CN104573435A - Method for terminal authority management and terminal - Google Patents
Method for terminal authority management and terminal Download PDFInfo
- Publication number
- CN104573435A CN104573435A CN201310481309.2A CN201310481309A CN104573435A CN 104573435 A CN104573435 A CN 104573435A CN 201310481309 A CN201310481309 A CN 201310481309A CN 104573435 A CN104573435 A CN 104573435A
- Authority
- CN
- China
- Prior art keywords
- white list
- application
- terminal
- application white
- clouds
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
The invention provides a method for terminal authority management and a corresponding terminal. The method comprises the following steps: a) monitoring an authority request on the terminal; b) comparing an application which initiates the authority request with an application white list which is maintained on the terminal; c) executing corresponding authority management according to a comparison result.
Description
Technical field
The present invention relates to terminal management field, relate more specifically to the method for rights management that performs in terminal and corresponding terminal.
Background technology
Along with the increased popularity of mobile terminal, it has become indispensable important component part in the productive life of modern society.Therefore, the Information Security on mobile terminal just becomes extensively concerned problem.On current main flow mobile terminal (particularly based on the intelligent terminal of Android platform), ROOT authority (authority also has (and being not limited to) keeper (Administrator) authority etc. similarly) whether can be used for application, mainly by artificial (user) participation method, judging whether to authorize application can ROOT access rights.
As known to those skilled in the art, ROOT authority represents the highest weight limit in a system usually, when having this authority, third party application can carry out any resource (such as, the resource such as network, storage, calculating) in system distributing, process, operation etc.And existing this inspection application being required to ROOT authority, be too dependent on artificial judgment: for professional user, they can describe from authority and take relatively careful operation; And for amateur (common) user; they usually can be ignored this authority and describe; thus cause the undue mandate to application; make some application obtain this ROOT authority that should not obtain, bring the illegal act of the infringement user legitimate rights and interests such as potential such as privacy is stolen, positional information illegally obtains, critical system data secret feedback.
Such as, the map application of a malice may to the responsive storage area of user's request except " location " resource (such as when installing and/or run, store subscriber identity information, bank account, credit card information, telephone directory etc.) access limit, and then cause sensitive data to leak, and make user benefit impaired.
Summary of the invention
In order to solve the problem, provide according to the method for terminal authorization management of the present invention and corresponding terminal.
According to a first aspect of the invention, a kind of method for administration authority performed in terminal is provided.The method comprises: a) monitor the authority request in described terminal; B) application initiating described authority request and the application white list safeguarded in terminal are compared; And
C) according to the result of described comparison, corresponding rights management is performed.
In certain embodiments, step c) comprising: if the result of described comparison be described in be applied in described application white list, then permit described authority request; If the result of described comparison be described application not in described application white list, then to user's alarm of described terminal.
In certain embodiments, described application white list is obtained from server by described terminal.
In certain embodiments, described terminal regularly or when starting upgrades described application white list.
In certain embodiments, described terminal is regularly or upgrade described application white list when starting and comprise: the timestamp of the application white list on the timestamp of more described application white list or version number and server or version number, to determine whether to need to upgrade described application white list; If need to upgrade, then download up-to-date application white list from server, and upgrade the described application white list in described terminal based on the application white list downloaded; If do not need to upgrade, then terminate renewal process.
In certain embodiments, the described application white list upgraded in described terminal based on the application white list downloaded comprises: back up the described application white list in described terminal; Completeness and efficiency verification is carried out to the application white list downloaded; And if check results is correct, then replace the upper described application white list of described terminal with the application white list downloaded; If check results is incorrect, then terminate described renewal process.
In certain embodiments, the relevant information in described renewal process is preserved with log mode.
In certain embodiments, step a) comprising: raise the monitoring module in order to background service mode operation, to monitor the authority request in described terminal in described terminal.
In certain embodiments, also comprise " high in the clouds check " label entry relevant respectively to each application in described application white list, be used to indicate the authority request checking respective application whether beyond the clouds.
In certain embodiments, step c) comprising: if the result of described comparison be described in be applied in described application white list, then check " high in the clouds inspection " label entry applied described in described application white list: if the instruction of described " high in the clouds inspection " label entry needs to check beyond the clouds the authority request of described application, then send to high in the clouds the request of inspection, and check result from high in the clouds, and perform corresponding rights management; If the instruction of described " high in the clouds inspection " label entry does not need the authority request checking described application beyond the clouds, then permit described authority request.
In certain embodiments, step b) comprising: the digital digest value calculating described application; And the digital digest value respectively applied in the digital digest value calculated and described application white list is compared, to determine described application whether in described application white list.
In certain embodiments, described terminal provides user interface, following at least one item is set for user: whether carry out application white list updating; Whether carry out high in the clouds inspection; And whether carry out high in the clouds log analysis.
According to a second aspect of the invention, a kind of terminal for administration authority is provided.This terminal comprises: monitoring unit, for monitoring the authority request in described terminal; Comparing unit, for comparing the application initiating described authority request and the application white list safeguarded in terminal; And administrative unit, for the result according to described comparison, perform corresponding rights management.
In certain embodiments, described administrative unit is used for: if the result of described comparison be described in be applied in described application white list, then permit described authority request; If the result of described comparison be described application not in described application white list, then to user's alarm of described terminal.
In certain embodiments, described application white list is obtained from server by described terminal.
In certain embodiments, also comprise: updating block, for regularly or when starting upgrading described application white list.
In certain embodiments, the timestamp of the application white list of described updating block also on: the timestamp of more described application white list or version number and server or version number, to determine whether to need to upgrade described application white list; If need to upgrade, then download up-to-date application white list from server, and upgrade the described application white list in described terminal based on the application white list downloaded; If do not need to upgrade, then terminate renewal process.
In certain embodiments, described updating block also for: back up the described application white list in described terminal; Completeness and efficiency verification is carried out to the application white list downloaded; And if check results is correct, then replace the upper described application white list of described terminal with the application white list downloaded; If check results is incorrect, then terminate described renewal process.
In certain embodiments, described updating block is also for being preserved the relevant information in described renewal process with log mode.
In certain embodiments, described monitoring unit for: run in described terminal with backstage service mode, to monitor the authority request in described terminal.
In certain embodiments, also comprise " high in the clouds check " label entry relevant respectively to each application in described application white list, be used to indicate the authority request checking respective application whether beyond the clouds.
In certain embodiments, described administrative unit is used for: if the result of described comparison be described in be applied in described application white list, then check " high in the clouds inspection " label entry applied described in described application white list: if the instruction of described " high in the clouds inspection " label entry needs to check beyond the clouds the authority request of described application, then send to high in the clouds the request of inspection, and check result from high in the clouds, and perform corresponding rights management; If the instruction of described " high in the clouds inspection " label entry does not need the authority request checking described application beyond the clouds, then permit described authority request.
In certain embodiments, described comparing unit is used for: the digital digest value calculating described application; And the digital digest value respectively applied in the digital digest value calculated and described application white list is compared, to determine described application whether in described application white list.
In certain embodiments, described terminal also comprises user interface, arranges following at least one item for user: whether carry out application white list updating; Whether carry out high in the clouds inspection; And whether carry out high in the clouds log analysis.
The method of the application of the invention and terminal, can carry out the detection of ROOT authority request automatically, ensures that the application of safety obtains authority, and reduce user misses mandate situation to malicious application, and then the data security of protection user.
Accompanying drawing explanation
By the preferred embodiments of the present invention being described below in conjunction with accompanying drawing, above-mentioned and other objects, features and advantages of the present invention will be made clearly, wherein:
Fig. 1 shows the schematic diagram of the example application scene according to the system for terminal authorization management of the present invention.
Fig. 2 shows the example rights management flow process according to the embodiment of the present invention.
Fig. 3 shows the process flow diagram of the exemplary method for terminal authorization management according to the embodiment of the present invention.
Fig. 4 shows the block diagram of the exemplary terminal of method according to execution Fig. 3 of the embodiment of the present invention.
Embodiment
With reference to the accompanying drawings to a preferred embodiment of the present invention will be described in detail, eliminating in the course of the description is unnecessary details and function for the present invention, causes obscure to prevent the understanding of the present invention.Below, be applied to the scene of mobile radio system for the present invention, to invention has been detailed description.But the present invention is not limited thereto, the present invention also can be applied to fixed communications, wired communication system, or is applied to any mixed structure of mobile radio system, fixed communications, wired communication system etc.With regard to mobile communication system, the present invention is not limited to the concrete communication protocol of each involved mobile communication terminal, 2G, 3G, 4G, 5G network can be included, but is not limited to, WCDMA, CDMA2000, TD-SCDMA system etc., different mobile terminals can adopt the anti-view of identical communication, also can adopt different communication protocol.In addition, the present invention is not limited to the specific operating system of mobile terminal, can include, but is not limited to iOS, Windows Mobile, Symbian, Android etc., different mobile terminals can adopt identical operating system, also can adopt different operating system.
Fig. 1 shows the schematic diagram of the application scenarios according to the system 1000 for terminal authorization management of the present invention.As shown in Figure 1, system 1000 can comprise terminal 100 and server 200.For the sake of clarity, illustrate only a terminal 100 and a server 200 in figure, but the present invention is not limited thereto, can comprise the terminal and/or server etc. of two or more numbers.Terminal 100 can belong to user or can by user operation.Terminal 100 can be communicated by communication network 300 with server 200.The example of communication network 300 can include, but is not limited to: internet, mobile communications network, permanent haulage line (as xDSL, optical fiber etc.) etc.
In the embodiment shown in fig. 1, in order to administration authority on the terminal 100, will install on the terminal 100 by rights management client 150 (hereinafter referred to as client 150) according to an embodiment of the invention.Client 150 can by user in the form of software in vain row be arranged in terminal 100, or can be arranged in terminal 100 with the form of hardware or firmware by production firm.In certain embodiments, client 150 can be such as download from network after user have purchased terminal 100 be specifically designed to application software of the present invention.In further embodiments, client 150 can be the application program be such as pre-installed in firmware or example, in hardware by production firm in terminal 100.In other embodiment, client 150 can be the hardware module or terminal 100 itself of being produced by production firm.
As mentioned before, on the terminal 100, when applying installation and/or application (service) runs, application all likely initiates ROOT authority request, to obtain ROOT authority.In one embodiment, terminal 100 can adopt as hereafter composition graphs 1 and Fig. 2 described terminal on the example flow of ROOT rights management.
1),
service starts
First, when the system in terminal 100 starts, except the system service of key, preferentially can start and detect service (hereinafter referred to as S1) according to the white list of the embodiment of the present invention, to guarantee before needing monitored all application starts, S1 has just brought into operation and has monitored all ROOT authority request.
In addition, in one embodiment, S1 can use Android NDK (NativeDevelopment Kit, i.e. local kit) develop, and can JNI (JavaNative Interface be passed through, i.e. Java local interface) mode calls the core system calling interface that Android system provides, and thus realizes function of the present invention.Certainly, S1 also can use other modes to develop and realize, and the present invention is not limited thereto.
2)
white list updating
In one embodiment, S1, when starting, first can initiate renewal process.At no point in the update process, S1 first can by the timestamp of current whitelist file that comparison terminal 100 is preserved and remote server (such as, server 200) on the timestamp of up-to-date whitelist file, judge whether to need to upgrade the white list of this locality.If find that local time stamp stabs early than remote time, then show that local whitelist file needs to upgrade.Next, S1 and long-range white list server will carry out communication, and download up-to-date whitelist file to the temp directory of specifying.In one embodiment, communication can be undertaken by HTTP (or optional HTTPS) mode.Certainly, in other embodiments, communication also can be undertaken by other communication protocols, includes, but is not limited to: FTP, SFTP, TFTP etc.
In one embodiment, after downloading up-to-date white list success, first existing (this locality) whitelist file in terminal 100 can be carried out backup operation.Like this, can ensure, if upgrade unsuccessfully, the whitelist file of backup can be used recover, and can not cause without white list can serious consequence.
In addition, S1 can carry out basic completeness and efficiency verification to the whitelist file after download.Such as, can verify the digital signature of the whitelist file after download and digital digest, to guarantee its completeness and efficiency.After the up-to-date whitelist file confirming to download is errorless, the renewal whitelist file under temp directory can be saved to intended target path, such as, replace the whitelist file in terminal 100.
In addition, can by the renewal relevant information of generation in renewal process (comprise upgrade inspections, renewal rewards theory, checking procedure etc.) with log mode in addition record.Such as, in Android system, can by renewal relevant information to give tacit consent to WARNING and ERROR rank as daily record in addition record.Daily record can be left in under the catalogue of white list peer by plaintext text mode, such as, "/sdcard/whitelist/update.10g " in system.
3)
white list loads
After S1 executes white list updating operation, updated local whitelist file can be read, and can adopt HASH MAP mode in internal memory, set up the list queue of white list list items.In one embodiment, MAP form can be as described below:
< applies (service) name digital digest >
Wherein, the digital digest value of " digital digest " field corresponding application before being, can use such as with the digital digest value that MD5, SHA1 scheduling algorithm obtains.This digital digest value may be used for identifying different application and/or service.
In addition, white list listing file can leave system SD assigned address in ciphertext file mode, such as "/sdcard/whitelist/list.data ".In one embodiment, AES encryption algorithm can be used.Certainly, the present invention is not limited thereto, also can use other cryptographic algorithm, such as DES, 3DES, elliptic curve cryptography etc.
4)
the detection of authority request and interception
After loading white list, S1 can call and monitor module (unit), and ROOT authority request behavior when running the application installation in terminal 100, application is monitored.This monitoring module can adopt background service (service) mode to run.
Due in Android system, application usually can in the following ways to system request ROOT authority:
Process p=Runtime.getRuntime.exec(″su″);
Therefore, in one embodiment, such as, by amendment order " su " (also can be other ROOT authority request orders, " sudo " etc.), and the solution realizing the embodiment of the present invention according to the control of authority module of the embodiment of the present invention can be inserted in its treatment scheme.In another embodiment, also by the getRuntime.exec method of amendment Runtime class, the order of calling can be judged.If judge that the order of calling is the ROOT authority request order of " su " and so on, then can insert the solution realizing the embodiment of the present invention according to the control of authority module of the embodiment of the present invention in the getRuntime.exec method of Runtime class equally.Certainly, the invention is not restricted to the method for above-mentioned detection and interception ROOT authority request.
5)
white list mates
When S1 has found the ROOT authority request produced when application is installed or application (service) (such as, application A1) runs, S1 will take over this solicit operation by such as aforesaid way.Then for the application initiating ROOT authority request, matching check is carried out to the white list of current loading.In one embodiment, matching check can be carried out in the following manner: the digital digest (MD5, SHA1 etc.) first calculating the application producing this ROOT authority request; Then the digital digest respectively applied in this digital digest and white list is compared; If find the digital digest that there is identical (coupling), then determine that this is applied in white list; Otherwise, then determine that this application is not in white list.In another embodiment, also can simply by comparing the apply names of this application or compare apply names and digital digest to carry out matching check simultaneously.Certainly, the invention is not restricted to above-mentioned matching check mode, also can adopt any other matching way.
If find that this application or service A1 be not in the white list list of terminal 100, so S1 can stop current ROOT authority request, and can calling system message interface, carries out alarm by Pop-up message window mode to user.
In one embodiment, if find that this application or service A1 are present in white list, then can check " high in the clouds inspection " mark of the respective application in white list list, this mark indicates and is applied on cloud server checks further the need of for this.If this mark is set as needing further high in the clouds to check, then S1 can send request to high in the clouds white list server (such as, server 200), requires to carry out up-to-date white list inspection to the A1 of the current ROOT of sending authority request.The information such as title, digital digest of A1 can be comprised in this request, judge A1 whether beyond the clouds in white list for cloud server.If this A1 is present in the up-to-date white list of cloud server, so S1 will decontrol the ROOT authority request (that is, returning common ROOT authority request flow process) that A1 sends, and A1 can be allowed the subsequent access request of information resources.
Certainly, in other embodiments, when judging that application A1 is not in the white list of terminal 100 this locality, also can initiate high in the clouds checking process according to default " high in the clouds inspection " mark to cloud server, the present invention is not limited thereto.
In addition, all daily records produced in white list testing process can be left in under the catalogue of white list peer by plaintext text mode, such as "/sdcard/whitelist/check.log ".
In addition, during S1 is run, need each parameter configuration checked, administration configuration can be carried out by special user interface for user.This user interface at least can include, but is not limited to upgrade setting, three parts such as setting and log management are detected in high in the clouds.Upgrade to arrange to set and check relevant switch to the need of carrying out upgrading.High in the clouds is detected to arrange and can be set the need of carrying out the inspection of further high in the clouds, this arranges and can arrange separately for each application in white list list, also can arrange for set of applications, default setting can be there is in addition, should be used for for non-existent in white list list as mentioned above.Log management can set the way to manage of daily record and/or analyze the need of the further high in the clouds of carrying out daily record.As mentioned above, it is local that the daily record produced in all stages that S1 runs can be kept at terminal 100.When set by log management need to daily record carry out further high in the clouds to analyze time, these daily records can be submitted to remote analysis server (such as, server 200), for Analysis server analysis.This user interface can use Java language and Android SDK to develop.
In addition, data based on the safe Sample Storehouse in this white list cloud platform that can provide based on third party's security service provider.Thus the continuous updating of cloud platform Sample Storehouse can ensure the accuracy of white list mechanism, reduce the possibility reporting or fail to report generation by mistake.
By using above-mentioned rights management flow process, proposing and relating to the white list testing mechanism that the ROOT authority request in two stages when (service) runs was installed and applied in application.It does not need artificial participation, automatically carries out request safety detection, ensures that the application be only present in this locality or high in the clouds white list is just allowed to the access behavior obtaining ROOT authority and read the privacy relevant to user terminal and key message data.
Fig. 3 shows the process flow diagram of the method 400 for managing application program according to the embodiment of the present invention.As shown in Figure 3, method 400 can comprise step S410, S420 and S430.According to the present invention, some steps of method 400 can perform separately or combine execution, and can executed in parallel or order perform, be not limited to shown in Fig. 3 concrete operations order.In certain embodiments, method 400 can terminal 100 as shown in Figure 1 or the client 150 be arranged in terminal 100 perform.
Fig. 4 shows the block diagram of the exemplary terminal 100 for rights management according to the embodiment of the present invention.As shown in Figure 4, terminal 100 can comprise: monitoring unit 110, comparing unit 120 and administrative unit 130.
Monitoring unit 110 is for the authority request in monitor terminal 100.Monitoring unit 110 can be the CPU (central processing unit) (CPU), digital signal processor (DSP), microprocessor, microcontroller etc. of terminal 100, it by being responsible for the module of processing authority request in the system of amendment terminal 100, can carry out the authority request in monitor terminal 100.
Comparing unit 120 is for comparing the application initiating authority request with the application white list safeguarded on the terminal 100.Comparing unit 120 can be the CPU (central processing unit) (CPU), digital signal processor (DSP), microprocessor, microcontroller etc. of terminal 100, it can match with the storer of terminal 100 (RAM, SD card etc.), by the application initiating authority request with in terminal 100 storer on the application white list safeguarded compare, to determine whether this application is applying in white list.
Administrative unit 130, for the result according to comparison, performs corresponding rights management.Administrative unit 130 can be the CPU (central processing unit) (CPU), digital signal processor (DSP), microprocessor, microcontroller etc. of terminal 100, it can match with the storer of terminal 100 (RAM, SD card etc.), according to the result of comparison, perform corresponding rights management, thus allow by the authority request of the application initiation in application white list, or to the authority request that user's prompting is initiated by the application not in white list.
In addition, terminal 100 can also comprise other unit shown in Fig. 4 end, such as updating block.In certain embodiments, updating block may be used for regularly or the more new opplication white list when starting.
Below with reference to Fig. 3 and Fig. 4, be described in detail according to the method 400 for administration authority on the terminal 100 of the embodiment of the present invention and terminal 100.
Method 400 starts from step S410, in step S410, can be carried out the authority request in monitor terminal 100 by the monitoring unit 110 of terminal 100.
In the step s 420, by the comparing unit 120 of terminal 100, the application initiating authority request can be compared with the application white list safeguarded on the terminal 100.
In step S430, by the administrative unit 130 of terminal 100 according to the result of comparison, corresponding rights management can be performed.
In certain embodiments, step S430 can comprise: if the result of comparison is applied in application white list, then permissions request; If the result of comparison applies not in application white list, then to user's alarm of terminal 100.
In certain embodiments, apply white list to be obtained from server 200 by terminal 100.
In certain embodiments, terminal 100 updating block can regularly or when starting more new opplication white list.
In certain embodiments, more new opplication white list comprises regularly or when starting: the updating block of terminal 100 can compare timestamp or the version number of the application white list on the timestamp of application white list or version number and server 200, to determine whether to need more new opplication white list; If need to upgrade, then download up-to-date application white list from server 200, and carry out the application white list on more new terminal 100 based on the application white list downloaded; If do not need to upgrade, then terminate renewal process.
In certain embodiments, the application white list come on more new terminal 100 based on the application white list downloaded comprises: the updating block of terminal 100 can application white list in back-up terminals 100; Completeness and efficiency verification is carried out to the application white list downloaded; And if check results is correct, then replace the upper application white list of terminal 100 with the application white list downloaded; If check results is incorrect, then terminate renewal process.
In certain embodiments, the relevant information in renewal process can be preserved with log mode by the updating block of terminal 100.
In certain embodiments, step S410 can comprise: call the monitoring module run with backstage service mode on the terminal 100, with the authority request in monitor terminal 100.
In certain embodiments, " high in the clouds check " label entry relevant respectively to each application can also be comprised in application white list, be used to indicate the authority request checking respective application whether beyond the clouds.
In certain embodiments, step S430 can comprise: if the result of comparison is applied in application white list, then check " high in the clouds inspection " label entry applied in application white list: if the instruction of " high in the clouds inspection " label entry needs to check beyond the clouds the authority request of application, then send to high in the clouds the request of inspection, and check result from high in the clouds, and perform corresponding rights management; If the instruction of " high in the clouds inspection " label entry does not need the authority request checking application beyond the clouds, then permissions request.
In certain embodiments, step S420 can comprise: the digital digest value of computing application; And the digital digest value calculated and each digital digest value applied in application white list are compared, to determine whether application is applying in white list.
In certain embodiments, user interface can be provided on the terminal 100, following at least one item is set for user: whether carry out application white list updating; Whether carry out high in the clouds inspection; And whether carry out high in the clouds log analysis.
So far invention has been described in conjunction with the preferred embodiments.Should be appreciated that, those skilled in the art without departing from the spirit and scope of the present invention, can carry out various other change, replacement and interpolation.Therefore, scope of the present invention is not limited to above-mentioned specific embodiment, and should be limited by claims.
Claims (24)
1. the method for administration authority performed in terminal, comprising:
A) authority request in described terminal is monitored;
B) application initiating described authority request and the application white list safeguarded in terminal are compared; And
C) according to the result of described comparison, corresponding rights management is performed.
2. method according to claim 1, wherein, step c) comprising:
If the result of described comparison is applied in described application white list described in being, then permit described authority request;
If the result of described comparison be described application not in described application white list, then to user's alarm of described terminal.
3. method according to claim 1, wherein, described application white list is obtained from server by described terminal.
4. method according to claim 1, wherein, described terminal regularly or when starting upgrades described application white list.
5. method according to claim 4, wherein, described terminal regularly or upgrade described application white list when starting and comprise:
The timestamp of the application white list on the timestamp of more described application white list or version number and server or version number, to determine whether to need to upgrade described application white list;
If need to upgrade, then download up-to-date application white list from server, and upgrade the described application white list in described terminal based on the application white list downloaded;
If do not need to upgrade, then terminate renewal process.
6. method according to claim 5, wherein, the described application white list upgraded in described terminal based on the application white list downloaded comprises:
Back up the described application white list in described terminal;
Completeness and efficiency verification is carried out to the application white list downloaded; And
If check results is correct, then replace the described application white list in described terminal with the application white list downloaded;
If check results is incorrect, then terminate described renewal process.
7. method according to claim 6, wherein, is preserved the relevant information in described renewal process with log mode.
8. method according to claim 1, wherein, step a) comprising:
The monitoring module in order to background service mode operation is raised, to monitor the authority request in described terminal in described terminal.
9. method according to claim 1, wherein, also comprises " high in the clouds check " label entry relevant respectively to each application, is used to indicate the authority request checking respective application whether beyond the clouds in described application white list.
10. method according to claim 9, wherein, step c) comprising:
If the result of described comparison is applied in described application white list described in being, then check " high in the clouds inspection " label entry applied described in described application white list:
If the instruction of described " high in the clouds inspection " label entry needs the authority request checking described application beyond the clouds, then send to high in the clouds the request of inspection, and check result from high in the clouds, and perform corresponding rights management;
If the instruction of described " high in the clouds inspection " label entry does not need the authority request checking described application beyond the clouds, then permit described authority request.
11. methods according to claim 1, wherein, step b) comprising:
Calculate the digital digest value of described application; And
The digital digest value respectively applied in the digital digest value calculated and described application white list is compared, to determine described application whether in described application white list.
12. methods according to claim 1, wherein, described terminal provide user interface, arrange following at least one item for user:
Whether carry out application white list updating;
Whether carry out high in the clouds inspection; And
Whether carry out high in the clouds log analysis.
13. 1 kinds, for the terminal of administration authority, comprising:
Monitoring unit, for monitoring the authority request in described terminal;
Comparing unit, for comparing the application initiating described authority request and the application white list safeguarded in terminal; And
Administrative unit, for the result according to described comparison, performs corresponding rights management.
14. terminals according to claim 13, wherein, described administrative unit is used for:
If the result of described comparison is applied in described application white list described in being, then permit described authority request;
If the result of described comparison be described application not in described application white list, then to user's alarm of described terminal.
15. terminals according to claim 13, wherein, described application white list is obtained from server by described terminal.
16. terminals according to claim 13, also comprise: updating block, for regularly or when starting upgrading described application white list.
17. terminals according to claim 16, wherein, described updating block also for:
The timestamp of the application white list on the timestamp of more described application white list or version number and server or version number, to determine whether to need to upgrade described application white list;
If need to upgrade, then download up-to-date application white list from server, and upgrade the described application white list in described terminal based on the application white list downloaded;
If do not need to upgrade, then terminate renewal process.
18. terminals according to claim 17, wherein, described updating block also for:
Back up the described application white list in described terminal;
Completeness and efficiency verification is carried out to the application white list downloaded; And
If check results is correct, then replace the upper described application white list of described terminal with the application white list downloaded;
If check results is incorrect, then terminate described renewal process.
19. terminals according to claim 18, wherein, described updating block is also for being preserved the relevant information in described renewal process with log mode.
20. terminals according to claim 13, wherein, described monitoring unit is used for:
Run in described terminal with backstage service mode, to monitor the authority request in described terminal.
21. terminals according to claim 13, wherein, also comprise " high in the clouds check " label entry relevant respectively to each application, are used to indicate the authority request checking respective application whether beyond the clouds in described application white list.
22. terminals according to claim 21, wherein, described administrative unit is used for:
If the result of described comparison is applied in described application white list described in being, then check " high in the clouds inspection " label entry applied described in described application white list:
If the instruction of described " high in the clouds inspection " label entry needs the authority request checking described application beyond the clouds, then send to high in the clouds the request of inspection, and check result from high in the clouds, and perform corresponding rights management;
If the instruction of described " high in the clouds inspection " label entry does not need the authority request checking described application beyond the clouds, then permit described authority request.
23. terminals according to claim 21, wherein, described comparing unit is used for:
Calculate the digital digest value of described application; And
The digital digest value respectively applied in the digital digest value calculated and described application white list is compared, to determine described application whether in described application white list.
24. terminals according to claim 13, wherein, described terminal also comprises user interface, arranges following at least one item for user:
Whether carry out application white list updating;
Whether carry out high in the clouds inspection; And
Whether carry out high in the clouds log analysis.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310481309.2A CN104573435A (en) | 2013-10-15 | 2013-10-15 | Method for terminal authority management and terminal |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310481309.2A CN104573435A (en) | 2013-10-15 | 2013-10-15 | Method for terminal authority management and terminal |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN104573435A true CN104573435A (en) | 2015-04-29 |
Family
ID=53089477
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310481309.2A Pending CN104573435A (en) | 2013-10-15 | 2013-10-15 | Method for terminal authority management and terminal |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104573435A (en) |
Cited By (18)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105045625A (en) * | 2015-07-17 | 2015-11-11 | 上海斐讯数据通信技术有限公司 | Method for root authority management and control in Android platform |
| CN105243325A (en) * | 2015-09-29 | 2016-01-13 | 北京奇虎科技有限公司 | Method for residual process file in mobile terminal, mobile terminal and server |
| CN106302966A (en) * | 2015-05-29 | 2017-01-04 | 北京京东尚科信息技术有限公司 | Application head of a family's control system under mobile phone operating system and method |
| CN106355080A (en) * | 2016-08-29 | 2017-01-25 | 上海航盛实业有限公司 | Data security access method and system for vehicular information system |
| CN106529312A (en) * | 2016-10-25 | 2017-03-22 | 广东欧珀移动通信有限公司 | Method and device for permission control of mobile terminal, and mobile terminal |
| CN106778228A (en) * | 2016-11-22 | 2017-05-31 | 北京奇虎科技有限公司 | Control the method and device of application call |
| CN106850590A (en) * | 2017-01-13 | 2017-06-13 | 北京神州泰岳信息安全技术有限公司 | Software white list management method and system |
| CN106933633A (en) * | 2017-03-14 | 2017-07-07 | 北京奇虎科技有限公司 | Right management method, device and mobile terminal |
| CN107181719A (en) * | 2016-03-10 | 2017-09-19 | 阿里巴巴集团控股有限公司 | The detection method and device of a kind of trojan horse program |
| CN107346389A (en) * | 2017-06-20 | 2017-11-14 | 北京东方棱镜科技有限公司 | The detection method and system of mobile terminal abnormal behaviour |
| CN107358091A (en) * | 2017-06-28 | 2017-11-17 | 努比亚技术有限公司 | A kind of System right management method, mobile terminal and computer-readable recording medium |
| CN108197490A (en) * | 2017-12-28 | 2018-06-22 | 努比亚技术有限公司 | Prevent malice from obtaining the method and terminal of authorized user message |
| CN108365972A (en) * | 2018-01-11 | 2018-08-03 | 福建联迪商用设备有限公司 | Terminal applies management method, computer storage media |
| CN108647070A (en) * | 2018-04-18 | 2018-10-12 | Oppo广东移动通信有限公司 | Information prompting method, device, mobile terminal and computer-readable medium |
| CN110489940A (en) * | 2019-08-12 | 2019-11-22 | 北京猎户星空科技有限公司 | The right management method and device of robot control class application program |
| CN112040444A (en) * | 2020-09-03 | 2020-12-04 | 中国第一汽车股份有限公司 | Control method, device, equipment and storage medium |
| CN112948287A (en) * | 2021-03-29 | 2021-06-11 | 成都新易盛通信技术股份有限公司 | SD card read-write method and system based on Hashmap caching mechanism |
| CN113742675A (en) * | 2021-09-10 | 2021-12-03 | 深圳市闪联信息技术有限公司 | USB storage medium safety management system and method based on IoT equipment |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR100629453B1 (en) * | 2005-08-03 | 2006-09-27 | 에스케이 텔레콤주식회사 | Method and system for controlling application run on personal computer by using mobile telecommunication terminal |
| CN101163149A (en) * | 2006-10-13 | 2008-04-16 | 华为技术有限公司 | Network storage system and network storage content access control method |
| CN101650768A (en) * | 2009-07-10 | 2010-02-17 | 深圳市永达电子股份有限公司 | Security guarantee method and system for Windows terminals based on auto white list |
| CN102123382A (en) * | 2010-12-24 | 2011-07-13 | 北京三星通信技术研究有限公司 | Use and management method of network data services of application programs and electronic equipment |
| CN102413220A (en) * | 2011-11-24 | 2012-04-11 | 中兴通讯股份有限公司 | Method for controlling right of using connection function and mobile terminal |
| CN102420902A (en) * | 2011-11-24 | 2012-04-18 | 中兴通讯股份有限公司 | Method for classification management over right of using functions and mobile terminal |
| CN103218564A (en) * | 2013-04-01 | 2013-07-24 | 广东欧珀移动通信有限公司 | Mobile terminal protection method and mobile terminal protection device |
-
2013
- 2013-10-15 CN CN201310481309.2A patent/CN104573435A/en active Pending
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR100629453B1 (en) * | 2005-08-03 | 2006-09-27 | 에스케이 텔레콤주식회사 | Method and system for controlling application run on personal computer by using mobile telecommunication terminal |
| CN101163149A (en) * | 2006-10-13 | 2008-04-16 | 华为技术有限公司 | Network storage system and network storage content access control method |
| CN101650768A (en) * | 2009-07-10 | 2010-02-17 | 深圳市永达电子股份有限公司 | Security guarantee method and system for Windows terminals based on auto white list |
| CN102123382A (en) * | 2010-12-24 | 2011-07-13 | 北京三星通信技术研究有限公司 | Use and management method of network data services of application programs and electronic equipment |
| CN102413220A (en) * | 2011-11-24 | 2012-04-11 | 中兴通讯股份有限公司 | Method for controlling right of using connection function and mobile terminal |
| CN102420902A (en) * | 2011-11-24 | 2012-04-18 | 中兴通讯股份有限公司 | Method for classification management over right of using functions and mobile terminal |
| CN103218564A (en) * | 2013-04-01 | 2013-07-24 | 广东欧珀移动通信有限公司 | Mobile terminal protection method and mobile terminal protection device |
Cited By (23)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106302966A (en) * | 2015-05-29 | 2017-01-04 | 北京京东尚科信息技术有限公司 | Application head of a family's control system under mobile phone operating system and method |
| CN105045625A (en) * | 2015-07-17 | 2015-11-11 | 上海斐讯数据通信技术有限公司 | Method for root authority management and control in Android platform |
| CN105045625B (en) * | 2015-07-17 | 2018-07-31 | 上海斐讯数据通信技术有限公司 | Root authority management-control method under a kind of Android platform |
| CN105243325A (en) * | 2015-09-29 | 2016-01-13 | 北京奇虎科技有限公司 | Method for residual process file in mobile terminal, mobile terminal and server |
| CN107181719A (en) * | 2016-03-10 | 2017-09-19 | 阿里巴巴集团控股有限公司 | The detection method and device of a kind of trojan horse program |
| CN106355080A (en) * | 2016-08-29 | 2017-01-25 | 上海航盛实业有限公司 | Data security access method and system for vehicular information system |
| CN106529312A (en) * | 2016-10-25 | 2017-03-22 | 广东欧珀移动通信有限公司 | Method and device for permission control of mobile terminal, and mobile terminal |
| CN106529312B (en) * | 2016-10-25 | 2019-08-06 | Oppo广东移动通信有限公司 | A kind of authority control method of mobile terminal, device and mobile terminal |
| CN106778228A (en) * | 2016-11-22 | 2017-05-31 | 北京奇虎科技有限公司 | Control the method and device of application call |
| CN106850590A (en) * | 2017-01-13 | 2017-06-13 | 北京神州泰岳信息安全技术有限公司 | Software white list management method and system |
| CN106850590B (en) * | 2017-01-13 | 2020-10-23 | 北京神州泰岳信息安全技术有限公司 | Software white list management method and system |
| CN106933633A (en) * | 2017-03-14 | 2017-07-07 | 北京奇虎科技有限公司 | Right management method, device and mobile terminal |
| CN107346389A (en) * | 2017-06-20 | 2017-11-14 | 北京东方棱镜科技有限公司 | The detection method and system of mobile terminal abnormal behaviour |
| CN107346389B (en) * | 2017-06-20 | 2021-02-19 | 北京东方棱镜科技有限公司 | Method and system for detecting abnormal behavior of mobile terminal |
| CN107358091A (en) * | 2017-06-28 | 2017-11-17 | 努比亚技术有限公司 | A kind of System right management method, mobile terminal and computer-readable recording medium |
| CN108197490A (en) * | 2017-12-28 | 2018-06-22 | 努比亚技术有限公司 | Prevent malice from obtaining the method and terminal of authorized user message |
| CN108365972A (en) * | 2018-01-11 | 2018-08-03 | 福建联迪商用设备有限公司 | Terminal applies management method, computer storage media |
| CN108647070A (en) * | 2018-04-18 | 2018-10-12 | Oppo广东移动通信有限公司 | Information prompting method, device, mobile terminal and computer-readable medium |
| CN110489940A (en) * | 2019-08-12 | 2019-11-22 | 北京猎户星空科技有限公司 | The right management method and device of robot control class application program |
| CN112040444A (en) * | 2020-09-03 | 2020-12-04 | 中国第一汽车股份有限公司 | Control method, device, equipment and storage medium |
| CN112948287A (en) * | 2021-03-29 | 2021-06-11 | 成都新易盛通信技术股份有限公司 | SD card read-write method and system based on Hashmap caching mechanism |
| CN112948287B (en) * | 2021-03-29 | 2023-06-20 | 成都新易盛通信技术股份有限公司 | SD card read-write method and system based on Hashmap caching mechanism |
| CN113742675A (en) * | 2021-09-10 | 2021-12-03 | 深圳市闪联信息技术有限公司 | USB storage medium safety management system and method based on IoT equipment |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN104573435A (en) | Method for terminal authority management and terminal | |
| CN103886260B (en) | A kind of application program management-control method based on dual signature sign test technology | |
| CN109977086B (en) | Method for sharing application between terminals and terminal | |
| US20150113520A1 (en) | Method for confirming correction program and information processing apparatus | |
| US20140150096A1 (en) | Method for assuring integrity of mobile applications and apparatus using the method | |
| CN111209558B (en) | Internet of things equipment identity authentication method and system based on block chain | |
| CN103778367A (en) | Method and terminal for detecting safety of application installation package based on application certificate and auxiliary server | |
| US20080141380A1 (en) | Software component, software component management method, and software component management system | |
| EP3270318B1 (en) | Dynamic security module terminal device and method for operating same | |
| CN104751049A (en) | Application program installing method and mobile terminal | |
| CN113646761A (en) | Providing application security, authentication and feature analysis to applications | |
| CN107294924B (en) | Vulnerability detection method, device and system | |
| CN111224826B (en) | Configuration updating method, device, system and medium based on distributed system | |
| CN111177715A (en) | Mobile App vulnerability detection method and device | |
| CN116340956B (en) | Trusted protection optimization method and device for electric embedded terminal equipment | |
| US10621334B2 (en) | Electronic device and system | |
| US11503053B2 (en) | Security management of an autonomous vehicle | |
| CN102968588B (en) | Intelligent terminal system | |
| CN109474924A (en) | A kind of restoration methods, device, computer equipment and the storage medium of lock network file | |
| CN113228555B (en) | Method, system and apparatus for unified security configuration management | |
| Choi et al. | Large-scale analysis of remote code injection attacks in android apps | |
| CN105100030B (en) | Access control method, system and device | |
| CN107689934B (en) | Method, server and client for guaranteeing information security | |
| WO2017220014A1 (en) | System permission management method and apparatus, and intelligent terminal | |
| CN114629658A (en) | Application signature method, device, equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20150429 |
|
| WD01 | Invention patent application deemed withdrawn after publication |