CN111931167B - Method and system for preventing Android application from being hijacked by sandbox - Google Patents
Method and system for preventing Android application from being hijacked by sandbox Download PDFInfo
- Publication number
- CN111931167B CN111931167B CN202011069803.4A CN202011069803A CN111931167B CN 111931167 B CN111931167 B CN 111931167B CN 202011069803 A CN202011069803 A CN 202011069803A CN 111931167 B CN111931167 B CN 111931167B
- Authority
- CN
- China
- Prior art keywords
- class
- application
- class loader
- loader
- android
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/54—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Stored Programmes (AREA)
Abstract
The invention relates to the field of information security, in particular to a method and a system for preventing Android applications from being hijacked by a sandbox. The method comprises the following steps: starting an Android application; obtaining a specific class in the Android application; detecting and obtaining a class loader of a specific class; judging whether the class loader of the specific class is the same as the target class loader; when the class loader of the specific class is different from the target class loader, protecting the application; when the class loader of the specific class is the same as the target class loader, the application is kept working normally. The method and the system for preventing the Android application from being hijacked by the sandbox have the advantages of good detection effect, difficulty in bypassing and practicability and reliability, whether the Android application runs in the sandbox environment can be determined by detecting the class loader of the system layer service class and judging whether the class loader is the system class loader, the problems of poor effect, easiness in bypassing and low practicability existing in the existing sandbox detection means are solved, and the requirement of Android application for protecting data is met.
Description
Technical Field
The invention relates to the field of information security, in particular to a method and a system for preventing Android applications from being hijacked by a sandbox.
Background
Sandboxing (sandbox), also known as sandboxing, is a security mechanism for protecting operating systems in the field of computer security, by providing an isolated environment for running programs using virtual machine processes in order to run programs that are untrusted, destructive, or irreducible from some source. In the existing Android operating system, various sandbox applications are layered endlessly, and are used for providing a function of double-open application or multiple-open application for a user at first to meet the requirement of multiple account login of the user, but due to the mechanism of the sandbox, the Android application running in the sandbox is easy to be tampered, so that the user can perform harsh operations such as simulated positioning, simulated navigation and simulated machine type on the multiple-open application through the sandbox environment, even can intercept application data and modify the data, and is very harmful, so that the sandbox environment needs to be detected to prevent the Android application from being hijacked by the sandbox.
The existing sandbox detection technology mainly detects the path of an application storage directory, and the principle is as follows: after the application is installed, a storage directory is established on the storage device, a path of the storage directory can be obtained through a query interface provided by an Android system, when a user utilizes a sandbox to perform multi-open operation on the application, the sandbox additionally establishes the storage directory for the application needing multi-open, at the moment, if the path of the storage directory is obtained, the path is found to be inconsistent with a correct path, accordingly, the application can be judged to be operated in a sandbox environment, but part of sandbox software has an IO redirection technology, the correct path can still be returned, and the detection method is caused to be invalid. Similarly, the technology for detecting the application list has the following principle: the application list is directly inquired to obtain the installed application list in the system, when the application is opened too much, two applications with the same package name appear in the application list, and accordingly the fact that the applications run in the sandbox environment can be judged, but the method for inquiring the application list is easily hijacked by sandbox software and cannot return the applications with the same package name, namely the detection method can be also bypassed by the sandbox software.
In addition, the sandbox detection technology adopts a PS detection scheme, and the principle is as follows: the method comprises the steps that a PS command is executed on an Android platform to obtain process information, then the process information is filtered by the aid of the uid of an application, if a user utilizes a sandbox to perform multi-opening operation on the application, an additional process can be found after the filtering operation is completed, accordingly, the fact that the application runs in the sandbox environment can be judged, the method cannot be easily bypassed, in part of Android systems, the PS command cannot obtain the process information, the method is limited in use, when the Android application has multi-process requirements, normal requirements and the sandbox environment cannot be distinguished, misjudgment is easily caused, practicability is low, and therefore a new detection means is needed to prevent the Android application from being hijacked by the sandbox.
Disclosure of Invention
In order to overcome the technical defects of poor effect, easiness in bypassing and low practicability existing in the existing sandbox detection means, the invention provides a practical and reliable method and system for preventing Android application from being hijacked by a sandbox, wherein the method and system have good detection effect and are difficult to bypass.
In order to solve the problems, the invention is realized according to the following technical scheme:
the invention discloses a method for preventing Android application from being hijacked by a sandbox, which is characterized by comprising the following steps:
starting an Android application;
obtaining a specific class in the Android application;
detecting and obtaining a class loader of a specific class;
judging whether the class loader of the specific class is the same as the target class loader;
when the class loader of the specific class is different from the target class loader, protecting the application;
when the class loader of the specific class is the same as the target class loader, the application is kept working normally.
The specific class is a system layer service class and is used for defining a service interface so as to provide system services through the interface.
The detecting and obtaining of the class loader of the specific class specifically includes:
inputting the obtained specific class;
calling an Android system interface to obtain a corresponding class loader;
and outputting the obtained class loader.
The class loader comprises:
the root class loader is used for loading Java core classes;
the extension class loader is used for loading an extension directory of a Java running environment;
and the system class loader is used for loading the specified file and class path from the Java command when the Java running environment is started.
The target class loader is a system class loader.
The protection of the application comprises the following steps:
acquiring information of an Android application;
analyzing the application information and judging whether the application is sensitive application or not;
if the application is sensitive, quitting the application;
if the application is not a sensitive application, the application is kept working normally.
The application information comprises: package name of application, version number of application.
The invention discloses a system for preventing Android application from being hijacked by a sandbox, which is characterized by comprising the following steps:
the starting module is used for starting the Android application;
the extraction module is used for obtaining a specific class in the Android application;
the detection module is used for detecting and obtaining the class loader of a specific class;
the judging module is used for judging whether the class loader of the specific class is the same as the target class loader or not;
the protection module is used for protecting the application when the class loader of the specific class is different from the target class loader;
and the maintaining module is used for keeping the application to normally work when the class loader of the specific class is the same as the target class loader.
Compared with the prior art, the invention has the beneficial effects that:
the method and the system for preventing the Android application from being hijacked by the sandbox have the advantages of good detection effect, difficulty in bypassing and practicability and reliability, the Android application can be determined whether to operate in the sandbox environment or not by detecting the class loader of the system layer service class and judging whether the class loader is the system class loader or not, the detection effect is good, the system layer service class must be loaded by the system class loader according to the specification of the Java operation environment, and the class loader of the sandbox is in the sandbox environment, so that the characteristic is not easy to be imitated or bypassed.
Drawings
Embodiments of the invention are described in further detail below with reference to the attached drawing figures, wherein:
FIG. 1 is a schematic flow diagram of the process of the present invention;
FIG. 2 is a flow chart illustrating a method of detecting and obtaining class loaders of a particular class according to the present invention;
FIG. 3 is a flow chart of a method for protecting an application according to the present invention;
fig. 4 is a schematic diagram of the system architecture of the present invention.
Detailed Description
The preferred embodiments of the present invention will be described in conjunction with the accompanying drawings, and it will be understood that they are described herein for the purpose of illustration and explanation and not limitation.
As shown in fig. 1 to 4, the method for preventing the Android application from being hijacked by the sandbox is characterized by comprising the following steps:
101. and starting the Android application.
Specifically, the Android application is started when receiving the input of the user, that is, when the user initiates a click input action to the application in the Android system, the Android application is started to work.
102. And obtaining a specific class in the Android application.
Specifically, the specific class is a system layer service class, and is used for defining a service interface so as to provide a system service through the interface.
103. Class loaders of a particular class are detected and obtained.
The detecting and obtaining of the class loader of the specific class specifically includes:
201. the specific class obtained is entered.
Specifically, the specific class is a system layer service class.
202. And calling an Android system interface to obtain a corresponding class loader.
Specifically, the Android system interface is an API interface with a query function, and as a preferred embodiment of the present invention, the Android system interface code is "getClass (). getClass loader ()" so as to obtain a class loader corresponding to a system layer service class.
203. And outputting the obtained class loader.
Specifically, the class loader includes:
and the root class loader is used for loading the core class of the Java and is realized by the native code.
The extension class loader is used for loading an extension directory of a Java running environment, the extension class loader is realized by Java language, and a parent class loader of the extension class loader is null.
And the system class loader is realized by Java language and is used for loading the specified file and class path from the Java command when the Java running environment starts. The system class loader is also called an application class loader, the application program can acquire the system class loader through a static method, and when the system class loader is not particularly specified, the user-defined class loader takes the system class loader as a parent loader.
The class loader of the specific class is one of the class loaders, and the result is used for subsequent judgment work.
104. It is determined whether the class loader for the particular class is the same as the target class loader.
Specifically, the target class loader is a system class loader, and when the class loader of the system layer service class is the system class loader, it is stated that the class loader of the system layer service class is the same as the target class loader. The advantage of this setting lies in: according to the specification of the Java execution environment, the system layer service class must be loaded by a system class loader, and the sandbox environment is the class loader of the sandbox, so that the feature is not easy to imitate or bypass.
105. When the class loader of the specific class is different from the target class loader, the application is protected.
Specifically, when the class loader of the specific class is different from the target class loader, it indicates that the application runs in the sandbox environment and the application data needs to be protected.
The protection of the application comprises the following steps:
301. and acquiring information of the Android application.
Specifically, the application information includes:
the package name of the application can be used for distinguishing different Android applications through the information;
the version name of the application can be obtained through the information;
and the version number of the application can be used for distinguishing different versions of the Android application through the information.
302. And analyzing the application information and judging whether the application is sensitive application or not.
Specifically, comparing the package name of the Android application with the recorded application information to determine whether the application is sensitive; and comparing the version number of the Android application with the release record of the application to determine whether the version is a sensitive version.
303. If the application is sensitive, quitting the application;
specifically, when the Android application is a sensitive application and runs in a sandbox environment, the application is directly quitted, so that a user cannot modify application data.
304. If the application is not a sensitive application, the application is kept working normally.
Specifically, when the Android runs in a sandbox environment but is not a sensitive application, the Android application allows the user to continue using the Android application.
106. When the class loader of the specific class is the same as the target class loader, the application is kept working normally.
Specifically, when the Android is not operated in the sandbox environment, the user is allowed to continue normal use.
The invention discloses a system for preventing Android application from being hijacked by a sandbox, which is characterized by comprising the following steps:
the starting module 1 is used for starting the Android application;
the extraction module 2 is used for obtaining a specific class in the Android application;
the detection module 3 is used for detecting and obtaining the class loader of a specific class;
the judging module 4 is used for judging whether the class loader of the specific class is the same as the target class loader;
the protection module 5 is used for protecting the application when the class loader of the specific class is different from the target class loader;
and the maintaining module 6 is used for keeping the application normally working when the class loader of the specific class is the same as the target class loader.
The method and the system for preventing the Android application from being hijacked by the sandbox have the advantages of good detection effect, difficulty in bypassing and practicability and reliability, the Android application can be determined whether to operate in the sandbox environment or not by detecting the class loader of the system layer service class and judging whether the class loader is the system class loader or not, the detection effect is good, the system layer service class must be loaded by the system class loader according to the specification of the Java operation environment, and the class loader of the sandbox is in the sandbox environment, so that the characteristic is not easy to be imitated or bypassed.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention in any way, so that any modification, equivalent change and modification made to the above embodiment according to the technical spirit of the present invention are within the scope of the technical solution of the present invention.
Claims (6)
1. A method for preventing Android applications from being hijacked by sandboxes is characterized by comprising the following steps:
starting an Android application;
obtaining a specific class in the Android application;
detecting and obtaining a class loader of a specific class;
judging whether the class loader of the specific class is the same as the target class loader;
when the class loader of the specific class is different from the target class loader, protecting the application;
when the class loader of the specific class is the same as the target class loader, keeping the application working normally;
the specific class is a system layer service class and is used for defining a service interface so as to provide system services through the interface;
the target class loader is a system class loader.
2. The method for preventing the Android application from being hijacked by the sandbox according to claim 1, wherein: the detecting and obtaining of the class loader of the specific class specifically includes:
inputting the obtained specific class;
calling an Android system interface to obtain a corresponding class loader;
and outputting the obtained class loader.
3. The method for preventing the Android application from being hijacked by the sandbox according to claim 2, wherein: the class loader comprises:
the root class loader is used for loading Java core classes;
the extension class loader is used for loading an extension directory of a Java running environment;
and the system class loader is used for loading the specified file and class path from the Java command when the Java running environment is started.
4. The method for preventing the Android application from being hijacked by the sandbox according to claim 1, wherein: the protection of the application comprises the following steps:
acquiring information of an Android application;
analyzing the application information and judging whether the application is sensitive application or not;
if the application is sensitive, quitting the application;
if the application is not a sensitive application, the application is kept working normally.
5. The method for preventing the Android application from being hijacked by the sandbox according to claim 4, wherein: the application information comprises: package name of application, version number of application.
6. A system for preventing Android applications from being hijacked by a sandbox is characterized by comprising:
the starting module is used for starting the Android application;
the extraction module is used for obtaining a specific class in the Android application;
the detection module is used for detecting and obtaining the class loader of a specific class;
the judging module is used for judging whether the class loader of the specific class is the same as the target class loader or not;
the protection module is used for protecting the application when the class loader of the specific class is different from the target class loader;
the maintenance module is used for keeping the application to normally work when the class loader of the specific class is the same as the target class loader;
the specific class is a system layer service class used for defining a service interface to provide system services through the interface,
the target class loader is a system class loader.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011069803.4A CN111931167B (en) | 2020-10-09 | 2020-10-09 | Method and system for preventing Android application from being hijacked by sandbox |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011069803.4A CN111931167B (en) | 2020-10-09 | 2020-10-09 | Method and system for preventing Android application from being hijacked by sandbox |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111931167A CN111931167A (en) | 2020-11-13 |
| CN111931167B true CN111931167B (en) | 2021-02-09 |
Family
ID=73334327
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011069803.4A Active CN111931167B (en) | 2020-10-09 | 2020-10-09 | Method and system for preventing Android application from being hijacked by sandbox |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111931167B (en) |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8141070B2 (en) * | 2005-05-24 | 2012-03-20 | International Business Machines Corporation | Bridging class loader name spaces |
| CN102902911B (en) * | 2012-09-18 | 2015-08-19 | 北京深思数盾科技有限公司 | A kind of method of safe operation third party code in Java Virtual Machine |
| CN108229148B (en) * | 2016-12-21 | 2022-06-21 | 武汉安天信息技术有限责任公司 | Sandbox unshelling method and sandbox unshelling system based on Android virtual machine |
| CN108279940B (en) * | 2016-12-30 | 2020-12-15 | 华为技术有限公司 | Module loading method and device in web container |
| CN111523097B (en) * | 2020-04-09 | 2023-08-29 | 北京智慧章鱼科技有限公司 | App brush user identification method, device and storage medium based on Android system |
-
2020
- 2020-10-09 CN CN202011069803.4A patent/CN111931167B/en active Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN111931167A (en) | 2020-11-13 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US7386839B1 (en) | System and method for troubleshooting software configuration problems using application tracing | |
| US6412071B1 (en) | Method for secure function execution by calling address validation | |
| US20160142437A1 (en) | Method and system for preventing injection-type attacks in a web based operating system | |
| JP4518564B2 (en) | Method for preventing unauthorized code execution, program for preventing unauthorized code execution, and recording medium for program for preventing unauthorized code execution | |
| CN100481101C (en) | Method for computer safety start | |
| CN101515320B (en) | Vulnerability testing method in attack and system thereof | |
| CN106055385A (en) | System and method for monitoring virtual machine process, and method for filtering page fault anomaly | |
| JP2021504826A (en) | How to launch application programs, launchers and computer-readable storage media | |
| CN108491327A (en) | A kind of Android application dynamic Receiver components local refusal service leak detection method | |
| CN107450964A (en) | It is a kind of to be used to finding that virtual machine is examined oneself whether there is the method for leak in system | |
| CN105718796B (en) | A kind of system call level monitoring method of Android privacy of user data access | |
| CN111931167B (en) | Method and system for preventing Android application from being hijacked by sandbox | |
| CN109522235A (en) | A method of it is detected for the privacy leakage of Android dynamically load | |
| US20080244324A1 (en) | Method and system for providing enhanced exception messages for exceptions thrown by virtual machines | |
| CN116150739A (en) | Automatic stack overflow defense method based on dynamic protection of key address | |
| CN102222189A (en) | Method for protecting operating system | |
| CN106845235A (en) | A kind of Android platform call back function detection method based on machine learning method | |
| CN111814119B (en) | Anti-debugging method | |
| CN117725583A (en) | Linux malicious code detection method and system based on virtual machine introspection | |
| CN112632547A (en) | Data processing method and related device | |
| CN111931191A (en) | Dynamic detection method and system for binary software stack overflow leakage hole of Linux platform | |
| KR101207434B1 (en) | System and Method for Preventing Collision Between Different Digital Documents Protection System | |
| CN107798244A (en) | A kind of method and device for detecting Remote Code Execution Vulnerability | |
| CN106557693A (en) | A kind of malice Hook behavioral value method and system | |
| CN111611580B (en) | Method and system for detecting whether program runs in environment of Jinshan safe sandbox system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |