小程序敏感数据收集行为检测
作者:
作者单位:

作者简介:

通讯作者:

中图分类号:

基金项目:

工信部专项(TC220H079)


Detection for Sensitive Data Collection Behaviors in Mini-programs
Author:
Affiliation:

Fund Project:

  • 摘要
  • |
  • 图/表
  • |
  • 访问统计
  • |
  • 参考文献
  • |
  • 相似文献
  • |
  • 引证文献
  • |
  • 资源附件
  • |
  • 文章评论
    摘要:

    小程序近年来被广泛应用, 因承载了大量的敏感用户数据而引发了广泛的隐私安全担忧. 现有的面向传统移动应用的隐私安全分析方法无法直接应用于小程序中. 一方面, 现有方法难以有效分析小程序闭源框架行为带来的隐私流转以及JavaScript闭包特性带来的跨作用域隐私流转, 造成分析结果的缺失. 另一方面, 小程序动态加载子包的机制导致不完整的分析范围, 进一步造成分析结果的缺失. 为此本文提出了动静态混合的小程序隐私收集行为分析方法. 首先, 该方法为小程序中的不同单元边界构建了基于控制流或数据依赖关系的数据传播路径, 即小程序隐私传播流图. 进一步地, 该方法通过学习并迁移传统移动应用端界面设计知识, 并利用UI事件与页面转换行为之间的控制流关联作为指引, 有效地对小程序界面进行探索, 从而触发子包加载过程. 相应的子包代码经分析后与已有分析结果融合, 形成更为全面的小程序隐私传播流图. 本文基于小程序隐私传播流图实现了对小程序内敏感数据的追踪. 本文基于上述方法实现了小程序隐私收集行为分析工具MiniSafe. 评估结果表明, MiniSafe在精确率与召回率上分别达到了90.4%与87.4%, 均优于现有工作. 同时, MiniSafe平均在每个小程序中检测出7项敏感数据收集行为, 通过考虑小程序子包中的敏感数据收集行为使整体检测效果提升了42.9%, 具有较好的检测效果与实际可用性.

    Abstract:

    Mini-programs have been widely used in recent years, causing widespread privacy and security concerns for carrying a large amount of sensitive user data. Existing privacy and security analysis techniques for traditional mobile applications cannot be directly applied to mini-programs. On the one hand, it is difficult for existing methods to effectively analyze the privacy transfer caused by the closed-source mini-program framework and the cross-scope privacy transfer caused by the JavaScript closures, resulting in a lack of analysis results. On the other hand, the mechanism of dynamic sub-package loading leads to incomplete analysis scope, further resulting in a lack of analysis results. This study proposes a hybrid dynamic/static method for analyzing the privacy collection behaviors in mini-programs. First, this method constructs a data propagation path based on either control flow or data dependency for different unit boundaries in the mini-programs, namely the mini-program privacy propagation flow graph. Furthermore, this method effectively explores the mini-program UI by learning and transferring traditional mobile application UI design knowledge, and using the control flow association between UI events and page transition information as a guide, thereby triggering the sub-package loading process. The corresponding sub-package code is analyzed and integrated with existing analysis results to form a more comprehensive mini-program privacy propagation flow graph. This study implements the tracking of sensitive data in mini-programs through the privacy propagation flow graph. Based on the above method, this study implements MiniSafe, a privacy collection behavior analysis tool for mini-programs. The evaluation results show that MiniSafe achieves 90.4% and 87.4% in precision and recall respectively, both of which outperform existing work. MiniSafe detects an average of 7 sensitive data collection behaviors in each mini-program. By considering sensitive data collection behaviors in mini-program sub-packages, the overall detection number has increased by 42.9%, demonstrating good detection performance and practical usability.

    参考文献
    相似文献
    引证文献
引用本文

花楠,杨哲慜.小程序敏感数据收集行为检测.计算机系统应用,2024,33(11):224-236

复制
分享
文章指标
  • 点击次数:
  • 下载次数:
  • HTML阅读次数:
  • 引用次数:
历史
  • 收稿日期:2024-04-02
  • 最后修改日期:2024-04-29
  • 录用日期:
  • 在线发布日期: 2024-09-24
  • 出版日期:
文章二维码
您是第位访问者
版权所有:中国科学院软件研究所 京ICP备05046678号-3
地址:北京海淀区中关村南四街4号 中科院软件园区 7号楼305房间,邮政编码:100190
电话:010-62661041 传真: Email:csa (a) iscas.ac.cn
技术支持:北京勤云科技发展有限公司

京公网安备 11040202500063号