CN108494734A - A secure mobile office method based on SDK - Google Patents
- Publication number: CN108494734A (CN201810148496.5A)
- Authority: CN (China)
- Prior art keywords: app, byoa, sdk, key, enterprise
- Legal status: Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/06—Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H04L9/0631—Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0822—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
Abstract
The invention discloses a secure mobile office method based on an SDK. By embedding an SDK in an App, the invention allows users to freely use third-party Apps to edit enterprise documents securely. The S-BYOA overall architecture and operational flow are described first, followed by its three major functions: the S-BYOA file transfer flow, S-BYOA detection of malicious remote backup of enterprise documents, and S-BYOA prevention of malicious local saving of enterprise documents. The invention provides security protection for the most common case, enterprise document editing, and proposes an SDK-based enterprise document editing scheme. Without changing the enterprise's existing file system, it lets a third-party App obtain enterprise documents securely, prevents enterprise documents from being leaked during editing, and prevents Apps from maliciously saving files, achieving the goal of secure mobile office.
Description
Technical field
The invention belongs to the technical field of BYOA (Bring Your Own Apps) mobile office, and specifically concerns a secure mobile office method based on an SDK: an SDK-based method that lets an arbitrary App edit enterprise documents securely.
Technical background
In 2014, Earley first proposed the concept of Bring Your Own Apps (BYOA): enterprise employees can use any application they personally prefer to browse and edit enterprise documents. While ensuring that enterprise data is not leaked, the user's personal privacy is protected, and secure mobile office is achieved. Existing BYOA implementations mainly take the following two forms:
(1) Establishing a BYOA App store that analyses and manages App security in a unified way. This approach can prevent attacks by malicious Apps, but its analysis is static code analysis; on dynamic runtime systems (such as iOS), a malicious App can call malicious code through scripts at run time and so bypass the static analysis.
(2) Improving the App sandbox structure by dividing it into three parts: navigation, storage and settings. A malicious App cannot find the local files of a specified App, which effectively protects local enterprise data. However, this approach does not encrypt the data in the sandbox, so when the device is lost or stolen an attacker can obtain the data on the device by means of data backup. In addition, experimental results show that modifying the sandbox structure increases the App crash rate.
Summary of the invention
In view of the deficiencies of the prior art, the object of the invention is to provide a secure mobile office method based on an SDK. BYOA mobile office covers enterprise document editing, employee communication, file sharing, employee benefits and so on. By embedding an SDK in an App, the invention allows users to freely use third-party Apps to edit enterprise documents securely.
To achieve the above object, the invention is realized through the following technical solution:
The premise of the invention is to build the S-BYOA architecture, which includes:
(1) E-Server: the enterprise's own server, which manages and stores files and is responsible for employee authentication and for generating, managing and distributing user keys.
(2) S-BYOA-App: the mobile secure office App installed on the user terminal, responsible for securely storing partial keys, secure browsing of enterprise documents, and malicious save detection.
(3) S-BYOA-SDK: the secure mobile office SDK embedded in a third-party App, referred to below as SDK for convenience. Together with S-BYOA-App it implements enterprise document monitoring and secure transfer, and malicious save detection and deletion.
(4) Third-Party-App: a third-party App that integrates the SDK and can edit enterprise documents.
(5) Third-party App server: the server that provides the third-party App's original business. It is unrelated to enterprise documents and is referred to below as the App server.
(6) S-BYOA-Server: the secure mobile office server. Together with S-BYOA-SDK it detects malicious remote backup of files by third-party Apps and notifies the enterprise so that it can respond promptly.
The operational flow is as follows: the user selects the enterprise document to be edited in S-BYOA-App and chooses to edit it with a third-party App. The third-party App obtains the enterprise document from the enterprise server through S-BYOA-SDK, decrypts the file and verifies its integrity, and opens the file for editing. The S-BYOA server checks in real time whether the third-party App maliciously leaks enterprise document content while editing the enterprise document; if so, it intercepts the traffic and notifies the enterprise, and if not, it forwards the normal network data. After the enterprise document has been edited, S-BYOA-App uses S-BYOA-SDK to check whether the third-party App's sandbox has maliciously saved the enterprise document. When the App is editing an enterprise document, it is responsible for directing the App's network requests to the BS.
A secure mobile office method based on SDK, comprising the following steps:
Step 1. File transfer in S-BYOA: the transferred file is encrypted using AES, and file integrity is verified using a hash algorithm. The specific implementation is as follows:
1-1. The employee logs in to the enterprise authentication system through S-BYOA-App; S-BYOA requests the PHE user key generation parameters from E-Server and generates the employee's corresponding pk and sk. When the employee initiates a request to edit file F, S-BYOA-App sends the F_id of file F and the employee's UserId to E-Server;
1-2. E-Server generates the download link url for file F; to prevent malicious repeated requests for the enterprise document, this link can be requested only once. It then randomly generates an AES encryption key $key$ and encrypts it with the server's PHE encryption key pk to obtain $key_s$ (formula 1). Next, a hash is computed over $key$, $key_s$ and url to obtain $H_{control}$ (formula 2). Finally, E-Server sends $key_s$, url and $H_{control}$ to S-BYOA-App;
$key_s = PHE_{pk}(key)$ (1)
$H_{control} = H(url, key, key_s)$ (2)
1-3. After S-BYOA-App receives the data returned by E-Server, it decrypts with the employee's sk to obtain $key$ (formula 3), then computes the hash over $key$, $key_s$ and url again to verify whether the data was tampered with in transit;
$key = PHE_{sk}(key_s)$ (3)
1-4. S-BYOA-App uses { Third-Party-App://key+url } to launch the target Third-Party-App and passes key and url to the SDK;
1-5. The SDK sends E-Server a request to download file F according to url, attaching the Token obtained when the SDK started. After receiving the request, E-Server first verifies that the SDK started normally, then encrypts file F with the key generated in step 1-2 (formula 4), computes a hash of file F to obtain $H_F$ (formula 5), and finally sends $F_S$ and $H_F$ to the SDK;
$F_S = AES_{key}(F)$ (4)
$H_F = H(F)$ (5)
1-6. After receiving $F_S$, the SDK decrypts it with the key obtained in step 1-3 to recover file F, and hashes the decrypted file F again to determine whether the file was tampered with in transit. If tampering is found, the SDK jumps to S-BYOA-App through the URL Scheme mechanism, informs the user that the file is damaged, and requests the file again;
1-7. After editing is complete, the upload process is similar to the download: the SDK randomly generates a key to encrypt the file and sends the encrypted file to E-Server. After the transfer completes, the SDK deletes the enterprise document in Third-Party-App and sends key to S-BYOA-App through the URL Scheme mechanism { S-BYOA-App://key }. S-BYOA-App encrypts key with the server's public key $E_{pk}$ and then sends the encrypted key to E-Server;
Step 2. S-BYOA detects malicious remote backup of enterprise documents
Using the SDK together with the runtime features of the mobile system, the App's network traffic while editing an enterprise document is directed to the S-BYOA server, which checks whether there is a leak. If there is a leak, the enterprise is notified; otherwise, the data is forwarded;
2-1. Through NSURLProtocol, the SDK changes the host address of all the App's network requests to the address of S-BYOA-Server and attaches the employee userId and the enterprise id, which implements network traffic monitoring;
2-2. S-BYOA-Server judges whether there is a malicious remote backup according to whether the network request packets that Third-Party-App sends to its server contain non-control information of Third-Party-App; if they contain non-control information, a malicious remote backup exists;
2-3. If a malicious remote backup exists, the userId and enterprise id are used to locate the corresponding enterprise and employee;
Step 3. S-BYOA prevents malicious local saving of enterprise documents
To counter the threat of an App maliciously saving enterprise documents locally, the SDK monitors and manages the sandbox; when editing is complete and the App exits, the user is notified to delete the enterprise documents in Third-Party-App. The specific implementation is as follows:
3-1. Sandbox file viewing: S-BYOA-App sends a file viewing request to Third-Party-App through { Third-Party-App://search }. The SDK traverses the information of all files in the App sandbox, splices the filenames into a string, and then calls back to the S-BYOA-App interface through { S-BYOA-App://filename string }, passing the filename string to S-BYOA-App. After receiving it, S-BYOA-App splits the filename string and shows the result to the user;
3-2. Deletion: S-BYOA-App sends a deletion request to Third-Party-App through { Third-Party-App://delete/filenames }. Third-Party-App receives the deletion request and splits the filename string to obtain the filenames to delete; the SDK calls the deletion interface to delete the specified files, and after deletion it calls { S-BYOA-App://success or error } to return the deletion result to S-BYOA-App.
The beneficial effects of the invention are as follows:
The invention studies and analyses the most prominent security problems in existing Bring Your Own Apps (BYOA) methods and proposes a secure mobile office method based on an SDK. By embedding an SDK in an App, the invention allows users to freely use third-party Apps to edit enterprise documents securely. The enterprise does not need to modify its existing file system or maintain an App whitelist to achieve secure mobile office, so S-BYOA has low deployment and maintenance costs.
The secure mobile office proposed by the invention mainly protects enterprise documents, covering three phases: the App obtaining, editing and locally saving an enterprise document. The major functions are:
(1) The App obtains enterprise documents securely
(2) Detecting whether the App maliciously backs up enterprise documents remotely
(3) Detecting whether the App maliciously saves enterprise documents locally
The invention provides security protection for the most common case, enterprise document editing, and proposes an SDK-based enterprise document editing scheme. Without changing the enterprise's existing file system, it lets a third-party App obtain enterprise documents securely, prevents enterprise documents from being leaked during editing, and prevents Apps from maliciously saving files, achieving the goal of secure mobile office.
Description of the drawings
Fig. 1: S-BYOA architecture diagram;
Fig. 2: enterprise document transfer process;
Fig. 3: App network traffic security monitoring flow chart;
Fig. 4: App sandbox viewing and deletion process;
Detailed description of the embodiments
To make the technical means, creative features, objectives and effects of the invention easy to understand, the invention is further described below with reference to the drawings.
The S-BYOA architecture is shown in Fig. 1. The overall S-BYOA architecture consists of the enterprise server Enterprise Server (E-Server), the S-BYOA server (S-BYOA-Server), the secure mobile office auxiliary App (S-BYOA-App), an arbitrary third-party App (Third-Party-App), S-BYOA-SDK (SDK) and the third-party App server. The function of each part is as follows:
(1) E-Server: the enterprise's own server, which manages and stores files and is responsible for employee authentication and for generating, managing and distributing user keys.
(2) S-BYOA-App: the mobile secure office App installed on the user terminal, responsible for securely storing partial keys, secure browsing of enterprise documents, and malicious save detection.
(3) S-BYOA-SDK: the secure mobile office SDK embedded in a third-party App, referred to below as SDK for convenience. Together with S-BYOA-App it implements enterprise document monitoring and secure transfer, and malicious save detection and deletion.
(4) Third-Party-App: a third-party App that integrates the SDK and can edit enterprise documents.
(5) Third-party App server: the server that provides the third-party App's original business. It is unrelated to enterprise documents and is referred to below as the App server.
(6) S-BYOA-Server: the secure mobile office server. Together with S-BYOA-SDK it detects malicious remote backup of files by third-party Apps and notifies the enterprise so that it can respond promptly.
The operational flow of this architecture:
① The user selects the enterprise document to be edited in S-BYOA-App and chooses to edit it with a third-party App. ② The third-party App obtains the enterprise document from the enterprise server through S-BYOA-SDK, decrypts the file and verifies its integrity, and opens the file for editing. ③ The S-BYOA server checks in real time whether the third-party App maliciously leaks enterprise document content while editing the enterprise document; if so, it intercepts the traffic and notifies the enterprise (process ④), and if not, it forwards the normal network data (process ⑤). ⑥ After the enterprise document has been edited, S-BYOA-App uses S-BYOA-SDK to check whether the third-party App's sandbox has maliciously saved the enterprise document. When the App is editing an enterprise document, it is responsible for directing the App's network requests to the BS.
Step 1. The file transfer flow in S-BYOA
As shown in Fig. 2, to ensure that an enterprise document can travel securely from E-Server to the App, the invention encrypts the transferred file using AES and verifies file integrity using a hash algorithm.
1-1. The employee logs in to the enterprise authentication system through S-BYOA-App; S-BYOA requests the PHE user key generation parameters from E-Server and generates the employee's corresponding pk and sk. When the employee initiates a request to edit file F, S-BYOA-App sends the F_id of file F and the employee's UserId to E-Server.
1-2. E-Server generates the download link url for file F; to prevent malicious repeated requests for the enterprise document, this link can be requested only once. It then randomly generates an AES encryption key $key$ and encrypts it with the server's PHE encryption key pk to obtain $key_s$ (formula 1). Next, a hash is computed over $key$, $key_s$ and url to obtain $H_{control}$ (formula 2). Finally, E-Server sends $key_s$, url and $H_{control}$ to S-BYOA-App.
$key_s = PHE_{pk}(key)$ (1)
$H_{control} = H(url, key, key_s)$ (2)
1-3. After S-BYOA-App receives the data returned by E-Server, it decrypts with the employee's sk to obtain $key$ (formula 3), then computes the hash over $key$, $key_s$ and url again to verify whether the data was tampered with in transit.
$key = PHE_{sk}(key_s)$ (3)
1-4. S-BYOA-App uses { Third-Party-App://key+url } to launch the target Third-Party-App and passes key and url to the SDK.
1-5. The SDK sends E-Server a request to download file F according to url, attaching the Token obtained when the SDK started. After receiving the request, E-Server first verifies that the SDK started normally, then encrypts file F with the key generated in step 1-2 (formula 4), computes a hash of file F to obtain $H_F$ (formula 5), and finally sends $F_S$ and $H_F$ to the SDK.
$F_S = AES_{key}(F)$ (4)
$H_F = H(F)$ (5)
1-6. After receiving $F_S$, the SDK decrypts it with the key obtained in step 1-3 to recover file F, and hashes the decrypted file F again to determine whether the file was tampered with in transit. If tampering is found, the SDK jumps to S-BYOA-App through the URL Scheme mechanism, informs the user that the file is damaged, and requests the file again.
1-7. After editing is complete, the upload process is similar to the download: the SDK randomly generates a key to encrypt the file and sends the encrypted file to E-Server. After the transfer completes, the SDK deletes the enterprise document in Third-Party-App and sends key to S-BYOA-App through the URL Scheme mechanism { S-BYOA-App://key }. S-BYOA-App encrypts key with the server's public key $E_{pk}$ and then sends the encrypted key to E-Server.
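The integrity and single-use checks of steps 1-2, 1-3, 1-5 and 1-6, as an added example that is not code from the patent. Assumptions: SHA-256 stands in for the unspecified hash H, fields are length-prefixed before hashing, the PHE key pair is replaced by a placeholder wrap/unwrap pair, and the AES step of formula (4) is not modelled; every class, function, token and URL name is hypothetical.

```python
import hashlib
import hmac
import secrets


def digest_fields(*fields: bytes) -> bytes:
    """H over several fields. Each field is length-prefixed (an assumption,
    not stated in the patent) so that field boundaries cannot be shifted."""
    h = hashlib.sha256()  # assumption: the patent only says "hash algorithm"
    for field in fields:
        h.update(len(field).to_bytes(4, "big"))
        h.update(field)
    return h.digest()


# Placeholder for the PHE key pair (pk wraps, sk unwraps). XOR with a shared
# pad is NOT a public-key scheme; it only lets the example run offline.
_PAD = secrets.token_bytes(32)


def phe_wrap(key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(key, _PAD))


phe_unwrap = phe_wrap  # XOR is its own inverse


class EServer:
    """Server side of steps 1-2 and 1-5 (hypothetical class)."""

    def __init__(self, files: dict, sdk_tokens: set):
        self.files = files            # F_id -> file bytes
        self.sdk_tokens = sdk_tokens  # tokens handed out when the SDK started
        self.pending = {}             # url -> (F_id, key), removed on first use

    def issue_link(self, f_id: str):
        key = secrets.token_bytes(32)
        url = "https://e-server.example/dl/" + secrets.token_urlsafe(16)
        key_s = phe_wrap(key)                                  # formula (1)
        h_control = digest_fields(url.encode(), key, key_s)    # formula (2)
        self.pending[url] = (f_id, key)
        return key_s, url, h_control

    def download(self, url: str, token: str):
        if token not in self.sdk_tokens:
            raise PermissionError("SDK start-up token not recognised")
        entry = self.pending.pop(url, None)  # the link can be requested once
        if entry is None:
            raise LookupError("link unknown or already used")
        f_id, _key = entry  # _key would encrypt F into F_S (formula 4)
        data = self.files[f_id]
        return data, hashlib.sha256(data).digest()             # formula (5)


def app_verify_control(key_s: bytes, url: str, h_control: bytes) -> bytes:
    """Step 1-3: recover key, recompute the hash, compare in constant time."""
    key = phe_unwrap(key_s)                                    # formula (3)
    expected = digest_fields(url.encode(), key, key_s)
    if not hmac.compare_digest(expected, h_control):
        raise ValueError("control message altered in transit")
    return key


def sdk_verify_file(data: bytes, h_f: bytes) -> bool:
    """Step 1-6: hash the received file again and compare with H_F."""
    return hmac.compare_digest(hashlib.sha256(data).digest(), h_f)


def run_demo() -> dict:
    # Constructed file content and token.
    server = EServer({"F-1": b"constructed enterprise document"}, {"tok-123"})
    key_s, url, h_control = server.issue_link("F-1")
    results = {"control_ok": len(app_verify_control(key_s, url, h_control)) == 32}
    try:  # a rewritten url no longer matches H_control
        app_verify_control(key_s, url + "x", h_control)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    data, h_f = server.download(url, "tok-123")
    results["file_ok"] = sdk_verify_file(data, h_f)
    results["modified_file_rejected"] = not sdk_verify_file(data + b"!", h_f)
    try:  # second request for the same link
        server.download(url, "tok-123")
        results["replay_rejected"] = False
    except LookupError:
        results["replay_rejected"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

Because $key$ never travels in the clear, someone who alters url in transit cannot recompute a matching $H_{control}$; the length prefixes keep that property from depending on how the three fields happen to be concatenated.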
Step 2. S-BYOA detects malicious remote backup of enterprise documents
As shown in Fig. 3, using the SDK together with the runtime features of the mobile system, the App's network traffic while editing an enterprise document is directed to the S-BYOA server, which checks whether there is a leak. If there is a leak, the enterprise is notified; otherwise, the data is forwarded. Here the App refers to any App capable of editing files, in the state of editing an enterprise document.
2-1. Through NSURLProtocol, the SDK changes the host address of all the App's network requests to the address of S-BYOA-Server and attaches the employee userId and the enterprise id, which implements network traffic monitoring.
2-2. S-BYOA-Server judges whether there is a malicious remote backup according to whether the network request packets that Third-Party-App sends to its server contain non-control information of Third-Party-App (such as large data uploads, or file and picture uploads); if they contain non-control information, a malicious remote backup exists;
2-3. If a malicious remote backup exists, the userId and enterprise id are used to locate the corresponding enterprise and employee.
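One way the S-BYOA-Server check of steps 2-2 and 2-3 could look, as an added example rather than the patent's implementation. The request fields, the content-type list and the 64 KiB body threshold are assumptions made for illustration, and the sample requests are constructed.

```python
from dataclasses import dataclass

# Assumed indicators of "non-control information" (file, picture or bulk upload).
UPLOAD_TYPES = ("multipart/form-data", "application/octet-stream", "image/")
MAX_CONTROL_BODY = 64 * 1024  # assumed size limit for ordinary control traffic


@dataclass
class RelayedRequest:
    """A Third-Party-App request after the SDK redirected it (step 2-1)."""
    user_id: str        # employee userId attached by the SDK
    enterprise_id: str  # enterprise id attached by the SDK
    original_host: str  # App server the request was meant for (assumed field)
    method: str
    content_type: str
    body: bytes


def non_control_reasons(req: RelayedRequest) -> list:
    """Return the reasons a request looks like an upload of document data."""
    reasons = []
    if req.method.upper() in ("POST", "PUT", "PATCH"):
        ctype = req.content_type.lower()
        if any(ctype.startswith(t) for t in UPLOAD_TYPES):
            reasons.append("upload content type " + ctype.split(";")[0])
        if len(req.body) > MAX_CONTROL_BODY:
            reasons.append("body of %d bytes" % len(req.body))
    return reasons


def handle(req: RelayedRequest) -> dict:
    reasons = non_control_reasons(req)
    if reasons:
        # Step 2-3: the attached ids locate the enterprise and the employee.
        return {"action": "notify_enterprise",
                "enterprise_id": req.enterprise_id,
                "user_id": req.user_id,
                "reasons": reasons}
    # No non-control information: forward to the App server as usual.
    return {"action": "forward", "host": req.original_host}


# Constructed sample traffic from one enterprise.
SAMPLES = [
    RelayedRequest("u1001", "ent-7", "api.app.example", "POST",
                   "application/json", b'{"ping": 1}'),
    RelayedRequest("u1001", "ent-7", "api.app.example", "POST",
                   "multipart/form-data; boundary=x", b"--x\r\ncontent\r\n--x--"),
    RelayedRequest("u1002", "ent-7", "api.app.example", "PUT",
                   "application/json", b"A" * (100 * 1024)),
]


def run_samples() -> list:
    return [handle(r) for r in SAMPLES]


if __name__ == "__main__":
    for decision in run_samples():
        print(decision)
```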
Step 3. S-BYOA prevents malicious local saving of enterprise documents
As shown in Fig. 4, to counter the threat of an App maliciously saving enterprise documents locally, the SDK monitors and manages the sandbox; when editing is complete and the App exits, the user is notified to delete the enterprise documents in Third-Party-App. The detailed process is shown in Fig. 4:
3-1. Sandbox file viewing: S-BYOA-App sends a file viewing request to Third-Party-App through { Third-Party-App://search }. The SDK traverses the information of all files in the App sandbox, splices the filenames into a string, and then calls back to the S-BYOA-App interface through { S-BYOA-App://filename string }, passing the filename string to S-BYOA-App. After receiving it, S-BYOA-App splits the filename string and shows the result to the user. Here the App refers to any App capable of editing files.
The filenames are spliced into a string as follows: a special character is used as the identification mark and the filenames are joined with it, for example: filename A*filename B*filename C, where the filenames are joined with "*".
The filename string is split as follows: the special character used when splicing is the identification mark, and the filenames are separated on it, for example: filename A*filename B*filename C is split on "*".
3-2. Deletion: S-BYOA-App sends a deletion request to Third-Party-App through { Third-Party-App://delete/filenames }. Third-Party-App receives the deletion request and splits the filename string to obtain the filenames to delete; the SDK calls the deletion interface to delete the specified files, and after deletion it calls { S-BYOA-App://success or error } to return the deletion result to S-BYOA-App.
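The "*"-joined filename string of step 3-1 and the delete request of step 3-2 leave two edge cases open: a filename that itself contains "*", and a requested name that resolves outside the sandbox. The added example below (not the patent's code; the function names and the percent-encoding choice are assumptions, and the files are constructed) shows both next to a hardened form.

```python
import tempfile
from pathlib import Path
from urllib.parse import quote, unquote

SEP = "*"  # the identification mark used in the patent's example


def splice_naive(names):
    """Step 3-1 exactly as described: join the names with the mark."""
    return SEP.join(names)


def split_naive(joined):
    return joined.split(SEP)


def splice(names):
    """Percent-encode each name first, so "*" inside a name becomes %2A."""
    return SEP.join(quote(n, safe="") for n in names)


def split(joined):
    return [unquote(p) for p in joined.split(SEP)] if joined else []


def list_sandbox(sandbox: Path):
    return sorted(p.name for p in sandbox.iterdir() if p.is_file())


def delete_in_sandbox(sandbox: Path, name: str) -> str:
    """Step 3-2 handler: delete only regular files that resolve inside the
    sandbox; returns the "success" / "error" value sent back to S-BYOA-App."""
    root = sandbox.resolve()
    target = (root / name).resolve()  # follows "..", absolute paths, symlinks
    if root not in target.parents or not target.is_file():
        return "error"
    target.unlink()
    return "success"


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        sandbox = Path(tmp) / "sandbox"
        sandbox.mkdir()
        outside = Path(tmp) / "other-app.db"  # constructed file outside the sandbox
        outside.write_text("not part of the sandbox")
        for name in ("report.docx", "q3*draft.xlsx"):  # constructed names
            (sandbox / name).write_text("x")
        names = list_sandbox(sandbox)
        return {
            "names": names,
            "naive": split_naive(splice_naive(names)),
            "encoded": split(splice(names)),
            "traversal": delete_in_sandbox(sandbox, "../other-app.db"),
            "outside_still_exists": outside.exists(),
            "delete": delete_in_sandbox(sandbox, "q3*draft.xlsx"),
            "remaining": list_sandbox(sandbox),
        }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, "=", v)
```

With the plain join, the two files come back as three names, so the user is shown entries that do not exist and a delete request for them fails; the encoded form round-trips the list unchanged.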
S-BYOA parameter lookup tables.
Claims (3)
1. a kind of safety moving office procedure based on SDK, it is characterised in that include the following steps:
Implementation of File Transfer in step 1.S-BYOA:Transmission file is encrypted using AES, it is complete to file using hash algorithm
Whole property is verified;It is implemented as follows:
1-1. employee logins corporate authentication system by S-BYOA-App, and S-BYOA gives birth to from E-Server request PHE user's secret keys
At parameter, and generate employee corresponding pk and sk;When employee initiates the request of editing files F, S-BYOA-App is by file F's
F_id and employee UserId are sent to E-Server;
1-2.E-Server generates the download link url of file F, and enterprise document is by malice repetitive requests, the link in order to prevent
It can only be requested once, then randomly generate the key key of an AES encryption, and add using the PHE encryption keys pk of server
It is close to obtain keys(formula 1), then by key, keys, url carry out a hash algorithm obtain Hcontrol(formula 2), last E-
Server is by keys、url、HcontrolIt is sent to S-BYOA-App;
keys=PHEpk(key) (1)
Hcontrol=H (url, key, keyS) (2)
After 1-3.S-BYOA-App receives the data of E-Server returns, decrypt to obtain key (formula 3) using employee sk, then
By key, keys, url carry out a hash algorithm again, whether verify data is tampered in transmission process;
Key=PHEsk(keys) (3)
1-4.S-BYOA-App uses { Third-Party-App://key+url } arouse target Third-Party-App, and will
Key and url are transmitted to SDK;
1-5.SDK initiates the request that file F is downloaded according to url to E-Server, and adds the Token obtained when SDK starts,
It after E-Server receives request, first verifies that whether SDK normally starts, then encrypts text using the key generated in step 1-2
Then file F is carried out hash algorithm and obtains H by part F (formula 4)F(formula 5), finally by FSAnd HFIt is sent to SDK;
FS=AESkey(F) (4)
HF=H (F) (5)
1-6.SDK receives FSAfter, decrypt to obtain file F using key is obtained in step 1-3, and to the file F after decryption again into
Hash of row, judges whether file is tampered in transmission process;If it find that distorting, SDK passes through URL Scheme mechanism
S-BYOA-App is jumped to, informs that user file is damaged, re-request file;
After the completion of 1-7. works as Document Editing, the process that file uploads is similar with acquisition, and SDK randomly generates a key to encrypt text
Part, and encrypted file is sent to E-Server, SDK deletes enterprise document in Third-Party-App after the completion of transmission,
And pass through URL Scheme mechanism { S-BYOA-App://key } key is sent to S-BYOA-App, S-BYOA-App services
The public key E of devicepkKey is encrypted, encrypted key is then sent to E-Server;
Step 2.S-BYOA detects enterprise document malice remote backup
App network flows when editing enterprise document are oriented to S-BYOA clothes by characteristic when being run by SDK combination mobile systems
Business device detects whether to have the case where leakage, enterprise is then notified if there is leakage by S-BYOA servers, conversely, into
Row data forwarding;
S-BYOA-Server's is revised as in the addresses host that App all-networks are asked by 2-1.SDK by NSURLProtocol
Address, while employee userId and enterprise id are enclosed, realize network flow monitoring;
In the network request packet that 2-2.S-BYOA-Server is sent to its server according to Third-Party-App whether
The Non-control information for including Third-Party-App, to judge whether malice remote backup, if including non-controlling is believed
, then there is malice remote backup in breath;
2-3. navigates to corresponding enterprise and employee if there is malice remote backup, using userId and enterprise id;
Step 3.S-BYOA prevents enterprise document malice is local from preserving
The local threat for preserving enterprise document of App malice in order to prevent is monitored and is managed by SDK the function of sandbox, editing
When completing backed off after random, notifies user to delete the enterprise document in Third-Party-App, be implemented as follows:
3-1. sandbox Fileviews:S-BYOA-App passes through { Third-Party-App://search } to Third-Party-
App initiates Fileview request, and SDK traverses All Files information in the App sandboxs, and filename is spliced into character string, then
Pass through { S-BYOA-App:// filename character string } readjustment arrives the interfaces S-BYOA-App again, while filename character string being passed
To S-BYOA-App;S-BYOA-App is split filename character string after receiving and is shown to user;
3-2. deleting:S-BYOA-App passes through { Third-Party-App://delete/ filenames } to Third-Party-App
Removal request is initiated, Third-Party-App receives removal request, and segmentation filename character string obtains the file for needing to delete
Name, SDK, which is called, deletes interface deletion specified file, and { S-BYOA-App is recalled after deleting successfully://success or error }
The result of deletion is returned into S-BYOA-App.
2. The safe mobile office method based on SDK according to claim 1, characterized in that the method is based on the S-BYOA framework, which comprises the enterprise server Enterprise Server (E-Server), the S-BYOA server (S-BYOA-Server), the secure mobile office auxiliary App (S-BYOA-App), any third-party App (Third-Party-App), S-BYOA-SDK (SDK), and the third-party App server:
(1) E-Server: the enterprise's own server, which manages and stores files and is responsible for employee authentication and for generating, managing and distributing user keys;
(2) S-BYOA-App: the mobile secure office App installed on the user terminal, responsible for securely storing part of the key, secure browsing of enterprise documents, and malicious-save detection;
(3) S-BYOA-SDK: the secure mobile office SDK embedded in the third-party App, which works with S-BYOA-App to implement enterprise document monitoring and secure transmission, and malicious-save detection and deletion;
(4) Third-Party-App: a third-party App that integrates the SDK and can edit enterprise documents;
(5) Third-party App server: the server that provides the third-party App's original services;
(6) S-BYOA-Server: the secure mobile office server, which works with S-BYOA-SDK to detect malicious remote backup of files by third-party Apps and notifies the enterprise for timely handling.
3. The safe mobile office method based on SDK according to claim 2, characterized in that the S-BYOA framework operates as follows:
The user selects the enterprise document to be edited in S-BYOA-App and chooses to edit it with a third-party App; the third-party App obtains the enterprise document from the enterprise server through S-BYOA-SDK, performs file decryption and integrity verification, and opens the file for editing; while the third-party App is editing the enterprise document, the S-BYOA server detects in real time whether it is maliciously leaking enterprise document content; if so, it intercepts the traffic and notifies the enterprise; if not, it forwards the normal network data; after the enterprise document has been edited, S-BYOA-App uses S-BYOA-SDK to detect whether the third-party App's sandbox has maliciously saved the enterprise document; while the App is editing an enterprise document, it is responsible for redirecting the App's network requests so that they are sent to BS.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810148496.5A CN108494734B (en) | 2018-02-13 | 2018-02-13 | Safe mobile office method based on SDK |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810148496.5A CN108494734B (en) | 2018-02-13 | 2018-02-13 | Safe mobile office method based on SDK |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108494734A true CN108494734A (en) | 2018-09-04 |
CN108494734B CN108494734B (en) | 2020-11-17 |
Family
ID=63340594
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810148496.5A Active CN108494734B (en) | 2018-02-13 | 2018-02-13 | Safe mobile office method based on SDK |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108494734B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104469767A (en) * | 2014-10-28 | 2015-03-25 | 杭州电子科技大学 | Implementation method for integrated security protection subsystem of mobile office system |
US20160269926A1 (en) * | 2013-10-08 | 2016-09-15 | Alef Mobitech Inc. | Systems and methods for providing mobility aspects to applications in the cloud |
CN106446673A (en) * | 2016-09-18 | 2017-02-22 | 深圳市深信服电子科技有限公司 | Application isolation method and terminal device |
CN106936686A (en) * | 2015-12-31 | 2017-07-07 | 北京北信源软件股份有限公司 | A kind of immediate communication platform for supporting safety moving to handle official business |
2018
- 2018-02-13 CN CN201810148496.5A patent/CN108494734B/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160269926A1 (en) * | 2013-10-08 | 2016-09-15 | Alef Mobitech Inc. | Systems and methods for providing mobility aspects to applications in the cloud |
CN104469767A (en) * | 2014-10-28 | 2015-03-25 | 杭州电子科技大学 | Implementation method for integrated security protection subsystem of mobile office system |
CN106936686A (en) * | 2015-12-31 | 2017-07-07 | 北京北信源软件股份有限公司 | A kind of immediate communication platform for supporting safety moving to handle official business |
CN106446673A (en) * | 2016-09-18 | 2017-02-22 | 深圳市深信服电子科技有限公司 | Application isolation method and terminal device |
Also Published As
Publication number | Publication date |
---|---|
CN108494734B (en) | 2020-11-17 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106302449B (en) | A kind of storage of ciphertext and the open cloud service method of searching ciphertext and system | |
US9537864B2 (en) | Encryption system using web browsers and untrusted web servers | |
US9961030B2 (en) | Method and system for sender-controlled messaging and content sharing | |
CN105027493B (en) | Safety moving application connection bus | |
CN103107889B (en) | A kind of cloud computing environment data encryption storage system and method that can search for | |
US9552492B2 (en) | Secure application access system | |
US20160234209A1 (en) | Secure user credential access system | |
US7313823B2 (en) | Anti-alternation system for web-content | |
US9246885B2 (en) | System, method, apparatus and computer programs for securely using public services for private or enterprise purposes | |
US20070101124A1 (en) | Secure provisioning of digital content | |
CN104348914B (en) | A kind of tamper resistant systems file syn chronizing system and its method | |
CN103457733A (en) | Data sharing method and system under cloud computing environment | |
US9665731B2 (en) | Preventing content data leak on mobile devices | |
CN105429962B (en) | A kind of general go-between service construction method and system towards encryption data | |
CN105119928B (en) | Data transmission method, device, system and the security server of Android intelligent terminal | |
CN107463848B (en) | Application-oriented ciphertext search method, device, proxy server and system | |
Meye et al. | A secure two-phase data deduplication scheme | |
Xiong et al. | A secure document self-destruction scheme: an ABE approach | |
CN105072134A (en) | Cloud disk system file secure transmission method based on three-level key | |
US20100169638A1 (en) | Communication system having message encryption | |
CN107094075A (en) | A kind of data block dynamic operation method based on convergent encryption | |
CN111970232A (en) | Safe access system of intelligent service robot of electric power business hall | |
CN113626859A (en) | Method, system, device and medium for supporting encryption protection of key escrow personal file | |
CN105187379B (en) | Password based on multi-party mutual mistrust splits management method | |
CN108494734A (en) | A kind of safety moving office procedure based on SDK |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | Effective date of registration: 20230907; Address after: Room 2002, Zone A, Huazhou Business Center, No. 1038 Jiangnan Avenue, Changhe Street, Binjiang District, Hangzhou City, Zhejiang Province, 310051; Patentee after: Zhejiang Qiangua Information Technology Co.,Ltd.; Address before: 310018 No. 2 street, Xiasha Higher Education Zone, Hangzhou, Zhejiang; Patentee before: HANGZHOU DIANZI University |