WO2023124930A1 - Permission management method and apparatus, storage medium, and electronic device - Google Patents

Permission management method and apparatus, storage medium, and electronic device Download PDF

Info

Publication number
WO2023124930A1
WO2023124930A1 PCT/CN2022/138302 CN2022138302W WO2023124930A1 WO 2023124930 A1 WO2023124930 A1 WO 2023124930A1 CN 2022138302 W CN2022138302 W CN 2022138302W WO 2023124930 A1 WO2023124930 A1 WO 2023124930A1
Authority
WO
WIPO (PCT)
Prior art keywords
host
permission
application
host application
api
Prior art date
Application number
PCT/CN2022/138302
Other languages
French (fr)
Chinese (zh)
Inventor
钟炳鑫
金炼城
Original Assignee
北京有竹居网络技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 北京有竹居网络技术有限公司 filed Critical 北京有竹居网络技术有限公司
Publication of WO2023124930A1 publication Critical patent/WO2023124930A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes

Definitions

  • the present disclosure relates to the technical field of rights management, and in particular, to a rights management method, device, storage medium and electronic equipment.
  • the game box is the main way for the game industry to realize the game platform and distribution.
  • the installation-free gameplay based on virtual middleware has become a common implementation method of game boxes in the industry.
  • the virtual middleware adopts the virtual Android system. Framework, the game application running in the installation-free mode can be installed in the virtual middleware layer.
  • the Android system grants permissions in units of applications. As long as the host application (such as a game box) is authorized, all applications installed in the host can share the permissions obtained by the host. User privacy cannot be guaranteed.
  • the present disclosure provides a rights management method, including:
  • the present disclosure provides a rights management device, including:
  • the first Hook module is used to intercept the call of the first API by the host application installed in the host application through the first Hook function; wherein, at least one host application is installed in the host application, and the first API Used to apply for the first permission to the operating system;
  • a permission application management module configured to grant the host application the first permission when the operating system grants the first permission to the host application and the user grants the first permission to the host application the first authority.
  • the present disclosure provides a computer-readable storage medium on which a computer program is stored, and when the program is executed by a processing device, the steps of the method described in the first aspect are implemented.
  • an electronic device including:
  • a processing device configured to execute the computer program in the storage device to implement the steps of the method in the first aspect.
  • the first Hook function is used to hook the first API call, and the first Hook function first obtains the control right, so as to control the authority from the dimension of the application in the host, so that only when the "operating system grants" is satisfied at the same time Only when the host application permission" and "the user chooses to grant the application permission in the host", the application permission in the host is finally granted.
  • the application permission in the host will not be granted, so that Ensure that the permissions of the host applications installed in the host application cannot be shared.
  • all authorizations require the user to perform an authorization operation. Multiple host applications cannot share permissions with each other without the user's awareness, thereby protecting user privacy.
  • Fig. 1 is a flowchart of a rights management method shown according to an exemplary embodiment
  • Fig. 2 is the specific flowchart of step S120 among Fig. 1;
  • Fig. 3 is another specific flowchart of step S120 in Fig. 1;
  • Fig. 4 is another flowchart of a rights management method according to an exemplary embodiment
  • Fig. 5 is another flowchart of a rights management method according to an exemplary embodiment
  • Fig. 6 is a schematic diagram of implementation of a rights management method according to an exemplary embodiment
  • Fig. 7 is another flowchart of a rights management method according to an exemplary embodiment
  • Fig. 8 is a block diagram of a rights management device according to an exemplary embodiment
  • Fig. 9 is a block diagram of an electronic device according to an exemplary embodiment.
  • the term “comprise” and its variations are open-ended, ie “including but not limited to”.
  • the term “based on” is “based at least in part on”.
  • the term “one embodiment” means “at least one embodiment”; the term “another embodiment” means “at least one further embodiment”; the term “some embodiments” means “at least some embodiments.” Relevant definitions of other terms will be given in the description below.
  • the disclosed embodiments provide a permission management method, which performs permission management and control from the dimension of a single application in a host application.
  • Fig. 1 is a flowchart of a rights management method according to an exemplary embodiment.
  • the rights management method is executed by an electronic device. As shown in Fig. 1, the method includes the following steps:
  • Step S110 intercept the call of the first application program interface (Application Programming Interface, API) by the host application installed in the host application through the first Hook function; wherein, the application in the host applies to the operating system for the first API by calling the first API. a permission.
  • API Application Programming Interface
  • At least one application (called an application in the host) is installed in the host application program.
  • the host application program is a game box
  • the application in the host is a game application installed in the game box.
  • the first API is used to apply for permission from the operating system, and the first permission refers to the permission applied to the operating system by the application in the host calling the first API this time.
  • the first API includes, but is not limited to, requestPermission or requestPermissions.
  • Step S120 when the operating system grants the first permission to the host application and the user grants the first permission to the host application, grant the first permission to the host application.
  • step S120 may include, but is not limited to, any processing flow in FIG. 2 or FIG. 3 .
  • FIG. 2 shows a specific flow chart of executing step S120 after intercepting a call to the first API by an application in the host.
  • step S120 includes:
  • Step S210 apply to the operating system for granting the first permission to the host application; if the operating system grants the first permission to the host application, execute step S220; if the operating system does not grant the first permission to the host application, execute step S240.
  • Step S220 generate an interactive page asking the user whether to grant the first permission to the application in the host; if the user performs an authorization operation to grant the first permission to the application in the host, then perform step S230, if the user makes an authorization operation to the application in the host For the denial operation of granting the first permission, step S240 is executed.
  • Step S230 granting the first permission to the host application.
  • Step S240 refusing to grant the first permission to the application in the host.
  • the first permission is granted to the application in the host.
  • the operating system when the operating system does not grant the host application the first permission, or in response to a user's rejection operation on the interactive page, it refuses to grant the first permission to the host application.
  • the operating system does not grant the first permission to the host application, it can directly refuse to grant the first permission to the application in the host, without having to perform subsequent inquiries whether the user grants permission to the application in the host.
  • the first permission step reduces the interruption to the user.
  • FIG. 3 shows another specific flow chart of executing step S120 after intercepting the call of the first API by the application in the host.
  • step S120 includes:
  • Step S310 generate an interactive page asking the user whether to grant the first permission to the application in the host; if the user performs an authorization operation to grant the first permission to the application in the host, then perform step S320, if the user makes an authorization operation to the application in the host For the denial operation of granting the first permission, step S340 is performed.
  • Step S320 applying to the operating system for granting the first permission to the host application.
  • step S330 After intercepting the call of the first API by the application in the host, first ask the user whether to grant the first permission to the application in the host, and then apply to the operating system for granting the first permission to the application in the host if the user chooses to grant the first permission to the application in the host For the first permission, if the operating system grants the host application the first permission, execute step S330; if the operating system does not grant the host application the first permission, execute step S340.
  • Step S330 granting the first permission to the host application.
  • Step S340 refusing to grant the first permission to the host application.
  • each in-host application is installed in the virtual middleware layer in the host application, only the role of the host application can be known to the system layer, and the role of the in-host application in the host application is agnostic , if the permission management method provided by the embodiment of the present disclosure is not used, the system can only manage the permission at the host application level, and all permissions granted by the system are for the host application and all the permissions installed in the host application. For applications in the host, the system layer cannot implement permission control of a single application dimension. Once the host application is authorized by the system, all applications installed in the host application can obtain the same permissions.
  • the first Hook function is used to hook the first API call, and the first Hook function first obtains the control right, so as to control the authority from the dimension of a single game application, so that only when the "operating system grants the game box" is satisfied at the same time Permission P” and “User chooses to grant the game application permission P” before finally granting the game application permission P.
  • FIG. 4 is another flowchart of a rights management method according to an exemplary embodiment. As shown in FIG. 4, the method further includes the following steps:
  • Step S410 intercepting the call to the second API by the host application installed in the host application program through the second Hook function; wherein, the host application requests the operating system to verify whether it is authorized to have the second permission by calling the second API.
  • the second API is used to request verification permission from the operating system
  • the second permission refers to the permission of the application in the host to call the second API to request verification from the operating system.
  • the second API includes, but is not limited to, checkPermission or checkPermissions.
  • Step S420 in the case that the operating system has granted the second permission to the host application and the user has granted the second permission to the host application, return authorized to the host application, otherwise return unauthorized to the host application .
  • the application in the host invokes the second API to request the operating system to verify whether the second authority is authorized, if the system has authorized the second authority to the host application, it will The application in the host is directly considered to have the second permission. If the system has not authorized the second permission to the host application, it will be considered that the application in the host does not have the second permission.
  • the second Hook function is used to hook the second API call, and the second Hook function first obtains the control right, so as to determine whether the application in the host is granted the second permission from the dimension of a single application, if The application in the host has been granted the second permission through steps S110-S120 before, then return the authorized to the application in the host, otherwise return unauthorized to the application in the host.
  • the operating system has granted the second permission to the host application
  • the user has granted the second permission to the application in the host
  • Authorization otherwise return Unauthorized to the application in the host.
  • FIG. 5 is another flowchart of a rights management method according to an exemplary embodiment. As shown in FIG. 5, the method further includes the following steps:
  • Step S510 intercepting the call of the third API by the host application installed in the host application program through the third Hook function; wherein, the third API is a system API that needs to be called with corresponding permissions.
  • the third API includes but is not limited to camera API, recorder API, API for obtaining International Mobile Equipment Identity (IMEI) and other system APIs that need to be called with corresponding permissions.
  • the camera API is allowed to be called only when the app in the host has the corresponding camera permission.
  • the recorder API is allowed to be called only when the app in the host has the corresponding recording permission.
  • the application is not allowed to call the third API.
  • Step S520 in the case that the operating system has granted the corresponding permission of the third API to the host application, and the user has granted the corresponding permission to the application in the host, allow the application in the host to call the third API, otherwise deny the application in the host The application in the host calls the third API.
  • the host application or application A in the host applies to the operating system for camera permissions. Once the operating system agrees to the application, the host application and all applications in the host can share Camera permissions, so that the camera API can be called and the camera can be started.
  • the third Hook function to hook the third API (such as the camera API) that needs the corresponding authority to call
  • the third Hook function first obtains the control right, so as to determine the host from the dimension of a single application. Whether the application has been granted the camera permission required to call the camera API. If the application in the host has been granted the camera permission through steps S110-S120 before, the application in the host is allowed to call the camera API and start the camera, otherwise the host is rejected
  • the internal application calls the camera API, and returns a call exception or call failure to the host internal application. Specifically, only when the operating system has granted the camera permission to the host application and the user has granted the camera permission to the application in the host, the application in the host can call the camera API and start the camera, otherwise the call will fail.
  • Fig. 6 is a schematic diagram of implementation of the rights management method shown in the above embodiments.
  • the embodiment of the present disclosure utilizes JVM (Java Virtual Machine, Java virtual machine)/ART (Android RunTime) virtual machine Hook technology and C/C++ Hook technology, etc., to the permission-related APIs of the Android system (including The first API and the second API) and each system API (the third API) that requires permission calls are intercepted, and after the interception, permission management is performed with the application in the host as the dimension.
  • JVM Java Virtual Machine, Java virtual machine
  • ART Android RunTime virtual machine Hook technology
  • C/C++ Hook technology etc.
  • the second API After intercepting the second API for verifying whether the second permission is authorized, verify whether the host application that calls the second API is authorized to have the second permission, and the operating system has granted the second permission to the host application, And only when the user has granted the second permission to the application in the host, the authorization is returned to the application in the host, otherwise, the unauthorized is returned to the application in the host.
  • the third API that needs permission to call determine whether the host application that calls the third API this time has the corresponding permission required to call the third API. Specifically, the operating system has granted the corresponding permission to the host application, and The application in the host is allowed to call the third API only when the user has granted the corresponding permission to the application in the host.
  • FIG. 7 is another flowchart of a rights management method according to an exemplary embodiment, so as to solve the above-mentioned problem. As shown in Figure 7, the method includes the following steps:
  • Step S610 using the fourth Hook function to intercept the call of the fourth API by the host application installed in the host application; wherein, the fourth API is used to obtain the information of the installed host application in the host application.
  • the fourth API includes an API for obtaining information about a list of installed applications in the host application, such as getInstalledPackages, getInstalledPackagesAsUser, getInstalledApplications, getInstalledApplicationsAsUser, etc., and also includes an API for obtaining a single installed application in the host application. APIs for information of applications in the host, for example, getPackageInfo, getApplicationInfo, etc.
  • Step S620 returning the self-information of the application in the host to the application in the host.
  • the information of the installed application list in the host application or the information of a single installed application in the host is not returned to the application in the host, but the information of the installed application in the host is returned. Self-information of the application in the host.
  • the embodiment of the present disclosure utilizes Hook technologies such as JVM/ART virtual machine Hook and C/C++ Hook to intercept the fourth API used to obtain the installed host application information in the host application program, so that each host application can It can only perceive its own information, but cannot obtain the information of other host applications, so that multiple host applications installed in the host application are isolated from each other, thereby protecting user privacy.
  • Hook technologies such as JVM/ART virtual machine Hook and C/C++ Hook
  • the API called by the host application is intercepted. Only when the operating system grants the host application permission, and the user also grants the permission to the host application, the actual grant This permission is applied in the host, and the application in the host cannot obtain the user's private information by calling the system API without the user's awareness.
  • each application installed in the host application is isolated from each other, and it is not aware of whether other applications are installed, which effectively improves security.
  • the rights management device 700 includes:
  • the first Hook module 710 is configured to intercept the call of the first API by the host application installed in the host application through the first Hook function; wherein, at least one host application is installed in the host application, and the first The API is used to apply for the first permission to the operating system;
  • a permission application management module 720 configured to grant the host application the first permission when the operating system grants the first permission to the host application and the user grants the first permission to the host application the first authority.
  • the permission application management module 720 is used to:
  • the first permission is granted to the host application.
  • the permission application management module 720 is used to:
  • the device 700 also includes:
  • the second Hook module is used to intercept the call of the second API by the host application installed in the host application program through the second Hook function; wherein, the second API is used to request the operating system to verify whether the authorization has the second permission ;
  • a permission verification management module configured to send the host application the second permission if the operating system has granted the second permission to the host application and the user has granted the second permission to the host application.
  • the internal application returns authorized, otherwise returns unauthorized to the host internal application.
  • the device 700 also includes:
  • the third Hook module is used to intercept the call of the third API by the host application installed in the host application program through the third Hook function; wherein, the third API is a system API that needs to be called with corresponding permissions;
  • a call permission management module configured to allow the application in the host to call The third API, otherwise deny the application in the host to call the third API.
  • the device 700 also includes:
  • the fourth Hook module is used to intercept the call of the fourth API by the host application installed in the host application through the fourth Hook function; wherein, the fourth API is used to obtain the information of the installed host application in the host application ;
  • An information isolation module configured to return the self-information of the application in the host to the application in the host.
  • an embodiment of the present disclosure further provides a computer-readable storage medium on which a computer program is stored, and when the program is executed by a processing device, the rights management method provided by the embodiment of the present disclosure is implemented.
  • an electronic device including:
  • a processing device configured to execute the computer program in the storage device, so as to implement the rights management method provided by the embodiments of the present disclosure.
  • FIG. 9 it shows a schematic structural diagram of an electronic device 800 suitable for implementing the embodiments of the present disclosure.
  • the electronic equipment in the embodiment of the present disclosure may include but not limited to such as mobile phone, notebook computer, digital broadcast receiver, PDA (personal digital assistant), PAD (tablet computer), PMP (portable multimedia player), vehicle terminal (such as mobile terminals such as car navigation terminals) and fixed terminals such as digital TVs, desktop computers and the like.
  • the electronic device shown in FIG. 9 is only an example, and should not limit the functions and application scope of the embodiments of the present disclosure.
  • an electronic device 800 may include a processing device (such as a central processing unit, a graphics processing unit, etc.) Various appropriate actions and processes are executed by programs in the memory (RAM) 803 .
  • RAM 803 various programs and data necessary for the operation of the electronic device 800 are also stored.
  • the processing device 801, the ROM 802, and the RAM 803 are connected to each other through a bus 804.
  • An input/output (I/O) interface 805 is also connected to the bus 804 .
  • the following devices can be connected to the I/O interface 805: input devices 806 including, for example, a touch screen, touchpad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; including, for example, a liquid crystal display (LCD), speaker, vibration an output device 807 such as a computer; a storage device 808 including, for example, a magnetic tape, a hard disk, etc.; and a communication device 809.
  • the communication means 809 may allow the electronic device 800 to communicate with other devices wirelessly or by wire to exchange data. While FIG. 9 shows electronic device 800 having various means, it is to be understood that implementing or having all of the means shown is not a requirement. More or fewer means may alternatively be implemented or provided.
  • embodiments of the present disclosure include a computer program product, which includes a computer program carried on a non-transitory computer readable medium, where the computer program includes program code for executing the method shown in the flowchart.
  • the computer program may be downloaded and installed from a network via communication means 809, or from storage means 808, or from ROM 802.
  • the processing device 801 the above-mentioned functions defined in the methods of the embodiments of the present disclosure are executed.
  • the computer-readable medium mentioned above in the present disclosure may be a computer-readable signal medium or a computer-readable storage medium or any combination of the two.
  • a computer readable storage medium may be, for example, but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, device, or device, or any combination thereof. More specific examples of computer-readable storage media may include, but are not limited to, electrical connections with one or more wires, portable computer diskettes, hard disks, random access memory (RAM), read-only memory (ROM), erasable Programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage device, magnetic storage device, or any suitable combination of the above.
  • a computer-readable storage medium may be any tangible medium that contains or stores a program that can be used by or in conjunction with an instruction execution system, apparatus, or device.
  • a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave carrying computer-readable program code therein. Such propagated data signals may take many forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination of the foregoing.
  • a computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium, which can transmit, propagate, or transmit a program for use by or in conjunction with an instruction execution system, apparatus, or device .
  • Program code embodied on a computer readable medium may be transmitted by any appropriate medium, including but not limited to wires, optical cables, RF (radio frequency), etc., or any suitable combination of the above.
  • the above-mentioned computer-readable medium may be included in the above-mentioned electronic device, or may exist independently without being incorporated into the electronic device.
  • the above-mentioned computer-readable medium carries one or more programs, and when the above-mentioned one or more programs are executed by the electronic device, the electronic device: uses the first Hook function to intercept the host application installed in the host application program to the first API call; wherein, at least one application in the host is installed in the host application, and the first API is used to apply for a first permission from the operating system; the operating system grants the first permission to the host application If the user grants the first permission to the application in the host, grant the first permission to the application in the host.
  • Computer program code for carrying out operations of the present disclosure may be written in one or more programming languages, or combinations thereof, including but not limited to object-oriented programming languages—such as Java, Smalltalk, C++, and Includes conventional procedural programming languages - such as "C" or similar programming languages.
  • the program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server.
  • the remote computer may be connected to the user computer through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computer (for example, using an Internet service provider to connected via the Internet).
  • LAN local area network
  • WAN wide area network
  • Internet service provider for example, using an Internet service provider to connected via the Internet.
  • each block in a flowchart or block diagram may represent a module, program segment, or portion of code that contains one or more logical functions for implementing specified executable instructions.
  • the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or they may sometimes be executed in the reverse order, depending upon the functionality involved.
  • each block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations can be implemented by a dedicated hardware-based system that performs the specified functions or operations , or may be implemented by a combination of dedicated hardware and computer instructions.
  • the modules involved in the embodiments described in the present disclosure may be implemented by software or by hardware. Among them, the name of the module does not constitute a limitation on the module itself under certain circumstances.
  • the first Hook module can also be described as "intercepting the first Hook application installed in the host application through the first Hook function. API call module”.
  • FPGAs Field Programmable Gate Arrays
  • ASICs Application Specific Integrated Circuits
  • ASSPs Application Specific Standard Products
  • SOCs System on Chips
  • CPLD Complex Programmable Logical device
  • a machine-readable medium may be a tangible medium that may contain or store a program for use by or in conjunction with an instruction execution system, apparatus, or device.
  • a machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium.
  • a machine-readable medium may include, but is not limited to, electronic, magnetic, optical, electromagnetic, infrared, or semiconductor systems, apparatus, or devices, or any suitable combination of the foregoing.
  • machine-readable storage media would include one or more wire-based electrical connections, portable computer discs, hard drives, random access memory (RAM), read only memory (ROM), erasable programmable read only memory (EPROM or flash memory), optical fiber, compact disk read only memory (CD-ROM), optical storage, magnetic storage, or any suitable combination of the foregoing.
  • RAM random access memory
  • ROM read only memory
  • EPROM or flash memory erasable programmable read only memory
  • CD-ROM compact disk read only memory
  • magnetic storage or any suitable combination of the foregoing.
  • Example 1 provides a rights management method, including:
  • Example 2 provides the method of Example 1, the operating system grants the first permission to the host application, and the user grants the first permission to the host application In the case of the first permission, granting the first permission to the host application includes:
  • the first permission is granted to the host application.
  • Example 3 provides the method of Example 1, the operating system grants the first permission to the host application, and the user grants the first permission to the host application In the case of the first permission, granting the first permission to the host application includes:
  • Example 4 provides the method of Example 1, further comprising:
  • the operating system has granted the second permission to the host application and the user has granted the second permission to the application in the host, return the authorization to the application in the host, otherwise send The in-host application returns Unauthorized.
  • Example 5 provides the method of Example 1, further comprising:
  • the third API is intercepted by the host application installed in the host application through the third Hook function; wherein, the third API is a system API that needs to be called with corresponding permissions;
  • Example 6 provides the method of Example 1, further comprising:
  • the self information of the application in the host is returned to the application in the host.
  • Example 7 provides a rights management device, including:
  • the first Hook module is used to intercept the call of the first API by the host application installed in the host application through the first Hook function; wherein, at least one host application is installed in the host application, and the first API Used to apply for the first permission to the operating system;
  • a permission application management module configured to grant the host application the first permission when the operating system grants the first permission to the host application and the user grants the first permission to the host application the first permission.
  • Example 8 provides the device of Example 7, and the rights application management module is used for:
  • the first permission is granted to the host application.
  • Example 9 provides the device of Example 7, and the rights application management module is used for:
  • Example 10 provides the device of Example 7, further comprising:
  • the second Hook module is used to intercept the call of the second API by the host application installed in the host application program through the second Hook function; wherein, the second API is used to request the operating system to verify whether the authorization has the second permission ;
  • a permission verification management module configured to send the host application the second permission if the operating system has granted the second permission to the host application and the user has granted the second permission to the host application.
  • the internal application returns authorized, otherwise returns unauthorized to the host internal application.
  • Example 11 provides the device of Example 7, further comprising:
  • the third Hook module is used to intercept the call of the third API by the host application installed in the host application program through the third Hook function; wherein, the third API is a system API that needs to be called with corresponding permissions;
  • a call permission management module configured to allow the application in the host to call The third API, otherwise deny the application in the host to call the third API.
  • Example 12 provides the device of Example 7, further comprising:
  • the fourth Hook module is used to intercept the call of the fourth API by the host application installed in the host application through the fourth Hook function; wherein, the fourth API is used to obtain the information of the installed host application in the host application ;
  • An information isolation module configured to return the self-information of the application in the host to the application in the host.
  • Example 13 provides a computer-readable storage medium, on which a computer program is stored, and when the program is executed by a processing device, the method described in any one of Examples 1 to 6 is implemented. A step of.
  • Example 14 provides an electronic device, comprising:
  • a processing device configured to execute the computer program in the storage device, so as to implement the steps of the method in any one of examples 1 to 6.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)
  • Lock And Its Accessories (AREA)

Abstract

The present disclosure relates to a permission management method and apparatus, a storage medium, and an electronic device. The method comprises: intercepting, by means of a first hook function, a call to a first API by an in-host application installed in a host application, at least one in-host application being installed in the host application, and the first API being used for applying for a first permission to an operating system; and granting the first permission to the in-host application under a condition that the operating system grants the first permission to the host application and a user grants the first permission to the in-host application.

Description

权限管理方法、装置、存储介质及电子设备Rights management method, device, storage medium and electronic equipment
本公开要求于2021年12月27日提交的,申请名称为“权限管理方法、装置、存储介质及电子设备”的、中国专利申请号为“202111616976.8”的优先权,该中国专利申请的全部内容通过引用结合在本公开中。This disclosure claims the priority of the Chinese patent application number "202111616976.8" filed on December 27, 2021, with the title of "authority management method, device, storage medium and electronic equipment", and the entire content of the Chinese patent application Incorporated by reference in this disclosure.
技术领域technical field
本公开涉及权限管理技术领域,具体地,涉及一种权限管理方法、装置、存储介质及电子设备。The present disclosure relates to the technical field of rights management, and in particular, to a rights management method, device, storage medium and electronic equipment.
背景技术Background technique
游戏盒子是游戏行业实现游戏平台和分发的主要方式,而利用Android(安卓)的开源特性,以虚拟中间件为基础的免安装游戏玩法成为业内游戏盒子常见实现方式,虚拟中间件采用虚拟Android系统框架,以免安装方式运行的游戏应用可在虚拟中间件层进行安装。但这种免安装玩法存在严重问题,Android系统授予权限是以应用程序为单位的,只要宿主应用程序(如游戏盒子)获得授权后,在宿主内安装的所有应用都可以共享宿主获得的权限,用户隐私无法保障。The game box is the main way for the game industry to realize the game platform and distribution. Using the open source feature of Android (Android), the installation-free gameplay based on virtual middleware has become a common implementation method of game boxes in the industry. The virtual middleware adopts the virtual Android system. Framework, the game application running in the installation-free mode can be installed in the virtual middleware layer. However, there are serious problems in this installation-free gameplay. The Android system grants permissions in units of applications. As long as the host application (such as a game box) is authorized, all applications installed in the host can share the permissions obtained by the host. User privacy cannot be guaranteed.
发明内容Contents of the invention
提供该发明内容部分以便以简要的形式介绍构思,这些构思将在后面的具体实施方式部分被详细描述。该发明内容部分并不旨在标识要求保护的技术方案的关键特征或必要特征,也不旨在用于限制所要求的保护的技术方案的范围。This Summary is provided to introduce a simplified form of concepts that are described in detail later in the Detailed Description. This summary of the invention is not intended to identify key features or essential features of the claimed technical solution, nor is it intended to be used to limit the scope of the claimed technical solution.
第一方面,本公开提供一种权限管理方法,包括:In a first aspect, the present disclosure provides a rights management method, including:
通过第一Hook函数拦截宿主应用程序内安装的宿主内应用对第一API的调用;其中,所述宿主应用程序内安装有至少一个宿主内应用,所述第一API用于向操作系统申请第一权限;Intercept calls to the first API by the host application installed in the host application through the first Hook function; wherein, at least one host application is installed in the host application, and the first API is used to apply to the operating system for the first API a authority;
在所述操作系统对所述宿主应用程序授予所述第一权限,且用户对所述宿主内应用授予所述第一权限的情况下,授予所述宿主内应用所述第一权限。When the operating system grants the first permission to the host application, and the user grants the first permission to the application in the host, grant the first permission to the application in the host.
第二方面,本公开提供一种权限管理装置,包括:In a second aspect, the present disclosure provides a rights management device, including:
第一Hook模块,用于通过第一Hook函数拦截宿主应用程序内安装的宿主内应用对第一API的调用;其中,所述宿主应用程序内安装有至少一个宿主内应用,所述第一API用于向操作系统申请第一权限;The first Hook module is used to intercept the call of the first API by the host application installed in the host application through the first Hook function; wherein, at least one host application is installed in the host application, and the first API Used to apply for the first permission to the operating system;
权限申请管理模块,用于在所述操作系统对所述宿主应用程序授予所述第一权限,且用户对所述宿主内应用授予所述第一权限的情况下,授予所述宿主内应用所述第一权限。A permission application management module, configured to grant the host application the first permission when the operating system grants the first permission to the host application and the user grants the first permission to the host application the first authority.
第三方面,本公开提供一种计算机可读存储介质,其上存储有计算机程序,该程序被处理装置执行时实现第一方面所述方法的步骤。In a third aspect, the present disclosure provides a computer-readable storage medium on which a computer program is stored, and when the program is executed by a processing device, the steps of the method described in the first aspect are implemented.
第四方面,本公开提供一种电子设备,包括:In a fourth aspect, the present disclosure provides an electronic device, including:
存储装置,其上存储有计算机程序;a storage device on which a computer program is stored;
处理装置,用于执行所述存储装置中的所述计算机程序,以实现第一方面所述方法的步骤。A processing device configured to execute the computer program in the storage device to implement the steps of the method in the first aspect.
在上述技术方案中,通过第一Hook函数对第一API调用进行Hook,由第一Hook函数先取得控制权,从而从宿主内应用的维度对权限进行管控,使得只有在同时满足“操作系统授予宿主应用程序权限”和“用户选择授予该宿主内应用权限”的情况下,才最终授予该宿主内应用权限,当上述任一项条件不满足时,均不会授予该宿主内应用权限,从而保证宿主应用程序内安装的宿主内应用间的权限不能共享,同时所有授权都需要用户作出授权操作,不能在用户无感知的情况下让多个宿主内应用彼此共享权限,从而保护用户隐私。In the above technical solution, the first Hook function is used to hook the first API call, and the first Hook function first obtains the control right, so as to control the authority from the dimension of the application in the host, so that only when the "operating system grants" is satisfied at the same time Only when the host application permission" and "the user chooses to grant the application permission in the host", the application permission in the host is finally granted. When any of the above conditions is not met, the application permission in the host will not be granted, so that Ensure that the permissions of the host applications installed in the host application cannot be shared. At the same time, all authorizations require the user to perform an authorization operation. Multiple host applications cannot share permissions with each other without the user's awareness, thereby protecting user privacy.
本公开的其他特征和优点将在随后的具体实施方式部分予以详细说明。Other features and advantages of the present disclosure will be described in detail in the detailed description that follows.
附图说明Description of drawings
结合附图并参考以下具体实施方式,本公开各实施例的上述和其他特征、优点及方面将变得更加明显。贯穿附图中,相同或相似的附图标记表示相同或相似的元素。应当理解附图是示意性的,原件和元素不一定按照比例绘制。在附图中:The above and other features, advantages and aspects of the various embodiments of the present disclosure will become more apparent with reference to the following detailed description in conjunction with the accompanying drawings. Throughout the drawings, the same or similar reference numerals denote the same or similar elements. It should be understood that the drawings are schematic and that elements and elements are not necessarily drawn to scale. In the attached picture:
图1是根据一示例性实施例示出的权限管理方法的流程图;Fig. 1 is a flowchart of a rights management method shown according to an exemplary embodiment;
图2是图1中步骤S120的具体流程图;Fig. 2 is the specific flowchart of step S120 among Fig. 1;
图3是图1中步骤S120的又一具体流程图;Fig. 3 is another specific flowchart of step S120 in Fig. 1;
图4是根据一示例性实施例示出的权限管理方法的又一流程图;Fig. 4 is another flowchart of a rights management method according to an exemplary embodiment;
图5是根据一示例性实施例示出的权限管理方法的又一流程图;Fig. 5 is another flowchart of a rights management method according to an exemplary embodiment;
图6是根据一示例性实施例示出的权限管理方法的实施示意图;Fig. 6 is a schematic diagram of implementation of a rights management method according to an exemplary embodiment;
图7是根据一示例性实施例示出的权限管理方法的又一流程图;Fig. 7 is another flowchart of a rights management method according to an exemplary embodiment;
图8是根据一示例性实施例示出的权限管理装置的框图;Fig. 8 is a block diagram of a rights management device according to an exemplary embodiment;
图9是根据一示例性实施例示出的电子设备的框图。Fig. 9 is a block diagram of an electronic device according to an exemplary embodiment.
具体实施方式Detailed ways
下面将参照附图更详细地描述本公开的实施例。虽然附图中显示了本公开的某些实施例,然而应当理解的是,本公开可以通过各种形式来实现,而且不应该被解释为限于这里阐述的实施例,相反提供这些实施例是为了更加透彻和完整地理解本公开。应当理解的是,本公开的附图及实施例仅用于示例性作用,并非用于限制本公开的保护范围。Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. Although certain embodiments of the present disclosure are shown in the drawings, it should be understood that the disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein; A more thorough and complete understanding of the present disclosure. It should be understood that the drawings and embodiments of the present disclosure are for exemplary purposes only, and are not intended to limit the protection scope of the present disclosure.
应当理解,本公开的方法实施方式中记载的各个步骤可以按照不同的顺序执行,和/或并行执行。此外,方法实施方式可以包括附加的步骤和/或省略执行示出的步骤。本公开的 范围在此方面不受限制。It should be understood that the various steps described in the method implementations of the present disclosure may be executed in different orders, and/or executed in parallel. Additionally, method embodiments may include additional steps and/or omit performing illustrated steps. The scope of the present disclosure is not limited in this respect.
本文使用的术语“包括”及其变形是开放性包括,即“包括但不限于”。术语“基于”是“至少部分地基于”。术语“一个实施例”表示“至少一个实施例”;术语“另一实施例”表示“至少一个另外的实施例”;术语“一些实施例”表示“至少一些实施例”。其他术语的相关定义将在下文描述中给出。As used herein, the term "comprise" and its variations are open-ended, ie "including but not limited to". The term "based on" is "based at least in part on". The term "one embodiment" means "at least one embodiment"; the term "another embodiment" means "at least one further embodiment"; the term "some embodiments" means "at least some embodiments." Relevant definitions of other terms will be given in the description below.
需要注意,本公开中提及的“第一”、“第二”等概念仅用于对不同的装置、模块或单元进行区分,并非用于限定这些装置、模块或单元所执行的功能的顺序或者相互依存关系。It should be noted that concepts such as "first" and "second" mentioned in this disclosure are only used to distinguish different devices, modules or units, and are not used to limit the sequence of functions performed by these devices, modules or units or interdependence.
需要注意,本公开中提及的“一个”、“多个”的修饰是示意性而非限制性的,本领域技术人员应当理解,除非在上下文另有明确指出,否则应该理解为“一个或多个”。It should be noted that the modifications of "one" and "multiple" mentioned in the present disclosure are illustrative and not restrictive, and those skilled in the art should understand that unless the context clearly indicates otherwise, it should be understood as "one or more" multiple".
本公开实施方式中的多个装置之间所交互的消息或者信息的名称仅用于说明性的目的,而并不是用于对这些消息或信息的范围进行限制。The names of messages or information exchanged between multiple devices in the embodiments of the present disclosure are used for illustrative purposes only, and are not used to limit the scope of these messages or information.
针对相关技术存在的技术问题,即采用免安装方式在宿主应用程序内安装应用,一旦宿主应用程序获得系统授权后,在宿主应用程序内安装的所有应用都可以共享宿主获得的权限,由此本公开实施例提供一种权限管理方法,从宿主应用程序内的单个应用的维度进行权限管控。Aiming at the technical problems of related technologies, that is, to install applications in the host application without installation, once the host application is authorized by the system, all applications installed in the host application can share the permissions obtained by the host. The disclosed embodiments provide a permission management method, which performs permission management and control from the dimension of a single application in a host application.
图1是根据一示例性实施例示出的权限管理方法的流程图,该权限管理方法由一电子设备执行,如图1所示,该方法包括如下步骤:Fig. 1 is a flowchart of a rights management method according to an exemplary embodiment. The rights management method is executed by an electronic device. As shown in Fig. 1, the method includes the following steps:
步骤S110,通过第一Hook函数拦截宿主应用程序内安装的宿主内应用对第一应用程序接口(Application Programming Interface,API)的调用;其中,该宿主内应用通过调用第一API向操作系统申请第一权限。Step S110, intercept the call of the first application program interface (Application Programming Interface, API) by the host application installed in the host application through the first Hook function; wherein, the application in the host applies to the operating system for the first API by calling the first API. a permission.
其中,宿主应用程序内安装有至少一个应用(称为宿主内应用)。在一种应用场景中,宿主应用程序为游戏盒子,宿主内应用为在游戏盒子内安装的游戏应用。Wherein, at least one application (called an application in the host) is installed in the host application program. In one application scenario, the host application program is a game box, and the application in the host is a game application installed in the game box.
其中,第一API用于向操作系统申请权限,第一权限是指该宿主内应用本次调用第一API向操作系统所申请的权限。示例性的,第一API包括但不限于,requestPermission或者requestPermissions。Wherein, the first API is used to apply for permission from the operating system, and the first permission refers to the permission applied to the operating system by the application in the host calling the first API this time. Exemplarily, the first API includes, but is not limited to, requestPermission or requestPermissions.
步骤S120,在操作系统对宿主应用程序授予第一权限,且用户对该宿主内应用授予第一权限的情况下,授予该宿主内应用第一权限。Step S120, when the operating system grants the first permission to the host application and the user grants the first permission to the host application, grant the first permission to the host application.
其中,在拦截宿主内应用对第一API的调用后,分别向操作系统申请授予宿主应用程序第一权限、请求用户选择是否对该宿主内应用授予第一权限。在同时满足“操作系统授予宿主应用程序该第一权限”和“用户选择授予该宿主内应用该第一权限”两项条件的情况下,才最终授予该宿主内应用第一权限,当上述任一项条件不满足时,如操作系统不授予宿主应用程序第一权限或用户选择不授予该宿主内应用第一权限时,拒绝授予该宿主内应用第一权 限。在具体的实施方式中,步骤S120可以包括但不限于图2或图3中的任意一种处理流程。Wherein, after intercepting the call of the first API by the application in the host, respectively apply to the operating system for granting the first permission to the application in the host, and request the user to choose whether to grant the first permission to the application in the host. Only when the two conditions of "the operating system grants the first permission to the host application" and "the user chooses to grant the first permission to the host application" are met, the first permission is finally granted to the host application. When any of the above When a condition is not met, such as the operating system does not grant the first permission to the host application or the user chooses not to grant the first permission to the application in the host, refuse to grant the first permission to the application in the host. In a specific implementation manner, step S120 may include, but is not limited to, any processing flow in FIG. 2 or FIG. 3 .
在一示例性实施例中,图2示出了在拦截宿主内应用对第一API的调用后,执行步骤S120的具体流程图,如图2所示,步骤S120包括:In an exemplary embodiment, FIG. 2 shows a specific flow chart of executing step S120 after intercepting a call to the first API by an application in the host. As shown in FIG. 2 , step S120 includes:
步骤S210,向操作系统申请授予宿主应用程序第一权限;若操作系统授予宿主应用程序该第一权限,则执行步骤S220,若操作系统不授予宿主应用程序该第一权限,则执行步骤S240。Step S210, apply to the operating system for granting the first permission to the host application; if the operating system grants the first permission to the host application, execute step S220; if the operating system does not grant the first permission to the host application, execute step S240.
步骤S220,生成询问用户是否针对该宿主内应用授予第一权限的交互页面;若用户针对该宿主内应用作出授予第一权限的授权操作,则执行步骤S230,若用户针对该宿主内应用作出不授予第一权限的拒绝操作,则执行步骤S240。Step S220, generate an interactive page asking the user whether to grant the first permission to the application in the host; if the user performs an authorization operation to grant the first permission to the application in the host, then perform step S230, if the user makes an authorization operation to the application in the host For the denial operation of granting the first permission, step S240 is executed.
在拦截宿主内应用对第一API的调用后,首先向操作系统申请授予宿主应用程序第一权限,在操作系统授予宿主应用程序第一权限的情况下,再询问用户是否授予该宿主内应用第一权限。After intercepting the call of the first API by the application in the host, first apply to the operating system for granting the first permission to the host application, and then ask the user whether to grant the first permission to the application in the host if the operating system grants the first permission to the host application a permission.
步骤S230,授予该宿主内应用第一权限。Step S230, granting the first permission to the host application.
步骤S240,拒绝授予该宿主内应用第一权限。Step S240, refusing to grant the first permission to the application in the host.
其中,响应于用户在交互页面上作出的授权操作,授予该宿主内应用第一权限。Wherein, in response to the authorization operation performed by the user on the interactive page, the first permission is granted to the application in the host.
其中,当操作系统不授予宿主应用程序第一权限,或者响应于用户在交互页面上作出的拒绝操作,拒绝授予该宿主内应用第一权限。Wherein, when the operating system does not grant the host application the first permission, or in response to a user's rejection operation on the interactive page, it refuses to grant the first permission to the host application.
可以理解的,在上述步骤中,在操作系统不授予宿主应用程序第一权限的情况下,可以直接拒绝授予该宿主内应用第一权限,而不必再执行后续询问用户是否对该宿主内应用授予第一权限的步骤,减少对用户的打扰。It can be understood that in the above steps, if the operating system does not grant the first permission to the host application, it can directly refuse to grant the first permission to the application in the host, without having to perform subsequent inquiries whether the user grants permission to the application in the host. The first permission step reduces the interruption to the user.
在一示例性实施例中,图3示出了在拦截宿主内应用对第一API的调用后,执行步骤S120的又一具体流程图,如图3所示,步骤S120包括:In an exemplary embodiment, FIG. 3 shows another specific flow chart of executing step S120 after intercepting the call of the first API by the application in the host. As shown in FIG. 3 , step S120 includes:
步骤S310,生成询问用户是否针对该宿主内应用授予第一权限的交互页面;若用户针对该宿主内应用作出授予第一权限的授权操作,则执行步骤S320,若用户针对该宿主内应用作出不授予第一权限的拒绝操作,则执行步骤S340。Step S310, generate an interactive page asking the user whether to grant the first permission to the application in the host; if the user performs an authorization operation to grant the first permission to the application in the host, then perform step S320, if the user makes an authorization operation to the application in the host For the denial operation of granting the first permission, step S340 is performed.
步骤S320,向操作系统申请授予宿主应用程序第一权限。Step S320, applying to the operating system for granting the first permission to the host application.
在拦截宿主内应用对第一API的调用后,首先询问用户是否授予该宿主内应用第一权限,在用户选择授予该宿主内应用第一权限的情况下,再向操作系统申请授予宿主应用程序第一权限,若操作系统授予宿主应用程序第一权限,则执行步骤S330,若操作系统不授予宿主应用程序第一权限,则执行步骤S340。After intercepting the call of the first API by the application in the host, first ask the user whether to grant the first permission to the application in the host, and then apply to the operating system for granting the first permission to the application in the host if the user chooses to grant the first permission to the application in the host For the first permission, if the operating system grants the host application the first permission, execute step S330; if the operating system does not grant the host application the first permission, execute step S340.
步骤S330,授予该宿主内应用第一权限。Step S330, granting the first permission to the host application.
步骤S340,拒绝授予该宿主内应用第一权限。Step S340, refusing to grant the first permission to the host application.
其中,响应于用户在交互页面上作出的拒绝操作,或者在操作系统不授予宿主应用程序第一权限的情况下,拒绝授予该宿主内应用第一权限。Wherein, in response to the denial operation performed by the user on the interactive page, or in the case that the operating system does not grant the first permission to the host application, deny granting the first permission to the host application.
可以理解的,在上述步骤中,在用户选择不授予该宿主内应用第一权限的情况下,可以直接拒绝授予该宿主内应用第一权限,而不必再执行后续向操作系统申请授予宿主应用程序第一权限的步骤,减少执行不必要步骤。It can be understood that, in the above steps, if the user chooses not to grant the first permission to the application in the host, he can directly refuse to grant the first permission to the application in the host without performing a subsequent application to the operating system for granting the application to the host The steps of the first authority reduce the execution of unnecessary steps.
可以理解的,由于各个宿主内应用是在宿主应用程序内的虚拟中间件层安装,对于系统层而言只能获知宿主应用程序的角色,对于宿主应用程序内的宿主内应用角色是不可知的,如果不采用本公开实施例提供的权限管理方法,那么系统只能做到对宿主应用程序层面的权限管理,系统授予的所有权限,都是给宿主应用程序以及在宿主应用程序内安装的所有宿主内应用的,系统层无法做到单个应用维度的权限管控,一旦宿主应用程序获得系统授权后,所有在宿主应用程序内安装的宿主内应用都能获得同样的权限。It is understandable that since each in-host application is installed in the virtual middleware layer in the host application, only the role of the host application can be known to the system layer, and the role of the in-host application in the host application is agnostic , if the permission management method provided by the embodiment of the present disclosure is not used, the system can only manage the permission at the host application level, and all permissions granted by the system are for the host application and all the permissions installed in the host application. For applications in the host, the system layer cannot implement permission control of a single application dimension. Once the host application is authorized by the system, all applications installed in the host application can obtain the same permissions.
以宿主应用程序为游戏盒子为例,游戏盒子或者游戏盒子内安装的游戏应用A(系统将游戏应用A发起的权限申请默认为是游戏盒子发起的权限申请)向操作系统申请权限P后,在游戏盒子内安装的所有游戏应用都能共享权限P。本公开实施例通过第一Hook函数对第一API调用进行Hook,由第一Hook函数先取得控制权,从而从单个游戏应用的维度对权限进行管控,使得只有在同时满足“操作系统授予游戏盒子权限P”和“用户选择授予该游戏应用权限P”两项条件的情况下,才最终授予该游戏应用权限P,当上述任一项条件不满足时,拒绝授予该游戏应用权限P,从而保证游戏盒子内安装的游戏应用间的权限不能共享,同时所有授权都需要用户作出授权操作,不能在用户无感知的情况下让多个游戏应用彼此共享权限,从而保护用户隐私。Taking the game box as the host application program as an example, after the game box or the game application A installed in the game box (the system defaults the permission application initiated by the game application A as the permission application initiated by the game box) to the operating system after applying for permission P, in All game applications installed in the game box can share the permission P. In the embodiment of the present disclosure, the first Hook function is used to hook the first API call, and the first Hook function first obtains the control right, so as to control the authority from the dimension of a single game application, so that only when the "operating system grants the game box" is satisfied at the same time Permission P” and “User chooses to grant the game application permission P” before finally granting the game application permission P. When any of the above conditions is not met, the game application permission P is refused to be granted, thereby ensuring The permissions of the game applications installed in the game box cannot be shared. At the same time, all authorizations require the user to perform an authorization operation. Multiple game applications cannot share permissions with each other without the user's awareness, thereby protecting user privacy.
在一些实施例中,图4是根据一示例性实施例示出的权限管理方法的又一流程图,如图4所示,该方法还包括如下步骤:In some embodiments, FIG. 4 is another flowchart of a rights management method according to an exemplary embodiment. As shown in FIG. 4, the method further includes the following steps:
步骤S410,通过第二Hook函数拦截宿主应用程序内安装的宿主内应用对第二API的调用;其中,该宿主内应用通过调用第二API向操作系统请求校验是否授权有第二权限。Step S410, intercepting the call to the second API by the host application installed in the host application program through the second Hook function; wherein, the host application requests the operating system to verify whether it is authorized to have the second permission by calling the second API.
其中,第二API用于向操作系统请求校验权限,第二权限是指该宿主内应用本次调用第二API向操作系统请求校验的权限。示例性的,第二API包括但不限于,checkPermission或者checkPermissions。Wherein, the second API is used to request verification permission from the operating system, and the second permission refers to the permission of the application in the host to call the second API to request verification from the operating system. Exemplarily, the second API includes, but is not limited to, checkPermission or checkPermissions.
步骤S420,在操作系统对宿主应用程序已授予第二权限,且用户对该宿主内应用已授予第二权限的情况下,向该宿主内应用返回已授权,否则向该宿主内应用返回未授权。Step S420, in the case that the operating system has granted the second permission to the host application and the user has granted the second permission to the host application, return authorized to the host application, otherwise return unauthorized to the host application .
可以理解的,在采用本技术方案前,当宿主内应用调用第二API向操作系统请求校验是否授权有第二权限时,如果系统对宿主应用程序进行过第二权限的授权,则将会直接认为该宿主内应用具有第二权限,如果系统对宿主应用程序没有进行过第二权限的授权,则将会认 为该宿主内应用不具有第二权限。Understandably, before adopting this technical solution, when the application in the host invokes the second API to request the operating system to verify whether the second authority is authorized, if the system has authorized the second authority to the host application, it will The application in the host is directly considered to have the second permission. If the system has not authorized the second permission to the host application, it will be considered that the application in the host does not have the second permission.
在采用本技术方案后,通过第二Hook函数对第二API调用进行Hook,由第二Hook函数先取得控制权,从而从单个应用的维度确定该宿主内应用是否被授予了第二权限,如果该宿主内应用之前已经通过步骤S110~S120被授予了第二权限,则向该宿主内应用返回已授权,否则向该宿主内应用返回未授权。具体的,在操作系统对宿主应用程序已授予第二权限,且用户针对该宿主内应用已授予第二权限的情况下,确定该宿主内应用具有第二权限,于是向该宿主内应用返回已授权,否则向该宿主内应用返回未授权。After adopting this technical solution, the second Hook function is used to hook the second API call, and the second Hook function first obtains the control right, so as to determine whether the application in the host is granted the second permission from the dimension of a single application, if The application in the host has been granted the second permission through steps S110-S120 before, then return the authorized to the application in the host, otherwise return unauthorized to the application in the host. Specifically, in the case that the operating system has granted the second permission to the host application, and the user has granted the second permission to the application in the host, it is determined that the application in the host has the second permission, and then returned to the application in the host. Authorization, otherwise return Unauthorized to the application in the host.
在一些实施例中,图5是根据一示例性实施例示出的权限管理方法的又一流程图,如图5所示,该方法还包括如下步骤:In some embodiments, FIG. 5 is another flowchart of a rights management method according to an exemplary embodiment. As shown in FIG. 5, the method further includes the following steps:
步骤S510,通过第三Hook函数拦截宿主应用程序内安装的宿主内应用对第三API的调用;其中,第三API为需要对应权限调用的系统API。Step S510, intercepting the call of the third API by the host application installed in the host application program through the third Hook function; wherein, the third API is a system API that needs to be called with corresponding permissions.
其中,第三API包括但不限于相机API、录音器API、获取国际移动设备识别码(International Mobile Equipment Identity,IMEI)的API等需要对应权限调用的系统API。例如相机API,只有该宿主内应用具有对应的相机权限时才被允许调用,例如录音器API,只有该宿主内应用具有对应的录音权限时才被允许调用,当该宿主内应用未被授予对应权限的情况下,不允许该应用调用第三API。Among them, the third API includes but is not limited to camera API, recorder API, API for obtaining International Mobile Equipment Identity (IMEI) and other system APIs that need to be called with corresponding permissions. For example, the camera API is allowed to be called only when the app in the host has the corresponding camera permission. For example, the recorder API is allowed to be called only when the app in the host has the corresponding recording permission. When the app in the host is not granted the corresponding In the case of permissions, the application is not allowed to call the third API.
步骤S520,在操作系统对宿主应用程序已授予该第三API的对应权限,且用户对该宿主内应用已授予该对应权限的情况下,允许该宿主内应用调用该第三API,否则拒绝该宿主内应用调用该第三API。Step S520, in the case that the operating system has granted the corresponding permission of the third API to the host application, and the user has granted the corresponding permission to the application in the host, allow the application in the host to call the third API, otherwise deny the application in the host The application in the host calls the third API.
可以理解的,在采用本技术方案前,宿主应用程序或者宿主内应用A向操作系统申请相机权限,一旦操作系统同意该申请后,宿主应用程序及宿主应用程序内的所有宿主内应用都能共享相机权限,从而都能调用相机API并启动相机。Understandably, before adopting this technical solution, the host application or application A in the host applies to the operating system for camera permissions. Once the operating system agrees to the application, the host application and all applications in the host can share Camera permissions, so that the camera API can be called and the camera can be started.
在采用本技术方案后,通过第三Hook函数对需要对应权限才能调用的第三API(如相机API)进行Hook,由第三Hook函数先取得控制权,从而从单个应用的维度确定该宿主内应用是否被授予了调用该相机API所需的相机权限,如果该宿主内应用之前已经通过步骤S110~S120被授予了相机权限,则允许该宿主内应用调用相机API并启动相机,否则拒绝该宿主内应用调用相机API,向该宿主内应用返回调用异常或者调用失败。具体的,在操作系统对宿主应用程序已授予相机权限,且用户针对该宿主内应用已授予相机权限的情况下,该宿主内应用才能调用相机API并启动相机,否则将会调用失败。After adopting this technical solution, use the third Hook function to hook the third API (such as the camera API) that needs the corresponding authority to call, and the third Hook function first obtains the control right, so as to determine the host from the dimension of a single application. Whether the application has been granted the camera permission required to call the camera API. If the application in the host has been granted the camera permission through steps S110-S120 before, the application in the host is allowed to call the camera API and start the camera, otherwise the host is rejected The internal application calls the camera API, and returns a call exception or call failure to the host internal application. Specifically, only when the operating system has granted the camera permission to the host application and the user has granted the camera permission to the application in the host, the application in the host can call the camera API and start the camera, otherwise the call will fail.
图6是根据以上实施例示出的权限管理方法的实施示意图。如图6所示,本公开实施例利用JVM(Java Virtual Machine,Java虚拟机)/ART(Android RunTime)虚拟机Hook技术和C/C++Hook技术等,对Android系统的权限相关API(包括第一API和第二API)以及每个 需要权限调用的系统API(第三API)进行拦截,在拦截后,以宿主内应用为维度进行权限管理。Fig. 6 is a schematic diagram of implementation of the rights management method shown in the above embodiments. As shown in Figure 6, the embodiment of the present disclosure utilizes JVM (Java Virtual Machine, Java virtual machine)/ART (Android RunTime) virtual machine Hook technology and C/C++ Hook technology, etc., to the permission-related APIs of the Android system (including The first API and the second API) and each system API (the third API) that requires permission calls are intercepted, and after the interception, permission management is performed with the application in the host as the dimension.
在拦截用于申请第一权限的第一API后,分别向操作系统申请授予宿主应用程序第一权限以及请求用户选择是否对该宿主内应用授予第一权限,在同时满足“操作系统授予宿主应用程序第一权限”和“用户选择授予该宿主内应用第一权限”两项条件的情况下,才最终授予该宿主内应用第一权限。在拦截用于校验是否授权有第二权限的第二API后,校验本次调用第二API的宿主内应用是否授权有第二权限,在操作系统对宿主应用程序已授予第二权限,且用户对该宿主内应用已授予第二权限的情况下,才向该宿主内应用返回已授权,否则向该宿主内应用返回未授权。在拦截需要权限调用的第三API后,确定本次调用第三API的宿主内应用是否具有调用该第三API所需的对应权限,具体在操作系统对宿主应用程序已授予该对应权限,且用户针对该宿主内应用已授予该对应权限的情况下,才允许该宿主内应用调用该第三API。After intercepting the first API used to apply for the first permission, apply to the operating system for granting the first permission to the host application and request the user to choose whether to grant the first permission to the application in the host, while satisfying the requirements of "granting the host application by the operating system." Only when the two conditions of "the first permission of the program" and "the user chooses to grant the first permission to the application in the host" are finally granted the first permission to the application in the host. After intercepting the second API for verifying whether the second permission is authorized, verify whether the host application that calls the second API is authorized to have the second permission, and the operating system has granted the second permission to the host application, And only when the user has granted the second permission to the application in the host, the authorization is returned to the application in the host, otherwise, the unauthorized is returned to the application in the host. After intercepting the third API that needs permission to call, determine whether the host application that calls the third API this time has the corresponding permission required to call the third API. Specifically, the operating system has granted the corresponding permission to the host application, and The application in the host is allowed to call the third API only when the user has granted the corresponding permission to the application in the host.
此外值得注意的是,采用免安装方式在宿主应用程序内安装宿主内应用还存在以下问题:宿主内应用在宿主应用程序内的虚拟中间件层安装后,并不相互隔离,每个宿主内应用都可以直接获取到在虚拟中间件层安装的宿主内应用列表的信息或者单个已安装宿主内应用的信息。In addition, it is worth noting that there are still the following problems in the installation-free method of installing host applications in the host application: after the virtual middleware layer in the host application is installed, the host applications are not isolated from each other, and each host application Both can directly obtain the information of the host application list installed in the virtual middleware layer or the information of a single installed host application.
在一些实施例中,图7是根据一示例性实施例示出的权限管理方法的又一流程图,以用于解决上述问题。如图7所示,该方法包括如下步骤:In some embodiments, FIG. 7 is another flowchart of a rights management method according to an exemplary embodiment, so as to solve the above-mentioned problem. As shown in Figure 7, the method includes the following steps:
步骤S610,通过第四Hook函数拦截宿主应用程序内安装的宿主内应用对第四API的调用;其中,第四API用于获取宿主应用程序内已安装宿主内应用的信息。Step S610, using the fourth Hook function to intercept the call of the fourth API by the host application installed in the host application; wherein, the fourth API is used to obtain the information of the installed host application in the host application.
示例性的,第四API包括用于获取宿主应用程序内已安装宿主内应用列表的信息的API,例如有,getInstalledPackages、getInstalledPackagesAsUser、getInstalledApplications、getInstalledApplicationsAsUser等,还包括用于获取宿主应用程序内单个已安装宿主内应用的信息的API,例如有,getPackageInfo、getApplicationInfo等。Exemplarily, the fourth API includes an API for obtaining information about a list of installed applications in the host application, such as getInstalledPackages, getInstalledPackagesAsUser, getInstalledApplications, getInstalledApplicationsAsUser, etc., and also includes an API for obtaining a single installed application in the host application. APIs for information of applications in the host, for example, getPackageInfo, getApplicationInfo, etc.
步骤S620,向该宿主内应用返回该宿主内应用的自身信息。Step S620, returning the self-information of the application in the host to the application in the host.
其中,在拦截到宿主内应用对第四API的调用后,不向该宿主内应用真实返回宿主应用程序内已安装宿主内应用列表的信息或者单个已安装宿主内应用的信息,而是返回该宿主内应用的自身信息。Wherein, after intercepting the call of the fourth API by the application in the host, the information of the installed application list in the host application or the information of a single installed application in the host is not returned to the application in the host, but the information of the installed application in the host is returned. Self-information of the application in the host.
本公开实施例利用JVM/ART虚拟机Hook和C/C++Hook等Hook技术,对用于获取宿主应用程序内已安装宿主内应用信息的第四API进行拦截,让每个宿主内应用都只能感知到自身信息,而无法获得其他宿主内应用的信息,使得宿主应用程序内安装的多个宿主内应用彼此隔离,从而保护用户隐私。The embodiment of the present disclosure utilizes Hook technologies such as JVM/ART virtual machine Hook and C/C++ Hook to intercept the fourth API used to obtain the installed host application information in the host application program, so that each host application can It can only perceive its own information, but cannot obtain the information of other host applications, so that multiple host applications installed in the host application are isolated from each other, thereby protecting user privacy.
综上所述,在本公开实施例中,基于Hook技术拦截宿主内应用调用的API,只有在操作系统授予宿主应用程序权限,且用户对宿主内应用也授予该权限的情况下,才实际授予该宿主内应用该权限,宿主内应用不能在用户无感知的情况下通过调用系统API获取用户隐私信息。此外,宿主应用程序内安装的各个应用相互隔离,无感知其他应用是否安装,有效提高安全性。To sum up, in the embodiment of the present disclosure, based on the Hook technology, the API called by the host application is intercepted. Only when the operating system grants the host application permission, and the user also grants the permission to the host application, the actual grant This permission is applied in the host, and the application in the host cannot obtain the user's private information by calling the system API without the user's awareness. In addition, each application installed in the host application is isolated from each other, and it is not aware of whether other applications are installed, which effectively improves security.
基于同一发明构思,本公开实施例还提供一种权限管理装置,请参照图8,该权限管理装置700包括:Based on the same inventive concept, an embodiment of the present disclosure also provides a rights management device, please refer to FIG. 8 , the rights management device 700 includes:
第一Hook模块710,用于通过第一Hook函数拦截宿主应用程序内安装的宿主内应用对第一API的调用;其中,所述宿主应用程序内安装有至少一个宿主内应用,所述第一API用于向操作系统申请第一权限;The first Hook module 710 is configured to intercept the call of the first API by the host application installed in the host application through the first Hook function; wherein, at least one host application is installed in the host application, and the first The API is used to apply for the first permission to the operating system;
权限申请管理模块720,用于在所述操作系统对所述宿主应用程序授予所述第一权限,且用户对所述宿主内应用授予所述第一权限的情况下,授予所述宿主内应用所述第一权限。A permission application management module 720, configured to grant the host application the first permission when the operating system grants the first permission to the host application and the user grants the first permission to the host application the first authority.
在一些实施例中,权限申请管理模块720用于:In some embodiments, the permission application management module 720 is used to:
向所述操作系统申请授予所述宿主应用程序第一权限;Applying to the operating system for granting the first permission to the host application;
在所述操作系统授予所述宿主应用程序所述第一权限的情况下,生成询问用户是否针对所述宿主内应用授予所述第一权限的交互页面;When the operating system grants the host application the first permission, generate an interactive page asking the user whether to grant the first permission to the host application;
响应于用户在所述交互页面上作出的授权操作,授予所述宿主内应用所述第一权限。In response to an authorization operation performed by the user on the interactive page, the first permission is granted to the host application.
在一些实施例中,权限申请管理模块720用于:In some embodiments, the permission application management module 720 is used to:
生成询问用户是否针对所述宿主内应用授予第一权限的交互页面;generating an interactive page asking the user whether to grant the first permission to the application in the host;
响应于用户在所述交互页面上作出的授权操作,向所述操作系统申请授予所述宿主应用程序所述第一权限;In response to an authorization operation performed by the user on the interactive page, apply to the operating system for granting the first permission to the host application;
在所述操作系统授予所述宿主应用程序所述第一权限的情况下,授予所述宿主内应用所述第一权限。When the operating system grants the first permission to the host application, grant the first permission to the host application.
在一些实施例中,该装置700还包括:In some embodiments, the device 700 also includes:
第二Hook模块,用于通过第二Hook函数拦截宿主应用程序内安装的宿主内应用对第二API的调用;其中,所述第二API用于向操作系统请求校验是否授权有第二权限;The second Hook module is used to intercept the call of the second API by the host application installed in the host application program through the second Hook function; wherein, the second API is used to request the operating system to verify whether the authorization has the second permission ;
权限校验管理模块,用于在所述操作系统对所述宿主应用程序已授予所述第二权限,且用户对所述宿主内应用已授予所述第二权限的情况下,向所述宿主内应用返回已授权,否则向所述宿主内应用返回未授权。A permission verification management module, configured to send the host application the second permission if the operating system has granted the second permission to the host application and the user has granted the second permission to the host application. The internal application returns authorized, otherwise returns unauthorized to the host internal application.
在一些实施例中,该装置700还包括:In some embodiments, the device 700 also includes:
第三Hook模块,用于通过第三Hook函数拦截宿主应用程序内安装的宿主内应用对第三API的调用;其中,所述第三API为需要对应权限调用的系统API;The third Hook module is used to intercept the call of the third API by the host application installed in the host application program through the third Hook function; wherein, the third API is a system API that needs to be called with corresponding permissions;
调用权限管理模块,用于在所述操作系统对所述宿主应用程序已授予所述对应权限,且用户对所述宿主内应用已授予所述对应权限的情况下,允许所述宿主内应用调用所述第三API,否则拒绝所述宿主内应用调用所述第三API。A call permission management module, configured to allow the application in the host to call The third API, otherwise deny the application in the host to call the third API.
在一些实施例中,该装置700还包括:In some embodiments, the device 700 also includes:
第四Hook模块,用于通过第四Hook函数拦截宿主应用程序内安装的宿主内应用对第四API的调用;其中,所述第四API用于获取宿主应用程序内已安装宿主内应用的信息;The fourth Hook module is used to intercept the call of the fourth API by the host application installed in the host application through the fourth Hook function; wherein, the fourth API is used to obtain the information of the installed host application in the host application ;
信息隔离模块,用于向所述宿主内应用返回所述宿主内应用的自身信息。An information isolation module, configured to return the self-information of the application in the host to the application in the host.
关于上述实施例中的装置,其中各个模块执行操作的具体方式已经在有关该方法的实施例中进行了详细描述,此处将不做详细阐述说明。Regarding the apparatus in the foregoing embodiments, the specific manner in which each module executes operations has been described in detail in the embodiments related to the method, and will not be described in detail here.
基于同一发明构思,本公开实施例还提供一种计算机可读存储介质,其上存储有计算机程序,该程序被处理装置执行时实现本公开实施例提供的权限管理方法。Based on the same inventive concept, an embodiment of the present disclosure further provides a computer-readable storage medium on which a computer program is stored, and when the program is executed by a processing device, the rights management method provided by the embodiment of the present disclosure is implemented.
基于同一发明构思,本公开实施例还提供一种电子设备,包括:Based on the same inventive concept, an embodiment of the present disclosure also provides an electronic device, including:
存储装置,其上存储有计算机程序;a storage device on which a computer program is stored;
处理装置,用于执行所述存储装置中的所述计算机程序,以实现本公开实施例提供的权限管理方法。A processing device, configured to execute the computer program in the storage device, so as to implement the rights management method provided by the embodiments of the present disclosure.
下面参考图9,其示出了适于用来实现本公开实施例的电子设备800的结构示意图。本公开实施例中的电子设备可以包括但不限于诸如移动电话、笔记本电脑、数字广播接收器、PDA(个人数字助理)、PAD(平板电脑)、PMP(便携式多媒体播放器)、车载终端(例如车载导航终端)等等的移动终端以及诸如数字TV、台式计算机等等的固定终端。图9示出的电子设备仅仅是一个示例,不应对本公开实施例的功能和使用范围带来任何限制。Referring to FIG. 9 , it shows a schematic structural diagram of an electronic device 800 suitable for implementing the embodiments of the present disclosure. The electronic equipment in the embodiment of the present disclosure may include but not limited to such as mobile phone, notebook computer, digital broadcast receiver, PDA (personal digital assistant), PAD (tablet computer), PMP (portable multimedia player), vehicle terminal (such as mobile terminals such as car navigation terminals) and fixed terminals such as digital TVs, desktop computers and the like. The electronic device shown in FIG. 9 is only an example, and should not limit the functions and application scope of the embodiments of the present disclosure.
如图9所示,电子设备800可以包括处理装置(例如中央处理器、图形处理器等)801,其可以根据存储在只读存储器(ROM)802中的程序或者从存储装置808加载到随机访问存储器(RAM)803中的程序而执行各种适当的动作和处理。在RAM 803中,还存储有电子设备800操作所需的各种程序和数据。处理装置801、ROM 802以及RAM 803通过总线804彼此相连。输入/输出(I/O)接口805也连接至总线804。As shown in FIG. 9, an electronic device 800 may include a processing device (such as a central processing unit, a graphics processing unit, etc.) Various appropriate actions and processes are executed by programs in the memory (RAM) 803 . In the RAM 803, various programs and data necessary for the operation of the electronic device 800 are also stored. The processing device 801, the ROM 802, and the RAM 803 are connected to each other through a bus 804. An input/output (I/O) interface 805 is also connected to the bus 804 .
通常,以下装置可以连接至I/O接口805:包括例如触摸屏、触摸板、键盘、鼠标、摄像头、麦克风、加速度计、陀螺仪等的输入装置806;包括例如液晶显示器(LCD)、扬声器、振动器等的输出装置807;包括例如磁带、硬盘等的存储装置808;以及通信装置809。通信装置809可以允许电子设备800与其他设备进行无线或有线通信以交换数据。虽然图9示出了具有各种装置的电子设备800,但是应理解的是,并不要求实施或具备所有示出的装置。可以替代地实施或具备更多或更少的装置。Typically, the following devices can be connected to the I/O interface 805: input devices 806 including, for example, a touch screen, touchpad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; including, for example, a liquid crystal display (LCD), speaker, vibration an output device 807 such as a computer; a storage device 808 including, for example, a magnetic tape, a hard disk, etc.; and a communication device 809. The communication means 809 may allow the electronic device 800 to communicate with other devices wirelessly or by wire to exchange data. While FIG. 9 shows electronic device 800 having various means, it is to be understood that implementing or having all of the means shown is not a requirement. More or fewer means may alternatively be implemented or provided.
特别地,根据本公开的实施例,上文参考流程图描述的过程可以被实现为计算机软件程 序。例如,本公开的实施例包括一种计算机程序产品,其包括承载在非暂态计算机可读介质上的计算机程序,该计算机程序包含用于执行流程图所示的方法的程序代码。在这样的实施例中,该计算机程序可以通过通信装置809从网络上被下载和安装,或者从存储装置808被安装,或者从ROM 802被安装。在该计算机程序被处理装置801执行时,执行本公开实施例的方法中限定的上述功能。In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts can be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product, which includes a computer program carried on a non-transitory computer readable medium, where the computer program includes program code for executing the method shown in the flowchart. In such an embodiment, the computer program may be downloaded and installed from a network via communication means 809, or from storage means 808, or from ROM 802. When the computer program is executed by the processing device 801, the above-mentioned functions defined in the methods of the embodiments of the present disclosure are executed.
需要说明的是,本公开上述的计算机可读介质可以是计算机可读信号介质或者计算机可读存储介质或者是上述两者的任意组合。计算机可读存储介质例如可以是——但不限于——电、磁、光、电磁、红外线、或半导体的系统、装置或器件,或者任意以上的组合。计算机可读存储介质的更具体的例子可以包括但不限于:具有一个或多个导线的电连接、便携式计算机磁盘、硬盘、随机访问存储器(RAM)、只读存储器(ROM)、可擦式可编程只读存储器(EPROM或闪存)、光纤、便携式紧凑磁盘只读存储器(CD-ROM)、光存储器件、磁存储器件、或者上述的任意合适的组合。在本公开中,计算机可读存储介质可以是任何包含或存储程序的有形介质,该程序可以被指令执行系统、装置或者器件使用或者与其结合使用。而在本公开中,计算机可读信号介质可以包括在基带中或者作为载波一部分传播的数据信号,其中承载了计算机可读的程序代码。这种传播的数据信号可以采用多种形式,包括但不限于电磁信号、光信号或上述的任意合适的组合。计算机可读信号介质还可以是计算机可读存储介质以外的任何计算机可读介质,该计算机可读信号介质可以发送、传播或者传输用于由指令执行系统、装置或者器件使用或者与其结合使用的程序。计算机可读介质上包含的程序代码可以用任何适当的介质传输,包括但不限于:电线、光缆、RF(射频)等等,或者上述的任意合适的组合。It should be noted that the computer-readable medium mentioned above in the present disclosure may be a computer-readable signal medium or a computer-readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, device, or device, or any combination thereof. More specific examples of computer-readable storage media may include, but are not limited to, electrical connections with one or more wires, portable computer diskettes, hard disks, random access memory (RAM), read-only memory (ROM), erasable Programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage device, magnetic storage device, or any suitable combination of the above. In the present disclosure, a computer-readable storage medium may be any tangible medium that contains or stores a program that can be used by or in conjunction with an instruction execution system, apparatus, or device. In the present disclosure, however, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave carrying computer-readable program code therein. Such propagated data signals may take many forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination of the foregoing. A computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium, which can transmit, propagate, or transmit a program for use by or in conjunction with an instruction execution system, apparatus, or device . Program code embodied on a computer readable medium may be transmitted by any appropriate medium, including but not limited to wires, optical cables, RF (radio frequency), etc., or any suitable combination of the above.
上述计算机可读介质可以是上述电子设备中所包含的;也可以是单独存在,而未装配入该电子设备中。The above-mentioned computer-readable medium may be included in the above-mentioned electronic device, or may exist independently without being incorporated into the electronic device.
上述计算机可读介质承载有一个或者多个程序,当上述一个或者多个程序被该电子设备执行时,使得该电子设备:通过第一Hook函数拦截宿主应用程序内安装的宿主内应用对第一API的调用;其中,所述宿主应用程序内安装有至少一个宿主内应用,所述第一API用于向操作系统申请第一权限;在所述操作系统对所述宿主应用程序授予所述第一权限,且用户对所述宿主内应用授予所述第一权限的情况下,授予所述宿主内应用所述第一权限。The above-mentioned computer-readable medium carries one or more programs, and when the above-mentioned one or more programs are executed by the electronic device, the electronic device: uses the first Hook function to intercept the host application installed in the host application program to the first API call; wherein, at least one application in the host is installed in the host application, and the first API is used to apply for a first permission from the operating system; the operating system grants the first permission to the host application If the user grants the first permission to the application in the host, grant the first permission to the application in the host.
可以以一种或多种程序设计语言或其组合来编写用于执行本公开的操作的计算机程序代码,上述程序设计语言包括但不限于面向对象的程序设计语言—诸如Java、Smalltalk、C++,还包括常规的过程式程序设计语言——诸如“C”语言或类似的程序设计语言。程序代码可以完全地在用户计算机上执行、部分地在用户计算机上执行、作为一个独立的软件包执行、部分在用户计算机上部分在远程计算机上执行、或者完全在远程计算机或服务器上执行。在涉 及远程计算机的情形中,远程计算机可以通过任意种类的网络——包括局域网(LAN)或广域网(WAN)——连接到用户计算机,或者,可以连接到外部计算机(例如利用因特网服务提供商来通过因特网连接)。Computer program code for carrying out operations of the present disclosure may be written in one or more programming languages, or combinations thereof, including but not limited to object-oriented programming languages—such as Java, Smalltalk, C++, and Includes conventional procedural programming languages - such as "C" or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In cases involving a remote computer, the remote computer may be connected to the user computer through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computer (for example, using an Internet service provider to connected via the Internet).
附图中的流程图和框图,图示了按照本公开各种实施例的系统、方法和计算机程序产品的可能实现的体系架构、功能和操作。在这点上,流程图或框图中的每个方框可以代表一个模块、程序段、或代码的一部分,该模块、程序段、或代码的一部分包含一个或多个用于实现规定的逻辑功能的可执行指令。也应当注意,在有些作为替换的实现中,方框中所标注的功能也可以以不同于附图中所标注的顺序发生。例如,两个接连地表示的方框实际上可以基本并行地执行,它们有时也可以按相反的顺序执行,这依所涉及的功能而定。也要注意的是,框图和/或流程图中的每个方框、以及框图和/或流程图中的方框的组合,可以用执行规定的功能或操作的专用的基于硬件的系统来实现,或者可以用专用硬件与计算机指令的组合来实现。The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in a flowchart or block diagram may represent a module, program segment, or portion of code that contains one or more logical functions for implementing specified executable instructions. It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or they may sometimes be executed in the reverse order, depending upon the functionality involved. It should also be noted that each block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations, can be implemented by a dedicated hardware-based system that performs the specified functions or operations , or may be implemented by a combination of dedicated hardware and computer instructions.
描述于本公开实施例中所涉及到的模块可以通过软件的方式实现,也可以通过硬件的方式来实现。其中,模块的名称在某种情况下并不构成对该模块本身的限定,例如,第一Hook模块还可以被描述为“通过第一Hook函数拦截宿主应用程序内安装的宿主内应用对第一API的调用的模块”。The modules involved in the embodiments described in the present disclosure may be implemented by software or by hardware. Among them, the name of the module does not constitute a limitation on the module itself under certain circumstances. For example, the first Hook module can also be described as "intercepting the first Hook application installed in the host application through the first Hook function. API call module".
本文中以上描述的功能可以至少部分地由一个或多个硬件逻辑部件来执行。例如,非限制性地,可以使用的示范类型的硬件逻辑部件包括:现场可编程门阵列(FPGA)、专用集成电路(ASIC)、专用标准产品(ASSP)、片上系统(SOC)、复杂可编程逻辑设备(CPLD)等等。The functions described herein above may be performed at least in part by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), System on Chips (SOCs), Complex Programmable Logical device (CPLD) and so on.
在本公开的上下文中,机器可读介质可以是有形的介质,其可以包含或存储以供指令执行系统、装置或设备使用或与指令执行系统、装置或设备结合地使用的程序。机器可读介质可以是机器可读信号介质或机器可读储存介质。机器可读介质可以包括但不限于电子的、磁性的、光学的、电磁的、红外的、或半导体系统、装置或设备,或者上述内容的任何合适组合。机器可读存储介质的更具体示例会包括基于一个或多个线的电气连接、便携式计算机盘、硬盘、随机存取存储器(RAM)、只读存储器(ROM)、可擦除可编程只读存储器(EPROM或快闪存储器)、光纤、便捷式紧凑盘只读存储器(CD-ROM)、光学储存设备、磁储存设备、或上述内容的任何合适组合。In the context of the present disclosure, a machine-readable medium may be a tangible medium that may contain or store a program for use by or in conjunction with an instruction execution system, apparatus, or device. A machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, electronic, magnetic, optical, electromagnetic, infrared, or semiconductor systems, apparatus, or devices, or any suitable combination of the foregoing. More specific examples of machine-readable storage media would include one or more wire-based electrical connections, portable computer discs, hard drives, random access memory (RAM), read only memory (ROM), erasable programmable read only memory (EPROM or flash memory), optical fiber, compact disk read only memory (CD-ROM), optical storage, magnetic storage, or any suitable combination of the foregoing.
根据本公开的一个或多个实施例,示例1提供了一种权限管理方法,包括:According to one or more embodiments of the present disclosure, Example 1 provides a rights management method, including:
通过第一Hook函数拦截宿主应用程序内安装的宿主内应用对第一API的调用;其中,所述宿主应用程序内安装有至少一个宿主内应用,所述第一API用于向操作系统申请第一权限;Intercept calls to the first API by the host application installed in the host application through the first Hook function; wherein, at least one host application is installed in the host application, and the first API is used to apply to the operating system for the first API a authority;
在所述操作系统对所述宿主应用程序授予所述第一权限,且用户对所述宿主内应用授予所述第一权限的情况下,授予所述宿主内应用所述第一权限。When the operating system grants the first permission to the host application, and the user grants the first permission to the application in the host, grant the first permission to the application in the host.
根据本公开的一个或多个实施例,示例2提供了示例1的方法,所述在所述操作系统对所述宿主应用程序授予所述第一权限,且用户对所述宿主内应用授予所述第一权限的情况下,授予所述宿主内应用所述第一权限,包括:According to one or more embodiments of the present disclosure, Example 2 provides the method of Example 1, the operating system grants the first permission to the host application, and the user grants the first permission to the host application In the case of the first permission, granting the first permission to the host application includes:
向所述操作系统申请授予所述宿主应用程序第一权限;Applying to the operating system for granting the first permission to the host application;
在所述操作系统授予所述宿主应用程序所述第一权限的情况下,生成询问用户是否针对所述宿主内应用授予所述第一权限的交互页面;When the operating system grants the host application the first permission, generate an interactive page asking the user whether to grant the first permission to the host application;
响应于用户在所述交互页面上作出的授权操作,授予所述宿主内应用所述第一权限。In response to an authorization operation performed by the user on the interactive page, the first permission is granted to the host application.
根据本公开的一个或多个实施例,示例3提供了示例1的方法,所述在所述操作系统对所述宿主应用程序授予所述第一权限,且用户对所述宿主内应用授予所述第一权限的情况下,授予所述宿主内应用所述第一权限,包括:According to one or more embodiments of the present disclosure, Example 3 provides the method of Example 1, the operating system grants the first permission to the host application, and the user grants the first permission to the host application In the case of the first permission, granting the first permission to the host application includes:
生成询问用户是否针对所述宿主内应用授予第一权限的交互页面;generating an interactive page asking the user whether to grant the first permission to the application in the host;
响应于用户在所述交互页面上作出的授权操作,向所述操作系统申请授予所述宿主应用程序所述第一权限;In response to an authorization operation performed by the user on the interactive page, apply to the operating system for granting the first permission to the host application;
在所述操作系统授予所述宿主应用程序所述第一权限的情况下,授予所述宿主内应用所述第一权限。When the operating system grants the first permission to the host application, grant the first permission to the host application.
根据本公开的一个或多个实施例,示例4提供了示例1的方法,还包括:According to one or more embodiments of the present disclosure, Example 4 provides the method of Example 1, further comprising:
通过第二Hook函数拦截宿主应用程序内安装的宿主内应用对第二API的调用;其中,所述第二API用于向操作系统请求校验是否授权有第二权限;Intercepting calls to the second API by the host application installed in the host application program through the second Hook function; wherein, the second API is used to request the operating system to verify whether it is authorized to have the second permission;
在所述操作系统对所述宿主应用程序已授予所述第二权限,且用户对所述宿主内应用已授予所述第二权限的情况下,向所述宿主内应用返回已授权,否则向所述宿主内应用返回未授权。In the case that the operating system has granted the second permission to the host application and the user has granted the second permission to the application in the host, return the authorization to the application in the host, otherwise send The in-host application returns Unauthorized.
根据本公开的一个或多个实施例,示例5提供了示例1的方法,还包括:According to one or more embodiments of the present disclosure, Example 5 provides the method of Example 1, further comprising:
通过第三Hook函数拦截宿主应用程序内安装的宿主内应用对第三API的调用;其中,所述第三API为需要对应权限调用的系统API;The third API is intercepted by the host application installed in the host application through the third Hook function; wherein, the third API is a system API that needs to be called with corresponding permissions;
在所述操作系统对所述宿主应用程序已授予所述对应权限,且用户对所述宿主内应用已授予所述对应权限的情况下,允许所述宿主内应用调用所述第三API,否则拒绝所述宿主内应用调用所述第三API。In the case that the operating system has granted the corresponding permission to the host application, and the user has granted the corresponding permission to the application in the host, allow the application in the host to call the third API, otherwise Denying the application in the host to call the third API.
根据本公开的一个或多个实施例,示例6提供了示例1的方法,还包括:According to one or more embodiments of the present disclosure, Example 6 provides the method of Example 1, further comprising:
通过第四Hook函数拦截宿主应用程序内安装的宿主内应用对第四API的调用;其中,所述第四API用于获取宿主应用程序内已安装宿主内应用的信息;Intercepting the call of the fourth API by the host application installed in the host application through the fourth Hook function; wherein, the fourth API is used to obtain the information of the installed host application in the host application;
向所述宿主内应用返回所述宿主内应用的自身信息。The self information of the application in the host is returned to the application in the host.
根据本公开的一个或多个实施例,示例7提供了一种权限管理装置,包括:According to one or more embodiments of the present disclosure, Example 7 provides a rights management device, including:
第一Hook模块,用于通过第一Hook函数拦截宿主应用程序内安装的宿主内应用对第一API的调用;其中,所述宿主应用程序内安装有至少一个宿主内应用,所述第一API用于向操作系统申请第一权限;The first Hook module is used to intercept the call of the first API by the host application installed in the host application through the first Hook function; wherein, at least one host application is installed in the host application, and the first API Used to apply for the first permission to the operating system;
权限申请管理模块,用于在所述操作系统对所述宿主应用程序授予所述第一权限,且用户对所述宿主内应用授予所述第一权限的情况下,授予所述宿主内应用所述第一权限。A permission application management module, configured to grant the host application the first permission when the operating system grants the first permission to the host application and the user grants the first permission to the host application the first permission.
根据本公开的一个或多个实施例,示例8提供了示例7的装置,权限申请管理模块用于:According to one or more embodiments of the present disclosure, Example 8 provides the device of Example 7, and the rights application management module is used for:
向所述操作系统申请授予所述宿主应用程序第一权限;Applying to the operating system for granting the first permission to the host application;
在所述操作系统授予所述宿主应用程序所述第一权限的情况下,生成询问用户是否针对所述宿主内应用授予所述第一权限的交互页面;When the operating system grants the host application the first permission, generate an interactive page asking the user whether to grant the first permission to the host application;
响应于用户在所述交互页面上作出的授权操作,授予所述宿主内应用所述第一权限。In response to an authorization operation performed by the user on the interactive page, the first permission is granted to the host application.
根据本公开的一个或多个实施例,示例9提供了示例7的装置,权限申请管理模块用于:According to one or more embodiments of the present disclosure, Example 9 provides the device of Example 7, and the rights application management module is used for:
生成询问用户是否针对所述宿主内应用授予第一权限的交互页面;generating an interactive page asking the user whether to grant the first permission to the application in the host;
响应于用户在所述交互页面上作出的授权操作,向所述操作系统申请授予所述宿主应用程序所述第一权限;In response to an authorization operation performed by the user on the interactive page, apply to the operating system for granting the first permission to the host application;
在所述操作系统授予所述宿主应用程序所述第一权限的情况下,授予所述宿主内应用所述第一权限。When the operating system grants the first permission to the host application, grant the first permission to the host application.
根据本公开的一个或多个实施例,示例10提供了示例7的装置,还包括:According to one or more embodiments of the present disclosure, Example 10 provides the device of Example 7, further comprising:
第二Hook模块,用于通过第二Hook函数拦截宿主应用程序内安装的宿主内应用对第二API的调用;其中,所述第二API用于向操作系统请求校验是否授权有第二权限;The second Hook module is used to intercept the call of the second API by the host application installed in the host application program through the second Hook function; wherein, the second API is used to request the operating system to verify whether the authorization has the second permission ;
权限校验管理模块,用于在所述操作系统对所述宿主应用程序已授予所述第二权限,且用户对所述宿主内应用已授予所述第二权限的情况下,向所述宿主内应用返回已授权,否则向所述宿主内应用返回未授权。A permission verification management module, configured to send the host application the second permission if the operating system has granted the second permission to the host application and the user has granted the second permission to the host application. The internal application returns authorized, otherwise returns unauthorized to the host internal application.
根据本公开的一个或多个实施例,示例11提供了示例7的装置,还包括:According to one or more embodiments of the present disclosure, Example 11 provides the device of Example 7, further comprising:
第三Hook模块,用于通过第三Hook函数拦截宿主应用程序内安装的宿主内应用对第三API的调用;其中,所述第三API为需要对应权限调用的系统API;The third Hook module is used to intercept the call of the third API by the host application installed in the host application program through the third Hook function; wherein, the third API is a system API that needs to be called with corresponding permissions;
调用权限管理模块,用于在所述操作系统对所述宿主应用程序已授予所述对应权限,且用户对所述宿主内应用已授予所述对应权限的情况下,允许所述宿主内应用调用所述第三API,否则拒绝所述宿主内应用调用所述第三API。A call permission management module, configured to allow the application in the host to call The third API, otherwise deny the application in the host to call the third API.
根据本公开的一个或多个实施例,示例12提供了示例7的装置,还包括:According to one or more embodiments of the present disclosure, Example 12 provides the device of Example 7, further comprising:
第四Hook模块,用于通过第四Hook函数拦截宿主应用程序内安装的宿主内应用对第 四API的调用;其中,所述第四API用于获取宿主应用程序内已安装宿主内应用的信息;The fourth Hook module is used to intercept the call of the fourth API by the host application installed in the host application through the fourth Hook function; wherein, the fourth API is used to obtain the information of the installed host application in the host application ;
信息隔离模块,用于向所述宿主内应用返回所述宿主内应用的自身信息。An information isolation module, configured to return the self-information of the application in the host to the application in the host.
根据本公开的一个或多个实施例,示例13提供了一种计算机可读存储介质,其上存储有计算机程序,该程序被处理装置执行时实现示例1至示例6中任一示例所述方法的步骤。According to one or more embodiments of the present disclosure, Example 13 provides a computer-readable storage medium, on which a computer program is stored, and when the program is executed by a processing device, the method described in any one of Examples 1 to 6 is implemented. A step of.
根据本公开的一个或多个实施例,示例14提供了一种电子设备,包括:According to one or more embodiments of the present disclosure, Example 14 provides an electronic device, comprising:
存储装置,其上存储有计算机程序;a storage device on which a computer program is stored;
处理装置,用于执行所述存储装置中的所述计算机程序,以实现示例1至示例6中任一示例所述方法的步骤。A processing device configured to execute the computer program in the storage device, so as to implement the steps of the method in any one of examples 1 to 6.
以上描述仅为本公开的较佳实施例以及对所运用技术原理的说明。本领域技术人员应当理解,本公开中所涉及的公开范围,并不限于上述技术特征的特定组合而成的技术方案,同时也应涵盖在不脱离上述公开构思的情况下,由上述技术特征或其等同特征进行任意组合而形成的其它技术方案。例如上述特征与本公开中公开的(但不限于)具有类似功能的技术特征进行互相替换而形成的技术方案。The above description is only a preferred embodiment of the present disclosure and an illustration of the applied technical principle. Those skilled in the art should understand that the disclosure scope involved in this disclosure is not limited to the technical solution formed by the specific combination of the above-mentioned technical features, but also covers the technical solutions formed by the above-mentioned technical features or Other technical solutions formed by any combination of equivalent features. For example, a technical solution formed by replacing the above-mentioned features with (but not limited to) technical features with similar functions disclosed in this disclosure.
此外,虽然采用特定次序描绘了各操作,但是这不应当理解为要求这些操作以所示出的特定次序或以顺序次序执行来执行。在一定环境下,多任务和并行处理可能是有利的。同样地,虽然在上面论述中包含了若干具体实现细节,但是这些不应当被解释为对本公开的范围的限制。在单独的实施例的上下文中描述的某些特征还可以组合地实现在单个实施例中。相反地,在单个实施例的上下文中描述的各种特征也可以单独地或以任何合适的子组合的方式实现在多个实施例中。In addition, while operations are depicted in a particular order, this should not be understood as requiring that the operations be performed in the particular order shown or to be performed in sequential order. Under certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while the above discussion contains several specific implementation details, these should not be construed as limitations on the scope of the disclosure. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination.
尽管已经采用特定于结构特征和/或方法逻辑动作的语言描述了本主题,但是应当理解所附权利要求书中所限定的主题未必局限于上面描述的特定特征或动作。相反,上面所描述的特定特征和动作仅仅是实现权利要求书的示例形式。关于上述实施例中的装置,其中各个模块执行操作的具体方式已经在有关该方法的实施例中进行了详细描述,此处将不做详细阐述说明。Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are merely example forms of implementing the claims. Regarding the apparatus in the above embodiments, the specific manner in which each module executes operations has been described in detail in the embodiments related to the method, and will not be described in detail here.

Claims (10)

  1. 一种权限管理方法,其包括:A rights management method, which includes:
    通过第一Hook函数拦截宿主应用程序内安装的宿主内应用对第一API的调用;其中,所述宿主应用程序内安装有至少一个宿主内应用,所述第一API用于向操作系统申请第一权限;Intercept calls to the first API by the host application installed in the host application through the first Hook function; wherein, at least one host application is installed in the host application, and the first API is used to apply to the operating system for the first API a authority;
    在所述操作系统对所述宿主应用程序授予所述第一权限,且用户对所述宿主内应用授予所述第一权限的情况下,授予所述宿主内应用所述第一权限。When the operating system grants the first permission to the host application, and the user grants the first permission to the application in the host, grant the first permission to the application in the host.
  2. 根据权利要求1所述的方法,其中,所述在所述操作系统对所述宿主应用程序授予所述第一权限,且用户对所述宿主内应用授予所述第一权限的情况下,授予所述宿主内应用所述第一权限,包括:The method according to claim 1, wherein when the operating system grants the first permission to the host application, and the user grants the first permission to the application in the host, granting Applying the first permission in the host includes:
    向所述操作系统申请授予所述宿主应用程序第一权限;Applying to the operating system for granting the first permission to the host application;
    在所述操作系统授予所述宿主应用程序所述第一权限的情况下,生成询问用户是否针对所述宿主内应用授予所述第一权限的交互页面;When the operating system grants the host application the first permission, generate an interactive page asking the user whether to grant the first permission to the host application;
    响应于用户在所述交互页面上作出的授权操作,授予所述宿主内应用所述第一权限。In response to an authorization operation performed by the user on the interactive page, the first permission is granted to the host application.
  3. 根据权利要求1所述的方法,其中,所述在所述操作系统对所述宿主应用程序授予所述第一权限,且用户对所述宿主内应用授予所述第一权限的情况下,授予所述宿主内应用所述第一权限,包括:The method according to claim 1, wherein when the operating system grants the first permission to the host application, and the user grants the first permission to the application in the host, granting Applying the first permission in the host includes:
    生成询问用户是否针对所述宿主内应用授予第一权限的交互页面;generating an interactive page asking the user whether to grant the first permission to the application in the host;
    响应于用户在所述交互页面上作出的授权操作,向所述操作系统申请授予所述宿主应用程序所述第一权限;In response to an authorization operation performed by the user on the interactive page, apply to the operating system for granting the first permission to the host application;
    在所述操作系统授予所述宿主应用程序所述第一权限的情况下,授予所述宿主内应用所述第一权限。When the operating system grants the first permission to the host application, grant the first permission to the host application.
  4. 根据权利要求1所述的方法,其还包括:The method of claim 1, further comprising:
    通过第二Hook函数拦截宿主应用程序内安装的宿主内应用对第二API的调用;其中,所述第二API用于向操作系统请求校验是否授权有第二权限;Intercepting calls to the second API by the host application installed in the host application program through the second Hook function; wherein, the second API is used to request the operating system to verify whether it is authorized to have the second permission;
    在所述操作系统对所述宿主应用程序已授予所述第二权限,且用户对所述宿主内应用已授予所述第二权限的情况下,向所述宿主内应用返回已授权,否则向所述宿主内应用返回未授权。In the case that the operating system has granted the second permission to the host application and the user has granted the second permission to the application in the host, return the authorization to the application in the host, otherwise send The in-host application returns Unauthorized.
  5. 根据权利要求1所述的方法,其还包括:The method of claim 1, further comprising:
    通过第三Hook函数拦截宿主应用程序内安装的宿主内应用对第三API的调用;其中,所述第三API为需要对应权限调用的系统API;The third API is intercepted by the host application installed in the host application through the third Hook function; wherein, the third API is a system API that needs to be called with corresponding permissions;
    在所述操作系统对所述宿主应用程序已授予所述对应权限,且用户对所述宿主内应用已 授予所述对应权限的情况下,允许所述宿主内应用调用所述第三API,否则拒绝所述宿主内应用调用所述第三API。In the case that the operating system has granted the corresponding permission to the host application, and the user has granted the corresponding permission to the application in the host, allow the application in the host to call the third API, otherwise Denying the application in the host to call the third API.
  6. 根据权利要求1所述的方法,其还包括:The method of claim 1, further comprising:
    通过第四Hook函数拦截宿主应用程序内安装的宿主内应用对第四API的调用;其中,所述第四API用于获取宿主应用程序内已安装宿主内应用的信息;Intercepting the call of the fourth API by the host application installed in the host application through the fourth Hook function; wherein, the fourth API is used to obtain the information of the installed host application in the host application;
    向所述宿主内应用返回所述宿主内应用的自身信息。The self information of the application in the host is returned to the application in the host.
  7. 一种权限管理装置,其特征在于,包括:A rights management device, characterized in that it includes:
    第一Hook模块,用于通过第一Hook函数拦截宿主应用程序内安装的宿主内应用对第一API的调用;其中,所述宿主应用程序内安装有至少一个宿主内应用,所述第一API用于向操作系统申请第一权限;The first Hook module is used to intercept the call of the first API by the host application installed in the host application through the first Hook function; wherein, at least one host application is installed in the host application, and the first API Used to apply for the first permission to the operating system;
    权限申请管理模块,用于在所述操作系统对所述宿主应用程序授予所述第一权限,且用户对所述宿主内应用授予所述第一权限的情况下,授予所述宿主内应用所述第一权限。A permission application management module, configured to grant the host application the first permission when the operating system grants the first permission to the host application and the user grants the first permission to the host application the first permission.
  8. 根据权利要求7所述的装置,其还包括:The apparatus of claim 7, further comprising:
    第二Hook模块,用于通过第二Hook函数拦截宿主应用程序内安装的宿主内应用对第二API的调用;其中,所述第二API用于向操作系统请求校验是否授权有第二权限;The second Hook module is used to intercept the call of the second API by the host application installed in the host application program through the second Hook function; wherein, the second API is used to request the operating system to verify whether the authorization has the second permission ;
    权限校验管理模块,用于在所述操作系统对所述宿主应用程序已授予所述第二权限,且用户对所述宿主内应用已授予所述第二权限的情况下,向所述宿主内应用返回已授权,否则向所述宿主内应用返回未授权。A permission verification management module, configured to send the host application the second permission if the operating system has granted the second permission to the host application and the user has granted the second permission to the host application. The internal application returns authorized, otherwise returns unauthorized to the host internal application.
  9. 一种计算机可读存储介质,其上存储有计算机程序,其中,该程序被处理装置执行时实现权利要求1-6中任一项所述方法的步骤。A computer-readable storage medium, on which a computer program is stored, wherein, when the program is executed by a processing device, the steps of the method described in any one of claims 1-6 are implemented.
  10. 一种电子设备,其包括:An electronic device comprising:
    存储装置,其上存储有计算机程序;a storage device on which a computer program is stored;
    处理装置,用于执行所述存储装置中的所述计算机程序,以实现权利要求1-6中任一项所述方法的步骤。A processing device configured to execute the computer program in the storage device to implement the steps of the method according to any one of claims 1-6.
PCT/CN2022/138302 2021-12-27 2022-12-12 Permission management method and apparatus, storage medium, and electronic device WO2023124930A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202111616976.8A CN116361777A (en) 2021-12-27 2021-12-27 Authority management method and device, storage medium and electronic equipment
CN202111616976.8 2021-12-27

Publications (1)

Publication Number Publication Date
WO2023124930A1 true WO2023124930A1 (en) 2023-07-06

Family

ID=86937491

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/138302 WO2023124930A1 (en) 2021-12-27 2022-12-12 Permission management method and apparatus, storage medium, and electronic device

Country Status (2)

Country Link
CN (1) CN116361777A (en)
WO (1) WO2023124930A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7020882B1 (en) * 2000-09-14 2006-03-28 International Business Machines Corporation Method, system, and program for remotely manipulating a user interface over a network
CN104376255A (en) * 2014-11-28 2015-02-25 北京奇虎科技有限公司 Application program running control method and device
CN104598809A (en) * 2015-02-13 2015-05-06 北京奇虎科技有限公司 Program monitoring method and defending method thereof, as well as relevant device
CN105912925A (en) * 2016-04-05 2016-08-31 周奇 Method and system for preventing mobile terminal from automatically installing related applications
CN106355079A (en) * 2016-08-18 2017-01-25 北京奇虎科技有限公司 Method and device for optimizing installation of application program and terminal

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7020882B1 (en) * 2000-09-14 2006-03-28 International Business Machines Corporation Method, system, and program for remotely manipulating a user interface over a network
CN104376255A (en) * 2014-11-28 2015-02-25 北京奇虎科技有限公司 Application program running control method and device
CN104598809A (en) * 2015-02-13 2015-05-06 北京奇虎科技有限公司 Program monitoring method and defending method thereof, as well as relevant device
CN105912925A (en) * 2016-04-05 2016-08-31 周奇 Method and system for preventing mobile terminal from automatically installing related applications
CN106355079A (en) * 2016-08-18 2017-01-25 北京奇虎科技有限公司 Method and device for optimizing installation of application program and terminal

Also Published As

Publication number Publication date
CN116361777A (en) 2023-06-30

Similar Documents

Publication Publication Date Title
CN110414268B (en) Access control method, device, equipment and storage medium
JP6397500B2 (en) Selective code integrity enforcement assisted by virtual machine manager
US11381566B2 (en) Isolating network resources in a virtualized environment
US9507961B2 (en) System and method for providing secure access control to a graphics processing unit
CN110546979B (en) Multi-level distributed access control between services and applications
CN106534148A (en) Access control method and device for application
US10831915B2 (en) Method and system for isolating application data access
CN110569667B (en) Access control method and device, computer equipment and storage medium
US20190236312A1 (en) Apparatus and method for tracking access permissions over multiple execution environments
CN112416616B (en) Micro-service calling method and device, electronic equipment and storage medium
WO2023193572A1 (en) Data management method and apparatus, server and storage medium
WO2023241060A1 (en) Data access method and apparatus
WO2023123850A1 (en) Method and apparatus for implementing firmware root of trust, device, and readable storage medium
CN111079125A (en) Method and device for calling third-party library dynamic lifting authority by application program
CN113630253A (en) Login method, device, computer system and readable storage medium
US20150278512A1 (en) Virtualization based intra-block workload isolation
US10719456B2 (en) Method and apparatus for accessing private data in physical memory of electronic device
WO2023185514A1 (en) Message transmission methods and apparatuses, storage medium and electronic device
WO2023124930A1 (en) Permission management method and apparatus, storage medium, and electronic device
CN111291379B (en) Android-based vehicle-mounted system application detection method and device and electronic equipment
CN115694979A (en) Method, device, equipment, medium and program for accessing MQTT (Multi-query Log) by vehicle-mounted terminal
US9003427B2 (en) Methods for managing authority designation of graphical user interfaces
CN114691553A (en) Method and device for accessing accessory device
CN111367590A (en) Interrupt event processing method and device
CN113641966B (en) Application integration method, system, equipment and medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22914185

Country of ref document: EP

Kind code of ref document: A1