CN110140124B

CN110140124B - Packet applications share data using the same key

Info

Publication number: CN110140124B
Application number: CN201780082026.7A
Authority: CN
Inventors: 杨李军; 熊晟; 王奇
Original assignee: Huawei Technologies Co Ltd
Current assignee: Huawei Technologies Co Ltd
Priority date: 2017-12-29
Filing date: 2017-12-29
Publication date: 2021-04-20
Anticipated expiration: 2037-12-29
Also published as: CN110140124A; WO2019127468A1

Abstract

The application provides a data processing method and a terminal, relates to the technical field of communication, and is beneficial to improving the security of data in an application program in the terminal. The method is applied to a terminal, a first application process, a second application process and a key management process are operated on the terminal, and the method specifically comprises the following steps: the second application process sends an access request to the first application process, wherein the access request is used for requesting to access third data of the first application process; the key management process receives a decryption request for decrypting the third data; if the key management process determines whether the second application process is in the process group in which the first application process is located according to the decryption request. And if so, the key management process decrypts the third data by using the decryption key corresponding to the process packet to obtain fourth data, and returns the fourth data. If not, the key management process does not decrypt and returns third data.

Description

Packet applications share data using the same key

Technical Field

The present application relates to the field of communications technologies, and in particular, to a data processing method and a terminal.

Background

The application programs on the terminal run in independent process spaces, and the data and functions of the processes are isolated from each other. If the processes need to communicate, the accessed process needs to perform permission verification on the accessed process. And if the verification is successful, the access process is allowed to access, which indicates that the access process has the access right. Otherwise, the access process is not allowed to access if the access process does not have the access right.

Therefore, at present, the terminal guarantees the communication security between the processes through the authority mechanism. However, in the process of authorization by the accessed process, a situation of false authorization is easy to occur. For example: the user may be induced to install and authorize the virus application. Then, the virus application can check the authority of other processes (accessed processes), that is, data of other applications and even key information can be freely accessed, which may cause harm to users.

Disclosure of Invention

The data processing method and the terminal can improve the data security in the application process on the terminal.

In a first aspect, a data processing method provided in the present application may be applied to a terminal, where the terminal runs a first application process, a second application process, and a key management process. The method specifically comprises the following steps: the second application process sends an access request to the first application process, wherein the access request is used for requesting to access third data of the first application process; the key management process receives a decryption request for decrypting the third data; if the key management process determines that the second application process is in the process group where the first application process is located according to the decryption request, the key management process decrypts the third data by using the decryption key corresponding to the process group where the first application process is located to obtain fourth data; in response to the decryption request, the key management process returns fourth data.

Wherein the terminal has N process groups; each of the N process groups comprises at least one process, and at least one process group comprises two or more processes; wherein N is an integer greater than 1 or equal to 1; the N process groups correspond to the M decryption keys, and each process group corresponds to one decryption key; wherein M is a positive integer, and N is M.

The first application process is one of processes run by the first application program, and the first application program may be any application on the terminal, and is a program and data set that can execute a certain service function, for example: short message application, Mei Tuo application, Taobao application, and the like.

The second application process may be another process in the first application program, different from the first application process, or one process in the second application program, different from the second application program.

In some embodiments, the second application process needs to obtain the right to access the first application process in advance.

In some embodiments, the first data may be data that needs to be encrypted, for example, data determined according to a business property of the first application process or the first application program, for example, important, critical, and sensitive data in the first application process or the first application program.

In some embodiments, the key management module determines a packet corresponding to the third application process according to information such as a service type or a download source of the third application process, establishes a corresponding relationship between the identifier of the third application process and the identifier of the packet, and stores the identifier of the third application process and the identifier of the packet locally.

Therefore, when the second application process and the first application process belong to the same process group, the key management process decrypts the third data by using the decryption key corresponding to the process group in which the first application process is located, so that the second application process obtains the decrypted third data, namely the fourth data. The data of the first application process can be accessed only when the second application process and the first application process belong to the same process group, and the data security in the first application process is improved.

In one possible design, the key management process receives a decryption request for decrypting the third data, specifically, the key management process receives a decryption request sent by the first application process according to the access request. The step of returning the fourth data by the key management process is specifically as follows: the key management process returns fourth data to the first application process. The first application process sends the fourth data to the second application process.

It can be seen that the terminal may be a second application process accessing the first application process, and the first application process requesting decryption of the third data from the key management process. After the key management process decrypts the third data, the decrypted third data, that is, the fourth data, may be sent to the second application process through the first application process. Therefore, the embodiment of the application provides a method for accessing third data of a first application process by a second application process.

In one possible design, if the key management process determines that the second application process is not in the process group in which the first application process is located, the key management process sends third data to the first application process; the first application process sends the third data to the second application process.

Therefore, when the second application process and the first application process are not in the same process group, the key management process does not decrypt the third data, and the third data is directly sent to the second application process through the first application process, so that the data security of the first application process is facilitated.

In a possible design, if the second application process is not in the group, the key management module may also directly reject the decryption request of the first application process for the third data, and end the process.

In one possible design, after the second application process sends the access request to the first application process, before the key management process receives a decryption request requesting decryption of the third data, the method further includes: the second application process receives third data sent by the first application process; the receiving, by the key management process, a decryption request for decrypting the third data specifically includes: the key management process receives a decryption request sent by the second application process; the step of returning the fourth data by the key management process is specifically as follows: the key management process returns the fourth data to the second application process.

As can be seen, when the second application process accesses the data of the first application process, the terminal may first obtain the data encrypted by the first application process, that is, the third data, and then request the key management process to decrypt the third data by the second application process. After the key management process decrypts the third data, the decrypted third data, that is, the fourth data, may be sent to the second application process. Therefore, the embodiment of the application provides a method for accessing third data of a first application process by a second application process.

In one possible design, the key management process sends the third data to the second application process if the key management process determines that the second application process is not within the process group in which the first application process is located.

Therefore, when the second application process and the first application process are not grouped in the same process, the key management process does not decrypt the third data and directly sends the third data to the second application process, and the data security of the first application process is facilitated.

In one possible design, before the key management process decrypts the third data using the decryption key corresponding to the process packet in which the first application process is located, to obtain the fourth data, the method further includes: the key management process acquires an identifier of a first application process; the key management process determines the identifier of the process group in which the first application process is located according to the identifier of the first application process; and the key management process acquires a decryption key corresponding to the process group in which the first application process is located according to the identifier of the process group in which the first application process is located.

Therefore, the application provides a method for acquiring a decryption key corresponding to a process group in which a first application process is located by a terminal.

In one possible design, the first application process requests the key management process to encrypt the first data; the key management process determines the process group where the first application process is located according to the request; the key management process encrypts the first data by using an encryption key corresponding to a process group in which the first application process is positioned to generate second data; the N process groups correspond to the M encryption keys, and each process group corresponds to one encryption key; the key management process sends the second data to the first application process.

Therefore, the method for encrypting the application processes in the same process group by using the same encryption key is realized, and the data security in the application processes is favorably improved.

In one possible design, the first application process saves the second data.

In some embodiments, the first application process stores the second data in an encrypted store in the first application process. The encrypted storage area is a specific storage space in the first application process and is specially used for storing the data encrypted by the key management module.

In one possible design, the determining, by the key management process according to the request, the process group in which the first application process is located includes: the key management process acquires an identifier of a first application process; the key management process determines the identifier of the process group in which the first application process is located according to the identifier of the first application process; and the key management process acquires an encryption key corresponding to the process group in which the first application process is located according to the identifier of the process group in which the first application process is located.

In a second aspect, a terminal includes a first application module, a second application module, and a key management module, where the second application module is configured to send an access request to the first application module, and the access request is used to request to access third data of a first application process; the key management module is used for receiving a decryption request for requesting to decrypt the third data; the key management module is further used for decrypting the third data by using a decryption key corresponding to the process group in which the first application process is located to obtain fourth data if the key management module determines that the second application process is in the process group in which the first application process is located according to the decryption request; and the key management module is also used for responding to the decryption request and returning fourth data.

In one possible design, the key management module is further configured to receive a decryption request sent by the first application module according to the access request: the key management module is also used for returning fourth data to the first application program module; and the first application program module is used for sending the fourth data to the second application program module.

In one possible design, the key management module is further configured to send third data to the first application program module if the key management module determines that the second application process is not in the process group in which the first process is located; the first application program module is also used for sending third data to the second application program module.

In one possible design, the second application module is further configured to receive third data sent by the first application module; the key management module is also used for receiving a decryption request sent by the second application program module; and the key management module is also used for returning fourth data to the second application program module.

In a possible design, the key management module is further configured to send third data to the second application program module if the key management module determines that the second application process is not in the process group in which the first application process is located.

In one possible design, the key management module is further configured to obtain an identifier of the first application module; the key management module is also used for determining the identifier of the process group where the first application program module is located according to the identifier of the first application program module; and the key management module is further used for acquiring a decryption key corresponding to the process group in which the first application program module is located according to the identifier of the process group in which the first application program module is located.

In one possible design, the first application module is further configured to request the key management module to encrypt the first data; the key management module is also used for determining the process group where the first application program module is located according to the request; the key management module is also used for encrypting the first data by using an encryption key corresponding to the process group where the first application program module is located to generate second data; the N process groups correspond to the M encryption keys, and each process group corresponds to one encryption key; and the key management module is also used for sending second data to the first application program module.

In one possible design, the first application module is further configured to store the second data.

In one possible design, the key management module is further configured to obtain an identifier of the first application module; the key management module is also used for determining the identifier of the process group where the first application program module is located according to the identifier of the first application program module; and the key management module is further used for acquiring an encryption key corresponding to the process group in which the first application program module is located according to the identifier of the process group in which the first application program module is located.

A third aspect is a terminal, comprising: a processor, a memory and a touch screen, the memory and the touch screen being coupled to the processor, the memory being adapted to store computer program code comprising computer instructions which, when executed by the processor, cause the terminal to perform the method of data processing as in any one of the possible design methods of the first aspect.

A fourth aspect is a computer storage medium comprising computer instructions which, when run on a terminal, cause the terminal to perform a method of data processing according to any one of the possible design methods of the first aspect.

A fifth aspect is a computer program product for causing a computer to perform a method of any one of the possible design method data processing of the first aspect when the computer program product is run on the computer.

Drawings

Fig. 1 is a schematic diagram of a hardware structure of a terminal provided in the present application;

fig. 2 is a first flowchart illustrating a data processing method provided in the present application;

FIG. 3 is a diagram illustrating a memory space of a process provided herein;

fig. 4 is a schematic flowchart illustrating a data processing method according to the present application;

fig. 5 is a schematic flow chart diagram of a data processing method provided in the present application;

fig. 6 is a schematic diagram of a software structure of a terminal provided in the present application;

fig. 7 is a fourth schematic flowchart of a data processing method provided in the present application;

fig. 8 is a fifth flowchart illustrating a data processing method provided in the present application;

fig. 9 is a sixth schematic flowchart of a data processing method provided in the present application;

fig. 10 is a seventh flowchart illustrating a data processing method provided in the present application;

fig. 11 is a schematic flowchart eight of a data processing method provided in the present application;

fig. 12 is a first schematic diagram illustrating a terminal according to the present application;

fig. 13 is a schematic diagram illustrating a composition of a terminal according to the present application.

Detailed Description

In the following, the terms "first", "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature. In the description of the present application, "a plurality" means two or more unless otherwise specified.

First, in order to better understand the technical solution of the present application, a brief description is given to a communication mechanism between applications.

When the terminal installs the application programs, a unique User Identifier (UID) or Process Identifier (PID) is allocated to each application program and is permanently maintained. When communicating between different applications, an adhesive (Binder) mechanism is employed. The Binder mechanism is based on a Client/server (C/S) architecture. Specifically, the accessed application program is used as a service (server) side, and the accessed application program is used as a Client (Client) side. The Client side sends the accessed task to the Server side, and the Server side can judge whether the Client side meets the access authority or not according to the UID/PID according to the authority control strategy. Only the Client terminal applying for the specific authority can access the Server terminal.

Currently, the authority control is often performed by popping up an authority inquiry dialog box to allow a user to select whether to operate or not. The permissions are divided into installation permissions and dynamic permissions. Installation authority means that when an application program is installed for the first time, all authorities related to the whole application program are queried once, for example: the Android system of the previous version at Android 6.0, also known as Android M. The dynamic permission is that in the running process of the application program, which permission resize frame is needed to inquire whether the user gives the corresponding permission, for example: android system of Android M and later versions.

It should be noted that, for some malicious applications, it may be possible to obtain the access rights of some important applications directly by declaring as an application that does not support dynamic rights, and avoiding the consent of the user, so as to obtain the key data of these important applications, which brings loss to the user. Therefore, the application provides a data processing method, the application programs installed on the terminal are grouped through the terminal, and the application programs in the same group use the same key to encrypt the key data when running. Thus, the data encrypted by the application program in the same packet can only be decrypted by other application programs in the packet. Therefore, even if a malicious application program obtains the access right of the application program, the encrypted data cannot be decrypted because the malicious application program is not in the same group, and the data security of the user can be ensured.

For example, the terminal in the present application may be a mobile phone (such as the mobile phone 100 shown in fig. 1), a tablet Computer, a Personal Computer (PC), a Personal Digital Assistant (PDA), a smart watch, a netbook, a wearable electronic device, an Augmented Reality (AR) device, a Virtual Reality (VR) device, and the like, in which an application program may be installed and an application program icon may be displayed.

As shown in fig. 1, taking the mobile phone 100 as the terminal for example, the mobile phone 100 may specifically include:

the processor 101 is a control center of the cellular phone 100, connects various parts of the cellular phone 100 using various interfaces and lines, and performs various functions of the cellular phone 100 and processes data by running or executing an application program stored in the memory 103 and calling data stored in the memory 103. In some embodiments, processor 101 may include one or more processing units; for example, the processor 101 may be an kylin 960 chip manufactured by Huanti technologies, Inc.

The rf circuit 102 may be used for receiving and transmitting wireless signals during the transmission and reception of information or calls. In particular, the rf circuit 102 may receive downlink data of the base station and then process the received downlink data to the processor 101; in addition, data relating to uplink is transmitted to the base station. Typically, the radio frequency circuitry includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier, a duplexer, and the like. In addition, the radio frequency circuitry 102 may also communicate with other devices via wireless communication. The wireless communication may use any communication standard or protocol including, but not limited to, global system for mobile communications, general packet radio service, code division multiple access, wideband code division multiple access, long term evolution, email, short message service, and the like.

The memory 103 is used for storing application programs and data, and the processor 101 executes various functions and data processing of the mobile phone 100 by running the application programs and data stored in the memory 103. The memory 103 mainly includes a program storage area and a data storage area, wherein the program storage area can store an operating system and application programs (such as a sound playing function and an image playing function) required by at least one function; the storage data area may store data (e.g., audio data, a phonebook, etc.) created from use of the handset 100. In addition, the Memory 103 may include a high-speed Random Access Memory (RAM), and may further include a nonvolatile Memory, such as a magnetic disk storage device, a flash Memory device, or other volatile solid-state storage device. The memory 103 may store various operating systems, such as those developed by apple Inc

Operating System, developed by Google

An operating system, etc. The memory 103 may be independent and connected to the processor 101 through the communication bus; the memory 103 may also be integrated with the processor 101.

The touch screen 104 may specifically include a touch pad 104-1 and a display 104-2.

Wherein the touch pad 104-1 can capture touch events on or near the touch pad 104-1 by a user of the cell phone 100 (e.g., user operation on or near the touch pad 104-1 using any suitable object such as a finger, a stylus, etc.) and transmit the captured touch information to other devices (e.g., the processor 101). Among them, a touch event of a user near the touch pad 104-1 can be called a hover touch; hover touch may refer to a user not having to directly contact the touchpad in order to select, move, or drag a target (e.g., an icon, etc.), but rather only having to be in proximity to the device in order to perform a desired function. In addition, the touch pad 104-1 can be implemented by various types, such as resistive, capacitive, infrared, and surface acoustic wave.

Display (also referred to as a display screen) 104-2 may be used to display information entered by or provided to the user as well as various menus for handset 100. The display 104-2 may be configured in the form of a liquid crystal display, an organic light emitting diode, or the like. The trackpad 104-1 may be overlaid on the display 104-2, and when the trackpad 104-1 detects a touch event thereon or nearby, it is communicated to the processor 101 to determine the type of touch event, and the processor 101 may then provide a corresponding visual output on the display 104-2 based on the type of touch event. Although in FIG. 1, the touch pad 104-1 and the display screen 104-2 are shown as two separate components to implement the input and output functions of the cell phone 100, in some embodiments, the touch pad 104-1 and the display screen 104-2 may be integrated to implement the input and output functions of the cell phone 100. It is understood that the touch screen 104 is formed by stacking multiple layers of materials, and only the touch pad (layer) and the display screen (layer) are shown in the embodiment of the present application, and other layers are not described in the embodiment of the present application. In addition, the touch pad 104-1 may be disposed on the front surface of the mobile phone 100 in a full panel manner, and the display screen 104-2 may also be disposed on the front surface of the mobile phone 100 in a full panel manner, so that a frameless structure can be implemented on the front surface of the mobile phone.

In addition, the mobile phone 100 may also have a fingerprint recognition function. For example, the fingerprint identifier 112 may be disposed on the back side of the handset 100 (e.g., below the rear facing camera), or the fingerprint identifier 112 may be disposed on the front side of the handset 100 (e.g., below the touch screen 104). For another example, the fingerprint acquisition device 112 may be configured in the touch screen 104 to realize the fingerprint identification function, i.e., the fingerprint acquisition device 112 may be integrated with the touch screen 104 to realize the fingerprint identification function of the mobile phone 100. In this case, the fingerprint acquisition device 112 is disposed in the touch screen 104, may be a part of the touch screen 104, and may be disposed in the touch screen 104 in other manners. The main component of the fingerprint acquisition device 112 in the present embodiment is a fingerprint sensor, which may employ any type of sensing technology, including but not limited to optical, capacitive, piezoelectric, or ultrasonic sensing technologies, among others.

The handset 100 may also include a bluetooth device 105 for enabling data exchange between the handset 100 and other short-range devices (e.g., cell phones, smart watches, etc.).

The handset 100 may also include at least one sensor 106, such as a light sensor, motion sensor, and other sensors. Specifically, the light sensor may include an ambient light sensor that adjusts the brightness of the display of the touch screen 104 according to the brightness of ambient light, and a proximity sensor that turns off the power of the display when the mobile phone 100 is moved to the ear. As one of the motion sensors, the accelerometer sensor can detect the magnitude of acceleration in each direction (generally, three axes), can detect the magnitude and direction of gravity when stationary, and can be used for applications of recognizing the posture of a mobile phone (such as horizontal and vertical screen switching, related games, magnetometer posture calibration), vibration recognition related functions (such as pedometer and tapping), and the like; as for other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer, and an infrared sensor, which can be configured on the mobile phone 100, further description is omitted here.

The WiFi device 107 is used for providing the mobile phone 100 with network access conforming to WiFi related standard protocols, and the mobile phone 100 can access to a WiFi access point through the WiFi device 107, thereby helping a user to send and receive e-mails, browse web pages, access streaming media and the like, and providing the user with wireless broadband internet access. In other embodiments, the WiFi device 107 may also be a WiFi wireless access point, which may provide WiFi network access for other devices.

And a positioning device 108 for providing a geographical position for the handset 100. It can be understood that the Positioning device 108 may specifically be a receiver of a Global Positioning System (GPS) or a Positioning System such as the beidou satellite navigation System, russian GLONASS, and the like. After receiving the geographical location transmitted by the positioning system, the positioning device 108 transmits the information to the processor 101 for processing or transmits the information to the memory 103 for storage. In some other embodiments, the Positioning device 108 may also be an Assisted Global Positioning System (AGPS) receiver that assists the Positioning device 108 in performing ranging and Positioning services by acting as an assistance server, in which case the assistance server provides Positioning assistance by communicating with the Positioning device 108 (i.e., GPS receiver) of the apparatus, such as the handset 100, over a wireless communication network. In some other embodiments, the positioning device 108 may also be a WiFi access point based positioning technology. Since each WiFi Access point has a globally unique (Media Access Control, MAC) address, the device can scan and collect broadcast signals of surrounding WiFi Access points when the WiFi is turned on, so that the MAC address broadcasted by the WiFi Access point can be acquired; the device sends the data (such as MAC address) capable of identifying the WiFi access points to the location server through the wireless communication network, the location server retrieves the geographical location of each WiFi access point, and calculates the geographical location of the device and sends the geographical location of the device to the positioning device 108 of the device according to the strength of the WiFi broadcast signal.

The audio circuitry 109, speaker 113, microphone 114 can provide an audio interface between a user and the handset 100. The audio circuit 109 may transmit the electrical signal converted from the received audio data to the speaker 113, and convert the electrical signal into a sound signal by the speaker 113 for output; on the other hand, the microphone 114 converts the collected sound signal into an electrical signal, converts the electrical signal into audio data after being received by the audio circuit 109, and outputs the audio data to the RF circuit 102 to be transmitted to, for example, another cellular phone, or outputs the audio data to the memory 103 for further processing.

Peripheral interface 110, which is used to provide various interfaces for external input/output devices (e.g., keyboard, mouse, external display, external memory, SIM card, etc.). For example, the mouse is connected through a Universal Serial Bus (USB) interface, and the Subscriber Identity Module (SIM) card provided by a telecom operator is connected through a metal contact on a SIM card slot. Peripheral interface 110 may be used to couple the aforementioned external input/output peripherals to processor 101 and memory 103.

The mobile phone 100 may further include a power supply device 111 (such as a battery and a power management chip) for supplying power to each component, and the battery may be logically connected to the processor 101 through the power management chip, so as to implement functions of managing charging, discharging, and power consumption through the power supply device 111.

Although not shown in fig. 1, the mobile phone 100 may further include a camera (front camera and/or rear camera), a flash, a micro-projector, a Near Field Communication (NFC) device, etc., which will not be described in detail herein.

The methods in the following embodiments can be implemented in the mobile phone 100 having the above hardware structure.

As shown in fig. 2, a flowchart of a data processing method provided by the present application is provided, where the method includes an encryption process for data, and the method is applicable to a terminal, where the terminal runs a first application process and a key management process, and the method specifically includes:

s101, generating first data by the first application process.

In some embodiments, the first data may be data that needs to be encrypted, for example, data determined according to a business property of the first application process or the first application program, for example, important, critical, and sensitive data in the first application process or the first application program. For example, if the first application program is a short message application, the first data may be information such as an account number, a password, an authentication code, and a content of a short message. Specifically, the first data may be the entire short message content including the key data, or may be part of the content in one short message content, and only the key data, which is not limited in the embodiment of the present application. If the first data is the data that needs to be encrypted, the first application process needs to request the key management module to encrypt the first data, i.e., step S102 is executed.

In some embodiments, the first data may be data that does not need to be encrypted, for example, data that is determined to not need to be encrypted according to a business property of the first application process or the first application program, and the first application process may store the first data directly, that is, without performing the following steps.

S102, the first application process requests the key management module to encrypt the first data, and the request message carries the first data.

The key management module is mainly used for performing encryption and decryption processes on specific data in each application process, creating and managing encryption and decryption keys of each group, and the like. The key management module, when running, may also be referred to as a key management process.

S103, the key management module encrypts the first data to generate second data.

Specifically, when the key management module is called by the first application process, the key management module may acquire the identifier of the caller, that is, the identifier of the first application process, based on the binder inter-process communication mechanism. The identification of the first application process may be the PID of the first application process or the UID of the first application program. Then, the key management module may determine the group corresponding to the first application process according to the identifier of the first application process, and obtain the identifier of the group corresponding to the first application process. And then, acquiring an encryption key corresponding to the first application process according to the identifier of the group corresponding to the first application process. And finally, the key management module encrypts the first data according to the acquired encryption key to obtain second data. The second data is the data after the first data is encrypted and is a ciphertext.

It should be noted that the first application process may correspond to a packet, and the packet corresponds to an encryption key, and then the first application process corresponds to an encryption key. The key management module then encrypts the first data using the one encryption key. The first application process may also correspond to a plurality of packets corresponding to a plurality of encryption keys, and the first application process then corresponds to a plurality of encryption keys. The key management module then encrypts the first data using the plurality of encryption keys. The embodiments of the present application are not limited.

It should be noted that the packet herein may also be referred to as a process packet. One or more processes running in the terminal may be grouped with respect to one or more processes. And the one or more process packets correspond to one or more encryption keys, respectively.

For example, it is assumed that the application processes running on the terminal can be divided into three process groups, namely, a process group a, a process group B, and a process group C. Then, the process group a, the process group B, and the process group C may correspond to different encryption keys, or the process group a and the process group B may correspond to one same encryption key, and the process group C may correspond to another different encryption key, or the process group a, the process group B, and the process group C may correspond to one same encryption key. The embodiment of the present application does not limit the correspondence between the process packet and the encryption key.

S104, the key management module sends the second data to the first application process.

S105, the first application process saves the second data.

Specifically, the first application process stores the second data in an encrypted storage area in the first application process. The encrypted storage area is a specific storage space in the first application process and is specially used for storing the data encrypted by the key management module.

Illustratively, as shown in fig. 3, it is a space diagram of the first application process. The space of the first application process comprises: stack (stack), heap (heap), bbs (block Started by symbol) section, data section (data segment) section, code section (code/text segment).

The BBS section, the data section and the code section all belong to static memory allocation, are used for storing codes, global variables and static variables, and have a fixed function. The stack is automatically assigned and released by the operating system, is used to deposit local variables of the first application process, and is also used to pass parameters and return values.

The heap is allocated and released by the first application process and is used for storing the memory space segment dynamically allocated in the running process of the first application process. In this embodiment of the present application, when the first application process runs for the first time, a segment of memory space may be allocated at the heap for storing the data encrypted by the key encryption module, that is, the encrypted storage area.

Therefore, in the embodiment of the application, in the running process of the first application process, the group corresponding to the first application process is determined, the encryption key corresponding to the group is obtained, the data of the first application process is encrypted by using the encryption key and stored in the specific encryption storage area, and the security of the key data of the application program is improved.

As shown in fig. 4, a flowchart of a method for processing data provided in an embodiment of the present application is provided, where the method includes a process of decrypting data, and specifically includes:

s201, the second application process requests the first application process to access third data of the first application process.

In some embodiments, the second application process needs to obtain the right to access the first application process in advance, which is shown as S201 a. Specifically, the second application process may send a request for applying for the access right to the first application process, and the first application process authorizes the second application process. Or the first application process directly authorizes the second application process and allows the second application process to access the data of the first application process. The second application process may also have a permission to access the first application process by default, which is not limited in the embodiment of the present application.

The second application process may then read the data of the first application process, including the third data. For example, the second application process may read all data in the first application process, or may read data associated with the second application process, which is not limited in the embodiment of the present application.

For example, it is assumed that the first application process is a process in a short message application, the second application process is a process in a beauty group application, and the beauty group application has an access right of the short message application. Then the mei rou application may read all the short message contents in the short message application, or the mei rou application may read the short message contents in the short message application, which are associated with the mei rou application, for example: and the American group application sends verification code information to the short message application, and the like.

S202, the first application process determines that the third data is stored in the encrypted storage area.

Specifically, the first application process determines whether the third data is stored in the encrypted storage area according to the index corresponding to the acquired third data. And if the third data is not stored in the encrypted storage area, the third data is plaintext, and the first application process sends the third data to the second application process. If the third data is stored in the encrypted storage area, the third data is a ciphertext, and the first application process further needs to decrypt the third data, that is, step S203 is executed.

S203, the first application process requests the key management module to decrypt the third data, and the request carries the identifier of the second application process and the third data.

Specifically, when the first application process is called by the second application process, the first application process may obtain an identifier of the calling program, that is, an identifier of the second application process.

S204, the key management module determines whether the second application process is in a group corresponding to the first application process according to the identifier of the second application process, and if so, executes S205; otherwise, the key management module does not decrypt the third data and directly returns the third data.

Specifically, when the key management module is called by the first application process, the key management module may obtain an identifier of the caller, that is, an identifier of the first application process. The key management module may determine, according to the identifier of the first application process, a group corresponding to the first application process and an identifier of an application program included in the group. Further, the key management module may determine whether the second application process is in the group based on the identification of the second application process. If the second application process is in the packet, the key management module decrypts the third data, i.e., performs step S205. And if the second application process is not in the group, the key management module does not decrypt the third data and directly returns the third data to the first application process. If the second application process is not in the group, the key management module may also directly reject the decryption request of the first application process for the third data, and the process is ended.

In other words, when the second application process accesses the first application process, even if the second application process has the access right, but the second application process and the first application process do not belong to the same group, the second application process cannot obtain the plaintext of the data stored in the encrypted storage area by the first application process. Therefore, if the second application process is a malicious program, even if the user is induced to authorize the second application process to access the first application process, the second application process cannot obtain the encrypted data of the first application process, and the security of the encrypted data in the first application process is improved.

S205, the key management module decrypts the third data to obtain fourth data.

Specifically, the key management module obtains a decryption key corresponding to the packet according to the packet corresponding to the first application process. And decrypting the third data by using the acquired decryption key to obtain fourth data. And the fourth data is the data decrypted by the third data and is a plaintext.

It should also be noted that the first application process may correspond to a packet, and the packet corresponds to a decryption key, and then the first application process corresponds to a decryption key. The key management module then decrypts the third data using the one decryption key. The first application process may also correspond to a plurality of packets, each of which corresponds to a decryption key, and then the first application process corresponds to a plurality of decryption keys. The key management module then decrypts the third data using the plurality of decryption keys. The embodiments of the present application are not limited.

S206, the key management module sends fourth data to the first application process.

And S207, the first application process sends fourth data to the second application process.

Therefore, in the embodiment of the present application, when the second application process needs to access the encrypted data of the first application process, the first application process needs to apply the key management module to decrypt the encrypted data. The key management module needs to determine whether the second application process is in the corresponding packet of the first application process, and if so, the key management module decrypts the encrypted data and returns the decrypted data to the first application process. Therefore, the situation that the second application process can directly read the data of the first application process after mistakenly acquiring the authority of accessing the first application process is avoided, and the safety of the data of the first application process is improved.

It should be further noted that, in this embodiment of the application, the second application process may apply for decrypting the third data from the key management module through the first application process. The second application process may also directly apply for decrypting the third data from the key management module, that is, steps S202 to S207 may be replaced with steps S301 to S305.

As shown in fig. 5, a flowchart of a data processing method provided in an embodiment of the present application is shown, where the method includes steps S201, S301 to S305, which are specifically as follows:

s301, the first application process returns the third data to the second application process.

If the third data is stored in the encrypted storage area of the first application process, and the third data is a ciphertext, the first application process needs to decrypt the third data, that is, step S302 is executed. And if the third data is stored in the non-encrypted storage area of the first application process, the third data is plaintext, namely the data to be finally acquired by the first application process.

S302, the second application process requests the key management module to decrypt the third data, and the request carries the third data and the identifier of the first application process.

It should be noted that, when the second application process is called by the first application process, the second application process may obtain an identifier of the caller, that is, an identifier of the first application process.

S303, the key management module determines whether the second application process is in the group corresponding to the first application process. If yes, go to S304; otherwise, the key management module does not decrypt the third data and directly returns the third data to the first application process.

Specifically, when the key management module is called by the second application process, the key management module may also obtain the identifier of the second application process. Then, the key management module determines the packet corresponding to the first application process and the identifier of the application process included in the packet according to the identifier of the first application process carried in the request. Further, the key management module may determine whether the second application process is in the group based on the identification of the second application process. If the second application process is in the packet, the key management module decrypts the third data, i.e. performs step S304. And if the second application process is not in the group, the key management module does not decrypt the third data and directly returns the third data to the first application process. If the second application process is not in the group, the key management module may also directly reject the decryption request of the second application process for the third data, and the process is ended.

S304, the key management module decrypts the third data to obtain fourth data.

Step S205 can be referred to in this step, and details are not repeated.

S305, the key management module sends fourth data to the second application process.

Therefore, in the embodiment of the application, after the second application process acquires the encrypted data of the first application process, the second application process can apply to the key management module for decrypting the encrypted data. The key management module needs to determine whether the second application process is in the corresponding packet of the first application process, and if so, the key management module decrypts the encrypted data and returns the decrypted data to the first application process. Therefore, the situation that the second application process can directly read the data of the first application process after mistakenly acquiring the authority of accessing the first application process is avoided, and the safety of the data of the first application process is improved.

Illustratively, as shown in fig. 6, a schematic composition diagram of a terminal provided in the embodiment of the present application is shown, where the terminal includes a plurality of application processes 601 to 604, a key management module 605, and a secure storage module 606.

The terminal groups the application processes, and the application processes in the same group use the same key to encrypt and decrypt the specific data, that is, the application processes in the same group can access the specific data mutually. The grouping method will be described in detail below. For example: application process 601 and application process 602 are the first grouped processes. Application process 603 and application process 604 are processes for the second packet.

A key management module 605, configured to perform encryption and decryption processes on specific data in each application process, create and manage encryption and decryption keys of each packet, and the like. Specifically, the key management module 605 further includes a packet management module 60501 and an encryption module 60502.

The grouping management module 60501 is configured to group application processes according to a grouping policy, where the grouping management module 60502 may automatically generate the grouping policy, or may receive a setting of a user to update the grouping policy, and the grouping policy is not limited in this application. The group management module 60502 may also request the encryption module 60502 to create a key for the group, establish a correspondence of the application with the group, and/or the key, and so on. The encryption module 60502 is configured to create a new key pair for the packet, and encrypt and decrypt data of the application process.

A secure storage module 606, configured to store the encrypted and decrypted key generated by the key management module 605, so as to ensure security of key storage.

The following explains the technical solution provided by the present application in detail by taking an example in which the data processing method provided by the present application is applied to a terminal as shown in fig. 6.

First, a grouping policy of application processes will be explained. The terminal may group the application processes according to the source, the service type, and the like of the application program corresponding to the application process.

Illustratively, the grouping policy may be grouping according to a download source of the application. In particular, applications downloaded from an application market in the terminal may be classified into one group, since the applications are audited on the shelf and can be considered trusted applications. Applications downloaded from other means, not through the application marketplace, that may be considered untrusted, may be divided into another group.

The grouping policy may also be, for example, grouping according to a specific traffic type of the application. Specifically, when the applications downloaded from the application marketplace are up-loaded, the application marketplace classifies the applications, such as: office, shopping, social, entertainment, news, etc. Then, the applications may be grouped according to the classifications, for example, the applications of the same type are divided into one group, or several types of applications are divided into one group, which is not limited in the embodiment of the present application.

It should be noted that, when the application program is downloaded by the terminal, the application market also issues the source information and the service type of the application program to the terminal, so that the terminal groups the application program according to the information, or the application market sends the classification information of the application program to the terminal. Fig. 7 is a schematic diagram illustrating the process of publishing, on-shelf auditing, classifying, and downloading an application.

In some embodiments, after an application developer or a user finds that an application program has a malicious behavior, the application program can be reported to an application market, and the application market is reviewed and regrouped again. Fig. 8 is a schematic flow chart illustrating a process of re-auditing the application for loading.

For example, the grouping policy may specify that certain applications are to be grouped into a group according to a user's setting. The grouping policy may also be a combination of the above various grouping policies, and the embodiment of the present application is not limited.

After the terminal determines the grouping strategy, the terminal groups the application programs according to the grouping strategy and determines a secret key for each group. Specifically, as shown in fig. 9, a schematic flow chart of a data processing method provided in the embodiment of the present application is shown, where the method specifically includes:

s401, after detecting that the third application program is installed, the terminal notifies the grouping management module to group the third application process corresponding to the third application program.

The third application program is a new application program which needs to be installed by the terminal, and the third application program is different from the first application program and the second application program.

It should be noted that, the terminal may also notify the group management module after detecting that the user requests to install the third application, which is not limited in the embodiment of the present application.

It should be noted that, there are two types of applications installed on the terminal, and one type is an application preset by the terminal, such as a short message application, a camera application, a browser application, and the like. The application programs can be automatically installed by triggering the terminal by the system when the terminal is started for the first time. Another category is where the user downloads the installation himself, for example: a beauty application, a pay application, etc., which are installed with a user's operation triggering terminal. In any installation mode, the terminal may notify the grouping management module after the application is installed or after the application starts to be installed.

S402, grouping the third application process according to the grouping strategy by the grouping management module.

Specifically, the group management determines a group corresponding to the third application process according to the service type of the third application process or the information such as the download source, and establishes a corresponding relationship between the identifier of the third application process and the identifier of the group, and stores the identifier of the third application process and the identifier of the group locally.

Further, if the third application process is the first installed application program in the group, the group management module requests the encryption module to create a new group key pair for the group, that is, step S403 is executed. If the third application process is not the first installed application program in the group, the group management module directly establishes a corresponding relationship between the third application process and the group and the key, that is, executes step S406.

For example, assume that the third application process is a beauty group application, and the group corresponding to the third application process is a shopping group. Then, when the installation of the beauty group application is completed or when the terminal receives a request of the user to install the beauty group application, the grouping management module is notified. The group management module divides the beauty group application into shopping groups. If the beauty group application is the first installed application within a shopping group, the encryption module is requested at the group management module to create a key pair for the shopping group. If the Mei Tuan application is not the first installed application program in the shopping group, the group management module directly establishes the corresponding relation between the Mei Tuan application and the shopping group and the key of the shopping group.

S403, the group management module sends a request to the encryption module to create a key pair for the group corresponding to the third application process.

Wherein, the request carries the identifier of the packet corresponding to the third application process.

And S403a, the encryption module creates a key pair for the group corresponding to the third application process.

S404, the encryption module stores the created key pair in the safe storage module.

For example, in the android system, the secure storage module may include a keystore (keystore) and a keymaster. Wherein, the keystore is used for storing the index of the key pair and providing an interface for other applications to use the key pair. The keymaster is used for storing the content of the key pair and encrypting and decrypting the data. Specifically, the encryption module can store the created key pair in the keymaster through the keymaster, and the storage security of the key pair can be improved because the keymaster is physically isolated from the keymaster.

S405, the encryption module returns the information of the created key pair to the grouping management module.

Wherein, the information of the key pair may include a corresponding relationship between the group identifier and the index of the key pair.

For example, the encryption module may return a correspondence between the packet identifier and the index of the key pair to the packet management module. When the encryption module needs to encrypt, the corresponding encryption key can be searched from the secure storage module according to the index of the key pair, and the searched encryption key is used for encrypting. When the encryption module needs to decrypt, the corresponding decryption key can be searched from the secure storage module according to the index of the key pair, and decryption is performed by adopting the searched decryption key.

Step S405 may also be executed before or simultaneously with step S404, and the embodiment of the present application does not limit the order relationship between steps S404 and S405.

S406, the grouping management module establishes a corresponding relation between the third application process and the grouping and key pair.

Illustratively, the grouping management module establishes a correspondence between the identifier of the third application process, the grouping identifier, and the key pair index according to a correspondence between the grouping identifier and the key pair index returned by the encryption module, and a correspondence between the identifier of the locally existing third application process and the grouping identifier.

It should be noted that if the application program in a certain group sends a change, for example, a certain application program changes from one group to another group, the group management module needs to update the correspondence between the application program and the group and the key pair.

For example, assuming that a malicious application is sent in a packet, the malicious application can be removed from the packet and switched to another packet, and the malicious application is no longer allowed to access data of other applications in the packet. Alternatively, through evaluation of the nature of the traffic, an application may be found that is not necessarily within a packet, and may be removed from the packet and switched to another packet.

Therefore, the embodiments of the present application provide a data processing method, which can group applications, create a key pair for the group, and establish a correspondence between the application and the group and the key pair, so that the applications in the same group can use the same key to perform encryption and decryption.

Further, steps S102 to S104 in the encryption process of the data are refined, and then steps S102 to S104 may be replaced by steps S501 to S507, as shown in fig. 10, the data processing method provided in the embodiment of the present application further specifically includes:

s501, the grouping management module receives first data sent by a first application process.

Specifically, the grouping management module is called by the first application process, and the grouping management module may obtain an identifier of the first application process.

S502, the grouping management module obtains an encryption key or an index of a key pair corresponding to the first application process according to the identifier of the first application process.

For example, the grouping management module searches the grouping identifier corresponding to the identifier of the first application process according to the identifier of the first application process, and further determines the encryption key or the index of the key pair corresponding to the grouping identifier according to the grouping identifier. And the index of the searched encryption key or key pair corresponds to the encryption key or key pair corresponding to the first application process.

S503, the grouping management module sends the first data and the acquired encryption key or the index of the key pair to the encryption module.

S504, the encryption module reads the encryption key corresponding to the first application process from the secure storage module according to the encryption key or the index of the key pair.

And S505, the encryption module encrypts the first data according to the acquired encryption key to obtain second data.

S506, the encryption module sends the obtained second data to the grouping management module.

And S507, the grouping management module sends the second data to the first application process.

Further, steps S203 to S206 in the decryption process of the data are refined, and then steps S203 to S206 may be replaced by steps S601 to S607, as shown in fig. 11, the data processing method provided in the embodiment of the present application further specifically includes:

s601, the first application process requests the grouping management module to decrypt the third data, and the request carries the identifier of the second application process and the third data.

S602, the grouping management module determines whether the second application process is in the grouping corresponding to the first application process according to the identification of the second application process. If yes, go to step S603. Otherwise, the packet management module does not request the encryption module to decrypt the third data, but directly returns the third data to the first application process.

Specifically, when the group management module is called by the first application process, the group management module may obtain an identifier of the caller, that is, an identifier of the first application process. The grouping management module may determine, according to the identifier of the first application process, a grouping corresponding to the first application process and an identifier of an application program included in the grouping. Further, the group management module may determine whether the second application process is in the group based on the identification of the second application process. If the second application process is in the packet, the packet management module requests the encryption module to decrypt the third data, i.e., step S603 is executed. If the second application process is not in the group, the group management module does not request the encryption module to decrypt the third data, but directly returns the third data to the first application process, and the first application process returns the third data to the second application process.

S603, the grouping management module obtains a decryption key or an index of a key pair corresponding to the first application process according to the identifier of the first application process.

For example, the grouping management module searches the grouping identifier corresponding to the identifier of the first application process according to the identifier of the first application process, and further determines the decryption key or the index of the key pair corresponding to the grouping identifier according to the grouping identifier. And the index of the searched decryption key or key pair corresponds to the encryption key or key pair corresponding to the first application process.

S604, the grouping management module sends the third data and the acquired decryption key or the index of the key pair to the encryption module.

S605, the encryption module reads the decryption key corresponding to the first application process from the secure storage module according to the decryption key or the index of the key pair.

And S606, the encryption module decrypts the third data according to the acquired decryption key to obtain fourth data.

And the fourth data is the data decrypted by the third data and is a plaintext.

And S607, the encryption module sends the obtained fourth data to the grouping management module.

And S608, the grouping management module sends the fourth data to the first application process.

It is to be understood that the above-mentioned terminal and the like include hardware structures and/or software modules corresponding to the respective functions for realizing the above-mentioned functions. Those of skill in the art will readily appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is performed as hardware or computer software drives hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present embodiments.

In the embodiment of the present application, the terminal and the like may be divided into functional modules according to the method example, for example, each functional module may be divided corresponding to each function, or two or more functions may be integrated into one processing module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. It should be noted that, the division of the modules in the embodiment of the present invention is schematic, and is only a logic function division, and there may be another division manner in actual implementation.

Fig. 12 shows a possible structure diagram of the terminal involved in the above embodiment in the case of dividing each functional module by corresponding functions. As shown in fig. 12, the terminal 1200 includes: a first application module 1201, a second application module 1202, and a key management module 1203.

Wherein the first application module 1201 is configured to support the terminal to perform S101, S102, and S105 in fig. 2, S202, S203, and S207 in fig. 4, S302 in fig. 5, S501 in fig. 10, S601 in fig. 11, and/or other processes for the techniques described herein. The second application module 1202 is used to support the terminal in performing S201a and S201 in fig. 4, and/or other processes for the techniques described herein. The key management module 1203 is configured to enable the terminal to perform S103 and S104 in fig. 2, S204-S206 in fig. 4, S303-S305 in fig. 5, S402-S406 in fig. 9, S502-S507 in fig. 10, S602-S608 in fig. 11, and/or other processes for the techniques described herein.

All relevant contents of each step related to the above method embodiment may be referred to the functional description of the corresponding functional module, and are not described herein again.

Of course, the terminal 1200 may further include a secure storage unit 1204 for storing the grouping information, the encryption key, the decryption key, and the like in the present application. The terminal 1200 may also include a communication unit for the terminal to interact with other devices. Moreover, the functions that can be specifically implemented by the above-mentioned functional units also include, but are not limited to, the functions corresponding to the method steps described in the above examples, and the detailed description of the corresponding method steps may be referred to for the detailed description of other units of the terminal 1200, which is not described herein again in this embodiment of the present application.

In the case of an integrated unit, the first application module 1201, the second application module 1202, and the key management module 1203 may be integrated together and may be a processing module of the terminal. The communication unit may be a communication module of the terminal, such as an RF circuit, a WiFi module, or a bluetooth module. The secure storage unit may be a storage module of the terminal.

Fig. 13 shows a schematic diagram of a possible structure of the terminal involved in the above embodiment. The terminal 1300 includes: a processing module 1301, a storage module 1302, and a communication module 1303. The processing module 1301 is used for controlling and managing the actions of the terminal. A storage module 1302, configured to store program codes and data of the terminal. The communication module 1303 is used for communicating with other terminals. The Processing module 1301 may be a Processor or a controller, such as a Central Processing Unit (CPU), a general purpose Processor, a Digital Signal Processor (DSP), an Application-Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, a transistor logic device, a hardware component, or any combination thereof. Which may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the disclosure. The processor may also be a combination of computing functions, e.g., comprising one or more microprocessors, DSPs, and microprocessors, among others. The communication module 1303 may be a transceiver, a transceiver circuit, a communication interface, or the like. The storage module 1302 may be a memory.

When the processing module 1301 is a processor (such as the processor 101 shown in fig. 1), the communication module 1303 is an RF transceiver circuit (such as the RF circuit 102 shown in fig. 1), and the storage module 1302 is a memory (such as the memory 103 shown in fig. 1), the terminal provided in the embodiment of the present application may be the terminal 100 shown in fig. 1. The communication module 1303 may include not only an RF circuit, but also a WiFi module and a bluetooth module. The communication modules such as the RF circuit, WiFi module, and bluetooth module may be collectively referred to as a communication interface. Wherein the processor, the communication interface, and the memory may be coupled together by a bus.

Through the above description of the embodiments, it is clear to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional modules is merely used as an example, and in practical applications, the above function distribution may be completed by different functional modules according to needs, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the above described functions. For the specific working processes of the system, the apparatus and the unit described above, reference may be made to the corresponding processes in the foregoing method embodiments, and details are not described here again.

In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules or units is only one logical division, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.

The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.

In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.

The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be substantially implemented or contributed to by the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) or a processor to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: flash memory, removable hard drive, read only memory, random access memory, magnetic or optical disk, and the like.

The above description is only an embodiment of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions within the technical scope of the present disclosure should be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims

1. A method for processing data, wherein the method is applied to a terminal, and the terminal runs a first application process, a second application process and a key management process, and the method comprises:

the second application process sends an access request to the first application process, wherein the access request is used for requesting to access third data of the first application process;

the key management process receives a decryption request requesting decryption of the third data;

if the key management process determines that the second application process is in the process group where the first application process is located according to the decryption request, the key management process decrypts the third data by using a decryption key corresponding to the process group where the first application process is located to obtain fourth data;

in response to the decryption request, the key management process returns the fourth data;

wherein the terminal has N process groups; each of the N process groups comprises at least one process, and at least one process group comprises two or more processes; wherein N is an integer greater than 1 or equal to 1; the N process groups correspond to M decryption keys, and each process group corresponds to one decryption key; wherein M is a positive integer, and N ═ M.

2. Method according to claim 1, characterized in that said key management process receives a decryption request requesting decryption of said third data, in particular

The key management process receives the decryption request sent by the first application process according to the access request;

the step of returning the fourth data by the key management process specifically includes:

the key management process returns the fourth data to the first application process;

the method further comprises the following steps:

the first application process sends the fourth data to the second application process.

3. The method according to claim 1 or 2, characterized in that the method further comprises:

if the key management process determines that the second application process is not in the process group in which the first application process is located, the key management process sends the third data to the first application process;

the first application process sends the third data to the second application process.

4. The method of claim 1, wherein after the second application process sends the access request to the first application process, before the key management process receives a decryption request requesting decryption of the third data, the method further comprising:

the second application process receives the third data sent by the first application process;

the receiving, by the key management process, a decryption request for decrypting the third data specifically includes:

the key management process receives the decryption request sent by the second application process;

the key management process returns the fourth data to the second application process.

5. The method of claim 4, further comprising:

and if the key management process determines that the second application process is not in the process group in which the first application process is located, the key management process sends the third data to the second application process.

6. The method according to claim 1, wherein before the key management process decrypts the third data using the decryption key corresponding to the process packet in which the first application process is located, so as to obtain fourth data, the method further comprises:

the key management process acquires an identifier of the first application process;

the key management process determines the identifier of the process group in which the first application process is located according to the identifier of the first application process;

and the key management process acquires a decryption key corresponding to the process group in which the first application process is located according to the identifier of the process group in which the first application process is located.

7. The method of claim 1, further comprising:

the first application process requests the key management process to encrypt first data;

the key management process determines the process group of the first application process according to the request;

the key management process encrypts the first data by using an encryption key corresponding to the process group where the first application process is located to generate second data; the N process groups correspond to M encryption keys, and each process group corresponds to an encryption key corresponding to a decryption key thereof;

the key management process sends the second data to the first application process.

8. The method of claim 7, wherein after the key management process sends the second data to the first application process, the method further comprises:

the first application process saves the second data.

9. The method of claim 8, wherein the key management process determining the process group in which the first application process is located according to the request comprises:

and the key management process acquires an encryption key corresponding to the process group in which the first application process is located according to the identifier of the process group in which the first application process is located.

10. A terminal comprising a first application module, a second application module and a key management module,

the second application program module is used for sending an access request to the first application program module, and the access request is used for requesting to access third data of the first application process;

the key management module is used for receiving a decryption request for requesting to decrypt the third data;

the key management module is further configured to decrypt the third data by using a decryption key corresponding to the process group in which the first application process is located, if the key management module determines that the second application process is in the process group in which the first application process is located according to the decryption request, so as to obtain fourth data;

the key management module is further configured to return the fourth data in response to the decryption request;

11. The terminal of claim 10,

the key management module is further configured to receive the decryption request sent by the first application module according to the access request:

the key management module is further configured to return the fourth data to the first application program module;

the first application program module is configured to send the fourth data to the second application program module.

12. The terminal according to claim 10 or 11, wherein the key management module is further configured to send the third data to the first application program module if the key management module determines that the second application process is not in the process group in which the first application process is located;

the first application program module is further configured to send the third data to the second application program module.

13. The terminal of claim 10,

the second application program module is further configured to receive the third data sent by the first application program module;

the key management module is further configured to receive the decryption request sent by the second application module;

the key management module is further configured to return the fourth data to the second application module.

14. The terminal of claim 13, wherein the key management module is further configured to send the third data to the second application program module if the key management module determines that the second application process is not in the process group in which the first application process is located.

15. The terminal of claim 10,

the key management module is further used for acquiring the identifier of the first application program module;

the key management module is further configured to determine, according to the identifier of the first application program module, an identifier of a process group in which the first application program module is located;

the key management module is further configured to obtain a decryption key corresponding to the process group in which the first application program module is located according to the identifier of the process group in which the first application program module is located.

16. The terminal of claim 10,

the first application program module is also used for requesting the key management module to encrypt first data;

the key management module is further used for determining the process group where the first application program module is located according to the request;

the key management module is further configured to encrypt the first data by using an encryption key corresponding to the process packet in which the first application module is located, so as to generate second data; the N process groups correspond to M encryption keys, and each process group corresponds to an encryption key corresponding to a decryption key thereof;

the key management module is further configured to send the second data to the first application module.

17. The terminal of claim 16,

the first application program module is further configured to store the second data.

18. The terminal of claim 17,

the key management module is further configured to obtain an encryption key corresponding to the process group in which the first application program module is located according to the identifier of the process group in which the first application program module is located.

19. A terminal, comprising: a processor, a memory and a touch screen, the memory and the touch screen being coupled to the processor, the memory for storing computer program code, the computer program code comprising computer instructions which, when read from the memory by the processor, perform a method of data processing according to any of claims 1-9.

20. A computer storage medium comprising computer instructions which, when run on a terminal, cause the terminal to perform a method of data processing according to any one of claims 1-9.