CN106897611A - Secure virtual mobile application runtime environment system, method, and applications without root privileges - Google Patents

Publication number
CN106897611A
Authority
CN
China
Prior art keywords
app
application
target
program
hook
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201710122674.2A
Other languages
Chinese (zh)
Inventor
金光
韩皓
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine

Abstract

The invention discloses a secure virtual runtime environment system for mobile applications that requires no root privileges, together with its method and applications. The user opens the virtual execution environment control program and selects the target mobile application to run; the container process loads the target application; the container process sets hooks and uses them to dynamically intercept the communication and interface calls between the target program and the operating system; the proxy service takes the intercepted communication and interface-call requests and interacts with the operating system on behalf of the target program; the security module analyzes the interaction between the target program and the mobile operating system and applies dynamic mandatory control to that interaction through the proxy service; the log module records the time and content of every system access, providing the basis for further security analysis. The invention is a secure virtual environment that runs directly on an existing Android system and supports and protects the execution of target mobile programs. Its runtime overhead is low, it requires no root privileges and no changes to the existing Android system, and it has high compatibility and applicability.

Description

Secure virtual mobile application runtime environment system and method without root privileges, and applications thereof
Technical field
The invention belongs to the field of information security for smart mobile devices. It relates to a secure virtual execution environment (Virtual Execution Environment) that supports running mobile applications (APPs) on Android without root privileges, and in particular to a secure virtual mobile application runtime environment system and method without root privileges, and applications thereof.
Background art
The secure mobile virtual execution environment of this invention virtualizes the execution of a mobile APP: the target APP believes it is running directly on the operating system, while in fact it runs in an abstract, unified, virtual runtime environment that is securely isolated from the rest of the mobile system.
With the explosive growth in recent years of mobile viruses and malicious programs targeting mobile terminals, new security approaches based on virtualization technology have attracted much attention. By virtualizing the mobile terminal platform and its system resources, it is possible to monitor the internals of a mobile APP running in the virtual environment and its various interactions with the operating system, and to isolate the target APP securely from the mobile system. The user can then run the target APP in a controllable environment in which its interaction with the system is controlled, preventing malicious behavior.
Current virtualization technology for mobile terminals is usually implemented by interpreting and translating the target program's instructions. This approach demands high performance from the mobile terminal and has a large overhead. A second class of methods modifies the Android system framework (Framework) or supplies a modified Java virtual machine in order to run the target APP and monitor it. These methods need to modify the underlying mobile operating system and run with elevated system privileges, such as root. A third class of methods monitors the running target APP by directly modifying its program code or by changing the program's entry point. Such methods require changing the target APP's digital signature and repackaging it, which violates the APP's legal authorization and may carry legal risk. In addition, more and more APP developers use remote attestation (Remote Attestation) to ensure program integrity and prevent unauthorized modification. These limitations increase the deployment cost and runtime overhead of existing methods and greatly reduce their compatibility.
Summary of the invention
Object of the invention: to overcome the deficiencies of the prior art, the invention provides a secure virtual mobile application runtime environment without root privileges: a secure virtual environment system, together with its working method and applications, that runs directly on an existing Android system and supports the execution of mobile programs. The system and method have low runtime overhead, require no root privileges, require no changes to the existing Android system or to the target program, and have high compatibility.
Technical solution: to achieve the above object, the invention adopts the following technical solution:
The system and method of the invention dynamically intercept the communication between the application and the operating system and act as a proxy between the two, so that neither the application nor the Android operating system is aware of the other's presence. The two sides are securely isolated, and the application ends up running in a controllable virtual execution environment.
A secure virtual mobile application runtime environment system without root privileges comprises the following modules:
Container (Container) process module: runs the target application;
Hook (Hook) method module: intercepts the communication and interface calls between the target application running in the container process and the operating system;
Service proxy module: implements the interface between the operating system and the application, and interacts with the operating system on behalf of the target application running in the container;
Log (Log) module: records the time and content of all communication between the target application and the operating system, for later security analysis;
Security control rule module: controls the granting of permissions to the target application, its access to system resources, and its communication with the operating system;
The container process module, hook method module and service proxy module are connected in sequence. The log module connects to the hook method module to record the target program's running log. The security control module, through the security rules it defines, is deployed in the hook method module and the service proxy module to control the target program's access to system resources.
Further, a series of hooks is placed in the container process module to intercept and replace the target application's actions and behavior at run time. The hooks include:
Binder hook: captures the system services obtained by the target application and redirects them to the Android system service proxies provided by this system;
Java method hook: intercepts the Java-language program logic inside the target application, rewrites vulnerable program logic, and intercepts part of the IPC interaction between the target mobile APP and the Android system and other processes;
ELF hook: intercepts the native (Native) program logic in Executable and Linkable Format inside the target application, and part of the IPC interaction between the target mobile APP and the Android system and other processes.
Further, the security control rule module includes:
Dynamic permission management rules: dynamically adjust the target application's permissions to achieve context-aware permission management;
Program logic rewriting rules: the hooks loaded in the secure process, combined with the program logic rewriting rules, dynamically repair internal flaws of the target application.
The method of the above secure virtual mobile application runtime environment without root privileges comprises the following steps:
1) the user opens the virtual execution environment control program and selects the target application to run;
2) the container process loads the target application;
3) the container process sets hooks and uses them to dynamically intercept the communication and interface calls between the target program and the operating system;
4) the proxy service takes the intercepted communication and interface-call requests and interacts with the system on behalf of the target program;
5) the security module analyzes the interaction between the target program and the mobile operating system and applies dynamic permission control to these interactions through the proxy service;
6) the log module records the time and content of every system access for further security analysis.
Further, the system can rewrite the target application, set up a virtual runtime environment for it, and run it safely inside that environment. The specific method of safely running the target application in steps 2)-4) is:
1) after the container process starts, a Binder hook is set in it, directing the container process's communication with system services to the system service proxies created by this system;
2) through the interface provided by this system, the user selects the target application to start;
3) this system uses the Package Manager to construct the ApplicationInfo and ActivityInfo needed to run the target application;
4) this system sends the constructed ApplicationInfo to the container process, which binds the target application; this step starts the target application's application class;
5) while binding the target application, the container process sets the Java method hooks and ELF hooks and loads the program logic rewriting rules;
6) this system notifies the Activity Manager to start a proxy Activity;
7) this system intercepts the start of the proxy Activity and notifies the container process to start the target application's target Activity;
8) the target application in the secure process runs the target Activity using the resources created by the system Activity Manager.
Further, this system can observe and control the target application's internal logic and its communication with the outside.
Application of the above secure virtual mobile application runtime environment without root privileges in a sandbox environment.
Application of the above secure virtual mobile application runtime environment without root privileges in an encrypted APP runtime environment.
Application of the above secure virtual mobile application runtime environment without root privileges in context-aware permission control.
Beneficial effects: compared with the prior art, the secure virtual mobile application runtime environment without root privileges of the invention, with its method and applications, has the following advantages. The invention is a secure virtual environment, with its working method, that runs directly on an existing Android system and supports the execution of mobile programs. It differs from existing mobile virtualization technology in that it is a stand-alone application that does not need to run with root privileges and does not need changes to the existing Android system, and it gives the user a controllable, secure runtime environment.
The specific beneficial effects of the invention are:
1. Safer program execution: the system and technique run the target program in isolation from the mobile system and other programs. The user can independently and dynamically configure an application's access permissions, preventing a malicious application from stealing the user's private data without the user's knowledge. The virtual environment protects each application running in it and prevents other malicious programs from stealing the target program's data. The system and technique can bind an application to a specific mobile device or environment, preventing the target application from running on an unauthorized terminal or in an unsafe mobile environment.
2. Lower runtime overhead: because the system and technique do not translate and interpret each instruction of the target mobile application, the runtime overhead of the virtual environment is greatly reduced.
3. Higher compatibility: because it does not need to run with root privileges, the system and technique are compatible with the existing Android environment and support the existing Android development environment. Mobile application developers do not need to do secondary development for the secure virtual environment, which lowers their development cost. Existing mobile applications run directly in the virtual execution environment, and their security improves at the same time.
4. Easier deployment on mobile terminals: because the system and technique need no changes to the operating system, deploying the invention on terminals is convenient, which greatly reduces the cost of deployment on mobile terminals.
Brief description of the drawings
Fig. 1 is the architecture diagram of this system;
Fig. 2 is the flow chart of running a target mobile APP in this system;
Fig. 3 is the structure diagram of the sandbox environment implemented in this system;
Fig. 4 is a schematic diagram of installing and running an encrypted mobile APP in this system;
Fig. 5 is a schematic diagram of context-aware permission control implemented in this system;
Fig. 6 is the Android architecture diagram;
Fig. 7 shows a utility APP running in this system with advertisements intercepted;
Fig. 8 shows a game APP running in this system with virtual geographic coordinates supplied;
Fig. 9 shows an instant messaging APP running both inside and outside this system at the same time, with the two instances communicating with each other;
Fig. 10 shows an APP that obtains private information, running inside and outside this system.
Detailed description of the embodiments
The invention is further described below with reference to the drawings and embodiments.
I. System scenario
The technical problem solved by the invention is to provide a system, method and applications for safely running mobile APPs. The system and method offer high compatibility: without root privileges and without modifying the underlying Android system, they provide a virtual environment in which mobile APPs run, and they effectively improve the security of those APPs.
Fig. 1 is the architecture diagram of this system. The system consists of the following components:
1. Container process: this system has the Android system create a secure process that serves as a container (container) in which the target mobile APP runs. Because the container process is created by this system, this system has full control over it. This system then places a series of hooks (hook) to intercept (intercept) and replace the target mobile APP's actions and behavior at run time, achieving the goals of security and virtualization.
2. Binder hook: Android provides the Binder mechanism as its main inter-process communication (IPC) mechanism. A mobile APP on Android obtains Android system services through Binder. This system sets a Binder hook in the secure process to capture the system services obtained by the target mobile APP and redirect them to the Android system service proxies provided by this system.
3. Java method hook: on Android, mobile APPs are written in and compiled from the Java language. This system sets Java method hooks in the secure process to intercept the program logic inside the target mobile APP, rewrite vulnerable program logic, and intercept part of the IPC interaction between the target mobile APP and the Android system and other processes.
4. ELF hook: some mobile APPs on Android use Executable and Linkable Format (ELF) to execute native (Native) code. This system sets ELF hooks in the secure process to intercept the program logic inside the target mobile APP and the IPC interaction between the target mobile APP and the Android system and other processes.
5. System service proxies: Android provides a set of services (for example, Service Manager and Activity Manager) that interact with mobile APPs through Binder to meet their needs. The system and method provide a set of system service proxies; the interaction between the target mobile APP and Android system services is captured and handed to these proxies for processing, which satisfies the requirements of security and virtualization.
6. Dynamic permission management rules: Android provides a set of static rules to control a mobile APP's permissions. Building on the virtualized APP runtime environment that this system implements, the system and method use dynamic permission management rules to adjust the target APP's permissions dynamically and so achieve context-aware (context aware) permission management.
7. Program logic rewriting rules: some mobile APPs have security weaknesses caused by internal logic flaws. Using the hooks loaded in the secure process together with the program logic rewriting rules, the system and method dynamically repair internal flaws of the target mobile APP.
8. Program log: through the hooks loaded in the secure process, the system and method capture and record the interaction between the target mobile APP and the Android system, as well as the internal state of the target mobile APP. The program log of the target mobile APP can then be used for further security analysis.
From the point of view of the Android environment, the system and method are an independent mobile APP that needs neither root privileges nor changes to the underlying Android system, and therefore has high compatibility. Based on the components described above, the system and method implement and provide a secure virtual runtime environment for mobile APPs.
II. Startup process of the target mobile APP
The system and method provide and implement a virtual environment for safely running mobile APPs. On Android, a mobile APP's user interface is implemented by Activities; Fig. 2 is a flow chart of starting and running a target mobile APP's Activity in this virtual environment. The other components of a mobile APP start under this system in a way similar to that shown in Fig. 2. The specific startup flow is as follows:
1) from the point of view of the Android environment, this system is an independent APP, so this system must be started first;
2) the system service proxies are created and left running in the background;
3) the container process is created;
4) after the container process starts, a Binder hook is set in it, directing the container process's communication with system services to the system service proxies created by this system;
5) through the interface provided by this system, the user selects the target mobile APP to start;
6) this system uses the Package Manager to construct the target mobile APP's ApplicationInfo and ActivityInfo;
7) this system sends the constructed ApplicationInfo to the container process, which binds (bind) the target APP; this step starts the target mobile APP's application class;
8) while binding the target mobile APP, the container process sets the Java method hooks and ELF hooks and loads the program logic rewriting rules;
9) this system notifies the Activity Manager to start a proxy Activity;
10) this system intercepts the start of the proxy Activity and notifies the container process to start the target mobile APP's target Activity;
11) the target mobile APP in the secure process runs the target Activity using the resources created by the system Activity Manager.
From this point on, the target mobile APP runs in the container process controlled by this system and interacts with the user. Because the container process is under this system's control, the hooks set by the system and method let this system observe and control the target mobile APP's internal logic and the target APP's communication with the outside. For the target mobile APP, therefore, this system has created a virtual runtime environment. From the mobile system's point of view, this system has started and is running a proxy Activity; the mobile system does not know that a target APP is running in this virtual environment, so the mobile system and the target APP are securely isolated from each other.
III. Embodiments
1. Sandbox (Sandbox) environment
A malicious mobile APP obtains information illegitimately by attacking the mobile system. For an unknown APP, a sandbox provides a runtime environment isolated from the native mobile system. If the unknown APP is malicious, it can only attack the sandbox and cannot attack the real mobile system. Fig. 3 shows the structure of the sandbox environment implemented in this system and invention. The sandbox environment provided by the system and method runs a mobile APP whose true intent is unknown inside the secure process. This mobile APP may contain malicious code. Through the hooks it sets, the system and method intercept all communication between the unknown APP and the outside. This system can inform the user of the intercepted communication and prompt the user as to whether this external communication of the unknown APP is malicious. If the unknown APP is malicious, it can only attack this system and cannot attack the underlying native mobile system. Through this system's prompts, the user learns about the malicious APP and can uninstall it to eliminate the effect of the attack.
2. Encrypted APP runtime environment
Some mobile APPs need to run in a mobile environment with a higher security level. If a mobile environment itself has security weaknesses (for example, a rooted smartphone), that environment can be hijacked and used to attack the mobile APPs running on it. For example, a mobile APP installed on it can be leaked to an attacker for reverse engineering (Reverse Engineering) analysis. An encrypted APP runtime environment effectively addresses such attacks and provides additional security. Through encrypted authentication, an administrator can control which mobile devices a given mobile APP may run on. Even if a mobile environment has security weaknesses, that environment cannot attack a mobile APP running in the encrypted environment.
This system needs two modules to support the installation and running of encrypted APPs. 1) The Package Manager proxy mainly handles the installation and decryption of the APP and supplies the APP's meta-information (Meta Information), for example ApplicationInfo and ActivityInfo. 2) The mobile APP launcher module provides a graphical interface for interacting with the user and helps the user select the target mobile APP. This system also needs a security authentication and key management module, which can reuse the Keystore service provided by the system. Fig. 4 is a schematic diagram of installing and running an encrypted APP under this system. An encrypted APP must be encrypted by a system administrator or the APP developer, who also provides a digital signature and certificate. After an encrypted APP has been downloaded and is being installed into this system, the Package Manager proxy queries the security authentication/key management module to verify the digital signature and certificate. If digital authentication fails, the APP cannot continue to install. The mobile APP launcher module works as shown in Fig. 2. After the user selects the target APP, the Package Manager proxy queries the security authentication/key management module for the key and decrypts the target APP. As described earlier, the Package Manager proxy constructs meta-information such as ApplicationInfo and ActivityInfo; this meta-information contains the code information of the decrypted APP and is sent by the mobile APP launcher module to the secure process to start the target APP. In this way, an encrypted mobile APP can be installed and run under this system.
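The install and launch checks described above, modeled in plain Java as an added example; it is not code from the patent. All class and method names, the device identifiers and the in-memory key store are hypothetical stand-ins (the patent says the key management module can reuse the platform Keystore service), and the package content is constructed sample data.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class EncryptedAppDemo {

    /** Constructed model of an encrypted package as delivered for installation. */
    static class EncryptedPackage {
        final byte[] iv, ciphertext, signature;
        EncryptedPackage(byte[] iv, byte[] ciphertext, byte[] signature) {
            this.iv = iv; this.ciphertext = ciphertext; this.signature = signature;
        }
    }

    /** Hypothetical model of the security authentication / key management module. */
    static class KeyManagement {
        private final PublicKey publisherKey;
        private final SecretKey appKey;
        private final Set<String> enrolledDevices = new HashSet<>();

        KeyManagement(PublicKey publisherKey, SecretKey appKey) {
            this.publisherKey = publisherKey; this.appKey = appKey;
        }
        void enroll(String deviceId) { enrolledDevices.add(deviceId); }

        /** Install-time check: the signature must cover IV and ciphertext. */
        boolean verify(EncryptedPackage p) throws GeneralSecurityException {
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initVerify(publisherKey);
            s.update(p.iv);
            s.update(p.ciphertext);
            return s.verify(p.signature);
        }

        /** Launch-time check: the key is released only for an enrolled device. */
        SecretKey keyFor(String deviceId) {
            if (!enrolledDevices.contains(deviceId)) {
                throw new SecurityException("device not enrolled: " + deviceId);
            }
            return appKey;
        }
    }

    /** Hypothetical model of the Package Manager proxy. */
    static class PackageManagerProxy {
        private final KeyManagement keys;
        private EncryptedPackage installed;
        PackageManagerProxy(KeyManagement keys) { this.keys = keys; }

        boolean install(EncryptedPackage p) throws GeneralSecurityException {
            if (!keys.verify(p)) return false; // authentication failed: installation stops
            installed = p;                      // the package stays encrypted at rest
            return true;
        }

        /** Decrypts only at launch; GCM also rejects a modified ciphertext. */
        byte[] launch(String deviceId) throws GeneralSecurityException {
            if (installed == null) throw new IllegalStateException("no package installed");
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, keys.keyFor(deviceId), new GCMParameterSpec(128, installed.iv));
            return c.doFinal(installed.ciphertext);
        }
    }

    /** Administrator/developer side: encrypt the code, then sign IV and ciphertext. */
    static EncryptedPackage publish(byte[] code, SecretKey appKey, KeyPair publisher)
            throws GeneralSecurityException {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, appKey, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(code);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(publisher.getPrivate());
        s.update(iv);
        s.update(ct);
        return new EncryptedPackage(iv, ct, s.sign());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair publisher = kpg.generateKeyPair();
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey appKey = kg.generateKey();

        KeyManagement keys = new KeyManagement(publisher.getPublic(), appKey);
        keys.enroll("device-A");
        PackageManagerProxy pm = new PackageManagerProxy(keys);

        byte[] code = "constructed stand-in for APP code".getBytes(StandardCharsets.UTF_8);
        EncryptedPackage pkg = publish(code, appKey, publisher);
        EncryptedPackage tampered = new EncryptedPackage(pkg.iv, pkg.ciphertext.clone(), pkg.signature);
        tampered.ciphertext[0] ^= 1; // one flipped bit invalidates the signature

        System.out.println("install tampered: " + pm.install(tampered));
        System.out.println("install genuine : " + pm.install(pkg));
        System.out.println("launch device-A : " + new String(pm.launch("device-A"), StandardCharsets.UTF_8));
        try {
            pm.launch("device-B");
        } catch (SecurityException e) {
            System.out.println("launch device-B : refused (" + e.getMessage() + ")");
        }
    }
}
```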
3. Context-aware (context-aware) permission control (permission control)
Android's permission control for mobile APPs is static. On Android, the developer of an APP declares the permissions the APP needs in order to use system resources. After the APP is installed, the Android user can decide to grant or revoke a given permission of the APP. Context-aware permission control further improves the security of the APP's runtime environment, for the following reasons: 1) context-aware permission control is dynamic: it adjusts an APP's permissions dynamically according to the perceived context; 2) context-aware permission control can be managed automatically: preset security rules adjust the APP's permissions dynamically and automatically; 3) many malicious APPs use the permissions granted by the user to attack the user's mobile system or steal the user's private information, and context-aware permission control effectively prevents attacks by such malware.
Fig. 5 is a schematic diagram of context-aware permission control implemented in this system and invention. This system and invention isolate the target mobile APP from the native mobile system by running it in the secure process. Through a series of hooks, this system captures the target mobile APP's accesses to system resources. As shown in Fig. 5, this system implements system service proxies to perceive the context of the target mobile APP and apply dynamic permission control to it. The target mobile APP's requests to access system resources are captured by the system service proxies implemented by this system. The system service proxy consults the dynamic permission management rules and makes a decision in light of the current context. If the target APP's access to the system resource is approved, the system service proxy accesses the system service in the real mobile environment, obtains the system resource or information, and returns it to the target process. If the target APP's access is denied, the system service proxy can refuse the request directly, return a null value, or return a dummy value (dummy value) set by the permission management rules.
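The decision path described above, together with the logging of each access, modeled in plain Java as an added example; it is not code from the patent. `DeviceInfoService`, the `Context` fields, the rules and every value are hypothetical stand-ins, and `java.lang.reflect.Proxy` takes the place of the Binder hook so that the example runs off-device.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class ServiceProxyDemo {

    /** Hypothetical stand-in for a system service interface (not an Android API). */
    interface DeviceInfoService {
        String getDeviceId();
        double[] getLastLocation();
    }

    /** Constructed "real" service; the values are sample data. */
    static class RealDeviceInfoService implements DeviceInfoService {
        public String getDeviceId() { return "REAL-ID-0001"; }
        public double[] getLastLocation() { return new double[] {32.06, 118.79}; }
    }

    enum Action { ALLOW, DENY, DUMMY }

    /** Runtime context the rules look at; both fields are assumptions. */
    static class Context {
        final boolean appInForeground;
        final boolean userPresent;
        Context(boolean appInForeground, boolean userPresent) {
            this.appInForeground = appInForeground;
            this.userPresent = userPresent;
        }
    }

    /** One dynamic permission rule: context in, decision out. */
    interface Rule { Action decide(Context ctx); }

    /** The service proxy: every call from the target APP passes through invoke(). */
    static class PolicyHandler implements InvocationHandler {
        private final Object realService;
        private final Map<String, Rule> rules = new HashMap<>();
        private final Map<String, Object> dummyValues = new HashMap<>();
        final List<String> accessLog = new ArrayList<>();
        volatile Context context = new Context(false, false);

        PolicyHandler(Object realService) { this.realService = realService; }

        void addRule(String method, Rule rule, Object dummyValue) {
            rules.put(method, rule);
            dummyValues.put(method, dummyValue);
        }

        @Override
        public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
            if (m.getDeclaringClass() == Object.class) {
                return m.invoke(realService, args); // toString/hashCode/equals carry no policy
            }
            Rule rule = rules.get(m.getName());
            // Default deny: a call without a rule never reaches the real service.
            Action action = (rule == null) ? Action.DENY : rule.decide(context);
            // Log module: time and content of every access, whatever the decision.
            accessLog.add(Instant.now() + " " + m.getName() + " -> " + action);
            switch (action) {
                case ALLOW: return m.invoke(realService, args);
                case DUMMY: return dummyValues.get(m.getName());
                default:    return null; // null is only valid for non-primitive return types
            }
        }
    }

    public static void main(String[] args) {
        PolicyHandler handler = new PolicyHandler(new RealDeviceInfoService());
        // Device identifier: always replaced by a dummy value set by the rule.
        handler.addRule("getDeviceId", ctx -> Action.DUMMY, "DUMMY-ID-0000");
        // Location: the real value only while the APP is in the foreground with the user present.
        handler.addRule("getLastLocation",
                ctx -> (ctx.appInForeground && ctx.userPresent) ? Action.ALLOW : Action.DENY, null);

        // The target APP receives this object instead of a reference to the real service.
        DeviceInfoService svc = (DeviceInfoService) Proxy.newProxyInstance(
                DeviceInfoService.class.getClassLoader(),
                new Class<?>[] {DeviceInfoService.class}, handler);

        System.out.println("id       = " + svc.getDeviceId());
        System.out.println("location = " + Arrays.toString(svc.getLastLocation()));
        handler.context = new Context(true, true); // the context changes at run time
        System.out.println("location = " + Arrays.toString(svc.getLastLocation()));
        handler.accessLog.forEach(System.out::println);
    }
}
```

The same location call is denied and then allowed without reinstalling or re-granting anything, which is the difference from Android's static grant model that the section describes.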
IV. System working principle / technical background
The system and method are based on a thorough understanding of the Android system and related development experience. Fig. 6 shows the Android architecture. Android mobile APPs are developed in the Java programming language, so they need the support of the Android runtime environment (runtime), which converts Java code into executable code. The early Android runtime was Dalvik, later replaced by ART. Some mobile APPs also need to call native libraries (such as OpenGL). These APPs use JNI together with a native language (such as C) to implement calls to native libraries. Android is built on the Linux kernel and inherits Linux's per-user access control (access control). In Android and Linux, the root user holds the highest access privileges in the system. Some malicious APPs attack the system by illegally obtaining root privileges, so more and more Android systems prevent ordinary users and third-party software developers from obtaining root privileges. Android implements several inter-process communication (IPC) modules in the Linux kernel, including the Binder module. Android provides a set of system services to mobile APPs, and these services interact with the mobile APPs mainly through Binder. Important Android system services include: 1) the Service Manager, which centrally manages the registration of other system services and supports mobile APPs' queries for system services; 2) the Package Manager, which manages the installation of mobile APPs, the parsing of APP meta-information, and queries of that meta-information; 3) the Activity Manager, which manages mobile APP processes and allocates and manages APPs' visual resources.
5th, experimental result
By test, the virtual execution environment without root authority proposed by the present invention can correctly run domestic and international Android The application program of 50 before ranking in market, including wechat, QQ, Baidu map, footpath between fields footpath between fields, Youtube, Pokemon Go, Facebook, Snapchat etc., have no effect on these application programs and are run while in Android system (outside virtual environment).
Fig. 7 shows screenshots of an existing tool APP from the Android market running directly (Fig. 7.a) and running inside the system (Fig. 7.b). It should be emphasized that the system (named Safe Box) can intercept and dynamically authorize the interaction between the target APP and the operating system in order to improve the operational safety of the target APP. At the bottom of the left image in Fig. 7.a, the target APP loads and displays an advertisement banner. In the example of Fig. 7.b, the system successfully prevents the target APP from loading the advertisement banner. Fig. 8 shows screenshots of Pokemon Go, an augmented reality (Augmented Reality) game from the Android market, running inside the system. As shown in Fig. 8.a, the system lets the user select any virtual geographic coordinate. Fig. 8.b and Fig. 8.c show that Pokemon Go, running inside the system, operates correctly at the geographic coordinate selected by the user. Fig. 8.d is a thumbnail proving that the game is running inside the system.

Fig. 9 shows WeChat running inside the system. WeChat originally supports running only one instance on a mobile device. Because of the virtualized running environment that the system implements, the APP can run two instances at the same time: one running directly on the mobile device, the other running inside the virtualized environment implemented by the system. As shown in Fig. 9, the instance running inside the system runs correctly and can communicate with the outside instance. Fig. 10 shows screenshots of a mobile APP that collects private information, running inside and outside the system. As Fig. 10.a shows, this mobile APP can obtain the IMEI of the user's private device and the user's geographic location, and it displays an advertisement banner. As Fig. 10.b shows, when this APP runs in the virtualized environment provided by the system it can only obtain a virtual pseudo IMEI number and virtual geographic information. As mentioned above, the system also blocks the advertisement banner that this APP displays. It should also be emphasized that in the example of Fig. 10 the system runs on a mobile device different from the one used in the previous examples. This shows the excellent compatibility of the system.
The above is only the preferred embodiment of the present invention. It should be pointed out that a person of ordinary skill in the art can make improvements and modifications without departing from the principles of the invention, and that these improvements and modifications should also be regarded as falling within the protection scope of the invention.

Claims (9)

1. A secure virtual mobile application running environment system without root authority, characterized in that it includes the following modules:
Container (Container) process module: for running the target application;
Hook (Hook) method module: for intercepting the communication and interface calls between the target application running in the container process and the operating system;
Service proxy module: for implementing the interface between the operating system and the application, and for interacting with the operating system on behalf of the target application running in the container;
Log (Log) module: for recording the time and content of all communication between the target application and the operating system, for later security analysis;
Security control rule module: for controlling the granting of the target application's permissions, its access to system resources, and its communication with the operating system;
The container process module, hook method module and service proxy module are connected in sequence; the log module is connected to the hook module to record the running log of the target program, and the security control module deploys the defined security rules into the hook module and the service proxy module to control the target program's access to system resources.
2. The secure virtual mobile application running environment system without root authority according to claim 1, characterized in that: a series of hooks are placed in the container process module to intercept and replace the actions and behaviour of the target application while it runs, the hooks including:
Binder hook: captures the system services obtained by the target application and redirects them to the Android system service proxy provided by the system;
Java method hook: intercepts the Java-language program logic inside the target application, rewrites vulnerable (vulnerable) program logic, and intercepts part of the IPC interaction that the target mobile APP carries out with the Android system and with other processes;
ELF hook: intercepts the native (Native) program logic in Executable and Linkable Format inside the target application, and part of the IPC interaction that the target mobile APP carries out with the Android system and with other processes.
3. The secure virtual mobile application running environment system without root authority according to claim 1, characterized in that the security control rule module includes:
Dynamic permission management rules: dynamically adjust the permissions of the target application to realize context-aware permission management;
Program logic rewrite rules: through the hooks loaded in the secure process, combined with the program logic rewrite rules, dynamically repair the internal defects of complex target applications.
4. A method of the secure virtual mobile application running environment system without root authority according to any one of claims 1 to 3, characterized in that it comprises the following steps:
1) the user opens the virtual execution environment control program and selects the target application to run;
2) the container process loads the target application;
3) the container process sets the hooks, and the hook method dynamically intercepts the communication and interface calls between the target program and the operating system;
4) using the intercepted communication and interface call requests, the proxy service interacts with the system on behalf of the target program;
5) the security module analyzes the interaction between the target program and the mobile operating system, and applies dynamic permission control to these interactions through the proxy service;
6) the log module records the time and content of all system accesses, for further security analysis.
5. The method of the secure virtual mobile application running environment system without root authority according to claim 4, characterized in that: the system can rewrite the target application, set up a virtual running environment for it, and run the target application securely in that environment; the specific method of securely running the target application in steps 2)-4) is:
1) after the container process starts, a Binder hook is set in it, which directs the communication between the container process and the system services to the system service proxy created by the system;
2) through the interface provided by the system, the user selects the target application to start;
3) the system uses Package Manager to construct the ApplicationInfo and ActivityInfo needed to run the target application;
4) the system sends the constructed ApplicationInfo to the container process so that it binds the target application; this process starts the Application class of the target application;
5) while binding the target application, the container process sets the Java method hook and the ELF hook and loads the program logic rewrite rules;
6) the system notifies Activity Manager to start a proxy Activity;
7) the system intercepts the start of the proxy Activity and notifies the container process to start the target Activity of the target application;
8) the target application in the secure process runs the target Activity using the resources created by the system Activity Manager.
6. The method of the secure virtual mobile application running environment system without root authority according to claim 3, characterized in that: the system can observe and control the internal logic of the target application and the communication between the target application and the outside.
7. Application, in a sandbox environment, of the secure virtual mobile application running environment system without root authority according to any one of claims 1 to 3.
8. Application, in an encrypted APP running environment, of the secure virtual mobile application running environment system without root authority according to any one of claims 1 to 3.
9. Application, in context-aware permission control, of the secure virtual mobile application running environment system without root authority according to any one of claims 1 to 3.
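The call path set out in claims 1 and 4 (hooked service lookup, service proxy, security rules, log), modelled in plain Python as an added example; it is not code from the patent or from Safe Box. The service names, method names, rule actions, the default-deny choice and every sample value are constructed assumptions, and nothing here is Android API.

```python
import time
from dataclasses import dataclass

ALLOW, DENY, FAKE = "allow", "deny", "fake"   # hypothetical rule actions

@dataclass(frozen=True)
class Rule:
    action: str
    fake_value: object = None                 # returned instead of the real result

class Blocked(PermissionError):
    """Raised when the security rules refuse an intercepted call."""

class RealServices:
    """Constructed stand-in for the operating system's services."""
    _table = {("telephony", "getDeviceId"): "REAL-IMEI-PLACEHOLDER",
              ("location", "getLastLocation"): (31.2304, 121.4737),
              ("ads", "loadBanner"): "banner-bytes",
              ("clipboard", "getText"): "copied text"}
    def call(self, service, method, *args):
        return self._table[(service, method)]

class SecurityRules:
    """Security control rules; can be changed while the target is running."""
    def __init__(self, default=Rule(DENY)):   # default-deny is an assumption
        self._rules, self._default = {}, default
    def set(self, service, method, rule):
        self._rules[(service, method)] = rule
    def lookup(self, service, method):
        return self._rules.get((service, method), self._default)

class ServiceProxy:
    """Service proxy: the only path from the container to the real services."""
    def __init__(self, real, rules, log, clock=time.time):
        self.real, self.rules, self.log, self.clock = real, rules, log, clock
    def call(self, app, service, method, *args):
        rule = self.rules.lookup(service, method)
        # Log module: time and content of every interaction, refused ones too.
        self.log.append({"t": self.clock(), "app": app, "args": args,
                         "call": f"{service}.{method}", "decision": rule.action})
        if rule.action == DENY:
            raise Blocked(f"{app}: {service}.{method} refused")
        if rule.action == FAKE:
            return rule.fake_value
        return self.real.call(service, method, *args)

class HookedHandle:
    """What the hooked lookup returns: every method call goes to the proxy."""
    def __init__(self, app, service, proxy):
        self._app, self._service, self._proxy = app, service, proxy
    def __getattr__(self, method):
        return lambda *a: self._proxy.call(self._app, self._service, method, *a)

class Container:
    """Container process: service lookups are hooked, never handed out raw."""
    def __init__(self, app, proxy):
        self.app, self.proxy = app, proxy
    def get_service(self, name):
        return HookedHandle(self.app, name, self.proxy)

def run_demo():
    log, rules = [], SecurityRules()
    rules.set("telephony", "getDeviceId", Rule(FAKE, "000000000000000"))
    rules.set("location", "getLastLocation", Rule(FAKE, (0.0, 0.0)))
    rules.set("clipboard", "getText", Rule(ALLOW))
    box = Container("com.example.target", ServiceProxy(RealServices(), rules, log))
    out = {"imei": box.get_service("telephony").getDeviceId(),
           "location": box.get_service("location").getLastLocation(),
           "clipboard": box.get_service("clipboard").getText()}
    try:                                      # no rule for ads, so default applies
        box.get_service("ads").loadBanner()
        out["ad"] = "shown"
    except Blocked:
        out["ad"] = "blocked"
    # Dynamic permission management: the rule changes while the app keeps running.
    rules.set("location", "getLastLocation", Rule(ALLOW))
    out["location_after"] = box.get_service("location").getLastLocation()
    return out, log

if __name__ == "__main__":
    print(*run_demo(), sep="\n")
```

Because the entry is written before the decision is enforced, refused calls appear in the log alongside allowed and substituted ones, which is what makes the record usable for the later security analysis the claims mention.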
CN201710122674.2A 2017-03-03 2017-03-03 Secure virtual mobile applications running environment system and method and application without root authority Pending CN106897611A (en)




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170627
