Systems and methods for evaluating application trustworthiness

US 8,869,284 B1
Filed: 10/04/2012
Issued: 10/21/2014
Est. Priority Date: 10/04/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for evaluating application trustworthiness, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

identifying an application subject to a security assessment;

identifying a secondary identifier used by the application to validate the application to a legitimate third-party service to which the application is configured to send a request during execution;

querying a secondary identity database with the secondary identifier for information about the secondary identifier;

determining whether the application is malicious based at least in part on the information about the secondary identifier.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for evaluating application trustworthiness may include 1) identify an application subject to a security assessment, 2) identify a secondary identifier used by the application to identify the application to a third-party service to which the application is configured to send a request during execution, 3) query a secondary identity database with the secondary identifier for information about the secondary identifier, and 4) determine whether the application is malicious based at least in part on the information about the secondary identifier. Various other methods, systems, and computer-readable media are also disclosed.

10 Citations

View as Search Results

20 Claims

1. A computer-implemented method for evaluating application trustworthiness, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying an application subject to a security assessment;
  
  identifying a secondary identifier used by the application to validate the application to a legitimate third-party service to which the application is configured to send a request during execution;
  
  querying a secondary identity database with the secondary identifier for information about the secondary identifier;
  
  determining whether the application is malicious based at least in part on the information about the secondary identifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, wherein determining whether the application is malicious comprises:
    - determining, based on the information about the secondary identifier, that the secondary identifier has been associated with at least one malicious application;
      
      determining, at least in part based on the secondary identifier having been associated with the malicious application, that the application subject to the security assessment also is malicious.
  - 3. The computer-implemented method of claim 1, wherein determining whether the application is malicious comprises:
    - determining that a digitally-signed certificate used as a primary identifier for the application does not match the application;
      
      determining, based at least in part on the digitally-signed certificate not matching the application, that the application is a potentially repackaged application;
      
      using the secondary identifier to identify an originally packaged and trusted version of the application;
      
      comparing the originally packaged and trusted version of the application with the potentially repackaged application to determine that the application is not malicious.
  - 4. The computer-implemented method of claim 1, wherein identifying the secondary identifier comprises at least one of:
    - parsing a manifest of the application for the secondary identifier;
      
      performing a static analysis of the application to identify the secondary identifier;
      
      intercepting a communication from the application to the third-party service to identify the secondary identifier.
  - 5. The computer-implemented method of claim 1, wherein the secondary identifier comprises at least one of:
    - a publisher identifier for an advertisement network;
      
      an application identifier for a third-party library.
  - 6. The computer-implemented method of claim 1, wherein identifying the secondary identifier is in response to checking a digitally-signed primary identifier of the application but failing to recognize the digitally-signed primary identifier of the application as valid.
  - 7. The computer-implemented method of claim 1, further comprising performing a remediation action on the application in response to determining that the application is malicious.
  - 8. The computer-implemented method of claim 7, further comprising:
    - identifying an additional secondary identifier used by the application;
      
      submitting the additional secondary identifier to the secondary identity database as being associated with a malicious application in response to determining that the application is malicious and identifying the additional secondary identifier used by the application.

9. A system for evaluating application trustworthiness, the system comprising:
- an identification module programmed to identify an application subject to a security assessment;
  
  an analysis module programmed to identify a secondary identifier used by the application to validate the application to a legitimate third-party service to which the application is configured to send a request during execution;
  
  a querying module programmed to query a secondary identity database with the secondary identifier for information about the secondary identifier;
  
  a determination module programmed to determine whether the application is malicious based at least in part on the information about the secondary identifier;
  
  at least one processor configured to execute the identification module, the analysis module, the querying module, and the determination module.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the determination module is programmed to determine whether the application is malicious by:
    - determining, based on the information about the secondary identifier, that the secondary identifier has been associated with at least one malicious application;
      
      determining, at least in part based on the secondary identifier having been associated with the malicious application, that the application subject to the security assessment also is malicious.
  - 11. The system of claim 9, wherein the determination module is programmed to determine whether the application is malicious by:
    - determining that a digitally-signed certificate used as a primary identifier for the application does not match the application;
      
      determining, based at least in part on the digitally-signed certificate not matching the application, that the application is a potentially repackaged application;
      
      using the secondary identifier to identify an originally packaged and trusted version of the application;
      
      comparing the originally packaged and trusted version of the application with the potentially repackaged application to determine that the application is not malicious.
  - 12. The system of claim 9, wherein the analysis module is programmed to identify the secondary identifier by at least one of:
    - parsing a manifest of the application for the secondary identifier;
      
      performing a static analysis of the application to identify the secondary identifier;
      
      intercepting a communication from the application to the third-party service to identify the secondary identifier.
  - 13. The system of claim 9, wherein the secondary identifier comprises at least one of:
    - a publisher identifier for an advertisement network;
      
      an application identifier for a third-party library.
  - 14. The system of claim 9, wherein the analysis module is programmed to identify the secondary identifier in response to checking a digitally-signed primary identifier of the application but failing to recognize the digitally-signed primary identifier of the application as valid.
  - 15. The system of claim 9, wherein the determination module is further programmed to perform a remediation action on the application in response to determining that the application is malicious.
  - 16. The system of claim 15, wherein the determination module is further programmed to:
    - identify an additional secondary identifier used by the application;
      
      submit the additional secondary identifier to the secondary identity database as being associated with a malicious application in response to determining that the application is malicious and identifying the additional secondary identifier used by the application.

17. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify an application subject to a security assessment;
  
  identify a secondary identifier used by the application to validate the application to a legitimate third-party service to which the application is configured to send a request during execution;
  
  query a secondary identity database with the secondary identifier for information about the secondary identifier;
  
  determine whether the application is malicious based at least in part on the information about the secondary identifier.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer-readable medium of claim 17, wherein the one or more computer-executable instructions cause the computing device to determine whether the application is malicious by causing the computing device to:
    - determine, based on the information about the secondary identifier, that the secondary identifier has been associated with at least one malicious application;
      
      determine, at least in part based on the secondary identifier having been associated with the malicious application, that the application subject to the security assessment also is malicious.
  - 19. The non-transitory computer-readable medium of claim 17, wherein the one or more computer-executable instructions cause the computing device to determine whether the application is malicious by causing the computing device to:
    - determine that a digitally-signed certificate used as a primary identifier for the application does not match the application;
      
      determine, based at least in part on the digitally-signed certificate not matching the application, that the application is a potentially repackaged application;
      
      use the secondary identifier to identify an originally packaged and trusted version of the application;
      
      compare the originally packaged and trusted version of the application with the potentially repackaged application to determine that the application is not malicious.
  - 20. The non-transitory computer-readable medium of claim 17, wherein the one or more computer-executable instructions cause the computing device to identify the secondary identifier by causing the computing device to at least one of:
    - parse a manifest of the application for the secondary identifier;
      
      perform a static analysis of the application to identify the secondary identifier;
      
      intercept a communication from the application to the third-party service to identify the secondary identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Mao, Jun
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
GUIRGUIS, MICHAEL M

Application Number

US13/645,307
Time in Patent Office

747 Days
Field of Search

726/24, 726/23
US Class Current

726/24
CPC Class Codes

G06F 21/563   by source code analysis

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

Systems and methods for evaluating application trustworthiness

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

10 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Systems and methods for evaluating application trustworthiness

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others