CN111523114A - Mobile service application data anti-disclosure system based on security sandbox technology
- Publication number
- CN111523114A
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/556—Detecting local intrusion or implementing counter-measures involving covert channels, i.e. data leakage between processes
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a mobile service application data anti-leakage system based on security sandbox technology, comprising a server side and a user side. The server side mainly comprises a control Server and a Wrapping Server, which respectively implement application encapsulation and enablement and push different security policies as needed, so as to prevent leakage of mobile application data. The user side comprises an Engine SDK shell file and a VSA SDK shell file. The VSA SDK shell file is the sandbox SDK shell file and flexibly implements security policy functions such as permission policy configuration for the behaviors and data of the packaged application, or audit data management. The Engine SDK shell file is the policy control engine and is responsible for actually carrying out the security policies of the VSA SDK shell file. Once the user side uses the newly encapsulated VSA application, it automatically obtains data leakage protection, which strengthens data protection and raises the level of information security.
Description
Technical Field
The invention relates to the field of information technology and security, and in particular to a mobile service application data anti-leakage system based on security sandbox technology.
Background
The mobile applications of State Grid Liaoning Province Power Company Limited are used across many specialties, such as marketing, equipment, safety supervision and materials, and have improved the working efficiency and quality of company employees. Liaoning's mobile applications fall into two major types, intranet mobile applications and extranet mobile applications: the intranet applications are provided in Android versions, and the extranet applications are provided in both Android and iOS versions. Intranet mobile applications run mainly on intranet mobile terminals, use the wireless public network and the power wireless private network as network channels, and access the company information intranet through an intranet security access platform. Extranet mobile applications run mainly on personal smartphones, use the Internet as the network channel, access the company information extranet through an extranet security access platform, and exchange specific data with the information intranet through an isolation device. Because part of the company's business is completed on personal smartphones, there are potential safety hazards that constitute a risk point for data leakage, and many problems arise in mobile application development, mobile device distribution and mobile business development. Examples include mobile device adaptation, mobile asset management, the promotion of mobile services, and how to achieve a smooth transition of software and hardware given the fast pace of mobile technology updates.
Security sandbox, or Virtual Security Area (VSA): a technology, implemented at the bottom layer of the system, that provides security protection for mobile applications. Without obtaining the application's source code and without requiring Root permission, it adds a shell file to the application to establish an independent, secure virtual system and builds a bridge between the application and the system, so that application permissions, user behavior and the like can be managed and protected comprehensively.
The invention studies mobile application sandbox technology and mobile application data anti-disclosure technology. Important mobile applications are released through the mobile application security sandbox and brought under unified management, which achieves management of the whole life cycle of mobile terminals and mobile applications, strengthens the security management of the company's mobile devices and mobile applications, and raises the company's level of information security management.
Disclosure of Invention
To address the above problems, the invention provides a mobile service application data anti-disclosure system that applies sandbox technology. It releases important mobile applications through a mobile application security sandbox, brings them under unified management, and strengthens the security management of the company's mobile devices and mobile applications.
To achieve the above object, the present invention provides a mobile service application data anti-disclosure system based on security sandbox technology, comprising a server side and a user side. The server side comprises a Wrapping Server and a management and control Server. The Wrapping Server is a web-side management background that packages the original applications uploaded to it into VSA applications. The management and control Server is also a web-side management background; it manages the management and control APP and the VSA SDK shell files on the client side and pushes the security policies required by the user to the management and control APP and the VSA SDK shell files. The user side comprises an Engine SDK shell file and a VSA SDK shell file. The VSA SDK shell file is the sandbox SDK shell file and implements security policy functions such as permission policy configuration for the behaviors and data of the packaged application, or audit data management. The Engine SDK shell file is the policy control engine and is responsible for actually carrying out the security policies of the VSA SDK shell file.
In a preferred mode, the VSA SDK shell file is integrated by a management and control APP client that is independent of the VSA applications; the management and control APP manages the security policies of all VSA applications and pushes them to the VSA applications through the VSA SDK shell file. If the management and control APP client is not installed on the mobile phone, the management and control Server directly implants the VSA SDK shell file into the VSA application for packaging, according to the security policy information set by the user.
In a preferred mode, the security policies include dynamic watermarking, prohibition of copy and paste, prohibition of sharing, prohibition of calls to non-secure applications, and data encryption and decryption.
In a preferred mode, when a VSA application is started, the Engine SDK shell file is initialized first; the Engine SDK shell file then loads the security policy of the VSA SDK shell file and implements it.
The beneficial effects of the invention are as follows: without changing the user's habits, the mobile application is enabled through configuration and a security policy is implanted, so that data leakage prevention is achieved in a way the user does not notice. Once the user's mobile terminal uses the packaged VSA application, it automatically obtains data leakage protection, which strengthens data protection and raises the level of information security.
Drawings
FIG. 1 is the working principle of a security sandbox;
FIG. 2 is the overall architecture of the present invention;
FIG. 3 is a protected mobile application runtime diagram;
FIG. 4 is a table of pre-made security policies for mobile application data leakage prevention;
FIG. 5 is a logic block diagram of Android system security policy watermarking;
FIG. 6 is a logic block diagram of iOS system security policy watermarking;
FIG. 7 is the mobile application secure enablement workflow of the present invention.
Detailed Description
As shown in FIG. 1, the security sandbox serves as an independent logical storage space that separates enterprise applications and their storage area on the device from personal ones and restricts data exchange between the two, thereby strengthening the data security of enterprise applications. The security sandbox is a logical concept that helps the end user understand a set of security functions and learn to use them.
Because operating systems differ and the methods implemented on each platform differ, the operations vary slightly. The security sandbox can provide multiple layers of password protection and data encryption. For example, when any APP inside the security sandbox is used, a second layer of password authentication can be performed, while all data entering the sandbox is stored encrypted.
Remote erasure can be performed when a device is lost, an employee leaves, a leak occurs, or data is not legally authorized. At the same time, for the sake of the user's personal privacy, deleting personal data such as personal photos, short messages and address lists is prohibited during erasure.
As shown in FIG. 2, the mobile service application data anti-disclosure system based on security sandbox technology wraps the original application in a shell and pushes the security policy to generate a new VSA application. It comprises a server side and a user side. The server side comprises a Wrapping Server and a management and control Server. The Wrapping Server is a web-side management background that packages the original applications uploaded to it into VSA applications. The management and control Server is also a web-side management background; it manages the management and control APP and the VSA SDK shell files on the client side and pushes the security policies required by the user to the management and control APP and the VSA SDK shell files. The user side comprises an Engine SDK shell file and a VSA SDK shell file. The VSA SDK shell file is the sandbox SDK shell file and implements security policy functions such as permission policy configuration for the behaviors and data of the packaged application, or audit data management. The Engine SDK shell file is the policy control engine and is responsible for actually carrying out the security policies of the VSA SDK shell file.
The Engine SDK shell file integrates a shell application program that communicates with the operating system. It can communicate with the management and control APP to obtain a security policy, or the security policy can be built directly into the Engine SDK shell file. Integration with the application is completed by the Wrapping Server, in the following steps: analyze the application program -> generate a shell file -> integrate it with the application program -> output the application program. The VSA SDK shell file is a relatively independent SDK toolkit responsible for sandboxing the APP; it comprises application program reverse synthesis, an on-disk data encryption module, a built-in isolation and interception function, and a reconstruction application guide device.
As shown in FIG. 3, when the VSA application is started, the Engine SDK shell file is initialized first; the Engine SDK shell file then loads the security policy of the VSA SDK shell file and implements it. In other words, when an application that has been processed into a VSA application starts, the engine is initialized, the policy module is loaded, and a virtual running space is added to the application. For example, when text is copied and pasted in the application, the operating system has to call an interface of the application program; the application decides, according to the configured security policy, whether to intercept the operation and therefore whether the operation can be executed.
The VSA SDK shell file is integrated by a management and control APP client that is independent of the VSA applications; the management and control APP manages the security policies of all VSA applications and pushes them to the VSA applications through the VSA SDK shell file. If the management and control APP client is not installed on the mobile phone, the management and control Server directly implants the VSA SDK shell file into the VSA application for packaging, according to the security policy information set by the user; in that case, the security policy can only be changed by upgrading the application version.
As shown in FIG. 4, the security policies include dynamic watermarking, prohibition of copy and paste, prohibition of sharing, prohibition of calls to non-secure applications, and data encryption and decryption.
As shown in FIG. 5, on the Android system: the application opens a window, and the type of the window is checked to determine whether to apply a watermark; if the window is of a type that requires processing, the watermark is added. As shown in FIG. 6, on the iOS system: the watermark is applied to the application's start window.
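The policy loading and interception behaviour described above can be modelled in a few lines; this is an added example, not code from the patent or from any product. The policy key names, the application identifiers, the window type names and the fail-closed handling of invalid policies and unknown operations are all assumptions of this sketch.

```python
from dataclasses import dataclass, field

# Hypothetical policy keys, one per policy named in the description.
POLICY_KEYS = ("dynamic_watermark", "forbid_copy_paste", "forbid_share",
               "forbid_nonsecure_calls", "encrypt_data")
DENY_ALL = {key: True for key in POLICY_KEYS}   # most restrictive setting

# Constructed sample: the policy packaged into the VSA application.
BUILT_IN = {"dynamic_watermark": True, "forbid_copy_paste": True,
            "forbid_share": True, "forbid_nonsecure_calls": True,
            "encrypt_data": True}
# Constructed sample: a policy pushed later by the management and control APP.
PUSHED = dict(BUILT_IN, forbid_copy_paste=False)


def validate(policy):
    """True only for a dict holding exactly the known keys with bool values."""
    return (isinstance(policy, dict) and set(policy) == set(POLICY_KEYS)
            and all(type(policy[k]) is bool for k in POLICY_KEYS))


def load_policy(built_in, pushed=None, management_app_installed=False):
    """Choose the policy to enforce at start-up and report its source."""
    # A pushed policy only applies when the management and control APP exists.
    if management_app_installed and validate(pushed):
        return dict(pushed), "pushed"
    # Otherwise only the policy built into the package is available.
    if validate(built_in):
        return dict(built_in), "built-in"
    return dict(DENY_ALL), "deny-all"    # assumption: fail closed


@dataclass
class PolicyEngine:
    policy: dict
    secure_apps: frozenset            # applications treated as secure
    platform: str                     # "android" or "ios"
    # Hypothetical window types that receive a watermark on Android.
    watermark_windows: frozenset = frozenset({"activity", "dialog"})
    audit: list = field(default_factory=list)

    def intercept(self, operation, target=None):
        """Return True when the operation must be blocked; log every decision."""
        p = self.policy
        if operation == "copy_paste":
            blocked = p["forbid_copy_paste"]
        elif operation == "share":
            blocked = p["forbid_share"]
        elif operation == "call_app":
            blocked = (p["forbid_nonsecure_calls"]
                       and target not in self.secure_apps)
        else:
            blocked = True            # unknown operation: block (assumption)
        self.audit.append((operation, target,
                           "blocked" if blocked else "allowed"))
        return blocked

    def needs_watermark(self, window_type, is_launch_window=False):
        """Android decides per window type; iOS marks the start window."""
        if not self.policy["dynamic_watermark"]:
            return False
        if self.platform == "android":
            return window_type in self.watermark_windows
        return is_launch_window


if __name__ == "__main__":
    policy, source = load_policy(BUILT_IN, PUSHED, management_app_installed=True)
    engine = PolicyEngine(policy, frozenset({"com.example.mail"}), "android")
    print(source, engine.intercept("copy_paste"), engine.intercept("share"))
```

Without the management and control APP, `load_policy` can only return the built-in policy, which mirrors the statement that such a package changes policy only through an application upgrade.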
As shown in FIG. 7, a new signature is generally generated during packaging to distinguish different applications. An administrator uploads an application program through the Wrapping Server, sets a security policy, and receives a new application program as output. The new application program contains the original application together with the built-in sandbox SDK and policy control engine, which completes the encapsulation and enablement of the application program.
The above is only the preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto; anything a person skilled in the art arrives at within the technical scope of the present invention, according to its technical solutions and inventive concept, shall be covered by the scope of protection of the present invention.
Claims (4)
1. A mobile service application data anti-disclosure system based on security sandbox technology, the system comprising a server side and a user side; the server side comprises a Wrapping Server and a management and control Server, wherein the Wrapping Server is a web-side management background that packages the original applications uploaded to it into VSA applications, and the management and control Server is a web-side management background that manages the management and control APP and the VSA SDK shell files on the client side and pushes the security policies required by the user to the management and control APP and the VSA SDK shell files; the user side comprises an Engine SDK shell file and a VSA SDK shell file, wherein the VSA SDK shell file is a sandbox SDK shell file that implements security policy functions of permission policy configuration for the behaviors and data of the packaged application, or audit data management, and the Engine SDK shell file is a policy control engine responsible for actually carrying out the security policies of the VSA SDK shell file.
2. The mobile service application data anti-disclosure system based on security sandbox technology of claim 1, wherein the VSA SDK shell file is integrated by a management and control APP client independent of the VSA applications, and the management and control APP manages the security policies of all VSA applications and pushes them to the VSA applications through the VSA SDK shell file; and if the management and control APP client is not installed on the mobile phone, the management and control Server directly implants the VSA SDK shell file into the VSA application for packaging according to the security policy information set by the user.
3. The mobile service application data anti-disclosure system based on security sandbox technology of claim 1, wherein the security policies include dynamic watermarking, prohibition of copy and paste, prohibition of sharing, prohibition of calls to non-secure applications, and data encryption and decryption.
4. The system of claim 1, wherein when a VSA application starts, the Engine SDK shell file is initialized first, and the Engine SDK shell file then loads the security policy of the VSA SDK shell file and implements it.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010164986.1A CN111523114A (en) | 2020-03-11 | 2020-03-11 | Mobile service application data anti-disclosure system based on security sandbox technology |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111523114A | 2020-08-11 |
Family
ID=71902208
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
WD01 | Invention patent application deemed withdrawn after publication | ||
Application publication date: 20200811 |