CN114697381A - Service operation method and device, storage medium and electronic equipment - Google Patents

Publication number
CN114697381A
Authority
CN
China
Prior art keywords
server application
service
target
sandbox
application package
Legal status
Pending
Application number
CN202210303262.XA
Other languages
Chinese (zh)
Inventor
杨晓龙
Current Assignee
Jingdong Technology Holding Co Ltd
Original Assignee
Jingdong Technology Holding Co Ltd
Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The present disclosure relates to the field of computer processing, and in particular, to a service operation method, a service operation apparatus, a storage medium, and an electronic device. The service operation method is applied to the sandbox and comprises the following steps: responding to an operation request of a target service sent by a client, and extracting a server application identifier corresponding to the target service; sending the server application identifier to a control platform to acquire server application information returned by the control platform; and determining a target server application package according to the server application information so as to run the target service based on the target server application package. The service operation method provided by the disclosure can solve the problem of safety control of service operation data.

Description

Service operation method and device, storage medium and electronic equipment
Technical Field
The present disclosure relates to the field of computer processing, and in particular, to a service operation method, a service operation apparatus, a storage medium, and an electronic device.
Background
Existing services run in the client in technical forms such as native development, H5, React Native, and Flutter. Whatever the form, the service runs directly in the client, and its network transmission and local data storage are exposed in the client environment, so security control means are lacking and access by third-party services carries a risk of information leakage.
A third-party service runs directly inside the client application, where the user information and other sensitive data stored by the client application can be accessed arbitrarily, which creates a risk of data leakage. In addition, the front end of the third-party service communicates with the service server directly from within the client at runtime, without any security control means.
It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the present disclosure, and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
The present disclosure is directed to providing a service operation method, a service operation apparatus, a storage medium, and an electronic device, and aims to solve the problem of security management and control of service operation data.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of the disclosure.
According to an aspect of the embodiments of the present disclosure, a service operation method is provided, which is applied to a sandbox, and includes: responding to an operation request of a target service sent by a client, and extracting a server application identifier corresponding to the target service; sending the server application identifier to a control platform to acquire server application information returned by the control platform; and determining a target server application package according to the server application information so as to run the target service based on the target server application package.
According to some embodiments of the present disclosure, based on the foregoing solution, the determining a target server application package according to the server application information includes: detecting whether the sandbox has a local server application package corresponding to the target service; when the local server application package does not exist, determining the target server application package based on a target address in the server application information; and when the local server application package exists, determining the target server application package based on the local server application package.
According to some embodiments of the present disclosure, based on the foregoing solution, the determining the target server application package based on the local server application package includes: judging whether the local server application package needs to be updated according to version information in the server application information; when an update is needed, obtaining the target server application package based on the target address in the server application information; and when the local server application package is judged not to need updating, taking the local server application package as the target server application package.
According to some embodiments of the present disclosure, based on the foregoing solution, when the local server application package exists, the method further includes: performing signature verification of the signature information of the local server application package against the signature information in the server application information; when the signature verification passes, determining the target server application package based on the local server application package; and when the signature verification fails, determining the target server application package based on a target address in the server application information.
According to some embodiments of the present disclosure, based on the foregoing solution, when the target service is executed based on the target server application package, the method further includes: detecting whether an application communication request exists; wherein the application communication request is requested by the target server application package to a service server; when the application communication request is detected to exist, the service server and/or the application communication request are/is verified; and executing the application communication request after the verification is passed.
According to some embodiments of the present disclosure, based on the foregoing scheme, the verifying the service server includes: and performing white list verification on the service server according to a server white list in the server application information.
According to some embodiments of the present disclosure, based on the foregoing scheme, the verifying the application communication request includes: and performing certificate verification on the application communication request.
According to some embodiments of the present disclosure, based on the foregoing scheme, the executing the application communication request includes: intercepting the application communication request, and generating a sandbox application request based on a business server corresponding to the application communication request; wherein the sandbox application request is requested by the sandbox from the service server; sending the sandbox application request to the service server to obtain a data result returned by the service server; and transmitting the data result back to the target server application package.
According to some embodiments of the present disclosure, based on the foregoing solution, when the target service is executed based on the target server application package, the method further includes: detecting whether a data storage request exists; when a data storage request exists, encrypting data to be stored corresponding to the data storage request to obtain encrypted data; and storing the encrypted data to a storage area of the sandbox.
According to a second aspect of the embodiments of the present disclosure, there is provided a service operating apparatus, including: the response module is used for responding to an operation request of a target service sent by a client and extracting a server application identifier corresponding to the target service; sending the server application identifier to a control platform to acquire server application information returned by the control platform; and determining a target server application package according to the server application information so as to run the target service based on the target server application package.
According to a third aspect of the embodiments of the present disclosure, there is provided a computer-readable storage medium on which a computer program is stored, the program, when executed by a processor, implementing the service operation method as in the above embodiments.
According to a fourth aspect of the embodiments of the present disclosure, there is provided an electronic apparatus, including: one or more processors; a storage device, configured to store one or more programs, which when executed by the one or more processors, cause the one or more processors to implement the service operation method as in the above embodiments.
Exemplary embodiments of the present disclosure may have some or all of the following advantages:
In the technical solutions provided by some embodiments of the present disclosure, when a target service needs to be run in a client, the client sends a request to a sandbox to invoke it; the sandbox then obtains server application information from the management and control platform, determines a target server application package, and finally runs the target service in the sandbox using that package. Compared with running a third-party service directly in the client application, the service operation method provided by the present disclosure moves execution into a sandbox that is isolated from the host application. On the one hand, the running environment is more closed and safer, and the risk of data leakage can be avoided; on the other hand, service operation is more controllable, which facilitates security management of activities such as service data requests and storage.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure. It is to be understood that the drawings in the following description are merely exemplary of the disclosure, and that other drawings may be derived from those drawings by one of ordinary skill in the art without the exercise of inventive faculty. In the drawings:
FIG. 1 schematically illustrates a flow chart of a service operation method in an exemplary embodiment of the present disclosure;
FIG. 2 is a schematic diagram illustrating a data interaction for determining a target server application package in an exemplary embodiment of the present disclosure;
FIG. 3 is a schematic flow chart illustrating a method by which the sandbox determines a target server application package in an exemplary embodiment of the present disclosure;
FIG. 4 is a flow diagram schematically illustrating a method for sandboxing a target business in an exemplary embodiment of the present disclosure;
FIG. 5 schematically illustrates a composition diagram of a service operation apparatus in an exemplary embodiment of the present disclosure;
FIG. 6 schematically illustrates a schematic diagram of a computer-readable storage medium in an exemplary embodiment of the disclosure;
FIG. 7 schematically shows a structural diagram of a computer system of an electronic device in an exemplary embodiment of the disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and so forth. In other instances, well-known methods, devices, implementations, or operations have not been shown or described in detail to avoid obscuring aspects of the disclosure.
The block diagrams shown in the figures are functional entities only and do not necessarily correspond to physically separate entities. I.e. these functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor means and/or microcontroller means.
The flow charts shown in the drawings are merely illustrative and do not necessarily include all of the contents and operations/steps, nor do they necessarily have to be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.
Implementation details of the technical solution of the embodiments of the present disclosure are set forth in detail below.
Fig. 1 schematically shows a flow chart of a service operation method in an exemplary embodiment of the present disclosure. As shown in fig. 1, the service operation method includes steps S101 to S103:
step S101, in response to an operation request of a target service sent by a client, extracting a server application identifier corresponding to the target service;
step S102, the server application identification is sent to a control platform so as to obtain server application information returned by the control platform;
step S103, determining a target server application package according to the server application information, and running the target service based on the target server application package.
In the technical solutions provided by some embodiments of the present disclosure, when a target service needs to be run in a client, the client sends a request to a sandbox to invoke it; the sandbox then obtains server application information from the management and control platform, determines a target server application package, and finally runs the target service in the sandbox using that package. Compared with running a third-party service directly in the client application, the service operation method provided by the present disclosure moves execution into a sandbox that is isolated from the host application. On the one hand, the running environment is more closed and safer, and the risk of data leakage can be avoided; on the other hand, service operation is more controllable, which facilitates security management of activities such as service data requests and storage.
Hereinafter, each step of the service operation method in this exemplary embodiment will be described in more detail with reference to the drawings and the embodiments.
In step S101, in response to an operation request of a target service sent by a client, a server application identifier corresponding to the target service is extracted.
In one embodiment of the present disclosure, when the client needs to run the target service, it starts a sandbox, which runs an application package of the server application.
The client is the host App in which the target service function executes, and may include an iOS application and an Android application.
The target service may be a third-party service, presented by a corresponding server application, e.g. H5, React Native, Flutter, etc.
The sandbox is a virtual isolation sandbox that is bound to the client in advance. It is an independent, safe and controllable operating environment for service functions that provides the basic capabilities required for operation, and it depends on the host App to run.
The application package is a web application and is the technical carrier in which the service function executes, such as an HTML page or an applet.
The client therefore sends the operation request of the target service to the sandbox, and the sandbox responds to the request by extracting the server application identifier corresponding to the target service, namely the application Key.
In addition, when the client starts the sandbox, the sandbox can check the client that sent the operation request and start only when it determines that the client is the one it was bound to in advance. Alternatively, the client can send the fingerprint information of its bound sandbox to the sandbox, so that the sandbox starts only when it finds that the fingerprint information matches. This further ensures operational security and prevents the sandbox from being forged.
In step S102, the server application identifier is sent to a management and control platform, so as to obtain server application information returned by the management and control platform.
In one embodiment of the disclosure, when creating a web application, the management and control platform assigns an application Key to the application as a server application identifier, and meanwhile, an application package in the server application is stored in the management and control platform in an offline compressed form and can be updated periodically. Each application Key corresponds to the detail information of the application package, i.e., the server application information.
The sandbox therefore takes the application Key sent by the client and communicates with the management and control platform over the network through its internal network module. When the management and control platform receives the application Key passed by the sandbox, it extracts the corresponding server application information based on the application Key.
In step S103, a target server application package is determined according to the server application information, so as to run the target service based on the target server application package.
In an embodiment of the present disclosure, the sandbox receives the server application information returned by the management and control platform and needs to determine the target server application package that will finally be used to run the target service.
Therefore, the determining a target server application package according to the server application information includes: detecting whether a local server application package corresponding to the target service exists in the sandbox; when the local server application package does not exist, determining the target server application package based on a target address in the server application information; and when the local server application package exists, determining the target server application package based on the local server application package.
Specifically, whether the sandbox has the downloaded application package or not can be judged, if the application package is opened for the first time, the offline application package does not exist locally, the downloading needs to be performed first, and at this time, the downloading of the application package can be performed through the target address in the server application information.
And if the offline application package exists locally, determining the target server application package according to the existing offline application package.
Further, the determining the target server application package based on the local server application package comprises: judging whether the local server application package needs to be updated according to version information in the server application information; when an update is needed, obtaining the target server application package based on the target address in the server application information; and when the local server application package is judged not to need updating, using the local server application package as the target server application package.
Specifically, the server application information further includes version information of the application package, and whether the current application package is the latest version is determined according to the version information. If it is not the latest version, an update is required.
When an update is needed, the local server application package is updated according to the target address in the server application information to obtain the target server application package. It should be noted that the downloading process and the updating process may share a target address.
When the local server application package is judged not to need updating, it is already the latest version and can be used directly as the target server application package.
In one embodiment of the present disclosure, when the local server application package is present, it may also be checked whether the local server application package is usable, i.e. whether it has been tampered with or replaced. Thus, prior to said determining said target server application package based on said local server application package, said method further comprises: performing signature verification of the signature information of the local server application package against the signature information in the server application information; when the signature verification passes, determining the target server application package based on the local server application package; and when the signature verification fails, determining the target server application package based on a target address in the server application information.
Specifically, the signature generated from a tampered application package is inconsistent with the signature in the issued server application information, so the application package is verified using the signature information. If the verification passes, the application package is usable, and the target server application package is determined according to the local server application package. If the signature verification fails, the application package may have been tampered with or replaced, and it may be re-downloaded.
And finally, after the target server application package is determined, the application is used for realizing the presentation of the target service and completing the service operation.
In an embodiment of the present disclosure, before obtaining the server application information returned by the management and control platform, the method further includes: sending the fingerprint information of the sandbox to the control platform so that the control platform can carry out sandbox authorization verification based on the fingerprint information; when the management and control platform passes the sandbox authorization verification, server application information returned by the management and control platform is acquired; and/or when the management and control platform passes the registration and verification of the server application identifier, acquiring server application information returned by the management and control platform.
Specifically, to further enhance security management, the sandbox and the application also need to be verified.
For example, the management and control platform needs to perform a sandbox check. When the sandbox communicates with the management and control platform over the network through its internal network module, it needs to pass its fingerprint information, and the management and control platform performs authorization verification according to the fingerprint information.
Further, the method further comprises: registering on the management and control platform based on the sandbox information of the sandbox to acquire the fingerprint information of the sandbox distributed by the management and control platform.
That is, the sandbox SDK needs to register with the management and control platform, which generates the fingerprint information. If the fingerprint information shows that the sandbox is authorized by the management and control platform, the target service can be executed.
Therefore, the management and control platform needs to perform authorization verification of the incoming sandbox based on the fingerprint information, checking whether that sandbox is registered with the platform. Only after the verification passes does it extract the server application information based on the application Key and return it to the sandbox. If the check fails, the sandbox fails to start and the target service cannot be run.
In this way, service functions can be prevented from executing in an unauthorized sandbox SDK and sandbox forgery can be prevented, which makes operation safer and more controllable.
As another example, the management and control platform also needs to check the application Key. The management and control platform generates an application Key when it creates an application, so if the application Key exists, the application package is registered in the management and control platform and has a corresponding server application identifier.
Therefore, the management and control platform can verify the application Key, and when the application Key is valid, the management and control platform extracts the server application information based on the application Key and returns it to the sandbox.
Fig. 2 is a schematic diagram illustrating data interaction for determining a target server application package according to an exemplary embodiment of the present disclosure. As shown in fig. 2, the method for determining a target server application package includes the following steps:
step S201, the client sends an operation request of a target service to the sandbox;
step S202, the sandbox is started after the check is passed;
step S203, the fingerprint information and the application Key are transmitted: the sandbox passes parameters such as the fingerprint information and the application Key to the management and control platform through its internal network module;
step S204, the fingerprint and the Key are verified: the management and control platform verifies the fingerprint information to check whether the sandbox is authorized by the management and control platform, and verifies the application Key to check whether the application package is registered in the management and control platform;
step S205, server application information is returned: the application Key is used to acquire the detail information of the web application, namely the server application information, which includes one or more of signature information, version information, download address, update address, service server white list and the like;
step S206, the target server application package is determined: the sandbox judges from the returned server application information whether the application package needs to be downloaded or updated, and finally determines the target server application package.
Fig. 3 is a schematic flow chart illustrating a method by which the sandbox determines a target server application package according to an exemplary embodiment of the present disclosure. Referring to fig. 3, the method includes the following steps:
step S301, the sandbox judges whether to download the application package; if downloading is needed, executing step S302, if not, executing step S303;
step S302, downloading an application package according to a target address to obtain a target server application package;
step S303, judging whether to update the application package according to the version information; if the updating is needed, executing step S304, if not, executing step S305;
step S304, updating the application packet according to the target address to obtain a target server application packet;
step S305, inquiring a local application package to obtain a target server application package;
step S306, loading the target server application package.
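The decision in steps S301 to S305, combined with the signature check on a local package described for the signature verification unit, can be written out as follows. This is an added Python sketch, not code from the patent. It assumes the "signature information" is a SHA-256 digest of the package, that the download and update addresses are separate fields, and that a fetched package is checked against the same digest (a check the page does not state); all names and sample values are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class ServerAppInfo:
    """Subset of the server application information returned by the platform."""
    version: str
    signature: str      # assumption: SHA-256 hex digest of the package bytes
    download_url: str
    update_url: str


@dataclass(frozen=True)
class LocalPackage:
    """A server application package already present in the sandbox."""
    version: str
    content: bytes


def signature_matches(content: bytes, expected_hex: str) -> bool:
    """Compare the package digest with the platform's value in constant time."""
    actual = hashlib.sha256(content).hexdigest().encode()
    return hmac.compare_digest(actual, expected_hex.strip().lower().encode())


def resolve_target_package(
    info: ServerAppInfo,
    local: Optional[LocalPackage],
    fetch: Callable[[str], bytes],
) -> Tuple[str, bytes]:
    """Return (action, package bytes); action is 'download', 'update' or 'local'."""
    if local is None:
        action, url = "download", info.download_url      # S301 -> S302
    elif local.version != info.version:
        action, url = "update", info.update_url          # S303 -> S304
    elif signature_matches(local.content, info.signature):
        return "local", local.content                    # S305
    else:
        # Local copy has the right version but the wrong signature:
        # fall back to the target address, as for a failed signature check.
        action, url = "download", info.download_url
    content = fetch(url)
    # Added assumption: a fetched package is held to the same signature.
    if not signature_matches(content, info.signature):
        raise ValueError(f"{action}: fetched package does not match the platform signature")
    return action, content


# Constructed sample data (not from the patent).
SAMPLE_PACKAGE = b"constructed web application package, version 1.3.0"
SAMPLE_INFO = ServerAppInfo(
    version="1.3.0",
    signature=hashlib.sha256(SAMPLE_PACKAGE).hexdigest(),
    download_url="https://packages.example.invalid/app/full",
    update_url="https://packages.example.invalid/app/update",
)


def sample_fetch(url: str) -> bytes:
    """Offline stand-in for the sandbox's internal network module."""
    return SAMPLE_PACKAGE


if __name__ == "__main__":
    cases = {
        "no local package": None,
        "older local package": LocalPackage("1.2.0", b"old build"),
        "current, intact": LocalPackage("1.3.0", SAMPLE_PACKAGE),
        "current, modified": LocalPackage("1.3.0", b"modified on disk"),
    }
    for label, local in cases.items():
        action, _ = resolve_target_package(SAMPLE_INFO, local, sample_fetch)
        print(f"{label:22s} -> {action}")
```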
Based on this method, compared with presenting the service directly through the client application, presenting the service by having the sandbox launch the server web application provides a closed and secure running environment that is isolated from the host App. This prevents the client application from arbitrarily accessing sensitive data such as user information, guarding against the risk of data leakage, and also effectively resists interference from external code.
Meanwhile, because the target service runs in the closed and secure sandbox environment, the flow of service data (for example, data transmission and data storage) is easier to manage, so that the service data is secure and controllable.
In one embodiment of the present disclosure, when the target service is executed based on the target server application package, the method further includes: detecting whether an application communication request exists, wherein the application communication request is a request made by the target server application package to a service server; when the application communication request is detected, verifying the service server and/or the application communication request; and executing the application communication request after the verification passes.
Dynamically building the page may depend on data that requires communication with the service server. In that case an application communication request is generated and sent by the application package to the service server. To apply security control to the data transmitted over the network, several control measures are proposed.
For example, the service server may be verified. In an embodiment of the present disclosure, the verifying the service server includes: performing white list verification on the service server according to a server white list in the server application information.
Specifically, the server application information may include a server white list corresponding to the application package, and only a service server on the white list may respond to the application communication request. A white list check can therefore be performed on the server domain name, ensuring that requests falling outside the white list are denied.
For example, the application communication request may also be verified. In an embodiment of the present disclosure, the verifying the application communication request includes: performing certificate verification on the application communication request.
Here, the certificate verification is HTTPS certificate verification. Adding HTTPS certificate verification guards against the risk of the application communication request packets being tampered with.
For example, when an application communication request is executed, the sandbox may also intercept and forward it. In one embodiment of the present disclosure, the executing the application communication request includes: intercepting the application communication request, and generating a sandbox application request based on the service server corresponding to the application communication request, wherein the sandbox application request is a request made by the sandbox to the service server; sending the sandbox application request to the service server to obtain a data result returned by the service server; and transmitting the data result back to the target server application package.
Specifically, to prevent H5 from exposing request and response data in debug mode, a sandbox intercept-and-forward mode is designed. When the application package needs to make an application communication request to the service server, the sandbox intercepts the request and continues executing it with the safer and more reliable network module inside the sandbox, thereby generating a sandbox application request made by the sandbox to the service server. After the service server responds, the data result is transmitted to the sandbox, and the sandbox then passes it back to the application package.
Based on this method, the ability to communicate with the service server is handed to the network module in the sandbox, which improves the security of data transmission.
It should be noted that the verification of the service server, the verification of the application communication request, and the sandbox interception and forwarding may be adopted selectively as needed; one of them may be chosen, or several may be combined.
In one embodiment of the present disclosure, when the target service is executed based on the target server application package, the method further includes: detecting whether a data storage request exists; when a data storage request exists, encrypting data to be stored corresponding to the data storage request to obtain encrypted data; and storing the encrypted data in a storage area of the sandbox.
Specifically, when the application package needs to store data locally while running a service function, the access function of the sandbox may be used in order to ensure the security of sensitive information, so that the data is read and written inside the sandbox and is isolated from the host App.
Meanwhile, in order to further improve the security of the data, the stored data can be encrypted by using a safe and reliable encryption algorithm and then stored.
Based on the method, the local storage of the service data is performed through the function provided by the sandbox, the local storage is effectively isolated from the host App environment, and meanwhile, the stored data is encrypted and protected, so that the leakage of sensitive data is prevented.
Fig. 4 schematically illustrates a flowchart of a method by which the sandbox runs a target service in an exemplary embodiment of the present disclosure. Referring to Fig. 4, the method by which the sandbox runs the target service includes the following steps:
Step S401, service data is acquired;
Step S402, white list verification is performed according to the white list in the server application information; if the verification passes, step S403 is executed; if not, step S409 is executed;
Step S403, HTTPS certificate verification is performed on the application communication request; if the verification passes, step S404 is executed; if not, step S409 is executed;
Step S404, the sandbox intercepts and forwards the application communication request;
Step S405, the service server processes the data;
Step S406, the service operation of page rendering is completed;
Step S407, the page data produced by the page rendering is encrypted;
Step S408, the encrypted page data is stored locally using the access function of the sandbox;
Step S409, when the white list verification fails or the HTTPS certificate verification fails, a page loading exception is returned.
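The request gate of steps S402 to S404 and S409 is sketched below as an added Python example, not code from the patent. The host names, `PageLoadError`, and the `transport` callable standing in for the sandbox's network module are assumptions, and the encryption and storage steps S407 to S408 are left out.

```python
import ssl
from typing import Callable, Iterable
from urllib.parse import urlsplit


class PageLoadError(Exception):
    """Stands for the page loading exception of step S409."""


def normalize_host(host: str) -> str:
    """Lower-case the host and drop a trailing root dot before comparing."""
    return host.rstrip(".").lower()


def check_request(url: str, whitelist: Iterable[str]) -> str:
    """Apply S402 (white list) then S403 (HTTPS only); return the verified host."""
    # URL parsers disagree about backslashes and whitespace, so refuse them
    # rather than guess which host the request would really reach.
    if any(ch in url for ch in "\\ \t\r\n"):
        raise PageLoadError("ambiguous characters in request URL")
    try:
        parts = urlsplit(url)
        host = parts.hostname        # excludes any userinfo and port
    except ValueError as exc:
        raise PageLoadError(f"unparsable request URL: {exc}") from exc
    if not host:
        raise PageLoadError("request URL has no host")
    host = normalize_host(host)
    allowed = {normalize_host(h) for h in whitelist}
    if host not in allowed:          # exact match: no suffix or substring match
        raise PageLoadError(f"host not on the white list: {host}")
    if parts.scheme != "https":
        raise PageLoadError("request is not HTTPS")
    return host


def tls_context() -> ssl.SSLContext:
    """TLS settings the sandbox network module uses for the forwarded request."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True             # certificate must name the host
    ctx.verify_mode = ssl.CERT_REQUIRED   # an unverifiable chain fails the request
    return ctx


def sandbox_forward(
    url: str,
    whitelist: Iterable[str],
    transport: Callable[[str, str, ssl.SSLContext], bytes],
) -> bytes:
    """S404: the sandbox, not the application package, issues the request."""
    host = check_request(url, whitelist)
    return transport(url, host, tls_context())


# Constructed white list, as it might arrive in the server application information.
SAMPLE_WHITELIST = ("api.example.invalid", "static.example.invalid")

if __name__ == "__main__":
    samples = [
        "https://api.example.invalid/v1/orders",
        "https://API.example.invalid.:8443/v1/orders",
        "http://api.example.invalid/v1/orders",
        "https://api.example.invalid@other.example.invalid/",
        "https://api.example.invalid.other.example.invalid/",
    ]
    for sample in samples:
        try:
            print("forward", check_request(sample, SAMPLE_WHITELIST), "<-", sample)
        except PageLoadError as err:
            print("blocked", f"({err})", "<-", sample)
```

The comparison is made on the parsed host only, so userinfo, ports and look-alike suffixes cannot satisfy the white list.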
Fig. 5 schematically illustrates a composition diagram of a service operation apparatus in an exemplary embodiment of the present disclosure, and as shown in fig. 5, the service operation apparatus 500 may include a response module 501, an obtaining module 502, and an operation module 503. Wherein:
a response module 501, configured to respond to an operation request of a target service sent by a client, and extract a server application identifier corresponding to the target service;
an obtaining module 502, configured to send the server application identifier to a management and control platform, so as to obtain server application information returned by the management and control platform;
an operation module 503, configured to determine a target server application package according to the server application information, so as to operate the target service based on the target server application package.
According to an exemplary embodiment of the present disclosure, the operation module 503 includes a download judging unit, configured to detect whether the sandbox has a local server application package corresponding to the target service; when the local server application package does not exist, determine the target server application package based on a target address in the server application information; and when the local server application package exists, determine the target server application package based on the local server application package.
According to an exemplary embodiment of the present disclosure, the operation module 503 further includes an update determining unit, configured to determine whether the local server application package needs to be updated according to version information in the server application information; when it needs to be updated, obtain the target server application package based on the target address in the server application information; and when it does not need to be updated, take the local server application package as the target server application package.
According to an exemplary embodiment of the present disclosure, the operation module 503 further includes a signature verification unit, configured to, when the local server application package exists, perform signature verification on the signature information of the local server application package against the signature information in the server application information; when the signature verification passes, determine the target server application package based on the local server application package; and when the signature verification fails, determine the target server application package based on a target address in the server application information.
According to an exemplary embodiment of the present disclosure, the service operating apparatus 500 further includes a verification module (not shown in the figure) configured to register on the management and control platform based on the sandbox information of the sandbox, so as to obtain the fingerprint information of the sandbox allocated by the management and control platform.
According to an exemplary embodiment of the present disclosure, the service operating apparatus 500 further includes a request management and control module (not shown in the figure) for detecting whether there is an application communication request, wherein the application communication request is a request made by the target server application package to a service server; when the application communication request is detected, verifying the service server and/or the application communication request; and executing the application communication request after the verification passes.
According to an exemplary embodiment of the present disclosure, the request management and control module further includes a white list checking unit, configured to perform white list checking on the service server according to a server white list in the server application information.
According to an exemplary embodiment of the present disclosure, the request management and control module further includes a certificate verification unit, configured to perform certificate verification on the application communication request.
According to an exemplary embodiment of the present disclosure, the request management and control module further includes a request execution unit, configured to intercept the application communication request, and generate a sandbox application request based on a service server corresponding to the application communication request; wherein the sandbox application request is requested by the sandbox from the service server; sending the sandbox application request to the service server to obtain a data result returned by the service server; and transmitting the data result back to the target server application package.
According to an exemplary embodiment of the present disclosure, the service operating apparatus 500 further includes a storage management and control module (not shown in the figure) for detecting whether there is a data storage request; when a data storage request exists, encrypting data to be stored corresponding to the data storage request to obtain encrypted data; and storing the encrypted data in a storage area of the sandbox.
The details of each module in the service operation apparatus 500 are already described in detail in the corresponding service operation method, and therefore are not described herein again.
It should be noted that although several modules or units of the device for action execution are mentioned in the above detailed description, such a division is not mandatory. Indeed, according to embodiments of the present disclosure, the features and functions of two or more modules or units described above may be embodied in one module or unit. Conversely, the features and functions of one module or unit described above may be further divided so as to be embodied by a plurality of modules or units.
In an exemplary embodiment of the present disclosure, there is also provided a storage medium capable of implementing the above-described method. Fig. 6 schematically illustrates a schematic diagram of a computer-readable storage medium in an exemplary embodiment of the disclosure, and as shown in fig. 6, a program product 600 for implementing the above method according to an embodiment of the disclosure is described, which may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a mobile phone. However, the program product of the present disclosure is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
In an exemplary embodiment of the present disclosure, an electronic device capable of implementing the above method is also provided. Fig. 7 schematically shows a structural diagram of a computer system of an electronic device in an exemplary embodiment of the disclosure.
It should be noted that the computer system 700 of the electronic device shown in fig. 7 is only an example, and should not bring any limitation to the functions and the application scope of the embodiment of the present disclosure.
As shown in Fig. 7, the computer system 700 includes a Central Processing Unit (CPU) 701, which can perform various appropriate actions and processes according to a program stored in a Read-Only Memory (ROM) 702 or a program loaded from a storage section 708 into a Random Access Memory (RAM) 703. In the RAM 703, various programs and data necessary for system operation are also stored. The CPU 701, the ROM 702, and the RAM 703 are connected to each other via a bus 704. An Input/Output (I/O) interface 705 is also connected to the bus 704.
The following components are connected to the I/O interface 705: an input section 706 including a keyboard, a mouse, and the like; an output section 707 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage section 708 including a hard disk and the like; and a communication section 709 including a network interface card such as a LAN (Local Area Network) card, a modem, and the like. The communication section 709 performs communication processing via a network such as the internet. A drive 710 is also connected to the I/O interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 710 as necessary, so that a computer program read out therefrom is installed into the storage section 708 as necessary.
In particular, the processes described below with reference to the flowcharts may be implemented as computer software programs, according to embodiments of the present disclosure. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 709, and/or installed from the removable medium 711. The computer program, when executed by a Central Processing Unit (CPU) 701, performs various functions defined in the system of the present disclosure.
It should be noted that the computer readable medium shown in the embodiments of the present disclosure may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a Read-Only Memory (ROM), an Erasable Programmable Read-Only Memory (EPROM), a flash Memory, an optical fiber, a portable Compact Disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present disclosure, a computer-readable signal medium may include a propagated data signal with computer-readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present disclosure may be implemented by software or by hardware, and the described units may also be disposed in a processor. The names of the units do not, in some cases, constitute a limitation on the units themselves.
As another aspect, the present disclosure also provides a computer-readable medium, which may be contained in the electronic device described in the above embodiments; or may exist separately without being assembled into the electronic device. The computer readable medium carries one or more programs which, when executed by an electronic device, cause the electronic device to implement the method described in the above embodiments.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a touch terminal, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This disclosure is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice in the art to which the disclosure pertains.
It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims (14)

1. A service operation method, applied to a sandbox, characterized by comprising the following steps:
responding to an operation request of a target service sent by a client, and extracting a server application identifier corresponding to the target service;
sending the server application identifier to a management and control platform to acquire server application information returned by the management and control platform;
and determining a target server application package according to the server application information so as to run the target service based on the target server application package.
2. The service operation method according to claim 1, wherein the determining a target server application package according to the server application information includes:
detecting whether the sandbox has a local server application package corresponding to the target service;
when the local server application package does not exist, determining the target server application package based on a target address in the server application information;
determining the target server application package based on the local server application package when the local server application package is present.
3. The service operation method according to claim 2, wherein the determining the target server application package based on the local server application package comprises:
judging whether the local server application package needs to be updated according to version information in the server application information;
when the local server application package needs to be updated, obtaining the target server application package based on the target address in the server application information;
and when the local server application package does not need to be updated, taking the local server application package as the target server application package.
4. The service operation method according to claim 2, wherein when the local server application package exists, the method further comprises:
signature verification is carried out on the signature information of the local server application package and the signature information in the server application information;
when the signature verification passes, determining the target server application package based on the local server application package;
and when the signature verification fails, determining the target server application package based on the target address in the server application information.
5. The service operation method according to claim 1, wherein before obtaining the server application information returned by the management and control platform, the method further comprises:
sending the fingerprint information of the sandbox to the management and control platform so that the management and control platform can carry out sandbox authorization verification based on the fingerprint information;
when the sandbox authorization verification by the management and control platform passes, acquiring the server application information returned by the management and control platform; and/or
when the registration verification of the server application identifier by the management and control platform passes, acquiring the server application information returned by the management and control platform.
6. The service operation method according to claim 5, wherein before the responding to the operation request of the target service sent by the client, the method further comprises:
registering on the management and control platform based on the sandbox information of the sandbox to acquire the fingerprint information of the sandbox allocated by the management and control platform.
7. The service operation method according to claim 1, wherein when running the target service based on the target server application package, the method further comprises:
detecting whether an application communication request exists; wherein the application communication request is a request made by the target server application package to a service server;
when the application communication request is detected, verifying the service server and/or the application communication request;
and executing the application communication request after the verification passes.
8. The service operation method according to claim 7, wherein the verifying the service server comprises:
performing white list verification on the service server according to a server white list in the server application information.
9. The service operation method according to claim 7, wherein the verifying the application communication request comprises:
performing certificate verification on the application communication request.
10. The service operation method according to claim 7, wherein the executing the application communication request comprises:
intercepting the application communication request, and generating a sandbox application request based on the service server corresponding to the application communication request; wherein the sandbox application request is a request made by the sandbox to the service server;
sending the sandbox application request to the service server to obtain a data result returned by the service server;
and transmitting the data result back to the target server application package.
11. The service operation method according to claim 1, wherein when running the target service based on the target server application package, the method further comprises:
detecting whether a data storage request exists;
when a data storage request exists, encrypting data to be stored corresponding to the data storage request to obtain encrypted data;
and storing the encrypted data in a storage area of the sandbox.
12. A service operation apparatus, comprising:
the response module is used for responding to an operation request of a target service sent by a client and extracting a server application identifier corresponding to the target service;
the acquisition module is used for sending the server application identifier to a control platform so as to acquire server application information returned by the control platform;
and the operation module is used for determining a target server application package according to the server application information so as to operate the target service based on the target server application package.
13. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out a service operation method according to any one of claims 1 to 11.
14. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to carry out a method of service operation according to any of claims 1 to 11.
CN202210303262.XA 2022-03-24 2022-03-24 Service operation method and device, storage medium and electronic equipment Pending CN114697381A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210303262.XA CN114697381A (en) 2022-03-24 2022-03-24 Service operation method and device, storage medium and electronic equipment

Publications (1)

Publication Number Publication Date
CN114697381A true CN114697381A (en) 2022-07-01

Family

ID=82138981

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210303262.XA Pending CN114697381A (en) 2022-03-24 2022-03-24 Service operation method and device, storage medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN114697381A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080016339A1 (en) * 2006-06-29 2008-01-17 Jayant Shukla Application Sandbox to Detect, Remove, and Prevent Malware
US20100146523A1 (en) * 2008-12-05 2010-06-10 Tripod Ventures Inc./ Entreprises Tripod Inc. Browser environment application and local file server application system
US20110283284A1 (en) * 2010-05-13 2011-11-17 Sap Ag Distributed business process management system with local resource utilization
US20140351889A1 (en) * 2011-12-28 2014-11-27 Beijing Qihoo Technology Company Limited Sandbox technology based webpage browsing method and device
US20150213259A1 (en) * 2014-01-27 2015-07-30 Microsoft Corporation Web Service Sandbox System
WO2018036321A1 (en) * 2016-08-24 2018-03-01 中兴通讯股份有限公司 Email viewing method, and user terminal
CN113949579A (en) * 2021-10-20 2022-01-18 安天科技集团股份有限公司 Website attack defense method and device, computer equipment and storage medium

Similar Documents

Publication Publication Date Title
US11637707B2 (en) System and method for managing installation of an application package requiring high-risk permission access
Jung et al. Repackaging attack on android banking applications and its countermeasures
JP3753885B2 (en) Host system elements of the international cryptosystem
Sivakumaran et al. A Study of the Feasibility of Co-located App Attacks against BLE and a Large-Scale Analysis of the Current Application-Layer Security Landscape
CN110333868B (en) Method and system for generating installation packages of sub-applications
CN108701201A (en) A kind of access control method of mobile terminal, device, terminal and storage medium
CN109960903A (en) A kind of method, apparatus, electronic equipment and storage medium that application is reinforced
CN111639327A (en) Authentication method and device for open platform
CN105718807A (en) Android system based on software TCM and trusted software stack and trusted authentication system and method thereof
CN110708335A (en) Access authentication method and device and terminal equipment
US20210390173A1 (en) Interaction Method and Apparatus
CN108595950A (en) A kind of safe Enhancement Methods of SGX of combination remote authentication
CN106357694A (en) Method and device for processing access request
CN111083093A (en) Method and device for calling terminal capability
CN111783051A (en) Identity authentication method and device and electronic equipment
CN106709281A (en) Patch releasing and obtaining method and device
CN110581833B (en) Service security protection method and device
Park et al. TGVisor: A tiny hypervisor-based trusted geolocation framework for mobile cloud clients
CN110430213A (en) Service request processing method, apparatus and system
CN114697381A (en) Service operation method and device, storage medium and electronic equipment
CN106648770B (en) Generation method, loading method and device of application program installation package
Khadiranaikar et al. Improving Android application security for intent based attacks
Park et al. A tiny hypervisor-based trusted geolocation framework with minimized TPM operations
CN112926047A (en) Authorization control method and device for localized deployment product, electronic equipment and medium
DONG et al. Sesoa: Security enhancement system with online authentication for android apk

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination