
Static and dynamic security analysis of apps for mobile devices

Patent number
US10867041B2
Publication date
2020-12-15
Applicant
Palo Alto Networks, Inc. (US CA Santa Clara)
Inventors
Zhi Xu; Xinran Wang; Huagang Xie
IPC classification
G06F21/56
Technical field
apk,malicious,analysis,malware,static,appliance,game.apk,in,engine,dynamic
Region: CA CA Santa Clara

Abstract

Techniques for performing static and dynamic analysis on a mobile device application are disclosed. Static analysis is performed on a mobile device application using a static analysis engine. A set of static analysis results is generated. Dynamic analysis of the application is selectively customized based at least in part on a presence of a permission in the set of static analysis results. Dynamic analysis is performed using a dynamic analysis engine. A determination of whether the application is malicious is made based at least in part on the dynamic analysis.

Description

CROSS REFERENCE TO OTHER APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 15/707,619 entitled STATIC AND DYNAMIC SECURITY ANALYSIS OF APPS FOR MOBILE DEVICES filed Sep. 18, 2017, which is a continuation of U.S. patent application Ser. No. 13/954,815, now U.S. Pat. No. 9,811,665 entitled STATIC AND DYNAMIC SECURITY ANALYSIS OF APPS FOR MOBILE DEVICES filed Jul. 30, 2013 both of which are incorporated herein by reference for all purposes.

BACKGROUND OF THE INVENTION

Individuals are increasingly spending more time using mobile devices and less time using traditional computers. This shift in usage is present both in personal and in business contexts. For example, employees of companies are increasingly using mobile devices for their work related activities. In conjunction with this shift in user behavior, nefarious individuals and organizations are increasingly targeting mobile devices with malicious applications (“malware”). Unfortunately, it can be difficult to protect mobile devices using existing techniques.

BRIEF DESCRIPTION OF THE DRAWINGS

Various embodiments of the invention are disclosed in the following detailed description and the accompanying drawings.

FIG. 1 illustrates an example of an environment in which mobile malware is detected and prevented from causing harm.

FIG. 2 illustrates an embodiment of a data appliance.

FIG. 3 illustrates an example of logical components included in a system for performing static and dynamic analysis on a mobile device application.

Claims

What is claimed is:

1. A system, comprising:
a processor configured to:
perform static analysis on a mobile device application using a static analysis engine to generate a set of static analysis results, wherein the static analysis results include a set of permissions granted to the mobile device application and further include a minimum operating system version number required by the mobile device application to execute;
select, by a dynamic analysis engine, a particular emulator from a plurality of emulators each meeting the minimum operating system version requirement of the mobile device application, wherein the selection is based at least in part on the minimum operating system version number included in the static analysis results;
selectively customize how the dynamic analysis engine will perform dynamic analysis of the mobile device application, using the set of permissions granted to the mobile device application, wherein in the event a first permission is included in the set of permissions granted to the mobile device application, a type of dynamic analysis associated with the first permission will be selected for performing during dynamic analysis of the mobile device application, and wherein in the event the first permission is not included in the set of permissions granted to the mobile device application, the type of dynamic analysis associated with the first permission will not be selected for performing during dynamic analysis of the mobile device application;
perform the customized dynamic analysis of the mobile device application using the dynamic analysis engine; and
assign a final maliciousness verdict to the application based at least in part on an evaluation of one or more static analysis results and an evaluation of one or more dynamic analysis results; and
a memory coupled to the processor and configured to provide the processor with instructions.

2. The system of claim 1 wherein performing static analysis includes reversing the mobile device application into an intermediate source code form.

3. The system of claim 1 wherein performing static analysis includes determining the presence of a filetype mismatch.

4. The system of claim 1 wherein performing dynamic analysis includes emulating a mobile device and wherein performing dynamic analysis further includes simulating an event external to the simulated mobile device.

5. The system of claim 4 wherein the simulated event comprises a simulated location change.

6. The system of claim 4 wherein the simulated event comprises a simulated transmission of a message to the simulated mobile device from a simulated entity.

7. The system of claim 1 wherein performing at least one of static and dynamic analysis includes determining that a deletion action is taken in response to receipt of message appearing to have been sent by a carrier.

8. The system of claim 1 wherein the static analysis results include at least one indication that a feature of the mobile device application is suspicious which warrants additional investigation during dynamic analysis, and wherein the dynamic analysis engine is configured to determine whether the feature identified as suspicious during static analysis is malicious.

9. The system of claim 1 wherein the processor is further configured to report the determination to a data security appliance.

10. The system of claim 1 wherein the mobile device application has a location permission and wherein a location-type dynamic analysis is selected for performing during dynamic analysis of the mobile device application.

11. The system of claim 1 wherein the mobile device application lacks a message access permission and wherein a messaging-type dynamic analysis is not selected for performing during dynamic analysis of the mobile device application.

12. A method, comprising:
performing static analysis on a mobile device application using a static analysis engine to generate a set of static analysis results, wherein the static analysis results include a set of permissions granted to the mobile device application and further include a minimum operating system version number required by the mobile device application to execute;
selecting, by a dynamic analysis engine, a particular emulator from a plurality of emulators each meeting the minimum operating system version requirement of the mobile device application, wherein the selection is based at least in part on the minimum operating system version number included in the static analysis results;
selectively customizing how the dynamic analysis engine will perform dynamic analysis of the mobile device application, using the set of permissions granted to the mobile device application, wherein in the event a first permission is included in the set of permissions granted to the mobile device application, a type of dynamic analysis associated with the first permission will be selected for performing during dynamic analysis of the mobile device application, and wherein in the event the first permission is not included in the set of permissions granted to the mobile device application, the type of dynamic analysis associated with the first permission will not be selected for performing during dynamic analysis of the mobile device application;
performing the customized dynamic analysis of the mobile device application using the dynamic analysis engine; and
assigning a final maliciousness verdict to the application based at least in part on an evaluation of one or more static analysis results and an evaluation of one or more dynamic analysis results.

13. The method of claim 12 wherein performing static analysis includes reversing the mobile device application into an intermediate source code form.

14. The method of claim 12 wherein performing static analysis includes determining the presence of a filetype mismatch.

15. The method of claim 13 wherein performing dynamic analysis includes emulating a mobile device and wherein performing dynamic analysis further includes simulating an event external to the simulated mobile device.

16. The method of claim 15 wherein the simulated event comprises a simulated location change.

17. The method of claim 15 wherein the simulated event comprises a simulated transmission of a message to the simulated mobile device from a simulated entity.

18. The method of claim 13 wherein performing at least one of static and dynamic analysis includes determining that a deletion action is taken in response to receipt of message appearing to have been sent by a carrier.

19. The method of claim 12 further comprising reporting the determination to a data security appliance.

20. The method of claim 12 wherein the mobile device application has a location permission and wherein a location-type dynamic analysis is selected for performing during dynamic analysis of the mobile device application.

21. The method of claim 12 wherein the mobile device application lacks a message access permission and wherein a messaging-type dynamic analysis is not selected for performing during dynamic analysis of the mobile device application.

22. The method of claim 12 wherein the static analysis results include at least one indication that a feature of the mobile device application is suspicious which warrants additional investigation during dynamic analysis, and wherein the dynamic analysis engine is configured to determine whether the feature identified as suspicious during static analysis is malicious.

23. A computer program product embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
performing static analysis on a mobile device application using a static analysis engine to generate a set of static analysis results, wherein the static analysis results include a set of permissions granted to the mobile device application and further include a minimum operating system version number required by the mobile device application to execute;
selecting, by a dynamic analysis engine, a particular emulator from a plurality of emulators each meeting the minimum operating system version requirement of the mobile device application, wherein the selection is based at least in part on the minimum operating system version number included in the static analysis results;
selectively customizing how the dynamic analysis engine will perform dynamic analysis of the mobile device application, using the set of permissions granted to the mobile device application, wherein in the event a first permission is included in the set of permissions granted to the mobile device application, a type of dynamic analysis associated with the first permission will be selected for performing during dynamic analysis of the mobile device application, and wherein in the event the first permission is not included in the set of permissions granted to the mobile device application, the type of dynamic analysis associated with the first permission will not be selected for performing during dynamic analysis of the mobile device application;
performing the customized dynamic analysis of the mobile device application using the dynamic analysis engine; and
assigning a final maliciousness verdict to the application based at least in part on an evaluation of one or more static analysis results and an evaluation of one or more dynamic analysis results.
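
An added illustration (not code from the patent or from Palo Alto Networks) of the flow recited in claims 1, 10 and 11: static results drive the emulator choice and gate which dynamic analysis types run. The permission-to-analysis mapping, the closest-version emulator policy, the verdict rule and all names are assumptions made for this sketch.

```python
from dataclasses import dataclass

# Assumed mapping (not from the patent): Android permission ->
# (dynamic analysis type, external event to simulate, cf. claims 4-6).
ANALYSIS_FOR_PERMISSION = {
    "android.permission.ACCESS_FINE_LOCATION": ("location", "simulated location change"),
    "android.permission.RECEIVE_SMS": ("messaging", "simulated inbound message"),
    "android.permission.READ_SMS": ("messaging", "simulated inbound message"),
}

@dataclass(frozen=True)
class StaticResults:
    permissions: frozenset   # permissions granted to the app
    min_os_version: int      # minimum OS version the app requires

@dataclass(frozen=True)
class Emulator:
    name: str
    os_version: int

def select_emulator(static, emulators):
    """Choose among emulators that meet the app's minimum OS version.
    Assumed policy: the closest version at or above the minimum."""
    eligible = [e for e in emulators if e.os_version >= static.min_os_version]
    if not eligible:
        raise LookupError(f"no emulator runs OS version >= {static.min_os_version}")
    return min(eligible, key=lambda e: e.os_version)

def plan_dynamic_analysis(static):
    """Map analysis type -> event. A type is selected only when an associated
    permission appears in the static results; otherwise it is not selected."""
    plan = {}
    for perm in sorted(static.permissions):
        if perm in ANALYSIS_FOR_PERMISSION:
            kind, event = ANALYSIS_FOR_PERMISSION[perm]
            plan[kind] = event
    return plan

def final_verdict(static_suspicious, dynamic_malicious):
    """Assumed rule combining the static and dynamic evaluations."""
    if dynamic_malicious:
        return "malicious"
    return "suspicious" if static_suspicious else "benign"

# Constructed sample: a game that requests location but no SMS access.
GAME = StaticResults(frozenset({"android.permission.INTERNET",
                                "android.permission.ACCESS_FINE_LOCATION"}), 16)
POOL = [Emulator("emu-api10", 10), Emulator("emu-api16", 16), Emulator("emu-api19", 19)]

if __name__ == "__main__":
    print(select_emulator(GAME, POOL).name, plan_dynamic_analysis(GAME))
```
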