WO2017220014A1 - System permission management method and apparatus, and intelligent terminal - Google Patents

System permission management method and apparatus, and intelligent terminal

Publication number: WO2017220014A1
Authority: WO, WIPO (PCT)
Prior art keywords: application, signature information, signature, legal, upgraded
Application number: PCT/CN2017/089743
Inventor: 刘华
Original Assignee: 中兴通讯股份有限公司
Application filed by: 中兴通讯股份有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G06F21/45 Structures or tools for the administration of authentication

Definitions

  • The present invention relates to the field of intelligent terminals, and in particular to a system permission management method, apparatus, and intelligent terminal.
  • Current smart devices support only a single signature. If the user installs an apk whose signature does not match the system signature, use of the apk is restricted, which in effect limits the smart device's general support for various applications and reduces device compatibility. This seriously affects the user experience, especially for operator customers with special needs.
  • An operator that wants its apk to have system permissions generally has two options:
  • The above two methods are complicated to use and difficult to operate.
  • The first method requires the operator to send the apk to the terminal manufacturer for signing, but the operator's application store holds many apks that often need to be upgraded, which makes this difficult to operate.
  • The second method requires the manufacturer to provide the signature file to the operator, which to some extent leaks the manufacturer's signature information and poses a significant risk to the manufacturer's information and technical security. The existing methods therefore all try to set the application's signature to the single system signature specified by the intelligent terminal manufacturer in order to obtain system permissions. As analyzed above, this approach is difficult to operate and carries security risks.
  • The system permission management method, apparatus and intelligent terminal provided by the embodiments of the present invention mainly address the technical problem that existing approaches, which try to set the application's signature to the single system signature set by the smart terminal manufacturer in order to obtain system permissions, are difficult to operate and carry security risks.
  • an embodiment of the present invention provides a system rights management method, including:
  • After obtaining the application to be installed, the smart terminal acquires the signature information of the application;
  • The signature information is matched against the legal signature information in a preset legal signature list, where the preset legal signature list includes the system signature information of the smart terminal system and at least one operator signature information;
  • When the signature information matches the legal signature information, the application is allowed to be installed on the smart terminal and is set to have system permission.
  • An embodiment of the present invention further provides a system rights management apparatus, including:
  • the signature information obtaining module is configured to acquire signature information of the application after the smart terminal acquires the application to be installed;
  • the authentication module is configured to match the signature information with the legal signature information in the preset legal signature list, where the preset legal signature list includes system signature information of the smart terminal system and at least one operator signature information;
  • the rights management module is configured to allow the application to be installed on the smart terminal when the matching of the signature information and the legal signature information is successful, and set the application to have system rights.
  • the embodiment of the invention further provides an intelligent terminal, comprising the system rights management device as described above.
  • the embodiment of the invention further provides a computer storage medium, wherein the computer storage medium stores computer executable instructions, and the computer executable instructions are used to execute the foregoing system authority management method.
  • The legal signature list may be preset. In addition to the system signature information of the intelligent terminal system, the preset legal signature list includes at least one operator signature information; that is, the signature information of the corresponding operator can be added to the legal signature list of the smart terminal in advance.
  • In this way, after the smart terminal obtains the application to be installed, the signature information of the application can be matched directly against the legal signature information in the preset legal signature list. If it matches any legal signature information in the list, the application is allowed to be installed on the smart terminal and is set to have system permission.
  • The smart terminal thus no longer supports only one system signature but can support two or more; the operator does not need to send the application to the terminal manufacturer to have the signature set, and the terminal manufacturer does not need to send its own signature information to the operator. System permissions for operator applications can therefore be supported and managed more simply and conveniently, with improved security.
  • FIG. 1 is a schematic flowchart of a system authority management method in an application installation process according to Embodiment 1 of the present invention.
  • FIG. 2 is a schematic flowchart of a system authority management method in an application upgrade process according to Embodiment 1 of the present invention.
  • FIG. 3 is a schematic flowchart of a system authority management method in an application running process according to Embodiment 1 of the present invention.
  • FIG. 4 is a schematic structural diagram of an intelligent terminal according to Embodiment 2 of the present invention.
  • FIG. 5 is a first schematic structural diagram of a system authority management apparatus according to Embodiment 2 of the present invention.
  • FIG. 6 is a second schematic structural diagram of a system authority management apparatus according to Embodiment 2 of the present invention.
  • FIG. 7 is a third schematic structural diagram of a system authority management apparatus according to Embodiment 2 of the present invention.
  • Embodiment 1:
  • The system permission management method provided by this embodiment is applicable to intelligent terminals running various systems, for example Android, iOS, Windows Phone, Symbian, BlackBerry OS and Windows Mobile. It applies to mobile terminals such as mobile phones, IPADs and readers, and also to non-mobile smart terminals.
  • A legal signature list may be set first, with the legal signature information pre-stored in it. The list naturally includes the system signature information of the intelligent terminal system, that is, the default signature information preset by the smart terminal manufacturer.
  • the legal signature information in this embodiment further includes at least one operator signature information. Specifically, each operator can negotiate with the corresponding smart terminal manufacturer, and let the terminal manufacturer store the operator's operator signature information as legal information in the legal signature list. Therefore, the number of the operator signature information included in the embodiment and the signature information of the specific carrier may be flexibly set according to the actual application scenario.
  • When the intelligent terminal performs system permission management through signature authentication, it no longer relies only on the terminal's system signature information but manages each application according to the legal signature information in the legal signature list; when an application's signature information matches any of the operator signature information, system permission can also be granted to that application. The operator therefore does not need to send applications to the terminal manufacturer for signing again and again, which saves manpower, material resources and cost; at the same time, the terminal manufacturer does not need to send its own signature information to the operator, which avoids the security risk.
  • The legal signature information in the legal signature list in this embodiment can be updated in real time. For example, when a new operator joins or the signature information of a previously joined operator changes, the corresponding update information can be sent to the smart terminal directly or by the terminal manufacturer, and the legal signature information in the legal signature list is updated according to the update message.
  • the system rights management method in this embodiment includes:
  • S101 The smart terminal acquires an application to be installed.
  • The smart terminal can obtain the installation package of the application to be installed from the operator's application store or from other sources.
  • S102 Acquire signature information of the application.
  • the signature information may be obtained from the installation package of the application.
  • The signature information at this point is generally the operator's signature information, but it may also be the system signature information of the terminal system, for example when the operator has previously obtained the system signature information of the terminal system.
  • S104 Determine whether the matching is successful, if yes, go to S105; otherwise, go to S106.
  • In this determining step, if the acquired signature information matches any legal signature information in the legal signature list, the matching is successful.
  • S105 Allow the application to be installed on the smart terminal and set it to have system permission, that is, the application can apply for system permission after installation.
  • S106 Allow the application to be installed on the smart terminal and set it to have no system permission, that is, the application cannot apply for system permission after installation. In this way the intelligent terminal can support multiple signatures while keeping the system operating as securely as possible.
  • An installation package generally carries identification information for applying for system permission. Therefore, in this embodiment, before the signature information of the application to be installed is obtained for matching, it may first be determined whether the installation package contains the identifier for applying for system permission. If it does, the process proceeds to S102 to acquire the signature information and make the subsequent judgment; otherwise, the process goes directly to S106: the application is installed but cannot apply for system permission afterwards.
  • the following uses the application apk of the Android system as an example.
  • the obtained signature information is first matched with the system signature information in the legal signature list. If the matching is successful, the signature authentication is successful. Otherwise, the signature information is matched with the remaining operator signature information.
  • When the legal signature list contains multiple operator signature entries, they can be matched one by one. A priority can also be set in advance for each operator's signature information, for example a higher priority for operators that publish more applications, and matching then proceeds in priority order; alternatively, the entries can be matched in random order.
  • Signature information 2 may be added to the legal signature list as legal signature information through the update process described above. When signature information 2 is determined to be inconsistent with signature information 1, signature information 2 is matched against the legal signature information in the legal signature list, using the matching rules described above.
  • If the matching succeeds, the application to be upgraded is allowed to be upgraded and is set to have system permission; if the matching fails, the application is judged to have possibly been maliciously tampered with, and the upgrade is not allowed.
  • the specific process is shown in Figure 2, including:
  • S202 Obtain the signature information 2 after the upgrade of the application to be upgraded and the current signature information 1 before the upgrade.
  • the upgraded signature information can be obtained from the upgrade package.
  • S203 determining whether the two signature information is consistent, if yes, go to S204; otherwise, go to S205;
  • S205 Match the signature information 2 with the legal signature information in the preset legal signature list.
  • the specific matching rule can also use the matching rule of the above example.
  • S206 Determine whether the matching is successful, if yes, go to S207; otherwise, go to S208.
  • While an application installed on the smart terminal is running, in particular an application entitled to apply for system permission, and one of its actions actually needs to use system permission (for example, downloading and installing or uninstalling other applications), the application may be authenticated again.
  • A system permission application request sent by an application running on the smart terminal is received; the signature information of the application that initiated the request is then obtained and matched against the legal signature information in the legal signature list, and the request is allowed if the matching succeeds.
  • S301 The application in a certain running process on the smart terminal sends a system permission application request.
  • S302 Acquire signature information of an application that initiates a system permission application request.
  • S303 Match the obtained signature information with the legal signature information in the preset legal signature list.
  • the specific matching rule can also use the matching rule of the above example.
  • S304 Determine whether the matching is successful, if yes, go to S305; otherwise, go to S306.
  • S305 Allow the application that initiated the system permission application request to continue performing the above action.
  • S306 Do not allow the application that initiated the system permission application request to perform the above action.
  • In this embodiment, the operator's signature information is set in advance in the smart terminal as legal signature information for subsequent signature authentication, which enables the intelligent terminal to support multi-signature authentication with minimal modification. Compared with existing intelligent terminals, which support only one signature authentication scheme, this is lower in cost, more flexible to control, and more secure.
  • Embodiment 2:
  • This embodiment provides an intelligent terminal.
  • The system of the smart terminal may be any of Android, iOS, Windows Phone, Symbian, BlackBerry OS, Windows Mobile and the like; the terminal may be a mobile terminal such as a mobile phone, an IPAD or a reader, or a non-mobile smart terminal.
  • the intelligent terminal includes a system authority management device 10.
  • the system rights management apparatus 10 includes a list maintenance module 11, a signature information acquisition module 12, an authentication module 13, and an authority management module 14.
  • The list maintenance module 11 is configured to maintain a preset legal signature list on the smart terminal. The legal signature list pre-stores the legal signature information that is allowed to use system permission, which naturally includes the system signature information of the intelligent terminal system, that is, the default signature information preset by the smart terminal manufacturer.
  • the legal signature information in this embodiment further includes at least one operator signature information. Specifically, each operator can negotiate with the corresponding smart terminal manufacturer, and let the terminal manufacturer store the operator's operator signature information as legal information in the legal signature list. Therefore, the number of the operator signature information included in the embodiment and the signature information of the specific carrier may be flexibly set according to the actual application scenario.
  • When the intelligent terminal performs system permission management through signature authentication, it no longer relies only on the terminal's system signature information but manages each application according to the legal signature information in the legal signature list; when an application's signature information matches any of the operator signature information, system permission can also be granted to that application. The operator therefore does not need to send applications to the terminal manufacturer for signing again and again, which saves manpower, material resources and cost; at the same time, the terminal manufacturer does not need to send its own signature information to the operator, which avoids the security risk.
  • The legal signature information in the legal signature list in this embodiment can be updated in real time. For example, when a new operator joins or the signature information of a previously joined operator changes, the corresponding update information may be sent to the smart terminal directly or by the terminal manufacturer, and the list maintenance module 11 updates the legal signature information in the legal signature list according to the update message.
  • the signature information obtaining module 12 is configured to obtain the signature information of the application after the smart terminal acquires the application to be installed; specifically, the signature information may be obtained from the installation package of the application.
  • the authentication module 13 is configured to match the signature information acquired by the signature information acquiring module 12 with the legal signature information in the legal signature list.
  • the authentication module 13 can be matched by the following matching rules:
  • the obtained signature information is first matched with the system signature information in the legal signature list. If the matching is successful, the signature authentication is successful. Otherwise, the signature information is matched with the remaining operator signature information.
  • When the legal signature list contains multiple operator signature entries, they can be matched one by one. A priority can also be set in advance for each operator's signature information, for example a higher priority for operators that publish more applications, and matching then proceeds in priority order; alternatively, the entries can be matched in random order.
  • The rights management module 14 is configured to allow the application to be installed on the smart terminal and set it to have system permission when the signature information matches the legal signature information; otherwise, it allows the application to be installed on the smart terminal but sets it to have no system permission, that is, the application cannot apply for system permission after installation. In this way the intelligent terminal can support multiple signatures while keeping the system operating as securely as possible.
  • The system rights management apparatus 10 further includes an application type determining module 15 configured to determine whether the installation package of the application to be installed contains identification information for applying for system permission and, if so, to notify the signature information acquisition module 12 to acquire its signature information for the subsequent judgment.
  • The system rights management apparatus in this embodiment further includes an upgrade processing module 16. In an application upgrade process:
  • the signature information obtaining module 12 is further configured to: when the smart terminal has an application to be upgraded, obtain the signature information of the upgraded application and the current signature information before the upgrade of the application to be upgraded;
  • the upgrade processing module 16 is configured to determine whether the signature information of the upgraded application and the current signature information before the upgrade of the application to be upgraded are consistent;
  • the authentication module 13 is further configured to match the upgraded signature information with the legal signature information in the legal signature list when the determination result of the upgrade processing module 16 is inconsistent;
  • The rights management module 14 is further configured to allow the application to be upgraded when the authentication module 13 matches successfully, and to set the upgraded application to have system permission; otherwise, the upgrade is not allowed, to prevent malicious tampering. This avoids the situation where the operator's earlier applications cannot be upgraded normally after the operator's signature information changes, while still preventing malicious tampering, and further improves the rationality and accuracy of system permission management.
  • While an application installed on the smart terminal is running, in particular an application entitled to apply for system permission, and one of its actions actually needs to use system permission (for example, downloading and installing or uninstalling other applications), the application may be authenticated again:
  • The signature information acquiring module 12 is further configured to acquire the signature information of the application that initiates a system permission application request when an application on the smart terminal sends such a request while running;
  • the authentication module 13 is further configured to match the signature information with the legal signature information in the legal signature list; the matching rule may also adopt the foregoing matching rule, or may adopt other rules different from the foregoing rules.
  • The rights management module 14 is further configured to allow the application to exercise the system permission when the authentication module matches successfully, that is, to allow the application to continue performing the above action; otherwise, the application is prohibited from exercising the system permission, that is, prohibited from continuing the action, and a corresponding error message may pop up.
  • The smart terminal in this embodiment sets the operator's signature information in advance as legal signature information for subsequent signature authentication, so that the smart terminal can support multi-signature authentication with minimal modification. Compared with existing smart terminals, which support only one signature authentication scheme, this is lower in cost, more flexible to control, and more secure.
  • Embodiments of the present invention also provide a storage medium including a stored program, wherein the program described above executes the method of any of the above.
  • the foregoing storage medium may include, but is not limited to, a USB flash drive, a Read-Only Memory (ROM), and a Random Access Memory (RAM).
  • Embodiments of the present invention also provide a processor for running a program, wherein the program is executed to perform the steps of any of the above methods.
  • The modules or steps of the present invention described above can be implemented by general-purpose computing devices; they can be centralized on a single computing device or distributed across a network of multiple computing devices. Optionally, they may be implemented as program code executable by a computing device, so that they may be stored in a storage device and executed by the computing device; in some cases the steps shown or described may be performed in an order different from that given here, or they may be fabricated as individual integrated circuit modules, or several of the modules or steps may be fabricated as a single integrated circuit module.
  • the invention is not limited to any specific combination of hardware and software.
  • The system permission management method, apparatus and intelligent terminal provided by the embodiments of the present invention have the following beneficial effects: after the smart terminal obtains the application to be installed, the signature information of the application can be matched directly against the legal signature information in the preset legal signature list. If it matches any legal signature information in the list, the application is allowed to be installed on the smart terminal and is set to have system permission.
  • The smart terminal thus no longer supports only one system signature but can support two or more; the operator does not need to send the application to the terminal manufacturer to have the signature set, and the terminal manufacturer does not need to send its own signature information to the operator. Support and management of system permissions for operator applications can be implemented, and security is improved.
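
The three flows described above (install S101-S106, upgrade S202-S208, run-time S301-S306), written out as one added Python example; it is not code from the patent. It assumes that "signature information" is a SHA-256 digest of the signer certificate and that S204, which is not spelled out on this page, lets a same-signer upgrade proceed unchanged; the certificate bytes are constructed and the package names are hypothetical.

```python
"""Install (S101-S106), upgrade (S202-S208) and run-time (S301-S306) checks
against a legal signature list holding one system signer and several operators."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample signer certificates (placeholder bytes, not real certificates).
VENDOR_CERT = b"constructed-terminal-vendor-cert"
OPERATOR_A_CERT = b"constructed-operator-a-cert"
OPERATOR_B_CERT = b"constructed-operator-b-cert"
UNKNOWN_CERT = b"constructed-unlisted-cert"


def cert_digest(cert: bytes) -> str:
    """Assumption: 'signature information' is the SHA-256 of the signer certificate."""
    return hashlib.sha256(cert).hexdigest()


@dataclass
class LegalSignatureList:
    system_digest: str
    # digest -> (operator name, priority)
    operators: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def add_operator(self, name: str, digest: str, priority: int = 0) -> None:
        """List update: a new operator joins, or an operator adds a new signature."""
        self.operators[digest] = (name, priority)

    def match(self, digest: str) -> Optional[str]:
        """System signature first, then operator entries in descending priority."""
        if digest == self.system_digest:
            return "system"
        ordered = sorted(self.operators.items(), key=lambda kv: -kv[1][1])
        for known, (name, _priority) in ordered:
            if digest == known:
                return name
        return None


@dataclass
class InstalledApp:
    digest: str
    system_permission: bool


class Terminal:
    def __init__(self, legal: LegalSignatureList) -> None:
        self.legal = legal
        self.apps: Dict[str, InstalledApp] = {}

    def install(self, package: str, cert: bytes, requests_system: bool) -> bool:
        """Returns True if system permission was granted; the app installs either way."""
        digest = cert_digest(cert)                                   # S102
        # Pre-check: a package without the system-permission identifier skips
        # matching and is installed without system permission (S106).
        granted = requests_system and self.legal.match(digest) is not None  # S103/S104
        self.apps[package] = InstalledApp(digest, granted)           # S105 or S106
        return granted

    def upgrade(self, package: str, new_cert: bytes) -> bool:
        """Returns True if the upgrade is accepted."""
        app = self.apps[package]
        new_digest = cert_digest(new_cert)                           # S202
        if new_digest == app.digest:                                 # S203
            return True  # S204 (assumed): same signer, permission state unchanged
        if self.legal.match(new_digest) is None:                     # S205/S206
            return False  # S208: possible tampering, upgrade refused
        app.digest, app.system_permission = new_digest, True         # S207
        return True

    def request_system_action(self, package: str) -> bool:
        """Re-check at the moment a system-permission action is attempted."""
        app = self.apps[package]                                     # S301/S302
        # S303-S306: only an app that was granted system permission can ask,
        # and its signer must still match the list.
        return app.system_permission and self.legal.match(app.digest) is not None


def demo() -> dict:
    legal = LegalSignatureList(cert_digest(VENDOR_CERT))
    legal.add_operator("operator-a", cert_digest(OPERATOR_A_CERT), priority=2)
    terminal = Terminal(legal)
    return {
        "operator app installed with system permission":
            terminal.install("com.example.store", OPERATOR_A_CERT, True),
        "unlisted signer installed with system permission":
            terminal.install("com.example.tool", UNKNOWN_CERT, True),
        "upgrade re-signed by unlisted signer accepted":
            terminal.upgrade("com.example.store", UNKNOWN_CERT),
        "run-time request from operator app allowed":
            terminal.request_system_action("com.example.store"),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

S205 checks only membership in the list, so the flow as described also accepts an upgrade signed by a different listed operator than the one that installed the app; an implementation that wants to rule that out would additionally record which list entry matched at install time.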

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

A system permission management method and apparatus, and an intelligent terminal. A valid signature list is preset, the preset valid signature list comprising signature information of at least one operator in addition to system signature information of an intelligent system. After an application to be installed is obtained on the intelligent terminal (S101), signature information of the application is directly matched with valid signature information in the preset valid signature list (S103). If the signature information of the application is successfully matched with any valid signature information in the valid signature list (S104), the application is allowed to be installed on the intelligent terminal and is set to possess a system permission (S105). The intelligent system can support two or more system signatures, the operator does not need to send the application to a terminal vendor to have the signature set, and the terminal vendor does not need to send its own signature information to the operator. Support and management of the system permission of the operator application can be simply and conveniently implemented, and the security can be improved.

Description

System authority management method, device and intelligent terminal
Technical field
The present invention relates to the field of intelligent terminals, and in particular to a system permission management method, apparatus, and intelligent terminal.
Background
At present, applications on the various intelligent terminals on the market (such as mobile phones, set-top boxes and IPADs) must pass system signature authentication to obtain terminal system permissions, and these terminals support only one system signature: the default signature information set by the terminal manufacturer. As a result, essentially only the terminal's built-in applications have system permissions, while the third-party applications provided by operators are generally signed with the operator's own signature information, so applications provided by operators cannot obtain terminal system permissions normally. For example, if a user installs an apk on an Android smart terminal that is not signed with the system signature, the apk cannot obtain system permissions. As the above shows, current smart devices support only a single signature. If the user installs an apk whose signature does not match the system signature, use of the apk is restricted, which in effect limits the smart device's general support for various applications and reduces device compatibility. This seriously affects the user experience, especially for operator customers with special needs. At present, an operator that wants its apk to have system permissions generally has two options:
Method one:
1. Add the attribute android:sharedUserId="android.uid.system" to the manifest node in the application's AndroidManifest.xml.
2. Modify the Android.mk file and add the line LOCAL_CERTIFICATE:=platform.
3. Compile with the mm command.
Method two:
1. As above, add the attribute android:sharedUserId="android.uid.system".
2. Compile the apk file with eclipse; this apk file cannot be used as it is.
3. Open the apk file with an archive tool and delete the two files CERT.SF and CERT.RSA in the META-INF directory.
4. Re-sign the apk file with the platform key of the target system. This step is more troublesome.
A. First find the key files; in my Android source tree they are in "build/target/product/security/", namely the two files platform.pk8 and platform.x509.pem.
B. Then sign with the Signapk tool provided by Android. The source code of signapk is under "build/tools/signapk", and the usage is "signapk platform.x509.pem platform.pk8 input.apk output.apk". The apk generated this way runs in the system process and has system permission.
Both methods are complicated and hard to operate. Method one requires the operator to send the apk to the terminal manufacturer for signing, but an operator's app store contains many apks that need frequent upgrades, so this is difficult in practice. Method two requires the manufacturer to provide its signing files to the operator, which to some extent leaks the manufacturer's signature information and poses a considerable risk to the manufacturer's information and technical security. Existing methods thus all try to give the application the single system signature specified by the smart terminal manufacturer in order to obtain system permission and, as analysed above, this approach is difficult to operate and carries security risks.
Summary of the invention
The system permission management method, apparatus and smart terminal provided by the embodiments of the present invention mainly address the following technical problem: existing approaches obtain system permission by setting the application's signature to the single system signature information set by the smart terminal manufacturer, which is difficult to operate and carries security risks.
To solve the above technical problem, an embodiment of the present invention provides a system permission management method, including:
after the smart terminal acquires an application to be installed, acquiring the signature information of the application;
matching the signature information against the legal signature information in a preset legal signature list, where the preset legal signature list contains the system signature information of the smart terminal system and at least one piece of operator signature information;
when the signature information matches any one piece of the legal signature information, allowing the application to be installed on the smart terminal and setting the application to have system permission.
An embodiment of the present invention further provides a system permission management apparatus, including:
a signature information acquisition module, configured to acquire the signature information of an application after the smart terminal acquires the application to be installed;
an authentication module, configured to match the signature information against the legal signature information in a preset legal signature list, where the preset legal signature list contains the system signature information of the smart terminal system and at least one piece of operator signature information;
a permission management module, configured to allow the application to be installed on the smart terminal and to set the application to have system permission when the signature information matches any one piece of the legal signature information.
An embodiment of the present invention further provides a smart terminal including the system permission management apparatus described above.
An embodiment of the present invention further provides a computer storage medium storing computer-executable instructions, the computer-executable instructions being used to execute the foregoing system permission management method.
The beneficial effects of the embodiments of the present invention are:
According to the system permission management method, apparatus, smart terminal and storage medium provided by the embodiments of the present invention, a legal signature list can be preset. Besides the system signature information of the smart terminal system, the preset list can include at least one piece of operator signature information; that is, the signature information of the relevant operators can be added to the smart terminal's legal signature list in advance. After the smart terminal acquires an application to be installed, the application's signature information can be matched directly against the legal signature information in the preset list; if it matches any one entry, the application is allowed to be installed on the smart terminal and is set to have system permission. In this way the smart terminal no longer supports only one system signature but can support two or more. The operator does not need to send applications to the terminal manufacturer for signing, and the terminal manufacturer does not need to send its own signature information to the operator, so support for and management of system permission for operator applications becomes simpler and more convenient, and security is improved.
Brief description of the drawings
FIG. 1 is a schematic flowchart of the system permission management method during application installation according to Embodiment 1 of the present invention;
FIG. 2 is a schematic flowchart of the system permission management method during application upgrade according to Embodiment 1 of the present invention;
FIG. 3 is a schematic flowchart of the system permission management method while an application is running according to Embodiment 1 of the present invention;
FIG. 4 is a schematic structural diagram of the smart terminal according to Embodiment 2 of the present invention;
FIG. 5 is a first schematic structural diagram of the system permission management apparatus according to Embodiment 2 of the present invention;
FIG. 6 is a second schematic structural diagram of the system permission management apparatus according to Embodiment 2 of the present invention;
FIG. 7 is a third schematic structural diagram of the system permission management apparatus according to Embodiment 2 of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the protection scope of the present invention.
Embodiment 1:
The system permission management method provided by this embodiment applies to smart terminals of various types running various systems, for example Android, iOS, Windows Phone, Symbian, BlackBerry OS and Windows Mobile. It applies to mobile smart terminals such as mobile phones, iPads and e-readers, and also to non-mobile smart terminals.
In this embodiment, to manage smart terminal system permission, a legal signature list is set up first. The list stores in advance each piece of legal signature information that is allowed to use system permission. This naturally includes the system signature information of the smart terminal system, that is, the default signature information preset by the terminal manufacturer. In addition, the legal signature information in this embodiment includes at least one piece of operator signature information. Specifically, each operator can negotiate with the corresponding terminal manufacturer so that the manufacturer stores the operator's signature information in the legal signature list as legal information. The number of operator signatures in the list, and which operators they belong to, can therefore be set flexibly according to the actual application scenario. With this arrangement, when the smart terminal manages system permission through signature authentication, it no longer relies only on the terminal's system signature information but manages each application according to the legal signature information in the list; when an application's signature information matches any one of the operator signatures, system permission can also be granted to that application. The operator no longer needs to send applications to the terminal manufacturer for signing repeatedly, which saves manpower, material resources and cost; at the same time, the terminal manufacturer does not need to send its own signature information to the operator, which avoids the security risk.
In addition, as follows from the description above, the legal signature information in the list can be updated in real time. For example, when a new operator joins, or the signature information of an operator already on the list changes, the corresponding update information can be sent to the smart terminal, either directly or by the terminal manufacturer, and the legal signature information in the list is updated according to that update message.
Based on the above settings, and referring to FIG. 1, the system permission management method in this embodiment includes:
S101: The smart terminal acquires an application to be installed.
In this step the smart terminal may obtain the installation package of the application to be installed from an operator's app store or from another source.
S102: Acquire the signature information of the application.
The signature information can be obtained from the application's installation package. It is generally the operator's signature information, but it may also be the system signature information of the terminal system, for example when the operator has previously obtained the terminal's system signature information.
S103: Match the acquired signature information against the legal signature information in the preset legal signature list.
S104: Determine whether the match succeeded. If so, go to S105; otherwise, go to S106.
In this determination, the match is considered successful as soon as the acquired signature information matches any one piece of legal signature information in the list.
S105: Allow the application to be installed on the smart terminal and set it to have system permission; that is, the application can apply for system permission after installation.
S106: Allow the application to be installed on the smart terminal and set it to not have system permission; that is, the application cannot apply for system permission after installation. This lets the smart terminal support multiple signatures while keeping the system as secure as possible.
In this embodiment, not every application on the terminal needs to apply for system permission. An application that does need it generally carries identification information for applying for system permission in its installation package. Therefore, before acquiring the signature information of an application to be installed and matching it, it can first be determined whether the application's installation package contains such identification information. If it does, the method proceeds to S102 to acquire the signature information and perform the subsequent checks; otherwise it goes directly to S106 and installs the application, which cannot apply for system permission after installation. An Android apk is used as an example below.
For an apk installation package on Android, whether the identification information is present can be checked in its AndroidManifest.xml. If it is absent, the apk has not applied for system permission, and such an apk can be installed on the smart terminal directly without verifying its signature information.
In S103, when the acquired signature information is matched against the legal signature information in the preset legal signature list, the following matching rule can be used:
First match the acquired signature information against the system signature information in the list. If that matches, signature authentication succeeds; otherwise, match the signature information against the remaining operator signature information. When the list contains several pieces of operator signature information, they can be tried one by one in order; alternatively, a priority can be preset for each operator signature (for example, the more applications an operator publishes, the higher its priority) and matching then follows the set priority; or the entries can simply be tried in random order, and so on.
In this embodiment, when an application on the smart terminal is to be upgraded (for example one or more applications need an upgrade that can be completed by self-upgrade), it must first be determined whether the application's signature information is the same before and after the upgrade. If it is not, the application may have been maliciously tampered with, and the existing practice is to prohibit the upgrade in every such case. However, an operator may have used signature information 1 when it first released the application and switched to signature information 2 for a later upgrade; prohibiting the upgrade here makes a legitimate upgrade fail. To handle this, signature information 2 can first be added to the legal signature list as legal signature information through the update process described above. Then, when signature information 2 is found to be inconsistent with signature information 1, signature information 2 is matched against the legal signature information in the list, using the matching rule described above. If the match succeeds, the application is allowed to upgrade and is set to have system permission; only if the match fails is the application judged to be possibly tampered with and the upgrade refused. The process is shown in FIG. 2 and includes:
S201: An application on the smart terminal needs to be upgraded.
At this point the smart terminal can obtain the corresponding upgrade package through various channels.
S202: Acquire signature information 2, the signature of the application after the upgrade, and signature information 1, its current signature before the upgrade.
Signature information 2 can be obtained from the upgrade package.
S203: Determine whether the two pieces of signature information are consistent. If so, go to S204; otherwise, go to S205.
S204: Allow the application to be upgraded.
S205: Match signature information 2 against the legal signature information in the preset legal signature list. The matching rule from the example above can be used.
S206: Determine whether the match succeeded. If so, go to S207; otherwise, go to S208.
S207: Allow the application to be upgraded and set it to have system permission.
S208: Do not allow the application to be upgraded.
This additional check avoids the problem that an operator's existing applications cannot be upgraded normally after the operator's signature information changes, and further improves the soundness and accuracy of system permission management.
In this embodiment, for applications already installed on the smart terminal, and in particular applications that are able to apply for system permission, further authentication can be performed while they are running, at the point where one of their actions actually needs to use system permission (for example downloading and installing, or uninstalling, another application). This further improves the security of permission management. The terminal receives the system permission request sent by the running application, acquires the signature information of the application that initiated the request, and matches it against the legal signature information in the legal signature list. If the match succeeds, the application is allowed to exercise system permission, that is, to continue the action; otherwise the application is prohibited from exercising system permission, that is, from continuing the action, and a corresponding error prompt can be displayed. The process is shown in FIG. 3 and includes:
S301: A running application on the smart terminal sends a system permission request.
S302: Acquire the signature information of the application that initiated the system permission request.
S303: Match the acquired signature information against the legal signature information in the preset legal signature list. The matching rule from the example above can be used.
S304: Determine whether the match succeeded. If so, go to S305; otherwise, go to S306.
S305: Allow the application that initiated the system permission request to continue the action.
S306: Do not allow the application that initiated the system permission request to perform the action.
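The three decision flows above (installation S101 to S106, upgrade S201 to S208, runtime request S301 to S306) can be modelled as follows. This is an added illustration, not code from the patent; representing signature information as a SHA-256 certificate fingerprint, all class and function names, and leaving an application's existing permission unchanged on S204 and S208 are assumptions.

```python
# Added illustration of the install (S101-S106), upgrade (S201-S208) and
# runtime (S301-S306) decisions; not code from the patent. All names are assumed.
import hashlib
import hmac
from dataclasses import dataclass, field


def fingerprint(cert_der: bytes) -> str:
    """Assumption: 'signature information' is the SHA-256 of the signing certificate."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class LegalSignatureList:
    system: str                                    # manufacturer's system signature
    operators: dict = field(default_factory=dict)  # fingerprint -> priority

    def update(self, fp: str, priority: int = 0) -> None:
        """Apply an update message adding or re-prioritising an operator entry."""
        self.operators[fp] = priority

    def match(self, fp: str) -> bool:
        """Try the system signature first, then operators by descending priority."""
        ordered = [self.system] + sorted(
            self.operators, key=self.operators.get, reverse=True)
        return any(hmac.compare_digest(fp, legal) for legal in ordered)


@dataclass(frozen=True)
class Decision:
    allowed: bool            # may the install, upgrade or action proceed
    system_permission: bool  # does the app hold system permission afterwards


def decide_install(legal: LegalSignatureList, fp: str, requests_system: bool) -> Decision:
    # Packages without the system-permission identifier skip matching (-> S106).
    if not requests_system:
        return Decision(True, False)
    # S103/S104: installation proceeds either way; only the privilege differs.
    return Decision(True, legal.match(fp))


def decide_upgrade(legal: LegalSignatureList, old_fp: str, new_fp: str,
                   had_system: bool) -> Decision:
    if hmac.compare_digest(old_fp, new_fp):   # S203 -> S204
        return Decision(True, had_system)     # assumption: privilege unchanged
    if legal.match(new_fp):                   # S205/S206 -> S207
        return Decision(True, True)
    return Decision(False, had_system)        # S208: upgrade refused


def decide_runtime(legal: LegalSignatureList, fp: str) -> bool:
    """S303-S306: re-check the caller's signature when it uses system permission."""
    return legal.match(fp)


# Constructed sample certificates (placeholder bytes, not real DER).
SYSTEM = fingerprint(b"constructed-manufacturer-cert")
OP_SIG1 = fingerprint(b"constructed-operator-cert-1")
OP_SIG2 = fingerprint(b"constructed-operator-cert-2")
UNKNOWN = fingerprint(b"constructed-unlisted-cert")


def demo() -> dict:
    legal = LegalSignatureList(system=SYSTEM)
    legal.update(OP_SIG1, priority=10)
    results = {
        "operator_install": decide_install(legal, OP_SIG1, True),
        "unlisted_install": decide_install(legal, UNKNOWN, True),
        "no_request_install": decide_install(legal, OP_SIG1, False),
        "rotation_before_update": decide_upgrade(legal, OP_SIG1, OP_SIG2, True),
    }
    legal.update(OP_SIG2, priority=10)        # signature 2 added to the list
    results["rotation_after_update"] = decide_upgrade(legal, OP_SIG1, OP_SIG2, True)
    results["runtime_unlisted"] = decide_runtime(legal, UNKNOWN)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Note that the S205 check, as described, compares the new signature with every entry in the list rather than only with entries belonging to the application's original publisher.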
In this embodiment, the operator's signature information is set in advance on the smart terminal as legal signature information for subsequent signature authentication. This lets the smart terminal support multi-signature authentication with minimal modification. Compared with existing smart terminals, which support only one signature for authentication, the scheme costs less, gives more flexible control and offers better security.
Embodiment 2:
This embodiment provides a smart terminal. The terminal's system can be any of Android, iOS, Windows Phone, Symbian, BlackBerry OS, Windows Mobile and similar systems, and the terminal can be a mobile smart terminal such as a mobile phone, iPad or e-reader, or a non-mobile smart terminal. Referring to FIG. 4, the smart terminal includes a system permission management apparatus 10. Referring to FIG. 5, the system permission management apparatus 10 includes a list maintenance module 11, a signature information acquisition module 12, an authentication module 13 and a permission management module 14.
The list maintenance module 11 is configured to maintain the preset legal signature list on the smart terminal. The list stores in advance each piece of legal signature information that is allowed to use system permission. This naturally includes the system signature information of the smart terminal system, that is, the default signature information preset by the terminal manufacturer. In addition, the legal signature information in this embodiment includes at least one piece of operator signature information. Specifically, each operator can negotiate with the corresponding terminal manufacturer so that the manufacturer stores the operator's signature information in the legal signature list as legal information. The number of operator signatures in the list, and which operators they belong to, can therefore be set flexibly according to the actual application scenario. With this arrangement, when the smart terminal manages system permission through signature authentication, it no longer relies only on the terminal's system signature information but manages each application according to the legal signature information in the list; when an application's signature information matches any one of the operator signatures, system permission can also be granted to that application. The operator no longer needs to send applications to the terminal manufacturer for signing repeatedly, which saves manpower, material resources and cost; at the same time, the terminal manufacturer does not need to send its own signature information to the operator, which avoids the security risk.
In addition, the legal signature information in the list can be updated in real time. For example, when a new operator joins, or the signature information of an operator already on the list changes, the corresponding update information can be sent to the smart terminal, either directly or by the terminal manufacturer, and the list maintenance module 11 updates the legal signature information in the list according to that update message.
The signature information acquisition module 12 is configured to acquire the signature information of an application after the smart terminal acquires the application to be installed; the signature information can be obtained from the application's installation package.
The authentication module 13 is configured to match the signature information acquired by the signature information acquisition module 12 against the legal signature information in the legal signature list. The authentication module 13 can use the following matching rule:
First match the acquired signature information against the system signature information in the list. If that matches, signature authentication succeeds; otherwise, match the signature information against the remaining operator signature information. When the list contains several pieces of operator signature information, they can be tried one by one in order; alternatively, a priority can be preset for each operator signature (for example, the more applications an operator publishes, the higher its priority) and matching then follows the set priority; or the entries can simply be tried in random order, and so on.
The permission management module 14 is configured to allow the application to be installed on the smart terminal and to set it to have system permission when the signature information matches any one piece of the legal signature information; otherwise, it allows the application to be installed on the smart terminal and sets it to not have system permission, that is, the application cannot apply for system permission after installation. This lets the smart terminal support multiple signatures while keeping the system as secure as possible.
In this embodiment, not every application on the terminal needs to apply for system permission. An application that does need it generally carries identification information for applying for system permission in its installation package. Therefore, referring to FIG. 6, the system permission management apparatus 10 in this embodiment further includes an application type determination module 15, configured to determine whether the installation package of the application to be installed contains identification information for applying for system permission and, if it does, to notify the signature information acquisition module 12 to acquire the signature information and carry out the subsequent checks.
Referring to FIG. 7, the system permission management apparatus in this embodiment further includes an upgrade processing module 16. During the upgrade of an application:
the signature information acquisition module 12 is further configured to acquire, when an application on the smart terminal is to be upgraded, the application's signature information after the upgrade and its current signature information before the upgrade;
the upgrade processing module 16 is configured to determine whether the signature information after the upgrade and the current signature information before the upgrade are consistent;
the authentication module 13 is further configured to match the post-upgrade signature information against the legal signature information in the legal signature list when the upgrade processing module 16 determines that the two are inconsistent;
the permission management module 14 is further configured to allow the application to be upgraded and to set it to have system permission when the authentication module 13 finds a match; otherwise, it does not allow the application to be upgraded, to prevent malicious tampering. This avoids the problem that an operator's existing applications cannot be upgraded normally after the operator's signature information changes, while still guarding against malicious tampering, and further improves the soundness and accuracy of system permission management.
In this embodiment, when an application already installed on the smart terminal, in particular one that requested system permission, performs an action during operation that actually requires system permission (for example, downloading and installing or uninstalling other applications), the application may be authenticated again to further improve management security. In this case, the signature information acquiring module 12 is further configured to, upon a system permission request sent by an application of the smart terminal during operation, acquire the signature information of the application that initiated the request;
The authentication module 13 is further configured to match that signature information against the legal signature information in the legal signature list; the matching rule may be the matching rule described above or a different rule.
The permission management module 14 is further configured to, when the authentication module matches successfully, allow the application to exercise system permission, that is, to continue the action; otherwise, the application is prohibited from exercising system permission, that is, prohibited from continuing the action, and a corresponding error prompt may be displayed.
The smart terminal in this embodiment sets the operator's signature information as legal signature information in advance for subsequent signature authentication, so that the smart terminal supports multi-signature authentication with minimal changes. Compared with existing smart terminals that support only one kind of signature authentication, this solution costs less, allows more flexible control, and offers better security.
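The install, upgrade and runtime checks of this embodiment can be modelled as follows. This is an added sketch, not code from the patent: the class and method names, the use of a SHA-256 certificate digest as "signature information", the sample certificates, and the branches marked as assumptions are all introduced here for illustration.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample signer certificates (placeholder bytes, not real certificates).
SYSTEM_CERT = b"constructed-system-cert"
OPERATOR_A = b"constructed-operator-a-cert"
OPERATOR_B = b"constructed-operator-b-cert"
UNKNOWN = b"constructed-unlisted-cert"


def digest(cert: bytes) -> str:
    """Assumption: 'signature information' is the SHA-256 of the signer certificate."""
    return hashlib.sha256(cert).hexdigest()


@dataclass(frozen=True)
class Package:
    name: str
    signer_cert: bytes
    wants_system: bool = True  # identification information requesting system permission


class PermissionManager:
    def __init__(self, system_cert: bytes, operator_certs: list):
        # Legal signature list: system signature first, then operator signatures.
        self.legal = [digest(system_cert)] + [digest(c) for c in operator_certs]
        self.installed = {}  # name -> (signature, has_system_permission)

    def is_legal(self, sig: str) -> bool:
        return sig in self.legal  # list order gives "system first, then operator"

    def install(self, pkg: Package) -> str:
        sig = digest(pkg.signer_cert)
        if not pkg.wants_system:  # no request flag: install without system permission
            self.installed[pkg.name] = (sig, False)
            return "installed-no-system"
        if not self.is_legal(sig):
            return "install-refused"  # assumption: failure branch is not stated in this section
        self.installed[pkg.name] = (sig, True)
        return "installed-system"

    def upgrade(self, pkg: Package) -> str:
        old_sig, _ = self.installed[pkg.name]
        new_sig = digest(pkg.signer_cert)
        if new_sig == old_sig:  # consistent: assumption, existing permission is kept
            return "upgraded-same-signer"
        if not self.is_legal(new_sig):
            return "upgrade-refused"  # installed record is left untouched
        self.installed[pkg.name] = (new_sig, True)
        return "upgraded-system"

    def runtime_check(self, name: str) -> bool:
        """Re-authenticate the requesting application against the current list."""
        sig, _ = self.installed.get(name, ("", False))
        return self.is_legal(sig)

    def update_operator_signatures(self, operator_certs: list) -> None:
        """Apply a signature update from the operator; the system entry is kept."""
        self.legal = self.legal[:1] + [digest(c) for c in operator_certs]
```

Because the upgrade rule checks the new signature only against the list, any listed signer can take over a package first signed by another listed signer, so the list should be treated as a single trust domain and kept short.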
Embodiments of the present invention also provide a storage medium that includes a stored program, wherein the program, when run, performs the method described in any one of the above.
Optionally, in this embodiment, the storage medium may include, but is not limited to, a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disc, or any other medium that can store program code.
Embodiments of the present invention also provide a processor for running a program, wherein the program, when run, performs the steps of any one of the above methods.
Those skilled in the art will understand that the modules or steps of the present invention described above can be implemented with a general-purpose computing device. They can be concentrated on a single computing device or distributed across a network of multiple computing devices. Optionally, they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; in some cases the steps shown or described can be performed in an order different from the one given here, or they can each be made into an individual integrated circuit module, or several of the modules or steps can be made into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above is a further detailed description of the embodiments of the present invention in conjunction with specific implementations, and the specific implementation of the present invention should not be regarded as limited to this description. For a person of ordinary skill in the art to which the present invention belongs, a number of simple deductions or substitutions may be made without departing from the concept of the present invention, and all of them shall be regarded as falling within the protection scope of the present invention.
Industrial Applicability
As described above, the system permission management method, apparatus, and smart terminal provided by the embodiments of the present invention have the following beneficial effects: after the smart terminal obtains an application to be installed, the application's signature information can be matched directly against the legal signature information in a preset legal signature list; if it matches any one item of legal signature information in the list, the application is allowed to be installed on the smart terminal and is set to have system permission. In this way, the smart terminal no longer supports only one system signature and can support two or more system signatures. The operator does not need to send the application to the terminal manufacturer to have it signed, and the terminal manufacturer does not need to send its own signature information to the operator. This makes support for and management of system permission for operator applications relatively simple and convenient, and also improves security.

Claims (11)

  1. A system permission management method, comprising:
    after a smart terminal obtains an application to be installed, acquiring signature information of the application;
    matching the signature information against legal signature information in a preset legal signature list, the legal signature list containing system signature information of the smart terminal system and one item of operator signature information;
    when the signature information successfully matches any one item of the legal signature information, allowing the application to be installed on the smart terminal and setting the application to have system permission.
  2. The system permission management method according to claim 1, further comprising:
    when the smart terminal has an application to be upgraded, determining whether the post-upgrade signature information of the application to be upgraded is consistent with its current, pre-upgrade signature information; if not, matching the post-upgrade signature information against the legal signature information in the legal signature list; and, if the match succeeds, allowing the application to be upgraded and setting it to have system permission.
  3. The system permission management method according to claim 1, further comprising:
    upon receiving a system permission request sent by an application of the smart terminal during operation, acquiring the signature information of the application that initiated the system permission request and matching it against the legal signature information in the legal signature list; if the match succeeds, allowing the application to exercise system permission; otherwise, prohibiting the application from exercising system permission.
  4. The system permission management method according to any one of claims 1 to 3, further comprising, before acquiring the signature information of the application:
    determining whether the installation package of the application contains identification information requesting system permission; if it does, acquiring the signature information; otherwise, allowing the application to be installed on the smart terminal and setting the application not to have system permission.
  5. The system permission management method according to any one of claims 1 to 3, wherein matching the signature information against the legal signature information comprises: first matching the signature information against the system signature information and, if that match fails, matching it against the operator signature information.
  6. The system permission management method according to any one of claims 1 to 3, further comprising:
    receiving signature update information sent by the operator, and updating the legal signature information in the legal signature list accordingly based on the signature update information.
  7. A system permission management apparatus, comprising:
    a signature information acquiring module, configured to acquire signature information of an application to be installed after a smart terminal obtains the application;
    an authentication module, configured to match the signature information against legal signature information in a legal signature list, the legal signature list containing system signature information of the smart terminal system and at least one item of operator signature information;
    a permission management module, configured to, when the signature information successfully matches any one item of the legal signature information, allow the application to be installed on the smart terminal and set the application to have system permission.
  8. The system permission management apparatus according to claim 7, comprising an upgrade processing module;
    the signature information acquiring module is further configured to, when the smart terminal has an application to be upgraded, acquire the post-upgrade signature information of the application to be upgraded and its current, pre-upgrade signature information;
    the upgrade processing module is configured to determine whether the post-upgrade signature information of the application to be upgraded is consistent with its current, pre-upgrade signature information;
    the authentication module is further configured to, when the upgrade processing module determines that they are inconsistent, match the post-upgrade signature information against the legal signature information in the legal signature list;
    the permission management module is further configured to, when the authentication module matches successfully, allow the application to be upgraded and set it to have system permission.
  9. The system permission management apparatus according to claim 7 or 8, wherein the signature information acquiring module is further configured to, upon a system permission request sent by an application of the smart terminal during operation, acquire the signature information of the application that initiated the system permission request;
    the authentication module is further configured to match the signature information against the legal signature information in the legal signature list;
    the permission management module is further configured to, when the authentication module matches successfully, allow the application that initiated the system permission request to exercise system permission; otherwise, prohibit the application that initiated the system permission request from exercising system permission.
  10. A smart terminal, comprising the system permission management apparatus according to any one of claims 7 to 9.
  11. A storage medium, the storage medium comprising a stored program, wherein the program, when run, performs the method according to any one of claims 1 to 6.
PCT/CN2017/089743 2016-06-24 2017-06-23 System permission management method and apparatus, and intelligent terminal WO2017220014A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610488792.0A CN107545170A (en) 2016-06-24 2016-06-24 System right management method, apparatus and intelligent terminal
CN201610488792.0 2016-06-24

Publications (1)

Publication Number Publication Date
WO2017220014A1 (en) 2017-12-28

Family

ID=60784272

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/089743 WO2017220014A1 (en) 2016-06-24 2017-06-23 System permission management method and apparatus, and intelligent terminal

Country Status (2)

Country Link
CN (1) CN107545170A (en)
WO (1) WO2017220014A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113541966A (en) * 2021-07-23 2021-10-22 湖北亿咖通科技有限公司 Authority management method, device, electronic equipment and storage medium

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112764832A (en) * 2021-01-21 2021-05-07 青岛海信移动通信技术股份有限公司 Application program installing and uninstalling method and communication terminal

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103065098A (en) * 2011-10-24 2013-04-24 联想(北京)有限公司 Access method and electronic device
CN103530534A (en) * 2013-09-23 2014-01-22 北京理工大学 Android program ROOT authorization method based on signature verification
CN103686722A (en) * 2012-09-13 2014-03-26 中兴通讯股份有限公司 Access control method and device
CN103858130A (en) * 2013-08-23 2014-06-11 华为终端有限公司 Method, apparatus and terminal for administration of permission

Also Published As

Publication number Publication date
CN107545170A (en) 2018-01-05

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17814752

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17814752

Country of ref document: EP

Kind code of ref document: A1