CN103632073A - Method and device used for controlling terminal application permission - Google Patents


Info

Publication number
CN103632073A
Authority
CN
China
Prior art keywords
application
security
security permission
application class
class
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201310652369.6A
Other languages
Chinese (zh)
Inventor
陈继
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Netqin Technology Co Ltd
Original Assignee
Beijing Netqin Technology Co Ltd
Application filed by Beijing Netqin Technology Co Ltd filed Critical Beijing Netqin Technology Co Ltd
Priority to CN201310652369.6A priority Critical patent/CN103632073A/en
Publication of CN103632073A publication Critical patent/CN103632073A/en
Pending legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The invention provides a method and a device for controlling terminal application permissions. The method comprises the following steps: detecting a permission request issued when an application is installed on a terminal; in response to detecting the permission request, determining the application classification to which the application belongs and determining the security permission range corresponding to that application classification; and, in response to the permission request exceeding the security permission range, blocking installation of the application. According to embodiments of the invention, an application can be effectively prevented from obtaining out-of-range permissions when it is installed.

Description

Method and device for controlling terminal application permissions
Technical field
The present invention relates to the field of mobile communications and, more specifically, to a method and device for controlling terminal application permissions.
Background
In recent years, mobile terminals have become increasingly widespread. As used herein, the term "mobile terminal" can refer to various devices with wireless communication capability, such as smartphones, wireless PDAs, laptop computers and tablet computers. Various applications can be installed on these mobile terminals to provide numerous functions, for example sending and receiving e-mail, accessing social networks, online shopping, games, and so on. These applications enrich the user's experience of the terminal, but they also bring security risks. The permissions of these applications therefore need to be controlled.
At present, permission control for mobile applications installed on Android terminals is mainly carried out in the following ways. One approach is: before the application is released, the application source code is packaged into the installation package together with a permission configuration file; or, in order to manage the application's permissions in a unified way, the permission parameter configuration is compiled together with the application's runtime code as part of the application. Another approach is: when permission control is needed, a device management server sends a permission update notification to the mobile terminal, so that the mobile terminal updates the existing application with an application that uses the new permissions. From a security control perspective, the former is a preventive mechanism that takes precautions before a permission security problem can occur, while the latter is an after-the-fact update mechanism.
In general, existing permission security controls for mobile terminal applications can be classified as: advance defense mechanisms, which take security measures in the stage before the application is installed and run; and after-the-fact remediation mechanisms, which, after the application is installed, use security detection means outside the application to judge and define permission security. The shortcoming of both approaches is that neither provides security detection and protection while the application is being installed, so neither can secure the installation itself.
A method and device for controlling terminal application permissions is therefore needed that can effectively ensure security when an application is installed.
Summary of the invention
To achieve the above object, the invention provides a scheme for controlling terminal application permissions when an application is installed, and correspondingly an improved installation scheme that controls terminal application permissions at installation time. According to embodiments of the invention, an application that requests excessive permissions or applies for permissions illegitimately can be stopped during the installation process itself. Preferably, according to some embodiments of the invention, the application's installation package can also be updated to generate a secure installation package in which the application's excessive or illegitimate permission requests are restricted, so that the application is ultimately installed securely while its normal functions remain usable.
According to one aspect of the invention, a method for dynamically controlling terminal application permissions is provided. The method can comprise: detecting a permission request issued when an application is installed on a terminal; in response to detecting the permission request, determining the application classification to which the application belongs and determining the security permission range corresponding to that application classification; and, in response to the permission request exceeding the security permission range, blocking installation of the application.
In some embodiments of the invention, the method can further comprise: in response to the permission request exceeding the security permission range, notifying the user that the application violates the permission security rules.
In some embodiments of the invention, the method can further comprise: prompting the user whether to perform a security update on the application's installation package; and, if user input confirming the security update is received, requesting a server to perform a security update on the application's installation package so as to obtain a secure installation package for the application.
In some embodiments of the invention, the application classification to which the application belongs can be determined as follows: querying the terminal's local application classification list to determine the application classification to which the application belongs; and, if the local application classification list does not contain the application, querying a cloud server for the application classification to which the application belongs.
In some embodiments of the invention, the security permission range corresponding to the application classification can be determined as follows: querying the terminal's local security permission list to determine the security permission range corresponding to the application classification; and, if the local security permission list does not contain the application classification, querying a cloud server for the security permission range corresponding to the application classification.
According to another aspect of the invention, a device for dynamically controlling terminal application permissions is provided. The device can comprise: an installation action monitoring module, configured to detect a permission request issued when an application is installed on a terminal; a permission check module, configured to, in response to detecting the permission request, determine the application classification to which the application belongs and determine the security permission range corresponding to that application classification; and a permission control module, configured to, in response to the permission request exceeding the security permission range, block installation of the application.
According to some embodiments of the invention, the device can further comprise a notification module. The notification module can be configured to: in response to the permission request exceeding the security permission range, notify the user that the application violates the permission security rules.
According to some embodiments of the invention, the device can further comprise an installation repackaging module. The installation repackaging module can be configured to: prompt the user whether to perform a security update on the application's installation package; and, if user input confirming the security update is received, request a server to perform a security update on the application's installation package so as to obtain a secure installation package for the application.
According to some embodiments of the invention, the permission check module comprises an application classification check submodule and a security permission range check submodule. The application classification check submodule can be configured to: query the terminal's local application classification list to determine the application classification to which the application belongs; and, if the local application classification list does not contain the application, query a cloud server for the application classification to which the application belongs. The security permission range check submodule can be configured to: query the terminal's local security permission list to determine the security permission range corresponding to the application classification; and, if the local security permission list does not contain the application classification, query a cloud server for the security permission range corresponding to the application classification.
Brief description of the drawings
The above and other objects, features and advantages of the invention will become clearer from the following description of preferred embodiments in conjunction with the accompanying drawings, in which:
Fig. 1 schematically shows an application scenario of a mobile communication system according to the invention;
Fig. 2 schematically shows a flowchart of a method, according to an embodiment of the invention, for controlling terminal application permissions when an application is installed;
Fig. 3 schematically shows a block diagram of a device, according to an embodiment of the invention, for controlling terminal application permissions when an application is installed; and
Fig. 4A and 4B show schematic diagrams of a process for controlling application permissions during application installation on an Android phone, according to an example of an embodiment of the invention.
Throughout the drawings, the same or similar structures are identified by the same or similar reference numerals.
Detailed description
The invention is now described in detail with reference to the accompanying drawings, which show illustrative embodiments of the invention so that those skilled in the art can practice it. Note that the following drawings and examples are not meant to limit the scope of the invention to a single embodiment; on the contrary, other embodiments can be formed by exchanging and combining some or all of the elements described or shown in different embodiments. In addition, where particular elements of the invention can be partially or fully implemented with known components, only those parts of the known components that are necessary for understanding the invention are described, and detailed description of the other parts is omitted so as not to obscure the invention. Unless otherwise indicated herein, those skilled in the art should understand that although some embodiments of the invention are described as implemented in software, the invention is not limited to this and can also be implemented in hardware or in a combination of software and hardware, and vice versa. Unless explicitly stated otherwise herein, an embodiment showing a single component should not be considered limiting; rather, the invention is intended to cover other embodiments that include a plurality of the same component, and vice versa. Furthermore, the invention encompasses present and future equivalents of the known components referred to herein by way of illustration.
Fig. 1 shows a schematic diagram of a communication system 100 in which embodiments of the invention can be implemented. As shown in Fig. 1, system 100 can comprise a server 110 and a terminal 120.
Server 110 is typically a secure cloud server. Server 110 can maintain a complete application classification list (Application Classification List, ACL for short) and a complete security permission list (Safe Permission List, SPL for short). Preferably, server 110 also provides a service for repackaging application installation packages. This repackaging service comprises: cleaning out of the application installation package the permission requests that exceed the security permission range, so as to generate a new, secure application installation package. Although only one server 110 is shown in the figure, it should be understood that there can be two or more servers 110. It should also be understood that server 110 can be a single physical entity or can be distributed over two or more physical entities.
Terminal 120 can be a mobile terminal with wireless communication capability, such as a mobile phone, tablet computer, laptop computer or PDA (Personal Digital Assistant). Alternatively, terminal 120 can be a device with wired networking capability that is not easily moved, such as a desktop computer. The device for dynamically controlling terminal application permissions according to embodiments of the invention can be installed on terminal 120 in the form of a client. This client can be installed on terminal 120 by the user in the form of software, or can be installed in terminal 120 by the terminal manufacturer in the form of hardware or firmware. It should be understood that although only one terminal 120 is shown in the figure, there can be two or more terminals 120. Although the embodiments of the invention are described below mainly using an Android phone as the example of terminal 120, the invention is not limited to this. In embodiments of the invention, the operating system of terminal 120 can include, but is not limited to, Android, iOS, Windows Mobile, Symbian, Windows Phone, Blackberry OS, etc.
As shown in the figure, terminal 120 communicates with server 110 via network 130. Network 130 can be a wireless network or a wired network, such as but not limited to: a 2G, 3G, 4G or 5G (such as WCDMA, CDMA1100, TD-SCDMA, LTE, etc.) mobile communication network, the internet, a wired local area network or a wireless local area network (WLAN).
Fig. 2 schematically shows a flowchart of a method 200, according to an embodiment of the invention, for controlling terminal application permissions when an application is installed. Method 200 can be executed by a client according to an embodiment of the invention installed on terminal 120. This client can start automatically when terminal 120 is powered on, or can be started manually by the user. While the client is running, it continuously monitors application installation events on terminal 120.
When installation of an application starts on terminal 120, the client detects the installation event and starts executing method 200 to perform the permission security check. The application's installation package may, for example, have been downloaded from a mobile application market on the internet, or may have been made available to terminal 120 by other means.
In step S210, a permission request issued when an application is installed on terminal 120 is detected. If a permission request issued during application installation is detected, method 200 advances to step S220.
In step S220, the application classification to which the application belongs is determined. In a preferred embodiment of the invention, a complete application classification list is maintained on a secure cloud server (for example server 110), while only an incomplete application classification list is maintained locally on the terminal, to suit the limited storage capacity of the terminal. Preferably, a most frequently used application classification (Often Used Categories, OUC for short) list is maintained locally on the terminal. This local application classification list can, for example, be stored as a file at a specified location in the terminal's storage. The file can be a plaintext file or an encrypted file.
In an example of an embodiment of the invention, in step S220 the terminal's local application classification list (for example, the most frequently used application classification list) can be queried first to determine the application classification of the application being installed. If the application is not found in the terminal's local application classification list, cloud server 110 is queried for the application classification to which the application belongs.
In an example of an embodiment of the invention, the application classification list can be updated periodically. Preferably, in step S220 the timestamp of the local application classification list is read first, and this timestamp is used to judge whether the terminal's local application classification list needs updating. If it does (for example, the difference between the current time and the timestamp exceeds the update period), terminal 120 can communicate with secure cloud server 110 to update the local application classification list. The updated local application classification list is then queried for the application classification of the application. If the application classification of the application is not found, cloud server 110 is then queried for the application classification to which the application belongs.
It should be understood that in other embodiments of the invention, if terminal 120 has sufficient storage capacity, a complete application classification list can be maintained on terminal 120 and periodically synchronized with the application classification list on server 110. In this case, in step S220 only the terminal's local application classification list is queried to determine the application classification of the application being installed. If the application classification of the application is not found locally, the query is considered to have failed and the server is not queried.
Alternatively, in other embodiments of the invention, no application classification list is stored on terminal 120. In that case, in step S220 server 110 can be queried directly for the application classification of the application being installed.
If the application classification of the application is not found in step S220, method 200 ends. Optionally, in this case the user can be informed that the security permission range of the application is unknown and asked whether to continue installing the application. If the application classification of the application is determined in step S220, method 200 advances to step S230.
In step S230, the security permission range corresponding to the application classification is determined. In a preferred embodiment of the invention, a complete security permission list (Safe Permission List, SPL for short) is maintained on a secure cloud server (for example server 110), while only an incomplete SPL is maintained locally on the terminal, to suit the limited storage capacity of the terminal. Preferably, the security permission list for the most frequently used application classifications is maintained locally on the terminal. This local security permission list can, for example, be stored as a file at a specified location in the terminal's storage. The file can be a plaintext file or an encrypted file.
In an example of an embodiment of the invention, in step S230 the terminal's local security permission list can be queried first to determine the security permission range corresponding to the application classification. If the application classification is not found in the terminal's local security permission list, cloud server 110 is queried for the security permission range corresponding to the application classification.
In an example of an embodiment of the invention, the security permission list can be updated periodically. Preferably, in step S230 the timestamp of the local security permission list is read first, and this timestamp is used to judge whether the terminal's local security permission list needs updating. If it does (for example, the difference between the current time and the timestamp exceeds the update period), terminal 120 can communicate with secure cloud server 110 to update the local security permission list. The updated local security permission list is then queried for the security permission range corresponding to the application classification. If the security permission range corresponding to the application classification is not found, cloud server 110 is then queried for it.
It should be understood that in other embodiments of the invention, if terminal 120 has sufficient storage capacity, a complete security permission range list can be maintained on terminal 120 and periodically synchronized with the security permission range list on server 110. In this case, in step S230 only the terminal's local security permission range list is queried to determine the security permission range corresponding to the application classification. If the security permission range of the application classification is not found locally, the query is considered to have failed and the server is not queried.
Alternatively, in other embodiments of the invention, no security permission range list is stored on terminal 120. In that case, in step S230 server 110 can be queried directly for the security permission range corresponding to the application classification.
If the security permission range corresponding to the application classification is ultimately not found in step S230, method 200 ends. Optionally, in this case the user can be informed that the security permission range of the application is unknown and asked whether to continue installing the application. If the security permission range corresponding to the application classification is determined in step S230, method 200 advances to step S240.
In step S240, it is judged whether the permission request detected in step S210 exceeds the security permission range determined in step S230. If it does, installation of the application is blocked. If it does not, method 200 ends directly and the installation of the application continues.
Optionally, if step S240 judges that the permission request issued during installation of the application exceeds the security permission range corresponding to the application, then in addition to blocking installation of the application, the user can be notified that the application violates the permission security rules. The notification can be given, for example, by showing a text message on the display or by playing a voice message through the loudspeaker.
Optionally, method 200 can also comprise a step of updating the application installation package. Specifically, if step S240 judges that the permission request exceeds the security permission range, the user can be prompted whether to perform a security update on the application's installation package. If user input confirming the security update is received, a cloud server (for example, server 110) is requested to perform a security update on the application's installation package, such as cleaning out the permission requests that exceed the security permission range, so as to obtain a secure installation package for the application. Terminal 120 can then install the application from this secure installation package, so that the application is ultimately installed securely while its normal functions remain usable.
Preferably, server 110 can set a permission security cleaning (Safety Clean, SC for short) flag in the secure installation package it generates. Correspondingly, method 200 can comprise a pre-check operation before step S210. In this pre-check operation, the application installation package is checked for the SC flag. If the SC flag is detected, the security check process (i.e., steps S210-S240) is skipped and the application installation procedure is entered directly. If the SC flag is not detected, steps S210-S240 are executed to carry out the security check process.
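The decision flow of method 200 (pre-check, then steps S210 to S240), including the timestamp-based list refresh and the cloud fallback, can be modelled as follows. This is an added illustration, not code from the patent: the class and function names, the update period, and the package and classification names are assumptions, and the sample lists are constructed.

```python
"""Model of method 200 (pre-check and steps S210-S240). Added illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional

UPDATE_PERIOD = 24 * 3600  # assumed update period in seconds; the page gives no value

# Real Android permission names; the package and classification names are constructed.
INTERNET = "android.permission.INTERNET"
READ_CONTACTS = "android.permission.READ_CONTACTS"
CAMERA = "android.permission.CAMERA"
SEND_SMS = "android.permission.SEND_SMS"


class Verdict(Enum):
    INSTALL = "install"        # request lies within the security permission range
    BLOCK = "block"            # request exceeds the range: installation is blocked
    UNKNOWN = "unknown"        # no classification or range found: optionally ask the user
    SKIP_CHECK = "skip_check"  # package carries the SC flag set by the server


class CloudServer:
    """Stand-in for server 110, which holds the complete ACL and SPL."""

    def __init__(self, acl, spl):
        self.acl, self.spl = acl, spl
        self.queries = 0  # counts per-key fallback queries from the terminal

    def lookup(self, table, key):
        self.queries += 1
        return getattr(self, table).get(key)

    def snapshot(self, table, keys):
        """Current server values for the keys a terminal caches locally."""
        full = getattr(self, table)
        return {k: full[k] for k in keys if k in full}


@dataclass
class LocalList:
    """Incomplete local list (OUC list or local SPL) with its timestamp."""
    table: str        # "acl" or "spl"
    entries: dict
    timestamp: float

    def get(self, key, server, now):
        # Refresh first if the list is older than the update period.
        if now - self.timestamp > UPDATE_PERIOD:
            self.entries = server.snapshot(self.table, list(self.entries))
            self.timestamp = now
        value = self.entries.get(key)
        if value is None:  # not cached locally: fall back to the cloud server
            value = server.lookup(self.table, key)
        return value


@dataclass
class Decision:
    verdict: Verdict
    classification: Optional[str] = None
    excess: frozenset = frozenset()  # requested permissions outside the range


def check_install(package, requested, sc_flag, local_acl, local_spl, server, now):
    """`requested` is the permission request detected in step S210."""
    # Pre-check: the page skips S210-S240 when the SC flag is present. It does not
    # say how the flag is protected; this model takes it as a trusted boolean.
    if sc_flag:
        return Decision(Verdict.SKIP_CHECK)
    classification = local_acl.get(package, server, now)        # S220
    if classification is None:
        return Decision(Verdict.UNKNOWN)
    allowed = local_spl.get(classification, server, now)        # S230
    if allowed is None:
        return Decision(Verdict.UNKNOWN, classification)
    excess = frozenset(requested) - frozenset(allowed)          # S240
    if excess:
        return Decision(Verdict.BLOCK, classification, excess)
    return Decision(Verdict.INSTALL, classification)


def build_sample():
    """Constructed server lists and a smaller local cache, both stamped t=1000."""
    server = CloudServer(
        acl={"com.example.mail": "email", "com.example.torch": "tools"},
        spl={"email": {INTERNET, READ_CONTACTS}, "tools": {CAMERA}},
    )
    local_acl = LocalList("acl", {"com.example.mail": "email"}, 1000.0)
    local_spl = LocalList("spl", {"email": {INTERNET, READ_CONTACTS}}, 1000.0)
    return server, local_acl, local_spl


if __name__ == "__main__":
    server, acl, spl = build_sample()
    for pkg, perms in [("com.example.mail", {INTERNET}),
                       ("com.example.torch", {CAMERA, SEND_SMS}),
                       ("com.example.unknown", {INTERNET})]:
        d = check_install(pkg, perms, False, acl, spl, server, now=2000.0)
        print(pkg, d.verdict.value, sorted(d.excess))
```

The `excess` set on a blocked decision is the part of the request that the server's repackaging service, as described above, would clean out of the installation package.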
Fig. 3 schematically shows a block diagram of a device 300, according to an embodiment of the invention, for controlling terminal application permissions when an application is installed. As shown in the figure, device 300 can comprise: an installation action monitoring module 310, a permission check module 320, a permission control module 330 and a storage unit 340.
Installation action monitoring module 310 can be configured to: detect a permission request issued when an application is installed on the terminal.
Permission check module 320 can be configured to: in response to detecting the permission request, determine the application classification to which the application belongs and determine the security permission range corresponding to that application classification. Optionally, permission check module 320 can comprise an application classification check submodule and a security permission range check submodule. The application classification check submodule can first query the terminal's local application classification list to determine the application classification to which the application belongs. If the local application classification list does not contain the application, it then queries a cloud server for the application classification to which the application belongs. The security permission range check submodule can first query the terminal's local security permission list to determine the security permission range corresponding to the application classification. If the local security permission list does not contain the application classification, it then queries a cloud server for the security permission range corresponding to the application classification.
Permission control module 330 can be configured to: in response to the permission request detected by installation action monitoring module 310 during application installation exceeding the security permission range that permission check module 320 determined for the application, block the installation of the application from continuing.
Optionally, device 300 can also comprise a notification module. If the permission request detected during application installation exceeds the security permission range corresponding to the application, the notification module can notify the user that the application violates the permission security rules. The notification module can notify the user, for example, by showing a text message on the display or by playing a voice notification through the loudspeaker.
Optionally, device 300 can also comprise an installation repackaging module. If it is determined that the permission request issued during application installation exceeds the security permission range corresponding to the application, the installation repackaging module can prompt the user whether to perform a security update on the application's installation package. If the user confirms, the module requests a server to perform a security update on the application's installation package and receives the secure installation package for the application returned by the server. This secure installation package no longer contains out-of-range or illegitimate permission requests.
As mentioned above, server 110 can set a permission security cleaning (Safety Clean, SC for short) flag in the secure installation package it generates. Correspondingly, device 300 can also comprise a pre-check module. The pre-check module can check in advance whether the application installation package contains the SC flag; if the SC flag is detected, the security check process is skipped and the installation procedure is entered directly; otherwise the security check process is carried out (as in steps S210-S240 of method 200).
Installation action monitoring module 310, permission check module 320 and permission control module 330 can respectively implement step S210, steps S220 and S230, and step S240 of method 200 above. The notification module, the installation repackaging module and the pre-check module can respectively implement the notification step, the step of updating the application installation package, and the pre-check operation of method 200 above. These are not described again here.
Storage unit 340 can store the local application classification list and security permission list. Optionally, storage unit 340 can also store other data, for example application installation logs. Storage unit 340 can be implemented by one or more memories, which can be located on a single physical device or distributed over different physical devices. The storage unit can be implemented with various memory technologies known to those skilled in the art; the invention is not limited in this respect. Storage unit 340 can comprise, for example, magnetic disk, magneto-optical disk, optical disc or semiconductor memory technology.
As already mentioned above, device 300 can be installed on terminal 120 as a client or as a component of that client. This client can be installed on terminal 120 by the user in the form of software, or can be installed in terminal 120 by the terminal manufacturer in the form of hardware or firmware. This client can start automatically when terminal 120 is powered on, or can be started manually by the user. While the client is running, it can execute method 200.
A specific implementation example of the invention is described below with reference to Fig. 4, taking a mobile phone running the Android operating system as an example. It should be understood, however, that the invention is not limited to this.
Figs. 4A and 4B are schematic diagrams of a process 400 for controlling application permissions during application installation on an Android mobile phone, according to an example embodiment of the invention.
In this embodiment, the install-time security permission management mechanism (Permission Management Service, PMS for short) is designed to run as a background service. PMS works together with the application classification check service (ACS) and the security permission list update service (PLS) to inspect and control application permissions at install time. PMS, ACS and PLS can communicate with one another through the SOCKET mechanism.
Process 400 starts at system startup (that is, when the phone is powered on). In step S401, PMS is started after the system core services have started. PMS can be developed with a combination of Java, C++ and the Android NDK. Through JNI it can call the kernel system call interfaces that Android provides, in order to monitor permission request actions during application installation. PMS mainly comprises two functions, installation action monitoring (AIM) and permission check control (APC), and may also include an installation repackaging (ARP) function.
In step S402, ACS is started. ACS can be developed in Java and handles application classification queries. In this example, the most frequently used application classification list (OUC) is maintained locally, and the complete classification list is maintained on the secure cloud server. The OUC is stored in plaintext as a file (F1) at a designated location, such as /sdcard/appinstallcheck/oftenUsedCategory.
After ACS has been started in step S402, step S403 reads the timestamp information in file F1 to decide whether the OUC needs to be updated. If not, the process advances to step S405. If so, the process advances to step S404.
In step S404, the OUC is updated by communicating with the secure cloud server. The process then advances to step S405.
In step S405, the OUC contents are loaded into memory as a hash map (HASHMAP).
In step S406, PLS is started. PLS can be developed in Java and handles queries against the security permission list (SPL). In this example, the SPL information is maintained locally. The SPL information originates from the secure cloud server and can be stored in plaintext as a file (F2) at a designated location, such as /sdcard/appinstallcheck/secPrivelegeList.
After PLS has been started in step S406, step S407 reads the timestamp information in file F2 to decide whether the SPL needs to be updated. If not, the process advances to step S409. If so, the process advances to step S408.
In step S408, the SPL is updated by communicating with the secure cloud server. The process then advances to step S409.
In step S409, the SPL contents are loaded into memory as a HASHMAP.
In step S410, PMS detects an application installation start event. For example, when the user starts installing an application (APP1) installation package downloaded from Google Play or another third-party Android application market, PMS detects this event. The process then advances to step S411, where AIM is started to monitor whether a permission request is issued during the installation. When a permission request action is found during installation, the process advances to step S412 and APC is enabled. Once enabled, APC takes over the installation process, and the process advances to step S414.
In step S413, APC sends a classification query for APP1 to ACS.
In step S414, ACS queries the OUC and returns the classification information (AC) of APP1 to APC.
If the OUC query by ACS fails in step S414, the process advances to step S415. In step S415, ACS sends a query to the secure cloud server, obtains the classification information (AC) of APP1, and returns it to APC.
After APC obtains the AC information of APP1, the process advances to step S416. In step S416, APC sends PLS a query for the security permission list information of the class to which APP1 belongs.
In step S417, PLS queries the SPL using the AC information of APP1 and returns to APC the security permissions (Safe Permission, SP for short) that this class is allowed.
If the SPL query by PLS fails in step S417, the process advances to step S418. In step S418, PLS sends a query to the secure cloud server, obtains the SP information corresponding to this AC information, and returns it to APC.
After APC obtains the SP information for APP1, the process advances to step S419. In step S419, APC uses the SP information returned through the ACS and PLS queries to perform a security check on the permissions requested when APP1 is installed (A_SP). If every permission request in A_SP falls within SP, the process advances to step S420 and APC allows the installation to continue. After installation finishes, the process returns to step S410 and waits for the next application installation start event.
If step S419 finds that A_SP contains a permission request outside the range of SP, the process advances to step S421, where APP1 is judged to have made an excessive permission request. Based on the requests in A_SP that exceed the SP range, APC then uses a notification message to inform the user that the application violates the permission security requirements and that the installation will be stopped.
In optional step S422, the user can be asked whether the application installation package should receive a security update of its permission requests. If the user chooses not to perform the security update, the process advances to step S423 and the installation of APP1 ends. Optionally, APC can record the whole installation process in a log file at a designated location. The file contents can be stored in plaintext, for example in /sdcard/appinstallcheck/apcChkLog.
If APC receives the user's confirmation that the permission requests of the installation package should be security-updated, the process advances to step S424.
In step S424, APC first stops the current installation of APP1. It then sends ARP an application installation repackaging request. On receiving the request, ARP uploads the APP1 installation package to the secure cloud server.
In step S425, the server sorts out, updates and repackages the install-time permissions of APP1 so that they are safe, which completes the permission safety cleaning of APP1 and produces a new installation package, S_APP1. Preferably, a permission Safety Clean (SC) flag is added at a designated location in S_APP1. The server then returns the new installation package S_APP1 to ARP.
In step S426, after receiving the package returned by the server and completing a package integrity check, ARP calls the system installation function to start the installation of S_APP1. During this installation, if the SC flag is found at the designated location in the package, the security inspection process is not repeated and the installation proceeds directly. APC can record the whole installation process in a log file at a designated location, and the file contents can be stored in plaintext, for example in /sdcard/appinstallcheck/apcChkLog.
The process then returns to step S410 and waits for the next application installation start event.
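The decision flow of steps S413 to S421, together with the SC pre-check, modelled as an added Python example (not code from the patent). The package names, list contents and the `Lookup`, `Decision` and `check_install` names are constructed for illustration, and refusing the install when neither the local list nor the server resolves a lookup is an assumption, since the text does not say what happens in that case.

```python
from typing import Callable, Dict, FrozenSet, Iterable, NamedTuple, Optional

# Constructed sample data: the page does not give real OUC or SPL contents.
LOCAL_OUC = {"com.example.flashlight": "tools"}
LOCAL_SPL = {"tools": frozenset({"android.permission.CAMERA"})}
CLOUD_OUC = {"com.example.chat": "communication"}
CLOUD_SPL = {"communication": frozenset({"android.permission.INTERNET",
                                         "android.permission.READ_CONTACTS"})}


class Lookup:
    """Local table with cloud fallback, as ACS (S414/S415) and PLS (S417/S418) do."""

    def __init__(self, local: Dict, cloud_query: Callable):
        self.local = dict(local)
        self.cloud_query = cloud_query  # hypothetical stand-in for the server query
        self.cloud_queries = 0

    def get(self, key):
        if key in self.local:
            return self.local[key]
        self.cloud_queries += 1
        try:
            return self.cloud_query(key)  # None means the server has no entry
        except OSError:
            return None  # server unreachable: treated like "no entry"


class Decision(NamedTuple):
    install: bool
    category: Optional[str]
    excess: FrozenSet[str]
    reason: str


def check_install(package: str, requested: Iterable[str],
                  acs: Lookup, pls: Lookup, sc_flag: bool = False) -> Decision:
    """APC decision for one install event (steps S413 to S421)."""
    a_sp = frozenset(requested)
    if sc_flag:
        # Pre-check: a cleaned package that came back from the server and passed
        # ARP's integrity check (S426) carries the SC flag and skips inspection.
        return Decision(True, None, frozenset(), "SC flag present")
    category = acs.get(package)                      # S413-S415
    if category is None:
        # Assumption: fail closed. The page does not say what happens here.
        return Decision(False, None, a_sp, "category unknown")
    sp = pls.get(category)                           # S416-S418
    if sp is None:
        return Decision(False, category, a_sp, "no permission list for category")
    excess = a_sp - sp                               # S419: is A_SP within SP?
    if excess:                                       # S421: stop and notify
        return Decision(False, category, excess, "excessive permission request")
    return Decision(True, category, excess, "within security permission range")  # S420


def demo():
    """Run four constructed install events through the check."""
    acs = Lookup(LOCAL_OUC, CLOUD_OUC.get)
    pls = Lookup(LOCAL_SPL, CLOUD_SPL.get)
    return [
        check_install("com.example.flashlight", ["android.permission.CAMERA"], acs, pls),
        check_install("com.example.flashlight",
                      ["android.permission.CAMERA", "android.permission.SEND_SMS"],
                      acs, pls),
        check_install("com.example.chat", ["android.permission.INTERNET"], acs, pls),
        check_install("com.example.unknown", ["android.permission.INTERNET"], acs, pls),
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The `excess` field holds exactly the requests that step S421 would report to the user in its notification message.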
Process 400 for controlling application permissions during application installation on an Android mobile phone has been described above with reference to Fig. 4. In this example, AIM can be performed by the installation action monitoring module 310 described above. APC can be implemented by the permission check module 320 and the permission control module 330 together. ARP can be implemented by the installation repackaging module described above. These are not described again here.
It should be understood that process 400 shows many details of detecting permission requests at install time and of the subsequent security measures, but embodiments of the invention can be practised without these details.
The invention has been described above in conjunction with preferred embodiments. Those skilled in the art will understand that the methods and devices shown above are only exemplary. The method of the invention is not limited to the steps and order shown above. The device of the invention can comprise more or fewer components than those shown. Those skilled in the art can make many variations and modifications based on the teaching of the illustrated embodiments.
The device of the invention and its components can be implemented by hardware circuits such as very-large-scale integrated circuits or gate arrays, semiconductors such as logic chips and transistors, or programmable hardware devices such as field-programmable gate arrays and programmable logic devices; by software executed by various types of processors; or by a combination of such hardware circuits and software.
The invention can achieve numerous advantages. The scheme ensures that an application cannot request excessive permissions or apply for permissions illegitimately during installation, which improves security. In addition, through the secure cloud back-end mechanism and with the user's permission, the application's permission request configuration can be modified for security and the application repackaged, so that the application is ultimately installed safely while its normal functions remain usable.
Those skilled in the art should understand that although the invention has been described through specific embodiments, its scope is not limited to these specific embodiments. The scope of the invention is defined by the claims and any equivalents thereof.

Claims (10)

1. A method for dynamically controlling terminal application permissions, comprising:
detecting a permission request issued when an application is installed on a terminal;
in response to detecting the permission request, determining the application class to which the application belongs and determining the security permission range corresponding to the application class; and
in response to the permission request exceeding the security permission range, stopping the installation of the application.
2. The method according to claim 1, further comprising:
in response to the permission request exceeding the security permission range, notifying the user that the application violates the permission security rules.
3. The method according to claim 1, further comprising:
prompting the user as to whether to perform a security update on the installation package of the application; and
if user input confirming the security update is received, requesting a server to perform the security update on the installation package of the application so as to obtain a secure installation package of the application.
4. The method according to any one of claims 1-3, wherein determining the application class to which the application belongs comprises:
querying an application class list local to the terminal to determine the application class to which the application belongs; and
where the local application class list does not include the application, querying a cloud server for the application class to which the application belongs.
5. The method according to any one of claims 1-3, wherein determining the security permission range corresponding to the application class comprises:
querying a security permission list local to the terminal to determine the security permission range corresponding to the application class; and
where the local security permission list does not include the application class, querying a cloud server for the security permission range corresponding to the application class.
6. A device for dynamically controlling terminal application permissions, comprising:
an installation action monitoring module, configured to: detect a permission request issued when an application is installed on a terminal;
a permission check module, configured to: in response to detecting the permission request, determine the application class to which the application belongs and determine the security permission range corresponding to the application class; and
a permission control module, configured to: in response to the permission request exceeding the security permission range, stop the installation of the application.
7. The device according to claim 6, further comprising:
a notification module, configured to: in response to the permission request exceeding the security permission range, notify the user that the application violates the permission security rules.
8. The device according to claim 6, further comprising:
an installation repackaging module, configured to:
prompt the user as to whether to perform a security update on the installation package of the application; and
if user input confirming the security update is received, request a server to perform the security update on the installation package of the application so as to obtain a secure installation package of the application.
9. The device according to any one of claims 6-8, wherein the permission check module comprises an application class check submodule, and the application class check submodule is configured to:
query an application class list local to the terminal to determine the application class to which the application belongs; and
where the local application class list does not include the application, query a cloud server for the application class to which the application belongs.
10. The device according to any one of claims 6-8, wherein the permission check module comprises a security permission range check submodule, and the security permission range check submodule is configured to:
query a security permission list local to the terminal to determine the security permission range corresponding to the application class; and
where the local security permission list does not include the application class, query a cloud server for the security permission range corresponding to the application class.
CN201310652369.6A 2013-12-05 2013-12-05 Method and device used for controlling terminal application permission Pending CN103632073A (en)



Legal Events

Date Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20140312