Analyzing security of applications

US 9,652,617 B1
Filed: 06/25/2013
Issued: 05/16/2017
Est. Priority Date: 06/25/2013
Status: Expired due to Fees

First Claim

Patent Images

1. A non-transitory computer-readable medium having a plurality of computer instructions executable by at least one computing device, wherein, upon execution, the plurality of computer instructions cause the at least one computing device to at least:

identify an application in an application marketplace;

perform an analysis of the application of a set of code fragments employed by the application and a set of device resources employed by the application;

determine a resource consumption profile employed by the application;

generate an application fingerprint based at least in part upon the analysis of the application, the application fingerprint comprising information about the code fragments, the set of device resources, and the resource consumption profile;

identify a potentially malicious component of the application based at least in part upon a comparison of the application fingerprint with a plurality of other application fingerprints of a respective plurality of other applications in the application marketplace, wherein one of the plurality of other applications comprises a first application designated as a malicious application, another of the plurality of other applications comprises a second application designated as a non-malicious application;

modify an application sandbox in which an application instance is executed to adjust a capability of the application to access a respective device resource from the set of device resources;

generate a score based at least in part upon the application fingerprint, assigning a maliciousness designation to the application in response to the score exceeding a threshold;

identify a related application in the application marketplace based at least in part on a comparison of the application fingerprint with the plurality of other application fingerprints of the respective plurality of other applications; and

assign the related application the maliciousness designation in response to a determination that a respective application fingerprint of the related application indicates that the related application comprises the potentially malicious component.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In various embodiments, static, dynamic, and behavioral analyses may be performed on an application. A set of code fragments employed by the application may be determined. A set of device resources employed by the application may be determined. An application fingerprint is generated for the application and potentially malicious component and/or behaviors are identified. The application fingerprint encodes identifiers for the set of code fragments and identifiers for the set of device resources.

131 Citations

23 Claims

1. A non-transitory computer-readable medium having a plurality of computer instructions executable by at least one computing device, wherein, upon execution, the plurality of computer instructions cause the at least one computing device to at least:
- identify an application in an application marketplace;
  
  perform an analysis of the application of a set of code fragments employed by the application and a set of device resources employed by the application;
  
  determine a resource consumption profile employed by the application;
  
  generate an application fingerprint based at least in part upon the analysis of the application, the application fingerprint comprising information about the code fragments, the set of device resources, and the resource consumption profile;
  
  identify a potentially malicious component of the application based at least in part upon a comparison of the application fingerprint with a plurality of other application fingerprints of a respective plurality of other applications in the application marketplace, wherein one of the plurality of other applications comprises a first application designated as a malicious application, another of the plurality of other applications comprises a second application designated as a non-malicious application;
  
  modify an application sandbox in which an application instance is executed to adjust a capability of the application to access a respective device resource from the set of device resources;
  
  generate a score based at least in part upon the application fingerprint, assigning a maliciousness designation to the application in response to the score exceeding a threshold;
  
  identify a related application in the application marketplace based at least in part on a comparison of the application fingerprint with the plurality of other application fingerprints of the respective plurality of other applications; and
  
  assign the related application the maliciousness designation in response to a determination that a respective application fingerprint of the related application indicates that the related application comprises the potentially malicious component.
- View Dependent Claims (2, 3)
- - 2. The non-transitory computer-readable medium of claim 1, wherein the plurality of computer instructions further cause the at least one computing device to update a malicious component recognition data model in response to receiving a manual confirmation of identification of the malicious component of the application, wherein identifying the potentially malicious component is further configured to identify the potentially malicious component based at least in part on the malicious component recognition data model.
  - 3. The non-transitory computer-readable medium of claim 1, wherein identifying the potentially malicious component is further based at least in part upon identifying the potentially malicious component when one of the set of code fragments employed by the application is associated with a known malicious behavior.

4. A system, comprising:
- at least one computing device; and
  
  at least one service executable in the at least one computing device, wherein the at least one service, when executed, causes the at least one computing device to at least;
  
  obtain an application fingerprint for an application in an application marketplace, the application fingerprint based at least in part upon a set of code fragments employed by the application, a set of device resources employed by the application, and a resource consumption profile;
  
  identify a potentially malicious component of the application based at least in part upon the application fingerprint;
  
  modify an application sandbox in which an application instance is executed to adjust a capability of the application to access a respective device resource from the set of device resources;
  
  generate a score based at least in part upon the application fingerprint, assigning a maliciousness designation to the application in response to the score exceeding a threshold;
  
  identify a related application in the application marketplace based at least in part on a comparison of the application fingerprint with a plurality of other application fingerprints of a respective plurality of other applications; and
  
  assign the related application the maliciousness designation in response to a determination that a respective application fingerprint of the related application indicates that the related application comprises the potentially malicious component.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 5. The system of claim 4, wherein identifying the potentially malicious component of the application is further based at least in part upon a comparison of the application fingerprint with the plurality of other application fingerprints of the respective plurality of other applications in the application marketplace, and one of the plurality of other applications comprises a first application designated as a potentially malicious application and another of the plurality of other applications comprises a second application designated as a non-malicious application.
  - 6. The system of claim 4, wherein identifying the potentially malicious component of the application identifies the potentially malicious component based at least in part upon at least one of:
    - a representation within the application fingerprint of a symbol table of an application binary corresponding to the application, an indication within the application fingerprint that a code fragment associated with the application comprises an obfuscated symbol table, an indication within the application fingerprint that a code fragment associated with the application comprises a packed symbol table corresponding to the application that comprises a stripped binary, or an indication within the application fingerprint that the application binary corresponding to the application comprises a stripped binary.
  - 7. The system of claim 4, wherein identifying the potentially malicious component of the application identifies the potentially malicious component when the application fingerprint indicates that at least one of the set of code fragments corresponds to a known malicious code fragment.
  - 8. The system of claim 4, wherein identifying the potentially malicious component of the application identifies the potentially malicious component when the application fingerprint indicates that the resource consumption profile indicates an anomalous access of a device resource.
  - 9. The system of claim 8, wherein the anomalous access of the device resource comprises an access of more than a threshold percentage of data stored on a mobile device designated as personal information.
  - 10. The system of claim 4, wherein identifying the potentially malicious component of the application identifies the potentially malicious component when the application fingerprint indicates that an application binary corresponding to the application comprises a stripped binary, wherein the stripped binary lacks debugging information associated with the application.
  - 11. The system of claim 4, wherein the at least one service further causes the at least one computing device to alter the application to mitigate a malicious behavior associated with the malicious component of the application by disabling data access for the malicious component.
  - 12. The system of claim 4, wherein identifying the potentially malicious component of the application identifies the potentially malicious component when the application fingerprint indicates that a domain name system (DNS) name embedded within an application binary corresponding to the application comprises a known malicious DNS name.
  - 13. The system of claim 12, wherein the at least one service further causes the at least one computing device to generate a patch associated with the malicious component, the patch being configured to replace the known malicious DNS name embedded within the application binary.
  - 14. The system of claim 4, wherein identifying the potentially malicious component of the application identifies the potentially malicious component when the application fingerprint indicates a variance between network activity exhibited by the application and user activity associated with the application fingerprint exceeds a threshold.
  - 15. The system of claim 4, wherein the score comprises a confidence score associated with a degree of maliciousness of the application.

16. A method, comprising:
- identifying, by at least one computing device, an application in an application marketplace;
  
  obtaining, by the at least one computing device, an application fingerprint for the application, the application fingerprint based at least in part upon a static analysis of the application, a dynamic analysis of the application, and a behavioral analysis of usage of the application by a plurality of users of the application marketplace;
  
  determining, by the at least one computing device, that the application is a potentially malicious application based at least in part upon the application fingerprint;
  
  modifying, by the at least one computing device, an application sandbox in which an application instance is executed to adjust a capability of the application to access a respective device resource from a set of device resources;
  
  generating, by the at least one computing device, a score based at least in part upon the application fingerprint, assigning a maliciousness designation to the application in response to the score exceeding a threshold;
  
  identifying a related application in the application marketplace based at least in part on a comparison of the application fingerprint with a plurality of other application fingerprints of a respective plurality of other applications; and
  
  assigning the related application the maliciousness designation in response to a determination that a respective application fingerprint of the related application indicates that the related application comprises the potentially malicious component.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The method of claim 16, further comprising certifying, by the at least one computing device, that the application is a non-malicious application based at least in part upon the application fingerprint by determining that an application binary associated with the application was generated according to a plurality of predetermined practices.
  - 18. The method of claim 17, wherein determining that the application binary associated with the application was generated according to a plurality of predetermined practices further comprises analyzing the application binary to determine whether the application binary was generated using an approved build tool.
  - 19. The method of claim 17, wherein determining that the application binary associated with the application was generated according to a plurality of predetermined practices further comprises determining that the application binary comprises a binary including information aiding in at least one of an analysis or a debugging of the application binary.
  - 20. The method of claim 16, wherein the application fingerprint comprises a first application fingerprint, and wherein determining whether the application is a malicious application further comprises determining, by the at least one computing device, a degree of variance between the first application fingerprint associated with a first application binary associated with the application and a second application fingerprint associated with a second application binary, the second application fingerprint being based at least in part upon a static analysis of the second application binary.
  - 21. The method of claim 20, wherein the first application binary comprises a first version of the application and the second application binary comprises an updated version of the application.
  - 22. The method of claim 21, wherein determining whether the application is a malicious application further comprises:
    - comparing, by the at least one computing device, the updated version of the application with a set of release notes associated with the updated version, the set of release notes comprising a description using a plurality of text characters to describe changes made from a prior version of the application; and
      
      designating, by the at least one computing device, the application as a malicious application when the degree of variance between the updated version and the set of release notes exceeds a predetermined threshold.
  - 23. The method of claim 16, wherein determining, by the at least one computing device, that the application is a potentially malicious application based at least in part upon the application fingerprint further comprises determining an indication within the application fingerprint that a code fragment associated with the application comprises an obfuscated symbol table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Brandwine, Eric Jason, Evans, Ethan Zane, Markley, David Allen
Primary Examiner(s)
Gelagay, Shewaye
Assistant Examiner(s)
Nguyen, Trong

Application Number

US13/926,211
Time in Patent Office

1,421 Days
Field of Search

726 22- 25
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/57   Certifying or maintaining t...

G06F 21/6245   Protecting personal data, e...

Analyzing security of applications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

131 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Analyzing security of applications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

131 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links