CN104346559A - Authority request response method and device thereof - Google Patents
Authority request response method and device thereof Download PDFInfo
- Publication number
- CN104346559A CN104346559A CN201410696530.4A CN201410696530A CN104346559A CN 104346559 A CN104346559 A CN 104346559A CN 201410696530 A CN201410696530 A CN 201410696530A CN 104346559 A CN104346559 A CN 104346559A
- Authority
- CN
- China
- Prior art keywords
- authority
- authority request
- signature identification
- request
- authentication list
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
Abstract
The invention discloses an authority request response method, which uses an Android application scene as an example. The authority request response method comprises the following steps of starting a system level communication interface, and monitoring an external authority request through the communication interface; according to the authority request, obtaining a feature identification of a requester, and searching whether the feature identification is in an allowable state or not through a preset certification list; when the feature identification is in the allowable state, applying the authority from the system for the authority request. The authority request response method has the characteristics that by realizing the authority request management function, the communication speed and communication efficiency are high, and the technology is safe and reliable.
Description
Technical field
The present invention relates to the rights management techniques of computer operating system, particularly relate to a kind of authority request response method and corresponding device.
Background technology
Based on the operating system that Uinux is born, from Linux series to the Android operation system of mobile terminal, all there is strict user management mechanism.Wherein, for Android, the highest weight limit account number of system is Root, and the authority of account also represents the highest level of rights management mechanism, can start or stop a process, deletes or adding users, increases or forbids hardware etc.When mobile terminal device dispatches from the factory, manufacturer considers for safety factor, does not generally open Root authority to user.In this case, the Dynamic System that user carries out mobile terminal device, or third-party application such as mobile phone safe software needs to realize some when such as unloading the function of application and so on of dispatching from the factory, and just can be hindered.Therefore, obtain Root authority and just become more and more general.
Current mobile phone safe software on the market, such as " 360 mobile phone assistant ", is equipped with the authority management module provided for mobile phone application usually.After obtaining Root authority, need the management strengthened further authority request, because just realizing the security monitoring to operating system, prevent malicious application from arbitrarily realizing self object, such as ROL request-online people authority, request mobile phone IMEI authority etc., to accomplish both to give user larger operation degree of freedom, technical security can be guaranteed again.
Prior art achieves Root authority management to a great extent, but, also exist following not enough: on the one hand, because the communication mechanism carrying out rights management utilizes the cause be not good at, the efficiency causing Root authority to manage is not high; On the other hand, be too dependent on the function of system, cause the operational efficiency of rights management not high.
Summary of the invention
The object of the present invention is to provide a kind of operational efficiency authority request response method and corresponding device thereof comparatively efficiently.
For realizing object of the present invention, the present invention takes following technical scheme:
A kind of authority request response method provided by the invention, comprises the following steps:
Start the communication interface belonging to system level, monitor outside authority request by this communication interface;
According to the signature identification of this authority request obtaining request side, in preset authentication list, retrieve this signature identification whether be in the state be allowed to;
When this signature identification is for being allowed to state, for this authority request is to system application authority.
Preferably, the communication interface of described system level, refers to Binder mechanism based on Android and the communication service process set up, for initiate the applications process communication of authority request.
Preferably, described signature identification, refers to the UID in android system, and each UID corresponds to an application.
Disclosing according to an embodiment of the present invention, described preset authentication list, stores some signature identifications, and the existence of signature identification in authentication list characterizes this signature identification for the state of being allowed to.
Disclosed according to another embodiment of the present invention, described preset authentication list, store the state recognition field of some signature identifications and each signature identification setting of correspondence, when the corresponding state recognition field of certain signature identification is set to characterize the symbol be allowed to, with this signature identification of this symbolic representation for the state of being allowed to.
Further, when described signature identification be non-be allowed to state time, the authority request described in refusal.
Preferably, this method comprises another step: obtain common authentication table data from remote interface and upgrade local described authentication list.
Further, after this authority request of employing successfully obtains Root authority, the consumer process of this authority request and the communication of service processes are initiated in binding, and service processes is for responding the instruction performing and performed by consumer process request.
Preferably, in local described authentication list, be provided with the type identification of the authority action period for characterizing the user program corresponding with described signature identification, to system applying right in limited time, the authority that corresponding described type identification application is dissimilar.
A kind of authority request responding device provided by the invention, it comprises:
Communication interface, is started by the mode with system level, for monitoring outside authority request;
Retrieval unit, for the signature identification according to this authority request obtaining request side, retrieves this signature identification and whether is in the state be allowed in preset authentication list;
Processing unit, when this signature identification is for being allowed to state, for for this authority request is to system application authority.
Concrete, described communication interface is the Binder mechanism based on Android and the communication service process being placed in system level set up, by obtaining described authority request with applications process communication.
Preferably, described signature identification, refers to the UID in android system, and each UID corresponds to an application.
Disclosing according to an embodiment of the present, described preset authentication list, for storing some signature identifications, the existence of signature identification in authentication list, characterizes this signature identification for the state of being allowed to.
Disclosed according to another embodiment of the present invention, described preset authentication list, for storing the state recognition field of some signature identifications and each signature identification setting of correspondence, when the corresponding state recognition field of certain signature identification is set to characterize the symbol be allowed to, with this signature identification of this symbolic representation for the state of being allowed to.
Further, described processing unit, when described signature identification be non-be allowed to state time, for refusing described authority request.
Preferentially, the present invention includes maintenance unit, for obtaining common authentication table data from remote interface and upgrading local described authentication list.
Further, this device also comprises service processes, and after this authority request of employing successfully obtains Root authority, with the consumer process BOUND communication initiating this authority request, this service processes is for responding the instruction performing and performed by consumer process request.
Preferably, in local described authentication list, be provided with the type identification of the authority action period for characterizing the user program corresponding with described signature identification, to system applying right in limited time, the authority that corresponding described type identification application is dissimilar.
Compared to prior art, the present invention at least tool has the following advantages: the present invention uses based on the communication interface of system level, set up the rights management mechanism based on the authority request of applications, there is quick, the success ratio advantages of higher that communicates, further, by setting up preset authentication list, managing independently the authority request of applications can be realized, from technical standpoint, this authentication list possesses the effect being similar to fire wall, has data centralization, runs the advantages such as efficient, safe and reliable.
The aspect that the present invention adds and advantage will part provide in the following description, and these will become obvious from the following description, or be recognized by practice of the present invention.
Accompanying drawing explanation
The present invention above-mentioned and/or additional aspect and advantage will become obvious and easy understand from the following description of the accompanying drawings of embodiments, wherein:
Fig. 1 is the theory diagram of authority request response method of the present invention;
Fig. 2 is the theory diagram of authority request responding device of the present invention.
Embodiment
Be described below in detail embodiments of the invention, the example of described embodiment is shown in the drawings, and wherein same or similar label represents same or similar element or has element that is identical or similar functions from start to finish.Being exemplary below by the embodiment be described with reference to the drawings, only for explaining the present invention, and can not limitation of the present invention being interpreted as.
Those skilled in the art of the present technique are appreciated that unless expressly stated, and singulative used herein " ", " one ", " described " and " being somebody's turn to do " also can comprise plural form.Should be further understood that, the wording used in instructions of the present invention " comprises " and refers to there is described feature, integer, step, operation, element and/or assembly, but does not get rid of and exist or add other features one or more, integer, step, operation, element, assembly and/or their group.Should be appreciated that, when we claim element to be " connected " or " coupling " to another element time, it can be directly connected or coupled to other elements, or also can there is intermediary element.In addition, " connection " used herein or " coupling " can comprise wireless connections or wirelessly to couple.Wording "and/or" used herein comprises one or more whole or arbitrary unit listing item be associated and all combinations.
Those skilled in the art of the present technique are appreciated that unless otherwise defined, and all terms used herein (comprising technical term and scientific terminology), have the meaning identical with the general understanding of the those of ordinary skill in field belonging to the present invention.It should also be understood that, those terms defined in such as general dictionary, should be understood to that there is the meaning consistent with the meaning in the context of prior art, unless and by specific definitions as here, otherwise can not explain by idealized or too formal implication.
Those skilled in the art of the present technique are appreciated that, here used " terminal ", " terminal device " had both comprised the equipment of wireless signal receiver, it only possesses the equipment of the wireless signal receiver without emissive ability, comprise again the equipment receiving and launch hardware, it has and on bidirectional communication link, can perform the reception of two-way communication and launch the equipment of hardware.This equipment can comprise: honeycomb or other communication facilitiess, its honeycomb or other communication facilities of having single line display or multi-line display or not having multi-line display; PCS (Personal Communications Service, PCS Personal Communications System), it can combine voice, data processing, fax and/or its communication ability; PDA (Personal Digital Assistant, personal digital assistant), it can comprise radio frequency receiver, pager, the Internet/intranet access, web browser, notepad, calendar and/or GPS (Global Positioning System, GPS) receiver; Conventional laptop and/or palmtop computer or other equipment, it has and/or comprises the conventional laptop of radio frequency receiver and/or palmtop computer or other equipment.Here used " terminal ", " terminal device " can be portable, can transport, be arranged in the vehicles (aviation, sea-freight and/or land), or be suitable for and/or be configured at local runtime, and/or with distribution form, any other position operating in the earth and/or space is run.Here used " terminal ", " terminal device " can also be communication terminal, access terminals, music/video playback terminal, can be such as PDA, MID (Mobile Internet Device, mobile internet device) and/or there is the mobile phone of music/video playing function, also can be the equipment such as intelligent television, Set Top Box.
Those skilled in the art of the present technique are appreciated that, the concepts such as server used here, high in the clouds, remote network devices, have effects equivalent, it includes but not limited to the cloud that computing machine, network host, single network server, multiple webserver collection or multiple server are formed.At this, cloud is formed by based on a large amount of computing machine of cloud computing (Cloud Computing) or the webserver, and wherein, cloud computing is the one of Distributed Calculation, the super virtual machine be made up of a group loosely-coupled computing machine collection.In embodiments of the invention, realize communicating by any communication mode between remote network devices, terminal device with WNS server, include but not limited to, the mobile communication based on 3GPP, LTE, WIMAX, the computer network communication based on TCP/IP, udp protocol and the low coverage wireless transmission method based on bluetooth, Infrared Transmission standard.
Those skilled in the art are to be understood that, " application ", " application program ", " application software " alleged by the present invention and the concept of similar statement, be those skilled in the art known same concept, refer to and be suitable for by the instruction of series of computation machine and the organic structure of related data resource the computer software that electronics runs.Unless specified, this name itself, not by programming language kind, rank, also not limited by the operating system of its operation of relying or platform.In the nature of things, this genus also not limited by any type of terminal.
The application scenarios of a kind of authority request response method of the present invention, with based on Unix be basis operating system environment in realize.In order to realize this method, needing this method example to change into application program, obtaining Root authority, install and run in relevant operation system.
As everyone knows, Root authority refers to system manager's authority of Unix type operating system (comprising Linux, Android), is similar to Administrator (keeper) authority in Windows (form) system; File (android system file and user file, do not comprise ROM) nearly all in the mobile device of user can be accessed and revise to Root authority.But, because current mobile terminal system is strict for the management of Root authority, most application or program do not possess Root authority under normal circumstances, therefore need the operation possessing Root authority just cannot perform for some, such as, install or unload the operations such as application; , all need to system application Root authority when this type of operation calls process performs corresponding operating at every turn meanwhile, if but now other application processes using Root authority to carry out associative operation, then the Root authority application of this calling process just cannot be successful; What is more, if user is provided with the operation of forbidding Root authority in systems in which, then relevant calling process just cannot carry out associative operation.Based on this, the present invention proposes only to need to send a Root authority to system and obtains request, specifically by SU (Super User that calling system is built-in, power user) order acquisition Root authority, or by obtain have Root authority shell obtain Root authority and in shell startup process, then, after the Root authority mandate obtaining described system, when other calling process follow-up can be made need to perform associative operation, Root authority is applied for without the need to repeating; Concrete Root authority acquisition process can refer to the Root authority call function of prior art, and the present invention does not repeat them here.Based on above-mentioned guide's knowledge, disclose authority request response method of the present invention in detail below in conjunction with Fig. 1.The method comprises the steps:
S11, start and belong to the communication interface of system level, monitor outside authority request by this communication interface:
Communication interface alleged by the present embodiment, refers to that a program module by realizing with this method runs in internal memory, after realizing proposing power operation foregoing by the corresponding host process in internal memory, to system registry communication service process.For Android, the Binder mechanism that this communication service process provides based on android system, self is registered to System Manager, by the intrinsic Binder mechanism that Android provides, between communication service process and the applications process of its monitoring, set up the line of communication of C/S framework.Specifically, when after the Root authority getting system, for the ease of follow-up realization to the monitoring of outside application process and associative operation function, first the present invention starts the host process formed by running after this method instantiation having and obtain Root authority, described communication service process is inserted in systems in which by host process, such as realize update by system call function ServiceManager.addService, realize the successful operation of the instantiation procedure to this method thus, not only make the host process memory-resident of this method, and the communication interface of system level is also become by the communication service process of its foundation.It should be noted that, described communication service process is by above-mentioned configuration, become the service processes rank of system level, obviously higher than the even described host process of other applications processes and other process etc., these call the authority of its process to its authority, therefore this communication service process can as communication infrastructure, the process calling it for other provides communication support, completion system and other call communication connection between its process.Also can know by inference further thus, other any clients observing the communication specification of communication interface of the present invention, all communicate with communication interface of the present invention by Binder mechanism, obtain corresponding authority.
Therefore, described communication interface, shows as described communication service process in the present embodiment, and its function communicates for the Binder realized between host process with applications process, and this communication mode has the feature of fast and stable.For the care important point of this method, described communication service process is mainly used in the authority request that monitoring applications process is initiated, and namely this authority request generally refers to expects that obtaining Root authority realization asks the power of carrying that the deep layer of system resource is accessed.For this method, except described communication service process can be used for setting up except communication interface, certainly, also other different function can be realized by other process, and these other processes can communicate with applications process by described communication service process, thus the combination of inner and outside completes other special operational instruction.Such as, these other processes can perform one or more operations following, and not by limitation herein: perform the unloading of preset application, the installation of executive utility or unloading, the backup of execution application data or reduction, the enabling or disabling of executive utility.
Described communication interface, after becoming interprocess communication basis, just the monitoring to outside application process can be realized, when applications process needs to obtain Root authority, just can send to system the authority request obtaining Root authority, communication service process rank residing for it is higher, just preferentially can obtain and process this user request.After communication service process obtains this authority request, just can be submitted to host process of the present invention, be done further process by host process.
S12, signature identification according to this authority request obtaining request side, in preset authentication list, retrieve this signature identification whether be in the state be allowed to:
Well-known, to the definition of UID (User Identifier, user ID) in android system, be each specific distinguished symbol of embody rule institute, have unique features, therefore, namely UID is the signature identification of the uniqueness of each embody rule.In the present embodiment, the host process that this method realizes, what forward from communication interface is derived from the authority request of the process of external application, the signature identification of this external application process can be obtained, corresponding application program can be identified further according to this signature identification, and determine whether opened authority request response.
In this step, be also responsible for the maintenance of an authentication list by the host process for realizing this step.This authentication list can adopt implemented in many forms, and various forms of difference is mainly reflected in its internal maps pass and fastens, and below enumerates two kinds of forms for reference:
A, only can store the UID of application program that each acquiescence allows to obtain Root authority, thus, enter the application program corresponding to signature identification of this authentication list, be just regarded as the request expecting to obtain Root authority, be in the state be allowed to, will be met.
B, a status indicator field can be increased in the authentication list of A scheme, for each signature identification correspondence mappings status indicator character, such as, when the status indicator character of the record at certain UID place is " Y ", the authority request characterized corresponding to this UID is the state of being allowed to; When for " N ", the authority request characterized corresponding to this UID is non-ly be allowed to state.
Except above two kinds of modes realize except described authentication list, for the ease of process scheduling, process identification (PID) PID can be increased further, in the life cycle of host process, and when external application carries out sending permission request first, therefrom obtain corresponding PID, be stored in authentication list, contrast when next time initiates authority request for described applications process, be allowed to state with the common authorization decision request of PID and UID.So, further authority request management can be refine to the subprocess of external application.
After the host process realized with this method receives the authority request of communication interface forwarding, extraction UID wherein (and PID, lower same), then go to retrieve in described authentication list with this UID, for mode A, when there is this UID in authentication list, can confirm that the authority request corresponding to described UID should be allowed to, if there is no corresponding UID in authentication list, then characterize this UID and be not allowed to; For mode B, when there is this UID in authentication list and the status identifier of its status indicator field is " Y ", the authority request characterized corresponding to this UID should be allowed to, otherwise, when status identifier is " N ", the authority request characterized corresponding to this UID is not allowed to.
Can find out, adopt authentication list of the present invention, there is the service processes of Root authority by startup after acquisition system Root authority and insert communication service process in system, Root authority is applied for without the need to repeating when the applications process of calling communication service processes can be made to perform corresponding operating, and perform corresponding operating by the host process started, efficiently avoid because Root authority is using or disabled brought operation failure, and then substantially increase the efficiency of data communication.
The acquisition of raw data in described authentication list, can be in the history use procedure of this method, generate according to user's use habit.Such as, user, first for the request of certain external application process, gives a subjectivity instruction allowing it to obtain Root authority, is namely added in this authentication list by host process of the present invention, be labeled as the state being allowed to obtain corresponding authority, follow-up just can exempting from plays window inquiry.Described authentication list also can by remote maintenance, remote communication interface is called by described host process, timing or sporadically download up-to-date authentication list data from high in the clouds, to upgrade local authentication list, large data edge can be played thus, make the data in authentication list have more security.
Adapt to above-mentioned situation, a common authentication list is safeguarded in high in the clouds, the permission made for each program UID by the host process upload user of the program be provided with the inventive method obtains authority whether data, then according to statistical method, each UID is added up, when most users such as 60% allows certain UID can obtain Root authority, mark status indicator word corresponding to this UID for " Y ", otherwise, be labeled as " N ".Local host process is downloaded in this common authentication list by remote interface, compares with the authentication list of this locality, and on the basis of respecting the instruction of user's subjectivity, to add in common authentication list newly-increased is recorded in local authentication list.Certainly, for the sake of security, can in two tables, UID is identical and record that state is different carries out the inquiry of bullet window, see whether user adopts the data of common authentication list, if user selects to be that the respective record of local authentication list replaced in the record of being then correlated with by this UID of common authentication list, if not, then abandon subsequent operation.Can find out, can realize the Dynamic Maintenance to authentication list in this way, the angle that authentication list is realized in technology has played its safety effect greatly.
Be appreciated that, the form of the common authentication list that high in the clouds is safeguarded should be not limited to the field information of described UID, PID, can be generalized to as the program of this communication service process or the signing messages etc. of service are called in its interpolation further, make communication service process can determine whether, into its open Root authority, to strengthen its security protection effect further by the checking initiation program of authority request or the signing messages of service.
It is pointed out that the file layout of described authentication list, both can be the chained list in internal memory, also can be to be stored in local database or the form of text, can be realized flexibly by those skilled in the art.
S13, when this signature identification is for being allowed to state, for this authority request is to system application authority.
By the enforcement of previous step, just can judge whether an authority request be corresponding signature identification is the state of being allowed to, if, the host process that then can be realized by the present invention is the clearance of this authority request, for the Root authority of this authority request system, open Root authority by system to corresponding external application process.And if the result that previous step obtains be corresponding signature identification is the non-state that is allowed to, so, host process can refuse this authority request, by its communication interface externally application process return dummy message, the authority request that applications process is provided is come back after a vain attempt; Or, also directly can return the unsuccessful reply of authority request.
By more than the present invention about its authority request response method, can realize running more efficient rights management mechanism, not only guarantee that the communication between each process is more quick effectively, and on technological layer, by the effect of authentication list, rights management also can be made safer.
Accordingly, the present invention can provide a kind of authority request responding device according to aforesaid method, by the modules that this device realizes, realizes each step of the method respectively, also can realize corresponding function.This device can be concentrated in the mode of logic function on a processor and realize.Refer to Fig. 2, specifically, authority request responding device provided by the invention, comprises communication interface 11, retrieval unit 12 and processing unit 13.
Described communication interface 11, the communication service process run in internal memory by builds, and after realizing proposing power operation foregoing, realizes to system registry communication service process by the corresponding host process in internal memory.For Android, the Binder mechanism that this communication service process provides based on android system, self is registered to System Manager, by the intrinsic Binder mechanism that Android provides, between communication service process and the applications process of its monitoring, set up the line of communication of C/S framework, communication service process just defines described communication interface 11.Specifically, when after the Root authority getting system, for the ease of follow-up realization to the monitoring of outside application process and associative operation function, the present invention inserts described communication service process in systems in which by a host process, such as realize update by system call function ServiceManager.addService, thus, this host process memory-resident can not only be made, and the communication service process set up by it also becomes the communication interface 11 of system level.It should be noted that, described communication service process is by above-mentioned configuration, become the service processes rank of system level, obviously higher than the even described host process of other applications processes and other process etc., these call the authority of its process to its authority, therefore this communication service process can as communication infrastructure, the process calling it for other provides communication support, completion system and other call communication connection between its process.
Therefore, described communication interface 11, shows as described communication service process in the present embodiment, and its function communicates for the Binder realized between host process with applications process, and this communication mode has the feature of fast and stable.For the care important point of this device, described communication service process is mainly used in the authority request that monitoring applications process is initiated, and namely this authority request generally refers to expects that obtaining Root authority realization asks the power of carrying that the deep layer of system resource is accessed.For this device, except described communication service process can be used for setting up except communication interface 11, certainly, also other different function can be realized by other process, and these other processes can communicate with applications process by described communication service process, thus the combination of inner and outside completes other special operational instruction.Such as, these other processes can perform one or more operations following, and not by limitation herein: perform the unloading of preset application, the installation of executive utility or unloading, the backup of execution application data or reduction, the enabling or disabling etc. of executive utility, perform internal memory clearing function etc.
Described communication interface 11, after becoming interprocess communication basis, just the monitoring to outside application process can be realized, when applications process needs to obtain Root authority, just can send to system the authority request obtaining Root authority, communication service process rank residing for it is higher, just preferentially can obtain and process this user request.After communication service process obtains this authority request, just can be submitted to host process of the present invention, be done further process by host process.
Described retrieval unit 12, for the signature identification according to this authority request obtaining request side, retrieves this signature identification and whether is in the state be allowed in preset authentication list.
Well-known, to the definition of UID (User Identifier, user ID) in android system, be each specific distinguished symbol of embody rule institute, have unique features, therefore, namely UID is the signature identification of the uniqueness of each embody rule.In the present embodiment, the host process that this device realizes, what forward from communication interface 11 is derived from the authority request of the process of external application, the signature identification of this external application process can be obtained, corresponding application program can be identified further according to this signature identification, and determine whether opened authority request response.
In this retrieval unit 12, being also responsible for the maintenance of an authentication list by the host process for realizing this retrieval unit 12, building a maintenance unit (not shown) based on this, for safeguarding described authentication list.In logic, this maintenance unit can unite two into one with this retrieval unit 12, also can be separate.This authentication list can adopt implemented in many forms, and various forms of difference is mainly reflected in its internal maps pass and fastens, and below enumerates two kinds of forms for reference:
A, only can store the UID of application program that each acquiescence allows to obtain Root authority, thus, enter the application program corresponding to signature identification of this authentication list, be just regarded as the request expecting to obtain Root authority, be in the state be allowed to, will be met.
B, a status indicator field can be increased in the authentication list of A scheme, for each signature identification correspondence mappings status indicator character, such as, when the status indicator character of the record at certain UID place is " Y ", the authority request characterized corresponding to this UID is the state of being allowed to; When for " N ", the authority request characterized corresponding to this UID is non-ly be allowed to state.
Except above two kinds of modes realize except described authentication list, for the ease of process scheduling, process identification (PID) PID can be increased further, in the life cycle of host process, and when external application carries out sending permission request first, therefrom obtain corresponding PID, be stored in authentication list, contrast when next time initiates authority request for described applications process, be allowed to state with the common authorization decision request of PID and UID.So, further authority request management can be refine to the subprocess of external application.
After the host process realized with this device receives the authority request of communication interface 11 forwarding, extraction UID wherein (and PID, lower same), then go to retrieve in described authentication list with this UID, for mode A, when there is this UID in authentication list, can confirm that the authority request corresponding to described UID should be allowed to, if there is no corresponding UID in authentication list, then characterize this UID and be not allowed to; For mode B, when there is this UID in authentication list and the status identifier of its status indicator field is " Y ", the authority request characterized corresponding to this UID should be allowed to, otherwise, when status identifier is " N ", the authority request characterized corresponding to this UID is not allowed to.
Can find out, adopt authentication list of the present invention, there is the service processes of Root authority by startup after acquisition system Root authority and insert communication service process in system, Root authority is applied for without the need to repeating when the applications process of calling communication service processes can be made to perform corresponding operating, and perform corresponding operating by the host process started, efficiently avoid because Root authority is using or disabled brought operation failure, and then substantially increase the efficiency of data communication.
The maintenance of described authentication list, is realized by described maintenance unit, comprises the data how making authentication list basis of formation data and how to upgrade wherein.
The acquisition of raw data in described authentication list, can be in the history use procedure of this device, generate according to user's use habit.Such as, user, first for the request of certain external application process, gives a subjectivity instruction allowing it to obtain Root authority, is namely added in this authentication list by host process of the present invention, be labeled as the state being allowed to obtain corresponding authority, follow-up just can exempting from plays window inquiry.Described authentication list also can carry out remote maintenance in conjunction with high in the clouds, remote communication interface 11 is called by described host process, timing or sporadically download up-to-date authentication list data from high in the clouds, to upgrade local authentication list, large data edge can be played thus, make the data in authentication list have more security.
Adapt to above-mentioned situation, a common authentication list is safeguarded in high in the clouds, authority whether data are obtained by being provided with the permission made for each program UID with host process upload user of the present invention, then according to statistical method, each UID is added up, when most users such as 60% allows certain UID can obtain Root authority, mark status indicator word corresponding to this UID for " Y ", otherwise, be labeled as " N ".Local host process is downloaded in this common authentication list by remote interface, compares with the authentication list of this locality, and on the basis of respecting the instruction of user's subjectivity, to add in common authentication list newly-increased is recorded in local authentication list.Certainly, for the sake of security, can in two tables, UID is identical and record that state is different carries out the inquiry of bullet window, see whether user adopts the data of common authentication list, if user selects to be that the respective record of local authentication list replaced in the record of being then correlated with by this UID of common authentication list, if not, then abandon subsequent operation.Obviously, these operations of local side, should be dynamically updated module to realize by the authentication list in described maintenance unit, so more meet logical partitioning.Maintenance unit can further include a program upgrade module, dynamically updating of the program realized for the present invention that follows up.Can find out, can realize the Dynamic Maintenance to authentication list in this way, the angle that authentication list is realized in technology has played its safety effect greatly.
It is pointed out that the file layout of described authentication list, both can be the chained list in internal memory, also can be to be stored in local database or the form of text, can be realized flexibly by those skilled in the art.
Described processing unit 13, when this signature identification is for being allowed to state, for for this authority request is to system application authority; When this signature identification is not for being allowed to state, for refusing this authority request.
By the process of retrieval unit 12, just can judge whether an authority request be corresponding signature identification is the state of being allowed to, if, the host process that then can be realized by the present invention is the clearance of this authority request, for the Root authority of this authority request system, open Root authority by system to corresponding external application process.And if the result that retrieval unit 12 obtains be corresponding signature identification is the non-state that is allowed to, so, host process can refuse this authority request, by its communication interface 11 externally application process return dummy message, the authority request that applications process is provided is come back after a vain attempt; Or, also directly can return the unsuccessful reply of authority request.
It should be noted that the obtain manner of Root authority, from the life cycle of authority effect, comprise permanent Root authority and temporary Root authority, as the term suggests, in permanent Root authority situation, application program is authorized once Root, can carry out Root later again and propose power operation; And in temporary Root authority situation, the life cycle of authority effect is the process of once shutting down from starting shooting to of operating system, next time, start still needed to carry out Root.Realization of the present invention not by this classification restriction, but can do the realization of optional program according to these two kinds of different modes.Such as, user interface can be provided whether to carry out permanent Root or interim Root for user is selected, in conjunction with being the type identification whether forever each UID adds Root or interim Root in described local authentication list, then according to different marks, different authority request open treated is done to the user program/process initiating request.
As previously mentioned, the present invention can realize the execution of the subsequent instructions after authority request by service processes.Service processes can be independently, is the convenience illustrated, is called command service process.The related service process realizing rights management as the present invention is after user right request successfully obtains system Root authority, the direct communication between this service processes and the consumer process of initiating authority request can be bound, then, instruction is sent to this service processes, such as: perform the unloading of preset application, the installation of executive utility or unloading, the backup of execution application data or reduction, the enabling or disabling etc. of executive utility, perform internal memory or cache cleaner function etc. by consumer process.This service processes is configured with the function performing these functions, and service processes, by resolving the instruction of consumer process, calls the function corresponding to ownership goal function, realizes corresponding function, thus solves the demand of user.
To sum up, can be found out by the above embodiments, of the present invention realized authority request management function, have communication rapidly and efficiently, the reliable feature of technical security.
The above is only some embodiments of the present invention; it should be pointed out that for those skilled in the art, under the premise without departing from the principles of the invention; can also make some improvements and modifications, these improvements and modifications also should be considered as protection scope of the present invention.
Claims (10)
1. an authority request response method, is characterized in that, comprises the following steps:
Start the communication interface belonging to system level, monitor outside authority request by this communication interface;
According to the signature identification of this authority request obtaining request side, in preset authentication list, retrieve this signature identification whether be in the state be allowed to;
When this signature identification is for being allowed to state, for this authority request is to system application authority.
2. authority request response method according to claim 1, is characterized in that, the communication interface of described system level, refers to Binder mechanism based on Android and the communication service process set up, for initiate the applications process communication of authority request.
3. authority request response method according to claim 1, is characterized in that, described signature identification refers to the UID in android system, and each UID corresponds to an application.
4. authority request response method according to claim 1, is characterized in that, described preset authentication list, stores some signature identifications, and the existence of signature identification in authentication list characterizes this signature identification for the state of being allowed to.
5. authority request response method according to claim 1, it is characterized in that, described preset authentication list, store the state recognition field of some signature identifications and each signature identification setting of correspondence, when the corresponding state recognition field of certain signature identification is set to characterize the symbol be allowed to, with this signature identification of this symbolic representation for the state of being allowed to.
6. authority request response method as claimed in any of claims 1 to 5, it is characterized in that, it comprises the following steps: obtain common authentication table data from remote interface and upgrade local described authentication list.
7. authority request response method as claimed in any of claims 1 to 5, it is characterized in that, after this authority request of employing successfully obtains Root authority, the consumer process of this authority request and the communication of service processes are initiated in binding, and this service processes is for responding the instruction performing and performed by consumer process request.
8. authority request response method as claimed in any of claims 1 to 5, it is characterized in that, in local described authentication list, be provided with the type identification of the authority action period for characterizing the user program corresponding with described signature identification, to system applying right in limited time, the authority that corresponding described type identification application is dissimilar.
9. an authority request responding device, is characterized in that, it comprises:
Communication interface, is started by the mode with system level, for monitoring outside authority request;
Retrieval unit, for the signature identification according to this authority request obtaining request side, retrieves this signature identification and whether is in the state be allowed in preset authentication list;
Processing unit, when this signature identification is for being allowed to state, for for this authority request is to system application authority.
10. authority request responding device according to claim 9, it is characterized in that, described communication interface is the Binder mechanism based on Android and the communication service process being placed in system level set up, by obtaining described authority request with applications process communication.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410696530.4A CN104346559B (en) | 2014-11-26 | 2014-11-26 | Authority request response method and corresponding device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410696530.4A CN104346559B (en) | 2014-11-26 | 2014-11-26 | Authority request response method and corresponding device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104346559A true CN104346559A (en) | 2015-02-11 |
| CN104346559B CN104346559B (en) | 2018-01-02 |
Family
ID=52502140
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410696530.4A Active CN104346559B (en) | 2014-11-26 | 2014-11-26 | Authority request response method and corresponding device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104346559B (en) |
Cited By (16)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105243325A (en) * | 2015-09-29 | 2016-01-13 | 北京奇虎科技有限公司 | Method for residual process file in mobile terminal, mobile terminal and server |
| CN105282241A (en) * | 2015-09-28 | 2016-01-27 | 青岛海尔智能家电科技有限公司 | Internet of Things equipment control method and apparatus |
| CN105808536A (en) * | 2014-12-27 | 2016-07-27 | 北京奇虎科技有限公司 | A file processing method and device |
| CN105912930A (en) * | 2016-04-11 | 2016-08-31 | 北京奇虎科技有限公司 | Mobile terminal and system resource safety control method thereof |
| CN106127031A (en) * | 2016-06-23 | 2016-11-16 | 北京金山安全软件有限公司 | Method and device for protecting process and electronic equipment |
| CN106296129A (en) * | 2016-08-16 | 2017-01-04 | 天脉聚源(北京)传媒科技有限公司 | A kind of status indicator method and device |
| CN106503577A (en) * | 2016-09-28 | 2017-03-15 | 乐视控股(北京)有限公司 | A kind of System right management method, device and corresponding equipment |
| CN106570390A (en) * | 2016-10-27 | 2017-04-19 | 努比亚技术有限公司 | Equipment permission control method and device |
| CN106886715A (en) * | 2015-12-15 | 2017-06-23 | 北京奇虎科技有限公司 | authority request response method and corresponding device |
| CN106886712A (en) * | 2015-12-16 | 2017-06-23 | 北京奇虎科技有限公司 | The method and device of installation procedure |
| CN106919812A (en) * | 2015-12-26 | 2017-07-04 | 腾讯科技(深圳)有限公司 | A kind of application process right management method and device |
| CN107203706A (en) * | 2016-03-16 | 2017-09-26 | 阿里巴巴集团控股有限公司 | The detection method and device of authority inside APP |
| CN107333150A (en) * | 2017-08-15 | 2017-11-07 | 四川长虹电器股份有限公司 | The method that management and control is installed in Android intelligent television application |
| WO2018040972A1 (en) * | 2016-08-31 | 2018-03-08 | 福建联迪商用设备有限公司 | Method and system for improving application security of payment terminal |
| CN109936550A (en) * | 2017-12-18 | 2019-06-25 | 福建天泉教育科技有限公司 | The setting method and terminal of network firewall in a kind of Android system |
| CN115314247A (en) * | 2022-06-30 | 2022-11-08 | 中化学交通建设集团有限公司 | Internet of things equipment management method and related equipment |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102591727A (en) * | 2012-01-04 | 2012-07-18 | 华为终端有限公司 | Method for processing application data and computing node |
| CN103617389A (en) * | 2013-11-08 | 2014-03-05 | 上海天奕达网络科技有限公司 | Terminal rights management method and terminal device |
| CN103826215A (en) * | 2014-02-11 | 2014-05-28 | 北京奇虎科技有限公司 | Method and apparatus for carrying out root authority management at terminal equipment |
| US20140242945A1 (en) * | 2011-11-15 | 2014-08-28 | Beijing Netqin Technology Co., Ltd. | Method and system for monitoring application program of mobile device |
-
2014
- 2014-11-26 CN CN201410696530.4A patent/CN104346559B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20140242945A1 (en) * | 2011-11-15 | 2014-08-28 | Beijing Netqin Technology Co., Ltd. | Method and system for monitoring application program of mobile device |
| CN102591727A (en) * | 2012-01-04 | 2012-07-18 | 华为终端有限公司 | Method for processing application data and computing node |
| CN103617389A (en) * | 2013-11-08 | 2014-03-05 | 上海天奕达网络科技有限公司 | Terminal rights management method and terminal device |
| CN103826215A (en) * | 2014-02-11 | 2014-05-28 | 北京奇虎科技有限公司 | Method and apparatus for carrying out root authority management at terminal equipment |
Cited By (21)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105808536A (en) * | 2014-12-27 | 2016-07-27 | 北京奇虎科技有限公司 | A file processing method and device |
| CN105808536B (en) * | 2014-12-27 | 2021-01-12 | 北京奇虎科技有限公司 | File processing method and device |
| CN105282241A (en) * | 2015-09-28 | 2016-01-27 | 青岛海尔智能家电科技有限公司 | Internet of Things equipment control method and apparatus |
| CN105243325A (en) * | 2015-09-29 | 2016-01-13 | 北京奇虎科技有限公司 | Method for residual process file in mobile terminal, mobile terminal and server |
| CN106886715A (en) * | 2015-12-15 | 2017-06-23 | 北京奇虎科技有限公司 | authority request response method and corresponding device |
| CN106886712A (en) * | 2015-12-16 | 2017-06-23 | 北京奇虎科技有限公司 | The method and device of installation procedure |
| CN106886712B (en) * | 2015-12-16 | 2021-03-19 | 北京奇虎科技有限公司 | Method and device for installing program |
| CN106919812A (en) * | 2015-12-26 | 2017-07-04 | 腾讯科技(深圳)有限公司 | A kind of application process right management method and device |
| CN106919812B (en) * | 2015-12-26 | 2020-06-16 | 腾讯科技(深圳)有限公司 | Application process authority management method and device |
| CN107203706A (en) * | 2016-03-16 | 2017-09-26 | 阿里巴巴集团控股有限公司 | The detection method and device of authority inside APP |
| CN105912930A (en) * | 2016-04-11 | 2016-08-31 | 北京奇虎科技有限公司 | Mobile terminal and system resource safety control method thereof |
| CN105912930B (en) * | 2016-04-11 | 2019-02-01 | 北京奇虎科技有限公司 | Mobile terminal and its system resource method of controlling security |
| CN106127031A (en) * | 2016-06-23 | 2016-11-16 | 北京金山安全软件有限公司 | Method and device for protecting process and electronic equipment |
| CN106296129A (en) * | 2016-08-16 | 2017-01-04 | 天脉聚源(北京)传媒科技有限公司 | A kind of status indicator method and device |
| WO2018040972A1 (en) * | 2016-08-31 | 2018-03-08 | 福建联迪商用设备有限公司 | Method and system for improving application security of payment terminal |
| CN106503577A (en) * | 2016-09-28 | 2017-03-15 | 乐视控股(北京)有限公司 | A kind of System right management method, device and corresponding equipment |
| CN106570390A (en) * | 2016-10-27 | 2017-04-19 | 努比亚技术有限公司 | Equipment permission control method and device |
| CN107333150A (en) * | 2017-08-15 | 2017-11-07 | 四川长虹电器股份有限公司 | The method that management and control is installed in Android intelligent television application |
| CN109936550A (en) * | 2017-12-18 | 2019-06-25 | 福建天泉教育科技有限公司 | The setting method and terminal of network firewall in a kind of Android system |
| CN115314247A (en) * | 2022-06-30 | 2022-11-08 | 中化学交通建设集团有限公司 | Internet of things equipment management method and related equipment |
| CN115314247B (en) * | 2022-06-30 | 2024-02-09 | 中化学交通建设集团有限公司 | Internet of things equipment management method and related equipment |
Also Published As
| Publication number | Publication date |
|---|---|
| CN104346559B (en) | 2018-01-02 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN104346559A (en) | Authority request response method and device thereof | |
| CN104375869A (en) | Self-starting application control method and device | |
| CN100480948C (en) | Mobile terminal, resource access control system of mobile terminal, and resource access control method of mobile terminal | |
| CN109564527B (en) | Security configuration of cloud computing nodes | |
| CN105427096A (en) | Payment security sandbox realization method and system and application program monitoring method and system | |
| CN104376256B (en) | Program process hatching control and device | |
| CN103268438A (en) | Android authority management method and system based on calling chain | |
| CN104375494B (en) | Security sandbox construction method and security sandbox construction device | |
| CN105095746A (en) | Method and device for application program starting authentication | |
| CN104881601A (en) | Floating window display setup, control method and device | |
| CN105550003A (en) | Application updating system and method | |
| CN104580203A (en) | Website malicious program detection method and device | |
| CN105553999A (en) | Application program user behavior analysis and security control method and corresponding device | |
| US11621950B2 (en) | Data processing methods, servers, client devices and media for security authentication | |
| US20040037423A1 (en) | Mobile programs | |
| CN103023943B (en) | Task processing method and device, terminal unit | |
| JP6282204B2 (en) | System and method for monitoring access to network in secure site | |
| CN111416827B (en) | Method for discovering network function NF according to security level | |
| US8474013B2 (en) | Securely managing password access to a computer system | |
| CN104573489A (en) | Method and device for forbidding application to establish desktop icon | |
| CN116049822A (en) | Application program supervision method, system, electronic device and storage medium | |
| CN114301682B (en) | Data processing method, device and terminal equipment | |
| CN104252588A (en) | Working area access controlling method and device | |
| KR100538924B1 (en) | Method for providing Web Service, Remote Storage Service and Remote Control Service based on Peer-to-Peer between a Plurality of Client Terminals and Personal Computers Operated as Server | |
| US11212292B2 (en) | Network access control authorization process chaining |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20220727 Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015 Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park) Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Patentee before: Qizhi software (Beijing) Co.,Ltd. |
|
| TR01 | Transfer of patent right |