CN106888184A - Mobile terminal payment class application security method of payment and device - Google Patents

Abstract

The present invention provides a kind of mobile terminal payment class application security method of payment, including step：Monitor and pay class application program into payment scene；Whether detection mobile terminal accesses WiFi, to determine whether to set up escape way for the application program；Connection request is sent to vpn server by being serviced to the VPN of system registry in advance, with the escape way between foundation and vpn server；Send payment data to complete delivery operation to remote server based on the escape way.Meanwhile, a kind of mobile terminal payment class application security payment mechanism is also provided, including monitors module, escape way and set up module and payment module.The method of the invention or device make payment class application program carry out secure interactive with its server, it is ensured that the safety of user profile in transmitting procedure by setting up escape way, prevent the private data of user to be stolen.

Description

Mobile terminal payment class application security method of payment and device

Technical field

The present invention relates to moving communicating field, specifically, the present invention relates to a kind of mobile terminal payment Class application security method of payment and its device.

Background technology

With continuing to develop for intelligent mobile terminal, increasing mobile terminal application journey is occurred in that Sequence, and application program during service is provided the user, it is necessary to network and its server is led to Letter, due to the set meal limited flow that mobile network provides, limits the use of user, so generally using Family prefers to connect the unrestricted wireless network for using, such as free WiFi, also therefore promotes and exempts from Take the growth momentum of WiFi, user networks quick using free WiFi instruments and using free WiFi Popularized, look for free WiFi to have become the daily habits of user's mobile Internet access whenever and wherever possible.

But if being connected to unsafe WLAN in communication process, certain wind can be caused Danger.The WiFi routers for implanting fishing function are such as connected to, the packet sent in communication process May be held as a hostage, cause the information leakage of user, especially for some as Alipay, wechat, The important payment class application such as Net silver, information leakage can bring extreme loss to user.Lawless person is led to Cross the hostile networks such as the deception of malice DNS, ARP, ICMP abduction and kidnap means, steal the body of user The sensitive informations such as part, account, transaction, or even process of exchange is kidnapped or fraud of being gone fishing.For This insecure communication situation, android system is serviced there is provided VPN, but when the stream of all applications Amount is all serviced by VPN, then will necessarily be exceeded the disposal ability of vpn server, be caused network Obstruction so that the application experience of user is deteriorated.Therefore, how in institute's access network without safety verification Or and it is dangerous in the case of guarantee payment the secure interactive of class application program, it is to avoid significant data or Information leakage, becomes problem demanding prompt solution.

The content of the invention

The purpose of the present invention aims to solve the problem that above-mentioned at least one problem, there is provided a kind of mobile terminal payment class Application security method of payment and related device, selectively protect to paying class application program Shield, there is provided escape way, avoids bringing excessive to vpn server in the safe colleague that guarantees payment Pressure.

To achieve these goals, the present invention provides a kind of mobile terminal payment class application security branch The method of paying, comprises the following steps：

Monitor and pay class application program into payment scene；

Whether detection mobile terminal accesses WiFi, to determine whether that setting up safety for the application program leads to Road；

Connection request is sent to vpn server by being serviced to the VPN of system registry in advance, to build The vertical escape way and vpn server between；

Send payment data to complete delivery operation to remote server based on the escape way.

Further, it is described also to include the step of set up escape way：

The VPN services are set up after being connected with vpn server and are communicated with determining that setting up passage adopts Communication protocol, AES, key and relevant parameter information.

Optionally, the escape way is based on any one agreement in PPTP, L2TP, IPSec Realize.

Further, it is described set up escape way before also include providing safe DNS service, specific bag Include following steps：

The DNS request packet that the mobile terminal sends is captured, by DNS data bag conversion It is corresponding DNSSEC request data packages；

The DNSSEC request data packages to dns server are sent, is taken with receiving the DNS The DNSSEC response data packets that business device is returned；

The DNSSEC response data packets that the mobile terminal is received are captured, by the DNSSEC Response data packet is converted to corresponding DNS response data packets.

Specifically, using Hook Function capture mobile terminal system application layer dns resolution interface with Obtain DNS request packet.

Further, also including step：One user interface is provided, for asking whether to set up passage, Foundation is chosen to be with user to determine whether to set up the escape way.

Preferably, before the payment class application program is paid, operation of clearing out a gathering place is first carried out.

Preferably, after setting up the escape way, to the payment data bag transmitted through the escape way It is encrypted.

Specifically, the encryption of the payment data bag uses rivest, shamir, adelman.

Further, also including setting up white list, the identification information for recording payment application, The escape way only is set up to the payment application in white list.

Further, also the identification information of payment application is obtained, according to the body including step Part identification information judgment payment application is with the presence or absence of in the white list.

Further, the payment application in white list is increased including receiving user instruction also Plus or deletion action.

Further, user is received to having installed the selected instruction of payment application, by selected payment The identification information recording of application program is in the white list.

Specifically, UID of the identification information of the payment application including the application program, Bag name.

A kind of mobile terminal payment class application security payment mechanism, including：

Monitor module：Class application program into payment scene is paid for monitoring；

Detection module：For detecting whether mobile terminal accesses WiFi, to determine whether the being application Program sets up escape way；

Escape way sets up module：For by being serviced to VPN clothes to the VPN of system registry in advance Business device sends connection request, with the escape way between foundation and vpn server；

Payment module：For sending payment data to complete branch to remote server based on the escape way Pay operation.

Specifically, the escape way is set up the step of module is performed including：

The VPN services are communicated with determining to set up the communication protocols that passage is used with vpn server View, AES, key and relevant parameter information.

Optionally, the passage is based on any one protocol realization in PPTP, L2TP, IPSec.

Further, before escape way sets up module execution, also including DNS service module, use In safe DNS service is provided, following steps are performed：

The DNS request packet that the mobile terminal sends is captured, by DNS data bag conversion It is corresponding DNSSEC request data packages；

The DNSSEC request data packages to dns server are sent, is taken with receiving the DNS The DNSSEC response data packets that business device is returned；

The DNSSEC response data packets that the mobile terminal is received are captured, by the DNSSEC Response data packet is converted to corresponding DNS response data packets.

Specifically, the DNS service module captures mobile terminal system application layer using Hook Function Dns resolution interface obtaining DNS request packet.

Further, also including interactive module, a user interface is configured to supply, for asking whether Passage is set up, being chosen to be foundation with user determines whether to set up the escape way.

Preferably, also including module of clearing out a gathering place, for paying before class application program paid, first hold Capable operation of clearing out a gathering place.

Further, also including encrypting module, after setting up escape way, to the branch through channel transfer Packet is paid to be encrypted.

Specifically, the encryption of the payment data bag uses rivest, shamir, adelman.

Specifically, also including white list module, the identity for recording payment application is set up The white list of information, only sets up the escape way to the payment application in white list.

Further, also including judge module, the identification information for obtaining payment application, Judge that the payment application whether there is in the white list according to the identification information.

Further, the white list module is additionally operable to receive user instruction, should to the payment in white list Increased with program or deletion action.

Further, the white list module is additionally operable to receive user to having installed payment application Selected instruction, by the identification information recording of selected payment application in the white list.

Specifically, UID of the identification information of the payment application including the application program, Bag name.

Compared to existing technology, the solution of the present invention has advantages below：

First, the present invention utilizes the VPN frameworks of android system, exclusively for payment class application journey Sequence provides a public VPN service, is passed by servicing the passage set up offer safety based on VPN Defeated passage so that pay class application program when being paid, can be taken with it by the escape way Business device carries out secure interactive, it is ensured that the safety of user profile in transmitting procedure, prevents the privacy number of user According to being stolen.

Secondly, it is of the invention further for payment process provides safe DNS service, and to communication data It is encrypted, real IP address is changed by safe dns server, prevents malice DNS from robbing Hold communication data；Meanwhile, communication data is encrypted, further enhance the peace of transmission data Quan Xing, is that user brings safer payment to experience.

Furthermore, the present invention sets up white list, to determine the legitimacy of application program before passage is set up, To avoid illegal or malicious application by escape way interactive information.Simultaneously for not conforming to The application program of method provides user interface, to point out user to process illegal application program, and carries For corresponding processing item button, to guide user to perform respective handling to malice or illegal program.By This, can improve the resolution to needing to set up the application program that passage carries out secure interactive, be that user carries For intelligent Service, to guide user that rational treatment is made to illegal application program, user is improved Experience Degree.

Finally, the present invention is only protected to paying class application program, and according to the WiFi's for connecting Security decides whether to automatically turn on escape way, and provides the payment class application program to white list Enter the operation of Mobile state additions and deletions, so as to realize that in the disposal ability no more than vpn server be situation Under, even if network environment has certain risk, still can guarantee that user is pacified by mobile terminal It is complete to pay, protect the related data of user.

The additional aspect of the present invention and advantage will be set forth in part in the description, and these will be from following Description in become obvious, or by it is of the invention practice recognize.

Brief description of the drawings

The above-mentioned and/or additional aspect of the present invention and advantage to embodiment from retouching below in conjunction with the accompanying drawings Be will be apparent in stating and be readily appreciated that, wherein：

Fig. 1 is that the principle of mobile terminal payment class application security method of payment of the present invention is shown It is intended to；

Fig. 2 is the operating method schematic diagram of safe DNS service described in the embodiment of the present invention；

Fig. 3 is the method for building up schematic flow sheet of escape way described in the embodiment of the present invention；

Fig. 4 is the another reality of mobile terminal payment class application security method of payment of the present invention Apply the schematic flow sheet of example；

Fig. 5 is the structural frames of mobile terminal payment class application security payment mechanism of the present invention Figure.

Specific embodiment

Embodiments of the invention are described below in detail, the example of the embodiment is shown in the drawings, its In from start to finish same or similar label represent same or similar element or with same or like The element of function.Embodiment below with reference to Description of Drawings is exemplary, is only used for explaining this Invention, and be not construed as limiting the claims.

Those skilled in the art of the present technique are appreciated that unless expressly stated, singulative used herein " one ", " one ", " described " and " being somebody's turn to do " may also comprise plural form.It is to be further understood that Used in specification of the invention wording " including " refer to the presence of the feature, integer, step, behaviour Make, element and/or component, but it is not excluded that in the presence of or add one or more other features, whole Number, step, operation, element, component and/or their group.It should be understood that when we claim element It is " connected " or during " coupled " to another element, it can be directly connected or coupled to other elements, or Can also there is intermediary element in person.Additionally, " connection " used herein or " coupling " can be included wirelessly Connection or wireless coupling.Wording "and/or" used herein includes one or more associated listing The whole or any cell of item and all combination.

Those skilled in the art of the present technique are appreciated that unless otherwise defined, all terms used herein (including technical term and scientific terminology), with art of the present invention in those of ordinary skill General understanding identical meaning.It should also be understood that those arts defined in such as general dictionary Language, it should be understood that with the meaning that the meaning in the context with prior art is consistent, and remove It is non-as here by specific definitions, will not otherwise be explained with idealization or excessively formal implication.

Those skilled in the art of the present technique be appreciated that " terminal " used herein above, " terminal device " both Equipment including wireless signal receiver, its wireless signal receiver for only possessing non-emissive ability sets It is standby, and the equipment including receiving and launch hardware, it has and can be performed on bidirectional communication link The reception of two-way communication and the equipment of transmitting hardware.This equipment can include：Honeycomb or other communications Equipment, its have single line display or multi-line display or the honeycomb without multi-line display or Other communication equipments；PCS (Personal Communications Service, PCS Personal Communications System), It can be with combine voice, data processing, fax and/or its communication ability；PDA(Personal Digital Assistant_,Personal digital assistant), its can include radio frequency receiver, pager, mutually The access of networking/Intranet, web browser, notepad, calendar and/or GPS (Global Positioning System, global positioning system) receiver；Conventional laptop and/or palmtop computer or other set It is standby, its have and/or conventional laptop and/or palmtop computer including radio frequency receiver or other Equipment." terminal " used herein above, " terminal device " can be portable, can transport, be arranged on In the vehicles (aviation, sea-freight and/or land), or it is suitable for and/or is configured to local Operation, and/or with distribution form, operate in any other position operation in the earth and/or space.This In " terminal ", " terminal device " that is used can also be communication terminal, access terminals, music/video Playback terminal, for example, can be that (Mobile Internet Device, mobile Internet sets for PDA, MID It is standby) and/or mobile phone, or intelligent television, machine top with music/video playing function The equipment such as box.

Those skilled in the art of the present technique are appreciated that remote network devices used herein above, and it includes But it is not limited to computer, network host, single network server, multiple webserver collection or multiple The cloud that server is constituted.Here, cloud is by a large amount of calculating based on cloud computing (Cloud Computing) Machine or the webserver are constituted, wherein, cloud computing is one kind of Distributed Calculation, by the loose coupling of a group One super virtual computer of the computer collection composition of conjunction.In embodiments of the invention, far-end network Can realize communicating by any communication mode between equipment, terminal device and WNS servers, including But it is not limited to, the mobile communication based on 3GPP, LTE, WIMAX, based on TCP/IP, UDP The computer network communication of agreement and the low coverage side of being wirelessly transferred based on bluetooth, Infrared Transmission standard Formula.

It will be appreciated by those skilled in the art that " application ", " application program " alleged by the present invention, " application software " and the concept of similar statement, is the same concept well known to those skilled in the art, Refer to instructed by series of computation machine and the organic construction of related data resource be suitable to electronics operation meter Calculation machine software.Unless specified, programming language species, rank are not received in this name in itself, also not The operating system or platform of operation of being rely by it is limited.In the nature of things, this genus is not also appointed The terminal of what form is limited.

With the development of internet, communication security becomes to become more and more important, wherein logical for mobile terminal For letter safety, the Communication Security Problem of third-party application is one of sixty-four dollar question.Generally, pacify Full software can provide the testing result that some mobile devices are connected to wireless router process, but to route And the process of Internet communication is helpless, safety, current VPN can only be responsible for by encrypting VPN Service is typically all the personal service for authorizing.And access during public network communicated, hold very much Communication data packet is intercepted by hacker easily, the private data of user, particularly user's profit are got with this During moving payment with public network, it is easy to the account of the mobile payment that is stolen, password, The packets such as identifying code, further decode and obtain data therein, so as to bring irreparable to user Loss, based on this, with the present invention provide method to pay class application program communication process carry out Encryption, to realize the protection to user data.

Refering to shown in Fig. 1, mobile terminal payment class application security method of payment of the present invention has Body is comprised the following steps：

S11, monitoring pay class application program and enter payment scene；

It is described to pay that class application program is various including Alipay, webpage, the wechat etc. to possess payment function Application program, systemic presupposition monitors module, monitors the startup for paying class application program, should when class is paid When being opened with program, system sends broadcast message, and the payment class that monitoring module receives system transmission should The broadcast message started with program, parses to it, obtains the identity mark of the payment class application program Knowledge information.Entrance function to the application program is linked up with, to monitor whether it enters payment scene. Wherein, when monitoring it and carrying out payment scene, corresponding security module is called, is carried out with to system Scanning, determines whether there is hiding background program, if there is caching record information, if In the presence of the program that execution is monitored, and those programs are processed, positive closing or removing are recorded, complete Into the operation of clearing out a gathering place before payment.

Whether S12, detection mobile terminal access WiFi, are pacified with determining whether to be set up for the application program Full tunnel；

Due to user free public WiFi accustomed to using, to save campus network, therefore the present invention is real Example is applied to focus on to set up escape way to the payment behavior for accessing WiFi.Based on this, user is detected first Whether WiFi is accessed, and mobile terminal is accessed various types of networks by usual user's selection, including is moved The various network formats that dynamic operator provides mobile communications network (such as CDMA, TD-CDMA, LTE etc.), WLAN (such as WiFi).Wherein, for WLAN, divide again It is refined net and public network.And some public networks are often provided by the Wi-Fi hotspot of malice, When mobile terminal accesses the network, the packet of communication is easily intercepted, so as to obtain the hidden of user Personal letter ceases, and encrypts WiFi and also easily cracked easily by hacker.Therefore, first to customer mobile terminal The network of access is detected, to determine whether to access WiFi, so as to selectively pass through WiFi The application program of transmission information provides protection.

When detecting network that mobile terminal is currently accessed and being WiFi, the application program of mobile terminal The method provided using the embodiment of the present invention carries out information exchange, is stolen with the information for avoiding user Take, it is ensured that the safety of privacy of user data.Meanwhile, only to access WiFi mobile terminal payment Method sets up escape way to class application program in accordance with the present invention, in the same of protection user information safety When take into account the disposal ability of vpn server, it is to avoid cross multiple utility program and set up what escape way brought Excessive pressure.

S13, by advance to the VPN of system registry service to vpn server send connection request, With the escape way between foundation and vpn server；

In order to realize the foundation to escape way, the method for the invention is in advance to system registry one VPN is serviced, and the control set up with maintenance channel is obtained with by the service.Wherein, the passage Refer to the passage based on Virtual Private Network protocol realization, specifically, can using PPTP, L2TP, Any one protocol realization in IPSec.In a particular embodiment, set up based on android system The principle of VPN services is as follows：

1st, application program delivers a packet to the real network equipment using socket；

2nd, all data, using NAT, are forwarded a packet to TUN virtual nets by system by iptables Network equipment, port is tun0；

3rd, system VPN service routines open TUN equipment and read corresponding data, are owned It is forwarded to the IP bags on TUN virtual network devices；

4th, VPN service routines are processed to the IP packets of above-mentioned acquisition, are set by real network Preparation is seen off.

Based on above-mentioned principle, the Vpnservice frameworks provided by android system, using system The API of offer, obtains all IP packets of application program, is processed with to IP packets, It is attached with distal end vpn server and is interacted, the IP packets of application program is entered in realization through passage Row safe transmission.

In a particular embodiment, the escape way is taken in Preset Time from mobile terminal to VPN Business device sends connection request, and carries out response completion connection by server, if in the Preset Time, Usually it is not connected with 5s successfully, then performs second attended operation automatically, it is logical to set up safety Road.

As shown in Fig. 2 the present invention further provided safe DNS service before escape way is set up. When application program accesses remote server, domain name can be converted into by a domain name resolution server IP address.Domain name resolution server is then by inquiring about root name server, TLD server, power The multistage server node such as prestige name server, obtains the IP of target remote server in a recursive manner Address, and the IP address is transferred to application client.And in the process, it is easy to let out Reveal the information of server ip address, so as to cause the leakage of user profile.Malice DNS generally can be with Personation answer party sends a response data packet for forgery to requesting party, including an IP for mistake Address, so that the packet that requesting party sends is redirected to the server address of mistake, causes user The severe leakage of information.Based on this, it is existing that Internet engineering task force has formulated a set of cooperation The security extension system of DNS systems, i.e. DNSSEC, to solve malice DNS deceptions, abduction etc. Unsafe acts.Wherein, the operation principle of the DNSSEC is as follows：

DNSSEC is the data addition digital signature information in DNS, takes the DNS of each node Business device can be by checking that the digital signature information judges the true of reply data after response message is obtained Reality, thus for DNS data provides source-verify and integrity check.The DNSSEC data Bag is specifically included：Public key for storing checking DNS data；For storing DNS resource records Digital signature；The information such as higher level's authorized signature.

The safe DNS service that the present invention is provided specifically includes following steps：

S101：The DNS request packet that the mobile terminal sends is captured, by the DNS data Bag is converted to corresponding DNSSEC request data packages；

S102：The DNSSEC request data packages to dns server are sent, it is described to receive The DNSSEC response data packets that dns server is returned；

S103：The DNSSEC response data packets that the mobile terminal is received are captured, will be described DNSSEC response data packets are converted to corresponding DNS response data packets.

Wherein, the step of capture DNS request packet, using the advance Hook Function for building, Dns resolution interface to system application layer is linked up with, to capture corresponding DNS request packet. Certainly, the capture DNS request packet can also be by Hook Function to the phase of protocol-driven layer Answer interface to be linked up with, and then obtain corresponding DNS request packet.The embodiment of the present invention passes through For payment process provides safe DNS service, change the real IP address of the remote server for accessing, Prevent malice DNS from kidnapping communication data or maliciously distort IP, so as to avoid user profile from being stolen.

In a particular embodiment, VPN service is not before the passage is set up, can first to User interface bullet frame, that is, provide a user interface, to prompt the user whether to build current application program Vertical passage.When the passage is set up in user's selection, by the corresponding work(of the VPN service calling systems Can, set up the passage based on virtual private fidonetFido；Otherwise, passage is not set up.I.e., if set up The control of the passage gives user, and being chosen to be foundation with user decides whether to set up the passage.

In a particular embodiment, further, the payment class application program is entered with remote server During row payment data is exchanged, first please by DNS by the DNS security service of above-mentioned offer Packet is asked to be converted to corresponding DNSSEC request data packages, and please by the corresponding DNSSEC Ask packet that the DNSSEC number of responses that dns server feedback is received to dns server occurs According to bag, and the corresponding DNSSEC response data packets are converted into DNS response data packets, to obtain Take the IP address of remote server.Set up based on the IP address and the safety between remote server is led to Road, as shown in figure 3, the establishment step of the escape way is as follows：

Step 1：VPN is serviced and is sent connection request to vpn server；

Step 2：The connection set up between VPN services and vpn server；

Step 3：The VPN services are communicated with determining that setting up passage uses with vpn server Communication protocol, AES, key and relevant parameter information.

After setting up above-mentioned escape way so that pay class application program when being paid, can pass through The escape way carries out secure interactive with its server, it is ensured that the safety of user profile in transmitting procedure, The private data of user is prevented to be stolen.

Further, embodiment of the present invention is to carrying out the application program of signal transmission based on the passage Communication data packet determine that AES is encrypted according to above-mentioned steps 3, and determine according to step 3 Communication protocol communication data packet is Resealed so that encapsulation after encryption data bag set up Passage in safe transmission.Wherein, the communication data packet to the application program is encrypted use AES is rivest, shamir, adelman.Thus, the security of transmission data is further enhanced, For user brings safer payment to experience.

Further, believe in order to avoid illegal or malicious application is interacted by escape way Breath, the present invention sets up white list, only right to determine the legitimacy of application program before passage is set up Application program in the white list sets up the escape way.If application program is not belonging to default Application program in white list, then do not set up the escape way, directly by the data of the application program Bag is transmitted to its destination server through WLAN, with complete application program and its destination server it Between communication.Wherein, the white list is used to record the identification information of payment application, should Identification information including the UID of the application program, bag name etc. can uniqueness determine application program The information of identity.

Specifically, the white list pre-sets generation by user, a user interface can be specifically provided, The selected instruction that user pays class application program to having installed is received, by selected payment class application program Identification information recording in the white list, set up institute with to the payment class application program in the white list State escape way.When the identification information of current operation application program is got, whether it is inquired about Whether it is present in default white list, to the application program to set up escape way really.To enter one Step it is user-friendly, improve Experience Degree, also provide the application program in white list is increased or The function of deletion action.Class application program is paid when user is intended to unload certain, or is re-downloaded and is mounted with New payment class application program, can be by being deleted white list or being increased operation, to update white name The information recorded in list.Thus, the white list based on the record is selectively application program and sets up peace Full tunnel, makes the foundation of escape way more rationalize.

User interface is provided simultaneously for illegal application program, to point out user to answer illegal Processed with program, and corresponding processing item button is provided, to guide user to malice or illegal journey Sequence performs respective handling.Thus, can improve carry out the application program of secure interactive to needing to set up passage Resolution, intelligent Service is provided the user, to guide user to make conjunction to illegal application program The treatment of reason, improves user experience.

Further, for of the invention rather than a certain specific embodiment, can be by strengthening to net The identification of network environment and strengthen the protection of application program for mobile terminal communication security.Such as WiFi access points Two classes can be divided into, one is the proprietary access point with certain security, such as office, family's private There is environment access point；Two is the public network access point for using in public places, such as dining room, coffee shop, And the access point of each operator's offer etc..The method of the invention can be exempted from independently or in such as 360 The application of expense WiFi etc is combined and uses, and the security of Network Access Point is detected, if public Network Access Point, then force Alipay to mobile terminal etc. pay class application or other it is important should With setting up the passage, it is also possible to need application program bullet frames prompting user to be protected based on other, by User chooses whether to set up passage to corresponding application program, thus with ensure mobile terminal install should The security communicated in the public network that existence information is revealed with program.And for security compared with The Network Access Point of private environment high, it is possible to provide related pre-sets item, independently determined by user be It is no to be defaulted as corresponding application program and set up passage carrying out the remote transmission of data.

In sum, the present invention is only protected to paying class application program, and according to the WiFi of connection Security decide whether to automatically turn on escape way, and provide to the payment class application journey of white list Sequence enters the operation of Mobile state additions and deletions, so as to realize in the case where user's request is met, it is to avoid to VPN Server causes excessive pressure, prevents it from collapsing.

S14, payment data is sent completing delivery operation to remote server based on the escape way.

By the escape way set up, pay class application program carries out data friendship with its remote server Mutually, the payment information that user is input into by payment interface is obtained, corresponding payment information is packaged into number According to bag, and it is encrypted according to the key arranged with remote server, to generate the packet after encryption, By the escape way and the communication protocol of agreement, the packet is sent to remote server.Remotely Server receives the packet that the payment class application program sends, and it is parsed, and obtains phase The payment data answered, and confirmation treatment is carried out to it, return to response bag.Using the branch with mobile terminal The key for paying class application client agreement is encrypted, the packet after generation encryption, by institute The communication protocol of escape way and agreement is stated, reply data bag is fed back into the client, so that complete Into the payment process.

With reference to shown in Fig. 4, in order to further illustrate method of the present invention using procedural language, Following examples are provided, to describe the principle of the method for the invention by way of procedure, specifically Including：

S201, payment class application program enter to pay scene and complete clears out a gathering place；

S202, judge whether mobile terminal accesses WiFi；If then going to S203, if otherwise going to S211；

S203, ejection indicating risk interface, it is proposed that user is paid using escape way；

Whether S204, user select secure payment passage；If then going to S205, if otherwise going to S211；

Escape way is set up in S205, trial；

Success or not is set up in S206, escape way 5s；If successfully going to S211, if not into Work(goes to S207；

S207, carry out second foundation of escape way automatically；If foundation unsuccessfully goes to S209, If be successfully established going to S208；

S208, ask whether to set up escape way again, S205 is if it is gone to, if otherwise Go to S211；

S209, ejection escape way set up failure prompting interface；

Whether S210, user select that delivery operation wouldn't be carried out；If go to exiting payment scene, Execution delivery operation is gone to if not；

S211, execution delivery operation；

S212, exit payment scene.

Based on the above-mentioned original to mobile terminal payment class application security method of payment of the present invention The explanation that reason is carried out, in order to further modularly explain the method for the invention, with reference to shown in Fig. 5, A kind of mobile terminal payment class application security payment mechanism is provided, including monitors module 11, inspection Module 12, escape way is surveyed to set up in module 13, payment module 14, and Partial Transformation embodiment Described DNS service module 15, interactive module 16, module of clearing out a gathering place 17, encrypting module 18, sentence Disconnected module 19, white list module 20, wherein,

Monitoring module 11 is used to monitor payment class application program into payment scene；

It is described to pay that class application program is various including Alipay, webpage, the wechat etc. to possess payment function Application program, systemic presupposition monitors module 11, monitors the startup for paying class application program, works as payment When class application program is opened, system sends broadcast message, monitors the payment that module receives system transmission The broadcast message of class application program launching, parses to it, obtains the body of the payment class application program Part identification information.Entrance function to the application program is linked up with, to monitor whether it enters payment Scene.Wherein, when monitoring it and carrying out payment scene, corresponding security module is called, with to being System is scanned, and determines whether there is hiding background program, if there is caching record information, With the presence or absence of the program that execution is monitored, and module 17 of clearing out a gathering place is called to process those programs, by force Record is closed or removed to system, completes the operation of clearing out a gathering place before paying.

Detection module 12 is used to detect whether mobile terminal accesses WiFi, to determine whether the being application Program sets up escape way；

When it is WiFi that detection module 12 detects the network that mobile terminal is currently accessed, mobile terminal Application program information exchange is carried out using the method that the embodiment of the present invention is provided, to avoid user's Information is stolen, it is ensured that the safety of privacy of user data.Meanwhile, only to the mobile end of access WiFi Method sets up escape way to the payment class application program at end in accordance with the present invention, in protection user profile The disposal ability of vpn server is taken into account while safe, it is to avoid cross multiple utility program and set up safe logical The excessive pressure that road brings.

Escape way sets up module 13 for by being serviced to VPN to the VPN of system registry in advance Server sends connection request, with the escape way between foundation and vpn server；

In order to realize the foundation to escape way, the method for the invention is in advance to system registry one VPN is serviced, and the control set up with maintenance channel is obtained with by the service.Wherein, the passage Refer to the passage based on Virtual Private Network protocol realization, specifically, can using PPTP, L2TP, Any one protocol realization in IPSec.In a particular embodiment, set up based on android system The principle of VPN services is as follows：

1st, application program delivers a packet to the real network equipment using socket；

2nd, all data, using NAT, are forwarded a packet to TUN virtual nets by system by iptables Network equipment, port is tun0；

3rd, system VPN service routines open TUN equipment and read corresponding data, are owned It is forwarded to the IP bags on TUN virtual network devices；

4th, VPN service routines are processed to the IP packets of above-mentioned acquisition, are set by real network Preparation is seen off.

Based on above-mentioned principle, the Vpnservice frameworks provided by android system, using system The API of offer, obtains all IP packets of application program, is processed with to IP packets, It is attached with distal end vpn server and is interacted, the IP packets of application program is entered in realization through passage Row safe transmission.

In a particular embodiment, the escape way is taken in Preset Time from mobile terminal to VPN Business device sends connection request, and carries out response completion connection by server, if in the Preset Time, Usually it is not connected with 5s successfully, then performs second attended operation automatically, it is logical to set up safety Road.

As shown in Fig. 2 the present invention further provided safe DNS service before escape way is set up. When application program accesses remote server, domain name can be converted into by a domain name resolution server IP address.Domain name resolution server is then by inquiring about root name server, TLD server, power The multistage server node such as prestige name server, obtains the IP of target remote server in a recursive manner Address, and the IP address is transferred to application client.And in the process, it is easy to let out Reveal the information of server ip address, so as to cause the leakage of user profile.Malice DNS generally can be with Personation answer party sends a response data packet for forgery to requesting party, including an IP for mistake Address, so that the packet that requesting party sends is redirected to the server address of mistake, causes user The severe leakage of information.Based on this, it is existing that Internet engineering task force has formulated a set of cooperation The security extension system of DNS systems, i.e. DNSSEC, to solve malice DNS deceptions, abduction etc. Unsafe acts.Wherein, the operation principle of the DNSSEC is as follows：

DNSSEC is the data addition digital signature information in DNS, takes the DNS of each node Business device can be by checking that the digital signature information judges the true of reply data after response message is obtained Reality, thus for DNS data provides source-verify and integrity check.The DNSSEC data Bag is specifically included：Public key for storing checking DNS data；For storing DNS resource records Digital signature；The information such as higher level's authorized signature.

What the DNS service module 15 of device of the present invention was performed comprises the following steps that：

S101：The DNS request packet that the mobile terminal sends is captured, by the DNS data Bag is converted to corresponding DNSSEC request data packages；

S102：The DNSSEC request data packages to dns server are sent, it is described to receive The DNSSEC response data packets that dns server is returned；

S103：The DNSSEC response data packets that the mobile terminal is received are captured, will be described DNSSEC response data packets are converted to corresponding DNS response data packets.

Wherein, the step of DNS service module 15 performs capture DNS request packet, adopts With the advance Hook Function for building, the dns resolution interface to system application layer is linked up with, to catch Obtain corresponding DNS request packet.Certainly, the capture DNS request packet can also pass through Hook Function is linked up with to the corresponding interface of protocol-driven layer, and then obtains corresponding DNS request Packet.The embodiment of the present invention provides safe DNS service by for payment process, changes what is accessed The real IP address of remote server, prevents malice DNS from kidnapping communication data or maliciously distorts IP, So as to avoid user profile from being stolen.

In a particular embodiment, the VPN was serviced before the passage is not set up, by interaction mould Block 16 provides a user interface to user interface bullet frame, to prompt the user whether to answer current Passage is set up with program.Meanwhile, the selected instruction of user is received, i.e., when user's selection sets up described logical During road, by the corresponding function of the VPN service calling systems, set up based on virtual private fidonetFido Passage；Otherwise, passage is not set up.I.e., if the control for setting up the passage gives user, with User is chosen to be foundation and decides whether to set up the passage.

In a particular embodiment, further, the payment class application program is entered with remote server During row payment data is exchanged, first please by DNS by the DNS security service of above-mentioned offer Packet is asked to be converted to corresponding DNSSEC request data packages, and please by the corresponding DNSSEC Ask packet that the DNSSEC number of responses that dns server feedback is received to dns server occurs According to bag, and the corresponding DNSSEC response data packets are converted into DNS response data packets, to obtain Take the IP address of remote server.Set up based on the IP address and the safety between remote server is led to Road, as shown in figure 3, the escape way sets up as follows the step of module 13 sets up escape way：

Step 1：VPN is serviced and is sent connection request to vpn server；

Step 2：The connection set up between VPN services and vpn server；

Step 3：VPN service and vpn server communicate determine use communication protocol, AES, key and relevant parameter information.

After setting up above-mentioned escape way so that pay class application program when being paid, can pass through The escape way carries out secure interactive with its server, it is ensured that the safety of user profile in transmitting procedure, The private data of user is prevented to be stolen.

Further, embodiment of the present invention carries out letter for 18 pairs by encrypting module based on the passage Number transmission application program communication data packet according to above-mentioned steps 3 determine AES be encrypted, And Resealed communication data packet according to the communication protocol that step 3 determines, so that after encapsulation Encryption data bag safe transmission in the passage set up.Wherein, to the communication data of the application program It is rivest, shamir, adelman that bag is encrypted the AES for using.Thus, biography is further enhanced The security of transmission of data, is that user brings safer payment to experience.

Further, believe in order to avoid illegal or malicious application is interacted by escape way Breath, the present invention sets up white list by white list module 20, to determine application before passage is set up The legitimacy of program, only sets up the escape way to the application program in the white list.By judging Module 19 judges the payment application according to the identification information of the payment class application program for obtaining With the presence or absence of in the white list, if application program is not belonging to the application journey in default white list Sequence, then do not set up the escape way, and directly the packet of the application program is passed through WLAN Its destination server is transported to, to complete the communication between application program and its destination server.Wherein, The white list is used to record the identification information of payment application, and the identification information includes UID, bag name of the application program etc. can uniqueness determine the information of application identity.

Specifically, the white list pre-sets generation by user, a user interface can be specifically provided, The selected instruction that user pays class application program to having installed is received, by selected payment class application program Identification information recording in the white list, set up institute with to the payment class application program in the white list State escape way.When the identification information of current operation application program is got, whether it is inquired about Whether it is present in default white list, to the application program to set up escape way really.To enter one Step it is user-friendly, improve Experience Degree, also provide the application program in white list is increased or The function of deletion action.Class application program is paid when user is intended to unload certain, or is re-downloaded and is mounted with New payment class application program, can be by being deleted white list or being increased operation, to update white name The information recorded in list.Thus, the white list based on the record is selectively application program and sets up peace Full tunnel, makes the foundation of escape way more rationalize.

User interface is provided simultaneously for illegal application program, to point out user to answer illegal Processed with program, and corresponding processing item button is provided, to guide user to malice or illegal journey Sequence performs respective handling.Thus, can improve carry out the application program of secure interactive to needing to set up passage Resolution, intelligent Service is provided the user, to guide user to make conjunction to illegal application program The treatment of reason, improves user experience.

Further, for of the invention rather than a certain specific embodiment, can be by strengthening to net The identification of network environment and strengthen the protection of application program for mobile terminal communication security.Such as WiFi access points Two classes can be divided into, one is the proprietary access point with certain security, such as office, family's private There is environment access point；Two is the public network access point for using in public places, such as dining room, coffee shop, And the access point of each operator's offer etc..The method of the invention can be exempted from independently or in such as 360 The application of expense WiFi etc is combined and uses, and the security of Network Access Point is detected, if public Network Access Point, then force Alipay to mobile terminal etc. pay class application or other it is important should With setting up the passage, it is also possible to need application program bullet frames prompting user to be protected based on other, by User chooses whether to set up passage to corresponding application program, thus with ensure mobile terminal install should The security communicated in the public network that existence information is revealed with program.And for security compared with The Network Access Point of private environment high, it is possible to provide related pre-sets item, independently determined by user be It is no to be defaulted as corresponding application program and set up passage carrying out the remote transmission of data.

In sum, the present invention is only protected to paying class application program, and according to the WiFi of connection Security decide whether to automatically turn on escape way, and provide to the payment class application journey of white list Sequence enters the operation of Mobile state additions and deletions, so as to realize in the case where user's request is met, it is to avoid to VPN Server causes excessive pressure, prevents it from collapsing.

Payment module 14 is used to send payment data to complete to remote server based on the escape way Delivery operation.

By the escape way set up, class application call payment module 14 and its long-range clothes are paid Business device carries out data interaction, obtains the payment information that user is input into by payment interface, will prop up accordingly Information encapsulation is paid into packet, and is encrypted according to the key arranged with remote server, to generate Packet after encryption, by the escape way and the communication protocol of agreement, by the packet send to Remote server.Remote server receives the packet that the payment class application program sends, to it Parsed, obtained corresponding payment data, and confirmation treatment is carried out to it, returned to response bag.Adopt The key arranged with the payment class application client with mobile terminal is encrypted, after generation encryption Packet, by the escape way and the communication protocol of agreement, reply data bag is fed back into institute Client is stated, so as to complete the payment process.

The above is only some embodiments of the invention, it is noted that for the art For those of ordinary skill, under the premise without departing from the principles of the invention, some improvement can also be made And retouching, these improvements and modifications also should be regarded as protection scope of the present invention.

Claims (10)

1. a kind of mobile terminal payment class application security method of payment, it is characterised in that including with Lower step：

Monitor and pay class application program into payment scene；

Whether detection mobile terminal accesses WiFi, to determine whether that setting up safety for the application program leads to Road；

Connection request is sent to vpn server by being serviced to the VPN of system registry in advance, to build The vertical escape way and vpn server between；

Send payment data to complete delivery operation to remote server based on the escape way.

2. method according to claim 1, it is characterised in that the step for setting up escape way Suddenly also include：

The VPN services are set up after being connected with vpn server and are communicated with determining that setting up passage adopts Communication protocol, AES, key and relevant parameter information.

3. method according to claim 1, it is characterised in that the escape way be based on PPTP, Any one protocol realization in L2TP, IPSec.

4. method according to claim 1, it is characterised in that it is described set up escape way before Also include providing safe DNS service, specifically include following steps：

The DNS request packet that the mobile terminal sends is captured, by DNS data bag conversion It is corresponding DNSSEC request data packages；

The DNSSEC request data packages to dns server are sent, is taken with receiving the DNS The DNSSEC response data packets that business device is returned；

The DNSSEC response data packets that the mobile terminal is received are captured, by the DNSSEC Response data packet is converted to corresponding DNS response data packets.

5. method according to claim 4, it is characterised in that capture movement using Hook Function The dns resolution interface of terminal system application layer is obtaining DNS request packet.

6. a kind of mobile terminal payment class application security payment mechanism, it is characterised in that including：

Monitor module：Class application program into payment scene is paid for monitoring；

Detection module：For detecting whether mobile terminal accesses WiFi, to determine whether the being application Program sets up escape way；

Escape way sets up module：For by being serviced to VPN clothes to the VPN of system registry in advance Business device sends connection request, with the escape way between foundation and vpn server；

Payment module：For sending payment data to complete branch to remote server based on the escape way Pay operation.

7. device according to claim 6, it is characterised in that the escape way sets up module The step of execution, includes：

The VPN services are communicated with determining to set up the communication protocols that passage is used with vpn server View, AES, key and relevant parameter information.

8. device according to claim 6, it is characterised in that the passage be based on PPTP, Any one protocol realization in L2TP, IPSec.

9. device according to claim 6, it is characterised in that set up module in escape way and hold Before row, also including DNS service module, for providing safe DNS service, following steps are performed：

The DNS request packet that the mobile terminal sends is captured, by DNS data bag conversion It is corresponding DNSSEC request data packages；

The DNSSEC request data packages to dns server are sent, is taken with receiving the DNS The DNSSEC response data packets that business device is returned；

The DNSSEC response data packets that the mobile terminal is received are captured, by the DNSSEC Response data packet is converted to corresponding DNS response data packets.

10. device according to claim 9, it is characterised in that the DNS service module profit The dns resolution interface of mobile terminal system application layer is captured to obtain DNS request number with Hook Function According to bag.