CN105100095A - Secure interaction method and apparatus for mobile terminal application program - Google Patents


Info

Publication number: CN105100095A
Authority: CN (China)
Legal status: Pending
Application number: CN201510423080.6A
Other languages: Chinese (zh)
Inventors: 孟齐源, 胡宇光, 李红义
Assignees (original and current): Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 ... for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H04L63/02 ... for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks

Abstract

The invention provides a secure interaction method for a mobile terminal application program. The method comprises: obtaining identification information that uniquely determines the identity of an application program; determining, according to the identification information, whether the application program is present in a preset white list; and establishing a communication tunnel based on a virtual private network protocol for an application program that is present in the preset white list. The invention also provides a corresponding secure interaction apparatus for a mobile terminal application program. Because a communication tunnel can be established selectively for individual application programs, the secure interaction of those application programs can be guaranteed even when the accessed network has not passed a security check or is insecure, preventing the user's private data from being stolen in transit.

Description

Secure interaction method and apparatus for a mobile terminal application program
Technical field
The present invention relates to the field of mobile communications, and in particular to a secure interaction method and apparatus for a mobile terminal application program.
Background technology
With the development of mobile terminal application programs there are more and more applications, and while an application provides a service to its user it needs network access to communicate with its server. Because the data plans offered by mobile networks carry limited traffic quotas that constrain the user, users usually prefer to connect to a wireless network that can be used without limit; but if an insecure wireless local area network (WLAN) is joined during communication, this creates a risk. For example, when the terminal connects to a WiFi router that has been implanted with a phishing function, the data packets sent during communication may be hijacked and the user's information leaked; for important applications such as Alipay, WeChat and online banking, such leakage can cause severe losses to the user. For this kind of insecure communication the Android system provides a VPN service, but when the traffic of every application is served by the VPN, the processing capacity of the VPN server is inevitably exceeded, causing network congestion and degrading the user's experience of the applications. How to guarantee the secure interaction of application programs, and avoid the leakage of important data or information, when the accessed network has not been security-verified or is insecure has therefore become an urgent problem.
Summary of the invention
The object of the present invention is to solve at least one of the above problems by providing a secure interaction method and apparatus for a mobile terminal application program.
To achieve this, the invention provides a secure interaction method for a mobile terminal application program, comprising the following steps:
obtaining identification information that uniquely determines the identity of an application program;
judging, according to the identification information, whether the application program is present in a preset white list;
establishing, for an application program present in the preset white list, a communication tunnel based on a virtual private network protocol.
Specifically, the identification information that uniquely determines the application program comprises the UID of the application program.
Optionally, the communication tunnel is implemented with any one of the PPTP, L2TP and IPSec protocols.
Specifically, the white list records the identification information of the application programs for which a communication tunnel is to be established.
Further, the method also comprises the step of receiving the user's selection instruction for an installed application program and recording the identification information of the selected application program in the white list.
Further, the method also comprises the step of, when the application program is not present in the preset white list, establishing no communication tunnel and letting it communicate with its destination server directly over the wireless local area network.
Specifically, the step of establishing a communication tunnel comprises:
the VPN service sends a connection request to the VPN server;
a connection between the VPN service and the VPN server is established;
the VPN service and the VPN server communicate to determine the communication protocol, encryption algorithm, key and related parameter information that the tunnel will use.
Specifically, the VPN service is registered with the system before the communication tunnel is established.
Further, before the steps of the method are executed, the security of the network accessed by the mobile terminal is detected and judged.
Preferably, the communication tunnel is established only for the currently connected application programs of a mobile device whose accessed network is judged to be an insecure public network.
Specifically, after the communication tunnel is established, the communication data packets of the application program transmitted through the tunnel are encrypted.
Preferably, the encryption of the application program's communication data packets uses an asymmetric encryption algorithm.
Further, the method also comprises the step of providing a user interface that asks whether a communication tunnel should be established, and deciding whether to establish the tunnel according to the user's choice.
Preferably, before the identification information of the application program is obtained, the legitimacy of the application program is verified by its package name and/or signature.
Further, the method also comprises the step of requesting the white list from a cloud server through a remote interface, and determining according to this white list whether a communication tunnel is to be established for the application program.
A secure interaction apparatus for a mobile terminal application program comprises:
an identification information acquisition module, for obtaining identification information that uniquely determines the identity of an application program;
a judging module, for judging according to the identification information whether the application program is present in a preset white list;
a communication tunnel establishing module, for establishing a communication tunnel based on a virtual private network protocol for an application program present in the preset white list.
Specifically, the identification information that uniquely determines the application program comprises the UID of the application program.
Optionally, the communication tunnel is implemented with any one of the PPTP, L2TP and IPSec protocols.
Specifically, the white list records the identification information of the application programs for which a communication tunnel is to be established.
Further, the apparatus also comprises a first interaction module configured to receive the user's selection instruction for an installed application program and to record the identification information of the selected application program in the white list.
Further, when the application program is not present in the preset white list, no communication tunnel is established and it communicates with its destination server directly over the wireless local area network.
Specifically, the steps executed by the communication tunnel establishing module comprise:
the VPN service sends a connection request to the VPN server;
a connection between the VPN service and the VPN server is established;
the VPN service and the VPN server communicate to determine the communication protocol, encryption algorithm, key and related parameter information to be used.
Further, the apparatus also comprises a service registration module that registers the VPN service with the system before the communication tunnel establishing module executes.
Further, the apparatus also comprises a detection module for detecting and judging the security of the network accessed by the mobile terminal before the apparatus of the invention executes.
Preferably, the communication tunnel is established only for the currently connected application programs of a mobile device whose accessed network is judged to be an insecure public network.
Further, the apparatus also comprises an encryption module configured to encrypt, after the communication tunnel is established, the communication data packets of the application program transmitted through the tunnel.
Preferably, the encryption of the application program's communication data packets uses an asymmetric encryption algorithm.
Further, the apparatus also comprises a second interaction module configured to provide a user interface that asks whether a communication tunnel should be established, and to decide whether to establish the tunnel according to the user's choice.
Further, the apparatus also comprises a verification module that, before the acquisition module executes, verifies the legitimacy of the application program by its package name and/or signature.
Further, the apparatus also comprises a remote interaction module for requesting the white list from a cloud server through a remote interface, and determining according to this white list whether a communication tunnel is to be established for the application program.
Compared with the prior art, the solution of the present invention has the following advantages:
First, the invention uses the VPN framework of the Android system to provide a common VPN service for application programs and maintains a white list; for the application programs present in the white list it provides a secure transmission channel through a communication tunnel built on the VPN service. Thus, while an application program is serving the user, a communication tunnel is provided selectively, so that the application can interact securely with its server through that tunnel, keeping the user's information safe in transit and preventing the user's private data from being stolen, without exceeding the processing capacity of the server. Even when the network environment carries some risk, the secure interaction of the application program and the user's data are still protected.
Second, the invention checks the legitimacy of an application program before establishing the communication tunnel, so that illegal or malicious application programs cannot exchange information through the secure tunnel. At the same time, a user interface is provided for illegal application programs that prompts the user to deal with them and offers the corresponding processing buttons, guiding the user to handle malicious or illegal programs. This improves the discrimination of which application programs need a communication tunnel for secure interaction, provides the user with an intelligent service, guides the user to deal sensibly with illegal application programs, and improves the user experience.
Moreover, the white list of the invention can be combined with big data technology in the cloud, using its advantages to maintain and update the content of the white list in a timely manner and to discover application programs with hidden risks promptly, making the network environment safer.
Additional aspects and advantages of the invention will be given in part in the following description, and will in part become apparent from it or be learned by practice of the invention.
Brief description of the drawings
The above and/or additional aspects and advantages of the present invention will become apparent and easy to understand from the following description of the embodiments with reference to the accompanying drawings, in which:
Fig. 1 is a schematic diagram of the principle of the secure interaction method for a mobile terminal application program of the present invention;
Fig. 2 is a structural block diagram of the secure interaction apparatus for a mobile terminal application program of the present invention;
Fig. 3 is a schematic flowchart of the program implementation of the secure interaction method for a mobile terminal application program of the present invention.
Embodiments
Embodiments of the invention are described in detail below; examples of the embodiments are shown in the drawings, where the same or similar reference numerals denote the same or similar elements, or elements with the same or similar functions, throughout. The embodiments described below with reference to the drawings are exemplary, serve only to explain the invention, and are not to be construed as limiting it.
Those skilled in the art will understand that, unless expressly stated otherwise, the singular forms "a", "an", "the" and "said" used herein may also include the plural. It should be further understood that the word "comprises", as used in this specification, refers to the presence of the stated features, integers, steps, operations, elements and/or components, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof. It should be understood that when an element is said to be "connected" or "coupled" to another element, it may be directly connected or coupled to the other element, or intermediate elements may be present. In addition, "connected" or "coupled" as used herein may include a wireless connection or wireless coupling. The term "and/or" as used herein includes all combinations of one or more of the associated listed items.
Those skilled in the art will understand that, unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as commonly understood by those of ordinary skill in the field to which the invention belongs. It should also be understood that terms such as those defined in general dictionaries should be understood to have a meaning consistent with their meaning in the context of the prior art and, unless specifically defined here, will not be interpreted in an idealised or overly formal sense.
Those skilled in the art will understand that the "terminal" and "terminal equipment" used here include both devices with only a wireless signal receiver, that is devices without transmitting capability, and devices with receiving and transmitting hardware, that is devices that can perform two-way communication over a bidirectional communication link. Such a device may include: a cellular or other communication device, with a single-line display, a multi-line display or no multi-line display; a PCS (Personal Communications Service) device that can combine voice, data processing, fax and/or data communication capabilities; a PDA (Personal Digital Assistant), which may include a radio-frequency receiver, a pager, Internet/intranet access, a web browser, a notepad, a calendar and/or a GPS (Global Positioning System) receiver; a conventional laptop and/or palmtop computer or other device that has and/or includes a radio-frequency receiver. The "terminal" and "terminal equipment" used here may be portable, transportable, installed in a vehicle (air, sea and/or land), or suited and/or configured to operate locally and/or, in distributed form, at any other location on the earth and/or in space. The "terminal" and "terminal equipment" used here may also be a communication terminal, an Internet access terminal or a music/video playback terminal, for example a PDA, a MID (Mobile Internet Device) and/or a mobile phone with a music/video playing function, or a device such as a smart TV or a set-top box.
Those skilled in the art will understand that the remote network device used here includes, but is not limited to, a computer, a network host, a single network server, a set of multiple network servers, or a cloud formed by multiple servers. Here the cloud is formed by a large number of computers or network servers based on cloud computing, where cloud computing is a kind of distributed computing, a super virtual machine composed of a group of loosely coupled computers. In embodiments of the invention, the remote network device, the terminal device and the WNS server may communicate by any communication means, including but not limited to mobile communication based on 3GPP, LTE or WiMAX, computer network communication based on TCP/IP or UDP, and short-range wireless transmission based on Bluetooth or infrared transmission standards.
With the development of the Internet, communication security is becoming more and more important; for the communication security of mobile terminals, the communication security of third-party applications is one of the most important issues. Security software can usually provide some detection results for the process by which a mobile device connects to a wireless router, but it has no control over the path between the router and the Internet, where only an encrypting VPN can take responsibility for security, and current VPN services are generally services licensed to individual users. During communication over a public network it is easy for an attacker to intercept the communication data packets and thereby obtain the user's private data; in particular, when the user performs a mobile payment over a public network, the packets carrying the account, password and verification code of the payment are easily captured and decoded, bringing irreparable loss to the user. On this basis, the method provided by the invention encrypts the communication process of third-party application programs in order to protect the user's data.
First, the security of the network accessed by the user's mobile terminal is detected; specifically, the detection module implemented by the invention performs this detection. Network connection types generally include the mobile communication networks of various standards provided by mobile operators (such as CDMA, TD-CDMA and LTE) and wireless local area networks (such as WiFi). Wireless local area networks are further divided into encrypted networks and public networks, and some public networks are provided by malicious WiFi hotspots; when a mobile terminal accesses such a network, its communication packets are easily intercepted and the user's private information obtained. Therefore the accessed network can be detected first; specifically, the security software detects whether the DNS of the router's WAN port has been maliciously tampered with, whether the DNS handed out by the router's DHCP service has been tampered with, and whether the router allows remote control.
When the network currently accessed by the mobile terminal is detected to be a public wireless transmission network with a risk of information leakage, that is an insecure public network, the application programs of the mobile terminal exchange information using the method provided by the embodiment of the invention, so that the user's information cannot be stolen and the privacy of the user's data is ensured. The secure interaction method for a mobile terminal application program of the invention specifically comprises the following steps:
S11, obtaining identification information that uniquely determines the identity of the application program;
The UID here differs from the commonly described user ID: because the Android system is a single-user system there is no need to identify the user by a UID; instead, in order to manage application programs, Android assigns a UID to each application, uses the UID to implement data sharing, and uses it to identify the application. The identity of an application program can therefore be uniquely determined by obtaining its UID, specifically with the following code:
PackageManager pm = getPackageManager();  // called from a Context such as an Activity
// throws PackageManager.NameNotFoundException if the package is not installed
ApplicationInfo ai = pm.getApplicationInfo("com.gesoft.bit.lavendercloud", PackageManager.GET_ACTIVITIES);
int uid = ai.uid;  // ApplicationInfo.uid is an int, not a String
Of course, the UID of the application program is only one example of application identification information; the package name of the application program, its communication port, the domain name of the server it accesses and so on can also be included, and any information that uniquely determines the application program can serve as identification information of the invention.
Before the identification information of the application program is obtained, its legitimacy is first verified by checking the application program's package name and/or signature. In a particular embodiment, the package name or signature of the application program is uploaded to a cloud server through a remote interface, and the cloud server authenticates the application program by its signature. The specific steps are: take any segment of the signature, compute its hash value, and compare this hash value with the correct hash value stored on the cloud server; if they match, authentication succeeds and the application program is legitimate; if they differ, authentication fails and the application program is illegitimate. The cloud server may also keep a list of legitimate application programs compiled from statistics in advance, and query whether the application program to be verified is present in this list; if it is present the application program is legitimate, and if not it is illegitimate.
Of course, the above verification of the package name and/or signature can also be executed by the corresponding client on the mobile terminal to determine the legitimacy of the application program.
In a particular embodiment, when the application program is determined to be illegitimate, a prompt message and the corresponding processing options are displayed. Preferably, in the embodiment of the invention the processing options are displayed as buttons, that is, a processing button is shown for each processing option, and when the user triggers a processing option the user's input instruction is received at the corresponding processing button. If a trigger instruction entered by the user in response to the prompt message is received at a processing button, the corresponding processing is performed on the application program according to that instruction. The processing buttons may be a button to stop the application program, a button to uninstall the application program, a button to install a legitimate application program, or a button to continue using the application program; the embodiment of the invention places no limitation on this. Accordingly, if the user's trigger instruction is received at the stop button, the current application program is stopped; if it is received at the uninstall button, the current application program is uninstalled; if it is received at the install-legitimate-application button, the current application program is uninstalled and a legitimate copy of it is installed in its place; and if it is received at the continue-using button, the current application program is left running.
In addition, in the embodiment of the invention the legitimacy of the application program also covers whether the application program poses a security risk. If a malicious program is detected in the installation package of the application program according to preset rules, the application program is marked as uninstallable; if the application program is detected, according to preset rules, to contain advertisements or pop-up windows, it is likewise marked as uninstallable; and if the application program is detected, according to preset rules, to be an important application such as a payment application, it is marked as not to be uninstalled, and a prompt is sent to the user on this basis to guide the handling of the application program.
S12, judging according to the identification information whether the application program is present in a preset white list;
Whether the application program is present in the preset white list is judged according to the identification information obtained above that uniquely determines its identity, where the preset white list records the identification information of the application programs for which a communication tunnel is to be established.
The white list is preset by the user: specifically, a user interface is provided that receives the user's selection instruction for installed application programs and records the identification information of the selected application programs in the white list, so that the communication tunnel is established for the application programs in this white list. When the identification information of the currently running application program is obtained, the white list is queried to find whether it is present, which determines whether a secure communication tunnel is to be established for this application program.
In other embodiments, the white list can also be determined statistically by the cloud server: the cloud server records the identification information, such as UID, port and package name, of the application programs for which users commonly allow the communication tunnel to be established, records the identification information of those application programs in the white list, and updates the white list regularly. At the same time, the important third-party application programs used by the user, such as Alipay, online banking and WeChat, are recorded in the white list, so that those application programs transmit information through the communication tunnel by default. When judging according to the obtained identification information whether the application program is present in the preset white list, the corresponding white list is requested from the cloud server through the remote interface and queried to determine whether the application program in question is present in it, in order to decide whether a communication tunnel is to be established for this application program.
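Steps S11 and S12 as one worked example in Java, added here and not part of the patent: it resolves an installed package's UID and signing certificates through PackageManager, pins the signer's SHA-256 in the white list (a stronger variant of the patent's "hash a segment of the signature" check, hashing the whole certificate), and returns the tunnel/direct/illegal decision. The class, method and enum names are mine; the certificate hashes a caller supplies are placeholders.

```java
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Steps S11 and S12 for one application: resolve its identity (package name, UID and
 * signing certificates), verify legitimacy against the certificate hash pinned in the
 * white list, then decide whether it gets the communication tunnel.
 */
public final class AppTunnelPolicy {

    public enum Verdict {
        TUNNEL,         // white-listed and signed by the pinned key: route through the VPN tunnel
        DIRECT,         // not white-listed: talks to its server directly over the WLAN
        ILLEGAL,        // white-listed package name, but signed by an unexpected certificate
        NOT_INSTALLED
    }

    /** Identity fields resolved for an installed package. */
    public static final class Identity {
        public final String packageName;
        public final int uid;
        public final Set<String> signerSha256;  // lowercase hex SHA-256 of each signing certificate

        Identity(String packageName, int uid, Set<String> signerSha256) {
            this.packageName = packageName;
            this.uid = uid;
            this.signerSha256 = Collections.unmodifiableSet(signerSha256);
        }
    }

    // White list: package name -> accepted signing-certificate hashes (values supplied by the caller).
    private final Map<String, Set<String>> whiteList = new HashMap<>();

    /** Adds a white-list entry; each hash is the hex SHA-256 of a DER-encoded signing certificate. */
    public AppTunnelPolicy allow(String packageName, String... certSha256Hex) {
        Set<String> accepted = whiteList.get(packageName);
        if (accepted == null) {
            accepted = new HashSet<>();
            whiteList.put(packageName, accepted);
        }
        for (String h : certSha256Hex) accepted.add(h.toLowerCase(Locale.ROOT));
        return this;
    }

    /** Step S11: obtain the UID and signing certificates of a package, or null if it is not installed. */
    public static Identity resolve(PackageManager pm, String packageName) {
        try {
            PackageInfo pi;
            Signature[] signers;
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
                pi = pm.getPackageInfo(packageName, PackageManager.GET_SIGNING_CERTIFICATES);
                signers = pi.signingInfo == null ? new Signature[0] : pi.signingInfo.getApkContentsSigners();
            } else {
                pi = pm.getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
                signers = pi.signatures == null ? new Signature[0] : pi.signatures;
            }
            Set<String> hashes = new HashSet<>();
            for (Signature s : signers) hashes.add(sha256Hex(s.toByteArray()));
            return new Identity(packageName, pi.applicationInfo.uid, hashes);
        } catch (PackageManager.NameNotFoundException e) {
            return null;
        }
    }

    /** Step S12: white-list lookup, with the signer check that makes the package name trustworthy. */
    public Verdict decide(Identity id) {
        if (id == null) return Verdict.NOT_INSTALLED;
        Set<String> accepted = whiteList.get(id.packageName);
        if (accepted == null) return Verdict.DIRECT;
        // A repackaged app can reuse the package name but not the original signing key, so every
        // signer of the installed APK must be one the white list pins for this package.
        if (id.signerSha256.isEmpty() || !accepted.containsAll(id.signerSha256)) return Verdict.ILLEGAL;
        return Verdict.TUNNEL;
    }

    public Verdict decide(PackageManager pm, String packageName) {
        return decide(resolve(pm, packageName));
    }

    static String sha256Hex(byte[] data) {
        try {
            StringBuilder sb = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-256").digest(data)) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);  // SHA-256 is mandatory on every Java and Android runtime
        }
    }
}
```

A white list fetched from the cloud server, as in the embodiment above, would be loaded into the policy through `allow(...)` in the same way as a user-selected entry.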
S13, establishing, for an application program present in the preset white list, a communication tunnel based on a virtual private network protocol.
To establish the communication tunnel, the method of the invention registers a VPN service with the system in advance, and this service obtains control over establishing and maintaining the communication tunnel. The communication tunnel here means a tunnel implemented with a virtual private network protocol; specifically, any one of PPTP, L2TP and IPSec can be used. In a particular embodiment, the principle of the VPN service established on the Android system is as follows:
1. The application program sends its data packets through sockets to the real network device;
2. The system uses iptables with NAT to forward all data packets to the TUN virtual network device, whose interface is tun0;
3. The system VPN service program opens the TUN device and reads the corresponding data, obtaining all IP packets forwarded to the TUN virtual network device;
4. The VPN service program processes the IP packets obtained above and sends them out through the real network device.
Based on this principle, the VpnService framework provided by the Android system and the API it offers are used to obtain all IP packets of the application program, process them, interact with the remote VPN server to set up the connection, and thus carry the application program's IP packets securely through the communication tunnel.
In a particular embodiment, before establishing the communication tunnel, the VPN service may first show a pop-up dialog on the user interface asking the user whether a communication tunnel should be established for the current application program. If the user chooses to establish the tunnel, the VPN service calls the corresponding system function to establish the communication tunnel based on the virtual private network protocol; otherwise no tunnel is established. That is, control over whether the communication tunnel is established is handed to the user, and the decision follows the user's choice.
In a particular embodiment, the establishment step of described communication tunnel is as follows:
Step 1:VPN service sends connection request to vpn server;
Step 2: set up the connection between VPN service and vpn server;
Step 3: described VPN serves and vpn server carries out communicating communication protocol, cryptographic algorithm, key and the relevant parameter information determining to adopt.
After setting up above-mentioned communication tunnel, according to above-mentioned steps 3, the communication data packet of the application program of carrying out Signal transmissions based on this communication tunnel is determined that cryptographic algorithm is encrypted, and according to the communication protocol that step 3 is determined, communication data packet is carried out Reseal, wrap in safe transmission in the communication tunnel of foundation to make the enciphered data after encapsulation.Wherein, the cryptographic algorithm being encrypted employing to the communication data packet of described application program is rivest, shamir, adelman.
If application program does not belong to the application program in default white list, then do not set up described communication tunnel, directly the packet of this application program is transferred to its destination server through WLAN (wireless local area network), to complete the communication between application program and its destination server.
Further, for the present invention but not for a certain specific embodiment, can by strengthening the protection strengthening application program for mobile terminal communication security to the identification of network environment.As WiFi access point can be divided into two classes, one is the proprietary access point with certain fail safe, environment access point as privately owned in office, family etc.; Two is the public network access points used in public places, as dining room, coffee shop, and the access point etc. that each operator provides.The method of the invention can independently or in the application of such as 360 free WiFi and so on to combine use; the fail safe of Sampling network access point; if be public network access point; then force to pay class application to the such as Alipay of mobile terminal etc. or other important application set up described communication tunnel; also the application program bullet frame prompting user of protection can be needed based on other; selected whether to set up communication tunnel to corresponding application program by user, thus to guarantee that application program that mobile terminal is installed carries out the fail safe communicated in the public network that there is information leakage.And for the Network Access Point of the higher private environment of fail safe, the relevant item that pre-sets can be provided, independently determine that whether being defaulted as corresponding application program sets up the remote transmission that communication tunnel carries out data by user.
Fig. 3 is a schematic flow chart of a concrete application embodiment implemented on the basis of the method of the invention, and discloses the principle of the method further. The design logic of the whole program is described below along the process disclosed there, for reference when implementing the method of the invention:
1. Detect whether the network the mobile terminal has accessed is secure. If the network is secure, go to step 7; if there is a risk, continue in sequence.
2. Verify whether the application is legitimate. If it is legitimate, continue in sequence; if not, go to step 8.
3. Obtain the identification information of the application.
4. Judge whether the application is in the preset white list. If it is, continue in sequence; if not, go to step 9.
5. Establish a secure communication tunnel based on a virtual private network protocol for the application.
6. Transmit the application's packets to its destination server over the secure communication tunnel established.
7. Provide the relevant preset items, so that the user decides whether a communication tunnel is established for the corresponding application for the remote transmission of data.
8. Display a prompt message and the corresponding processing options, receive the corresponding trigger instruction from the user, and process the application accordingly.
9. Do not establish a communication tunnel for this application; send its packets directly over the wireless local area network to the application's destination server.
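The access-point classification of the previous paragraph and the branch structure of the Fig. 3 flow, as an added Java example that is neither the patent's nor 360's code. decide() encodes steps 1, 2 and 4 with the branch targets the flow names; isCurrentWifiAtRisk() implements step 1 for Wi-Fi by treating an access point as public when the user has marked it so or when its capability string shows no WPA-family protection (open networks and WEP both count as at risk, WEP because it is trivially broken). The Action names and the "user marked public" flag are assumptions; the WifiManager calls are real Android APIs, but getScanResults() needs ACCESS_FINE_LOCATION on API 23 and later, and getConnectionInfo()/getScanResults() are deprecated on recent releases while still functioning.

```java
import android.content.Context;
import android.net.wifi.ScanResult;
import android.net.wifi.WifiInfo;
import android.net.wifi.WifiManager;
import java.util.List;
import java.util.Locale;

/** Added example, not the patent's code: network-environment check plus the Fig. 3 branch logic. */
public final class TunnelPolicy {

    /** The branch a run of the Fig. 3 flow ends in (names are this example's, not the patent's). */
    public enum Action {
        USER_DEFAULT_SETTING,  // step 7: trusted network, apply the user's preset choice
        PROMPT_ILLEGITIMATE,   // step 8: show the prompt message and the processing buttons
        TUNNEL,                // steps 5 and 6: establish the tunnel and send through it
        DIRECT                 // step 9: no tunnel, send straight over the WLAN
    }

    /** Steps 1, 2 and 4 with their branch targets; the order matters, the network is checked first. */
    public static Action decide(boolean networkAtRisk, boolean appLegitimate, boolean inWhiteList) {
        if (!networkAtRisk) return Action.USER_DEFAULT_SETTING;   // step 1 -> step 7
        if (!appLegitimate) return Action.PROMPT_ILLEGITIMATE;    // step 2 -> step 8
        return inWhiteList ? Action.TUNNEL : Action.DIRECT;       // step 4 -> steps 5/6 or step 9
    }

    /**
     * Step 1 for Wi-Fi. The current access point counts as public (at risk) when the user marked
     * it so, when the device is not on Wi-Fi at all, or when the AP's capability string shows no
     * WPA-family protection. userMarkedPublic is the hypothetical per-AP setting the text describes.
     */
    public static boolean isCurrentWifiAtRisk(Context ctx, boolean userMarkedPublic) {
        if (userMarkedPublic) return true;
        WifiManager wm = (WifiManager) ctx.getApplicationContext().getSystemService(Context.WIFI_SERVICE);
        if (wm == null) return true;
        WifiInfo info = wm.getConnectionInfo();
        String bssid = info == null ? null : info.getBSSID();
        if (bssid == null) return true;                          // unknown: be conservative
        List<ScanResult> scan = wm.getScanResults();
        if (scan != null) {
            for (ScanResult r : scan) {
                if (bssid.equalsIgnoreCase(r.BSSID)) return isUnprotected(r.capabilities);
            }
        }
        return true;   // our AP is not in the scan cache, so its protection cannot be confirmed
    }

    /**
     * Pure string check on ScanResult.capabilities, e.g. "[WPA2-PSK-CCMP][ESS]" or "[ESS]".
     * Open networks and WEP are treated as unprotected; WPA/WPA2, WPA3 (SAE) and the enterprise
     * (EAP) variants carry "WPA", "SAE" or "EAP" in the string.
     */
    static boolean isUnprotected(String capabilities) {
        if (capabilities == null) return true;
        String c = capabilities.toUpperCase(Locale.ROOT);
        return !(c.contains("WPA") || c.contains("SAE") || c.contains("EAP"));
    }
}
```

With constructed capability strings, isUnprotected("[WPA2-PSK-CCMP][ESS]") is false while isUnprotected("[ESS]") and isUnprotected("[WEP][ESS]") are both true, so a café hotspot with no passphrase lands in the at-risk branch and the flow continues to the legitimacy and white-list checks instead of jumping to step 7.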
To describe the method of the invention further in a modular manner, the invention also provides a secure interaction device for mobile terminal applications, comprising an identification information acquisition module 11, a judgment module 12 and a communication tunnel establishment module 13, wherein:
The identification information acquisition module 11 is used to obtain the identification information that uniquely determines the identity of an application.
The UID here is not the user ID in the usual sense. Because the Android system is a single-user system, a UID is not needed to determine the identity of a user; instead, in order to manage applications, Android assigns each application a UID, uses the UID to implement data sharing, and uses it to identify the application. The identification information acquisition module 11 therefore determines an application's identity uniquely by obtaining its UID, specifically by executing the following code:
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
// inside an Activity or Service; getApplicationInfo() throws PackageManager.NameNotFoundException if the package is not installed, and the flag is irrelevant for this call (0 would do)
PackageManager pm = getPackageManager();
ApplicationInfo ai = pm.getApplicationInfo("com.gesoft.bit.lavendercloud", PackageManager.GET_ACTIVITIES);
int uid = ai.uid; // ApplicationInfo.uid is an int, not a String
Of course, the UID of the application is only one example of application identification information; it may also include the package name of the application, its communication port, the domain name of the server it accesses, and so on. Any information that uniquely determines the application can serve as identification information in the invention. Note that a UID is assigned at install time and may differ from device to device, and applications that declare a shared user ID share one UID, so a white list that is to be distributed from a cloud server is better keyed on the package name together with the hash of its signing certificate than on the UID alone.
Before the identification information of an application is obtained, the legitimacy of the application is first verified: the verification module determines whether the application is legitimate by verifying its package name and/or signature. In a particular embodiment, the package name or signature of the application is uploaded through a remote interface to a cloud server, which authenticates the application by its signature. The concrete steps are: extract a segment of the signature, compute its hash value, and compare this hash with the correct hash stored on the cloud server; if they match, authentication succeeds and the application is legitimate; if they differ, authentication fails and the application is illegitimate. The cloud server can also consult a list of legitimate applications recorded in advance from statistics and query whether the application whose legitimacy is to be verified is in that list; if it is, the application is legitimate, otherwise it is illegitimate.
Of course, the above verification of the application based on its package name and/or signature can also be performed by the verification module of the corresponding client on the mobile terminal, to determine the legitimacy of the application.
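The identity lookup and the signature check described above, as an added Java example that is not the patent's code. It resolves the UID exactly as the snippet does, lists the packages that share that UID (apps declaring android:sharedUserId run under one UID, so the UID alone is not a unique identity), and computes the SHA-256 of the app's signing certificate for comparison against an expected value. TrustedApp, the lower-case hex format and the "every signer must match" rule are this example's assumptions; the text hashes a segment of the signature, whereas this example hashes the whole DER certificate, which is what is normally pinned.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Locale;

/** Added example, not the patent's code: resolve an app's identity and verify its signing certificate. */
public final class AppIdentityChecker {

    /** Hypothetical white-list entry: package name plus the SHA-256 of its signing certificate. */
    public static final class TrustedApp {
        public final String packageName;
        public final String certSha256Hex;   // lower-case hex of the DER-encoded certificate
        public TrustedApp(String packageName, String certSha256Hex) {
            this.packageName = packageName;
            this.certSha256Hex = certSha256Hex;
        }
    }

    private final PackageManager pm;

    public AppIdentityChecker(Context ctx) {
        this.pm = ctx.getPackageManager();
    }

    /** The UID Android assigned to the package at install time (the identifier the text relies on). */
    public int uidOf(String packageName) throws PackageManager.NameNotFoundException {
        ApplicationInfo ai = pm.getApplicationInfo(packageName, 0);
        return ai.uid;
    }

    /**
     * All packages that run under this UID. More than one entry means the apps declared
     * android:sharedUserId, so the UID alone does not single out one application on this device.
     */
    public String[] packagesSharingUid(int uid) {
        String[] pkgs = pm.getPackagesForUid(uid);
        return pkgs == null ? new String[0] : pkgs;
    }

    /** SHA-256 over the full DER encoding of each signing certificate, as lower-case hex. */
    public String[] signingCertHashes(String packageName) throws Exception {
        // GET_SIGNATURES is deprecated since API 28 in favour of GET_SIGNING_CERTIFICATES, but it is
        // what existed at the patent's filing date and still works.
        @SuppressWarnings("deprecation")
        PackageInfo pi = pm.getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
        @SuppressWarnings("deprecation")
        Signature[] sigs = pi.signatures;
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        String[] out = new String[sigs.length];
        for (int i = 0; i < sigs.length; i++) {
            out[i] = toHex(sha256.digest(sigs[i].toByteArray()));   // digest() resets the instance
        }
        return out;
    }

    /**
     * The text's legitimacy check: every signer of the installed package must carry the expected
     * certificate. Any lookup failure (not installed, unreadable signature) counts as "not legitimate".
     */
    public boolean isLegitimate(TrustedApp expected) {
        try {
            String[] hashes = signingCertHashes(expected.packageName);
            if (hashes.length == 0) return false;
            byte[] want = expected.certSha256Hex.toLowerCase(Locale.ROOT).getBytes(StandardCharsets.US_ASCII);
            for (String h : hashes) {
                // constant-time comparison: timing must not leak how much of the hash matched
                if (!MessageDigest.isEqual(h.getBytes(StandardCharsets.US_ASCII), want)) return false;
            }
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    private static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format(Locale.ROOT, "%02x", x));
        return sb.toString();
    }
}
```

For the package named in the snippet above, uidOf("com.gesoft.bit.lavendercloud") returns the same value as ai.uid there, and packagesSharingUid(uid) then shows whether that UID really denotes a single application; isLegitimate() is the client-side variant of the check the text assigns to the cloud server, with the expected hash taking the place of the value stored there.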
In a particular embodiment, when the application is determined to be illegitimate, a prompt message and the corresponding processing options are displayed. Preferably, in the embodiment of the invention, the processing options are displayed in the form of buttons, that is, a processing button corresponding to each processing option is displayed; when the user triggers a processing option, the user's input instruction is received at the corresponding button. If a trigger instruction entered by the user in response to the prompt message is received at a button, the corresponding processing is applied to the application according to that instruction. The processing buttons may be a button to terminate the running application, a button to uninstall the application, a button to install a legitimate application, or a button to continue using the application; the embodiment of the invention does not limit this in any way. Correspondingly, if the user's trigger instruction is received at the terminate button, the running application is terminated; if it is received at the uninstall button, the current application is uninstalled; if it is received at the install-legitimate-application button, the current application is uninstalled and a legitimate copy of it is installed in its place; if it is received at the continue-using button, the running state of the current application is kept.
In addition, in embodiments of the invention, the legitimacy of the application also covers whether the application presents a security risk. If a malicious program is detected in the installation package of the application according to preset rules, the application is marked as one that can be uninstalled; if, according to preset rules, the application is found to contain advertisements, pop-up windows or similar, it is likewise marked as one that can be uninstalled; if the application is detected according to preset rules to be an important application such as a payment application, it is marked as one that must not be uninstalled, and prompt information is sent to the user on this basis to guide the user in handling the application accordingly.
The judgment module 12 is used to judge, according to the identification information, whether the application is in the preset white list.
The judgment module 12 of the device of the invention judges, from the identification information obtained above that uniquely determines the application's identity, whether the application is in the preset white list, where the preset white list records the identification information of the applications for which a communication tunnel is to be established.
The white list is generated by the user in advance, specifically through the first interactive module: a user interface is provided, the user's selection instruction for installed applications is received, and the identification information of the selected applications is recorded in the white list, so that the communication tunnel is established for the applications in that list. When the identification information of a currently running application is obtained, it is looked up in the preset white list to determine whether a secure communication tunnel is to be established for that application.
In other embodiments, the white list can also be determined statistically by the cloud server: the cloud server records the identification information (UID, port, package name and so on) of the applications for which users commonly allow a communication tunnel to be established, records the identification information of those applications in the white list, and updates the white list regularly. The list also includes important third-party applications commonly used by users; for example, the identification information of applications such as Alipay, online banking and WeChat is recorded in the white list, so that these become applications for which a communication tunnel is established by default for transmitting information. When judging from the obtained identification information whether the application is in the preset white list, the remote interaction module can request the corresponding white list from the cloud server through the remote interface and query whether the application under judgment is in the preset white list, so as to determine whether a communication tunnel is established for it.
The communication tunnel establishment module 13 is used to establish a communication tunnel based on a virtual private network protocol for the applications in the preset white list.
To be able to establish the communication tunnel, the registration service module registers a VPN service with the system in advance, so that this service obtains control over establishing and maintaining the tunnel. The communication tunnel here is a tunnel implemented with a virtual private network protocol; specifically, any one of PPTP, L2TP or IPsec can be used. In a particular embodiment, the principle of a VPN service established on the Android system is as follows:
1. The application sends its packets through a socket towards the real network device;
2. The system uses iptables with NAT to forward all packets to the TUN virtual network device, tun0;
3. The system's VPN service program opens the TUN device and reads the data, obtaining all IP packets that were forwarded to the TUN device;
4. The VPN service program processes the IP packets obtained above and sends them out through the real network device.
Based on this principle, the VpnService framework and the APIs provided by the Android system are used to obtain all IP packets of the application, process them, and exchange them with the remote VPN server over the established connection, so that the application's IP packets are transmitted securely through the communication tunnel.
In a particular embodiment, before the communication tunnel is established, the VPN service first shows, through the second interactive module, a pop-up dialog on the user interface asking the user whether a communication tunnel should be established for the current application. If the user chooses to establish it, the VPN service calls the corresponding system function and establishes a tunnel based on a virtual private network protocol; otherwise no tunnel is established. That is, control over whether the tunnel is established is handed to the user, and the tunnel is established or not according to the user's choice.
In a particular embodiment, the concrete steps performed by the communication tunnel establishment module 13 are as follows:
Step 1: the VPN service sends a connection request to the VPN server;
Step 2: the connection between the VPN service and the VPN server is established;
Step 3: the VPN service and the VPN server negotiate the communication protocol, encryption algorithm, key and related parameters to be used.
After the tunnel has been established, the encryption module encrypts the communication packets of the application transmitted over it with the encryption algorithm determined in step 3, and the packets are at the same time re-encapsulated according to the communication protocol determined in step 3, so that the encapsulated encrypted packets travel securely inside the established tunnel. The encryption algorithm applied to the application's communication packets is an asymmetric encryption algorithm.
If the application is not in the preset white list, no tunnel is established; its packets are sent directly over the wireless local area network to its destination server to complete the communication between the application and that server.
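The VpnService plumbing described in both the method passage at the start of this section and the apparatus passage just above (register a VPN service, read the application's IP packets from tun0, re-encapsulate them and carry them to the remote VPN server), as an added Java example that is not the patent's code. Only the packages handed to the service, that is, the white list, are routed into the tunnel, via Builder.addAllowedApplication(), so non-white-listed apps keep the direct WLAN path without further work. The consent dialog the text describes is supplied by the system: the caller must run VpnService.prepare() from an Activity before starting this service, and establish() returns null when consent is missing. The server host and port, the tunnel address, the framing (nonce || AES-256-GCM ciphertext) and the embedded SESSION_KEY are assumptions; in a deployment the key comes out of the step-3 negotiation and the server, not shown, undoes the same framing. Bulk packets are protected here with a symmetric AEAD cipher rather than an asymmetric one, which is also how the protocols the text names treat the packet stream.

```java
import android.content.Intent;
import android.content.pm.PackageManager;
import android.net.VpnService;
import android.os.ParcelFileDescriptor;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.net.DatagramPacket;
import java.net.DatagramSocket;
import java.net.InetAddress;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Added example, not the patent's code. Needs android.permission.BIND_VPN_SERVICE in the manifest. */
public class WhiteListVpnService extends VpnService {
    public static final String EXTRA_PACKAGES = "packages";      // hypothetical extra: the white list
    private static final String SERVER_HOST = "vpn.example.com"; // hypothetical remote VPN server
    private static final int SERVER_PORT = 4500;                 // hypothetical UDP port
    private static final int NONCE_LEN = 12, TAG_BITS = 128;
    // Stand-in for the session key agreed with the server in step 3; a real implementation derives
    // it from the protocol's key exchange instead of embedding a constant.
    private static final byte[] SESSION_KEY = new byte[32];
    private static final SecureRandom RNG = new SecureRandom();
    private volatile boolean running;

    @Override public int onStartCommand(Intent intent, int flags, int startId) {
        if (intent == null || !intent.hasExtra(EXTRA_PACKAGES)) return START_NOT_STICKY;
        running = true;
        List<String> pkgs = intent.getStringArrayListExtra(EXTRA_PACKAGES);
        new Thread(() -> runTunnel(pkgs), "vpn-uplink").start();
        return START_STICKY;
    }
    @Override public void onDestroy() { running = false; }

    private void runTunnel(List<String> pkgs) {
        Builder b = new Builder().setSession("whitelist-vpn")
                .addAddress("10.8.0.2", 32)               // tunnel-side address, assumed to come from the server
                .addRoute("0.0.0.0", 0).setMtu(1400);      // everything the allowed apps send goes into tun0
        for (String p : pkgs) {
            try {
                b.addAllowedApplication(p);    // per-app VPN (API 21+): only these packages use tun0
            } catch (PackageManager.NameNotFoundException e) {
                // not installed: skip it, the rest of the white list still gets its tunnel
            }
        }
        try (ParcelFileDescriptor tun = b.establish(); DatagramSocket sock = new DatagramSocket()) {
            if (tun == null) return;           // consent missing/revoked or another VPN took over
            protect(sock);                     // keep the carrier socket itself out of the tunnel
            sock.connect(InetAddress.getByName(SERVER_HOST), SERVER_PORT);
            FileInputStream fromApps = new FileInputStream(tun.getFileDescriptor());
            FileOutputStream toApps = new FileOutputStream(tun.getFileDescriptor());
            new Thread(() -> downlink(sock, toApps), "vpn-downlink").start();
            byte[] buf = new byte[32767];
            while (running) {
                int n = fromApps.read(buf);    // one raw IP packet written by a white-listed app
                if (n <= 0) continue;
                byte[] sealed = seal(Arrays.copyOf(buf, n));
                sock.send(new DatagramPacket(sealed, sealed.length));
            }
        } catch (Exception e) {
            stopSelf();                        // closing tun also ends the downlink thread
        }
    }

    private void downlink(DatagramSocket sock, FileOutputStream toApps) {
        byte[] buf = new byte[65535];
        DatagramPacket dp = new DatagramPacket(buf, buf.length);
        try {
            while (running) {
                dp.setLength(buf.length);      // receive() shrinks the length to the last datagram
                sock.receive(dp);
                byte[] plain = open(Arrays.copyOfRange(buf, dp.getOffset(), dp.getOffset() + dp.getLength()));
                if (plain != null) toApps.write(plain);   // only authenticated packets reach the app
            }
        } catch (Exception e) { running = false; }
    }

    /** Re-encapsulation: nonce || AES-256-GCM(packet) with a fresh random nonce per packet. */
    static byte[] seal(byte[] packet) throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_LEN];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(SESSION_KEY, "AES"), new GCMParameterSpec(TAG_BITS, nonce));
        byte[] out = Arrays.copyOf(nonce, NONCE_LEN + packet.length + TAG_BITS / 8);
        c.doFinal(packet, 0, packet.length, out, NONCE_LEN);     // ciphertext || tag after the nonce
        return out;
    }

    /** Returns null when authentication fails, so forged or corrupted datagrams are silently dropped. */
    static byte[] open(byte[] sealed) {
        if (sealed.length < NONCE_LEN + TAG_BITS / 8) return null;
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(SESSION_KEY, "AES"), new GCMParameterSpec(TAG_BITS, sealed, 0, NONCE_LEN));
            return c.doFinal(sealed, NONCE_LEN, sealed.length - NONCE_LEN);
        } catch (GeneralSecurityException e) {  // includes AEADBadTagException
            return null;
        }
    }
}
```

The service is started with an Intent carrying the white-listed package names under EXTRA_PACKAGES once prepare() has returned null; seal() and open() are the pair that the server side must mirror, and open(seal(p)) yields p for any packet while any single flipped byte of the datagram makes open() return null, which is the property that distinguishes this framing from plain forwarding.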
To make the invention easier to understand intuitively, an application scenario implemented with the method or device of the invention is introduced below.
On a mobile phone terminal implementing the method or device of the invention, a piece of security software implementing the invention registers the VPN service described above with the Android system to carry out information transmission with the VPN server. The security software detects the security of the network accessed by the device; for a network that presents a risk, it prompts the user to allow a secure communication tunnel based on a virtual private network protocol to be established for the currently running application, or it directly transmits the packets of the applications in the preset white list through the established tunnel. Before the tunnel is established, the security software performs a security scan of the application's installation file; it also has a cloud interface function, by which the characteristic information of the locally installed file can be transmitted through the remote interface to the cloud server, which returns the corresponding determination, and the security of the installation file is determined from that result, so that the user can be prompted according to the security of the installation file and deal with it accordingly. The security software obviously also has the function of providing a visible user interface by constructing an Activity component: it provides a window interface that displays the relevant information of the application and whether it is legitimate, and the user chooses how to handle the current application, thereby realizing human-machine interaction.
When the user runs an application, under the effect of the method or device of the invention the application does not immediately interact with its destination server but waits for the processing of the method or device of the invention. If the currently running application is in the preset white list or is an important application such as a payment application, the method or device of the invention silently takes effect and establishes a secure communication tunnel for it to guarantee the secure transmission of information. When the security software judges the installation file of the application to be illegitimate, it displays a prompt interface telling the user that the installation file of the application is illegitimate and provides the corresponding processing buttons; the user triggers the corresponding button to carry out the corresponding processing of the application. Thus, a secure communication tunnel is established for applications in a targeted manner, to guarantee the security of the transmission of the user's private data.
The above are only some embodiments of the invention. It should be pointed out that those skilled in the art can make improvements and modifications without departing from the principles of the invention, and such improvements and modifications should also be regarded as falling within the scope of protection of the invention.

Claims (10)

1. A secure interaction method for a mobile terminal application program, characterized in that it comprises the following steps:
obtaining identification information used to uniquely determine the identity of an application program;
judging, according to the identification information, whether the application program is in a preset white list;
establishing a communication tunnel based on a virtual private network protocol for the application program that is in the preset white list.
2. The method according to claim 1, characterized in that the identification information used to uniquely determine the identity of the application program comprises the UID of the application program.
3. The method according to claim 1, characterized in that the communication tunnel is implemented on the basis of any one of the protocols PPTP, L2TP and IPsec.
4. The method according to claim 1, characterized in that the white list is used to record the identification information of the application programs for which the communication tunnel is established.
5. The method according to claim 4, characterized in that it further comprises the step of receiving a user's selection instruction for installed application programs and recording the identification information of the selected application program in the white list.
6. A secure interaction device for a mobile terminal application program, characterized in that it comprises:
an identification information acquisition module for obtaining identification information used to uniquely determine the identity of an application program;
a judgment module for judging, according to the identification information, whether the application program is in a preset white list;
a communication tunnel establishment module for establishing a communication tunnel based on a virtual private network protocol for the application program that is in the preset white list.
7. The device according to claim 6, characterized in that the identification information used to uniquely determine the identity of the application program comprises the UID of the application program.
8. The device according to claim 6, characterized in that the communication tunnel is implemented on the basis of any one of the protocols PPTP, L2TP and IPsec.
9. The device according to claim 6, characterized in that the white list is used to record the identification information of the application programs for which the communication tunnel is established.
10. The device according to claim 9, characterized in that it further comprises a first interactive module configured to receive a user's selection instruction for installed application programs and record the identification information of the selected application program in the white list.
CN201510423080.6A 2015-07-17 2015-07-17 Secure interaction method and apparatus for mobile terminal application program Pending CN105100095A (en)

Publications (1)

Publication Number Publication Date
CN105100095A true CN105100095A (en) 2015-11-25

Family

ID=54579640

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103856524A (en) * 2012-12-04 2014-06-11 中山大学深圳研究院 Method and system for identifying legal content on basis of white list of user agent
CN104008482A (en) * 2014-06-10 2014-08-27 北京奇虎科技有限公司 Mobile terminal and payment method and device based on mobile terminal
CN104463569A (en) * 2014-11-11 2015-03-25 北京奇虎科技有限公司 Secure connection payment method and device
CN104580185A (en) * 2014-12-30 2015-04-29 北京工业大学 Method and system for network access control

Cited By (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106888186A (en) * 2015-12-15 2017-06-23 北京奇虎科技有限公司 Mobile terminal payment class application security method of payment and device
CN106888184A (en) * 2015-12-15 2017-06-23 北京奇虎科技有限公司 Mobile terminal payment class application security method of payment and device
CN105530255B (en) * 2015-12-16 2019-03-29 网宿科技股份有限公司 The method and device of checking request data
CN105530255A (en) * 2015-12-16 2016-04-27 网宿科技股份有限公司 Method and device for verifying request data
CN106937282A (en) * 2015-12-29 2017-07-07 北界创想(北京)软件有限公司 VPN access method and system based on mobile terminal
CN107197077A (en) * 2016-03-15 2017-09-22 阿里巴巴集团控股有限公司 Communication between devices methods, devices and systems
CN107294800B (en) * 2016-04-11 2021-02-26 深圳平安通信科技有限公司 Network data access control method and system based on mobile operating system
CN107294800A (en) * 2016-04-11 2017-10-24 深圳平安讯科技术有限公司 Network data access control method and system based on Mobile operating system
CN107948121A (en) * 2016-10-12 2018-04-20 深圳市百米生活股份有限公司 One kind is based on the encrypted Internet Security method and system of WiFi
CN106789909A (en) * 2016-11-22 2017-05-31 北京奇虎科技有限公司 The network data transmission method of application program, apparatus and system
CN108092947B (en) * 2016-11-23 2020-12-04 腾讯科技(深圳)有限公司 Method and device for identity authentication of third-party application
CN108092947A (en) * 2016-11-23 2018-05-29 腾讯科技(深圳)有限公司 A kind of method and device that identity discriminating is carried out to third-party application
CN106817377A (en) * 2017-03-27 2017-06-09 努比亚技术有限公司 A kind of data encryption device, decryption device and method
CN107332872A (en) * 2017-05-23 2017-11-07 成都联宇云安科技有限公司 A kind of method that Android device network agile management and control is realized based on VPN connections
CN108011896A (en) * 2017-12-26 2018-05-08 珠海市君天电子科技有限公司 Safety communicating method, device and electronic equipment based on application program
CN108306872B (en) * 2018-01-24 2022-03-18 腾讯科技(深圳)有限公司 Network request processing method and device, computer equipment and storage medium
CN108306872A (en) * 2018-01-24 2018-07-20 腾讯科技(深圳)有限公司 Network request processing method, device, computer equipment and storage medium
CN109167715A (en) * 2018-10-08 2019-01-08 北京爱普安信息技术有限公司 A kind of network management-control method and system
CN110674491A (en) * 2019-09-29 2020-01-10 上海淇玥信息技术有限公司 Method and device for real-time evidence obtaining of android application and electronic equipment
CN110674491B (en) * 2019-09-29 2022-02-01 上海淇玥信息技术有限公司 Method and device for real-time evidence obtaining of android application and electronic equipment
CN111107078A (en) * 2019-12-16 2020-05-05 深圳前海达闼云端智能科技有限公司 Application access method, robot control unit, server and storage medium
CN111107078B (en) * 2019-12-16 2023-04-07 达闼机器人股份有限公司 Application access method, robot control unit, server and storage medium
CN111800330A (en) * 2020-06-30 2020-10-20 苏州瑞立思科技有限公司 Proxy acceleration method and system for peripheral network traffic based on wireless access point
CN111800330B (en) * 2020-06-30 2021-12-03 苏州瑞立思科技有限公司 Proxy acceleration method and system for peripheral network traffic based on wireless access point

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20151125