WO2018059351A1 - Application permission control method and device, and terminal - Google Patents

Application permission control method and device, and terminal

Info

Publication number
WO2018059351A1
Authority
WO
WIPO (PCT)
Prior art keywords
application
permission
sensitive information
virtual
information
Prior art date
Application number
PCT/CN2017/103182
Other languages
French (fr)
Chinese (zh)
Inventor
张园园
Original Assignee
中兴通讯股份有限公司
Priority date
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2018059351A1


Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10: Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/105: Arrangements for software license management or administration, e.g. for managing licenses at corporate level
    • G06F21/106: Enforcing content protection by specific content processing
    • G06F21/1063: Personalisation
    • G06F21/12: Protecting executable software
    • G06F21/121: Restricting unauthorised execution of programs

Definitions

  • The present disclosure relates to, but is not limited to, the field of communication technologies, and in particular to an application permission control method, device and terminal.
  • Management strategies for applications on mobile phones and other mobile terminals are mostly based on permission control.
  • Application permissions are often requested at installation and obtained in the background during the installation process. Alternatively, while the application is running, the user chooses, in response to the application's request, whether to grant the application the corresponding permission.
  • This document provides an application permission control method, device and terminal, so that application software can run normally without obtaining permission to real information.
  • An embodiment of the present disclosure provides a permission management method, including a dynamic permission management control method, comprising:
  • The permission is configured through a permission configuration table and includes a permission allowing the application to access real sensitive information.
  • An embodiment of the present disclosure further provides a device with application permission control, comprising:
  • The information processing module is configured to: accept an application's request to obtain sensitive information; and, based on the request and according to the application's permission to obtain sensitive information, allow the application to obtain real sensitive information or virtual sensitive information in the terminal;
  • The storage module is configured to: store virtual sensitive information and the permission configuration table.
  • An embodiment of the present disclosure further provides a terminal with application permission control, the terminal including a processor and a memory, wherein:
  • The processor is configured to: accept an application's request to obtain sensitive information; and, based on the request and according to the application's permission to obtain sensitive information, allow the application to obtain real sensitive information or virtual sensitive information in the terminal; wherein the permission is configured through the permission configuration table and includes a first permission allowing an application to access real sensitive information, and a second permission allowing an application to access virtual sensitive information.
  • An embodiment of the present disclosure further provides a computer readable storage medium storing computer executable instructions which, when executed, implement the above application permission control method.
  • With the embodiments of the present disclosure, even when permission to real sensitive information is not provided to an application, the application can be notified, in response to its request, that the requested permission has been obtained, so that the application runs normally and can be used without being given real sensitive information. This effectively prevents leakage of the user's sensitive information and also makes it possible to check which applications may pose security risks.
  • FIG. 1 is a flow chart of a method of authority control according to an embodiment of the present disclosure
  • FIG. 2 is a flowchart of a method for controlling rights under an Android system according to an embodiment of the present disclosure
  • FIG. 3 is a flowchart of still another method for controlling rights in an Android system according to an embodiment of the present disclosure
  • FIG. 4 is a structural diagram of an authority control apparatus according to an embodiment of the present disclosure.
  • FIG. 5 is a structural diagram of an authority control terminal according to an embodiment of the present disclosure.
  • FIG. 1 is a flowchart of a permission control method according to an embodiment of the present disclosure. As shown in FIG. 1, the process may include the following steps:
  • Step S101: accept an application's request to obtain sensitive information.
  • Step S102: based on the request and according to the application's permission to obtain sensitive information, allow the application to obtain real sensitive information or virtual sensitive information in the terminal; wherein the permission is configured through the permission configuration table and includes a first permission allowing the application to access real sensitive information, and a second permission allowing the application to access virtual sensitive information.
  • Through the above steps, when an application's request to obtain sensitive information is accepted, if the request matches a virtual sensitive permission record in the permission configuration table, the application is allowed to access virtual sensitive information. If it matches a real permission record, the application may be allowed to access real sensitive information. Both paths ensure that the application can continue to run and does not terminate for lack of permission. At the same time, according to the user's actual needs, untrusted applications are given the virtual sensitive information permission, which ensures that the user's privacy is not leaked.
  • Configuring the permission includes: when the application's request for a sensitive information permission is accepted, recording in the permission configuration table the second permission, which allows the application to access virtual sensitive information, and returning to the application a result indicating that the permission request succeeded.
  • With this permission configuration method, when an application requests a sensitive information permission, the application can continue to run without being granted permission to access real sensitive information. This further safeguards the user's privacy.
  • The permission configuration table is configured in at least one of the following ways: through a settings interface; through parameters; through the permission selection interface.
  • When permissions are set by parameter, preset parameters can be used. For example, all permissions configured for certain applications or certain types of applications are virtual sensitive information permissions; or, for certain applications or types of applications, such as games that require gravity sensing, the permission configuration table is set directly through parameters. This spares the user the tedium of configuring specific permissions and saves the time the user spends configuring permissions.
  • A virtual permission option is added to the system's permission selection interface, and after the user selects this item, the virtual permission corresponding to the selection is recorded in the item configuration table.
  • The advantage of this approach is that it requires no prior configuration and is easy to implement.
  • The "permission configuration table" is runtime-permissions.xml.
  • The dialog window popped up in the native interface gains a "virtual" option.
  • The framework code adds a record to the permission list of the corresponding application in the native "permission configuration table" (runtime-permissions.xml). This relies directly on the system itself, with no need to add other applications.
  • The sensitive information includes information related to user privacy.
  • Limiting the sensitive information under configuration management to information related to user privacy lets the control and management functions of the configuration table be used more effectively and better protects the user's interests.
  • The information related to user privacy includes the sensitive information corresponding to the Dangerous permissions defined by the Android system.
  • User privacy permissions may include normal permissions and dangerous permissions. Normal permissions may be granted automatically by the system, whereas for dangerous permissions the system lets the user decide whether to grant them. With this mechanism, this subset of permissions can be configured independently. On the one hand, the configuration of sensitive information can be implemented by relying on the system; on the other hand, the sensitive information corresponding to these permissions, which is the user's core interest, is covered, making the overall permission configuration clearer.
  • The virtual sensitive information is set in at least one of the following ways: through an interface; through parameters.
  • The user can thus be provided with more targeted ways of setting virtual information.
  • The virtual sensitive information is loaded at at least one of the following times: when the terminal starts; when the application accesses the virtual sensitive information according to the permission.
  • Virtual sensitive information can be loaded when it is needed, to reduce the time for which resources are occupied, or loaded at boot when resources are sufficient, to reduce the time it takes to launch the application. Using either method, or a combination of the two, gives the setting best suited to system performance.
  • The present disclosure also provides another embodiment based on the same inventive concept.
  • FIG. 2 is a flowchart of a permission control method under the Android system according to an embodiment of the present disclosure. The process can include the following steps:
  • Step S202: accept the application's request for a sensitive information permission, and add a "virtual" option to the dialog window popped up by the native permission selection interface.
  • Step S204: if the user selects the "virtual" option, the framework code adds a record to the permission list of the corresponding application in the native "permission configuration table" (runtime-permissions.xml): the requested permission type + virtual attribute. It then returns a successful permission-request result to the application, indicating that the application has been granted the permission.
  • Step S206: when the application reads or writes sensitive information through a specific interface, the framework code matches the access against the "permission configuration table" (runtime-permissions.xml). If the permission to access that sensitive information was configured by the user with the "virtual" attribute, the corresponding virtual information is looked up and returned to the application.
  • The application's permission request directly returns an authorized result.
  • The framework code marks READ_CONTACTS, in the CONTACTS permission group of the permission configuration table, as Virtual.
  • A hook function can be added to the framework's read/write interface to match against the content of runtime-permissions.xml; when it finds that the application's permission for the specific sensitive information is granted with the "Virtual" attribute, the corresponding information can be obtained directly from the virtual configuration file.
  • The virtual value of the sensitive information is returned to the application.
  • Virtual control of sensitive information is realized more simply in the native permission configuration window, so the virtual access method is implemented more conveniently.
  • The present disclosure also provides another embodiment based on the same inventive concept.
  • FIG. 3 is a flowchart of another permission control method of the present disclosure under the Android system. The process may include:
  • Step S301: when the mobile phone is powered on, the framework loads the virtual information configuration file, in which the virtual configurations of all sensitive permissions of Android 6.0 are recorded.
  • Step S302: after the user opens an application on the mobile phone, the application requests location information, and the Android system queries the permission configuration table runtime-permissions.xml for the user's earlier setting for this application. If there is no record, go to step S303. If there is a record, "allow" returns the real location information, "virtual" returns the virtual location information, and "reject" returns null directly; the whole process then ends.
  • Step S303: the application is requesting the location information permission for the first time. The Android system pops up a prompt box with three options, "allow", "reject" and "virtual", waits for the user to select, and records the selection in the permission configuration table runtime-permissions.xml for the next query. If the user selects "allow", go to step S304; if the user selects "virtual", go to step S305; if the user selects "reject", null is returned directly and the whole process ends.
  • Step S304: the user selects "allow", indicating that the application can be granted the real location information permission; the real geographic location is returned directly when the application acquires location information. The whole process then ends.
  • Step S305: the user selects "virtual", indicating that the current application is not trusted; the virtual geographic location is returned directly when the application acquires location information. The whole process then ends.
  • FIG. 4 is a structural diagram of an authority control device according to an embodiment of the present disclosure, and the device may include:
  • The information processing module is configured to: accept an application's request to obtain sensitive information; and, based on the request and according to the application's permission to obtain sensitive information, allow the application to obtain real sensitive information or virtual sensitive information in the terminal;
  • The storage module is configured to: store virtual sensitive information and the permission configuration table.
  • Even when permission to real sensitive information is not provided, the application can be notified, in response to its request, that the requested permission has been obtained, so that the application runs normally and can be used without being given real sensitive information. This effectively prevents leakage of the user's sensitive information and also makes it possible to check which applications may pose security risks.
  • The device further includes:
  • The human-computer interaction module is configured to: when the application requests a sensitive information permission, provide sensitive information permission options that allow the application to obtain the virtual sensitive information permission, and record the permission information in the permission configuration table.
  • The user's virtual permission selection for the application can be received and recorded in the permission configuration table, which makes it easier to control the application's specific permissions.
  • FIG. 5 is a structural diagram of a rights control terminal according to an embodiment of the present disclosure. As shown in FIG. 5, the terminal may include:
  • The processor is configured to: accept an application's request to obtain sensitive information; and, based on the request and according to the application's permission to obtain sensitive information, allow the application to obtain real sensitive information or virtual sensitive information in the terminal; wherein the permission is configured through the permission configuration table and includes a first permission allowing an application to access real sensitive information, and a second permission allowing an application to access virtual sensitive information.
  • Even when permission to real sensitive information is not provided, the application can be notified, in response to its request, that the requested permission has been obtained, so that the application runs normally and can be used without being given real sensitive information. This effectively prevents leakage of the user's sensitive information and also makes it possible to check which applications may pose security risks.
  • Embodiments of the present disclosure also provide a computer readable storage medium storing computer executable instructions which, when executed, implement the above application permission control method.
  • Modules or steps of the embodiments of the present disclosure may be implemented by a general-purpose computing device, and may be centralized on a single computing device or distributed over a network of multiple computing devices. Alternatively, they may be implemented by program code executable by a computing device, so that they may be stored in a storage device and executed by a computing device; in some cases, the steps shown or described may be performed in an order different from that described herein, or they may each be made into separate integrated circuit modules, or a plurality of the modules or steps may be made into a single integrated circuit module.
  • Embodiments of the present disclosure are not limited to any specific combination of hardware and software.
  • The term computer storage medium includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storing information, such as computer readable instructions, data structures, program modules or other data.
  • Computer storage media include, but are not limited to, Random Access Memory (RAM), Read-Only Memory (ROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical disc storage, magnetic cassette, magnetic tape, disk storage or other magnetic storage device, or any other medium that can be used to store the desired information and that can be accessed by a computer.
  • Communication media typically contain computer readable instructions, data structures, program modules, or other data in a modulated data signal, such as a carrier wave or other transport mechanism, and can include any information delivery media.

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

An application permission control method comprises: receiving, from an application, a sensitive information acquisition request; and permitting, on the basis of the request, and according to a permission level of the application with respect to acquisition of sensitive information, the application to acquire true sensitive information or virtual sensitive information in a terminal, wherein the permission level is configured on the basis of a permission configuration table, and comprises a first permission level permitting the application to access the true sensitive information and a second permission level permitting the application to access the virtual sensitive information.

Description

Application permission control method, device and terminal
Technical field
The present disclosure relates to, but is not limited to, the field of communication technologies, and in particular to an application permission control method, device and terminal.
Background
Management strategies for applications on mobile phones and other mobile terminals are mostly based on permission control. On common Android phones, an application's permissions are usually requested at installation, and the permissions are obtained in the background during the installation process. Alternatively, while the application is running, the user is asked, in response to the application's request, whether to grant the application the corresponding permission.
Summary of the invention
The following is an overview of the subject matter described in detail herein. This overview is not intended to limit the scope of protection of the claims.
Faced with applications that insist on obtaining permissions to the user's sensitive information, the user can directly allow or reject the application's permission request. However, allowing creates an information security risk, while rejecting causes these applications to stop running. There is no way to ensure that the user can keep using such applications normally without revealing the user's real personal information.
This document provides an application permission control method, device and terminal, so that application software can run normally without obtaining permission to real information.
An embodiment of the present disclosure provides a permission management method, including a dynamic permission management control method, comprising:
accepting an application's request to obtain sensitive information;
based on the request and according to the application's permission to obtain sensitive information, allowing the application to obtain real sensitive information or virtual sensitive information in the terminal; wherein the permission is configured through a permission configuration table and includes a first permission allowing an application to access real sensitive information, and a second permission allowing an application to access virtual sensitive information.
An embodiment of the present disclosure further provides a device with application permission control, comprising:
an information processing module, configured to: accept an application's request to obtain sensitive information; and, based on the request and according to the application's permission to obtain sensitive information, allow the application to obtain real sensitive information or virtual sensitive information in the terminal;
a storage module, configured to: store virtual sensitive information and the permission configuration table.
An embodiment of the present disclosure further provides a terminal with application permission control, the terminal including a processor and a memory, wherein:
the processor is configured to: accept an application's request to obtain sensitive information; and, based on the request and according to the application's permission to obtain sensitive information, allow the application to obtain real sensitive information or virtual sensitive information in the terminal; wherein the permission is configured through the permission configuration table and includes a first permission allowing an application to access real sensitive information, and a second permission allowing an application to access virtual sensitive information.
An embodiment of the present disclosure further provides a computer readable storage medium storing computer executable instructions which, when executed, implement the above application permission control method.
With the embodiments of the present disclosure, even when permission to real sensitive information is not provided to an application, the application can be notified, in response to its request, that the requested permission has been obtained, so that the application runs normally and can be used without being given real sensitive information. This effectively prevents leakage of the user's sensitive information and also makes it possible to check which applications may pose security risks.
Other aspects will become apparent upon reading and understanding the drawings and the detailed description.
Brief description of the drawings
FIG. 1 is a flowchart of a permission control method according to an embodiment of the present disclosure;
FIG. 2 is a flowchart of a permission control method under the Android system according to an embodiment of the present disclosure;
FIG. 3 is a flowchart of another permission control method under the Android system according to an embodiment of the present disclosure;
FIG. 4 is a structural diagram of a permission control device according to an embodiment of the present disclosure;
FIG. 5 is a structural diagram of a permission control terminal according to an embodiment of the present disclosure.
本公开的较佳实施方式 Preferred embodiment of the present disclosure
下面结合附图对本公开的实施方式进行描述。Embodiments of the present disclosure will be described below with reference to the accompanying drawings.
在本实施例中提供了一种应用权限控制方法,图1是根据本公开实施例的权限控制方法的流程图,如图1所示,该流程可以包括如下步骤:In this embodiment, an application permission control method is provided. FIG. 1 is a flowchart of a permission control method according to an embodiment of the present disclosure. As shown in FIG. 1, the process may include the following steps:
步骤S101,接受应用获取敏感信息请求;Step S101, accepting an application to obtain a sensitive information request;
步骤S102,基于所述请求,根据所述应用获取敏感信息的权限,允许所述应用获取终端中的真实敏感信息或虚拟敏感信息;其中,所述权限通过权限配置表配置,包括允许应用访问真实敏感信息的第一权限,以及允许应用访问虚拟敏感信息的第二权限。Step S102, based on the request, according to the permission of the application to obtain sensitive information, allowing the application to obtain real sensitive information or virtual sensitive information in the terminal; wherein the permission is configured through the permission configuration table, including allowing the application to access the real The first privilege of sensitive information and the second privilege that allows the application to access virtual sensitive information.
通过上述步骤,在接受应用获取敏感信息请求时,如果匹配权限配置表中虚拟敏感权限记录,则允许应用访问虚拟敏感信息。如果匹配真实权限记录,也可以允许应用访问真实的敏感信息。两种途径都保证了应用可以继续运行,不会因为没有权限而终止。同时又根据用户的实际需要,对于不信任的应用,提供虚拟敏感信息权限,保障了用户隐私不被泄露。Through the above steps, when accepting the application to obtain the sensitive information request, if the virtual sensitive permission record in the permission configuration table is matched, the application is allowed to access the virtual sensitive information. If you match the real permission record, you can also allow the app to access real sensitive information. Both approaches ensure that the application can continue to run without termination due to lack of permissions. At the same time, according to the actual needs of the user, the virtual sensitive information authority is provided for the untrusted application, thereby ensuring that the user's privacy is not leaked.
Optionally, the method for configuring the permission includes: when a request from the application for permission to obtain sensitive information is received, recording in the permission configuration table the second permission, which allows the application to access virtual sensitive information, and returning to the application a result indicating that the permission request succeeded.
With this configuration method, when an application requests permission for sensitive information, the application can continue to run without being granted permission to access the real sensitive information. This further protects the user's privacy.
Optionally, the permission configuration table is configured in at least one of the following ways: through a settings interface; through parameters; through a permission selection interface.
Through the settings interface, specific permissions of the application can be configured. This is particularly useful for applications such as a food-delivery ordering APP (Application, a computer application program), which need to be given access to some real sensitive information but should not access all of the real sensitive information: each permission is configured independently and recorded in the permission configuration table. This lets the user control sensitive information permissions more clearly and thus achieve better control and management.
When permissions are set through parameters, preset parameters can be used: for example, all permissions configured for certain applications or certain classes of applications are virtual sensitive information permissions, or, for certain applications or classes of applications such as games that require gravity sensing, the permission configuration table is set directly through the parameters. This spares the user the tedium of configuring specific permissions and saves configuration time.
With the permission selection interface, when the system receives a sensitive permission request from an application, a virtual permission option is added to the system's permission selection interface; after the user selects that option, the corresponding virtual permission is recorded in the item configuration table. The advantage of this approach is that no prior configuration is needed and it is easy to implement. For example, another embodiment mentions that in Android 6.0 and later versions the "permission configuration table" is runtime-permissions.xml; when an application requests permission for sensitive information, a "Virtual" option is added to the dialog window that pops up in the native interface. If the user selects the "Virtual" option, the framework code adds a record to the permission list of the corresponding application in the native "permission configuration table" (runtime-permissions.xml). This can be done by relying directly on the system itself, without adding other applications.
Each of the three methods above for configuring the permission configuration table has its own advantages. In embodiments of the present disclosure, at least one of them can be chosen, or several combined, according to actual needs, to give the user a more convenient way to configure the permission configuration table.
Optionally, the sensitive information includes information involving user privacy.
A terminal holds many different kinds of information; if all of it had to be configured, the user would find it tedious and it would be harder to select the permissions that actually need configuring. Limiting the sensitive information under configuration management to information involving user privacy therefore makes the control and management function of the configuration table more effective and better protects the user's interests.
Optionally, the information involving user privacy includes sensitive information corresponding to the Dangerous permissions defined by the Android system.
In Android 6.0, permissions for user privacy information may include normal permissions and dangerous permissions. Normal permissions can be granted automatically by the system, whereas for dangerous permissions the system lets the user decide whether to grant them. With this mechanism, these permissions can be configured independently: on the one hand, sensitive information can be configured using the system's native mechanism; on the other hand, the sensitive information corresponding to these permissions is the user's most central interest, which makes the purpose of the whole permission configuration clearer.
Optionally, the virtual sensitive information is set by at least one of the following methods: through a settings interface; through parameters.
Virtual sensitive information can be given default values through parameters, which saves the user configuration time and makes applications run more smoothly. It can also be configured in detail through the settings interface for each specific permission of each application: on the one hand, because different applications access different virtual information, it is possible to find out which applications pose a security risk; on the other hand, if a particular application needs particular sensitive information, it can be customized in this way.
Using at least one of the two methods, or both in combination, gives the user a more targeted way of setting virtual information.
Optionally, the virtual sensitive information is loaded at at least one of the following times: when the terminal starts; when an application accesses virtual sensitive information according to the permission.
Virtual sensitive information can be loaded when it is needed, to reduce the time for which resources are occupied. Alternatively, where sufficient resources are available, it can be loaded at boot to reduce application start-up time. Using at least one of the two approaches, or both in combination, yields the most suitable setting for system performance.
Based on the same inventive concept, the present disclosure provides a further embodiment.
This embodiment provides a method for implementing application control on Android 6.0 and later systems.
FIG. 2 is a flowchart of a permission control method on the Android system according to an embodiment of the present disclosure. The flow may include the following steps:
Step S202: on receiving an application's request for permission to obtain sensitive information, add a "Virtual" option to the dialog window that pops up in the native permission selection interface.
Step S204: if the user selects the "Virtual" option, the framework code adds a record to the permission list of the corresponding application in the native "permission configuration table" (runtime-permissions.xml): requested permission type + virtual attribute. It then returns to the application a result indicating that the request succeeded, meaning that the application has been granted the relevant permission.
Step S206: when the application reads or writes sensitive information through a specific interface, the framework code looks for a match in the "permission configuration table" (runtime-permissions.xml). If the user has configured the current application's access permission for that sensitive information with the "virtual" attribute, the corresponding virtual information is looked up and returned to the application.
For example, in the native system, by replacing the Android system's native ActivityCompat class library file and extending the requestPermissions() interface of the ActivityCompat class library file, a "Virtual" option can be added to the permission selection window that pops up. After the user chooses to grant the application the virtual permission for specific sensitive information, the result returned for the application's permission request can directly be that authorization succeeded. The framework code marks READ_CONTACTS under CONTACTS in the Permission Group of the permission configuration table as Virtual. When the application accesses sensitive information, a hook function can be added to the framework's read/write interface to match against the contents of runtime-permission.xml; if it finds that the application's authorization for the specific sensitive information has the "Virtual" attribute, the virtual value of the corresponding sensitive information can be obtained directly from the virtual configuration file and returned to the application.
By modifying the system's original code, virtual control of sensitive information is achieved more simply in the native permission configuration window, which makes this virtual access method more convenient to implement.
Based on the same inventive concept, the present disclosure provides a further embodiment.
This flow takes granting an application the virtual location permission as an example. As shown in FIG. 3, which is a flowchart of yet another permission control method of the present disclosure on the Android system, the flow may include:
Step S301: when the phone is powered on, the framework loads the virtual information configuration file, which records the virtual configuration for all sensitive permissions of Android 6.0.
Step S302: after the user opens an application on the phone and the application requests location information, the Android system can query the permission configuration table runtime-permission.xml for the user's earlier setting for that application. If there is no record, go to step S303. If there is a record, "Allow" returns the real location information, "Virtual" returns the virtual location information, and "Deny" returns null directly; the whole flow then ends.
Step S303: the application is requesting the location information permission for the first time. The Android system pops up a prompt with three options, "Allow", "Deny" and "Virtual", waits for the user to choose, and records the choice in the permission configuration table runtime-permission.xml for the next query. If the user selects "Allow", go to step S304; if the user selects "Virtual", go to step S305; if the user selects "Deny", null is returned directly and the whole flow ends.
Step S304: the user selects "Allow", meaning that the application may be granted permission for the real location information; when the application obtains location information, the real geographic location is returned directly. The whole flow then ends.
Step S305: the user selects "Virtual", meaning that the current application is not trusted; when the application obtains location information, the virtual geographic location is returned directly. The whole flow then ends.
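The flow of steps S301 to S305, modelled as an added example that is not code from the patent or from Android: the dictionary `table` stands in for the permission configuration table, `prompt` for the three-option dialog, and every package name and coordinate is constructed. It also covers the per-application virtual values described earlier for finding out which application was served a given virtual value; `trace_virtual_value` and the other names are hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Any, Callable, Dict, List, Tuple


class Grant(Enum):
    ALLOW = "allow"      # first permission: real sensitive information
    VIRTUAL = "virtual"  # second permission: virtual sensitive information
    DENY = "deny"


LOCATION = "ACCESS_FINE_LOCATION"
# Constructed sample values, not taken from the patent.
REAL_INFO = {LOCATION: (31.2304, 121.4737)}
VIRTUAL_PROFILE = {LOCATION: (0.0, 0.0)}

Key = Tuple[str, str]  # (application package, permission)


@dataclass
class PermissionController:
    prompt: Callable[[str, str], Grant]  # stands in for the Allow/Deny/Virtual dialog
    real_info: Dict[str, Any]
    table: Dict[Key, Grant] = field(default_factory=dict)  # permission configuration table
    virtual_info: Dict[str, Any] = field(default_factory=dict)
    per_app_virtual: Dict[Key, Any] = field(default_factory=dict)
    audit: List[Tuple[str, str, Grant]] = field(default_factory=list)

    def load_virtual_profile(self, profile: Dict[str, Any]) -> None:
        """S301: load the virtual information configuration at power-on."""
        self.virtual_info = dict(profile)

    def set_app_virtual(self, app: str, permission: str, value: Any) -> None:
        """Give one application its own virtual value (settings-interface case)."""
        self.per_app_virtual[(app, permission)] = value

    def _decide(self, app: str, permission: str) -> Grant:
        key = (app, permission)
        if key not in self.table:
            # S302 found no record, so S303 asks the user once and records the choice.
            self.table[key] = self.prompt(app, permission)
        return self.table[key]

    def request_permission(self, app: str, permission: str) -> bool:
        """The application sees success for both Allow and Virtual.
        Assumption: a denied request is reported to the application as a failure."""
        return self._decide(app, permission) is not Grant.DENY

    def read(self, app: str, permission: str) -> Any:
        """S302, S304, S305: real value, virtual value, or None for Deny."""
        grant = self._decide(app, permission)
        self.audit.append((app, permission, grant))  # values are not logged
        if grant is Grant.ALLOW:
            return self.real_info[permission]
        if grant is Grant.VIRTUAL:
            return self.per_app_virtual.get((app, permission),
                                            self.virtual_info[permission])
        return None

    def trace_virtual_value(self, value: Any) -> List[str]:
        """Applications that were actually served this per-application virtual value."""
        served = {(a, p) for a, p, g in self.audit if g is Grant.VIRTUAL}
        return sorted(a for (a, p) in served
                      if self.per_app_virtual.get((a, p)) == value)


def scripted_prompt(choices: Dict[str, Grant]):
    """Test double for the dialog: answers from a dict and records each prompt."""
    calls: List[Key] = []

    def prompt(app: str, permission: str) -> Grant:
        calls.append((app, permission))
        return choices[app]

    return prompt, calls


def demo() -> Dict[str, Any]:
    prompt, calls = scripted_prompt({
        "com.example.maps": Grant.ALLOW,
        "com.example.torch": Grant.VIRTUAL,
        "com.example.game": Grant.DENY,
    })
    pc = PermissionController(prompt=prompt, real_info=REAL_INFO)
    pc.load_virtual_profile(VIRTUAL_PROFILE)
    pc.set_app_virtual("com.example.torch", LOCATION, (10.0, 20.0))
    result = {app: pc.read(app, LOCATION)
              for app in ("com.example.maps", "com.example.torch", "com.example.game")}
    result["prompts"] = len(calls)
    return result


if __name__ == "__main__":
    print(demo())
```
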
Based on the same inventive concept, the present disclosure provides a further embodiment, a permission control apparatus. FIG. 4 is a structural diagram of a permission control apparatus according to an embodiment of the present disclosure. The apparatus may include:
an information processing module, configured to: receive a request from an application to obtain sensitive information; and, based on the request and on the application's permission to obtain sensitive information, allow the application to obtain real sensitive information or virtual sensitive information in the terminal;
a storage module, configured to: store the virtual sensitive information and the permission configuration table.
With this apparatus, even when the application has not been given permission for real sensitive information, it can be notified in response to its request that it has obtained the requested permission, so the application runs normally and can be used without real sensitive information being provided. This effectively prevents leakage of the user's sensitive information and also makes it possible to check which applications may pose a security risk.
Optionally, the apparatus further includes:
a human-computer interaction module, configured so that, when an application requests permission for sensitive information, a sensitive information permission selection option can be provided through the human-computer interaction module, allowing the application to obtain the virtual sensitive information permission, which is recorded in the permission configuration table.
Through the human-computer interaction module, the user's choice of virtual permission configuration for an application can be received and recorded in the permission configuration table, which makes it easier to control the specific permissions of that application.
Based on the same inventive concept, the present disclosure provides a further embodiment. FIG. 5 is a structural diagram of a permission control terminal according to an embodiment of the present disclosure. As shown in FIG. 5, the terminal may include:
a processor, configured to: receive a request from an application to obtain sensitive information; and, based on the request and on the application's permission to obtain sensitive information, allow the application to obtain real sensitive information or virtual sensitive information in the terminal; the permission is configured through a permission configuration table and includes a first permission, which allows the application to access real sensitive information, and a second permission, which allows the application to access virtual sensitive information.
With this terminal, even when the application has not been given permission for real sensitive information, it can be notified in response to its request that it has obtained the requested permission, so the application runs normally and can be used without real sensitive information being provided. This effectively prevents leakage of the user's sensitive information and also makes it possible to check which applications may pose a security risk.
Embodiments of the present disclosure also provide a computer-readable storage medium storing computer-executable instructions which, when executed, implement the application permission control method described above.
Those skilled in the art will appreciate that the modules or steps of the embodiments of the present disclosure described above can be implemented with general-purpose computing devices. They can be concentrated on a single computing device or distributed over a network of several computing devices. Optionally, they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by a computing device; in some cases the steps shown or described can be performed in an order different from the one given here, or they can each be made into a separate integrated circuit module, or several of the modules or steps can be made into a single integrated circuit module. Embodiments of the present disclosure are thus not limited to any specific combination of hardware and software.
Those of ordinary skill in the art will appreciate that all or some of the steps of the methods disclosed above, and the functional modules/units of the systems and apparatuses, can be implemented as software, firmware, hardware, or suitable combinations thereof. In a hardware implementation, the division between the functional modules/units mentioned in the above description does not necessarily correspond to a division of physical components; for example, one physical component may have several functions, or one function or step may be performed by several physical components in cooperation. Some or all of the components may be implemented as software executed by a processor, such as a digital signal processor or a microprocessor, or as hardware, or as an integrated circuit, such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). As is well known to those of ordinary skill in the art, the term computer storage media includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information (such as computer-readable instructions, data structures, program modules or other data). Computer storage media include, but are not limited to, random access memory (RAM, Random Access Memory), read-only memory (ROM, Read-Only Memory), electrically erasable programmable read-only memory (EEPROM, Electrically Erasable Programmable Read-only Memory), flash memory or other memory technology, compact disc read-only memory (CD-ROM, Compact Disc Read-Only Memory), digital versatile disc (DVD) or other optical disc storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer. In addition, as is well known to those of ordinary skill in the art, communication media typically contain computer-readable instructions, data structures, program modules, or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.
Those of ordinary skill in the art will understand that modifications or equivalent substitutions may be made to the technical solutions of the present disclosure without departing from their spirit and scope, and all such modifications and substitutions shall fall within the scope of the claims of the present disclosure.
Industrial applicability
With the embodiments of the present disclosure, even when an application has not been given permission for real sensitive information, the application can be notified in response to its request that it has obtained the requested permission, so the application runs normally and can be used without real sensitive information being provided.

Claims (11)

  1. An application permission control method, comprising:
    receiving a request from an application to obtain sensitive information;
    based on the request and on the application's permission to obtain sensitive information, allowing the application to obtain real sensitive information or virtual sensitive information in the terminal; wherein the permission is configured through a permission configuration table and includes a first permission that allows the application to access real sensitive information and a second permission that allows the application to access virtual sensitive information.
  2. The application permission control method according to claim 1, wherein the method for configuring the permission comprises: when a request from the application for permission to obtain sensitive information is received, recording in the permission configuration table the second permission that allows the application to access virtual sensitive information, and returning to the application a result indicating that the permission request succeeded.
  3. The application permission control method according to claim 1, wherein the method for configuring the permission configuration table comprises at least one of the following:
    setting through a settings interface;
    setting through parameters;
    setting through a permission selection interface.
  4. The application permission control method according to claim 1, wherein the sensitive information includes information involving user privacy.
  5. The application permission control method according to claim 4, wherein the information involving user privacy includes sensitive information corresponding to the Dangerous permissions defined by the Android system.
  6. The application permission control method according to claim 1, wherein the method for setting the virtual sensitive information comprises at least one of the following:
    setting through a settings interface;
    setting through parameters.
  7. The application permission control method according to claim 1, wherein the time at which the virtual sensitive information is loaded comprises at least one of the following:
    when the terminal starts;
    when the application accesses virtual sensitive information according to the permission.
  8. An apparatus with application permission control, comprising:
    an information processing module, configured to: receive a request from an application to obtain sensitive information; and, based on the request and on the application's permission to obtain sensitive information, allow the application to obtain real sensitive information or virtual sensitive information in the terminal;
    a storage module, configured to: store the virtual sensitive information and the permission configuration table.
  9. The apparatus with application permission control according to claim 8, further comprising:
    a human-computer interaction module, configured so that, when an application requests permission for sensitive information, a sensitive information permission selection option can be provided through the human-computer interaction module, allowing the application to obtain the virtual sensitive information permission, which is recorded in the permission configuration table.
  10. A terminal with application permission control, the terminal comprising a processor, wherein:
    the processor is configured to: receive a request from an application to obtain sensitive information; and, based on the request and on the application's permission to obtain sensitive information, allow the application to obtain real sensitive information or virtual sensitive information in the terminal; wherein the permission is configured through a permission configuration table and includes a first permission that allows the application to access real sensitive information and a second permission that allows the application to access virtual sensitive information.
  11. A computer-readable storage medium storing computer-executable instructions which, when executed, implement the application permission control method according to any one of claims 1 to 7.
PCT/CN2017/103182 2016-09-28 2017-09-25 Application permission control method and device, and terminal WO2018059351A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610856894.3A CN107871062A (en) 2016-09-28 2016-09-28 A kind of application permission control method, device and terminal
CN201610856894.3 2016-09-28

Publications (1)

Publication Number Publication Date
WO2018059351A1 true WO2018059351A1 (en) 2018-04-05

Family

ID=61750721

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/103182 WO2018059351A1 (en) 2016-09-28 2017-09-25 Application permission control method and device, and terminal

Country Status (2)

Country Link
CN (1) CN107871062A (en)
WO (1) WO2018059351A1 (en)

Also Published As

Publication number Publication date
CN107871062A (en) 2018-04-03

Similar Documents

Publication Publication Date Title
WO2018059351A1 (en) Application permission control method and device, and terminal
US10635793B2 (en) Restricted accounts on a mobile platform
US20160232374A1 (en) Permission control method and apparatus
US11604791B2 (en) Automatic resource ownership assignment systems and methods
US11514157B2 (en) Multi-user device
US20110173679A1 (en) Resource access based on multiple scope levels
US10877903B2 (en) Protected memory area
US8190636B2 (en) Method, apparatus and computer program product for providing object privilege modification
WO2013039649A1 (en) Securing data usage in computing devices
US9830099B1 (en) Secure erase of storage devices
US10831915B2 (en) Method and system for isolating application data access
WO2014190875A1 (en) System function call method, apparatus and terminal
CN111523098A (en) Data authority management method and device
US8621647B1 (en) Restricting privileges of first privileged process in operating system using second privileged process
CN109145621B (en) Document management method and device
CN115374481A (en) Data desensitization processing method and device, storage medium and electronic equipment
US9330016B2 (en) Systems and methods for managing read-only memory
EP3635604A2 (en) Access policies based on hdfs extended attributes
GB2515736A (en) Controlling access to one or more datasets of an operating system in use
EP3151154B1 (en) Data access control based on storage validation
US11175833B2 (en) Method for controlling a data storage device based on a user profile, and associated data storage device
US9754121B2 (en) System and methods for live masking file system access control entries
US9591553B1 (en) Content access based on mobile device geographical location
US11640249B2 (en) Access verification on portable mass storage devices
CN117785315A (en) Initialization configuration method, device, equipment and medium of multi-tenant system

Legal Events

Date Code Title Description
121 EP: The EPO has been informed by WIPO that EP was designated in this application
Ref document number: 17854801; Country of ref document: EP; Kind code of ref document: A1

NENP Non-entry into the national phase
Ref country code: DE

122 EP: PCT application non-entry in European phase
Ref document number: 17854801; Country of ref document: EP; Kind code of ref document: A1