CN104951707A - Sensitive resource access control policy system based on Android platform - Google Patents


Info

Publication number: CN104951707A
Authority: CN (China)
Application number: CN201510241188.3A
Legal status: Pending (as listed by Google Patents)
Priority date: 2015-05-13
Filing date: 2015-05-13
Publication date: 2015-09-30
Other languages: Chinese (zh)
Inventors: 黄超, 项程程, 袁理, 戚正伟, 管海兵
Current and original assignee: Shanghai Jiaotong University
Prior art keywords: policy, strategy, android, sensitive resource, user


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2149 Restricted operating environment


Abstract

A sensitive resource access control policy system based on the Android platform comprises a policy control server, a policy deployment packager and a policy configuration module. The policy control server dynamically deploys policies. The policy deployment packager deploys a policy into Android application software, changing the code logic of the original application by injecting Java bytecode. The policy configuration module provides a user interface for setting policies: the user sets the required control policy according to the access configuration rules defined by the system and writes it into a configuration file specified by the system. With this system, on the premise of obtaining root authority of the Android system, the access control policy can be dynamically deployed and the sensitive resources the user cares about are protected; at the same time, software can still be installed successfully under the partial authority granted to it, so the user can both use the software and protect their privacy.

Description

Sensitive resource access control policy system based on the Android platform
Technical field
The present invention relates to permission control over sensitive resources by application software in the Android system, and specifically to a sensitive resource access control policy system based on the Android platform that intervenes in permissions by modifying the code of application software through bytecode injection.
Background technology
Market research data for 2014 show that Android holds more than 80% of the global smartphone market, and the open-source Android operating system developed by Google is the most widely used. However, because the Android application software market is chaotic, all kinds of malware hide in it and wait for an opportunity to steal data, so leakage of Android users' personal private data has become a very serious problem.
On the traditional PC side, a great deal of malware detection and protection experience and technology has accumulated, but these methods have limitations when applied to mobile terminals. Compared with a PC, a mobile terminal stores more personal sensitive data, and mobile malware evolves faster.
Because Android has an enormous user base, even a small system vulnerability can cause information leakage on a huge scale. The permission management model provided by native Android is too simple and functionally cannot meet the needs of enterprise users. For example, at installation time an Android application requires the user to agree to its operating permissions on each system resource; if the user refuses to grant a certain permission, installation fails. These permissions are also coarse-grained: for example, the access permission for the SD card does not distinguish a specific file on the SD card.
The problems of Android permission control and sensitive resource leakage have received increasing attention, and many technical schemes have been proposed, mainly in the following categories:
Malware detection techniques: warn users about malware detected in Android markets, eliminating at the source the malware that leaks sensitive resources. These techniques use a series of static analysis methods to find and detect malicious behaviour in Android application software. They suffer from false positives, false negatives and detection delay: software already installed on the user's device cannot be handled, and the diversity of malicious behaviour causes misreports and missed reports.
Sandbox techniques: use tools such as ptrace to trace the process of an Android application and, when a function that operates on sensitive data is called, modify the data or change the behaviour, thereby protecting sensitive data. This method requires root authority on the Android system; obtaining root authority itself brings potential security risks and is also unacceptable in an enterprise environment.
Modifying the Android operating system: because Android is open-source software, a corresponding permission control policy can be customized by modifying the Android source code, strengthening the native Android permission control model to protect private data on the device. This method is technically difficult, and ordinary users cannot complete such customization.
Based on the defects and problems of the above methods, the present invention proposes modifying the code of Android application software by Java bytecode injection, changing the original code logic and removing possible malicious behaviour, so as to protect private data.
Summary of the invention
To address the deficiencies of existing dynamic program verification techniques, the present invention proposes a sensitive resource access control policy system based on the Android platform. Without obtaining root authority on the Android system, it provides fine-grained permission control policies that can be deployed dynamically. It is highly flexible: policy combinations can be customized according to user demand, effectively meeting the diverse requirements of different users and different scenarios and protecting sensitive resources.
The technical solution of the present invention is as follows:
A sensitive resource access control policy system based on the Android platform runs on a Java bytecode injection framework and comprises three main modules, a policy control server, a policy deployment packager and a policy configuration module, characterized in that:
The policy control server is used for dynamic policy deployment: when a preset permission control policy changes, the user submits the change to this module and the system automatically changes the policy in force.
The policy deployment packager deploys the policy into Android application software, changing the code logic of the original application by injecting Java bytecode, so as to restrict access to sensitive resources.
The policy configuration module provides a user interface for setting policies; the user sets the control policy they need according to the permission configuration rules preset by the system and writes it into the configuration file specified by the system.
Further, the policy control server stores the details of each policy on a web server, and an Android application to which a control policy has been applied can request the policy detail data from this server when it requests a sensitive resource.
Further, the policy deployment packager module comprises a policy configuration file parsing module and a code injection module.
Further, the policy configuration file parsing module handles configuration files written in the policy configuration syntax defined by the system, which combine many policies; it receives the policy configuration file written by the user and parses it into the corresponding policy injection code.
Further, the code injection module restricts, according to the policy configured by the user, the operating permission of the policy-enforced Android application on the corresponding sensitive resource, and forwards the data to the Android application only after the sensitive resource has been filtered.
Description of the drawings
Fig. 1 is the architecture diagram of the sensitive resource access control policy system based on the Android platform
Fig. 2 shows the policy configuration file
Fig. 3 shows the process of injecting policy code into Android application software and generating the repackaged software
Fig. 4 shows the experimental results
Embodiment
The present embodiment is implemented on the premise of the technical solution of the present invention; the specific implementation and operating process are described in detail below. The scope of the present invention includes but is not limited to these embodiments.
Referring to Fig. 1, the architecture diagram of the sensitive resource access control policy system based on the Android platform, the specific flow of this embodiment is:
1) the user deploys the policy control server on a corresponding server;
2) the user provides a policy configuration file following the rules shown in Fig. 2;
3) the user invokes the policy deployment packager, passing it the policy configuration file and the Android application;
4) the policy configuration file parsing module in the policy deployment packager translates the policy configuration file into the corresponding policy code;
5) the injection module in the policy deployment packager injects the policy code into the Android application;
6) the user provides a signing key and signs the repackaged program package output by the policy deployment packager;
7) the user installs the signed repackaged package on the relevant device or publishes it to a private Android market for other users.
Fig. 2 shows the policy configuration file format, which includes:
1) the format is based on XML syntax;
2) policies are divided into Global and Private, representing permission control policies for all Android applications and for a specific Android application respectively;
3) the parent tag name of each policy denotes the type of sensitive resource the policy applies to; for example, FileSystem denotes a control policy for file resources on the SD card file system;
4) each policy tag denotes a policy type; for example, File denotes a control policy for a file;
5) the parameters within the tag specify the information needed to enforce the policy; for example, filePath specifies the path of the file the policy targets, and operation specifies the behaviour the policy controls;
6) the tag value indicates whether the behaviour controlled by the policy is allowed; for example, true means the controlled behaviour is allowed.
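The following is an added example, not code from the patent or its authors, showing how a policy file in the Fig. 2 style can be parsed and how the guard that the injected code applies would decide an access and filter returned data (the contact masking of Fig. 4). It assumes details the page does not state: Private policies carry a `package` attribute naming the application they cover, a `Contacts`/`Contact` resource type exists alongside `FileSystem`/`File`, Private rules take precedence over Global ones, and an operation with no matching rule is allowed. The sample policy is constructed for this example.

```python
# Added example (not the patent's own code): a parser for a policy file in the
# Fig. 2 style and the decision logic an injected guard would apply with it.
# Assumptions not stated in the patent: Private policies carry a "package"
# attribute naming the application they apply to, a Contacts/Contact resource
# type exists alongside FileSystem/File, Private rules override Global rules,
# and a resource with no matching rule is allowed (DEFAULT_ALLOW).
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_ALLOW = True  # assumption: unmatched operations are allowed

# Constructed sample policy file following the page's description of Fig. 2.
SAMPLE_POLICY = """<Policy>
  <Global>
    <FileSystem>
      <File filePath="/sdcard/secret.txt" operation="read">false</File>
    </FileSystem>
  </Global>
  <Private package="com.example.contacts">
    <FileSystem>
      <File filePath="/sdcard/secret.txt" operation="read">true</File>
    </FileSystem>
    <Contacts>
      <Contact name="Alice" operation="read">false</Contact>
    </Contacts>
  </Private>
</Policy>
"""


@dataclass(frozen=True)
class Rule:
    scope: str                 # "Global" or "Private"
    package: Optional[str]     # target application for Private rules (assumed attribute)
    resource: str              # parent tag: sensitive resource type, e.g. FileSystem
    kind: str                  # policy tag: e.g. File
    params: Dict[str, str]     # tag attributes, e.g. filePath, operation
    allowed: bool              # tag value: true allows the controlled behaviour


def parse_policy(xml_text: str) -> List[Rule]:
    """Parse the XML policy file into a flat rule list, rejecting malformed entries."""
    root = ET.fromstring(xml_text)
    rules: List[Rule] = []
    for scope in root:
        if scope.tag not in ("Global", "Private"):
            raise ValueError(f"unknown policy scope: {scope.tag}")
        package = scope.get("package") if scope.tag == "Private" else None
        if scope.tag == "Private" and not package:
            raise ValueError("Private policy must name a package")
        for resource in scope:
            for policy in resource:
                value = (policy.text or "").strip().lower()
                if value not in ("true", "false"):
                    raise ValueError(f"policy value must be true/false: {value!r}")
                rules.append(Rule(scope.tag, package, resource.tag, policy.tag,
                                  dict(policy.attrib), value == "true"))
    return rules


def is_allowed(rules: List[Rule], package: str, resource: str, kind: str,
               **params: str) -> bool:
    """Decide whether `package` may perform the operation described by `params`.

    A rule matches when its resource type, policy type and every parameter agree
    with the request. Private rules for this package take precedence over Global
    rules; with no matching rule the DEFAULT_ALLOW assumption applies.
    """
    decision = DEFAULT_ALLOW
    private_hit = False
    for rule in rules:
        if rule.resource != resource or rule.kind != kind:
            continue
        if any(params.get(key) != val for key, val in rule.params.items()):
            continue
        if rule.scope == "Private":
            if rule.package == package:
                decision, private_hit = rule.allowed, True
        elif not private_hit:
            decision = rule.allowed
    return decision


def read_contacts(rules: List[Rule], package: str, raw_contacts: List[str]) -> List[str]:
    """Stand-in for the injected guard around a contact lookup: the original call
    returns the full list, and only the entries the policy allows the application
    to read are forwarded to it (the masking shown in Fig. 4)."""
    return [name for name in raw_contacts
            if is_allowed(rules, package, "Contacts", "Contact",
                          name=name, operation="read")]


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print(is_allowed(policy, "com.other.app", "FileSystem", "File",
                     filePath="/sdcard/secret.txt", operation="read"))
    print(read_contacts(policy, "com.example.contacts", ["Alice", "Bob"]))
```

Because the guard runs inside the repackaged application with only that application's permissions, it can deny or filter at the granularity of a single file path or contact, which is the fine-grained control the native install-time permission model lacks. Any rule the parser cannot interpret is rejected outright rather than silently skipped, so a malformed policy cannot quietly degrade to "allow everything".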
Fig. 3 shows the process in the code injection module of injecting policy code into the Android application and generating the repackaged software, specifically:
1) read in the Android application and decompress it with decoding software;
2) extract the decompressed classes.dex file and convert it to a jar package with the dex2jar tool;
3) inject the policy code into the jar package produced in step 2 with a Java bytecode injection tool;
4) place the injected jar package together with the other resource files decompressed in step 1 in the same folder and convert them into a compressed package with compression software;
5) sign the compressed package generated in step 4 with the private key provided by the user.
Fig. 4 shows a comparison of an Android application after policy control by the proposed system with the same software in its native state, specifically:
1) the left side of the figure is the native Android application running; the right side is the application running after policy control;
2) in this case, a policy that masks some key contacts was applied to an address book application; the experimental results show the desired effect, and the right figure shows that after policy control the software cannot access the key contacts.
Comparative experiments show that the present invention achieves the effect of restricting Android applications' access to sensitive resources within a certain time and performance overhead, and offers multiple deployment methods, effectively guaranteeing convenient practical use of the system.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it. Although the invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that modifications or equivalent replacements may be made to the technical solution of the invention without departing from its spirit and scope, and all of these fall within the scope of the claims of the present invention.

Claims (4)

1. A sensitive resource access control policy system based on the Android platform, the system running on a Java bytecode injection framework, characterized in that it comprises a policy control server, a policy deployment packager and a policy configuration module;
the policy control server is used for dynamic policy deployment: when a preset permission control policy changes, the user submits the change to the policy control server, and the system automatically changes the policy in force;
the policy deployment packager is used to deploy the policy into Android application software and, by Java bytecode injection, to change the code logic of the original application so as to restrict access to sensitive resources;
the policy configuration module is used to provide a user interface for setting policies; the user sets the control policy they need according to the permission configuration rules preset by the system and writes it into the configuration file specified by the system.
2. The sensitive resource access control policy system based on the Android platform according to claim 1, characterized in that the policy control server stores the details of each policy on a web server, and an Android application to which a control policy has been applied can request the policy detail data from this server when it requests a sensitive resource.
3. The sensitive resource access control policy system based on the Android platform according to claim 1, characterized in that the policy deployment packager comprises a policy configuration file parsing module and a code injection module;
the policy configuration file parsing module is used to receive the policy configuration file written by the user and parse it into the corresponding policy code;
the code injection module injects the corresponding policy code into the original program according to the policy configured by the user, restricts the operating permission of the policy-enforced Android application on the corresponding sensitive resource, and forwards the data to the Android application only after the sensitive resource has been filtered.
4. The sensitive resource access control policy system based on the Android platform according to claim 3, characterized in that the policy configuration file parsing module handles configuration files written in the policy configuration syntax specified by the system, which combine many policies.

Application data

Application number: CN201510241188.3A
Title: Sensitive resource access control policy system based on Android platform
Priority date: 2015-05-13
Filing date: 2015-05-13
Publication: CN104951707A (en), published 2015-09-30
Status: Pending
Family ID: 54166355
Country status: CN, CN104951707A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101997912A (en) * 2010-10-27 2011-03-30 苏州凌霄科技有限公司 Mandatory access control device based on Android platform and control method thereof
CN104318169A (en) * 2014-09-26 2015-01-28 北京网秦天下科技有限公司 Mobile terminal and method for preventing local file from leakage based on security policy
CN104462959A (en) * 2014-12-04 2015-03-25 北京奇虎科技有限公司 Reinforcement protection method, server and system for android app

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105553961A (en) * 2015-12-11 2016-05-04 北京元心科技有限公司 Mandatory access control method and system for application program and management server
CN105553961B (en) * 2015-12-11 2019-06-28 北京元心科技有限公司 Mandatory access control method and system for application program and management server
CN105550584A (en) * 2015-12-31 2016-05-04 北京工业大学 RBAC based malicious program interception and processing method in Android platform
CN107103245A (en) * 2016-02-23 2017-08-29 中兴通讯股份有限公司 The right management method and device of file
CN107038103A (en) * 2017-04-14 2017-08-11 上海交通大学 Android program monitoring system and method based on bytecode pitching pile
CN111371699A (en) * 2020-02-28 2020-07-03 五八有限公司 Resource current limiting method and device, electronic equipment and storage medium
CN111371699B (en) * 2020-02-28 2023-07-21 五八有限公司 Resource current limiting method and device, electronic equipment and storage medium


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2015-09-30