CN110674519B - Data protection method and device, electronic equipment and storage medium - Google Patents

Data protection method and device, electronic equipment and storage medium Download PDF

Info

Publication number
CN110674519B
CN110674519B CN201910916011.7A CN201910916011A CN110674519B CN 110674519 B CN110674519 B CN 110674519B CN 201910916011 A CN201910916011 A CN 201910916011A CN 110674519 B CN110674519 B CN 110674519B
Authority
CN
China
Prior art keywords
application
hosted application
target
hosted
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910916011.7A
Other languages
Chinese (zh)
Other versions
CN110674519A (en
Inventor
兰伟
孙喜堂
袁辉
孟宪伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tus Guoxin Beijing Information Technology Co ltd
Original Assignee
Tus Guoxin Beijing Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tus Guoxin Beijing Information Technology Co ltd filed Critical Tus Guoxin Beijing Information Technology Co ltd
Priority to CN201910916011.7A priority Critical patent/CN110674519B/en
Publication of CN110674519A publication Critical patent/CN110674519A/en
Application granted granted Critical
Publication of CN110674519B publication Critical patent/CN110674519B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Telephone Function (AREA)

Abstract

The embodiment of the application provides a data protection method, a data protection device, electronic equipment and a storage medium, wherein the data protection method is applied to a mobile terminal, a host application runs on the mobile terminal, a virtual security space is created for the host application, and at least one hosted application is installed in the virtual security space, and the data protection method comprises the following steps: monitoring, by the hosted application, input/output (I/O) requests of at least one hosted application; determining target data corresponding to the I/O request through the host application under the condition that the I/O request is monitored; the target data is encrypted or decrypted by the host application. According to the embodiment of the application, the data protection effect is achieved under the condition that the original structure of the application is not changed by the virtual security space without modifying the original structure of the hosted application.

Description

Data protection method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of data protection, and in particular, to a data protection method and apparatus, an electronic device, and a storage medium.
Background
Along with the rise and development of the mobile internet, the intelligent mobile terminal plays an increasingly important role in daily life and work. However, along with the interpenetration of work and life, how to protect the use of office applications and data generated by the applications by enterprise employees becomes a problem which needs to be solved urgently at present.
In daily work, the mobile terminal can copy and transmit company data randomly through modes of external USB flash disk, mobile hard disk, Bluetooth, various chat tools, mails, network disk and the like, which always causes the problem that the enterprise management layer/information security department is very painful. Especially in some confidential industries, such as government agencies, military, finance, manufacturing units, etc., once information is leaked, immeasurable and significant loss can be caused. Therefore, how to effectively manage the use of the intelligent terminal and protect the data security of the intelligent terminal is the key of the current information security management, and meanwhile, huge challenges are brought.
At present, in the use process of an application in a mobile terminal, data can be stored locally through methods such as a camera, network downloading, copying and pasting, and can be shared and issued through other applications. Moreover, in order to prevent data from being spread out or to encrypt data, a manner of integrating encryption and/or decryption SDK (Software Development Kit) is generally adopted to encrypt data stored locally, so as to prevent data from being spread out or data sharing.
In the process of implementing the present invention, the inventor finds that the data protection method by adopting the integrated SDK in the prior art can modify the structure (or code structure) of the original application.
Disclosure of Invention
An object of the embodiments of the present application is to provide a data protection method, an apparatus, an electronic device, and a storage medium, so as to achieve an effect of implementing data protection without changing an original structure of an application.
In a first aspect, an embodiment of the present application provides a data protection method, where the data protection method is applied to a mobile terminal, a host application runs on the mobile terminal, a virtual security space is created for the host application, and at least one hosted application is installed in the virtual security space, and the data protection method includes: monitoring, by the hosted application, input/output (I/O) requests of at least one hosted application; determining target data corresponding to the I/O request through the host application under the condition that the I/O request is monitored; the target data is encrypted or decrypted by the host application.
According to the embodiment of the application, the host application monitors the I/O request of at least one hosted application, and then determines the target data corresponding to the I/O request through the host application under the condition that the I/O request is monitored, and encrypts or decrypts the target data through the host application, so that the data generated by the hosted application is encrypted and isolated and protected through the virtual security space, data leakage and data random storage can be prevented, and the security of the data is further protected. And because the hosted application in the virtual security space does not need to adjust the original structure of the hosted application, the embodiment of the application can achieve the effect of realizing data protection without changing the original structure of the hosted application.
The embodiment of the application is also realized based on the virtual security space, so that the application data of the hosted application can be transparently encrypted and/or decrypted through the characteristics of the virtual security space, and the application data can be safely encrypted.
In one possible embodiment, each hosted application in the at least one hosted application corresponds to a security algorithm, and the security algorithms corresponding to different hosted applications are different, wherein each security algorithm includes a matching encryption algorithm and decryption algorithm, and the encrypting or decrypting of the target data by the hosted application includes: determining a target hosted application in at least one hosted application corresponding to the target data according to the target data by the host application; determining a target security algorithm corresponding to the target hosted application through the host application according to the target hosted application; and processing the target data by using a target security algorithm through the host application.
Therefore, in the embodiment of the application, in order to ensure the privacy of the data among different hosted applications, different security algorithms can be configured to ensure the security of the data.
In one possible embodiment, each hosted application in the at least one hosted application corresponds to a key, and the keys corresponding to different hosted applications are different, and the encrypting or decrypting the target data by the hosted application includes: determining a target hosted application in at least one hosted application corresponding to the target data according to the target data by the host application; determining a target key corresponding to the target hosted application through the host application according to the target hosted application; and processing the target data by the host application by using the target key.
Therefore, in the embodiment of the application, in order to ensure the privacy of the data, different keys can be configured between different hosted applications to ensure the security of the data.
In one possible embodiment, monitoring, by a hosted application, I/O requests of at least one hosted application includes: I/O requests of at least one hosted application are monitored by the hosted application using a hook mechanism.
Therefore, the embodiment of the application improves the efficiency of acquiring the I/O request of the hosted application through the hook mechanism.
In a second aspect, an embodiment of the present application provides a data protection device, where the data protection device is applied to a mobile terminal, a host application runs on the mobile terminal, a virtual security space is created for the host application, and at least one hosted application is installed in the virtual security space, and the data protection device includes: a monitoring module for monitoring, by the hosted application, input/output I/O requests of at least one hosted application; the determining module is used for determining target data corresponding to the I/O request through the host application under the condition that the I/O request is monitored; and the processing module is used for encrypting or decrypting the target data through the host application.
In one possible embodiment, each hosted application in the at least one hosted application corresponds to a security algorithm, and the security algorithms corresponding to different hosted applications are different, wherein each security algorithm includes a matching encryption algorithm and decryption algorithm, and the processing module includes: the first determining submodule is used for determining a target hosted application in at least one hosted application corresponding to the target data according to the target data through the host application; the second determining submodule is used for determining a target security algorithm corresponding to the target boarder application according to the target boarder application through the host application; and the first processing submodule is used for processing the target data by utilizing a target security algorithm through the host application.
In one possible embodiment, each hosted application in the at least one hosted application corresponds to a key, and the keys corresponding to different hosted applications are different, and the processing module includes: the third determining submodule is used for determining a target hosted application in at least one hosted application corresponding to the target data according to the target data through the host application; the fourth determining submodule is used for determining a target key corresponding to the target hosted application according to the target hosted application through the host application; and the second processing submodule is used for processing the target data by using the target key through the host application.
In one possible embodiment, the monitoring module is further configured to monitor, by the hosted application, the I/O request of the at least one hosted application using a hook mechanism.
In a third aspect, the present application provides an electronic device, comprising: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory communicating via the bus when the electronic device is running, the machine-readable instructions when executed by the processor performing the method of the first aspect or any of the alternative implementations of the first aspect.
In a fourth aspect, the present application provides a storage medium having stored thereon a computer program which, when executed by a processor, performs the method of the first aspect or any of the alternative implementations of the first aspect.
In a fifth aspect, the present application provides a computer program product which, when run on a computer, causes the computer to perform the method of the first aspect or any possible implementation manner of the first aspect.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a flowchart illustrating a data protection method provided in an embodiment of the present application;
fig. 2 shows a specific flowchart of a data protection method provided in an embodiment of the present application;
fig. 3 is a schematic structural diagram illustrating a data protection apparatus according to an embodiment of the present application;
fig. 4 is a block diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
In the prior art, a data protection mode by adopting an integrated SDK mode not only modifies the original application, but also has the problems that a key of an encryption algorithm and/or a decryption algorithm is easy to break, distribution is easy, the efficiency of encryption or decryption is low, and security is low.
Based on this, the embodiments of the present application provide a data protection method, an apparatus, an electronic device, and a storage medium, and since the hosted application in the virtual secure space does not need to adjust its original structure, the embodiments of the present application can achieve an effect of implementing data protection without changing the original structure of the hosted application. And the virtual security space can also encrypt and isolate the data generated by the hosted application, so that data leakage can be prevented, and the security of the data is protected.
The embodiment of the application is also realized based on the virtual security space, so that the application data of the hosted application can be transparently encrypted and/or decrypted through the characteristics of the virtual security space. And the relevant data of the hosted application is isolated from the system data of the mobile terminal, so that the relevant data of the hosted application cannot be transmitted out through other applications, and the safe storage of the data can be realized.
To facilitate understanding of the embodiments of the present application, some terms in the embodiments of the present application are first explained herein as follows:
the host application refers to the running environment of the virtual secure space. That is, the virtual secure space needs to be dependent on the host application, which is used to create the virtual secure space.
It should be understood that, in the embodiment of the present Application, the host Application may be an APP (Application, mobile phone software) (or an operating platform), and a software type of the host Application may be set according to an actual requirement, and the embodiment of the present Application is not limited to this.
For example, the host application may be chat software (such as WeChat and QQ), or may be food ordering software (such as American group takeout and hungry), or may be office software (such as video conference software).
The virtual safe space is a set of running environment established on the operating system, the virtual safe space is not a space which exists independently, but is established when the host application runs, and after the host application runs, a set of virtual running environment is established, and the virtual running environment has an independent isolation space. The characteristics of the virtual secure space are as follows:
1. the virtual secure space may support management of application lifecycle of multiple hosted applications in the virtual secure space, such as installation, running, uninstallation, without any modification. In addition, the virtual secure space also supports simultaneous installation or simultaneous uninstallation of multiple hosted applications, and the embodiments of the present application are not limited thereto.
In addition, all the Application installation packages are more or less encapsulated in a zip format, and when the Application is installed in the virtual secure space, an Application Programming Interface (API) of the system is called to obtain the analyzed Application program, so that the Application installation process of the operating system is simulated.
Furthermore, the virtual security space is provided in a proxy mode for the various services of the operating system, i.e., the virtual security space is an intermediary between hosted applications and the real operating system.
2. The isolation of data of the hosted applications is realized under the condition that a plurality of hosted applications in the virtual security space are not modified (the data generated by the hosted applications in the virtual security space cannot be accessed by the application of the operating system (or outside the virtual security space)), and the isolation is realized by the process (the data is invisible outside the virtual security space after the application in the virtual security space is installed).
That is, operations or actions within the host application are isolated from the operating system, the operating system is not visible, the operating system is only aware of such an application as the host application, but some actions within the host application are not known to the operating system.
In addition, the virtual secure space also supports simultaneous operation of multiple hosted applications, and the embodiments of the present application are not limited thereto.
3. The virtual secure space may enable data storage security (or data encryption storage) of the hosted application without any modification of the hosted application, and runtime security (process isolation) and network transmission security (transmission data encryption) of the hosted application.
Hosted applications refer to applications that can be installed in a virtual secure space.
It should be understood that the hosted application in the embodiment of the present application may be an APP, and the software type of the hosted application may be set according to actual requirements, and the embodiment of the present application is not limited thereto.
For example, the hosted application may be chat software, order software, office software, taxi software, or the like.
The HOOK (HOOK, also called HOOK) technique is also called HOOK function, which means that before the system does not call the function, the HOOK program captures the message first, the HOOK function gets control right first, and the HOOK function can process (change) the execution behavior of the function and also can forcibly end the message transfer. In short, the program call of the system is changed into the code fragment executed by the virtual safe space.
Fig. 1 shows a flowchart of a data protection method provided in an embodiment of the present application, where the data protection method may be applied to a mobile terminal, and the method shown in fig. 1 includes:
in step S110, the mobile terminal creates a virtual secure space through the host application.
It should be understood that the mobile terminal may be a mobile phone, a tablet computer, or a laptop computer. That is, the specific device type of the mobile terminal may be set according to actual requirements, and the embodiment of the present application is not limited thereto.
It should also be understood that a virtual secure space may also be referred to as a virtual space, which may also be referred to as a secure virtual space, which may also be referred to as a virtual secure storage space.
In other words, the name of the virtual secure space may be changed according to actual requirements, as long as the virtual secure space is ensured to have the function of the virtual secure space in the embodiment of the present application, and the embodiment of the present application is not limited thereto.
It should also be understood that one mobile terminal may be provided with one host application or multiple host applications, and correspondingly, one mobile terminal may also be provided with multiple virtual security spaces, and after a user displays an interface of a certain host application by operating the mobile terminal, the mobile terminal may run or create a corresponding virtual security space through the host application, which is not limited in this embodiment of the present application.
Specifically, a host application may be run on the mobile terminal, and in the process of running the host application, the host application may create a virtual secure space.
And step S120, the mobile terminal installs at least one hosted application in the virtual security space through the hosted application.
It should be understood that the installation of the hosted application is achieved by loading a software installation package into the virtual secure space and by implementing the installation of the hosted application by the software installation package, and the application is not described in detail herein.
It should be noted that the hosted application of the virtual secure space in the embodiment of the present application does not need to be modified, so that the effects of data security isolation and secure storage are achieved through the virtual secure space, which is obviously different from the need of modifying the application in the data protection method in the prior art.
Specifically, after the virtual secure space is created, the mobile terminal may perform installation of the hosted application in the virtual secure space through the hosted application. Furthermore, in the case of a hosted application installed in the virtual secure space, data generated using the hosted application or hosted application may subsequently be protected by the virtual secure space.
Step S130, the mobile terminal monitors an I/O (Input/Output) request of at least one hosted application through the hosted application.
It should be noted that the I/O request of at least one hosted application may be at least one request of one hosted application, or may be an I/O request of each hosted application in a plurality of hosted applications, and the embodiment of the present application is not limited thereto.
It should be understood that the manner in which the mobile terminal monitors the I/O request of the hosted application through the hosted application may be set according to actual requirements, as long as it is ensured that the I/O request of the hosted application can be monitored, and the embodiment of the present application is not limited thereto.
For example, the mobile terminal may monitor the I/O request of at least one hosted application by the hosting application using a hook mechanism, thereby improving the efficiency of obtaining the I/O request of the hosted application through the hook mechanism.
In addition, messages of a single process may be intercepted through a hook mechanism, and messages of all processes may also be intercepted, which is not limited in this embodiment of the application.
Step S140, in case of monitoring the I/O request, the mobile terminal determines target data corresponding to the I/O request through the host application.
It should be understood that where the I/O request is an input request, the target data may be first data to be written into the virtual secure space, and the first data may be data outside of the virtual secure space. And in the case that the I/O request is an output request, the target data may be second data to be read out from the virtual secure space, and the second data may be data within the virtual secure space. That is, the target data is I/O data.
Specifically, when the I/O request is monitored, the mobile terminal may search for target data corresponding to the I/O request through the host application. The target data may be the first data or the second data, and the embodiment of the application is not limited thereto.
And step S150, the mobile terminal encrypts or decrypts the target data through the host application.
It should be understood that, in the case that the target data is the first data, the mobile terminal encrypts the first data through the host application, so that the secure storage of the data can be realized. And under the condition that the target data is the second data, the mobile terminal decrypts the second data through the host application, so that the data in the virtual secure space can be read.
It should also be understood that the manner in which the mobile terminal encrypts or decrypts the target data may be set according to actual requirements, as long as it is ensured that encryption and decryption of the target data can be achieved, and the embodiment of the present application is not limited to this.
In order to facilitate understanding of the embodiments of the present application, the following description will be given by way of specific examples.
Optionally, each hosted application in the at least one hosted application corresponds to a security algorithm, and the security algorithms corresponding to different hosted applications are different, where each security algorithm includes a matching encryption algorithm and decryption algorithm, and the encrypting or decrypting the target data by the hosted application includes: determining a target hosted application in at least one hosted application corresponding to the target data according to the target data by the host application; determining a target security algorithm corresponding to the target hosted application through the host application according to the target hosted application; and processing the target data by using a target security algorithm through the host application.
It should be understood that the mating encryption and decryption algorithms may be the same algorithm. And the matched encryption algorithm and decryption algorithm may select a specific type of algorithm according to actual requirements, which is not limited in this embodiment of the application.
For example, the matched Encryption algorithm and decryption algorithm may be an Advanced Encryption Standard (AES) algorithm, or a symmetric Encryption algorithm such as Data Encryption Standard (DES), so that Data can be stored in a protective manner.
It should also be understood that processing the target data may be encrypting the target data or may also be decrypting the target data.
Specifically, the mobile terminal may encrypt or decrypt the target data using a security algorithm during the operation of the hosted application, thereby achieving the purpose of protecting the data. After the mobile terminal determines the target data, the mobile terminal may determine a target hosted application corresponding to the target data (e.g., the target data is data corresponding to a certain chat software). Due to the fact that the security algorithms corresponding to different hosted applications are different, the mobile terminal can determine the target security algorithm corresponding to the target hosted application through the file recorded with the one-to-one mapping relation of the hosted applications and the security algorithms. Thus, the mobile terminal processes the target data by the hosted application using the target security algorithm.
Therefore, according to the embodiment of the application, in order to guarantee the privacy of the data among different hosted applications, different security algorithms can be configured to guarantee the security of the data, and the application data can be prevented from being leaked.
That is, the security algorithms corresponding to different hosted applications in the embodiment of the present application may be different, so that leakage of application data can be prevented.
In addition, although the description is given by taking an example in which different hosted applications have different security algorithms, it should be understood by those skilled in the art that different hosted applications may have the same security algorithms, and the embodiments of the present application are not limited thereto.
Optionally, each hosted application in the at least one hosted application corresponds to a key, and the keys corresponding to different hosted applications are different, and the encrypting or decrypting the target data by the hosted application includes: determining a target hosted application in at least one hosted application corresponding to the target data according to the target data by the host application; determining a target key corresponding to the target hosted application through the host application according to the target hosted application; and processing the target data by the host application by using the target key.
It should be understood that the keys may be different keys of the same algorithm, and may also be different keys of different algorithms, and the embodiments of the present application are not limited thereto.
Specifically, the mobile terminal may encrypt or decrypt the target data with the corresponding key during the running of the hosted application, thereby achieving the purpose of protecting the data. After the mobile terminal determines the target data, the mobile terminal may determine a target hosted application corresponding to the target data. Due to the fact that keys corresponding to different hosted applications are different, the mobile terminal can determine the target key corresponding to the target hosted application through the file recorded with the one-to-one mapping relation of the hosted applications and the keys. Thus, the mobile terminal processes the target data by the hosted application using the target key.
In addition, although the description is given by taking an example in which different hosted applications have different keys, it should be understood by those skilled in the art that different hosted applications may have the same key, and the embodiments of the present application are not limited thereto.
Therefore, in the embodiment of the application, in order to ensure the privacy of the data, different keys can be configured between different hosted applications to ensure the security of the data.
That is, the keys corresponding to different hosted applications in the embodiment of the present application may be different, so that the leakage of application data can be prevented.
In summary, in the embodiment of the present application, the host application monitors the I/O request of at least one hosted application, and then determines, when the I/O request is monitored, target data corresponding to the I/O request through the host application, and encrypts or decrypts the target data through the host application, so that data generated by the hosted application is encrypted and isolated and protected through the virtual secure space, thereby preventing data leakage and data from being stored arbitrarily, and further protecting the security of the data. And because the hosted application in the virtual security space does not need to adjust the original structure of the hosted application, the embodiment of the application can achieve the effect of realizing data protection without changing the original structure of the hosted application.
The embodiment of the application is realized based on the virtual security space, so that the application data of the hosted application can be transparently encrypted and/or decrypted through the characteristics of the virtual security space, and the application data can be safely encrypted. And the application data is isolated from the system data of the mobile terminal, so that the application data cannot be spread out through other applications, and the safe storage of the data can be realized.
In order to facilitate understanding of the embodiments of the present application, the following description will be given by way of specific examples.
Fig. 2 shows a specific flowchart of a data protection method provided in an embodiment of the present application, where the method shown in fig. 2 includes:
step S210, install the hosted application in the virtual secure space.
Step S220, run the hosted application in the virtual secure space.
Step S230, during the operation of the hosted application, the dynamic HOOK application operates, and when a file is written or read, the data is encrypted or decrypted by using a dynamic encryption and decryption technique in cooperation with a security algorithm.
And step S240, performing protective storage on the data.
It is to be understood that the above-described data protection method is merely exemplary, and those skilled in the art can make various modifications according to the above-described method. For example, while the operations of the method of the invention are depicted in the drawings in a particular order, this does not require or imply that the operations must be performed in this particular order, or that all of the illustrated operations must be performed, to achieve desirable results. Rather, the steps depicted in the flowcharts may change the order of execution. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions.
Referring to fig. 3, fig. 3 shows a schematic structural diagram of a data protection apparatus 300 provided in an embodiment of the present application, it should be understood that the apparatus 300 corresponds to the method embodiment of fig. 1 or fig. 2, and is capable of performing various steps related to the method embodiment, and specific functions of the apparatus 300 may be referred to the description above, and detailed descriptions are appropriately omitted herein to avoid repetition. The device 300 includes at least one software functional module that can be stored in a memory in the form of software or firmware (firmware) or solidified in an Operating System (OS) of the device 300. Specifically, the apparatus 300 includes: a monitoring module 310 for monitoring, by the hosted application, the I/O requests of the at least one hosted application; a determining module 320, configured to determine, by the host application, target data corresponding to the I/O request when the I/O request is monitored; and the processing module 330 is configured to encrypt or decrypt the target data by the host application.
In one possible embodiment, each hosted application in the at least one hosted application corresponds to a security algorithm, and the security algorithms corresponding to different hosted applications are different, wherein each security algorithm includes a matching encryption algorithm and decryption algorithm, and the processing module 330 includes: a first determining submodule (not shown) for determining, by the host application, a target hosted application of the at least one hosted application corresponding to the target data, based on the target data; a second determining submodule (not shown) for determining, by the hosting application, a target security algorithm corresponding to the target hosted application, based on the target hosted application; a first processing sub-module (not shown) for processing the target data by the host application using the target security algorithm.
In a possible embodiment, each hosted application in the at least one hosted application corresponds to a key, and the keys corresponding to different hosted applications are different, and the processing module 330 includes: a third determining submodule (not shown) for determining, by the host application, a target hosted application of the at least one hosted application corresponding to the target data according to the target data; a fourth determining submodule (not shown) for determining, by the host application, a target key corresponding to the target hosted application according to the target hosted application; and a second processing sub-module (not shown) for processing the target data by the host application using the target key.
In one possible embodiment, the monitoring module 310 is further configured to monitor the I/O request of the at least one hosted application by the hosted application using a hook mechanism.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working process of the apparatus described above may refer to the corresponding process in the foregoing method, and will not be described in too much detail herein.
Fig. 4 is a block diagram of an electronic device 400 according to an embodiment of the present disclosure, as shown in fig. 4. Electronic device 400 may include a processor 410, a communication interface 420, a memory 430, and at least one communication bus 440. Wherein the communication bus 440 is used to enable direct connection communication of these components. In this embodiment, the communication interface 420 of the device in this application is used for performing signaling or data communication with other node devices. The processor 410 may be an integrated circuit chip having signal processing capabilities. The Processor 410 may be a general-purpose Processor, and includes a Central Processing Unit (CPU), a Network Processor (NP), and the like; but may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), an off-the-shelf programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components. The various methods, steps, and logic blocks disclosed in the embodiments of the present application may be implemented or performed. A general purpose processor may be a microprocessor or the processor 410 may be any conventional processor or the like.
The Memory 430 may be, but is not limited to, a Random Access Memory (RAM), a Read Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Read-Only Memory (EPROM), an electrically Erasable Read-Only Memory (EEPROM), and the like. The memory 430 stores computer readable instructions, and when the computer readable instructions are executed by the processor 410, the electronic device 400 may perform the steps of the method embodiments of fig. 1-2.
The electronic device 400 may further include a memory controller, an input-output unit, an audio unit, and a display unit.
The memory 430, the memory controller, the processor 410, the peripheral interface, the input/output unit, the audio unit, and the display unit are electrically connected to each other directly or indirectly to realize data transmission or interaction. For example, these components may be electrically coupled to each other via one or more communication buses 440. The processor 410 is used to execute executable modules stored in the memory 430, such as software functional modules or computer programs included in the electronic device 400.
The input and output unit is used for providing input data for a user to realize the interaction of the user and the server (or the local terminal). The input/output unit may be, but is not limited to, a mouse, a keyboard, and the like.
The audio unit provides an audio interface to the user, which may include one or more microphones, one or more speakers, and audio circuitry.
The display unit provides an interactive interface (e.g. a user interface) between the electronic device and a user or for displaying image data to a user reference. In this embodiment, the display unit may be a liquid crystal display or a touch display. In the case of a touch display, the display can be a capacitive touch screen or a resistive touch screen, which supports single-point and multi-point touch operations. The support of single-point and multi-point touch operations means that the touch display can sense touch operations simultaneously generated from one or more positions on the touch display, and the sensed touch operations are sent to the processor for calculation and processing.
It will be appreciated that the configuration shown in fig. 4 is merely illustrative and that the electronic device 400 may include more or fewer components than shown in fig. 4 or may have a different configuration than shown in fig. 4. The components shown in fig. 4 may be implemented in hardware, software, or a combination thereof.
The present application provides a storage medium having a computer program stored thereon, which when executed by a processor performs the method of any of the alternative implementations of fig. 1 or fig. 2.
The present application also provides a computer program product which, when run on a computer, causes the computer to perform the method of the method embodiments.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the system described above may refer to the corresponding process in the foregoing method, and will not be described in too much detail herein.
It should be noted that, in the present specification, the embodiments are all described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other. For the device-like embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes. It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A data protection method applied to a mobile terminal, wherein a hosted application runs on the mobile terminal, a virtual secure space is created for the hosted application, at least one hosted application is installed in the virtual secure space, the virtual secure space supports installation, running, and uninstallation of each hosted application of the at least one hosted application without modification, and the virtual secure space is an intermediary between the at least one hosted application and a real operating system, the data protection method comprising:
monitoring, by the host application, input/output (I/O) requests of the at least one hosted application;
determining, by the host application, target data corresponding to the I/O request under the condition that the I/O request is monitored;
and encrypting or decrypting the target data through the host application.
2. The method of claim 1, wherein each hosted application of the at least one hosted application corresponds to a security algorithm, and the security algorithms of different hosted applications are different, wherein each security algorithm comprises a complementary encryption algorithm and decryption algorithm, and wherein the encrypting or decrypting the target data by the hosted application comprises:
determining, by the host application, a target hosted application of the at least one hosted application corresponding to the target data according to the target data;
determining a target security algorithm corresponding to the target hosted application according to the target hosted application by the host application;
and processing the target data by the host application by using the target security algorithm.
3. The method of claim 1, wherein each hosted application of the at least one hosted application corresponds to a key, and wherein the keys for different hosted applications are different, and wherein the encrypting or decrypting the target data by the hosted application comprises:
determining, by the host application, a target hosted application of the at least one hosted application corresponding to the target data according to the target data;
determining a target key corresponding to the target hosted application by the host application according to the target hosted application;
and processing the target data by the host application by using the target key.
4. The data protection method of claim 1, wherein said monitoring, by said hosted application, I/O requests of said at least one hosted application comprises:
monitoring, by the hosted application, the I/O request of the at least one hosted application using a hook mechanism.
5. A data protection apparatus applied to a mobile terminal, a hosted application running on the mobile terminal, a virtual secure space created by the hosted application and installed with at least one hosted application, the virtual secure space supporting installation, running and uninstallation of each hosted application of the at least one hosted application without modification, and the virtual secure space being an intermediary between the at least one hosted application and a real operating system, the data protection apparatus comprising:
a monitoring module for monitoring, by the hosted application, input/output I/O requests of the at least one hosted application;
the determining module is used for determining target data corresponding to the I/O request through the host application under the condition that the I/O request is monitored;
and the processing module is used for encrypting or decrypting the target data through the host application.
6. The data protection device of claim 5, wherein each hosted application of said at least one hosted application corresponds to a security algorithm, and wherein the security algorithms of different hosted applications are different, wherein each security algorithm comprises a complementary encryption algorithm and decryption algorithm, and wherein said processing module comprises:
a first determining submodule, configured to determine, by the host application according to the target data, a target hosted application of the at least one hosted application corresponding to the target data;
a second determining submodule, configured to determine, by the host application according to the target hosted application, a target security algorithm corresponding to the target hosted application;
and the first processing submodule is used for processing the target data by utilizing the target security algorithm through the host application.
7. The data protection apparatus of claim 5, wherein each of the at least one hosted application corresponds to a key, and wherein the keys for different hosted applications are different, the processing module comprising:
a third determining submodule, configured to determine, by the host application according to the target data, a target hosted application of the at least one hosted application corresponding to the target data;
a fourth determining submodule, configured to determine, by the host application according to the target hosted application, a target key corresponding to the target hosted application;
and the second processing submodule is used for processing the target data by using the target key through the host application.
8. The data protection device of claim 5, wherein the monitoring module is further configured to monitor the I/O request of the at least one hosted application by the hosted application using a hooking mechanism.
9. An electronic device, comprising: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory communicating over the bus when the electronic device is operating, the machine-readable instructions when executed by the processor performing the data protection method of any of claims 1 to 4.
10. A storage medium, having stored thereon a computer program which, when executed by a processor, performs a method of data protection as claimed in any one of claims 1 to 4.
CN201910916011.7A 2019-09-25 2019-09-25 Data protection method and device, electronic equipment and storage medium Active CN110674519B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910916011.7A CN110674519B (en) 2019-09-25 2019-09-25 Data protection method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910916011.7A CN110674519B (en) 2019-09-25 2019-09-25 Data protection method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN110674519A CN110674519A (en) 2020-01-10
CN110674519B true CN110674519B (en) 2021-01-26

Family

ID=69079194

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910916011.7A Active CN110674519B (en) 2019-09-25 2019-09-25 Data protection method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN110674519B (en)

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109670332A (en) * 2017-10-13 2019-04-23 哈尔滨安天科技股份有限公司 Using data guard method, device and its equipment
CN107958160A (en) * 2017-11-29 2018-04-24 山东渔翁信息技术股份有限公司 APP data guard methods, equipment, mobile terminal and computer-readable recording medium
CN108897604A (en) * 2018-07-03 2018-11-27 北京思空科技有限公司 A kind of intruding detection system, device and method, computer readable storage medium

Also Published As

Publication number Publication date
CN110674519A (en) 2020-01-10

Similar Documents

Publication Publication Date Title
CN108632284B (en) User data authorization method, medium, device and computing equipment based on block chain
US10708051B2 (en) Controlled access to data in a sandboxed environment
CN111539813B (en) Method, device, equipment and system for backtracking processing of business behaviors
WO2019105290A1 (en) Data processing method, and application method and apparatus of trusted user interface resource data
EP3380979B1 (en) Systems and methods for detecting sensitive information leakage while preserving privacy
US9258122B1 (en) Systems and methods for securing data at third-party storage services
US10650077B2 (en) Providing secure storage of content and controlling content usage by social media applications
US10157290B1 (en) Systems and methods for encrypting files
CN107733639B (en) Key management method, device and readable storage medium
EP2616981A1 (en) Method and system for data security in a cloud computing environment
US11216576B1 (en) Systems, methods, and computer-readable media for utilizing anonymous sharding techniques to protect distributed data
US10511578B2 (en) Technologies for secure content display with panel self-refresh
US10762231B2 (en) Protecting screenshots of applications executing in a protected workspace container provided in a mobile device
CN111132150A (en) Method and device for protecting data, storage medium and electronic equipment
CN111611606B (en) File encryption and decryption method and device
CN110674519B (en) Data protection method and device, electronic equipment and storage medium
KR102368208B1 (en) File leakage prevention based on security file system and commonly used file access interface
CN109995534B (en) Method and device for carrying out security authentication on application program
WO2019134278A1 (en) Chat encryption method and apparatus, chat decryption method and apparatus, electronic terminal and readable storage medium
US11265156B2 (en) Secrets management using key agreement
KR101596479B1 (en) Secure chat method using distributed key exchange protocol and self-defense security
US9537842B2 (en) Secondary communications channel facilitating document security
US11216565B1 (en) Systems and methods for selectively encrypting controlled information for viewing by an augmented reality device
US10044685B2 (en) Securing enterprise data on mobile devices
CN113297605B (en) Copy data management method, apparatus, electronic device, and computer readable medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant