CN103870306A

CN103870306A - Method and device for installing application program on basis of intelligent terminal equipment

Info

Publication number: CN103870306A
Application number: CN201410060381.2A
Authority: CN
Inventors: 姚彤; 丁祎
Original assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Current assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Priority date: 2014-02-21
Filing date: 2014-02-21
Publication date: 2014-06-18

Abstract

The invention discloses a method and a device for installing an application program on the basis of intelligent terminal equipment. The method comprises the following steps of installing the application program; after monitoring a configuration information file needing to be read by the application program, loading an application-program authorization permission list interface set by the application program to be installed, wherein the application-program authorization permission list interface is an interface for correcting an application-program authorization permission list and comprises one or more action permissions selectively authorized by a user for the application program to be installed; configuring the action permissions of the application program according to the authorization permission included in the loaded application-program authorization permission list interface, and finishing the installation of the application program. By application of the invention, the user security can be improved.

Description

Based on the method and apparatus of intelligent terminal set up applications

Technical field

The present invention relates to Android (Android) platform technology, be specifically related to a kind of method and apparatus based on intelligent terminal set up applications.

Background technology

Android platform is the mobile phone operating system platform of increasing income based on Linux, is made up of operating system, user interface and application program, completely open to third party application.Due to the opening of Android platform, make application developer in the time of developing application, have larger degree of freedom, thereby, a lot of application developers are attracted, the application program of a large amount of Androids based on Android platform is also developed and provided to application developer, the installation kit of this application program is to be called as APK(AndroidPackage with one) form issue, realize the operation of application program by Android installation kit is installed, increasing application program can be carried on Android platform.Android platform, as most popular Mobile operating system platform in the world, has covered billions of mobile terminals and numerous application programs.

Android platform has designed the secure access strategy based on authorizing behavior authority at the beginning of design, in the time that user carries out application program installation, if application program relates to the operation to user security, for example, read the operation of user privacy information, or the operation that may cause customer charge to lose, all needing user's application programs to carry out behavior authorized party can carry out.For instance, if application program needs to carry out the operation that sends note, accesses contact data, reads storing card data etc. and read user privacy information after installation, and while using network connection etc. to increase the operation of customer charge, need to apply for corresponding behavior authority to user when mounted, namely in application program installation process, by mobile terminal, the behavior rights statements that needs subscriber authorisation is shown to user carry out thereby determine whether to authorize this application program by user the access rights that user security operates.

In application program installation process, due to the secure access strategy of Android platform, user, in the time of set up applications, can only authorize the behavior authority of application program on the whole, and intelligent terminal operating system is authorized behavior authority on the whole.Thereby, in the time that application program is installed, show to user after the behavior rights service of application program, user or all behavior rights service of accepting application program are to continue to install this application program, or, can only cancel and this application program is installed and exits this application program and install.For instance, in the time of user installation KC the Internet telephony application program, owing to need to obtaining the corelation behaviour authority of user security information, Android platform is according to the secure access strategy based on behavior authority, display interface at mobile terminal is shown the safe corelation behaviour authority that needs subscriber authorisation, for example, read mobile terminal state and ID, interception is breathed out, direct calling telephone number, editor SMS or MMS, send text message, recording and accurately GPS positional information etc., if subscriber authorisation KC the Internet telephony application program is carried out above-mentioned all safe operations, can proceed to install by clicking next step control of display interface, like this, installing after KC the Internet telephony application program, KC the Internet telephony application program will have authority acquiring user's the user security information such as recorded message and accurate GPS positional information, if user does not authorize KC the Internet telephony application program to carry out above-mentioned all safe operations, can, by clicking the cancellation control of display interface, exit current KC the Internet telephony application installation.

In recent years, utilize Android platform application programs can only authorize on the whole the feature of behavior authority, malicious application for Android platform rolls up, malicious application is in the behavior authority of application subscriber authorisation, increase multiple behavior authorities that affect user security, for example, send note, read contact person, networking, recording, read the behavior authorities such as the accurate GPS positional information of user, bind with the behavior authority that the normal operation of this malicious application is required, and with various tempting names, function and application attracts user installation, simultaneously, in the time that the display interface displaying of mobile terminal needs the safe corelation behaviour authority of subscriber authorisation, the behavior authority that affects user security of increase is placed in to the place that user not too pays close attention to, thereby next step control of clicking display interface by user is proceeded to install, once and install and move this malicious application, mean that user has authorized all behavior authorities of this malicious application application, make user's safety face material risk, and this malicious application is by user's installation, realize and stolen privacy of user, the objects such as malice fee suction.Further, even if user has doubt to the some of them behavior authority of malicious application application, but there is no other selections except abandoning installation.

The potential safety hazard of bringing to user in order to reduce malicious application, existing Android platform provides security application, in order to Initiative Defense and behavior rights management function to be provided, by security of operation application program, can be selected by user the behavior authority of the each application program that needs forbidding, that is to say, by security of operation application program, can offer the super keeper's of user authority (being root authority), make user can utilize super administrator right to revise and upgrade the behavior authority of each application program, thereby make application program in the time of operation, no longer enjoy the behavior authority that user authorizes in this application program process of installation, thereby in subsequent applications, can avoid this application program that user security is formed and threatened.But the method, can not effectively avoid user after set up applications, arrange in the time period before prohibitive behavior authority by security application, the security hidden danger of bringing while operation to user due to application program, user's security information is within this time period, or may be stolen or reveal, thereby bring loss to user, user security is reduced.Further, in some application programs, really exist and experience preferably point, but because worrying the behavior authority of this application program, user may cause the leakage of individual privacy information, this application program is not installed in final selection, like this, not only reduce user's business experience, also brought great economic loss to application developers.

Summary of the invention

In view of the above problems, the present invention has been proposed to a kind of method and apparatus based on intelligent terminal set up applications that overcomes the problems referred to above or address the above problem is at least in part provided.

According to one aspect of the present invention, the method based on intelligent terminal set up applications is provided, the method comprises:

Carry out application program installation, need to read after configuration information file monitoring application program, be loaded as the application program authorization privilege list interface that this application program to be installed arranges, described application program authorization privilege list interface is the interface that is provided for revising the list of application program authorization privilege, includes one or more behavior authorities that user is described application program selective authorization to be installed;

According to the behavior authority of the act of authorization authority configuring application program that comprises of application program authorization privilege list interface loading, and complete the installation of application program.

Preferably, the application program authorization privilege list interface that is loaded as this application program setting to be installed described in comprises:

Resolve the application file bag for set up applications, obtain the application program identification in application file bag;

According to the application program identification of obtaining, the application program authorization privilege list storehouse that inquiry sets in advance, obtains application program authorization privilege list corresponding to this application program identification;

Load the application program authorization privilege list obtaining at installation interface, generate described application program authorization privilege list interface.

Preferably, described application program authorization privilege list storehouse being set comprises:

To each application program, gather and obtain the behavior authority of application program;

The behavior authority of authorizing from the behavior authority of the application program obtained according to user, generates the application program authorization privilege list being stored in application program authorization privilege list storehouse.

Preferably, the behavior authority of obtaining application program described in comprises:

Obtain application file bag by application program official download site;

Resolve the configuration information file in application file bag, obtain the behavior authority that this application program need to be applied for.

Preferably, the configuration information file in described parsing application file bag comprises:

The application file of decompress(ion) based on intelligent terminal, from the application file of decompress(ion), obtain the configuration information file of the global variable description of encryption, and the configuration information file of encrypting is decrypted, obtain the original configuration message file of deciphering, the behavior authority in the original configuration message file of scanning deciphering is described part.

Preferably, utilize the extensible markup language document resolver in Java, the behavior authority of resolving in the original configuration message file of described deciphering is described part.

Preferably, application program authorization privilege list described in application program correspondence one described in each, multiple application program authorization privilege list compositions application program authorization privilege list storehouse.

Preferably, before described behavior authority of authorizing from the authority of the application program obtained according to user, described method further comprises:

The behavior authority of the application program of obtaining is shown.

Preferably, after the described behavior authority of obtaining application program, described method further comprises:

The behavior authority of the application program of obtaining is categorized as to the privacy authority of paying close attention to for reminding user and other authority of directly authorizing according to application program.

Preferably, described method further comprises:

By privacy authority be divided into run application necessary must authority and the optional nonessential authority that runs application, and in mandate, the information that circle's user oriented is shown described inessential authority is set.

Preferably, described method further comprises:

Utilize isolation sandbox and/or, static code analysis and/or, automatic code mark scanning method, the described of application programs application must authority carry out legitimacy and rational checking, to determine whether required requisite authority when application program is moved all of each authority in must authority, if not, by this authority from deleting authority, and show to user as inessential authority.

Preferably, described method further comprises:

The security application that operation sets in advance, the act of authorization authority of application programs is upgraded, so that application program, in the time of follow-up operation, is accessed accordingly according to the act of authorization authority of upgrading.

Preferably, described method further comprises:

In the time monitoring application program access and need the application programming interfaces of behavior authority, Android platform is the record in the application program authorization privilege list of this application program setting according to user, whether the behavior authority that judges access application interface is disabled, if the behavior authority of access application interface is disabled, point out user whether to select amendment by man-machine interface; If user selects act of revision authority, Android platform allows this application program to access described application programming interfaces, otherwise Android platform notifies this application program to exit access.

Preferably, described carry out application program installation before, described method further comprises:

The application file bag corresponding to application program to be installed carries out security sweep, if application file bag to be installed, by security sweep, is carried out the flow process that described application program is installed, otherwise, process ends.

Preferably, described security sweep includes but not limited to trojan horse scanning, ad plug-in scanning, vulnerability scanning.

Preferably, further comprise:

Adopt the application program authorization privilege list interface loading that the installation interface being provided by intelligent terminal operating system in described application program installation process is provided.

By hook, the installation interface redirect being provided by intelligent terminal operating system is pointed to described application program authorization privilege list interface, and confirming or completing after application program authorization privilege list amendment, finish the redirect of the installation interface that described intelligent terminal operating system is provided.

In the source code of intelligent terminal operation platform ccf layer, find the class and the interface that in the configuration information file of application program, need to insert hook, described class and interface are class and the interface that relates to privacy of user authority;

Analyze and revise the source code of described class and interface, make the described class of the hook inserting need to read configuration information file time and interface point to the application program authorization privilege list arranging for this application program to be installed in advance;

The program code segments that operation sets in advance, is loaded into current installation interface by the list of application program authorization privilege, generates described application program authorization privilege list interface.

Preferably, before the described installation that completes application program, described method further comprises:

In interface after the behavior authority of the act of authorization authority configuring application program comprising according to the application program authorization privilege list interface loading, next step control is set needs corresponding class and the interface that inserts hook to point to, and described sensing and described application program read configuration information file to carry out next step control of showing after the behavior authority configuration of application program need the corresponding insertion class of hook identical with the sensing of interface.

Preferably, the behavior authority of the described application program of configuration meets the described demonstration with program authorization permissions list interface.

Preferably, in described configuration information file, include the behavior authority of being authorized described application program by intelligent terminal operating system.

Preferably, the operation platform of described intelligent terminal includes but not limited to Android platform.

A kind of device based on intelligent terminal set up applications is provided according to another aspect of the present invention, and this device comprises: monitoring modular, load-on module and authority configuration module, wherein,

Monitoring modular, for carrying out application program installation, need to read after configuration information file monitoring application program, notice load-on module;

Load-on module, be used for according to the notice receiving, be loaded as the application program authorization privilege list interface that this application program to be installed arranges, described application program authorization privilege list interface is the interface that is provided for revising the list of application program authorization privilege, includes one or more behavior authorities that user is described application program selective authorization to be installed;

Authority configuration module, for the behavior authority of the act of authorization authority configuring application program that comprises of application program authorization privilege list interface according to loading, and completes the installation of application program.

Preferably, described load-on module comprises: resolution unit, query unit and loading unit, wherein,

Resolution unit, resolves the application file bag for set up applications, obtains the application program identification in application file bag;

Query unit, for according to the application program identification of obtaining, inquires about the application program authorization privilege list storehouse setting in advance, and obtains application program authorization privilege list corresponding to this application program identification;

Loading unit, for load the application program authorization privilege list obtaining at installation interface, generates described application program authorization privilege list interface.

Preferably, described load-on module further comprises:

The first taxon, for being categorized as the behavior authority of the application program of obtaining the privacy authority of paying close attention to for reminding user and other authority of directly authorizing according to application program.

Preferably, described load-on module further comprises:

The second taxon, for privacy authority is divided into run application necessary must authority and the optional nonessential authority that runs application, and in mandate, the information that circle's user oriented is shown described inessential authority is set.

Preferably, described load-on module further comprises:

Authentication unit, be used for utilizing isolation sandbox and/or, static code analysis and/or, automatic code mark scanning method, the described of application programs application must authority carry out legitimacy and rational checking, to determine whether required requisite authority when application program is moved all of each authority in must authority, if not, by this authority from deleting authority, and show to user as inessential authority.

Preferably, further comprise:

Display module, for showing the behavior authority of the application program of obtaining.

Preferably, further comprise:

Authority update module, for moving the security application setting in advance, the act of authorization authority of application programs is upgraded, so that application program, in the time of follow-up operation, is accessed accordingly according to the act of authorization authority of upgrading.

Preferably, further comprise:

Security sweep module, carries out security sweep for the application file bag to be installed, if application file bag to be installed, by security sweep, is carried out the flow process of described set up applications file bag, otherwise, process ends.

Preferably, described loading unit comprises: inquire about subelement, reshuffle subelement and interface generation subelement, wherein,

Inquiry subelement, for the source code at intelligent terminal operation platform ccf layer, finds the class and the interface that in the configuration information file of application program, need to insert hook, and described class and interface are class and the interface that relates to privacy of user authority;

Reshuffle subelement, for analyzing and revise the source code of described class and interface, make the described class of the hook inserting need to read configuration information file time and interface point to the application program authorization privilege list arranging for this application program to be installed in advance;

Interface generates subelement, and the program code segments that operation sets in advance, is loaded into current installation interface by the list of application program authorization privilege, generates described application program authorization privilege list interface.

According to the method and apparatus based on intelligent terminal set up applications of the present invention, can be by before set up applications, select and determine and can authorize the behavior authority of this application program and forbid the behavior authority of authorizing, in the time that application program is installed, configure user is the authorization privilege of this application program in advance.Solve thus before set up applications, can forbid that application program obtains the mandate of user to responsive behavior authority, the technical matters that the authorization privilege that adopts user to set in advance after application program is installed carries out corresponding access, obtain the business function that user normally uses this application program to provide both can be provided, beneficial effect that again can effective guarantee user security.

Above-mentioned explanation is only the general introduction of technical solution of the present invention, in order to better understand technological means of the present invention, and can be implemented according to the content of instructions, and for above and other objects of the present invention, feature and advantage can be become apparent, below especially exemplified by the specific embodiment of the present invention.

Brief description of the drawings

By reading below detailed description of the preferred embodiment, various other advantage and benefits will become cheer and bright for those of ordinary skill in the art.Accompanying drawing is only for the object of preferred implementation is shown, and do not think limitation of the present invention.And in whole accompanying drawing, represent identical parts by identical reference symbol.In the accompanying drawings:

Fig. 1 shows the method flow of the embodiment of the present invention based on intelligent terminal set up applications; And,

Fig. 2 shows the apparatus structure of the embodiment of the present invention based on intelligent terminal set up applications.

Embodiment

Exemplary embodiment of the present disclosure is described below with reference to accompanying drawings in more detail.Although shown exemplary embodiment of the present disclosure in accompanying drawing, but should be appreciated that and can realize the disclosure and the embodiment that should do not set forth limits here with various forms.On the contrary, it is in order more thoroughly to understand the disclosure that these embodiment are provided, and can be by the those skilled in the art that conveys to complete the scope of the present disclosure.

Existing during based on intelligent terminal set up applications, owing to thering is the feature of the behavior authority that can only authorize on the whole application program, user can not select behavior rights service according to the demand of own security, as need set up applications, in the behavior rights service that needs subscriber authorisation of showing at the display interface of mobile terminal, all behavior authorities that can only be forced to accept application program are to proceed application program installation, the behavior authority that is the application of default user application programs is all authorized, thereby next step control of clicking display interface by user is proceeded to install, once and install and run application, mean that user has authorized all behavior authorities of this application program, make user's safety will face material risk.And the Initiative Defense that security application provides and rights management function, or can not effectively avoid user after set up applications, arrange before prohibitive behavior authority by security application, the security hidden danger of bringing while operation to user due to application program, reduces user security.

Existing application program, be carried in the configuration information file of application program to the behavior authority of user's application and the configuration information of application programs, because configuration information file is generated by signature by application developer, thereby, can not be by resolving configuration information file, and the configuration information file of resolving is modified and changed the behavior authority of application program.In the embodiment of the present invention, a kind of method based on intelligent terminal set up applications is proposed, by obtaining in advance the behavior authority of each application program, and before application program is installed, behavior authority by the application of user's application programs is carried out selective authorization, user can be needed and security consideration according to the function of own application programs, in the behavior authority of applying in application program, carry out corresponding selection mandate, generate the list of application program authorization privilege, and in application program installation process, trigger the behavior authority having after application program is installed the application program authorization privilege list of generation as application program, thereby both can ensure the business function that user normally uses this application program to provide, again can effective guarantee user security.

Fig. 1 shows the method flow of the embodiment of the present invention based on intelligent terminal set up applications.Referring to Fig. 1, this flow process comprises:

Step 101, carry out application program installation, need to read after configuration information file monitoring application program, be loaded as the application program authorization privilege list interface that this application program to be installed arranges, described application program authorization privilege list interface is the interface that is provided for revising the list of application program authorization privilege, includes one or more behavior authorities that user is described application program selective authorization to be installed;

In this step, the application program authorization privilege list interface that is loaded as this application program setting to be installed comprises:

A11, resolves the application file bag for set up applications, obtains the application program identification in application file bag;

In this step, by resolving application file bag, can obtain the application program identification of carrying out uniquely tagged for application programs.

A12, according to the application program identification of obtaining, the application program authorization privilege list storehouse that inquiry sets in advance, obtains application program authorization privilege list corresponding to this application program identification;

In this step, in the application program authorization privilege list storehouse setting in advance, some application program is to there being an application program authorization privilege list, and the list of application program authorization privilege is taking application program identification as mark.In each application program authorization privilege list, storing user is the behavior authority of this application program mandate in advance.If there is no the behavior authority corresponding to this application program in this list, there is no concrete power limit suggestion, but user still can or forbid to all permission grant.

In the embodiment of the present invention, the application program authorization privilege list storehouse setting in advance can obtain by following method:

To each application program, carry out following steps B11 and B12:

B11, gathers and obtains the behavior authority of application program;

In this step, before a certain application program is installed, need to be in advance for this application program be carried out permission grant.As optional embodiment, can obtain application file bag by application program official download site, also can obtain the application file bag that regular application program provider provides from other approach.For example, obtain application file bag from application program operator website.That is to say, application file bag can be that application developer is uploaded, also can be that application program operator uploads, can also be the legal application file bag of uploading by other channels, as long as can obtain legal application file bag.Like this, obtain application file bag by regular approach, can ensure legitimacy and the rationality of this application program authority, avoid being undertaken after illegal modifications by additive method application programs file bag, make the application program malice application behavior authorities that relate to user security after illegal modifications more.

Be applied after program file bag in download, by resolving the configuration information file in application file bag, can obtain the behavior authority that this application program need to be applied for.

In the embodiment of the present invention, under Android platform, application file bag is APK file, the binary code information that comprised application program in each APK file, resource information, configuration information file etc.Configuration information file is the AndroidManifest.xml file in APK file, is that each application program all must define and comprise, and it has described the information such as the name, version, authority of application program, the library file of quoting.In practical application, the configuration information file of resolving in application file bag comprises: the application file of decompress(ion) based on Android platform, from the application file of decompress(ion), obtain the configuration information file of the global variable description of encryption, it is AndroidManifest.xml file, and the configuration information file of encrypting is decrypted, obtain the original configuration message file of deciphering: AndroiManifest.xml file; Authority in scan A ndroidManifest.xml file is described part, can obtain the behavior permissions list that application program is applied for, the behavior authority comprising in behavior permissions list is the behavior authority of application program.

The statement form of the behavior authority of application program in AndroidManifest.xml file is as follows:

Filename: AndroidManifest.xml

<uses-permissionandroid:name=" rights of using "/>

As optional embodiment, in above-mentioned process of analysis, can use the extend markup language (XML in Java, ExtensibleMarkupLanguage) document parser, the authority of resolving in AndroidManifest.xml file is described part, to obtain the behavior permissions list of application program.Certainly, also can use other XML resolvers, or, use other programming languages, such as the programming language such as C/C++, python exploitation XML resolver, resolves the behavior permissions list of being applied for to obtain corresponding application program to AndroidManifest.xml file.

B12, the behavior authority of the mandate of choosing from the behavior authority of the application program obtained according to user, generates the application program authorization privilege list being stored in application program authorization privilege list storehouse.

In this step, user is from the behavior authority of each application program, according to the business demand of self and security consideration, be respectively each application program and carry out permission grant, according to the act of authorization authority of choosing for each application program, generate application program authorization privilege list that should application program.The corresponding application program authorization privilege list of each application program, the list of application program authorization privilege is carried out mark with application program identification.In the embodiment of the present invention, multiple application program authorization privilege list compositions application program authorization privilege list storehouse, in the list of application program authorization privilege, not only include one or more behavior authorities that user is application program mandate, also include one or more behavior authorities that user forbids mandate for application program, that is to say, behavior authority in the list of application program authorization privilege, its attribute is for authorizing or forbidding authorizing, if the behavior authority of application is in the list of application program authorization privilege, its attribute is for authorizing, the behavior authority access that allows application program to apply for, if the behavior authority of application is in the list of application program authorization privilege, its attribute is authorized for forbidding, refuses the behavior authority access that application program is applied for.

As optional embodiment, the mandate selection operation for the ease of user to behavior authority, before choosing authorization privilege according to user from the behavior authority of the application program obtained, the method can further include:

The behavior authority of the application program of obtaining is shown.

In this step, for user provides to authorize, interface (application program authorization privilege list interface) is set, the behavior authority of showing application program on interface is set in mandate, user arranges on interface the behavior authority of showing is authorized and chosen in mandate.Like this, user can arrange interface by visual mandate, chooses easily required behavior authority and authorizes.

As another optional embodiment, in order to improve the understanding of behavior authority of user's application programs application, the method can further include:

Behavior authority to the application program of obtaining is classified.

In this step, can be for each application program, the behavior authority of obtaining is categorized as to privacy authority and other authority, wherein, for privacy authority, owing to relating to user's privacy, need reminding user to pay close attention to, and for other authority, user can be according to the application of application program, without too much concern, authorize its authority.

In the embodiment of the present invention, privacy authority includes but not limited to following information: (android.permission.SEND_SMS) sends SMS message, accessing Internet (android.permission.INTERNET), (android.permission.READ_SMS) reads SMS message, write short message (android.permission.WRITE_SMS), read address list (android.permission.READ_CONTACTS), the record (android.permission.WRITE_CONTACTS) of reporting, call (android.permission.CALL_PHONE), write system setting (android.permission.WRITE_SYNC_SETTINGS), read positional information, record and read recorded message.Each privacy authority correspondence has a function, and for example, for the authority that sends SMS message, corresponding function is SmsManager.sendTextMe ssage, SmsManager.sendDataMessage, SmsManager.sendMultipartTextMessage etc.

For privacy authority, can be further divided into again essential authority and nonessential authority.Wherein, must authority be run application necessary, by the behavior authority of subscriber authorisation, lack the behavior authority of this mandate, application program cannot normally be moved, if user need to install this application program, essential authority that must application programs application is all authorized, otherwise cannot install.Nonessential authority is the behavior authority of subscriber authorisation that application program needs, but is option, can not affect the operation of application program, if the behavior authority do not obtain subscriber authorisation, do not affect the installation and operation of application program.For example, must authority can comprise: the record of reporting, call etc., nonessential authority can comprise: read positional information, accessing Internet, read recorded message etc.

As optional embodiment, for inessential authority, further in mandate, the information that circle's user oriented is shown this inessential authority is set.Information can be: the suggestion of nonessential authority is cancelled, or authority is optional grant item, please authorizes according to inherently safe strategy etc.Advise that user is in the time authorizing inessential authority, based on the consideration of own personal secrets, careful selection is authorized the behavior authority of application program.

As another optional embodiment, for essential authority, can also verify, whether all necessary when application program is moved to determine all essential authorities, i.e. the essential authority of application programs application is carried out legitimacy and rational checking.Checking method can utilize comprise isolation sandbox and/or, static code analysis and/or, the methods such as automatic code mark scanning, to determine whether required requisite behavior authority when application program is moved all of each behavior authority in must authority, if not, by the behavior authority from deleting authority, and show to user as inessential authority.Wherein, application static code analysis, can search, locate security risk and the leak of the essential authority existence of each application program quickly and accurately.And isolation sandbox utilizes virtual machine technique, clone a certain subregion or all subregions of hard disk in Android platform by virtual machine, and form a shadow, be referred to as shadow mode.Shadow mode and Android plateform system have same architecture and function, user can run application under shadow mode, any operation of application programs, for example, revise file, the various application programs of installation testing (comprising rogue application, virus applications program), be all isolated sandbox and wrap up, the intercepting of malicious application to user privacy information, all be limited in isolating in sandbox, as long as isolation sandbox is closed, just can make the operation that endangers Android platform disappear.Thereby, by isolation sandbox method, the access behavior of monitoring and measuring application program to user data, can determine whether the essential authority of application program relates to privilege abuse, be application program for various purposes, whether applied for this not behavior authority of this application to user.If the mode application of application program by essential authority extra behavior authority, may cause user privacy information to be revealed, thereby, need to be by behavior authority of this extra application from rejecting authority.For example, if a single-play game application program read this behavior authority of subscriber phone, this reads subscriber phone, and this just may belong to the originally behavior authority of this application not of single-play game application program, thus the security of lifting privacy of user.Carrying out legitimacy and rational checking about the essential authority of utilizing the applications of method application programs such as isolation sandbox, static code analysis, automatic code mark scanning, is known technology, omits detailed description at this.

Like this, by the behavior authority of application program is categorized as to privacy authority and other authority, user is paid close attention to the privacy authority wherein relating to, thereby consider whether need application programs to authorize this authority, to ensure privacy of user safety; Further, by privacy authority being divided into essential authority and nonessential authority, make user for nonessential authority, based on the security strategy of self, avoid it to authorize as far as possible, thereby promote privacy of user security; And, for essential authority, carrying out legitimacy and rational checking, the behavior authority of the extra application of malicious application can be rejected, ensure to greatest extent user security.

A13, loads the application program authorization privilege list obtaining at installation interface, generate described application program authorization privilege list interface.

In this step, adopt the application program authorization privilege list interface loading that the installation interface being provided by intelligent terminal operating system in described application program installation process is provided.The application program authorization privilege list interface that is loaded as this application program setting to be installed comprises: by hook, the installation interface redirect being provided by intelligent terminal operating system is pointed to described application program authorization privilege list interface, and confirming or completing after application program authorization privilege list amendment, finish the redirect of the installation interface that described intelligent terminal operating system is provided.Particularly, can in the source code of Android platform framework layer, find application program that the class and the interface that in execution, need to insert hook are installed, these classes and interface are class and the interface that relates to user privacy information, by analyzing and revise the source code of class and interface, make class and the interface of the hook inserting need to read configuration information file time point to the application program authorization privilege list that the embodiment of the present invention sets in advance, but not point to the configuration information file in application file bag, the program code segments that operation sets in advance, the list of application program authorization privilege is loaded into current installation interface, generate described application program authorization privilege list interface, and complete after this application program authorization privilege list interface, the operation after the configuration information file of this application program is read in sensing, make to complete operation after this application program authorization privilege list interface identical with the operation after the existing configuration information file that reads application program.In the interface after the behavior authority of the act of authorization authority configuring application program comprising according to the application program authorization privilege list interface loading, next step control is set needs corresponding class and the interface that inserts hook to point to, and described sensing and described application program read configuration information file to carry out next step control of showing after the behavior authority configuration of application program need the corresponding insertion class of hook identical with the sensing of interface.Realizing the amendment of source code about the function of describing according to the embodiment of the present invention, is known technology, omits detailed description at this.In practical application, mode by amendment source code is replaced the application program erector of the former acquiescence of Android platform, thereby the application program authorization privilege list that realizes the embodiment of the present invention loads, wherein, the method of replacing the former erector of Android platform includes but not limited to several as follows: selecting new erector by user is the erector of Android platform acquiescence, if on the mobile terminal of crossing at Root, can directly replace the former application program mount scheme of Android platform, and in the ROM of mobile terminal, replace the former application program mount scheme of Android platform.

Step 102, according to the behavior authority of the act of authorization authority configuring application program that comprises of application program authorization privilege list interface loading, and completes the installation of application program.

In this step, after application program erector is according to the behavior authority of the good application program of application program authorization privilege list configuration loading, subsequent installation flow process is known technology, omits detailed description at this.

The embodiment of the present invention is in application program installation process, for instance, to user show application program authorization privilege list interface can show in lines, every row is sequentially specific as follows: 11 authorities of this application program, this application program is installed? (the first row); 3 privacy authorities (inessential authority, suggestion is cancelled) (the second row); Read positional information (the third line, read positional information before be provided with optional frame control); Send note (fourth line is provided with optional frame control before transmission note); Call (fifth line is provided with optional frame control before calling); 8 other authorities (the 6th row) etc.; At the lowermost end at interface, be provided with and cancel control, installation control.Like this, after the list of loading application programs authorization privilege, can carry out according to the overall delegated strategy of Android platform the installation of application program, different is, this application program authorization privilege list is that user is the authorization privilege of this application program setting in advance and forbids authority, but not the authority of application in the configuration information file that application file bag carries makes the behavior authority of the described application program of configuration meet the described demonstration with program authorization permissions list interface.

As optional embodiment, in follow-up flow process, if user needs the authorization privilege of application programs to adjust, the method can further include:

Step 103, the security application that operation sets in advance, the authorization privilege of application programs upgrades, so that application program, in the time of follow-up operation, is accessed accordingly according to the authorization privilege upgrading.

In this step, when user installation is well after corresponding application program, if the authorization privilege that needs some functions of application programs or authorize application program upgrades, can pass through security of operation application program, at renewal interface corresponding to security application, selected the behavior authority of the each application program that needs forbidding or mandate by user, corresponding function and authorization privilege with application programs are modified, thereby in the time that application program reruns again, support the access of the amended corresponding function of user and authorization privilege.For example, if forbidden a certain authorization privilege, in the time that application program is moved again, no longer enjoy the authorization privilege that user has been forbidden.

Certainly, in practical application, also can attempt the application programming interfaces (API that access needs authority in application program, ApplicationProgramInterface) time, Android platform is the record in the application program authorization privilege list of this application program setting according to user, whether the authority that judges access API is disabled, if the authority of access API is disabled, this application program can point out user whether to select amendment by man-machine interface; If user selects to revise authority, Android platform allows this application program to access described API, otherwise Android platform notifies this application program to exit access.

As another optional embodiment, can also, before set up applications file bag, carry out security sweep to this application file bag to be installed, to guarantee the security of application file bag to be installed, reduce the probability that malicious application is installed.Like this, the method further comprises:

Application file bag to be installed is carried out to security sweep, if application file bag to be installed, by security sweep, is carried out the flow process of described set up applications file bag, otherwise, process ends.

In this step, before set up applications file bag, by this application file bag is carried out to degree of depth security sweep, degree of depth security sweep includes but not limited to trojan horse scanning, ad plug-in scanning, vulnerability scanning.For example, scan for trojan horse, can be by the feature in the rogue program storehouse of application file bag and pre-stored be mated, in the time that the feature in application file bag and rogue program storehouse matches, pointing out this application file bag is rogue program, and advises that user forbids the installation to this application program.Like this, before set up applications, carry out degree of depth security sweep by treating set up applications file bag, can identify malicious application, greatly reduce user the probability of malicious application is installed by mistake.

From above-mentioned, the method based on Android platform set up applications of the embodiment of the present invention, user, before set up applications, can select and determine and can authorize the behavior authority of this application program and forbid the behavior authority of authorizing.Like this, for some responsive behavior authorities, for example, send note, read the authorities such as contact person, user is before this application program of installation, can forbid that this application program obtains the mandate of user to responsive behavior authority, in application program installation process, adopt and select before this application program of user installation and definite authorization privilege application programs authority is configured.Thereby, even if user installs and has moved malicious application because of carelessness, because corresponding behavior authority is forbidden by user before installation, potential safety hazard loss can be dropped to minimum, the security that effectively improves Android platform.Specifically, the embodiment of the present invention has the rights management mechanism before installation, and, before application program is installed, user can authorize for application program to be installed the behavior authority of selection; And, rights management mechanism after installation,, after application program installation, the behavior authority that allows user to authorize mounted application program is carried out authority amendment, and the authorization privilege of amendment is stored, access accordingly according to the authority of amendment in the time moving for application program.

Fig. 2 shows the apparatus structure of the embodiment of the present invention based on intelligent terminal set up applications.Referring to Fig. 2, this device comprises: monitoring modular, load-on module and authority configuration module, wherein,

In the embodiment of the present invention, monitoring modular can also be further used for needing after the application programming interfaces of behavior authority monitoring application program access, Android platform is the record in the application program authorization privilege list of this application program setting according to user, whether the authority that judges access application interface is disabled, if the authority of access application interface is disabled, point out user whether to select amendment by man-machine interface; If user selects to revise authority, Android platform allows this application program to access described application programming interfaces, otherwise Android platform notifies this application program to exit access.

In the embodiment of the present invention, load-on module comprises: resolution unit, query unit and loading unit (not shown), wherein,

In the embodiment of the present invention, the behavior authority of obtaining application program comprises: obtain application file bag by application program official download site; Resolve the configuration information file in application file bag, obtain the behavior authority that this application program need to be applied for.Wherein, the configuration information file of resolving in application file bag comprises: the application file of decompress(ion) based on intelligent terminal, from the application file of decompress(ion), obtain the configuration information file of the global variable description of encryption, and the configuration information file of encrypting is decrypted, obtain the original configuration message file of deciphering, utilize the authority that the extensible markup language document resolver in Java scans in the original configuration message file of deciphering to describe part.

In the embodiment of the present invention, application program authorization privilege list storehouse is set and comprises: to each application program, gather and obtain the behavior authority of application program; The behavior authority of choosing and authorizing from the behavior authority of the application program obtained according to user, generates the application program authorization privilege list being stored in application program authorization privilege list storehouse.Application program authorization privilege list described in application program correspondence one described in each, multiple application program authorization privilege list compositions application program authorization privilege list storehouse.

Preferably, load-on module can further include:

In practical application, load-on module can further include:

As optional embodiment, load-on module can further include:

Authentication unit, be used for utilizing isolation sandbox and/or, static code analysis and/or, automatic code mark scanning method, the described of application programs application must authority carry out legitimacy and rational checking, to determine whether required requisite behavior authority when application program is moved all of each behavior authority in must authority, if not, by the behavior authority from deleting authority, and show to user as inessential authority.

As optional embodiment, loading unit comprises: inquire about subelement, reshuffle subelement and interface generation subelement, wherein,

As optional embodiment, this device can further include:

As another optional embodiment, this device can further include:

As an optional embodiment again, this device can further include:

In the embodiment of the present invention, security sweep includes but not limited to trojan horse scanning, ad plug-in scanning, vulnerability scanning.

The algorithm providing at this is intrinsic not relevant to any certain computer, virtual system or miscellaneous equipment with demonstration.Various general-purpose systems also can with based on using together with this teaching.According to description above, it is apparent constructing the desired structure of this type systematic.In addition, the present invention is not also for any certain programmed language.It should be understood that and can utilize various programming languages to realize content of the present invention described here, and the description of above language-specific being done is in order to disclose preferred forms of the present invention.

In the instructions that provided herein, a large amount of details are described.But, can understand, embodiments of the invention can be put into practice in the situation that there is no these details.In some instances, be not shown specifically known method, structure and technology, so that not fuzzy understanding of this description.

Similarly, be to be understood that, in order to simplify the disclosure and to help to understand one or more in each inventive aspect, in the above in the description of exemplary embodiment of the present invention, each feature of the present invention is grouped together into single embodiment, figure or sometimes in its description.But, the method for the disclosure should be construed to the following intention of reflection: the present invention for required protection requires than the more feature of feature of clearly recording in each claim.Or rather, as reflected in claims below, inventive aspect is to be less than all features of disclosed single embodiment above.Therefore, claims of following embodiment are incorporated to this embodiment thus clearly, and wherein each claim itself is as independent embodiment of the present invention.

Those skilled in the art are appreciated that and can the module in the equipment in embodiment are adaptively changed and they are arranged in one or more equipment different from this embodiment.Module in embodiment or unit or assembly can be combined into a module or unit or assembly, and can put them in addition multiple submodules or subelement or sub-component.At least some in such feature and/or process or unit are mutually repelling, and can adopt any combination to combine all processes or the unit of disclosed all features in this instructions (comprising claim, summary and the accompanying drawing followed) and disclosed any method like this or equipment.Unless clearly statement in addition, in this instructions (comprising claim, summary and the accompanying drawing followed) disclosed each feature can be by providing identical, be equal to or the alternative features of similar object replaces.

In addition, those skilled in the art can understand, although embodiment more described herein comprise some feature instead of further feature included in other embodiment, the combination of the feature of different embodiment means within scope of the present invention and forms different embodiment.For example, in the following claims, the one of any of embodiment required for protection can be used with array mode arbitrarily.

All parts embodiment of the present invention can realize with hardware, or realizes with the software module of moving on one or more processor, or realizes with their combination.It will be understood by those of skill in the art that and can use in practice microprocessor or digital signal processor (DSP) to realize according to the some or all functions of the some or all parts in the device based on intelligent terminal set up applications of the embodiment of the present invention.The present invention can also be embodied as part or all equipment or the device program (for example, computer program and computer program) for carrying out method as described herein.Realizing program of the present invention and can be stored on computer-readable medium like this, or can there is the form of one or more signal.Such signal can be downloaded and obtain from internet website, or provides on carrier signal, or provides with any other form.

It should be noted above-described embodiment the present invention will be described instead of limit the invention, and those skilled in the art can design alternative embodiment in the case of not departing from the scope of claims.In the claims, any reference symbol between bracket should be configured to limitations on claims.Word " comprises " not to be got rid of existence and is not listed as element or step in the claims.Being positioned at word " " before element or " one " does not get rid of and has multiple such elements.The present invention can be by means of including the hardware of some different elements and realizing by means of the computing machine of suitably programming.In the unit claim of having enumerated some devices, several in these devices can be to carry out imbody by same hardware branch.The use of word first, second and C grade does not represent any order.Can be title by these word explanations.

The invention discloses, mono-kind of the A1. method based on intelligent terminal set up applications, comprising:

A2. according to the method described in A1, described in be loaded as this application program setting to be installed application program authorization privilege list interface comprise:

A3. according to the method described in A2, described application program authorization privilege list storehouse is set and comprises:

A4. according to the method described in A3, described in obtain application program behavior authority comprise:

Obtain application file bag by application program official download site;

A5. according to the method described in A4, the configuration information file in described parsing application file bag comprises:

A6. according to the method described in A5, utilize the extensible markup language document resolver in Java, the behavior authority of resolving in the original configuration message file of described deciphering is described part.

A7. according to the method described in A1, application program authorization privilege list described in application program correspondence one described in each, multiple application program authorization privilege lists compositions application program authorization privilege list storehouse.

A8. according to the method described in A3, before described behavior authority of authorizing from the authority of the application program obtained according to user, described method further comprises:

The behavior authority of the application program of obtaining is shown.

A9. according to the method described in A3, after the described behavior authority of obtaining application program, described method further comprises:

A10. according to the method described in A9, described method further comprises:

A11. according to the method described in A10, described method further comprises:

A12. according to the method described in A1, described method further comprises:

A13. according to the method described in A1, described method further comprises:

A14. according to the method described in A1, described carry out application program installation before, described method further comprises:

A15. according to the method described in A14, described security sweep includes but not limited to trojan horse scanning, ad plug-in scanning, vulnerability scanning.

A16. according to the method described in A1, further comprise:

A17. according to the method described in A1, described in be loaded as this application program setting to be installed application program authorization privilege list interface comprise:

A18. according to the method described in A1, described in be loaded as this application program setting to be installed application program authorization privilege list interface comprise:

A19. according to the method described in A1, described carry out application program installation before, described method further comprises:

A20. according to the method described in A1, the behavior authority of the described application program of configuration meets the described demonstration with program authorization permissions list interface.

A21. according to the method described in A1, in described configuration information file, include the behavior authority of being authorized described application program by intelligent terminal operating system.

A22. according to the method described in A1, the operation platform of described intelligent terminal includes but not limited to Android platform.

A23. the device based on intelligent terminal set up applications, this device comprises: monitoring modular, load-on module and authority configuration module, wherein,

A24. according to the device described in A23, described load-on module comprises: resolution unit, query unit and loading unit, wherein,

A25. according to the device described in A24, described load-on module further comprises:

A26. according to the device described in A25, described load-on module further comprises:

A27. according to the device described in A25, described load-on module further comprises:

A28. according to the device described in A23, further comprise:

A29. according to the device described in A23, further comprise:

A30. according to the device described in A23, further comprise:

A31. according to the device described in A24, described loading unit comprises: inquire about subelement, reshuffle subelement and interface generation subelement, wherein,

Claims

1. the method based on intelligent terminal set up applications, comprising:

2. the method for claim 1, described in be loaded as this application program setting to be installed application program authorization privilege list interface comprise:

3. method as claimed in claim 2, arranges described application program authorization privilege list storehouse and comprises:

4. method as claimed in claim 3, described in obtain application program behavior authority comprise:

Obtain application file bag by application program official download site;

5. method as claimed in claim 4, the configuration information file in described parsing application file bag comprises:

6. the method for claim 1, further comprises:

7. the method for claim 1, described in be loaded as this application program setting to be installed application program authorization privilege list interface comprise:

8. the device based on intelligent terminal set up applications, is characterized in that, this device comprises: monitoring modular, load-on module and authority configuration module, wherein,

9. device as claimed in claim 8, is characterized in that, described load-on module comprises: resolution unit, query unit and loading unit, wherein,

10. device as claimed in claim 9, is characterized in that, described load-on module further comprises: