Disclosure of Invention
In order to overcome the defects in the prior art, the technical problem to be solved by the invention is to provide a data transmission method and a data transmission device, which not only solve the problem of data transmission among processes, but also protect the safety of application private data.
In order to solve the above technical problem, the data transmission method of the present invention includes:
in response to receiving a data request issued by a requesting application, checking whether the requesting application and a target application that will process the data request are trusted;
in response to the requesting application and the target application both being trusted, sending the data request to the target application;
in response to the target application returning permission for the session, generating a unique check code and sending the unique check code, the requesting application information and the target application information to an application authorization center and an application data transmission system;
the application authorization center adding the application data transmission system into the sandboxes of the requesting application and of the target application, respectively, according to the received requesting application information, target application information and unique check code;
and the application data transmission system transmits data according to the stored unique check code.
As an improvement of the method of the present invention, the step of the application data transmission system transmitting data according to the unique check code stored therein includes: checking whether the unique check codes provided by the requesting application and by the target application are consistent with the unique check code stored by the application data transmission system; and transmitting the data in response to the unique check codes provided by the requesting application and the target application being consistent with a valid unique check code stored by the application data transmission system.
As another improvement of the method of the present invention, the method further comprises: after finishing the data transmission operation, the application data transmission system sets the unique check code as invalid or deletes the unique check code.
As a further improvement of the method of the present invention, the method further comprises: after the data transmission operation is completed, the application data transmission system informs the application authorization center that the data transmission operation corresponding to the unique check code is completed; and after receiving the notification, the application authorization center removes the authority of the application data transmission system from the sandbox authority of the requesting application and of the target application.
To solve the above technical problem, a data transfer apparatus according to the present invention includes:
a checking module, configured to, in response to receiving a data request sent by a requesting application, check whether the requesting application and the target application that is to process the data request are trusted;
a forwarding module, configured to send the data request to the target application in response to that the requesting application and the target application are both trusted;
a check code generating and sending module, configured to, in response to the target application returning permission for the session, generate a unique check code and send the unique check code, the requesting application information and the target application information to the application authorization center and the application data transmission system;
an authorization module, configured to enable the application authorization center to add the application data transmission system into the sandboxes of the requesting application and of the target application, respectively, according to the received requesting application information, target application information and unique check code;
and a data processing module, configured to enable the application data transmission system to transmit data according to the stored unique check code.
To solve the above technical problem, the tangible computer readable medium of the present invention includes computer program code for executing the data transfer method of the present invention.
To solve the above technical problem, the present invention provides an apparatus, comprising at least one processor; and at least one memory including computer program code, the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to perform at least some of the steps of the data transfer method of the present invention.
According to the invention, the validity of the application requesting the data transfer is verified while the data storage object agreed between the communicating processes is obtained, and the data is then copied from the private data space of one process into the data space of another process under dynamic authorization. This removes the insecurity caused by the existence of a super-privileged application, and the policy that application data can only be accessed by an authorization system ensures the security of application private data.
Other features and advantages of the present invention will become more apparent from the detailed description of the embodiments of the present invention when taken in conjunction with the accompanying drawings.
Detailed Description
Embodiments and examples of the present invention will be described in detail below with reference to the accompanying drawings.
The scope of applicability of the present invention will become apparent from the detailed description given hereinafter. It should be understood, however, that the detailed description and the specific examples, while indicating preferred embodiments of the invention, are given by way of illustration only.
For convenience of the following description, definitions of some terms are given below.
The sandbox refers to the running environment of each application program, and the sandbox saves all data needed and generated by the running of the application program, and the data cannot be accessed by the outside world.
Fig. 1 shows a flow chart of an embodiment of a data transfer method according to the invention. The steps of the data transmission method between two applications A and B will be described with reference to the flowchart shown in fig. 1.
In step S102, in response to receiving a data request, such as a data read or transmission request, sent by a requesting application A, the application negotiation center checks whether the requesting application A and the target application B that will process the data request are trusted and legitimate. Whether an application is authentic and legitimate can be determined by its signature, its unique identification number uid, or the like. For example, an application is considered a trusted, legitimate application as long as it satisfies one or more of the following conditions: 1) the application's signature certificate, looked up by the application name, is signed by the system application; 2) the installation source of the application, looked up by the application name, is an application store; 3) the unique identification number uid of the application, looked up by the application name, lies in the system uid interval, such as 0-20000. Of course, other determinations may be made as appropriate.
In step S104, the application negotiation center accepts the data request for the legitimate application A and application B processes and sends the data request to the application B process. If application B is not running, the B process can be started and the corresponding request then sent to it; alternatively, a negotiation failure is returned directly to the A process and processing ends.
In step S106, it is determined whether the negotiation succeeded. If the B process returns permission for the session, indicating that the negotiation succeeded, the process proceeds to step S108. Otherwise, the process proceeds to step S120.
In step S108, the application negotiation center generates a unique check code to indicate that the data transmission session channel has been established, so that the subsequent data transmission operation can be authenticated. The unique check code may be generated, for example, from the uids of the two applications and the current time. Other generation means may be employed as appropriate. The application negotiation center sends the check code and the uids of the A and B processes to the application authorization center and the application data transmission system, and at the same time feeds the unique check code back to the A and B processes.
In step S110, when the application authorization center receives the uids of the A and B processes and the unique check code issued by the application negotiation center, it adds the application data delivery system to the sandboxes of the A and B processes, respectively, so that the delivery system has the right to access the sandboxed data of A and B.
In step S112, the application data delivery system stores the check code issued by the negotiation center and starts data processing according to that check code.
In step S120, the process ends.
The invention copies data from one process to another only after verifying the validity and legality of the data access and performing a security authentication of the applications involved in the data operation, thereby solving the problem of data transmission among processes while protecting the security of application private data.
According to an embodiment of the present invention, step S112 includes: when the application data delivery system is used for data delivery, it first checks whether the check code provided by applications A and B is consistent with a valid check code stored in the delivery system itself. If they are consistent, the data processing operation is performed. Otherwise, the data transmission is not performed and the process ends.
Fig. 2 shows a flow chart of another embodiment of a data transfer method according to the present invention, which comprises, in addition to the steps of the method shown in fig. 1, after step S112:
In step S202, the application data delivery system sets the unique check code to invalid after completing the data delivery operation. Alternatively, the data delivery system may delete the unique check code after the data transfer operation is completed.
In step S204, the application data delivery system notifies the application authorization center that the data operation corresponding to the check code is completed.
In step S206, the application authorization center receives the data operation completion event sent by the application data delivery system and removes the authority of the application data delivery system from the sandbox authority of applications A and B, so as to prevent an attack that uses an invalidated check code.
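The following is an added, self-contained Python model of the flow in steps S102 through S112 and S202 through S206; it is illustrative code written for this page, not the patent's own implementation. The class names (NegotiationCenter, AuthorizationCenter, DataDeliverySystem, App), the dictionary representation of a sandbox, the sample uids and sandbox contents are all assumptions; the trust conditions and the 0-20000 uid interval are the ones the text gives. The random salt mixed into the check code is an added hardening choice, since a code derived only from two uids and the clock could be guessed by anyone who knows those values.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field

# Page: an application is trusted if one or more of the conditions below hold;
# the uid interval 0-20000 is the page's own example value.
SYSTEM_UID_INTERVAL = range(0, 20001)


@dataclass
class App:
    """A process with a private sandbox (assumed dict representation)."""
    name: str
    uid: int
    system_signed: bool = False      # condition 1
    install_source: str = "unknown"  # condition 2: "app_store" counts as trusted
    running: bool = True
    allows_session: bool = True      # B's answer in step S106
    sandbox: dict = field(default_factory=dict)


def is_trusted(app):
    """S102: signature, install source, or uid within the system interval."""
    return (app.system_signed
            or app.install_source == "app_store"
            or app.uid in SYSTEM_UID_INTERVAL)


def generate_check_code(uid_a, uid_b):
    """S108: derived from both uids and the current time; the random salt is an
    added assumption so the code is not predictable from uids and clock alone."""
    material = f"{uid_a}:{uid_b}:{time.time_ns()}:{secrets.token_hex(16)}"
    return hashlib.sha256(material.encode()).hexdigest()


class AuthorizationCenter:
    """S110 / S206: grants and revokes the delivery system's sandbox access."""
    def __init__(self):
        self._grants = {}  # check code -> uids whose sandboxes may be accessed

    def grant(self, code, uid_a, uid_b):
        self._grants[code] = frozenset((uid_a, uid_b))

    def has_access(self, code, uid):
        return uid in self._grants.get(code, frozenset())

    def revoke(self, code):  # S206: triggered by the completion notification
        self._grants.pop(code, None)


class DataDeliverySystem:
    """S112 / S202 / S204: one-time, check-code-gated copy between sandboxes."""
    def __init__(self, authz):
        self._authz = authz
        self._valid = {}  # stored check code -> (uid_a, uid_b) it was issued for

    def store(self, code, uid_a, uid_b):
        self._valid[code] = (uid_a, uid_b)

    def deliver(self, code_from_a, code_from_b, app_a, app_b, key):
        # S112: both presented codes must equal one stored, still-valid code.
        if not secrets.compare_digest(code_from_a, code_from_b):
            return False
        bound = self._valid.get(code_from_a)
        if bound is None or bound != (app_a.uid, app_b.uid):
            return False
        # Only sandboxes the authorization center added us to (S110) are touched.
        if not (self._authz.has_access(code_from_a, app_a.uid)
                and self._authz.has_access(code_from_a, app_b.uid)):
            return False
        if key not in app_a.sandbox:
            return False
        app_b.sandbox[key] = app_a.sandbox[key]  # copy A's private data into B
        del self._valid[code_from_a]             # S202: invalidate the code
        self._authz.revoke(code_from_a)          # S204/S206: notify, access removed
        return True


class NegotiationCenter:
    def __init__(self, authz, dds):
        self._authz, self._dds = authz, dds

    def negotiate(self, app_a, app_b):
        """S102-S112: returns the check code fed back to A and B, or None."""
        if not (is_trusted(app_a) and is_trusted(app_b)):  # S102
            return None
        if not app_b.running or not app_b.allows_session:  # S104 / S106 -> S120
            return None
        code = generate_check_code(app_a.uid, app_b.uid)   # S108
        self._authz.grant(code, app_a.uid, app_b.uid)      # S110
        self._dds.store(code, app_a.uid, app_b.uid)        # S112 (store)
        return code


def run_demo():
    """Constructed sample run: one legitimate transfer, one replay, one untrusted."""
    authz = AuthorizationCenter()
    dds = DataDeliverySystem(authz)
    center = NegotiationCenter(authz, dds)
    a = App("A", uid=10050, sandbox={"contact": "alice@example.test"})  # constructed
    b = App("B", uid=10060)
    stranger = App("M", uid=99999)  # unsigned, unknown source, uid outside interval
    code = center.negotiate(a, b)
    first = dds.deliver(code, code, a, b, "contact")
    replay = dds.deliver(code, code, a, b, "contact")  # code already invalidated
    return {"negotiated": code is not None, "first": first,
            "copied": b.sandbox.get("contact"), "replay": replay,
            "untrusted": center.negotiate(stranger, b),
            "access_left": authz.has_access(code, a.uid)}


if __name__ == "__main__":
    print(run_demo())
```

The point the model makes concrete is that the delivery system never holds standing access: access exists only between the grant in S110 and the revocation in S206, and because the code is deleted on completion, presenting the same code a second time is rejected even if the sandbox grant had not yet been removed.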
Fig. 3 shows a schematic structural diagram of an embodiment of a data transfer device according to the present invention, the device comprising: a checking module 310, configured to, in response to receiving a data request issued by a requesting application, check whether the requesting application and the target application that will process the data request are trusted; a forwarding module 320, configured to send the data request to the target application in response to the requesting application and the target application both being trusted; a check code generating and sending module 330, configured to generate a unique check code in response to the target application returning permission for the session, and to send the unique check code, the requesting application information and the target application information to the application authorization center and the application data transmission system; an authorization module 340, configured to enable the application authorization center to add the application data delivery system into the sandboxes of the requesting application and of the target application, respectively, according to the received requesting application information, target application information and unique check code; and a data processing module 350, configured to enable the application data delivery system to perform data delivery according to the unique check code stored in the application data delivery system. The checking module 310 may include one or more of: a first determining submodule for determining whether the signature certificate of an application is signed by the system application; a second determining submodule for determining whether the application is from an application store; and a third determining submodule for determining whether the unique identification uid of the application is within the system uid interval.
According to one embodiment of the apparatus of the present invention, the data processing module 350 includes: a check submodule 352, configured to check whether the unique check codes provided by the requesting application and the target application are consistent with the unique check code stored in the application data delivery system itself; and a data transfer submodule 354, configured to perform the data transfer in response to the unique check codes provided by the requesting application and the target application being consistent with the valid unique check code stored in the application data transfer system.
Fig. 4 shows a schematic structural diagram of another embodiment of the data transfer device according to the present invention, which includes, in addition to all the modules shown in fig. 3: a setting module 410, configured to enable the application data delivery system to set the unique check code as invalid, or to delete it, after completing the data delivery operation; a notification module 420, configured to enable the application data delivery system to notify the application authorization center that the data delivery operation corresponding to the unique check code is completed, after the data delivery operation is completed; and a removing module 430, configured to enable the application authorization center to remove the permissions of the application data delivery system from the sandbox permissions of the requesting application and the target application after receiving the notification.
The particular features, structures, or characteristics of the various embodiments described herein may be combined as suitable in one or more embodiments of the invention. Additionally, in some cases, the order of steps depicted in the flowcharts and/or in the pipelined process may be modified, as appropriate, and need not be performed exactly in the order depicted. In addition, various aspects of the invention may be implemented using software, hardware, firmware, or a combination thereof, and/or other computer implemented modules or devices that perform the described functions. Software implementations of the present invention may include executable code stored in a computer readable medium and executed by one or more processors. The computer readable medium may include a computer hard drive, ROM, RAM, flash memory, portable computer storage media such as CD-ROM, DVD-ROM, flash drives, and/or other devices, for example, having a Universal Serial Bus (USB) interface, and/or any other suitable tangible or non-transitory computer readable medium or computer memory on which executable code may be stored and executed by a processor. The present invention may be used in conjunction with any suitable operating system.
As used herein, the singular forms "a", "an" and "the" include plural references (i.e., have the meaning "at least one"), unless the context clearly dictates otherwise. It will be further understood that the terms "has," "includes" and/or "including," when used in this specification, specify the presence of stated features, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, elements, components, and/or groups thereof. The term "and/or" as used herein includes any and all combinations of one or more of the associated listed items.
The foregoing describes some preferred embodiments of the present invention, but it should be emphasized that the invention is not limited to these embodiments, but can be implemented in other ways within the scope of the inventive subject matter. Various changes and modifications of the present invention can be made by those skilled in the art without departing from the spirit and scope of the present invention, and these changes and modifications still fall within the scope of the present invention.