Analyzing security of applications
First Claim
1. A non-transitory computer-readable medium having a plurality of computer instructions executable by at least one computing device, wherein, upon execution, the plurality of computer instructions cause the at least one computing device to at least:
- identify an application in an application marketplace;
- perform an analysis of the application of a set of code fragments employed by the application and a set of device resources employed by the application;
- determine a resource consumption profile employed by the application;
- generate an application fingerprint based at least in part upon the analysis of the application, the application fingerprint comprising information about the code fragments, the set of device resources, and the resource consumption profile;
- identify a potentially malicious component of the application based at least in part upon a comparison of the application fingerprint with a plurality of other application fingerprints of a respective plurality of other applications in the application marketplace, wherein one of the plurality of other applications comprises a first application designated as a malicious application, another of the plurality of other applications comprises a second application designated as a non-malicious application;
- modify an application sandbox in which an application instance is executed to adjust a capability of the application to access a respective device resource from the set of device resources;
- generate a score based at least in part upon the application fingerprint, assigning a maliciousness designation to the application in response to the score exceeding a threshold;
- identify a related application in the application marketplace based at least in part on a comparison of the application fingerprint with the plurality of other application fingerprints of the respective plurality of other applications; and
- assign the related application the maliciousness designation in response to a determination that a respective application fingerprint of the related application indicates that the related application comprises the potentially malicious component.

(Dependent claims: 2, 3)
Abstract
In various embodiments, static, dynamic, and behavioral analyses may be performed on an application. A set of code fragments employed by the application may be determined. A set of device resources employed by the application may be determined. An application fingerprint is generated for the application, and potentially malicious components and/or behaviors are identified. The application fingerprint encodes identifiers for the set of code fragments and identifiers for the set of device resources.
131 Citations
23 Claims
4. A system, comprising:
- at least one computing device; and
- at least one service executable in the at least one computing device, wherein the at least one service, when executed, causes the at least one computing device to at least:
  - obtain an application fingerprint for an application in an application marketplace, the application fingerprint based at least in part upon a set of code fragments employed by the application, a set of device resources employed by the application, and a resource consumption profile;
  - identify a potentially malicious component of the application based at least in part upon the application fingerprint;
  - modify an application sandbox in which an application instance is executed to adjust a capability of the application to access a respective device resource from the set of device resources;
  - generate a score based at least in part upon the application fingerprint, assigning a maliciousness designation to the application in response to the score exceeding a threshold;
  - identify a related application in the application marketplace based at least in part on a comparison of the application fingerprint with a plurality of other application fingerprints of a respective plurality of other applications; and
  - assign the related application the maliciousness designation in response to a determination that a respective application fingerprint of the related application indicates that the related application comprises the potentially malicious component.

(Dependent claims: 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)

16. A method, comprising:
- identifying, by at least one computing device, an application in an application marketplace;
- obtaining, by the at least one computing device, an application fingerprint for the application, the application fingerprint based at least in part upon a static analysis of the application, a dynamic analysis of the application, and a behavioral analysis of usage of the application by a plurality of users of the application marketplace;
- determining, by the at least one computing device, that the application is a potentially malicious application based at least in part upon the application fingerprint;
- modifying, by the at least one computing device, an application sandbox in which an application instance is executed to adjust a capability of the application to access a respective device resource from a set of device resources;
- generating, by the at least one computing device, a score based at least in part upon the application fingerprint, assigning a maliciousness designation to the application in response to the score exceeding a threshold;
- identifying a related application in the application marketplace based at least in part on a comparison of the application fingerprint with a plurality of other application fingerprints of a respective plurality of other applications; and
- assigning the related application the maliciousness designation in response to a determination that a respective application fingerprint of the related application indicates that the related application comprises the potentially malicious component.

(Dependent claims: 17, 18, 19, 20, 21, 22, 23)
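The claims above describe one pipeline: build a fingerprint from code-fragment identifiers, device-resource identifiers and a resource consumption profile; compare it with fingerprints of applications already designated malicious or non-malicious; score it against a threshold; restrict the sandbox of a flagged application; and carry the designation over to related applications that contain the same potentially malicious component. The following Python is an added example written for this page, not code from the patent or its assignee. The identifier scheme (truncated SHA-256 of normalised source), the similarity weights, the threshold of 0.25, the reference fingerprints and the marketplace entries are all constructed for illustration; the patent fixes none of them.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Fingerprint:
    app_id: str
    code_fragments: frozenset    # identifiers of code fragments the app employs
    device_resources: frozenset  # identifiers of device resources the app employs
    consumption: dict            # resource consumption profile: resource -> fraction of budget (0..1)


def fragment_id(source: str) -> str:
    """Code-fragment identifier: truncated SHA-256 of whitespace-normalised source (assumed scheme)."""
    return hashlib.sha256(" ".join(source.split()).encode()).hexdigest()[:16]


def jaccard(a: frozenset, b: frozenset) -> float:
    return 1.0 if not (a or b) else len(a & b) / len(a | b)


def profile_similarity(p: dict, q: dict) -> float:
    """1 minus the mean absolute difference over resources present in either profile."""
    keys = set(p) | set(q)
    if not keys:
        return 1.0
    return 1.0 - sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in keys) / len(keys)


def similarity(a: Fingerprint, b: Fingerprint) -> float:
    """Weighted combination of the three fingerprint parts (weights are constructed)."""
    return (0.5 * jaccard(a.code_fragments, b.code_fragments)
            + 0.3 * jaccard(a.device_resources, b.device_resources)
            + 0.2 * profile_similarity(a.consumption, b.consumption))


def maliciousness_score(fp: Fingerprint, references) -> float:
    """references: list of (Fingerprint, is_malicious). Score = how much closer fp is to its
    nearest malicious reference than to its nearest benign one, clipped to [0, 1]."""
    mal = max((similarity(fp, r) for r, m in references if m), default=0.0)
    ben = max((similarity(fp, r) for r, m in references if not m), default=0.0)
    return max(0.0, min(1.0, mal - ben))


def suspicious_fragments(fp: Fingerprint, references) -> frozenset:
    """Fragments shared with a malicious reference and no benign one: the 'potentially malicious component'."""
    mal = frozenset().union(*(r.code_fragments for r, m in references if m))
    ben = frozenset().union(*(r.code_fragments for r, m in references if not m))
    return (fp.code_fragments & mal) - ben


def sandbox_denials(fp: Fingerprint, references) -> frozenset:
    """Resources to revoke in a flagged app's sandbox: ones it employs that only malicious references employ."""
    mal = frozenset().union(*(r.device_resources for r, m in references if m))
    ben = frozenset().union(*(r.device_resources for r, m in references if not m))
    return fp.device_resources & (mal - ben)


def analyze_marketplace(apps, references, threshold=0.25):
    """Score every app, designate those above the threshold, then propagate the designation
    to related apps whose fingerprints contain a flagged component."""
    verdicts, flagged = {}, set()
    for fp in apps:
        s = maliciousness_score(fp, references)
        hit = s > threshold
        verdicts[fp.app_id] = {"score": s, "malicious": hit, "via": "score" if hit else None,
                               "denied_resources": sandbox_denials(fp, references) if hit else frozenset()}
        if hit:
            flagged |= suspicious_fragments(fp, references)
    for fp in apps:  # related applications: low score, but they carry a flagged component
        v = verdicts[fp.app_id]
        if not v["malicious"] and fp.code_fragments & flagged:
            v.update(malicious=True, via="related", denied_resources=sandbox_denials(fp, references))
    return verdicts


# Constructed sample fragments, reference fingerprints and marketplace entries.
F_SMS = fragment_id("void subscribe() { sms.send(PREMIUM_NUMBER, 'SUB'); }")
F_EXFIL = fragment_id("void upload(Contacts c) { http.post(REMOTE, c.serialize()); }")
F_UI = fragment_id("void onDraw() { canvas.draw(); }")
F_ADS = fragment_id("void showAd() { adSdk.load(); }")
F_GAME = fragment_id("void tick() { world.step(); }")

REFERENCES = [  # (fingerprint, designated malicious?)
    (Fingerprint("known-malware", frozenset({F_SMS, F_EXFIL, F_UI}),
                 frozenset({"SMS", "NETWORK", "CONTACTS"}), {"network": 0.8, "battery": 0.6}), True),
    (Fingerprint("known-good", frozenset({F_UI, F_ADS}),
                 frozenset({"NETWORK", "LOCATION"}), {"network": 0.2, "battery": 0.1}), False),
]
MARKETPLACE = [
    Fingerprint("candidate", frozenset({F_SMS, F_EXFIL, F_UI, F_GAME}),
                frozenset({"SMS", "NETWORK", "CONTACTS", "LOCATION"}), {"network": 0.7, "battery": 0.5}),
    Fingerprint("related", frozenset({F_EXFIL, F_GAME, F_ADS}),
                frozenset({"NETWORK", "CONTACTS"}), {"network": 0.5, "battery": 0.3}),
    Fingerprint("clean", frozenset({F_UI, F_ADS, F_GAME}),
                frozenset({"NETWORK"}), {"network": 0.1, "battery": 0.1}),
]
VERDICTS = analyze_marketplace(MARKETPLACE, REFERENCES)

if __name__ == "__main__":
    for app_id, v in VERDICTS.items():
        print(app_id, round(v["score"], 3), v["malicious"], v["via"], sorted(v["denied_resources"]))
```

On the constructed data, "candidate" scores 0.42 and is designated by score; "related" scores only 0.065, below the threshold, yet receives the designation because its fingerprint contains the exfiltration fragment that was identified as the potentially malicious component of "candidate", which is exactly the last two steps of the claims. The sandbox step is modelled as revoking, for a designated application, the resources that only the malicious references employ (SMS and CONTACTS here), so the related application loses CONTACTS access while keeping NETWORK.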