Behavioral scanning of mobile applications

US 9,894,096 B1
Filed: 07/29/2014
Issued: 02/13/2018
Est. Priority Date: 04/25/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for determining a suitability of a mobile application for distribution in a mobile application marketplace, the method comprising:

receiving a mobile application for distribution in a mobile application marketplace;

performing a static analysis on the mobile application to identify a set of registered application permissions of the mobile application, and determine one or more events that simulate user interaction on the client device based on the identified registered application permissions;

selecting an emulated environment configured to execute the mobile application based on the identified registered application permissions;

executing the mobile application in the selected emulated environment, the emulated environment simulating a mobile device;

recording behaviors of the simulated mobile device in response to providing the one or more events to the mobile application;

classifying the mobile application as malicious or non-malicious based on the recorded behaviors; and

determining, based on the classification, whether to approve or reject the mobile application for distribution in the mobile application marketplace.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Behavioral analysis of a mobile application is performed to determine whether the application is malicious. During analysis, various user interactions are simulated in an emulated environment to activate many possible resulting behaviors of an application. The behaviors are classified as hard or soft signals. A probability of the application being malicious is determined through combining soft signals, and the application is classified as malicious or non-malicious. Users of the application, the developer of the application, or a distributor of the application are notified of the application classification to enable responsive action.

Citations

30 Claims

1. A computer-implemented method for determining a suitability of a mobile application for distribution in a mobile application marketplace, the method comprising:
- receiving a mobile application for distribution in a mobile application marketplace;
  
  performing a static analysis on the mobile application to identify a set of registered application permissions of the mobile application, and determine one or more events that simulate user interaction on the client device based on the identified registered application permissions;
  
  selecting an emulated environment configured to execute the mobile application based on the identified registered application permissions;
  
  executing the mobile application in the selected emulated environment, the emulated environment simulating a mobile device;
  
  recording behaviors of the simulated mobile device in response to providing the one or more events to the mobile application;
  
  classifying the mobile application as malicious or non-malicious based on the recorded behaviors; and
  
  determining, based on the classification, whether to approve or reject the mobile application for distribution in the mobile application marketplace.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein recording behaviors of the simulated mobile device comprises:
    - emulating one or more common user behaviors associated with the mobile application;
      
      varying one or more temporal qualities relating to the emulated user behaviors, including at least one of;
      
      the number of accesses of the mobile application,the duration of a particular session of accessing the mobile application; and
      
      inputting the emulated user behaviors into the mobile application within the emulated environment of the mobile device.
  - 3. The method of claim 2, wherein the emulated user behaviors are input independently to analyze a response of the mobile application to the emulated user behaviors.
  - 4. The method of claim 2, wherein the emulated user behaviors are input in combination to analyze a response of the mobile application to the emulated user behaviors.
  - 5. The method of claim 2, further comprising:
    - recording a response of the mobile application to the inputted emulated user behaviors;
      
      determining a second set of emulated user behaviors based on the response of the mobile application;
      
      inputting the second set of emulated user behaviors into the mobile application; and
      
      analyzing a second response of the mobile application to the second set of user behaviors.
  - 6. The method of claim 2, wherein the emulated user behaviors trigger the registered application permissions using at least one of the emulated user inputs.
  - 7. The method of claim 1, wherein the emulated environment comprises one or more unrelated mobile applications executing concurrently alongside the mobile application.
  - 8. The method of claim 7, further comprising:
    - analyzing an effect of the one or more unrelated mobile applications on the mobile application being tested, the effect comprising at least one of;
      
      a change in utilization of a processing resource of the emulated environment, anda change in utilization of a memory resource of the emulated environment.
  - 9. The method of claim 1, wherein the emulated environment comprises an emulated mobile operating system and applications installed on the emulated operating system.
  - 10. The method of claim 1, wherein performing the static analysis on the application comprises analyzing the application manifest.

11. A computer program product for determining a suitability of a mobile application for distribution in a mobile application marketplace, the computer program product comprising a non-transitory computer-readable storage medium containing computer program instructions for:
- receiving a mobile application for distribution in a mobile application marketplace;
  
  performing a static analysis on the mobile application to identify a set of registered application permissions of the mobile application, and determine one or more events that simulate user interaction on the client device based on the identified registered application permissions;
  
  selecting an emulated environment configured to execute the mobile application based on the identified registered application permissions;
  
  executing the mobile application in the selected emulated environment, the emulated environment simulating a mobile device;
  
  recording behaviors of the simulated mobile device in response to providing one or more events to the mobile application;
  
  classifying the mobile application as malicious or non-malicious based on the recorded behaviors; and
  
  determining, based on the classification, whether to approve or reject the mobile application for distribution in the mobile application marketplace.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The computer program product of claim 11, wherein recording behaviors of the simulated mobile device comprises:
    - emulating one or more common user behaviors associated with the mobile application;
      
      varying one or more temporal qualities relating to the emulated user behaviors, including at least one of;
      
      the number of accesses of the mobile application,the duration of a particular session of accessing the mobile application; and
      
      inputting the emulated user behaviors into the mobile application within the emulated environment of the mobile device.
  - 13. The computer program product of claim 12, wherein the emulated user behaviors are input independently to analyze a response of the mobile application to the emulated user behaviors.
  - 14. The computer program product of claim 13, wherein the emulated environment comprises an emulated mobile operating system and applications installed on the emulated operating system.
  - 15. The computer program product of claim 12, wherein the emulated user behaviors are input in combination to analyze a response of the mobile application to the emulated user behaviors.
  - 16. The computer program product of claim 12, further comprising:
    - recording a response of the mobile application to the inputted emulated user behaviors;
      
      determining a second set of emulated user behaviors based on the response of the mobile application;
      
      inputting the second set of emulated user behaviors into the mobile application; and
      
      analyzing a second response of the mobile application to the second set of user behaviors.
  - 17. The computer program product of claim 11, wherein the emulated environment comprises one or more unrelated mobile applications executing concurrently alongside the mobile application being tested within the emulated environment.
  - 18. The computer program product of claim 17, further comprising:
    - analyzing an effect of the one or more unrelated mobile applications on the mobile application being tested, the effect comprising at least one of;
      
      a change in utilization of a processing resource of the emulated environment, anda change in utilization of a memory resource of the emulated environment.
  - 19. The computer program product of claim 11, wherein performing the static analysis on the application comprises analyzing the application manifest.
  - 20. The computer program product of claim 11, wherein the emulated user behaviors trigger the registered application permissions using at least one of the emulated user inputs.

21. A system comprising:
- a computer processor; and
  
  a non-transitory computer-readable storage medium containing computer program instructions executed by the computer processor for;
  
  receiving a mobile application for distribution in a mobile application marketplace;
  
  performing a static analysis on the mobile application to identify a set of registered application permissions of the mobile application, and determine one or more events that simulate user interaction on the client device based on the identified registered application permissions;
  
  selecting an emulated environment configured to execute the mobile application based on the identified registered application permissions;
  
  executing the mobile application in the selected emulated environment, the emulated environment simulating a mobile device;
  
  recording behaviors of the simulated mobile device in response to providing one or more emulated inputs to the mobile application;
  
  classifying the mobile application as malicious or non-malicious based on the recorded behaviors; and
  
  determining, based on the classification, whether to approve or reject the mobile application for distribution in the mobile application marketplace.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The system of claim 21, wherein recording behaviors of the simulated mobile device comprises:
    - emulating one or more common user behaviors associated with the mobile application;
      
      varying one or more temporal qualities relating to the emulated user behaviors, including at least one of;
      
      the number of accesses of the mobile application,the duration of a particular session of accessing the mobile application; and
      
      inputting the emulated user behaviors into the mobile application within the emulated environment of the mobile device.
  - 23. The system of claim 22, wherein the emulated user behaviors are input independently to analyze a response of the mobile application to the emulated user behaviors.
  - 24. The system of claim 22, wherein the emulated user behaviors are input in combination to analyze a response of the mobile application to the emulated user behaviors.
  - 25. The system of claim 22, further comprising:
    - recording a response of the mobile application to the inputted emulated user behaviors;
      
      determining a second set of emulated user behaviors based on the response of the mobile application;
      
      inputting the second set of emulated user behaviors into the mobile application; and
      
      analyzing a second response of the mobile application to the second set of user behaviors.
  - 26. The system of claim 22, wherein performing the static analysis on the application comprises analyzing the application manifest.
  - 27. The system of claim 22, wherein the emulated user behaviors trigger the registered application permissions using at least one of the emulated user inputs.
  - 28. The system of claim 21, wherein the emulated environment comprises one or more unrelated mobile applications executing concurrently alongside the mobile application.
  - 29. The system of claim 28, further comprising:
    - analyzing an effect of the one or more unrelated mobile applications on the mobile application being tested, the effect comprising at least one of;
      
      a change in utilization of a processing resource of the emulated environment, anda change in utilization of a memory resource of the emulated environment.
  - 30. The system of claim 21, wherein the emulated environment comprises an emulated mobile operating system and applications installed on the emulated operating system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Twitter Inc (X Holdings Corp.)
Original Assignee
Twitter Inc (X Holdings Corp.)
Inventors
Daswani, Neilkumar Murli, Ranadive, Ameet, Rizvi, Shariq, Gagnon, Michael, Demir, Tufan, Eisenhaur, Gerald E.
Primary Examiner(s)
Moorthy, Aravind K

Application Number

US14/445,806
Time in Patent Office

1,295 Days
Field of Search

726 23, 726 25, 713161, 713165, 713168, 713187, 713188
US Class Current
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

G06F 3/005   Input arrangements through ...

G06F 3/017   Gesture based interaction, ...

G06F 3/0304   Detection arrangements usin...

G06V 40/11   Hand-related biometrics; Ha...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04M 1/72403   with means for local suppor...

Behavioral scanning of mobile applications

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Behavioral scanning of mobile applications

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links