Technical Field
The present invention relates to the technical field of terminal devices, and in particular to a method and apparatus for intercepting application behavior.
Background
A mobile terminal is a computing device that can be used while on the move, such as a mobile phone or a tablet computer. As mobile terminals have become widespread, applications of all kinds have come into wide use; a mobile assistant, for example, manages applications intelligently and by category for the user's convenience.
While applications bring convenient services to users' work and life, they also cause problems. For example, if an application carries a virus, it may not only maliciously attack the service system and crash it, causing loss of the user's personal data, but also steal the account names and passwords of the user's other applications. If the user's Alipay account name and password are stolen and used to log in, the user suffers financial loss; if the account name and password of the user's mailbox are stolen and used to log in, the user's work data and personal private information are leaked.
However, the inventors of the present invention have found that an existing mobile terminal attacked by a malicious program (such as a computer virus or Trojan horse) may automatically carry out the operations of an application behavior without the user's knowledge, which degrades the user experience and may even cause the user to lose important data and personal private information as a result of the application's execution.
Therefore, it is necessary to provide a method and apparatus for intercepting application behavior that can intercept application behavior promptly and effectively.
Summary of the Invention
The purpose of the present invention is to solve at least the above technical defects. In particular, the interception module can intercept application behavior promptly and effectively, suspend the corresponding operation, and notify the user of the operation; the application behavior is allowed to run only after the user's confirmation is obtained, which improves the user experience.
The present invention provides a method for intercepting application behavior, comprising:
after an interception module pre-injected into a system service process intercepts information of an application, sending corresponding inquiry information to the application;
the application displaying a corresponding prompt box according to the inquiry information, receiving confirmation information entered by the user as to whether to perform the corresponding operation, and returning it to the interception module;
the interception module allowing or blocking, according to the received confirmation information, the dangerous operation of the system service process on the application.
The present invention also provides an apparatus for intercepting application behavior, comprising:
an interception module pre-injected into a system service process, configured to send corresponding inquiry information to an application after intercepting dangerous-operation information of the application, and to allow or block the dangerous operation of the system service process on the application according to the confirmation information, returned by the application, as to whether to perform the corresponding operation.
In the technical solution of the present invention, application behavior can be intercepted effectively; after interception, the corresponding operation is suspended and the user is notified of it, and the operation is carried out only after the user's confirmation is obtained. This reduces the likelihood that data and personal private information stored in applications will be leaked, improving both the security of personal data and the user experience.
Additional aspects and advantages of the present invention will be given in part in the description below; they will become apparent from that description or be learned through practice of the invention.
Brief Description of the Drawings
The above and/or additional aspects and advantages of the present invention will become apparent and easy to understand from the following description of the embodiments in conjunction with the accompanying drawings, in which:
FIG. 1a is a schematic flowchart of a method for intercepting application behavior according to an embodiment of the present invention;
FIG. 1b is a schematic diagram of the interception module pre-injected into the system service process intercepting the uninstallation of an application, according to an embodiment of the present invention;
FIG. 2 is a schematic block diagram of the internal structure of an apparatus for intercepting application behavior according to an embodiment of the present invention.
Detailed Description
Embodiments of the present invention are described in detail below. Examples of the embodiments are shown in the drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements having the same or similar functions. The embodiments described below with reference to the drawings are exemplary; they serve only to explain the present invention and are not to be construed as limiting it.
Those skilled in the art will understand that, unless expressly stated otherwise, the singular forms "a", "an", "said" and "the" used herein may also include the plural. It should further be understood that the word "comprising" used in this specification indicates the presence of the stated features, integers, steps, operations, elements and/or components, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof. It should be understood that when an element is said to be "connected" or "coupled" to another element, it may be directly connected or coupled to the other element, or intervening elements may be present. In addition, "connected" or "coupled" as used herein may include wireless connection or wireless coupling. The expression "and/or" as used herein includes all or any unit and all combinations of one or more of the associated listed items.
Those skilled in the art will understand that, unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. It should also be understood that terms such as those defined in general-purpose dictionaries are to be understood as having a meaning consistent with their meaning in the context of the prior art and, unless specifically defined as they are here, are not to be interpreted in an idealized or overly formal sense.
Those skilled in the art will understand that "terminal" and "terminal device" as used herein cover both devices with a wireless signal receiver only, that is, devices having a wireless signal receiver with no transmit capability, and devices with receive and transmit hardware, that is, devices having receive and transmit hardware capable of two-way communication over a bidirectional communication link. Such devices may include: cellular or other communication devices, with a single-line display, a multi-line display, or no multi-line display; PCS (Personal Communications Service) devices, which may combine voice, data processing, fax and/or data communication capabilities; PDAs (Personal Digital Assistants), which may include a radio frequency receiver, pager, Internet/intranet access, web browser, notepad, calendar and/or GPS (Global Positioning System) receiver; and conventional laptop and/or palmtop computers or other devices that have and/or include a radio frequency receiver. A "terminal" or "terminal device" as used herein may be portable, transportable, installed in a vehicle (air, sea and/or land), or suited and/or configured to operate locally and/or in distributed form at any other location on Earth and/or in space. A "terminal" or "terminal device" as used herein may also be a communication terminal, an Internet access terminal, or a music/video playback terminal, for example a PDA, a MID (Mobile Internet Device) and/or a mobile phone with music/video playback capability, or a device such as a smart TV or set-top box.
The inventors of the present invention consider that application behavior can be intercepted effectively; after interception, the corresponding operation is suspended and the user is notified of it, and the operation is carried out only after the user's confirmation is obtained. This reduces the likelihood that data and personal private information stored in applications will be leaked, improving both the security of personal data and the user experience.
The technical solution of the present invention is described in detail below with reference to the drawings.
It should be noted that the application behavior in the present invention may specifically be the uninstallation of an application, for example the uninstallation of an application such as a mobile assistant. The application behavior may also be the acquisition of the SMS messages on a customer's phone by hacking software, or the acquisition, by account-and-password-stealing software, of the account and payment password information held in payment software installed on the customer's phone. The application behaviors covered by the present invention are many and varied and are not enumerated further here.
Before the interception module can intercept the dangerous-operation information of an application, the interception module must be injected into the system service process.
The dangerous operations may specifically include: automatically adding bookmarks, forcing a network connection, maliciously deducting the user's communication fees, flooding the screen with spam advertisements, forcing auto-start at boot, preventing an application from being completely uninstalled, maliciously sending bulk SMS messages, using public certificates, installing malicious plug-ins, connecting to malicious fee-deduction websites, preventing an application from being uninstalled, crashing the application's operating system, automatically pushing advertisements while an application is running, stealing the user's online payment account and password, modifying an application's shortcut, and modifying the home page used by the user. This list of dangerous operations is not exhaustive, and further examples are omitted here.
For a better understanding of the present invention, the following application scenario is given: the dangerous operation of the application is the operation of uninstalling the application. This is only an example.
Before the interception module can intercept the uninstallation information of an application, the interception module must be injected into the system service process.
The interception module is injected into the system service process as follows:
First, before the interception module is injected into the system service process, root privileges must be obtained.
Specifically, root privileges are obtained as follows: a request for root privileges issued by a specified program is received; the code of at least one cracking scheme is obtained and run, where a cracking scheme is used to obtain root privileges on the operating system through a vulnerability in the operating system; and when root privileges are successfully obtained by running the code of the cracking scheme, a background service process with root privileges is created for the specified program, where the background service process carries out the operations under root privileges that the specified program intends to perform.
When root privileges are obtained, no files in the operating system are modified, and the process is triggered only when a specified program without root privileges intends to perform an operation that requires them. The operating system's privileges can therefore be elevated temporarily without damaging the operating system, which preserves its stability while still allowing operations under the highest privilege to be completed.
Operations performed with temporarily elevated privileges include at least any one of the following: backing up the system, modifying the system's internal programs, installing an application onto an SD (Secure Digital Memory Card) card, obtaining a file directory, silently installing an application, uninstalling an application, and uninstalling an application pre-installed on the system.
The above method of obtaining elevated root privileges can be applied in various software or products that need to be granted elevated privileges, for example to uninstall software pre-installed on the system, install or uninstall applications, back up or restore application data, enable or disable applications, or clean up auto-start software. It can also be applied in the various scenarios on devices with work/personal isolation that need to invoke elevated privileges, used to clean up system files, or used to detect unsafe phishing websites on the phone.
Then, under root privileges, the interception module is injected into the system service process.
Specifically, injecting the interception module into the system service process includes the following steps:
First, the system service process is suspended;
Then, the original library file of the system service process is overwritten with a modified library file, where the functions in the modified library file contain the functional code of the interception module. In addition, the modified library files also include JAR packages, SO files and dynamic link libraries.
The process of injecting the interception module into the original library file of the system service process is as follows:
Enter the system service process and, within it, call the MAP function, the address of the direopen function; write the address of the corresponding SO into the corresponding memory so as to find the corresponding direopen function; call that direopen function to invoke the SO library and load it into the system Server target process; and obtain the virtual machine of the target process, which is used to load the corresponding JAR package.
It should be noted that C code is used to load the hook point for hooking the uninstallation of an application and the JAR package, and to call the function point corresponding to the hook point; Java code is used to load the hook point injected for the uninstallation of an application and to call the function corresponding to the hook that intercepts the uninstallation. The interception module uses hook technology to intercept the uninstallation operation information of the application.
While the interception module uses hook technology to intercept the uninstallation operation information of the application, the corresponding interface function is called according to the obtained reflection point and the call is released. To make this process more complete, all points need to be blocked; the data points differ, and so do the hook points at which the release operation is performed.
Specifically, in the method that uses the reflection mechanism to call the add Perferred Activate function, the hook technique used is Elf Hook, and the hook point in every case is the ioctl method of libbinder.so in the system_server process. Inside ioctl, the data that would originally be dispatched to the specific method of each system service is parsed; the point that needs to be parsed and released is the call point of the add Preferred Activity function in the package manager.
As shown in FIG. 1a, the flow of the method for intercepting application behavior in this embodiment of the present invention includes the following steps:
S110: After the interception module pre-injected into the system service process intercepts the dangerous-operation information of an application, it sends corresponding inquiry information to the application.
It should be noted that, in the solution of the present invention, application behavior includes performing dangerous operations on an application. The dangerous operations may specifically include: automatically adding bookmarks, forcing a network connection, maliciously deducting the user's communication fees, flooding the screen with spam advertisements, forcing auto-start at boot, preventing an application from being completely uninstalled, maliciously sending bulk SMS messages, using public certificates, installing malicious plug-ins, connecting to malicious fee-deduction websites, preventing an application from being uninstalled, crashing the application's operating system, automatically pushing advertisements while an application is running, stealing the user's online payment account and password, modifying an application's shortcut, and modifying the home page used by the user. This list of dangerous operations is not exhaustive, and further examples are omitted here.
In this step, before the interception module can intercept a dangerous operation of an application, the application's dangerous operations need to be monitored. To help those of ordinary skill in the art better understand the present invention, the ways in which the system service process monitors an application's dangerous operations are listed in detail below:
(1) Dangerous operations related to the terminal and networking:
Obtaining operator information: the target application can, for example, obtain the mobile terminal's IMSI through the getSimOperatorName() function, from which the operator's name can be determined; it can then send agreed commands to the operator to achieve illegal purposes such as fee deduction. By hooking the messages related to this, the monitoring platform can capture the event behavior.
Switching the APN: likewise, operations in which the target application controls APN switching through APN-switching functions can be monitored by the monitoring unit by calling the corresponding hook plug-in.
Similar operations, including obtaining the phone's identification code IME, are handled in the same way.
(2) Dangerous operations related to notification-bar advertisements:
Notification-bar advertisements are the means most easily exploited by malicious programs. The monitoring unit can monitor them by calling the corresponding hook plug-in to monitor the event messages generated by the notify function.
(3) Dangerous operations related to communication:
For example, for dialing a phone call, the event behavior of dialing can be monitored through the StartActivity() function; the corresponding hook plug-in can be used to set up event-behavior monitoring for dialing operations.
SMS operations correspond to functions such as SendTextMessage(); likewise, event-behavior monitoring can be set up for such functions with the help of a hook plug-in.
Contact operations generally correspond to the Query() and Insert() functions; by hooking these functions with a hook plug-in, the monitoring unit can monitor and capture such event behaviors.
(4) Dangerous operations related to command execution:
For example, both SU privilege-escalation operations and command-execution operations require the Execve() function; by monitoring the return message of this function, the monitoring unit 14 can monitor this class of event behavior.
(5) Dangerous operations related to the interface and access:
For example, the event behavior of creating a shortcut corresponds to the SentBroacast() function. Likewise, the operation of hiding a program's icon can be monitored through the specific function it corresponds to.
HTTP network access operations, for example, correspond to functions such as Sentto() and Write().
(6) Dangerous operations related to program operations:
For example, application loading, meaning the current target application loading a related application, can be captured by hooking and monitoring functions such as dexclassloader() and loadlibrary().
S120: The application displays a corresponding prompt box according to the inquiry information, receives the confirmation information entered by the user as to whether to perform the corresponding operation, and returns it to the interception module.
For a better understanding of the present invention, the following application scenario is given: the dangerous operation of the application is the operation of uninstalling the application. This is only an example.
The application displays an uninstallation prompt box according to the inquiry information, receives the confirmation information entered by the user as to whether to uninstall, and returns it to the interception module.
In practice, an uninstallation prompt box asking whether the user agrees to uninstall the application is displayed. The prompt box is usually a dynamic pop-up window floating over the application's interface, and it usually has two buttons: one labelled "continue process" and the other labelled "close process". When the user clicks "continue process", the system service process is allowed to uninstall the application; when the user clicks "close process", the system service process is blocked from uninstalling the application.
S130: The interception module allows or blocks the dangerous operation of the system service process on the application according to the received confirmation information.
Specifically, in this step, when the dangerous operation of the application is a sensitive operation on SMS messages sent or received by the user, the interception module allows or blocks, according to the received confirmation information, the system service process's sensitive operation on those SMS messages. Sensitive operations on SMS messages sent or received by the user may specifically include:
blocking SMS messages, splitting SMS messages, receiving or sending SMS messages in the user's name, and obtaining the content of SMS messages.
When the dangerous operation of the application is the installation or uninstallation of an application, the interception module allows or blocks, according to the received confirmation information, the system service process's installation or uninstallation of the application.
When the dangerous operation of the application is reading the contacts in the user's address book, the interception module allows or blocks, according to the received confirmation information, the system service process's reading of the contacts in the user's address book.
When the dangerous operation of the application is monitoring changes in the signal of the user's mobile terminal, the interception module allows or blocks, according to the received confirmation information, the system service process's monitoring of those signal changes.
When the dangerous operation of the application is monitoring changes in the user's network, the interception module allows or blocks, according to the received confirmation information, the system service process's monitoring of those network changes.
为了使得更好地理解本发明,列举如下应用场景:应用程序的危险操作是指对应用程序进行卸载的操作,仅仅是示例。In order to better understand the present invention, the following application scenarios are enumerated: the dangerous operation of the application refers to the operation of uninstalling the application, which is only an example.
若拦截模块多次接收到用户输入的是否卸载的确认信息,而且多次是否卸载的确认信息的内容并不相同,为了防止由于多次是否卸载的确认信息的内容不同,引起的用户的重要应用程序的恶意卸载,系统服务默认为执行第一次接收到的是否卸载的确认信息的内容,这样有效地避免了由于客户重要应用程序的恶意卸载而引起的数据丢失、隐私信息丢失以及涉及个人财产的密码信息的丢失,造成不可挽回的损失。If the interception module receives the confirmation information of whether to uninstall or not input by the user for many times, and the content of the confirmation information of whether to uninstall is different for many times, in order to prevent the important application of the user from being different due to the different contents of the confirmation information of whether to uninstall or not Malicious uninstallation of the program, the system service defaults to the content of the confirmation message received for the first time whether to uninstall, which effectively avoids data loss, privacy information loss, and personal property related to the malicious uninstallation of the important application program of the customer. The loss of password information will cause irreparable losses.
In addition, if the dangerous operation information of the application shows that the application has already finished running the corresponding dangerous operation, interception is skipped. The interception function of the interception module pre-injected into the system service process is then inactive, which saves system memory resources and improves the service efficiency of the system service process.
To aid understanding of the present invention, the following application scenario is given, in which the dangerous operation of the application is the operation of uninstalling an application; this is merely an example.
If the uninstallation information of the application intercepted by the interception module in the system service process shows that the application has already been completely uninstalled, the step of sending uninstall inquiry information to the application and the subsequent related steps are skipped directly. The uninstall interception function of the uninstall interception module pre-injected into the system service process is then inactive, which saves system memory resources and improves the service efficiency of the system service process.
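The following Python model is an added illustration, not code from the patent or from its applicant. It reproduces the gate described above: an intercepted operation is paused, the first confirmation received is the one executed, later conflicting confirmations are ignored, an operation with no confirmation stays blocked, and an operation that has already completed is skipped. The class, method, event and package names are hypothetical, and the hook into the system service process is not modelled.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Decision(Enum):
    PENDING = "pending"   # operation paused, user has been asked
    ALLOW = "allow"
    BLOCK = "block"
    SKIP = "skip"         # operation had already finished; nothing to gate


@dataclass
class PendingOp:
    package: str
    action: str
    first_answer: Optional[bool] = None            # latched on the first confirmation
    ignored: List[bool] = field(default_factory=list)


class InterceptionGate:
    """Model of the confirm-before-execute gate (hypothetical names)."""

    def __init__(self) -> None:
        self.pending: Dict[str, PendingOp] = {}
        self.audit: List[Tuple[str, str]] = []

    def intercept(self, op_id: str, package: str, action: str,
                  already_completed: bool = False) -> Decision:
        if already_completed:
            # The operation has run to completion: skip the inquiry entirely.
            self.audit.append((op_id, "skip: operation already completed"))
            return Decision.SKIP
        self.pending.setdefault(op_id, PendingOp(package, action))
        self.audit.append((op_id, f"paused {action} of {package}, user asked"))
        return Decision.PENDING

    def confirm(self, op_id: str, allow: bool) -> Decision:
        op = self.pending.get(op_id)
        if op is None:
            # A confirmation for an operation that was never intercepted is not honoured.
            self.audit.append((op_id, "confirmation for unknown operation ignored"))
            return Decision.BLOCK
        if op.first_answer is None:
            op.first_answer = allow
        elif allow != op.first_answer:
            # Differing later confirmation: record it, keep the first answer.
            op.ignored.append(allow)
            self.audit.append((op_id, "conflicting later confirmation ignored"))
        return self.decide(op_id)

    def decide(self, op_id: str) -> Decision:
        op = self.pending.get(op_id)
        if op is None or op.first_answer is None:
            return Decision.BLOCK          # no confirmation received: stay blocked
        return Decision.ALLOW if op.first_answer else Decision.BLOCK


# Constructed event stream (package names are made up for the example).
EVENTS = [
    ("intercept", "op1", "com.example.assistant", "uninstall", False),
    ("confirm", "op1", False),             # user declines
    ("confirm", "op1", True),              # conflicting later answer
    ("intercept", "op2", "com.example.weather", "uninstall", False),
    ("confirm", "op2", True),
    ("intercept", "op3", "com.example.browser", "uninstall", False),  # never answered
    ("intercept", "op4", "com.example.old", "uninstall", True),       # already done
]


def replay(events):
    """Feed the events through a fresh gate; return final decisions and the gate."""
    gate = InterceptionGate()
    result = {}
    for ev in events:
        if ev[0] == "intercept":
            _, op_id, pkg, action, done = ev
            d = gate.intercept(op_id, pkg, action, done)
            result[op_id] = d if d is Decision.SKIP else gate.decide(op_id)
        else:
            _, op_id, allow = ev
            result[op_id] = gate.confirm(op_id, allow)
    return result, gate


if __name__ == "__main__":
    decisions, gate = replay(EVENTS)
    for op_id, decision in decisions.items():
        print(op_id, decision.value)
```

The audit list records every ignored confirmation, which gives a defender a signal that something other than the user may be answering the prompt.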
It should be noted that the interception module allowing or blocking the system service process's uninstallation of an application, as described above, is only one application scenario of the present invention. For an application that is about to be installed or is being installed, the present invention can obtain the installation broadcast information of that application by registering itself as the default installer. The newly installed application is then treated as the target application, and feature information such as its installation package or signature is sent to a cloud server through the remote rule base interface, and the cloud server makes a security judgment on it. In one embodiment, the cloud server sets three security levels for applications, black, gray and white, representing different degrees of danger, and sets corresponding processing rules. For example, black applications are prohibited from being installed, gray applications are left to the user's choice, and white applications can be installed directly. Of course, this can be further simplified to gray and white only, or to black and white only. Those skilled in the art are familiar with this kind of cloud control technology on the server, which will be further outlined later. In any case, the present invention obtains, from the local remote rule base interface, the cloud server's feedback on the processing rules for these applications, and uses the feedback to carry out the corresponding follow-up processing. Specifically, when a black application identifier is returned for the current target application, installation of the target application can be stopped immediately; when the identifier is that of a white or gray application, installation can be released. For the sake of interactivity, once the remote judgment is complete, the present invention displays a pop-up window in the user interface reminding the user of the judgment result, shows corresponding handling suggestions, and asks the user whether to build an active defense environment for the newly installed application. Once the user has chosen to apply active defense to the newly installed target application, that target application is determined.
To help those of ordinary skill in the art better understand the present invention, an example of intercepting the uninstallation of a mobile phone assistant is given below to illustrate the specific process of the application behavior interception method of the present invention:
As described above, the process of placing a hook and intercepting the uninstall function is implemented in Java code. Before the function corresponding to uninstalling the mobile phone assistant is allowed to execute, the parameters related to the mobile phone assistant can be obtained in advance.
When the uninstall function is executed, the function corresponding to uninstalling the mobile phone assistant is executed first. When the system service process detects that a user or an application is attempting to uninstall the mobile phone assistant application, the system service process first calls the function corresponding to uninstalling the mobile phone assistant, and allows or blocks the system service process's uninstallation of the mobile phone assistant by comparing the degree of matching between the function called by that user or application and the function for uninstalling the mobile phone assistant.
Specifically, if the degree of matching is greater than or equal to a preset threshold, this indicates that the party uninstalling the mobile phone assistant is the user, and the uninstallation of the mobile phone assistant is allowed; otherwise, it indicates that the party uninstalling the mobile phone assistant is not the user, and the uninstallation of the mobile phone assistant is blocked.
FIG. 1b is a schematic diagram of the interception module, pre-injected into the system service process, intercepting the uninstallation of applications in an embodiment of the present invention.
As can be seen from FIG. 1b, the interception module pre-injected into the system service process intercepts the uninstallation of two applications, Yahoo Weather and the browser, and first suspends the uninstallation of both. Only after the interception module receives confirmation information entered by the user confirming the uninstallation can the system service process be allowed to uninstall Yahoo Weather and the browser; otherwise, the uninstallation process is blocked.
In this application scenario, after the interception module pre-injected into the system service process intercepts the dangerous operation information of an application, it sends corresponding inquiry information to the application. The application pops up a corresponding prompt box according to the inquiry information, receives the confirmation information entered by the user on whether to perform the corresponding operation, and returns it to the interception module. The interception module allows or blocks the system service process's dangerous operation on the application according to the received confirmation information. In this way application behavior can be intercepted effectively: after interception the corresponding operation is suspended and the user is notified of it, and the operation is executed only after the user's confirmation has been obtained. This reduces the likelihood that data and personal private information stored in the application are leaked, which improves both the security of personal data and the user experience.
FIG. 2 is a schematic block diagram of the internal structure of the application behavior interception device according to an embodiment of the present invention. As shown in FIG. 2, the application behavior interception device of this embodiment includes an interception module 210 and an injection module 220.
It should be noted that the application behavior in the embodiment of the application behavior interception device of the present invention may specifically be the uninstallation of an application. The application behavior may also specifically be the acquisition, by hacker software, of the SMS messages on the customer's mobile phone, or the acquisition, by hacker software, of the account and payment password information the customer has stored in mobile payment software. The application behaviors covered by the present invention are many and varied and are not enumerated further here.
Specifically, the interception module 210, pre-injected into the system service process, is configured to send corresponding inquiry information to the application after intercepting the dangerous operation information of the application, and to allow or block the system service process's dangerous operation on the application according to the confirmation information returned by the application on whether to perform the corresponding operation.
The uninstall interception module 210 uses hook technology to intercept the dangerous operation information of the application.
The injection module 220 is configured to obtain root privileges and, with root privileges, to inject the interception module into the system service process.
Specifically, the injection module 220 is configured to suspend the system service process and to overwrite the original library file of the system service process with a modified library file, where the functions in the modified library file contain the functional code of the interception module.
Further, the interception module 220 includes an interception unit and an uninstall confirmation unit.
The interception unit is configured to output a prompt notification after intercepting the dangerous operation information of the application.
The confirmation unit is configured to send corresponding inquiry information to the application after receiving the prompt notification, and to allow or block the system service process's dangerous operation on the application according to the confirmation information returned by the application on whether to perform the corresponding operation.
In the above embodiment, after the interception module pre-injected into the system service process intercepts the dangerous operation information of an application, it sends corresponding inquiry information to the application, and allows or blocks the system service process's dangerous operation on the application according to the confirmation information returned by the application on whether to perform the corresponding operation. In this way application behavior can be intercepted effectively: after interception the corresponding operation is suspended and the user is notified of it, and the operation is executed only after the user's confirmation has been obtained. This reduces the likelihood that data and personal private information stored in the application are leaked, which improves both the security of personal data and the user experience.
For the specific implementation of the functions of the interception module and the injection module, refer to the method steps shown in FIG. 1a and FIG. 1b above; the details are not repeated here.
In addition, the present invention also includes a terminal device having the device with the above interception module and injection module, which intercepts application behavior by means of that device.
When the interception module receives confirmation information entered by the user on whether to perform the corresponding operation several times, and the contents of those confirmations differ, the system service by default executes only the content of the first confirmation received, which improves the security of customer data.
Further, when the dangerous operation information of the application intercepted by the interception module in the system service process shows that the application has already finished running the corresponding dangerous operation, interception is skipped, which saves system memory resources and improves the service efficiency of the system service process.
Those skilled in the art will appreciate that the present invention covers devices for performing one or more of the operations described in this application. These devices may be specially designed and manufactured for the required purposes, or may comprise known devices in general-purpose computers. These devices have computer programs stored in them that are selectively activated or reconfigured. Such a computer program may be stored in a device-readable (for example, computer-readable) medium, or in any type of medium suitable for storing electronic instructions and coupled to a bus, including but not limited to any type of disk (including floppy disks, hard disks, optical disks, CD-ROMs and magneto-optical disks), ROM (Read-Only Memory), RAM (Random Access Memory), EPROM (Erasable Programmable Read-Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), flash memory, magnetic cards or optical cards. That is, a readable medium includes any medium in which information is stored or transmitted in a form readable by a device (for example, a computer).
Those skilled in the art will appreciate that each block of these structural diagrams and/or block diagrams and/or flow diagrams, and combinations of blocks in them, can be implemented with computer program instructions. Those skilled in the art will also appreciate that these computer program instructions can be provided to a general-purpose computer, a special-purpose computer, or a processor of another programmable data processing method, so that the scheme specified in a block or blocks of the structural diagrams and/or block diagrams and/or flow diagrams disclosed in the present invention is executed by the computer or by the processor of the other programmable data processing method.
Those skilled in the art will appreciate that the steps, measures and schemes in the various operations, methods and processes discussed in the present invention can be alternated, changed, combined or deleted. Further, other steps, measures and schemes in the various operations, methods and processes discussed in the present invention can also be alternated, changed, rearranged, decomposed, combined or deleted. Further, steps, measures and schemes in the prior art that correspond to the various operations, methods and processes disclosed in the present invention can also be alternated, changed, rearranged, decomposed, combined or deleted.
The above describes only some embodiments of the present invention. It should be pointed out that those of ordinary skill in the art can make a number of improvements and refinements without departing from the principles of the present invention, and these improvements and refinements should also be regarded as falling within the scope of protection of the present invention.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410751739.6A (CN104376263B) | 2014-12-09 | 2014-12-09 | The method and apparatus that application behavior intercepts |
| Publication Number | Publication Date |
|---|---|
| CN104376263A | 2015-02-25 |
| CN104376263B | 2018-02-16 |
| Code | Title | Description |
|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| TR01 | Transfer of patent right | Effective date of registration: 20220725. Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015. Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park). Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.; Qizhi software (Beijing) Co.,Ltd. |