小程序敏感数据收集行为检测  

作　　者：花楠 杨哲慜 HUA Nan;YANG Zhe-Min(School of Computer Science,Fudan University,Shanghai 200433,China)

机构地区：[1]复旦大学计算机科学技术学院,上海200433

出　　处：《计算机系统应用》2024年第11期224-236,共13页Computer Systems & Applications

基　　金：工信部专项(TC220H079)。

摘　　要：小程序近年来被广泛应用,因承载了大量的敏感用户数据而引发了广泛的隐私安全担忧.现有的面向传统移动应用的隐私安全分析方法无法直接应用于小程序中.一方面,现有方法难以有效分析小程序闭源框架行为带来的隐私流转以及JavaScript闭包特性带来的跨作用域隐私流转,造成分析结果的缺失.另一方面,小程序动态加载子包的机制导致不完整的分析范围,进一步造成分析结果的缺失.为此本文提出了动静态混合的小程序隐私收集行为分析方法.首先,该方法为小程序中的不同单元边界构建了基于控制流或数据依赖关系的数据传播路径,即小程序隐私传播流图.进一步地,该方法通过学习并迁移传统移动应用端界面设计知识,并利用UI事件与页面转换行为之间的控制流关联作为指引,有效地对小程序界面进行探索,从而触发子包加载过程.相应的子包代码经分析后与已有分析结果融合,形成更为全面的小程序隐私传播流图.本文基于小程序隐私传播流图实现了对小程序内敏感数据的追踪.本文基于上述方法实现了小程序隐私收集行为分析工具MiniSafe.评估结果表明, MiniSafe在精确率与召回率上分别达到了90.4%与87.4%,均优于现有工作.同时, MiniSafe平均在每个小程序中检测出7项敏感数据收集行为,通过考虑小程序子包中的敏感数据收集行为使整体检测效果提升了42.9%,具有较好的检测效果与实际可用性.Mini-programs have been widely used in recent years,causing widespread privacy and security concerns for carrying a large amount of sensitive user data.Existing privacy and security analysis techniques for traditional mobile applications cannot be directly applied to mini-programs.On the one hand,it is difficult for existing methods to effectively analyze the privacy transfer caused by the closed-source mini-program framework and the cross-scope privacy transfer caused by the JavaScript closures,resulting in a lack of analysis results.On the other hand,the mechanism of dynamic sub-package loading leads to incomplete analysis scope,further resulting in a lack of analysis results.This study proposes a hybrid dynamic/static method for analyzing the privacy collection behaviors in mini-programs.First,this method constructs a data propagation path based on either control flow or data dependency for different unit boundaries in the mini-programs,namely the mini-program privacy propagation flow graph.Furthermore,this method effectively explores the mini-program UI by learning and transferring traditional mobile application UI design knowledge,and using the control flow association between UI events and page transition information as a guide,thereby triggering the sub-package loading process.The corresponding sub-package code is analyzed and integrated with existing analysis results to form a more comprehensive mini-program privacy propagation flow graph.This study implements the tracking of sensitive data in mini-programs through the privacy propagation flow graph.Based on the above method,this study implements MiniSafe,a privacy collection behavior analysis tool for mini-programs.The evaluation results show that MiniSafe achieves 90.4%and 87.4%in precision and recall respectively,both of which outperform existing work.MiniSafe detects an average of 7 sensitive data collection behaviors in each mini-program.By considering sensitive data collection behaviors in mini-program sub-packages,the overall detection number has i

关 键 词：小程序 敏感数据收集 数据流分析 小程序隐私传播流图 UI自动化探索 

分 类 号：TP309[自动化与计算机技术—计算机系统结构]