 110, or for an application installed in electronic device 1 110 to provide a specific service).
  • These software components may be loaded from a computer-readable recording medium separate from the memories 211 and 221.
  • Such a separate computer-readable recording medium may be a floppy drive, a disk, a tape, a DVD/CD-ROM drive, a memory card, or the like.
  • In other embodiments, software components may be loaded into the memories 211 and 221 through the communication modules 213 and 223 rather than from a computer-readable recording medium.
  • At least one program may be loaded into the memories 211 and 221 based on a computer program (for example, the application described above) installed from files provided through the network 170 by a file distribution system (for example, the server 160 described above) that distributes installation files of developers or applications.
  • Processors 212 and 222 may be configured to process instructions of a computer program by performing basic arithmetic, logic, and input / output operations. Instructions may be provided to the processors 212, 222 by the memory 211, 221 or the communication modules 213, 223. For example, the processors 212 and 222 may be configured to execute a command received according to a program code stored in a recording device such as the memory 211 and 221.
  • The communication modules 213 and 223 may provide a function for electronic device 1 110 and the server 150 to communicate with each other through the network 170, and a function for electronic device 1 110 and/or the server 150 to communicate with another electronic device (for example, electronic device 2 120) or another server (for example, the server 160). For example, a request generated by the processor 212 of electronic device 1 110 according to program code stored in a recording device such as the memory 211 may be transmitted to the server 150 through the network 170 under the control of the communication module 213.
  • Conversely, control signals, commands, content, files, and the like provided under the control of the processor 222 of the server 150 may be received by electronic device 1 110 through the communication module 223, the network 170, and the communication module 213 of electronic device 1 110.
  • The control signals, commands, content, files, and the like of the server 150 received through the communication module 213 may be transferred to the processor 212 or the memory 211, and the content, files, and the like may be stored in a storage medium (the permanent storage described above) that electronic device 1 110 may further include.
  • the input / output interface 214 may be a means for interfacing with the input / output device 215.
  • the input device may include a device such as a keyboard or a mouse, and the output device may include a device such as a display or a speaker.
  • the input / output interface 214 may be a means for interfacing with a device in which functions for input and output are integrated into one, such as a touch screen.
  • The input/output device 215 may be configured as a single device together with electronic device 1 110.
  • The input/output interface 224 of the server 150 may be a means for interfacing with a device (not shown) for input or output that may be connected to or included in the server 150.
  • When the processor 212 of electronic device 1 110 processes a command of a computer program loaded in the memory 211 using data provided by the server 150 or electronic device 2 120, the resulting service screen or content may be displayed on the display through the input/output interface 214.
  • Electronic device 1 110 and the server 150 may include more components than those of FIG. 2. However, most conventional components need not be shown explicitly.
  • Electronic device 1 110 may be implemented to include at least some of the input/output devices 215 described above, or may further include other components such as a transceiver, a global positioning system (GPS) module, a camera, various sensors, and a database.
  • For example, when electronic device 1 110 is a smartphone, various components generally included in a smartphone, such as an acceleration sensor, a gyro sensor, a camera module, various physical buttons, buttons using a touch panel, input/output ports, and a vibrator, may be further included in electronic device 1 110.
  • FIG. 3 is a block diagram of a security evaluation system according to an embodiment of the present invention.
  • the security evaluation system 300 of FIG. 3 may be implemented through the server 150 described above.
  • The package decomposition module 310, the file identification module 320, the parsing module 330, the analysis module 340, and the report module 350 included in the security evaluation system 300 may be representations of the different functions of the processor 222 of the server 150.
  • For example, the package decomposition module 310 may be the function by which the processor 222 of the server 150 disassembles a package file according to a control command included in a computer program.
  • the vulnerability detection module 342 included in the analysis module 340 may be implemented as a core module for vulnerability detection.
  • the server 150 may provide a service for distributing package files of applications registered by developers to users.
  • the package disassembly module 310 may disassemble the registered package files.
  • an Android application package (Apk) is a file format of a package file used for distributing software and middleware of Android, which is a mobile operating system, and has a '.apk' extension.
  • Embodiments of the present invention are described based on a package file such as an APK, but those skilled in the art will readily understand from this description that the same or similar features may be applied to other kinds of package files.
  • the file identification module 320 may identify files included in the disassembled package file.
  • The extensions shown in FIG. 3 ('dex', 'so', 'dll', 'json', 'ini', 'apk', 'xml', 'cert') are examples, as those skilled in the art will readily understand.
  • the parsing module 330 may parse the identified files.
  • The parser 331 may parse files of specific extensions (for example, 'dex', 'so', 'dll') among the identified files, and the collector 332 may collect the necessary information from files of other specific extensions (for example, 'json', 'ini', 'apk', 'xml', 'cert').
  • The parsing module 330 may identify each of the classes and methods included in the 'dex' file, and may split the instructions contained in each method into a number of instruction masses (blocks) and track them. The instructions may be divided into masses based on branch instructions such as 'goto', 'switch', or 'if'.
  • the parsing module 330 may generate and manage information on call relationships between these instruction masses. For example, the call relations between the instruction masses may be managed in a tree structure, and the information on the call relations may include information on a method called by a specific instruction mass. The generation and management of such information may be processed for each of files included in a package file such as an APK file, and the parsing method may vary according to the characteristics of the file.
  • the parsed information and the collected information may be passed to the analysis module 340.
  • Based on the information transmitted from the parsing module 330, the analysis module 340 may generate and provide analysis information about the package file (or the application installed and run on a user terminal such as electronic device 1 110 through the package file) from an obfuscation point of view, a vulnerability point of view, and a security solution point of view.
  • The obfuscation detection module 341 may generate analysis information on the level of obfuscation applied to files of specific extensions (for example, 'dex', 'so', 'dll'). To this end, the obfuscation detection module 341 may determine, for each preset item according to the file type, whether obfuscation has been applied.
  • The vulnerability detection module 342 may generate analysis information on whether any vulnerabilities exist in files of specific extensions (for example, 'dex', 'so', or 'config', a configuration-file extension).
  • The security evaluation system 300 may manage information about known vulnerabilities, and the vulnerability detection module 342 may use this information to generate analysis information on which vulnerabilities exist in which files.
  • the platform detection module 343 may extract information about the platform on which the corresponding application is developed and / or the platform on which the corresponding application operates.
  • the security evaluation system 300 may use different analysis methods depending on which platform the application is developed on, for example, a development tool such as Unity or Cocos.
  • the security evaluation system 300 may use a different analysis method for each platform because the file format included in the package file may vary for each platform on which the application operates.
  • the security evaluation system 300 may extract information about the platform for the package file, and may analyze the package file or provide information about the extracted platform to the outside based on such information.
  • the security tool detection module 344 can detect the security solution that the developer of the package file has inserted into the package file. For example, a first security tool provided in a library form by a third party may be added to a corresponding package file by a developer. As another example, a second security tool developed by the developer may be added to the package file by the developer. In other words, the security tool detection module 344 may generate analysis information about whether the security tool is applied to the package file.
  • the relationship analysis module 345 may generate analysis information about a reference relationship between files included in the package file. For example, when the first file includes code for calling the second file, the analysis information may be generated such that the information about the reference relationship between the first file and the second file is included in the analysis information.
  • The report module 350 may collect the analysis information generated by the analysis module 340 and generate a report for the users of the security evaluation system 300 (for example, an administrator of the server 150 or the security inspection team of an application publisher). Such a report may be provided to the terminals of the parties concerned in Hypertext Markup Language (HTML) or eXtensible Markup Language (XML), as in the example of FIG. 3.
  • An Android application package (APK) registered in the security evaluation system 300 may include a dex file in an obfuscated state or in a non-obfuscated state. The security evaluation system 300 may therefore determine whether obfuscation has been applied to the dex file included in the registered Android application package.
  • The first dex file 410 illustrated in FIG. 4 may represent a file to which obfuscation is not applied, and the second dex file 420 and the third dex file 430 may represent files in the obfuscated state.
  • For example, the first dex file 410 may be obfuscated into two dex files (multi-dex), the second dex file 420 and the third dex file 430.
  • The second dex file 420 may be a file from which the classes of the first dex file 410 (Class A, Class B, Class C, Class D, and Class E, hereinafter 'Classes A to E') have been removed, and the removed classes may be included in the Android application package as a new dex file, the third dex file 430, containing the encrypted Classes A to E 431.
  • Because the second dex file 420 depends on the third dex file 430, the application class 421 included in the second dex file 420 should include a function for loading that dex file.
  • An API for loading a dex file is provided. Therefore, the application class 421 included in the second dex file 420 may include a function (DexLoader) that calls this API.
  • To load the dex file (the third dex file 430 in the embodiment of FIG. 4) through the application class 421, the class loader class ('ClassLoader' or 'DexClassLoader') and the load class ('LoadClass') method contained in the class loader class must be called.
  • The security evaluation system 300 may check whether an API call for loading a dex file (for example, the third dex file 430 of FIG. 4) is made through the application class 421 included in the second dex file 420 of FIG. 4.
  • Whether obfuscation has been applied to the corresponding dex file may be determined according to whether the class loader class and the load class method included in the class loader class are called.
  • In other words, the security evaluation system 300 may check whether the class loader class and the load class method are called in the dex file in order to determine whether obfuscation has been applied.
  • Since no such call is made in the first dex file 410, the security evaluation system 300 can determine that obfuscation is not applied to the first dex file 410.
  • Since the second dex file 420 of FIG. 4 can obtain the encrypted Classes A to E 431 only when the third dex file 430 is loaded, an API call for loading the third dex file 430 must be made, and the security evaluation system 300 can detect that obfuscation is applied to the second dex file 420 by detecting that API call.
  • FIG. 5 is a diagram illustrating an example of a process of detecting an API call according to one embodiment of the present invention.
  • the security evaluation system 300 may register the APK 500.
  • APK 500 may be registered with an application publisher for distribution to users of the application.
  • The security evaluation system 300 may be implemented in the apparatus (for example, the server 150) that provides the service for distributing package files of applications registered with the application publisher, or may be implemented as a separate system that communicates with that apparatus over the network 170.
  • the security evaluation system 300 may receive and register the APK 500 registered in the server 150 through the network 170.
  • the security evaluation system 300 may extract the class name of the application class 521 from the Android manifest file 510.
  • The Android application package includes an Android manifest file 510 such as 'AndroidManifest.xml', and it is well known that the Android manifest file 510 includes the class name of the application class 521.
  • The security evaluation system 300 may collect all calls made from the application class 521 identified through the extracted class name. For example, the security evaluation system 300 may identify the application class 521 included in the first dex file 520 through the extracted class name, and create a call list of the classes and methods called in each of the body instructions of all methods included in the identified application class 521. The security evaluation system 300 may generate this call list based on the call relationships generated by the parsing module 330 described with reference to FIG. 3.
  • The security evaluation system 300 may then detect an API call for loading another dex file (the second dex file 530 in the embodiment of FIG. 5). To this end, the security evaluation system 300 may check, through the call list, whether the class loader ('ClassLoader' or 'DexClassLoader') class and the load class ('LoadClass') method are called. In other words, a call to the class loader class and the load class method is detected as an API call for loading another dex file.
  • If the API call is detected, the security evaluation system 300 may determine that obfuscation is applied to the first dex file 520, as in step 5. If the API call is not detected, the security evaluation system 300 may determine that obfuscation is not applied to the first dex file 520, as in step 6.
  • In some cases, the API call is not made in the body instructions of the methods included in the application class itself, but in the body instructions of another method called through those methods.
  • Therefore, the security evaluation system 300 may also check whether the API call is made in any method called directly or indirectly from the methods included in the application class, by detecting the API call through a further call list collected from the body instructions of the methods identified through the first call list. In this case, the security evaluation system 300 determines that obfuscation is not applied to the first dex file 520 only when the API call is made in none of the methods called directly or indirectly through the methods included in the application class.
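The manifest lookup and the direct-or-indirect call search described above, as an added example in Python that is not part of the patent: the manifest fragment, the call list and the class names are constructed for illustration, and the smali-style `Lpkg/Class;->method` key format is an assumption about how the parsing module's call relationships are represented.

```python
"""Detect a dex-loading API call reachable from the application class."""
import xml.etree.ElementTree as ET
from collections import deque

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed, already-decoded manifest fragment (a real APK stores binary XML).
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application android:name=".MyApplication"/>
</manifest>"""

# Constructed call list: caller method -> methods called in its body instructions.
# Key format 'Lpkg/Class;->method' is an assumption for this example.
CALL_LIST = {
    "Lcom/example/app/MyApplication;->attachBaseContext": [
        "Landroid/app/Application;->attachBaseContext",
        "Lcom/example/app/DexLoader;->load",
    ],
    "Lcom/example/app/MyApplication;->onCreate": [
        "Landroid/app/Application;->onCreate",
    ],
    "Lcom/example/app/DexLoader;->load": [
        "Lcom/example/app/DexLoader;->decrypt",
        "Ldalvik/system/DexClassLoader;-><init>",
        "Ldalvik/system/DexClassLoader;->loadClass",
    ],
    "Lcom/example/app/DexLoader;->decrypt": [
        "Ljavax/crypto/Cipher;->doFinal",
    ],
}

# The class loader classes named in the patent text.
LOADER_CLASSES = {"Ljava/lang/ClassLoader;", "Ldalvik/system/DexClassLoader;"}


def application_class(manifest_xml):
    """Extract the application class name from AndroidManifest.xml and return
    it in descriptor form; a missing android:name means the default
    android.app.Application, which has no methods in the app's own dex."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    name = app.get("{%s}name" % ANDROID_NS) if app is not None else None
    if name is None:
        name = "android.app.Application"
    elif name.startswith("."):
        name = root.get("package") + name
    return "L" + name.replace(".", "/") + ";"


def is_dex_load_call(callee):
    """True for ClassLoader/DexClassLoader loadClass, the call the patent treats
    as 'load another dex file'."""
    cls, _, method = callee.partition("->")
    return cls in LOADER_CLASSES and method == "loadClass"


def find_dex_load_path(call_list, app_class):
    """Breadth-first search from every method of the application class through
    directly and indirectly called methods; return the call chain to the first
    dex-loading call, or None when no such call is reachable."""
    start = [m for m in call_list if m.startswith(app_class + "->")]
    queue = deque((m, [m]) for m in start)
    seen = set(start)
    while queue:
        method, path = queue.popleft()
        for callee in call_list.get(method, []):
            if is_dex_load_call(callee):
                return path + [callee]
            if callee not in seen:
                seen.add(callee)
                queue.append((callee, path + [callee]))
    return None


def is_obfuscated(manifest_xml, call_list):
    """The patent's decision: obfuscation is assumed when the application class
    reaches a dex-loading API call (step 5), otherwise not (step 6)."""
    return find_dex_load_path(call_list, application_class(manifest_xml)) is not None


if __name__ == "__main__":
    print(application_class(MANIFEST))
    print(find_dex_load_path(CALL_LIST, application_class(MANIFEST)))
```

Any reachable loadClass call trips the check, so a legitimate multidex or plugin loader is reported the same way as an encrypted-dex loader; the returned call chain is what a reviewer would use to tell the two apart.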
  • FIG. 6 is a diagram illustrating an example of detecting obfuscation using encryption of a body instruction according to an embodiment of the present invention.
  • FIG. 6 shows an example in which a method 620 containing a modified operation code 612 is generated by obfuscating the operation code 611 of a specific method 610 included in a dex file through encryption, encoding, or the addition of dummy code.
  • because the modified operation code 612 is not arbitrary code but code that can still be compiled, it exhibits certain patterns.
  • the modified operation code 612 may include a pattern of instructions that have no effect on, or no meaning for, the registers (for example, a sequence or branch of LDR instructions, or a sequence of LSLS instructions, in ARM assembly).
  • normal bytecodes are predefined codes corresponding to a series of fixed hexadecimal values. For example, the following website describes the Dalvik opcodes.
  • for each method, the number of local variable registers used can be determined from the '.local' directive. If '.local' is 2, two local variable registers, v0 and v1, are used. Here, when the hexadecimal value '0B' is found, the hexadecimal value following '0B' may denote a local variable register. For example, as described on the website mentioned above, the hexadecimal value '0B' corresponds to the opcode name 'move-result-object vx', and this opcode moves the long/double result of the previous method invocation into 'vx' and 'vx + 1'.
  • '0B02' moves the long/double result of the previous instruction into the two local variable registers 'v2' and 'v3'.
  • the security evaluation system 300 may compare the number of local variable registers identified through '.local' with the local variable registers required by '0B02', and thereby check whether the required local variable registers are available.
  • as described on the website mentioned above, the hexadecimal value '6E' corresponds to the opcode 'invoke-virtual', after which the local variable register holding the current instance and the local variable registers corresponding to the method parameters must be specified.
  • the security evaluation system 300 may check, using '.local', whether these registers are available, and in this way may determine whether the operation code of the method 610 is normal code or obfuscated (modified) code.
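The register check described in the items above ('.local', '0B02' and '6E'), as an added Python example that is not the patent's code. It decodes a constructed byte string containing only the three Dalvik instruction formats needed (10x, 11x, 35c), treats '.locals N' plus the parameter-register count as the method's register file, and flags any instruction that names a register outside it. The opcode facts are taken from the Dalvik bytecode table: there 0x0B is 'move-result-wide', which moves a long/double result into vAA and vAA+1, the behaviour the page describes under the name 'move-result-object'.

```python
"""Register-consistency check on Dalvik method bodies (added example, not the
patent's code).  A method declares how many registers it has, so an
instruction that names a register the method does not have is a sign that
the body was replaced or modified.  The byte strings are constructed."""
import struct

# Subset of the Dalvik opcode table sufficient for the example.
OPCODES = {
    0x0B: ("move-result-wide", "11x"),   # 2 bytes: op, AA   (page: '0B')
    0x0E: ("return-void", "10x"),        # 2 bytes: op, 00
    0x6E: ("invoke-virtual", "35c"),     # 6 bytes: A|G op, BBBB, F|E|D|C
}


def decode(body: bytes) -> list:
    """Decode a body into (name, method_index_or_None, [registers]) tuples."""
    out, i = [], 0
    while i < len(body):
        op = body[i]
        if op not in OPCODES:
            raise ValueError(f"unsupported opcode 0x{op:02X} at offset {i}")
        name, fmt = OPCODES[op]
        if fmt == "10x":
            out.append((name, None, []))
            i += 2
        elif fmt == "11x":
            out.append((name, None, [body[i + 1]]))
            i += 2
        else:  # 35c: A = argument count, C..G = argument registers
            a, g = body[i + 1] >> 4, body[i + 1] & 0xF
            (bbbb,) = struct.unpack_from("<H", body, i + 2)
            c, d = body[i + 4] & 0xF, body[i + 4] >> 4
            e, f = body[i + 5] & 0xF, body[i + 5] >> 4
            out.append((name, bbbb, [c, d, e, f, g][:a]))
            i += 6
    return out


def registers_touched(name: str, regs: list) -> list:
    """move-result-wide writes the register pair vAA, vAA+1."""
    if name == "move-result-wide":
        return [regs[0], regs[0] + 1]
    return regs


def check_method(body: bytes, locals_count: int, param_count: int) -> list:
    """Return anomalies as (instruction, register) pairs naming a register
    outside the method's register file ('.locals N' + parameter registers)."""
    registers_size = locals_count + param_count
    anomalies = []
    for name, _, regs in decode(body):
        for r in registers_touched(name, regs):
            if r >= registers_size:
                anomalies.append((name, r))
    return anomalies


def looks_modified(body: bytes, locals_count: int, param_count: int) -> bool:
    """Page's rule: any register inconsistency -> body is not normal code."""
    return bool(check_method(body, locals_count, param_count))


# Constructed body: invoke-virtual {v0, v1}, method#0x0012 ; move-result-wide v2 ;
# return-void.  Declared with .locals 4 (v0..v3) it is consistent; declared
# with .locals 2 the '0B02' needs v2 and v3 that the method does not have.
BODY = bytes([0x6E, 0x20, 0x12, 0x00, 0x10, 0x00, 0x0B, 0x02, 0x0E, 0x00])

if __name__ == "__main__":
    print(decode(BODY))
    print("locals 4:", check_method(BODY, 4, 0))
    print("locals 2:", check_method(BODY, 2, 0))
```

The check is deliberately conservative: it reports a register index, not a verdict on the obfuscator, so a reviewer can confirm against the disassembly before treating the method as modified.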
  • the security evaluation system 300 may store and manage such standardized patterns in advance, and then determine whether obfuscation is applied to the dex file by detecting a method whose operation code contains the instructions of the pattern.
  • the security evaluation system 300 may search for the prestored pattern in the operation code 611 or in the modified operation code 612; when the prestored pattern is found in the modified operation code 612, it can be determined that obfuscation is applied to the method 620, which may mean that obfuscation is applied to the dex file including the method 620.
  • the security evaluation system 300 may also determine the security level according to obfuscation based on the weight (proportion) of obfuscated methods among the methods included in the dex file.
  • FIG. 7 is a block diagram illustrating an example of components that may be included in a processor of a server according to an embodiment of the present invention
  • FIG. 8 is a flowchart illustrating an example of a security evaluation method that may be performed by a server according to an embodiment of the present invention.
  • the security evaluation system 300 may be implemented in the form of a computer device such as the server 150 described above.
  • the processor 222 of the server 150 may include, as components for implementing the security evaluation system 300, an APK registerer 710, an application class searcher 720, an API call checker 730, an obfuscation determiner 740, a security determiner 750, and an information provider 760.
  • the processor 222 and the components of the processor 222 may perform steps 810 to 860 included in the security evaluation method of FIG. 8.
  • the processor 222 and the components of the processor 222 may be implemented to execute a control instruction according to a code of an operating system included in the memory 221 or a code of at least one program.
  • the components of the processor 222 may be representations of different functions of the processor 222 performed by the processor 222 according to a control command provided by a code stored in the server 150.
  • the APK registerer 710 may be used as a functional representation of the processor 222 in which the processor 222 registers an Android application package (Apk) according to the above-described control command.
  • the APK registerer 710 may register an Android application package.
  • An Android application package can be registered with an application publisher for distribution to users of the application.
  • the security evaluation system may be implemented in a device that provides a service for distributing the package files of applications registered by an application publisher, or as a separate system that communicates with that device through the network 170.
  • the security evaluation system 300 may receive and register an Android application package registered with an application publisher through the network 170.
  • the application class search unit 720 may search for the application class in the Dex file included in the Android application package.
  • the application class searcher 720 may extract the class name of the application class from the Android manifest file of the Android application package, such as 'AndroidManifest.xml', and search the dex file for the application class corresponding to the extracted class name.
  • the API call checker 730 may check, based on the classes and methods called in the body instructions of the methods included in the application class, whether an API (Application Programming Interface) for loading another dex file further included in the Android application package is called.
  • the API call confirmation unit 730 may generate a call list for the classes and methods called in the body instructions of all the methods included in the identified application class.
  • the API call verification unit 730 may check whether the class loader ('ClassLoader' or 'DexClassLoader') class and the load class ('LoadClass') method are called through the call list. In other words, the call of the classloader class and the load class method can be detected as an API call to load another Dex file.
  • the API call checker 730 may further search whether the class loader class and the load class method are called, through a further call list collected from the body instructions of the methods identified through the call list. As such, the API call checking process may be performed repeatedly, not only on the classes and methods directly called by all of the methods included in the application class, but also on the classes and methods called in turn by the called methods, that is, on all classes and methods called directly or indirectly by the methods included in the application class.
  • when it is confirmed that an API call for loading another dex file exists, the obfuscation determiner 740 may determine that obfuscation is applied to the dex file. If the API call for loading the other dex file is not confirmed, the obfuscation determiner 740 may determine that obfuscation is not applied to the dex file, as in step 840.
  • the security determiner 750 may determine the security of the registered Android application package based at least on whether or not obfuscation is applied to the Dex file. For example, the security of a registered Android application package may be determined to be relatively higher when obfuscation is applied to the dex file than when obfuscation is not applied to the dex file.
  • the information provider 760 may provide information about whether obfuscation is applied to the dex file. For example, with respect to a specific dex file, information about a file name of the dex file and whether or not obfuscation is applied may be provided together. For example, the related information may be provided to an administrator or the like as described with reference to FIG. 3.
  • FIG. 9 is a block diagram illustrating another example of components that may be included in a processor of a server according to an embodiment of the present invention
  • FIG. 10 is a flowchart illustrating another example of a security evaluation method that may be performed by a server according to an embodiment of the present invention.
  • the processor 222 of the server 150 may include, as components for implementing the security evaluation system 300, an APK registerer 910, a junk code pattern manager 920, a junk code pattern searcher 930, and an obfuscation determiner 940.
  • the processor 222 and the components of the processor 222 may perform steps 1010 to 1040 included in the security evaluation method of FIG. 10.
  • the processor 222 and the components of the processor 222 may be implemented to execute a control instruction according to a code of an operating system included in the memory 221 or a code of at least one program.
  • the components of the processor 222 may be representations of different functions of the processor 222 performed by the processor 222 according to a control command provided by a code stored in the server 150.
  • the APK registerer 910 may register an Android application package.
  • the APK registerer 910 may correspond to the APK registerer 710 described with reference to FIG. 7.
  • the junk code pattern manager 920 may receive and manage the junk code pattern to be searched for. As described above with reference to FIG. 6, patterns that appear when the body instructions of a method are obfuscated may be preset and used as the junk code pattern. In this case, step 1020 may be performed before step 1010.
  • the junk code pattern search unit 930 may search for the junk code pattern in a body instruction of a method included in the dex file.
  • dex files are created through compilation, so the transformed code resulting from obfuscation of the body instructions of a method cannot contain arbitrary values and has a certain pattern. Accordingly, the junk code pattern searcher 930 may check whether the junk code pattern is found in the body instructions of the method.
  • when the junk code pattern is found, the obfuscation determiner 940 may determine that obfuscation is applied to the dex file.
  • the security of the registered Android application package may be determined based at least on whether obfuscation is applied to the Dex file.
  • since whether obfuscation is applied can be determined for each method, the security may be determined based on the ratio of obfuscated methods to all methods.
  • information about a method to which obfuscation is applied may be provided to an administrator or the like.
  • the embodiments of FIGS. 7 and 8 and the embodiments of FIGS. 9 and 10 may be combined. For example, detection of an API call for loading a dex file and detection of a junk code pattern may be performed in parallel for a registered APK. In this case, when an API call for loading another dex file is confirmed to exist or the junk code pattern is detected, the obfuscation determiner 740 or the obfuscation determiner 940 may determine that obfuscation is applied to the dex file. The security may then be determined through a weighted sum of the security values determined in parallel, and each piece of detected information may be provided to an administrator.
  • according to the embodiments described above, the security level of a registered application may be determined objectively by analyzing the obfuscation, vulnerabilities, and/or security solutions applied to the application, and the analyzed information may be provided to help improve the security of the application. In addition, it is possible to determine whether obfuscation is applied to the dex file included in an Android application package (APK).
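The junk code pattern search (FIG. 6 and steps 1020 to 1040), the per-method ratio of obfuscated methods, and the weighted combination of that ratio with the API-call result, as one added Python example that is not the patent's code. The stored patterns, method bodies and weights are constructed placeholders; a real deployment would store the opcode patterns actually observed for a given obfuscator. The API-call result is taken as an input boolean here, so that the block runs on its own.

```python
"""Junk-code pattern search over method bodies, per-method obfuscation ratio
and a weighted combination with the dex-loading API check (added example, not
the patent's code).  Patterns, bodies and weights are constructed."""
from dataclasses import dataclass

# Prestored junk-code patterns (step 1020).  Constructed: Dalvik opcode byte
# sequences assumed to be emitted as meaningless filler by an obfuscator.
JUNK_PATTERNS = {
    "nop-run": bytes([0x00, 0x00] * 4),            # four consecutive 'nop'
    "move-self": bytes([0x01, 0x00, 0x01, 0x00]),  # 'move v0, v0' twice
}


@dataclass
class Method:
    name: str
    body: bytes   # raw instruction bytes of the method body


def find_junk_patterns(body: bytes, patterns: dict = JUNK_PATTERNS) -> list:
    """Names of the prestored patterns found anywhere in the method body."""
    return [name for name, pat in patterns.items() if pat in body]


def obfuscated_methods(methods: list) -> dict:
    """Per-method result: method name -> patterns found (empty = clean)."""
    return {m.name: find_junk_patterns(m.body) for m in methods}


def obfuscation_ratio(methods: list) -> float:
    """Share of methods in which at least one junk-code pattern was found."""
    hits = obfuscated_methods(methods)
    if not hits:
        return 0.0
    return sum(1 for found in hits.values() if found) / len(hits)


def security_score(api_call_detected: bool, methods: list,
                   w_api: float = 0.5, w_junk: float = 0.5) -> float:
    """Weighted sum of the two parallel determinations, in [0, 1]: the
    API-call check contributes 0 or 1, the junk-code check contributes the
    obfuscated-method ratio.  Higher means more protection was applied.
    The weights are assumed values, not the patent's."""
    return w_api * (1.0 if api_call_detected else 0.0) + w_junk * obfuscation_ratio(methods)


def obfuscation_applied_combined(api_call_detected: bool, methods: list) -> bool:
    """Either determination alone is enough, as in the combined embodiment."""
    return api_call_detected or obfuscation_ratio(methods) > 0.0


# Constructed method bodies (opcode bytes only; no real method indices).
SAMPLE_METHODS = [
    Method("Lcom/example/A;->f", bytes([0x12, 0x00, 0x0E, 0x00])),             # const/4 v0,0 ; return-void
    Method("Lcom/example/A;->g", bytes([0x00, 0x00] * 4 + [0x0E, 0x00])),      # nop x4 ; return-void
    Method("Lcom/example/B;->h", bytes([0x01, 0x00, 0x01, 0x00, 0x0E, 0x00])), # move v0,v0 x2 ; return-void
    Method("Lcom/example/B;->k", bytes([0x0E, 0x00])),                         # return-void
]

if __name__ == "__main__":
    print(obfuscated_methods(SAMPLE_METHODS))     # per-method info for the administrator
    print(obfuscation_ratio(SAMPLE_METHODS))      # 2 of 4 methods
    print(security_score(True, SAMPLE_METHODS))
```

Because the per-method dictionary is kept, the information provider can report exactly which methods matched which pattern, rather than only the aggregate ratio.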
  • the system or apparatus described above may be implemented as a hardware component, a software component or a combination of hardware components and software components.
  • the devices and components described in the embodiments may be implemented using, for example, processors, controllers, arithmetic logic units (ALUs), digital signal processors, microcomputers, field programmable gate arrays (FPGAs), or programmable logic units (PLUs).
  • the processing device may execute an operating system (OS) and one or more software applications running on the operating system.
  • the processing device may also access, store, manipulate, process, and generate data in response to the execution of the software.
  • the processing device may include a plurality of processing elements and/or a plurality of types of processing elements.
  • the processing device may include a plurality of processors or one processor and one controller.
  • other processing configurations are possible, such as parallel processors.
  • the software may include a computer program, code, instructions, or a combination of one or more of these, and may configure the processing device to operate as desired or instruct the processing device, independently or collectively.
  • software and/or data may be embodied in any type of machine, component, physical device, virtual equipment, computer storage medium, or device so as to be interpreted by the processing device or to provide instructions or data to the processing device.
  • the software may be distributed over networked computer systems so that they may be stored or executed in a distributed manner.
  • Software and data may be stored on one or more computer readable media.
  • the method according to the embodiment may be embodied in the form of program instructions that can be executed by various computer means and recorded in a computer readable medium.
  • the computer readable medium may include program instructions, data files, data structures, etc. alone or in combination.
  • the program instructions recorded on the media may be those specially designed and constructed for the purposes of the embodiments, or they may be of the kind well-known and available to those having skill in the computer software arts.
  • examples of computer-readable recording media include magnetic media such as hard disks, floppy disks, and magnetic tape, and optical media such as CD-ROMs and DVDs.
  • Such a recording medium may be various recording means or storage means in the form of a single or several hardware combined, and is not limited to a medium directly connected to any computer system, but may be distributed on a network.
  • Examples of program instructions include not only machine code generated by a compiler, but also high-level language code that can be executed by a computer using an interpreter or the like.

Abstract

The invention relates to a method and system for detecting whether obfuscation has been applied to a DEX file and evaluating security. The security evaluation method may comprise the steps of: registering an Android application package (APK); searching a DEX file included in the APK for an application class; checking whether an application programming interface (API) for loading another DEX file further included in the APK is called, based on a class and a method called by a body instruction of a method included in the application class; and determining that obfuscation has been applied to the DEX file when the existence of an API call for loading another DEX file is confirmed.
PCT/KR2017/004584 2017-04-20 2017-04-28 Method and system for detecting whether obfuscation has been applied to a dex file and evaluating security WO2018199366A1 (fr)

Priority Applications (3)

Application Number Priority Date Filing Date Title
PCT/KR2017/004584 WO2018199366A1 (fr) 2017-04-28 2017-04-28 Method and system for detecting whether obfuscation has been applied to a dex file and evaluating security
JP2018080912A JP7131946B2 (ja) 2017-04-20 2018-04-19 Method and system for evaluating the security of an application
US15/958,115 US10963563B2 (en) 2017-04-20 2018-04-20 Method and system for evaluating security of application

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/KR2017/004584 WO2018199366A1 (fr) 2017-04-28 2017-04-28 Method and system for detecting whether obfuscation has been applied to a dex file and evaluating security

Related Parent Applications (2)

Application Number Title Priority Date Filing Date
PCT/KR2017/004236 Continuation WO2018194196A1 (fr) 2017-04-20 2017-04-20 Method and system for detecting application of obfuscation to an ELF file and evaluating security
PCT/KR2017/004243 Continuation WO2018194198A1 (fr) 2017-04-20 2017-04-20 Method and system for detecting application of obfuscation to a PE file and evaluating its security

Related Child Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2017/006903 Continuation WO2019004502A1 (fr) 2017-04-20 2017-06-29 Method and system for evaluating application security

Publications (1)

Publication Number Publication Date
WO2018199366A1 true WO2018199366A1 (fr) 2018-11-01

Family

ID=63918554

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2017/004584 WO2018199366A1 (fr) 2017-04-20 2017-04-28 Method and system for detecting whether obfuscation has been applied to a dex file and evaluating security

Country Status (1)

Country Link
WO (1) WO2018199366A1 (fr)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 17907838; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 17907838; Country of ref document: EP; Kind code of ref document: A1
