CN105843653A - TA (trusted application) configuration method and device - Google Patents

Info

Publication number: CN105843653A
Authority: CN (China)
Prior art keywords: safety applications, application, untrusted, safety, execution environment
Legal status: Granted; Active
Application number: CN201610225472.6A
Other languages: Chinese (zh)
Other versions: CN105843653B (en)
Inventor: 张志华
Current Assignee: Jiangsu Hengbao Intelligent System Technology Co Ltd
Original Assignee: Hengbao Co Ltd
Application filed by Hengbao Co Ltd
Priority to CN201610225472.6A
Publication of CN105843653A
Application granted
Publication of CN105843653B

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00: Arrangements for software engineering
    • G06F8/60: Software deployment
    • G06F8/61: Installation
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00: Arrangements for software engineering
    • G06F8/60: Software deployment
    • G06F8/65: Updates

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Stored Programmes (AREA)

Abstract

The invention provides a TA (trusted application) configuration method and device. The method comprises the following steps: in a deployment stage, a TA is deployed in a TEE (trusted execution environment); in a use stage, access control is performed on the TA; in an update stage, the TA is updated through a trusted service management system. Deploying the TA in the TEE has the following options: the TA is preset in a mobile phone; the TA is installed on the mobile phone by bundling it with an untrusted application; the TA is placed in the trusted service management system and installed on the mobile phone through interaction between the trusted service management system and the mobile phone. With this TA configuration method and device, security protection measures are taken at each stage, and a more trusted secure interaction service is provided for a CA (client application) in an REE (rich execution environment).

Description

A trusted application configuration method and device
Technical Field
This application relates to the field of communication technology, and in particular to a trusted application configuration method and device.
Background
The development of mobile communication technology has driven rapid development of mobile terminal technology. Traditional feature-phone terminals built around a baseband processor can no longer meet people's increasingly rich mobile service needs. Mobile smart terminals, which have an open high-level operating system, can install mobile applications developed by third parties, can access wireless networks through the mobile network, and have powerful processing capability and more storage space, have become the development trend for mobile terminals. Unlike a traditional feature phone, a mobile smart terminal is no longer a simple voice-call tool: it combines the mobility and telecommunication service functions of an ordinary handset with the processing capability and network functions of a PC (Personal Computer), merging telecommunication services and network services in one device. The spread of mobile smart terminals brings great convenience, and also great security risks.
Mobile smart terminals have evolved into open software platforms on which various third-party applications can be downloaded from the mobile Internet and installed. Meanwhile, the demand for handling critical services on mobile smart terminals grows daily. From multimedia services to functions such as remote mobile payment and bank account management, these trends make mobile smart terminals a target for malware, trojans and other viruses. Because current mobile smart terminals lack an integrity protection mechanism, their software and hardware are easily attacked and tampered with, and the security vulnerabilities in the operating system and third-party software make the security threats to mobile smart terminals more serious than those facing PC terminals.
Common mobile operating systems such as Android and iOS belong to the REE (untrusted execution environment), a non-secure environment, and the applications installed on them are non-secure applications. Corresponding to the REE is the TEE (trusted execution environment), an isolated execution environment that runs in parallel with the REE and is isolated from it. The TEE provides security services to the REE through TAs (trusted applications), and the REE accesses a TA through a CA (client application).
Traditional application software deployment in the non-secure REE falls into two kinds. In the first, the software is preset in the smart device by the device manufacturer, such as application software customized by a mobile operator. In the second, the software is published by the application developer in an application market or on an official website for users to download and install themselves.
Summary of the Invention
The problem is that neither deployment mode requires special access rights or additional security authentication measures. Both rely only on software-level protection on the mobile operating system (such as antivirus software or security guard applications), so the level of security protection is low. The download or update process is easily forged and tampered with, and cannot meet users' needs for sensitive data and for services with a high security level.
To solve the above problems, this application provides a trusted application (TA) configuration method and device.
This application proposes a TA configuration method, comprising:
In the deployment stage, deploying the TA in the trusted execution environment (TEE);
In the use stage, performing access control on the TA;
In the update stage, updating the TA through the trusted service management system;
Wherein deploying the TA in the TEE comprises:
Presetting the TA on the mobile phone; installing the TA on the mobile phone by bundling it with an untrusted application; placing the TA in the trusted service management system and installing it on the mobile phone through interaction between the trusted service management system and the mobile phone.
Preferably, performing access control on the TA comprises:
When a client application sends a TA access request, the TA checks the current untrusted execution environment to determine whether a risk exists;
The TA sends an identity authentication request to the client application to determine whether the client application is secure;
The TA and the client application establish a secure channel and communicate over it.
Preferably, the deployment mode in which the TA is preset on the mobile phone comprises:
Presetting the TA in the TEE, and presetting the client application in the untrusted execution environment;
Creating a TEE access module and deploying it in the untrusted execution environment;
Writing a client application behavior script and storing it in the client application;
Starting the client application to access the TEE;
The client application reads the client application behavior script and sends the access behavior to the TEE access module;
The TEE access module loads the TA in the TEE according to the client application behavior script.
Preferably, the deployment mode in which the TA is installed on the mobile phone by bundling it with an untrusted application comprises:
Bundling the TA with the untrusted application;
Installing or upgrading the untrusted application in the untrusted execution environment;
Running the untrusted application in the untrusted execution environment;
The untrusted application copies the bundled TA file to the designated directory of the TEE;
Loading the TA in the TEE.
Preferably, the deployment mode in which the TA is placed in the trusted service management system and installed on the mobile phone through interaction between the trusted service management system and the mobile phone comprises:
Step S1: installing or upgrading the untrusted application in the untrusted execution environment;
Step S2: running the untrusted application in the untrusted execution environment;
Step S3: the untrusted application judges whether the client has a TA installation file; if not, continue; if so, go to step S5;
Step S4: the system connects to the trusted service management system and obtains the TA installation package;
Step S5: the system opens the TA installation package and obtains the TA file;
Step S6: the system copies the TA file to the client;
Step S7: the system judges whether a TA file exists in the TEE; if so, continue; if not, go to step S3;
Step S8: the system copies the TA file to the designated directory of the TEE;
Step S9: the system loads the TA in the TEE.
Preferably, updating the TA through the trusted service management system comprises:
Running the untrusted application in the untrusted execution environment;
The untrusted application, together with the client application, obtains the version information of the TA through the secure channel;
The untrusted application connects to the trusted service management system and obtains the version information of the TA installation package;
The untrusted application compares the version information of the TA with that of the TA installation package; if they are the same, the method exits; otherwise it continues;
Obtaining the TA installation package from the trusted service management system;
Opening the TA installation package to obtain the TA file;
Copying the TA file to the designated directory of the client's TEE;
Deleting the original TA file;
Loading the TA in the TEE.
This application also proposes a TA configuration device, comprising:
A deployment module, for deploying the TA in the TEE in the deployment stage;
Wherein the deployment module comprises:
A preset deployment component, for presetting the TA on the mobile phone;
A bundled deployment component, for installing the TA on the mobile phone by bundling it with an untrusted application;
A remote deployment component, for placing the TA in the trusted service management system and installing it on the mobile phone through interaction between the trusted service management system and the mobile phone.
An access control module, for performing access control on the TA in the use stage;
A security update module, for updating the TA through the trusted service management system in the update stage.
Preferably, the access control module comprises:
A risk monitoring module, for the TA to check the current untrusted execution environment when a client application sends a TA access request, and determine whether a risk exists;
An authentication module, for the TA to send an identity authentication request to the client application and determine whether the client application is secure;
A secure communication module, for the TA and the client application to establish a secure channel and communicate over it.
Preferably, the preset deployment component comprises:
An application preset unit, for presetting the TA in the TEE and presetting the client application in the untrusted execution environment;
A module creation unit, for creating a TEE access module and deploying it in the untrusted execution environment;
A script writing unit, for writing a client application behavior script and storing it in the client application;
A communication unit, for starting the client application to access the TEE;
A data transmission unit, for the client application to read the client application behavior script and send the access behavior to the TEE access module;
A first application loading unit, for the TEE access module to load the TA in the TEE according to the client application behavior script.
Preferably, the bundled deployment component comprises:
An application bundling unit, for bundling the TA with the untrusted application;
A first execution operating unit, for installing or upgrading the untrusted application in the untrusted execution environment;
A first application running unit, for running the untrusted application in the untrusted execution environment;
A first file transmission unit, for the untrusted application to copy the bundled TA file to the designated directory of the TEE;
A second application loading unit, for loading the TA in the TEE.
Preferably, the remote deployment component comprises:
A second execution operating unit, for installing or upgrading the untrusted application in the untrusted execution environment;
A second application running unit, for running the untrusted application in the untrusted execution environment;
A first file judging unit, for the untrusted application to judge whether the client has a TA installation file;
A first installation package acquiring unit, for connecting to the trusted service management system and obtaining the TA installation package;
A first installation package execution unit, for opening the TA installation package and obtaining the TA file;
A file storage unit, for copying the TA file to the client;
A second file judging unit, for judging whether a TA file exists in the TEE;
A second file transmission unit, for copying the TA file to the designated directory of the TEE;
A third application loading unit, for loading the TA in the TEE.
Preferably, the security update module comprises:
A third application running unit, for running the untrusted application in the untrusted execution environment;
An application information acquiring unit, for the untrusted application, together with the client application, to obtain the version information of the TA through the secure channel;
An installation package information acquiring unit, for the untrusted application to connect to the trusted service management system and obtain the version information of the TA installation package;
An information comparing unit, for the untrusted application to compare the version information of the TA with that of the TA installation package;
A second installation package acquiring unit, for obtaining the TA installation package from the trusted service management system;
A second installation package execution unit, for opening the TA installation package and obtaining the TA file;
A third file transmission unit, for copying the TA file to the designated directory of the client's TEE;
An application deleting unit, for deleting the original TA file;
A fourth application loading unit, for loading the TA in the TEE.
The TA configuration method and device proposed above achieve the following technical effect:
By applying security protection measures to the TA at every stage, the TA configuration method and device proposed by this application provide a more trusted secure interaction service to the CA in the REE.
Brief Description of the Drawings
To explain the technical solutions of the embodiments of this application or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some of the embodiments described in this application, and a person of ordinary skill in the art can obtain other drawings from them.
Fig. 1 is a structural diagram of the TA configuration device of this application;
Fig. 2 is a structural diagram of the deployment module of this application;
Fig. 3 is a structural diagram of the access control module of this application;
Fig. 4 is a structural diagram of the security update module of this application;
Fig. 5 is a structural diagram of the preset deployment component of this application;
Fig. 6 is a structural diagram of the bundled deployment component of this application;
Fig. 7 is a structural diagram of the remote deployment component of this application;
Fig. 8 is a flowchart of the TA configuration method of this application;
Fig. 9 is a flowchart of deploying the TA in the TEE in the deployment stage;
Fig. 10 is a flowchart of performing access control on the TA in the use stage;
Fig. 11 is a flowchart of presetting the TA on the mobile phone;
Fig. 12 is a flowchart of installing the TA on the mobile phone by bundling it with an untrusted application;
Fig. 13 is a flowchart of placing the TA in the trusted service management system and installing it on the mobile phone through interaction between the trusted service management system and the mobile phone;
Fig. 14 is a flowchart of updating the TA through the trusted service management system in the update stage.
Detailed Description
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings in the embodiments.
This application proposes a TA configuration device which, as shown in Fig. 1, comprises:
A deployment module 1, for deploying the TA in the TEE in the deployment stage;
Wherein the deployment module 1, as shown in Fig. 2, comprises:
A preset deployment component 11, for presetting the TA on the mobile phone; a bundled deployment component 12, for installing the TA on the mobile phone by bundling it with an untrusted application; a remote deployment component 13, for placing the TA in the trusted service management system and installing it on the mobile phone through interaction between the trusted service management system and the mobile phone.
The three components above can work simultaneously, or a selector can be provided to enable one of them.
As shown in Fig. 5, the preset deployment component 11 comprises:
An application preset unit 111, for presetting the TA in the TEE and presetting the client application in the untrusted execution environment; a module creation unit 112, for creating a TEE access module and deploying it in the untrusted execution environment; a script writing unit 113, for writing a client application behavior script and storing it in the client application; a communication unit 114, for starting the client application to access the TEE; a data transmission unit 115, for the client application to read the client application behavior script and send the access behavior to the TEE access module; a first application loading unit 116, for the TEE access module to load the TA in the TEE according to the client application behavior script.
As shown in Fig. 6, the bundled deployment component 12 comprises:
An application bundling unit 121, for bundling the TA with the untrusted application; a first execution operating unit 122, for installing or upgrading the untrusted application in the untrusted execution environment; a first application running unit 123, for running the untrusted application in the untrusted execution environment; a first file transmission unit 124, for the untrusted application to copy the bundled TA file to the designated directory of the TEE; a second application loading unit 125, for loading the TA in the TEE.
Specifically, the bundling works as follows. The untrusted application serves as the main application that interacts with the user or communicates with the outside world, and the trusted application serves as the background application that performs secure processing. When the mobile phone runs the untrusted application at installation, the untrusted application automatically releases the trusted application into the TEE, which keeps the user from contacting the trusted application directly. In use, the untrusted application receives an access request and forwards it to the trusted application, which processes it and returns the result via the untrusted application. This avoids the security risks of the outside world communicating directly with the trusted application and improves the security of using the TA.
As shown in Fig. 7, the remote deployment component 13 comprises:
A second execution operating unit 131, for installing or upgrading the untrusted application in the untrusted execution environment; a second application running unit 132, for running the untrusted application in the untrusted execution environment; a first file judging unit 133, for the untrusted application to judge whether the client has a TA installation file; a first installation package acquiring unit 134, for connecting to the trusted service management system and obtaining the TA installation package; a first installation package execution unit 135, for opening the TA installation package and obtaining the TA file; a file storage unit 136, for copying the TA file to the client; a second file judging unit 137, for judging whether a TA file exists in the TEE; a second file transmission unit 138, for copying the TA file to the designated directory of the TEE; a third application loading unit 139, for loading the TA in the TEE.
An access control module 2, for performing access control on the TA in the use stage;
Wherein the access control module 2, as shown in Fig. 3, comprises:
A risk monitoring module 21, for the TA to check the current untrusted execution environment when a client application sends a TA access request, and determine whether a risk exists;
Specifically, the components are first verified to see whether they are the same as the factory settings; if they differ, a risk warning notice is sent. Next, all client applications are evaluated for risk to see whether a risky application exists; if so, a risk warning notice is also sent. Finally, background applications are checked to see whether the terminal is being monitored; if it is, a risk warning notice is sent.
An authentication module 22, for the TA to send an identity authentication request to the client application and determine whether the client application is secure;
A secure communication module 23, for the TA and the client application to establish a secure channel and communicate over it.
Specifically, an identity ID is injected into the TA at installation. When a client application accesses the TA, a public/private key pair is generated and the public key is sent to the client application. The client application encrypts the communication information with the public key and sends it to the TA, and the TA decrypts the communication information with the private key. The TA and the client application then use the communication information to establish a secure channel, and communicate securely over it.
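The key exchange described in the paragraph above, as an added Go example that is not part of the patent text: the TA generates a key pair for each CA access, the CA encrypts a secret to the public key, and both ends key an authenticated channel with it. The patent names no algorithms, so RSA-OAEP, AES-256-GCM, treating the "communication information" as a random 32-byte secret, binding the TA identity ID as OAEP label and AEAD additional data, and all type and function names are assumptions of this sketch.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Channel is one end of the secure channel; AES-256-GCM with the TA ID as AAD (assumption).
type Channel struct {
	aead cipher.AEAD
	taID []byte
}

func newChannel(secret, taID []byte) (*Channel, error) {
	block, err := aes.NewCipher(secret)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Channel{aead: aead, taID: taID}, err
}

// Seal returns nonce || ciphertext || tag, with a fresh random nonce per frame.
func (c *Channel) Seal(msg []byte) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return c.aead.Seal(nonce, nonce, msg, c.taID), nil
}

// Open authenticates and decrypts a frame; a modified frame is rejected.
func (c *Channel) Open(frame []byte) ([]byte, error) {
	n := c.aead.NonceSize()
	if len(frame) < n+c.aead.Overhead() {
		return nil, errors.New("frame too short")
	}
	return c.aead.Open(nil, frame[:n], frame[n:], c.taID)
}

// TrustedApp models the TA side; id is the identity ID injected at install.
type TrustedApp struct {
	id   []byte
	priv *rsa.PrivateKey // key pair generated per CA access
}

// BeginSession generates the key pair and returns the public key for the CA.
func (ta *TrustedApp) BeginSession() (*rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ta.priv = priv
	return &priv.PublicKey, nil
}

// AcceptSecret decrypts the CA's message, discards the private key, opens the TA end.
func (ta *TrustedApp) AcceptSecret(wrapped []byte) (*Channel, error) {
	if ta.priv == nil {
		return nil, errors.New("no session in progress")
	}
	secret, err := rsa.DecryptOAEP(sha256.New(), nil, ta.priv, wrapped, ta.id)
	ta.priv = nil
	if err != nil || len(secret) != 32 {
		return nil, errors.New("rejected wrapped secret")
	}
	return newChannel(secret, ta.id)
}

// ClientWrapSecret is the CA side. Assumptions: the "communication information"
// is a random 32-byte secret, encrypted with RSA-OAEP using the TA ID as label.
func ClientWrapSecret(pub *rsa.PublicKey, taID []byte) ([]byte, *Channel, error) {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return nil, nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, taID)
	if err != nil {
		return nil, nil, err
	}
	ch, err := newChannel(secret, taID)
	return wrapped, ch, err
}

func main() {
	ta := &TrustedApp{id: []byte("ta-demo-0001")} // constructed sample ID
	pub, _ := ta.BeginSession()
	wrapped, caCh, _ := ClientWrapSecret(pub, ta.id)
	taCh, _ := ta.AcceptSecret(wrapped)
	frame, _ := caCh.Seal([]byte("sign-transaction")) // constructed request
	msg, err := taCh.Open(frame)
	fmt.Printf("TA received %q (err=%v)\n", msg, err)
}
```

A secret wrapped for a different TA ID, a replayed wrapped secret, and a frame altered in transit are all rejected by the TA side.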
A security update module 3, for updating the TA through the trusted service management system in the update stage.
Wherein the security update module, as shown in Fig. 4, comprises:
A third application running unit 31, for running the untrusted application in the untrusted execution environment; an application information acquiring unit 32, for the untrusted application, together with the client application, to obtain the version information of the TA through the secure channel; an installation package information acquiring unit 33, for the untrusted application to connect to the trusted service management system and obtain the version information of the TA installation package; an information comparing unit 34, for the untrusted application to compare the version information of the TA with that of the TA installation package; a second installation package acquiring unit 35, for obtaining the TA installation package from the trusted service management system; a second installation package execution unit 36, for opening the TA installation package and obtaining the TA file; a third file transmission unit 37, for copying the TA file to the designated directory of the client's TEE; an application deleting unit 38, for deleting the original TA file; a fourth application loading unit 39, for loading the TA in the TEE.
The above describes, with reference to Figs. 1-7, the TA configuration device proposed by this application; the following describes, with reference to Figs. 8-14, the TA configuration method proposed by this application.
The TA configuration method proposed by this application, as shown in Fig. 8, comprises:
Step S1: in the deployment stage, deploying the TA in the TEE;
Wherein deploying the TA in the TEE, as shown in Fig. 9, comprises:
Presetting the TA on the mobile phone (step S101); installing the TA on the mobile phone by bundling it with an untrusted application (step S102); placing the TA in the trusted service management system and installing it on the mobile phone through interaction between the trusted service management system and the mobile phone (step S103).
As shown in Fig. 11, the deployment mode in which the TA is preset on the mobile phone comprises:
Step S1011: presetting the TA in the TEE, and presetting the client application in the untrusted execution environment;
Step S1012: creating a TEE access module and deploying it in the untrusted execution environment;
Step S1013: writing a client application behavior script and storing it in the client application;
Step S1014: starting the client application to access the TEE;
Step S1015: the client application reads the client application behavior script and sends the access behavior to the TEE access module;
Step S1016: the TEE access module loads the TA in the TEE according to the client application behavior script.
As shown in Fig. 12, the deployment mode in which the TA is installed on the mobile phone by bundling it with an untrusted application comprises:
Step S1021: bundling the TA with the untrusted application;
Specifically, the bundling works as follows. The untrusted application serves as the main application that interacts with the user or communicates with the outside world, and the trusted application serves as the background application that performs secure processing. When the mobile phone runs the untrusted application at installation, the untrusted application automatically releases the trusted application into the TEE, which keeps the user from contacting the trusted application directly. In use, the untrusted application receives an access request and forwards it to the trusted application, which processes it and returns the result via the untrusted application. This avoids the security risks of the outside world communicating directly with the trusted application and improves the security of using the TA.
Step S1022: installing or upgrading the untrusted application in the untrusted execution environment;
Step S1023: running the untrusted application in the untrusted execution environment;
Step S1024: the untrusted application copies the bundled TA file to the designated directory of the TEE;
Step S1025: loading the TA in the TEE.
As shown in Figure 13, the deployment mode in which the secure application is placed in the trusted service management system and installed on the mobile phone terminal through interaction between the trusted service management system and the mobile phone terminal includes:
Step S1031: the untrusted application is installed or upgraded in the untrusted execution environment;
Step S1032: the untrusted application is run in the untrusted execution environment;
Step S1033: the untrusted application determines whether the client has a secure application installation file; if not, continue; if so, execute step S1035;
Step S1034: the system connects to the trusted service management system and obtains the secure application installation package;
Step S1035: the system opens the secure application installation package and obtains the secure application file;
Step S1036: the system copies the secure application file to the client;
Step S1037: the system determines whether the secure application file exists in the trusted execution environment; if so, continue; if not, execute step S1033;
Step S1038: the system copies the secure application file to the designated directory of the trusted execution environment;
Step S1039: the system loads the secure application in the trusted execution environment.
Step S2: in the use phase, access control is applied to the secure application;
Specifically, as shown in Figure 10, applying access control to the secure application includes:
Step S201: when the client application sends a secure application access request, the secure application checks the current untrusted execution environment and determines whether there is a risk;
Specifically, the components are first verified against the factory settings, and a risk warning notification is sent if they differ; next, all client applications are risk-assessed, and a risk warning notification is also sent if a risky application is found; finally, the background applications are checked to see whether the terminal is being monitored, and a risk warning notification is sent if it is.
Step S202: the secure application sends an identity authentication request to the client application and judges the security of the client application;
Step S203: the secure application and the client application establish a secure channel and communicate through it.
Specifically, an identity ID is written into the secure application when it is installed. When the client application accesses the secure application, a public/private key pair is generated and the public key is sent to the client application; the client application encrypts the communication information with the public key and sends it to the secure application, and the secure application decrypts the communication information with the private key. The secure application and the client application then use the communication information to establish the secure channel and communicate securely over it.
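The exchange described for step S203, as an added Node.js example that is not code from the patent: the secure application generates a key pair per access, the client application encrypts random communication information under the public key, and both sides derive the channel key from it. The patent names no algorithms, so RSA-OAEP, HKDF, AES-256-GCM, the binding of the identity ID into the key derivation, and every class, function and sample value below are assumptions.

```javascript
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Both sides derive the channel key from the decrypted "communication
// information". Binding the TA identity ID into the HKDF info is an assumption
// of this sketch: a secret negotiated for one TA yields no key for another.
function deriveChannelKey(secret, taId) {
  const info = Buffer.from('ta-channel:' + taId);
  return Buffer.from(crypto.hkdfSync('sha256', secret, Buffer.alloc(0), info, 32));
}

// AES-256-GCM frame layout: 12-byte nonce || 16-byte tag || ciphertext.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

function unseal(key, frame) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, frame.subarray(0, 12));
  decipher.setAuthTag(frame.subarray(12, 28));
  // final() throws if the frame was modified or the key is wrong.
  return Buffer.concat([decipher.update(frame.subarray(28)), decipher.final()]);
}

class SecureApplication {
  constructor(taId) { this.taId = taId; } // identity ID written at install time
  // On an access request: generate a fresh key pair and hand out the public key.
  beginSession() {
    const pair = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
    this.privateKey = pair.privateKey;
    return pair.publicKey.export({ type: 'spki', format: 'pem' });
  }
  // Decrypt the client's communication information and derive the channel key.
  acceptSecret(wrapped) {
    const secret = crypto.privateDecrypt({ key: this.privateKey, ...OAEP }, wrapped);
    this.channelKey = deriveChannelKey(secret, this.taId);
    this.privateKey = null; // the session key pair is not reused
  }
}

class ClientApplication {
  constructor(expectedTaId) { this.taId = expectedTaId; }
  // Encrypt fresh random communication information under the TA's public key.
  wrapSecret(publicKeyPem) {
    const secret = crypto.randomBytes(32);
    this.channelKey = deriveChannelKey(secret, this.taId);
    return crypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, secret);
  }
}

// Constructed run: the identity ID and the request text are sample values.
function demoChannel(clientSideTaId = 'TA-0001') {
  const ta = new SecureApplication('TA-0001');
  const client = new ClientApplication(clientSideTaId);
  ta.acceptSecret(client.wrapSecret(ta.beginSession()));
  const frame = seal(client.channelKey, Buffer.from('get-balance'));
  let received = null;
  try { received = unseal(ta.channelKey, frame).toString(); } catch { /* rejected */ }
  const tampered = Buffer.from(frame);
  tampered[tampered.length - 1] ^= 0x01; // flip one ciphertext bit
  let tamperRejected = false;
  try { unseal(ta.channelKey, tampered); } catch { tamperRejected = true; }
  return { received, tamperRejected };
}

console.log(demoChannel());
```

A client that expects a different identity ID derives a different key, so its frames fail authentication on the secure application side.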
Step S3: in the update phase, the secure application is updated through the trusted service management system;
Specifically, as shown in Figure 14, updating the secure application through the trusted service management system includes:
Step S301: the untrusted application is run in the untrusted execution environment;
Step S302: the untrusted application and the client application obtain the version information of the secure application through the secure channel;
Step S303: the untrusted application connects to the trusted service management system and obtains the version information of the secure application installation package;
Step S304: the untrusted application compares the version information of the secure application with that of the secure application installation package; if they are consistent, the method exits; otherwise it continues;
Step S305: the secure application installation package is obtained from the trusted service management system;
Step S306: the secure application installation package is opened and the secure application file is obtained;
Step S307: the secure application file is copied to the designated directory of the client's trusted execution environment;
Step S308: the original secure application file is deleted;
Step S309: the secure application in the trusted execution environment is loaded.
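Steps S302 to S309 as an added Node.js example, not code from the patent, with a temporary directory standing in for the designated directory of the trusted execution environment and an in-memory object standing in for the trusted service management system. The file naming scheme, the gzip package format, all function names and the `newer-only` policy are assumptions; the latter is an added check, since S304 as written proceeds whenever the two versions differ, including when the offered package is older.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const zlib = require('node:zlib');

// Compare dotted numeric versions; returns <0, 0 or >0 like a comparator.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// S304. 'as-described' follows the text: any difference triggers the update.
// 'newer-only' (added here) refuses a package older than the installed TA.
function shouldUpdate(installed, offered, policy) {
  const c = compareVersions(offered, installed);
  return policy === 'newer-only' ? c > 0 : c !== 0;
}

// Hypothetical stand-in for the trusted service management system.
function makeTsm(version, taBytes) {
  return {
    packageVersion: () => version,
    fetchPackage: () => ({ version, payload: zlib.gzipSync(taBytes) }),
  };
}

// The installed TA is stored as ta-<version>.bin (naming is an assumption).
function installedTa(teeDir) {
  const name = fs.readdirSync(teeDir).find((f) => /^ta-[\d.]+\.bin$/.test(f));
  return name ? { name, version: name.slice(3, -4) } : null;
}

function updateTa(teeDir, tsm, policy = 'as-described') {
  const current = installedTa(teeDir);                          // S302
  const offered = tsm.packageVersion();                         // S303
  if (current && !shouldUpdate(current.version, offered, policy)) {
    return { updated: false, version: current.version };        // S304: exit
  }
  const pkg = tsm.fetchPackage();                               // S305
  const taFile = zlib.gunzipSync(pkg.payload);                  // S306
  const target = path.join(teeDir, `ta-${pkg.version}.bin`);
  fs.writeFileSync(target, taFile);                             // S307
  // S308 runs only after S307 succeeded, so a failed copy leaves the old TA.
  if (current) fs.unlinkSync(path.join(teeDir, current.name));
  return { updated: true, version: pkg.version, loaded: fs.readFileSync(target) }; // S309
}

// Constructed run over sample versions and file contents.
function demoUpdate() {
  const teeDir = fs.mkdtempSync(path.join(os.tmpdir(), 'tee-'));
  fs.writeFileSync(path.join(teeDir, 'ta-1.2.0.bin'), 'old TA');
  const same = updateTa(teeDir, makeTsm('1.2.0', Buffer.from('same TA')));
  const strictOlder = updateTa(teeDir, makeTsm('1.1.0', Buffer.from('older TA')), 'newer-only');
  const newer = updateTa(teeDir, makeTsm('1.3.0', Buffer.from('new TA')), 'newer-only');
  const looseOlder = updateTa(teeDir, makeTsm('1.1.0', Buffer.from('older TA')));
  const files = fs.readdirSync(teeDir);
  fs.rmSync(teeDir, { recursive: true });
  return { same, strictOlder, newer, looseOlder, files };
}

console.log(demoUpdate());
```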
The above is only a preferred embodiment of the present invention and does not limit the invention in any form. Although the invention is disclosed above by way of a preferred embodiment, that embodiment is not intended to limit it. Any person skilled in the art may, without departing from the scope of the technical solution of the present invention, use the technical content disclosed above to make minor changes or modifications that result in equivalent embodiments. Any simple amendment, equivalent change or modification made to the above embodiment according to the technical essence of the present invention, without departing from the content of its technical solution, still falls within the scope of the technical solution of the present invention.

Claims (10)

1. A secure application configuration method, characterized by comprising:
in the deployment phase, deploying the secure application in the trusted execution environment;
in the use phase, applying access control to the secure application;
in the update phase, updating the secure application through the trusted service management system;
wherein deploying the secure application in the trusted execution environment comprises:
presetting the secure application on the mobile phone terminal; installing the secure application on the mobile phone terminal by bundling it with an untrusted application; placing the secure application in the trusted service management system and installing it on the mobile phone terminal through interaction between the trusted service management system and the mobile phone terminal.
2. The secure application configuration method as claimed in claim 1, characterized in that applying access control to the secure application comprises:
when the client application sends a secure application access request, the secure application checks the current untrusted execution environment and determines whether there is a risk;
the secure application sends an identity authentication request to the client application and judges the security of the client application;
the secure application and the client application establish a secure channel and communicate through the secure channel.
3. The secure application configuration method as claimed in claim 1, characterized in that the deployment mode in which the secure application is preset on the mobile phone terminal comprises:
presetting the secure application in the trusted execution environment, and presetting the client application in the untrusted execution environment;
creating a trusted execution environment access module and deploying it in the untrusted execution environment;
writing a client application behavior script and storing it in the client application;
starting the client application to access the trusted execution environment;
the client application reads the client application behavior script and sends the access behavior to the trusted execution environment access module;
the trusted execution environment access module loads the secure application in the trusted execution environment according to the client application behavior script.
4. The secure application configuration method as claimed in claim 1, characterized in that the deployment mode in which the secure application is installed on the mobile phone terminal by bundling it with an untrusted application comprises:
bundling the secure application with the untrusted application;
installing or upgrading the untrusted application in the untrusted execution environment;
running the untrusted application in the untrusted execution environment;
the untrusted application copies the bundled secure application file to the designated directory of the trusted execution environment;
loading the secure application in the trusted execution environment.
5. The secure application configuration method as claimed in claim 1, characterized in that updating the secure application through the trusted service management system comprises:
running the untrusted application in the untrusted execution environment;
the untrusted application and the client application obtain the version information of the secure application through the secure channel;
the untrusted application connects to the trusted service management system and obtains the version information of the secure application installation package;
the untrusted application compares the version information of the secure application with that of the secure application installation package; if they are consistent, the method exits; otherwise it continues;
obtaining the secure application installation package from the trusted service management system;
opening the secure application installation package and obtaining the secure application file;
copying the secure application file to the designated directory of the client's trusted execution environment;
deleting the original secure application file;
loading the secure application in the trusted execution environment.
6. A secure application configuration device, characterized by comprising:
a deployment module, configured to deploy the secure application in the trusted execution environment in the deployment phase;
wherein the deployment module comprises:
a preset deployment component, configured to preset the secure application on the mobile phone terminal;
a bundled deployment component, configured to install the secure application on the mobile phone terminal by bundling it with an untrusted application;
a remote deployment component, configured to place the secure application in the trusted service management system and install it on the mobile phone terminal through interaction between the trusted service management system and the mobile phone terminal;
an access control module, configured to apply access control to the secure application in the use phase;
a security update module, configured to update the secure application through the trusted service management system in the update phase.
7. The secure application configuration device as claimed in claim 6, characterized in that the access control module comprises:
a risk monitoring module, configured so that, when the client application sends a secure application access request, the secure application checks the current untrusted execution environment and determines whether there is a risk;
an authentication module, configured so that the secure application sends an identity authentication request to the client application and judges the security of the client application;
a secure communication module, configured so that the secure application and the client application establish a secure channel and communicate through the secure channel.
8. The secure application configuration device as claimed in claim 6, characterized in that the preset deployment component comprises:
an application preset unit, configured to preset the secure application in the trusted execution environment and preset the client application in the untrusted execution environment;
a module creation unit, configured to create a trusted execution environment access module and deploy it in the untrusted execution environment;
a script writing unit, configured to write a client application behavior script and store it in the client application;
a communication unit, configured to start the client application to access the trusted execution environment;
a data transmission unit, configured so that the client application reads the client application behavior script and sends the access behavior to the trusted execution environment access module;
a first application loading unit, configured so that the trusted execution environment access module loads the secure application in the trusted execution environment according to the client application behavior script.
9. The secure application configuration device as claimed in claim 6, characterized in that the bundled deployment component comprises:
an application bundling unit, configured to bundle the secure application with the untrusted application;
a first execution operation unit, configured to install or upgrade the untrusted application in the untrusted execution environment;
a first application running unit, configured to run the untrusted application in the untrusted execution environment;
a first file transmission unit, configured so that the untrusted application copies the bundled secure application file to the designated directory of the trusted execution environment;
a second application loading unit, configured to load the secure application in the trusted execution environment.
10. The secure application configuration device as claimed in claim 6, characterized in that the security update module comprises:
a third application running unit, configured to run the untrusted application in the untrusted execution environment;
an application information acquiring unit, configured so that the untrusted application and the client application obtain the version information of the secure application through the secure channel;
an installation package information acquiring unit, configured so that the untrusted application connects to the trusted service management system and obtains the version information of the secure application installation package;
an information comparing unit, configured so that the untrusted application compares the version information of the secure application with that of the secure application installation package;
a second installation package acquiring unit, configured to obtain the secure application installation package from the trusted service management system;
a second installation package execution unit, configured to open the secure application installation package and obtain the secure application file;
a third file transmission unit, configured to copy the secure application file to the designated directory of the client's trusted execution environment;
an application deleting unit, configured to delete the original secure application file;
a fourth application loading unit, configured to load the secure application in the trusted execution environment.
CN201610225472.6A 2016-04-12 2016-04-12 Secure application configuration method and device Active CN105843653B (en)

Publications (2)

Publication Number Publication Date
CN105843653A true CN105843653A (en) 2016-08-10
CN105843653B CN105843653B (en) 2017-11-24

Family

ID=56597369

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20190313

Address after: 212355 Hengtang Industrial Zone, Yunyang Town, Danyang City, Zhenjiang City, Jiangsu Province

Patentee after: Jiangsu Hengbao Intelligent System Technology Co. Ltd.

Address before: 212355 Hengtang Industrial Zone, Zhenjiang City, Jiangsu Province

Patentee before: Hengbao Corp.