CN110140124A

CN110140124A - Grouping is using same key sharing data

Info

Publication number: CN110140124A
Application number: CN201780082026.7A
Authority: CN
Inventors: 杨李军; 熊晟; 王奇
Original assignee: Huawei Technologies Co Ltd
Current assignee: Huawei Technologies Co Ltd
Priority date: 2017-12-29
Filing date: 2017-12-29
Publication date: 2019-08-16
Anticipated expiration: 2037-12-29
Also published as: WO2019127468A1; CN110140124B

Abstract

The method and terminal of a kind of data processing provided by the present application, are related to field of communication technology, are conducive to the safety for improving the data in terminal in application program.This method applies to terminal, operation has the first application process, the second application process and key management process in the terminal, this method specifically includes: the second application process sends access request to the first application process, which is used to request access to the third data of first application process；Key management process receives the decoding request of request decryption third data；If whether key management process determines the second application process in the process grouping where the first application process according to the decoding request.If key management process is grouped corresponding decryption key decryption third data using the process, obtains the 4th data, returns to the 4th data.If not existing, key management process returns to third data without decryption.

Description

Grouping is using same key sharing data

Technical field

This application involves field of communication technology more particularly to the methods and terminal of a kind of data processing.

Background technique

Each application program in terminal is operated in the process space independent, what the data and function of each process were mutually isolated.If needing to communicate between process, the process that is accessed needs first to carry out authorization check to access process.If verifying successfully, shows that the access process has access authority, then the access process is allowed to access.Otherwise, show that the access process does not have access authority, then the access process is not allowed to access.

As it can be seen that terminal is by authority mechanism come the communication security between guarantee process at present.However, during accessed process authorization, it is easy to the case where accidentally authorizing occur.Such as: user may be induced and be mounted with virus applications, and be authorized to virus applications.So, which can pass through the authorization check of other processes (accessed process), it can the data of random access other application, even key message in this way can cause damages to user.

Summary of the invention

The method and terminal of a kind of data processing provided by the present application, can be improved the Information Security in terminal in application process.

In a first aspect, a kind of method of data processing provided by the present application, can be applied to terminal, the first application process of terminal operating, the second application process and the key management process.This method specifically includes: the second application process sends access request to the first application process, which is used to request access to the third data of first application process；Key management process receives the decoding request of request decryption third data；If key management process determines the second application process in the process grouping where the first application process according to the decoding request, the process where key management process uses the first application process is grouped corresponding decryption key decryption third data, obtains the 4th data；In response to the decoding request, key management process returns to the 4th data.

Wherein, terminal is grouped with N number of process；Each of N number of process grouping includes at least one process, and the grouping of at least one process includes two or more processes；Wherein, N is the integer greater than 1 or equal to 1；N number of process is grouped corresponding M decruption key, and each process is grouped a corresponding decruption key；Wherein, M is positive integer, N >=M.

Wherein, first application process is one of process of the first application program operation, and the first application program can be any one application in terminal, for the program and data acquisition system that certain business function can be performed, such as: short message application, Meituan application, Taobao's application etc..

Wherein, the second application process can be another process in the first application program, be different from the first application process, and the second application process is also possible to a process in the second application program, and the second application program is different from the second application program.

In some embodiments, the second application process need to obtain the permission of the first application process of access in advance.

In some embodiments, first data can be the data for needing to encrypt, the data e.g. determined according to the business nature of the first application process or the first application program, such as can be data important, crucial, sensitive in the first application process or the first application program.

In some embodiments, key management module determines grouping corresponding to third application process according to the information such as the type of service of third application process or downloading source, and the mark of third application process and the packet identification is established corresponding relationship, and be stored in local.

It can be seen that, when second application process and the first application process belong to the grouping of same process, key management process is grouped corresponding decruption key using the process where the first application process and third data is decrypted, so that the second application process gets the third data after decryption, i.e. the 4th data.It realizes the second application process and when the first application process belongs to the grouping of same process, could access the data of the first application process, be conducive to the data safety in the first application process of raising.

In a kind of possible design, the decoding request that key management process receives request decryption third data is specially that key management process receives the decoding request that the first application process is sent according to access request.Key management process returns to the 4th data specifically: key management process returns to the 4th data to the first application process.First application process sends the 4th data to the second application process.

As it can be seen that terminal, which can be the second application process, accesses the first application process, third data are decrypted from the first application process to key management process request., can be by the first application process by the third data after decryption after third data are decrypted in key management process, i.e. the 4th data are sent to the second application process.The embodiment of the present application provides a kind of method that second application process accesses the first application process third data as a result,.

In a kind of possible design, if key management process determines the second application process not in the process grouping where the first application process, key management process sends third data to the first application process；First application process sends the third data to the second application process.

It can be seen that, the application realizes the second application process and the first application process not in the grouping of same process, key management process is not decrypted third data, and third data are transmitted directly to the second application process by the first application process, be conducive to include the first application process Information Security.

In a kind of possible design, if the second application process is not in a packet, key management module can also directly refuse the first application process to the decoding request of third data, terminate process.

In a kind of possible design, after the second application process sends access request to the first application process, before key management process receives the decoding request of request decryption third data, the method also includes: the second application process receives the third data that the first application process is sent；Key management process receives the decoding request of request decryption third data specifically: key management process receives the decoding request that the second application process is sent；Key management process returns to the 4th data specifically: key management process returns to the 4th data to the second application process.

As it can be seen that first getting the data of the first application process encryption, i.e. third data, then third data are decrypted from the second application process to key management process request when terminal can be the data of the second application process the first application process of access.After third data are decrypted in key management process, the third data after decryption, i.e. the 4th data can be sent to the second application process.The embodiment of the present application provides a kind of method that second application process accesses the first application process third data as a result,.

In a kind of possible design, if key management process determines the second application process not in the process grouping where the first application process, key management process sends third data to the second application process.

It can be seen that, the application realizes the second application process and the first application process not in the grouping of same process, key management process is not decrypted third data, and third data are directly sent to the second application process, be conducive to include the first application process Information Security.

In a kind of possible design, corresponding decryption key decryption third data are grouped using the process where the first application process in key management process, before obtaining the 4th data, the method also includes: key management process obtains the mark of the first application process；Key management process determines the mark of the process grouping where the first application process according to the mark of the first application process；Key management process obtains the corresponding decruption key of process grouping where the first application process according to the mark of the process grouping where the first application process.

The method that a kind of process where obtaining the first application process this application provides terminal as a result, is grouped corresponding decruption key.

In a kind of possible design, the first application process request key management process encrypts the first data；Key management process determines the process grouping where the first application process according to the request；Key management process is grouped corresponding encryption key using the process where the first application process and encrypts to first data, generates the second data；N number of process is grouped corresponding M encryption key, and each process is grouped a corresponding encryption key；Key management process sends the second data to the first application process.

The application realizes the method encrypted for the application process in the grouping of same process using identical encryption key as a result, is conducive to promote the Information Security in application process.

In a kind of possible design, the first application process saves the second data.

In some embodiments, the second data are stored in the encryption memory block in the first application process by the first application process.Wherein, encryption memory block is a piece of particular memory space in the first application process, is exclusively used in storage by the encrypted data of key management module.

In a kind of possible design, key management process determines that the grouping of the process where the first application process includes: the mark that key management process obtains the first application process according to the request；Key management process determines the mark of the process grouping where the first application process according to the mark of the first application process；Key management process obtains the corresponding encryption key of process grouping where the first application process according to the mark of the process grouping where the first application process.

Second aspect, a kind of terminal, including the first application program module, the second application program module and key management module, the second application program module, for sending access request to the first application program module, access request is used to request access to the third data of the first application process；Key management module, for receiving the decoding request of request decryption third data；Key management module, determine the second application process in the process grouping where the first application process according to decoding request if being also used to key management module, third data described in corresponding decryption key decryption then are grouped using the process where the first application process, obtain the 4th data；Key management module is also used to return to the 4th data in response to decoding request.

In a kind of possible design, key management module is also used to receive the decoding request that the first application program module is sent according to access request: key management module, is also used to return to the 4th data to the first application program module；First application program module, for sending the 4th data to the second application program module.

In a kind of possible design, key management module, if being also used to key management module determines that the second application process in the process grouping where the first process, does not send third data to the first application program module；First application program module is also used to send third data to the second application program module.

In a kind of possible design, the second application program module is also used to receive the third data of the first application program module transmission；Key management module is also used to receive the decoding request of the second application program module transmission；Key management module is also used to return to the 4th data to the second application program module.

In a kind of possible design, key management module, if being also used to key management module determines that the second application process in the process grouping where the first application process, does not send third data to the second application program module.

In a kind of possible design, key management module is also used to obtain the mark of the first application program module；Key management module is also used to the mark according to the first application program module, determines the mark of the process grouping where the first application program module；Key management module, is also used to the mark according to the process grouping where the first application program module, and the process where obtaining the first application program module is grouped corresponding decruption key.

In a kind of possible design, the first application program module is also used to that key management module is requested to encrypt the first data；Key management module is also used to determine the process grouping where the first application program module according to the request；Key management module, the process where being also used for the first application program module are grouped corresponding encryption key and encrypt to the first data, generate the second data；N number of process is grouped corresponding M encryption key, and each process is grouped a corresponding encryption key；Key management module is also used to send the second data to the first application program module.

In a kind of possible design, the first application program module is also used to save the second data.

In a kind of possible design, key management module is also used to obtain the mark of the first application program module；Key management module is also used to the mark according to the first application program module, determines the mark of the process grouping where the first application program module；Key management module, is also used to the mark according to the process grouping where the first application program module, and the process where obtaining the first application program module is grouped corresponding encryption key.

The third aspect, a kind of terminal, it include: processor, memory and touch screen, memory, touch screen are coupled with processor, memory is for storing computer program code, computer program code includes computer instruction, when processor computer instructions, terminal executes the method such as the data processing in first aspect in any any possible design method.

Fourth aspect, a kind of computer storage medium, including computer instruction, when computer instruction is run at the terminal, so that terminal executes the method such as any any possible design method data processing in first aspect.

5th aspect, a kind of computer program product, when computer program product is run on computers, so that computer executes the method such as any any possible design method data processing in first aspect.

Detailed description of the invention

Fig. 1 is a kind of hardware structural diagram of terminal provided by the present application；

Fig. 2 is a kind of flow diagram one of data processing method provided by the present application；

Fig. 3 is a kind of schematic diagram of the memory space of process provided by the present application；

Fig. 4 is a kind of flow diagram two of data processing method provided by the present application；

Fig. 5 is a kind of flow diagram three of data processing method provided by the present application；

Fig. 6 is a kind of software configuration schematic diagram of terminal provided by the present application；

Fig. 7 is a kind of flow diagram four of data processing method provided by the present application；

Fig. 8 is a kind of flow diagram five of data processing method provided by the present application；

Fig. 9 is a kind of flow diagram six of data processing method provided by the present application；

Figure 10 is a kind of flow diagram seven of data processing method provided by the present application；

Figure 11 is a kind of flow diagram eight of data processing method provided by the present application；

Figure 12 is a kind of composition schematic diagram one of terminal provided by the present application；

Figure 13 is a kind of composition schematic diagram two of terminal provided by the present application.

Specific embodiment

Hereinafter, term " first ", " second " are used for descriptive purposes only and cannot be understood as indicating or suggesting relative importance or implicitly indicate the quantity of indicated technical characteristic." first " is defined as a result, the feature of " second " can explicitly or implicitly include one or more of the features.In the description of the present application, unless otherwise indicated, the meaning of " plurality " is two or more.

Firstly, first briefly being introduced the communication mechanism between application program to better understand the technical solution of the application.

Terminal is assigned with unique user identifier (user Identifier, UID) or process identification (PID) (Process Identifier, PID), and permanent retention when the application is installed, for each application program.When being communicated between different application, using adhesive (Binder) mechanism.Binder mechanism is based on client-side/server-side (Client/Sever, C/S) framework.Specifically, accessed application program, as service (Sever) end, the application program of access is held as client (Client).The task of access is sent to the end Server by the end Client, and the end Server can judge whether the end Client meets access authority according to UID/PID according to permission control strategy.Only apply for that the end Client of specified permission could access the end Server.

Currently, permission control is many times to allow user to choose whether to run by popping up permission inquiry session frame.Permission is divided into installation permission and dynamic rights.Installation permission refers to that application program when installing first time, can once inquire all permissions involved in entire application program, such as: in Android 6.0, also referred to as Android M, the Android system of version before.Dynamic rights be then need which permission to play frame again in application program operational process and ask the user whether to corresponding permission, such as: the Android system of Android M and later version.

It should be noted that, it may be that not support the application program of dynamic rights, and avoid the agreement of user and directly acquire the access authority of certain important application programs by declaring for certain malicious applications, the critical data for obtaining these important application programs brings loss to user.For this purpose, being grouped by terminal to application program mounted thereto this application provides a kind of method of data processing, the application program in same grouping at runtime, is encrypted using identical key pair critical data.In this way, the encrypted data of application program in same grouping, can only be decrypted by application programs other in the grouping.So, even if malicious application obtains the access authority of the application program, due to that can not be decrypted to the data of encryption, advantageously ensure that the data safety of user not in same grouping.

Illustratively, terminal in the application can be that can install application program and show application program image target mobile phone (mobile phone 100 as shown in Figure 1), tablet computer, personal computer (Personal Computer, PC), personal digital assistant (personal digital assistant, PDA), smartwatch, net book, wearable electronic, augmented reality (Augmented Reality, AR) equipment, virtual reality (Virtual Reality, VR) equipment etc., the application does not do the concrete form of the terminal specifically limited.

As shown in Figure 1, being illustrated using mobile phone 100 as above-mentioned terminal, mobile phone 100 be can specifically include:

Processor 101 is the control centre of mobile phone 100, utilize the various pieces of various interfaces and connection mobile phone 100, by running or executing the application program being stored in memory 103, and the data that calling is stored in memory 103, the various functions and processing data of mobile phone 100 are executed.In some embodiments, processor 101 may include one or more processing units；For example, processor 101 can be 960 chip of kylin of Huawei Tech Co., Ltd's manufacture.

Radio circuit 102 can be used for receive and send messages or communication process in, wireless signal sends and receivees.Particularly, it after radio circuit 102 can receive the downlink data of base station, is handled to processor 101；In addition, the data for being related to uplink are sent to base station.In general, radio circuit includes but is not limited to antenna, at least one amplifier, transceiver, coupler, low-noise amplifier, duplexer etc..In addition, radio circuit 102 can also be communicated with other equipment by wireless communication.Any communication standard or agreement, including but not limited to global system for mobile communications, general packet radio service, CDMA, wideband code division multiple access, long term evolution, Email, short message service etc. can be used in the wireless communication.

Memory 103 is stored in the application program and data of memory 103 by operation for storing application program and data, processor 101, executes the various functions and data processing of mobile phone 100.Memory 103 mainly includes storing program area and storage data area, wherein storing program area can application program (such as sound-playing function, image player function etc.) needed for storage program area, at least one function；Storage data area can store according to the data (such as audio data, phone directory etc.) created when using mobile phone 100.In addition, memory 103 may include high-speed random access memory (Random Access Memory, RAM), it can also include nonvolatile storage, such as disk memory, flush memory device or other volatile solid-state parts etc..Memory 103 can store various operating systems, for example, what Apple Inc. was developed Operating system, what Google was developed Operating system etc..Above-mentioned memory 103 can be independent, is connected by above-mentioned communication bus with processor 101；Memory 103 can also be integrated with processor 101.

Touch screen 104 can specifically include Trackpad 104-1 and display 104-2.

Wherein, Trackpad 104-1 can acquire the touch event (for example user uses the operations of any suitable object on Trackpad 104-1 or near Trackpad 104-1 such as finger, stylus) of the user of mobile phone 100 on it or nearby, and collected touch information is sent to other devices (such as processor 101).Wherein, touch event of the user near Trackpad 104-1 can be referred to as suspension touch control；Suspension touch control can refer to, user be not necessarily in order to select, move or drag target (such as icon etc.) and directly contact Trackpad, and it is neighbouring to execute wanted function only to need user to be located at equipment.Furthermore, it is possible to realize Trackpad 104-1 using multiple types such as resistance-type, condenser type, infrared ray and surface acoustic waves.

Display (also referred to as display screen) 104-2 can be used for showing information input by user or be supplied to the information of user and the various menus of mobile phone 100.Display 104-2 can be configured using forms such as liquid crystal display, Organic Light Emitting Diodes.Trackpad 104-1 can be covered on display 104-2, after Trackpad 104-1 detects touch event on it or nearby, processor 101 is sent to determine the type of touch event, corresponding visual output can be provided according to the type of touch event on display 104-2 by being followed by subsequent processing device 101.Although in Fig. 1, Trackpad 104-1 and display screen 104-2 are to output and input function as two independent components come realize mobile phone 100, but it is in some embodiments it is possible to Trackpad 104-1 and display screen 104-2 is integrated and that realizes mobile phone 100 output and input function.It is understood that touch screen 104 is stacked by the material of multilayer, Trackpad (layer) and display screen (layer) are only illustrated in the embodiment of the present application, other layers are not recorded in the embodiment of the present application.In addition, the front that Trackpad 104-1 can be configured in the form of full panel in mobile phone 100, the front that display screen 104-2 can also be configured in the form of full panel in mobile phone 100, can be realized as the structure of Rimless in the front of mobile phone in this way.

In addition, mobile phone 100 can also have fingerprint identification function.For example, Fingerprint Identification Unit 112 can be configured at the back side (such as lower section of rear camera) of mobile phone 100, or Fingerprint Identification Unit 112 is configured in the front (such as lower section of touch screen 104) of mobile phone 100.In another example fingerprint extracting device 112 can be configured in touch screen 104 to realize fingerprint identification function, i.e. the fingerprint identification function that can be integrated with touch screen 104 to realize mobile phone 100 of fingerprint extracting device 112.In this case, the fingerprint extracting device 112 configuration can be a part of touch screen 104, can also otherwise configure in touch screen 104 in touch screen 104.The main component of fingerprint extracting device 112 in the embodiment of the present application is fingerprint sensor, which can use any kind of detection technology, including but not limited to optical profile type, condenser type, piezoelectric type or Supersonic etc..

Mobile phone 100 can also include blue-tooth device 105, for realizing the data exchange between mobile phone 100 and other short-range equipment (such as mobile phone, smartwatch etc.).

Mobile phone 100 can also include at least one sensor 106, such as optical sensor, motion sensor and other sensors.Specifically, optical sensor may include ambient light sensor and proximity sensor, wherein ambient light sensor can adjust the brightness of the display of touch screen 104 according to the light and shade of ambient light, proximity sensor can close the power supply of display when mobile phone 100 is moved in one's ear.As a kind of motion sensor, accelerometer sensor can detect the size of (generally three axis) acceleration in all directions, size and the direction that can detect that gravity when static can be used to identify application (such as horizontal/vertical screen switching, dependent game, magnetometer pose calibrating), Vibration identification correlation function (such as pedometer, percussion) of mobile phone posture etc.；The other sensors such as the gyroscope, barometer, hygrometer, thermometer, the infrared sensor that can also configure as mobile phone 100, details are not described herein.

WiFi device 107, for providing the network insertion for following WiFi relevant criterion agreement for mobile phone 100, mobile phone 100 can be linked into WiFi access point by WiFi device 107, and then help user to send and receive e-mail, browse webpage and access Streaming Media etc., it provides wireless broadband internet access for user.In some other embodiment, which can also be used as WiFi wireless access point, and WiFi network access can be provided for other equipment.

Positioning device 108, for providing geographical location for mobile phone 100.It is understood that the positioning device 108 specifically can be the receiver of the positioning systems such as global positioning system (Global Positioning System, GPS) or Beidou satellite navigation system, Russian GLONASS.Positioning device 108 sends that information to processor 101 and is handled, or be sent to memory 103 and saved after receiving the geographical location that above-mentioned positioning system is sent.In other some embodiments, the positioning device 108 can also be auxiliary global satellite positioning system (Assisted Global Positioning System, AGPS receiver), AGPS system as secondary server by assisting positioning device 108 to complete ranging and positioning service, in this case, network communicates with the positioning device 108 (i.e. GPS receiver) of equipment such as mobile phone 100 and provides positioning assistance assisted location service device by wireless communication.In other some embodiments, which is also possible to the location technology based on WiFi access point.Since each WiFi access point has a globally unique (Media Access Control, MAC) address, equipment can scan in the case where opening WiFi and collect the broadcast singal of the WiFi access point of surrounding, therefore the available MAC Address broadcast out to WiFi access point；These can be indicated the data (such as MAC Address) of WiFi access point by equipment, and network is sent to location server by wireless communication, the geographical location of each WiFi access point is retrieved by location server, and the degree of strength of WiFi broadcast singal is combined, it calculates the geographical location of the equipment and is sent in the positioning device 108 of the equipment.

Voicefrequency circuit 109, loudspeaker 113, microphone 114 can provide the audio interface between user and mobile phone 100.Electric signal after the audio data received conversion can be transferred to loudspeaker 113 by voicefrequency circuit 109, be converted to voice signal output by loudspeaker 113；On the other hand, the voice signal of collection is converted to electric signal by microphone 114, audio data is converted to after being received by voicefrequency circuit 109, then audio data is exported to RF circuit 102 to be sent to such as another mobile phone, or audio data is exported to memory 103 to be further processed.

Peripheral Interface 110, for providing various interfaces for external input-output apparatus (such as keyboard, mouse, external-connection displayer, external memory, subscriber identification module card etc.).Such as pass through universal serial bus (Universal Serial Bus, USB) interface is connect with mouse, it is attached by subscriber identification module card (Subscriber Identification Module, the SIM) card of hard contact and telecom operators' offer on subscriber identification module card card slot.Peripheral Interface 110 can be used to the input/output peripheral equipment of said external being couple to processor 101 and memory 103.

Mobile phone 100 can also include the power supply device 111 (such as battery and power management chip) powered to all parts, battery can be logically contiguous by power management chip and processor 101, to realize the functions such as management charging, electric discharge and power managed by power supply device 111.

Although Fig. 1 is not shown, mobile phone 100 can also include camera (front camera and/or rear camera), flash lamp, micro projector, near-field communication (Near Field Communication, NFC) device etc., details are not described herein.

Method in following embodiment can be realized in the mobile phone 100 with above-mentioned hardware configuration.

As shown in Fig. 2, being a kind of method flow diagram of data processing provided by the present application, this method includes the ciphering process to data, and this method can be applied to terminal, and first application process of terminal operating and key management process, this method specifically include:

S101, the first application process generate the first data.

In some embodiments, first data can be the data for needing to encrypt, the data e.g. determined according to the business nature of the first application process or the first application program, such as can be data important, crucial, sensitive in the first application process or the first application program.For example, the first data can be the information such as account, password, identifying code, short message content if the first application program is short message application.Specifically, the first data can be whole short message content comprising critical data, it is also possible to partial content in a short message content, only critical data, the embodiment of the present application is without limitation.If the first data are this kind of data for needing to encrypt, the first application process needs to request to encrypt the first data to key management module, i.e. execution step S102.

In some embodiments, first data can be the data for not needing encryption, the data for not needing encryption are e.g. determined according to the business nature of the first application process or the first application program, then the first application process directly stores the first data, that is, is not required to execute below step.

S102, the first application process encrypt the first data to key management module request, and the first data are carried in request message.

Wherein, key management module, which is mainly used for executing, carries out encryption process, and the encryption and decryption key etc. of creation and each grouping of management to the specific data in each application process.Key management module at runtime, is referred to as key management process.

S103, key management module encrypt the first data, generate the second data.

Specifically, the inter-process communication mechanisms based on binder are it is found that key management module can obtain the mark of caller, the i.e. mark of the first application process when key management module is called by the first application process.The mark of first application process can be the PID of the first application process, be also possible to the UID of the first application program.So, key management module can according to the mark of the first application process determine the first application process corresponding to grouping, obtain the first application process corresponding to grouping mark.Then, the mark of the grouping according to corresponding to the first application process obtains the corresponding encryption key of the first application process.Finally, key management module encrypts the first data according to the encryption key of acquisition, the second data are obtained.Wherein, the second data are the data after the first data encryption, are ciphertext.

It should be noted that the first application process can correspond to a grouping, this is grouped a corresponding encryption key, then the first application process corresponds to an encryption key.Then, key management module encrypts the first data using this encryption key.First application process can also correspond to multiple groupings, the corresponding multiple encryption keys of this multiple grouping, then the first application process corresponds to multiple encryption keys.Then, key management module encrypts the first data using this multiple encryption key.The embodiment of the present application is without limitation.

It should also be noted that, grouping here, alternatively referred to as process are grouped.The one or more processes run in terminal can correspond to one or more process groupings.And the one or more process respectively corresponds one or more encryption keys.

It illustrates, it is assumed that the application process run in terminal can be divided into three process groupings, and respectively process grouping A, process grouping B and process are grouped C.So, process grouping A, process grouping B and process grouping C can respectively correspond different encryption keys, A and the corresponding identical encryption key of process grouping B can also be grouped with process, process grouping C corresponds to another different encryption key, can also be that process grouping A, process grouping B and process grouping C respectively correspond an identical encryption key.The embodiment of the present application to process be grouped and encryption key corresponding relationship without limitation.

Second data are sent to the first application process by S104, key management module.

S105, the first application process save the second data.

Specifically, the second data are stored in the encryption memory block in the first application process by the first application process.Wherein, encryption memory block is a piece of particular memory space in the first application process, is exclusively used in storage by the encrypted data of key management module.

Illustratively, as shown in figure 3, being the space schematic diagram of the first application process.The space of first application process includes: stack (stack), heap (heap), BBS (Block Started by Symbol) section, data segment (data segment) section, code segment (code/text segment).

Wherein, BBS sections, data segment and code segment belong to static memory distribution, for saving code, global variable and static variable, have fixed function.Stack is distributed and is discharged automatically by operating system, for storing the local variable of the first application process, can be also used for Transfer Parameters and return value.

Heap is to be distributed and discharged by the first application process, for storing the memory headroom section being dynamically allocated in the operation of the first application process.In the embodiment of the present application, the first application process can distribute one section of memory headroom in heap when running first time, store the encrypted data of key-encrypted module for special, i.e. encryption memory block.

It can be seen that, in the embodiment of the present application, first application process is in the process of running, first determine the corresponding grouping of the first application process, the corresponding encryption key of the grouping is obtained again, it is encrypted using data of the encryption key to the first application process, and is stored in specific encryption memory block, be conducive to the safety for improving the critical data of application program.

As shown in figure 4, being a kind of method flow diagram of data processing provided by the embodiments of the present application, this method includes the decrypting process to data, is specifically included:

S201, the second application process request access to the third data of the first application process to the first application process.

In some embodiments, the second application process need to obtain the permission of the first application process of access in advance, be shown in figure with S201a.Specifically, can be the request that the second application process sends application access authority to the first application process, the first application process authorizes the second application process.It is also possible to the first application process directly to be authorized to the second application process, the second application process is allowed to access the data of the first application process.It can also be that the first application process defaults the permission that the second application process has the first application process of access, the embodiment of the present application is without limitation.

Then, the data of the first application process, including third data can be read in the second application process.Illustratively, the second application process can read total data in the first application process, can also read data associated with the second application process, the embodiment of the present application is without limitation.

It is exemplary, it is assumed that the first application process is the process in short message application, and the second application process is the process in Meituan application, and Meituan applies the access authority with short message application.So Meituan application can read whole short message contents in short message application or Meituan application and can read in short message application, apply associated short message content with Meituan, such as: Meituan application is sent to the verification code information etc. of short message application.

S202, the first application process determine that third data are stored in encryption memory block.

Specifically, the first application process according to get index corresponding to third data determine third data whether be stored in encryption memory block.If third data are not stored in encryption memory block, third data are that in plain text, third data are sent to the second application process by the first application process.If third data are stored in encryption memory block, third data are ciphertext, and the first application process also needs that third data are decrypted, i.e. execution step S203.

S203, the first application process are decrypted third data to key management module request, and the mark and third data of the second application process are carried in request.

Specifically, the first application process can obtain the mark of caller, the i.e. mark of the second application process when the first application process is called by the second application process.

S204, key management module according to the mark of the second application process, determine the second application process whether the grouping corresponding to the first application process, if so, executing S205；Otherwise, then key management module is not decrypted third data, directly return third data.

Specifically, key management module can obtain the mark of caller, the i.e. mark of the first application process when key management module is called by the first application process.Key management module can determine the mark for the application program for including in grouping corresponding to the first application process and the grouping according to the mark of the first application process.Further, whether key management module can determine the second application process in the grouping according to the mark of the second application process.If the second application process is in a packet, third data are decrypted in key management module, i.e. execution step S205.If not in a packet, key management module is not decrypted third data the second application process, third data directly are returned to the first application process.If not in a packet, key management module can also directly refuse the first application process to the decoding request of third data to the second application process, terminate process.

In other words, when second application process accesses the first application process, even if the second application process has access authority, but the second application process and the first application process are simultaneously not belonging to the same grouping, and the second application process can not obtain the plaintext that the first application process is stored in the data of encryption memory block.In this way, if the second application process is rogue program, even if induction user accesses the first application process to the second application process and authorizes, the second application process can not obtain the data of the first application process encryption, improve the safety of encryption data in the first application process.

Third data are decrypted in S205, key management module, obtain the 4th data.

Specifically, key management module obtains the corresponding decruption key of the grouping according to the corresponding grouping of the first application process.Third data are decrypted using the decruption key got, obtain the 4th data.Wherein, the 4th data are the data after third data deciphering, in plain text.

It should also be noted that, the first application process can correspond to a grouping, this is grouped a corresponding decruption key, then the first application process corresponds to a decruption key.Then, key management module is decrypted third data using this decruption key.First application process can also correspond to multiple groupings, each grouping corresponds to a decruption key again in this multiple grouping, then the first application process corresponds to multiple decruption keys.Then, key management module is decrypted third data using this multiple decruption key.The embodiment of the present application is without limitation.

S206, key management module send the 4th data to the first application process.

S207, the first application process send the 4th data to the second application process.

As it can be seen that in the embodiment of the present application, when the second application process needs to access the encryption data of the first application process, needing the first application process application key management module that encryption data is decrypted.And key management module need to first determine the second application process whether in the corresponding grouping of the first application process, if, encryption data is decrypted, and to the first application process return decryption after data.The case where the second application process is avoided as a result, after the permission for accidentally obtaining the first application process of access, just can directly read the data of the first application process generation, improves the safety of the data of the first application process.

It should also be noted that, in the embodiment of the present application, the second application process can decrypt third data to key management module application by the first application process.Second application process directly can also decrypt third data to key management module application, i.e. step S202~S207 can be replaced step S301~S305.

As shown in figure 5, being a kind of method flow diagram of data processing provided by the embodiments of the present application, the method comprising the steps of S201, S301~S305 is specific as follows:

S301, the first application process return to third data to the second application process.

Wherein, if third data are stored in the encryption memory block of the first application process, third data are ciphertext, then the first application process is needed to need that third data are decrypted, i.e. execution step S302.If third data are stored in the non-encrypted memory block of the first application process, third data are as the first application process data finally to be obtained in plain text.

S302, the second application process request decryption third data to key management module, and the mark of third data and the first application process is carried in the request.

It should be noted that the second application process can obtain the mark of caller, the i.e. mark of the first application process when the second application process is called by the first application process.

S303, key management module according to determine the second application process whether the grouping corresponding to the first application process.If so, executing S304；Otherwise, key management module is not decrypted third data, directly returns to third data to the first application process.

Specifically, key management module can also obtain the mark of the second application process when key management module is called by the second application process.So, key management module determines the mark for the application process for including in grouping corresponding to the first application process and the grouping according to the mark of the first application process carried in request.Further, whether key management module can determine the second application process in the grouping according to the mark of the second application process.If the second application process is in a packet, third data are decrypted in key management module, i.e. execution step S304.If not in a packet, key management module is not decrypted third data the second application process, third data directly are returned to the first application process.If not in a packet, key management module can also directly refuse the second application process to the decoding request of third data to the second application process, terminate process.

Third data are decrypted in S304, key management module, obtain the 4th data.

This step can refer to step S205, and it is no longer repeated.

S305, key management module send the 4th data to the second application process.

As a result, in the embodiment of the present application, the second application process can be decrypted the encryption data to key management module application after getting the first application process encryption data.And key management module need to first determine the second application process whether in the corresponding grouping of the first application process, if, encryption data is decrypted, and to the first application process return decryption after data.The case where the second application process is avoided as a result, after the permission for accidentally obtaining the first application process of access, just can directly read the data of the first application process generation, improves the safety of the data of the first application process.

Illustratively, as shown in fig. 6, being a kind of composition schematic diagram of terminal provided by the embodiments of the present application, which includes multiple application processes 601~604, key management module 605 and secure storage module 606.

Wherein, terminal is grouped this multiple application process, and the application process in same grouping carries out encryption and decryption using identical key pair specific data, i.e., can mutual access particular data between the application process in same grouping.Wherein, group technology will be introduced specifically below.Such as: the process that application process 601 and application process 602 are grouped for first.Application process 603 and application process 604 are the process of second packet.

Key management module 605 carries out encryption process, and the encryption and decryption key etc. of creation and each grouping of management to the specific data in each application process for executing.Specifically, key management module 605 further includes grouping management module 60501 and encrypting module 60502.

Wherein, grouping management module 60501, for being grouped according to grouping strategy application processes, grouping management module 60502 can automatically generate grouping strategy, also can receive the setting of user, update grouping strategy, the application to grouping strategy without limitation.Grouping management module 60502 can also request encrypting module 60502 for grouping creation key, establish application and grouping, and/or the corresponding relationship of key etc..Wherein encrypting module 60502, for creating new key pair for grouping, the data of application processes are encrypted, are decrypted.

Secure storage module 606, the key of the encryption and decryption for storing the generation of key management module 605, guarantees the safety of key storage.

Below by taking data processing method provided by the present application applies to terminal as shown in FIG. 6 as an example, technical solution provided by the present application is described in detail.

It is illustrated firstly, for the grouping strategy of application process.Terminal can be according to source, the type of service etc. of the corresponding application program of application process, and application processes are grouped.

Illustratively, grouping strategy can be is grouped according to the downloading source of application program.Specifically, the application program downloaded from the application market in terminal, since these application programs are audited by restocking, it is believed that be believable application program, can be divided into and be grouped for one.It is downloaded from other modes, is downloaded by application market, it is believed that be incredible application program, another grouping can be divided into.

Illustratively, grouping strategy can also be is grouped according to the specific type of service of application program.Specifically, the application program downloaded from application market is in restocking, application market can classify to these application programs, such as: office, shopping, social activity, amusement, news etc..It is possible to be grouped according to these classification to application program, such as same type of application program is divided into a grouping, the application program for being also possible to several types is divided into a grouping, and the embodiment of the present application is without limitation.

It should be noted that, application market is in terminal downloads application program, also the source-information of the application program, type of service are handed down to terminal, so that terminal is grouped or it is sent to terminal to the classification information of application program by application market according to these information.As shown in fig. 7, the flow diagram of publication, restocking audit, classification, downloading for application program.

In some embodiments, after application developer or user have found that application program has malicious act, it can be reported to application market, application market re-starts audit, is grouped again.As shown in figure 8, being audited the flow diagram of restocking again for application program.

Illustratively, grouping strategy can also be the setting according to user, specified that certain application programs are divided into a grouping.Grouping strategy can also be the combination of the above various grouping strategies, and the embodiment of the present application is without limitation.

After terminal determines grouping strategy, terminal is grouped each application program according to grouping strategy, and determines key for each grouping.Specifically, as shown in figure 9, being a kind of method flow schematic diagram of data processing provided by the embodiments of the present application, this method specifically includes:

After S401, terminal detect that third application program is installed, notice packet management module is the corresponding third application process grouping of third application program.

Wherein, third application program is that terminal needs new application program to be mounted, and third application program is different from the first application program and the second application program.

It should be noted that noting that grouping management module, the embodiment of the present application is without limitation after terminal is also possible to the operation for detecting user's requirement installation third application program.

It should also be noted that, installing application program in terminal usually has two classes, one kind is application program of terminal preset, such as short message application, photograph application, browser application etc..When these application programs can be terminal and first power on, voluntarily installed by system trigger terminal.Another kind of is user oneself downloading installation, such as: Meituan application, Alipay application etc., these applications are that have the operation triggering terminal of user to install.Either which kind of mounting means, terminal can be after application program be installed, or after starting installation, notice packet management module.

Third application process is grouped by S402, grouping management module according to grouping strategy.

Specifically, grouping management determines grouping corresponding to third application process according to the information such as the type of service of third application process or downloading source, and the mark of third application process and the packet identification are established corresponding relationship, and it is stored in local.

Further, if third application process is the application program of first installation in the grouping, grouping management module request encrypting module is that the grouping creates new packet key pair, i.e. execution step S403.If third application process is not the application program of first installation in the grouping, grouping management module directly establishes the corresponding relationship between third application process and grouping, key, i.e. execution step S406.

It illustrates, it is assumed that third application process is Meituan application, and shopping grouping is grouped into corresponding to third application process.So, when Meituan application is installed, or user is received in terminal and requires installation Meituan in application, notice packet management module.Meituan application is divided into shopping grouping by grouping management module.It is shopping grouping creation key pair in grouping management module request encrypting module if Meituan application is the application program of first installation in shopping grouping.If Meituan application is not first application program installed in shopping grouping, Meituan is directly established corresponding relationship using the key being grouped with shopping and shopping is grouped by grouping management module.

It is that grouping corresponding to third application process creates key pair that S403, grouping management module, which send request to encrypting module,.

Wherein, the mark of grouping corresponding to third application process is carried in the request.

S403a, encrypting module are that grouping corresponding to third application process creates key pair.

The key pair of creation is stored in secure storage module by S404, encrypting module.

Exemplary, in Android system, secure storage module may include cipher key store (keystore) and keymaster.Wherein, what keystore was used for storage is the index of key pair, the interface for using key pair for providing other application.Keymaster is used to store the content of key pair and carries out encrypting and decrypting processing to data.Specifically, the key pair of creation can be stored in keymaster by keystore by encrypting module, since keymaster and keystore is physically isolated, the storage safety of key pair can be improved.

The information of the key pair of creation is returned to grouping management module by S405, encrypting module.

Wherein, the information of key pair may include the corresponding relationship of the index of packet identification and key pair.

Illustratively, the corresponding relationship of packet identification and the index of key pair can be returned to grouping management module by encrypting module.When encrypting module needs to encrypt, corresponding encryption key can be found from secure storage module according to the index of key pair, be encrypted using the encryption key found.When encrypting module needs to decrypt, corresponding decruption key can be found from secure storage module according to the index of key pair, be decrypted using the close key of the decryption found.

Wherein, step S405 can also be executed before or while S404, and the embodiment of the present application does not limit the ordinal relation between step S404 and S405.

Third application process and grouping, key pair are established corresponding relationship by S406, grouping management module.

Illustratively, the corresponding relationship of packet identification and key pair index that grouping management module is returned according to encrypting module, and local existing third application process mark and packet identification corresponding relationship, establish the mark of third application process, the corresponding relationship of packet identification and key pair index.

It should be noted that if the application program in some grouping sends variation, such as some application program changes to another grouping from a grouping, grouping management module needs the corresponding relationship of more new application and grouping, key pair.

It illustrates, it is assumed that sending in some is grouped has malicious application, which can be rejected from the grouping, change to another grouping, the malicious application is no longer allowed to access the data of other application this grouping Nei.Alternatively, finding that some application can also can need not then reject from the grouping in some grouping, change to another grouping by the assessment to business nature.

Thus, the embodiment of the present application provides a kind of method of data processing, can be grouped to application program, and creates key pair for the grouping, the corresponding relationship of application program and grouping, key pair is established, so as to realize that the application program in same grouping carries out encryption and decryption using same key.

Further, step S102~S104 in the ciphering process of data is refined, then, step S102~S104 can be replaced S501~S507, and as shown in Figure 10, data processing method provided by the embodiments of the present application also specifically includes:

S501, grouping management module receive the first data that the first application process is sent.

Specifically, grouping management module is called by the first application process, the mark of available first application process of grouping management module.

S502, grouping management module obtain the index of the corresponding encryption key of the first application process or key pair according to the mark of the first application process.

Exemplary, grouping management module searches the corresponding packet identification of mark of the first application process, the index of the corresponding encryption key of the packet identification or key pair is further determined according to the packet identification according to the mark of the first application process.And the index of the encryption key or key pair found corresponds to the corresponding encryption key of the first application process or key pair.

The index of first data and the encryption key or key pair that get is sent to encrypting module by S503, grouping management module.

S504, encrypting module read the corresponding encryption key of the first application process from secure storage module according to encryption key or the index of key pair.

S505, encrypting module encrypt the first data according to the encryption key of acquisition, obtain the second data.

The second obtained data are sent to grouping management module by S506, encrypting module.

Second data are sent to the first application process by S507, grouping management module.

Further, step S203~S206 in the decrypting process of data is refined, then, step S203~S206 can be replaced S601~S607, and as shown in figure 11, data processing method provided by the embodiments of the present application also specifically includes:

S601, the first application process are decrypted third data to grouping management module request, and the mark and third data of the second application process are carried in request.

S602, grouping management module according to the mark of the second application process, determine the second application process whether the grouping corresponding to the first application process.If so, thening follow the steps S603.Otherwise, grouping management module does not request encrypting module that third data are decrypted, but directly returns to third data to the first application process.

Specifically, grouping management module can obtain the mark of caller, the i.e. mark of the first application process when grouping management module is called by the first application process.Grouping management module can determine the mark for the application program for including in grouping corresponding to the first application process and the grouping according to the mark of the first application process.Further, whether grouping management module can determine the second application process in the grouping according to the mark of the second application process.If the second application process is in a packet, third data are decrypted in grouping management module request encrypting module, i.e. execution step S603.If not in a packet, grouping management module does not request encrypting module that third data are decrypted to the second application process, but third data directly are returned to the first application process, and the first application process returns to third data to the second application process.

S603, grouping management module obtain the index of the corresponding decruption key of the first application process or key pair according to the mark of the first application process.

Exemplary, grouping management module searches the corresponding packet identification of mark of the first application process, the index of the corresponding decruption key of the packet identification or key pair is further determined according to the packet identification according to the mark of the first application process.And the index of the decruption key or key pair found corresponds to the corresponding encryption key of the first application process or key pair.

The index of third data and the decruption key or key pair that get is sent to encrypting module by S604, grouping management module.

S605, encrypting module read the corresponding decruption key of the first application process from secure storage module according to decruption key or the index of key pair.

S606, encrypting module are decrypted third data according to the decruption key of acquisition, obtain the 4th data.

Wherein, the 4th data are the data after third data deciphering, in plain text.

The 4th obtained data are sent to grouping management module by S607, encrypting module.

4th data are sent to the first application process by S608, grouping management module.

It is understood that above-mentioned terminal etc. is in order to realize the above functions, it comprises execute the corresponding hardware configuration of each function and/or software module.Those skilled in the art should be readily appreciated that, unit and algorithm steps described in conjunction with the examples disclosed in the embodiments of the present disclosure, and the embodiment of the present application can be realized with the combining form of hardware or hardware and computer software.Some function is executed in a manner of hardware or computer software driving hardware actually, specific application and design constraint depending on technical solution.Professional technician can use different methods to achieve the described function each specific application, but this realization is it is not considered that exceed the range of the embodiment of the present invention.

Two or more functions can also be integrated in a processing module according to the division that above method example carries out functional module to above-mentioned terminal etc. for example, each functional module of each function division can be corresponded to by the embodiment of the present application.Above-mentioned integrated module both can take the form of hardware realization, can also be realized in the form of software function module.It should be noted that being schematically that only a kind of logical function partition, there may be another division manner in actual implementation to the division of module in the embodiment of the present invention.

In the case where each function division of use correspondence each functional module, Figure 12 shows a kind of possible structural schematic diagram of terminal involved in above-described embodiment.As shown in figure 12, terminal 1200 includes: the first application program module 1201, the second application program module 1202 and key management module 1203.

Wherein, first application program module 1201 is for supporting terminal to execute S101, S102 and S105 in Fig. 2, S202, S203 and S207 in Fig. 4, the S302 in Fig. 5, S601 in S501 in Figure 10, Figure 11 and/or other processes for techniques described herein.Second application program module 1202 is for supporting terminal to execute the S201a in Fig. 4 and S201, and/or other processes for techniques described herein.Key management module 1203 is for supporting terminal to execute the S103 in Fig. 2 and S104, the S303-S305 in the S204-S206 in Fig. 4, Fig. 5, S402-S406 in Fig. 9, S602-S608 in S502-S507 in Figure 10, Figure 11, and/or other processes for techniques described herein.

Wherein, all related contents for each step that above method embodiment is related to can quote the function description of corresponding function module, and details are not described herein.

Certainly, terminal 1200 can also include secure storage unit 1204, for storing the grouping information in the application, encryption key and decruption key etc..Terminal 1200 can also include communication unit, interact for terminal and other equipment.And, the function of specifically can be realized of above-mentioned functional unit also includes but is not limited to the corresponding function of method and step described in examples detailed above, the detailed description of other units of terminal 1200 can refer to the detailed description of its corresponding method and step, and which is not described herein again for the embodiment of the present application.

Using integrated unit, above-mentioned first application program module 1201, the second application program module 1202 can be the processing module of terminal together with can integrate with key management module 1203.Above-mentioned communication unit can be the communication module of terminal, such as RF circuit, WiFi module or bluetooth module.Above-mentioned secure storage unit can be the memory module of terminal.

Figure 13 shows a kind of possible structural schematic diagram of terminal involved in above-described embodiment.The terminal 1300 includes: processing module 1301, memory module 1302 and communication module 1303.Processing module 1301 is for carrying out control management to the movement of terminal.Memory module 1302, for saving the program code and data of terminal.Communication module 1303 with other terminals for communicating.Wherein, processing module 1301 can be processor or controller, such as it can be central processing unit (Central Processing Unit, CPU), general processor, digital signal processor (Digital Signal Processor, DSP), specific integrated circuit (Application-Specific Integrated Circuit, ASIC), field programmable gate array (Field Programmable Gate Array, FPGA) either other programmable logic device, transistor logic, hardware component or any combination thereof.It, which may be implemented or executes, combines various illustrative logic blocks, module and circuit described in the disclosure of invention.The processor is also possible to realize the combination of computing function, such as combines comprising one or more microprocessors, DSP and the combination of microprocessor etc..Communication module 1303 can be transceiver, transmission circuit or communication interface etc..Memory module 1302 can be memory.

When processing module 1301 is processor (processor 101 as shown in Figure 1), communication module 1303 is RF transmission circuit (radio circuit 102 as shown in Figure 1), when memory module 1302 is memory (memory 103 as shown in Figure 1), terminal provided by the embodiment of the present application can be terminal 100 shown in FIG. 1.Wherein, above-mentioned communication module 1303 not only may include RF circuit, can also include WiFi module and bluetooth module.The communication modules such as RF circuit, WiFi module and bluetooth module may be collectively referred to as communication interface.Wherein, above-mentioned processor, communication interface and memory can be coupled by bus.

Through the above description of the embodiments, it is apparent to those skilled in the art that, for convenience and simplicity of description, only the example of the division of the above functional modules, in practical application, it can according to need and be completed by different functional modules above-mentioned function distribution, i.e., the internal structure of device is divided into different functional modules, to complete all or part of the functions described above.The specific work process of the system, apparatus, and unit of foregoing description, can refer to corresponding processes in the foregoing method embodiment, and details are not described herein.

In several embodiments provided herein, it should be understood that disclosed system, device and method may be implemented in other ways.Such as, the apparatus embodiments described above are merely exemplary, such as, the division of the module or unit, only a kind of logical function partition, there may be another division manner in actual implementation, such as multiple units or components can be combined or can be integrated into another system, or some features can be ignored or not executed.Another point, shown or discussed mutual coupling, direct-coupling or communication connection can be through some interfaces, the indirect coupling or communication connection of device or unit, can be electrical property, mechanical or other forms.

The unit as illustrated by the separation member may or may not be physically separated, and component shown as a unit may or may not be physical unit, it can and it is in one place, or may be distributed over multiple network units.It can some or all of the units may be selected to achieve the purpose of the solution of this embodiment according to the actual needs.

In addition, each functional unit in each embodiment of the application can integrate in one processing unit, it is also possible to each unit and physically exists alone, can also be integrated in one unit with two or more units.Above-mentioned integrated unit both can take the form of hardware realization, can also realize in the form of software functional units.

If the integrated unit is realized in the form of SFU software functional unit and when sold or used as an independent product, can store in a computer readable storage medium.Based on this understanding, substantially all or part of the part that contributes to existing technology or the technical solution can be embodied in the form of software products the technical solution of the application in other words, the computer software product is stored in a storage medium, it uses including some instructions so that a computer equipment (can be personal computer, server or the network equipment etc.) or processor execute all or part of the steps of each embodiment the method for the application.And storage medium above-mentioned includes: the various media that can store program code such as flash memory, mobile hard disk, read-only memory, random access memory, magnetic or disk.

The above, the only specific embodiment of the application, but the protection scope of the application is not limited thereto, and any change or replacement within the technical scope of the present application should all be covered within the scope of protection of this application.Therefore, the protection scope of the application should be based on the protection scope of the described claims.

Claims

A kind of method of data processing, which is characterized in that be applied to terminal, first application process of terminal operating, the second application process and key management process, which comprises

Second application process sends access request to first application process, and the access request is used to request access to the third data of first application process；

The key management process receives the decoding request that the third data are decrypted in request；

If the key management process determines second application process in the process grouping where first application process according to the decoding request, then the key management process is grouped third data described in corresponding decryption key decryption using the process where first application process, obtains the 4th data；

In response to the decoding request, the key management process returns to the 4th data；

Wherein, the terminal is grouped with N number of process；Each of described N number of process grouping includes at least one process, and the grouping of at least one process includes two or more processes；Wherein, N is the integer greater than 1 or equal to 1；N number of process is grouped corresponding M decruption key, and each process is grouped a corresponding decruption key；Wherein, M is positive integer, N >=M.
The method according to claim 1, wherein the decoding request that the key management process receives the request decryption third data is specially

The key management process receives the decoding request that the first application process is sent according to the access request；

The key management process returns to the 4th data specifically:

The key management process returns to the 4th data to first application process；

The method also includes:

First application process sends the 4th data to second application process.
Method according to claim 1 or 2, which is characterized in that the method also includes:

If the key management process determines second application process not in the process grouping where first application process, the key management process sends the third data to first application process；

First application process sends the third data to second application process.
The method according to claim 1, wherein after second application process sends access request to first application process, before the key management process receives the decoding request that the third data are decrypted in request, the method also includes:

Second application process receives the third data that first application process is sent；

The key management process receives the decoding request that the third data are decrypted in request specifically:

The key management process receives the decoding request that second application process is sent；

The key management process returns to the 4th data specifically:

The key management process returns to the 4th data to second application process.
According to the method described in claim 4, it is characterized in that, the method also includes:

If the key management process determines second application process not in the process grouping where first application process, the key management process sends the third data to second application process.
Method according to claim 1-5, which is characterized in that third data described in corresponding decryption key decryption are grouped using the process where first application process in the key management process, before obtaining the 4th data, the method also includes:

The key management process obtains the mark of first application process；

The key management process determines the mark of the process grouping where first application process according to the mark of first application process；

The key management process obtains the corresponding decruption key of process grouping where first application process according to the mark of the process grouping where first application process.
Method according to claim 1-6, which is characterized in that the method also includes:

First application process requests the key management process to encrypt the first data；

Process where the key management process determines first application process according to the request is grouped；

The key management process is grouped corresponding encryption key using the process where first application process and encrypts to first data, generates the second data；N number of process is grouped corresponding M encryption key, and each process is grouped a corresponding encryption key corresponding with its decruption key；

The key management process sends second data to first application process.
The method according to the description of claim 7 is characterized in that after the key management process sends second data to first application process, the method also includes:

First application process saves second data.
According to the method described in claim 8, it is characterized in that, the process grouping where the key management process determines first application process according to the request includes:

The key management process obtains the mark of first application process；

The key management process determines the mark of the process grouping where first application process according to the mark of first application process；

The key management process obtains the corresponding encryption key of process grouping where first application process according to the mark of the process grouping where first application process.
A kind of terminal, which is characterized in that including the first application program module, the second application program module and key management module,

Second application program module, for sending access request to first application program module, the access request is used to request access to the third data of the first application process；

The key management module decrypts the decoding request of the third data for receiving request；

The key management module, determine the second application process in the process grouping where first application process according to the decoding request if being also used to the key management module, third data described in corresponding decryption key decryption then are grouped using the process where first application process, obtain the 4th data；

The key management module is also used to return to the 4th data in response to the decoding request；

Wherein, the terminal is grouped with N number of process；Each of described N number of process grouping includes at least one process, and the grouping of at least one process includes two or more processes；Wherein, N is the integer greater than 1 or equal to 1；N number of process is grouped corresponding M decruption key, and each process is grouped a corresponding decruption key；Wherein, M is positive integer, N >=M.
Terminal according to claim 10, which is characterized in that

The key management module is also used to receive the decoding request that the first application program module is sent according to the access request:

The key management module is also used to return to the 4th data to first application program module；

First application program module, for sending the 4th data to second application program module.
Terminal described in 0 or 11 according to claim 1, it is characterized in that, the key management module, if being also used to the key management module determines that second application process in the process grouping where first process, does not send the third data to first application program module；

First application program module is also used to send the third data to second application program module.
Terminal according to claim 10, which is characterized in that

Second application program module is also used to receive the third data that first application program module is sent；

The key management module is also used to receive the decoding request that second application program module is sent；

The key management module is also used to return to the 4th data to second application program module.
Terminal according to claim 13, it is characterized in that, the key management module, if being also used to the key management module determines that second application process in the process grouping where first application process, does not send the third data to second application program module.
The described in any item terminals of 0-14 according to claim 1, which is characterized in that

The key management module is also used to obtain the mark of first application program module；

The key management module is also used to the mark according to first application program module, determines the mark of the process grouping where first application program module；

The key management module, is also used to the mark according to the process grouping where first application program module, and the process where obtaining first application program module is grouped corresponding decruption key.
The described in any item terminals of 0-15 according to claim 1, which is characterized in that

First application program module is also used to that the key management module is requested to encrypt the first data；

The key management module is also used to determine the process grouping where first application program module according to the request；

The key management module, the process where being also used for first application program module are grouped corresponding encryption key and encrypt to first data, generate the second data；N number of process is grouped corresponding M encryption key, and each process is grouped a corresponding encryption key corresponding with its decruption key；

The key management module is also used to send second data to first application program module.
Terminal according to claim 16, which is characterized in that

First application program module is also used to save second data.
Terminal according to claim 17, which is characterized in that

The key management module is also used to obtain the mark of first application program module；

The key management module is also used to the mark according to first application program module, determines the mark of the process grouping where first application program module；

The key management module, is also used to the mark according to the process grouping where first application program module, and the process where obtaining first application program module is grouped corresponding encryption key.
A kind of terminal, it is characterized in that, it include: processor, memory and touch screen, the memory, the touch screen are coupled with the processor, the memory is for storing computer program code, the computer program code includes computer instruction, when the processor reads the computer instruction from the memory, in the method for execution data processing as described in any one of claim 1-9.
A kind of computer storage medium, which is characterized in that including computer instruction, when the computer instruction is run at the terminal, so that the method that the terminal executes the data processing as described in any one of claim 1-9.
A kind of computer program product, which is characterized in that when the computer program product is run on computers, so that the method that the computer executes the data processing as described in any one of claim 1-9.