CN111666564B - Application program safe starting method and device, computer equipment and storage medium - Google Patents
Application program safe starting method and device, computer equipment and storage medium Download PDFInfo
- Publication number
- CN111666564B CN111666564B CN202010405714.6A CN202010405714A CN111666564B CN 111666564 B CN111666564 B CN 111666564B CN 202010405714 A CN202010405714 A CN 202010405714A CN 111666564 B CN111666564 B CN 111666564B
- Authority
- CN
- China
- Prior art keywords
- check code
- decompression
- file
- application program
- resource file
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 51
- 230000006837 decompression Effects 0.000 claims abstract description 238
- 230000006835 compression Effects 0.000 claims description 145
- 238000007906 compression Methods 0.000 claims description 145
- 238000012795 verification Methods 0.000 claims description 42
- 238000004590 computer program Methods 0.000 claims description 28
- 238000004364 calculation method Methods 0.000 claims description 7
- 238000000605 extraction Methods 0.000 claims description 2
- 238000013473 artificial intelligence Methods 0.000 abstract description 3
- 238000004422 calculation algorithm Methods 0.000 description 19
- 244000035744 Hura crepitans Species 0.000 description 16
- 230000005540 biological transmission Effects 0.000 description 13
- 238000010586 diagram Methods 0.000 description 8
- 238000005516 engineering process Methods 0.000 description 7
- 238000004891 communication Methods 0.000 description 4
- 230000000737 periodic effect Effects 0.000 description 3
- 230000008569 process Effects 0.000 description 2
- 230000003068 static effect Effects 0.000 description 2
- 230000001174 ascending effect Effects 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 239000000284 extract Substances 0.000 description 1
- 230000000977 initiatory effect Effects 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
- 230000001960 triggered effect Effects 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
Abstract
The application relates to the technical field of artificial intelligence, in particular to a method and a device for safely starting an application program, computer equipment and a storage medium. The method comprises the following steps: receiving an application program starting request, wherein the application program starting request carries an application program identifier; inquiring whether the application program corresponding to the application program identifier is operated for the first time; when the application program is not operated for the first time, acquiring a decompressed resource file corresponding to the application program identifier; calculating an actual decompression check code of the decompression resource file; acquiring a download decompression check code of a decompression resource file, wherein the download decompression check code is a check code which is downloaded in advance from a server and is used for identifying the decompression resource file; judging whether the actual decompression check code is consistent with the downloaded decompression check code; when the actual decompression check code is consistent with the downloaded decompression check code, starting the application program, and adopting the method can ensure the data security of the application program. The privacy information such as downloading decompression check codes can be stored in the blockchain.
Description
Technical Field
The present disclosure relates to the field of artificial intelligence technologies, and in particular, to a method and apparatus for securely starting an application program, a computer device, and a storage medium.
Background
With the development of computer technology, there is an increasing demand for downloading files on a network, so it is becoming more and more important how to ensure the security of downloading files from the network.
In the conventional technology, an application program file is downloaded from a network according to an obtained download address, but the security of the obtained application program file cannot be ensured, for example, when an applet resource is downloaded from the network, the applet resource needs to be decompressed into a hosting sandbox, but the applet resource cannot be ensured not to be tampered in the hosting sandbox, so that the security of the file is lower.
Disclosure of Invention
In view of the foregoing, it is desirable to provide an application secure startup method, apparatus, computer device, and storage medium that can improve application data security.
A method for securely launching an application, the method comprising:
receiving an application program starting request, wherein the application program starting request carries an application program identifier;
inquiring whether the application program corresponding to the application program identifier is operated for the first time;
When the application program is not operated for the first time, acquiring a decompressed resource file corresponding to the application program identifier;
calculating an actual decompression check code of the decompression resource file;
acquiring a download decompression check code of the decompression resource file, wherein the download decompression check code is a check code which is downloaded in advance from a server and used for identifying the decompression resource file;
judging whether the actual decompression check code is consistent with the downloaded decompression check code;
and starting the application program when the actual decompression check code is consistent with the downloaded decompression check code.
In one embodiment, the decompressed resource file includes a plurality of decompressed subfiles, and calculating an actual decompressed check code of the decompressed resource file includes:
obtaining a subfile identification corresponding to each decompressed subfile and a subfile check code;
and combining the sub-file identifiers and the sub-file check codes according to a preset rule to obtain the actual decompression check codes corresponding to the decompression resource files.
In one embodiment, after querying whether the application program identifier corresponds to the application program running for the first time, the method further includes:
when the application program is operated for the first time, acquiring a compressed resource file corresponding to the application program identification;
Calculating an actual compression check code of the compression resource file;
acquiring a download compression check code of a compression resource file corresponding to an application program downloaded from a server in advance;
judging whether the actual compression check code is consistent with the downloaded compression check code or not;
when the actual compression check code is consistent with the downloaded compression check code, judging that the compressed resource file is a safe compressed file;
and when the compressed resource file is a safe compressed file, decompressing the safe compressed file to obtain a decompressed resource file, and starting an application program according to the decompressed file.
In one embodiment, when the application is running for the first time, obtaining the compressed resource file corresponding to the application identifier includes:
when the application program runs for the first time, generating an encrypted symmetric key, and sending the symmetric key to a server, wherein the symmetric key is used for indicating a download address, a download decompression check code and a download compression check code of the application program to be encrypted by the server to generate an encrypted service file;
receiving an encrypted service file returned by a server; decrypting the encrypted service file through the symmetric key to obtain the service file;
acquiring a download address corresponding to an application program from a service file;
And downloading according to the download address to obtain the compressed resource file.
In one embodiment, the method for obtaining the download decompression check code and the download compression check code includes:
and extracting a download decompression check code and a download compression check code from the service file obtained by decrypting the encrypted service file through the symmetric key, wherein the download decompression check code and the download compression check code are stored in a block chain.
In one embodiment, sending the symmetric key to the server includes:
and encrypting the symmetric key through the public key of the asymmetric key and then sending the encrypted symmetric key to the server so that the server obtains the symmetric key through decryption through the private key corresponding to the public key of the asymmetric key.
In one embodiment, after determining whether the actual compression check code is consistent with the downloaded compression check code, the method further includes:
when the actual compression check code is inconsistent with the downloaded compression check code, judging that the compression resource file is an unsafe compression resource file; generating warning information for unsafe compressed resource files;
after judging whether the actual decompression check code is consistent with the downloaded decompression check code, the method further comprises the following steps:
when the actual decompression check code is inconsistent with the downloaded decompression check code, judging that the decompression resource file is an unsafe decompression resource file; and generating warning information for the unsafe decompressed resource file.
An application secure launch apparatus, the apparatus comprising:
the request receiving module is used for receiving an application program starting request, wherein the application program starting request carries an application program identifier;
the query module is used for querying whether the application program corresponding to the application program identifier is operated for the first time;
the decompressed file acquisition module is used for acquiring a decompressed resource file corresponding to the application program identifier when the application program is not operated for the first time;
the actual decompression check code calculation module is used for calculating the actual decompression check code of the decompression resource file;
the download decompression check code acquisition module is used for acquiring the download decompression check code of the decompression resource file, wherein the download decompression check code is a check code downloaded in advance from a server and used for identifying the decompression resource file;
the judging module is used for judging whether the actual decompression check code is consistent with the downloaded decompression check code;
and the starting module is used for starting the application program when the actual decompression check code is consistent with the downloaded decompression check code.
A computer device comprising a memory storing a computer program and a processor implementing the steps of the method described above when the processor executes the computer program.
A computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of the above method.
The application program safe starting method, the device, the computer equipment and the storage medium receive an application program starting request, wherein the application program starting request carries an application program identifier; inquiring whether the application program corresponding to the application program identifier is operated for the first time; when the application program is not operated for the first time, acquiring a resource file corresponding to the application program identifier; calculating an actual decompression check code of the resource file; acquiring a download decompression check code of a decompressed resource file corresponding to an application program downloaded from a server in advance; and when the actual decompression check code is consistent with the downloaded decompression check code, starting the application program. And when the application program is not operated for the first time, the safety check is carried out on the decompressed resource file, and the application program is operated again on the premise of ensuring the safety of the resource file, so that the safety of data is ensured.
Drawings
FIG. 1 is an application environment diagram of an application launch method in one embodiment;
FIG. 2 is a flow chart of an application launch method according to one embodiment;
FIG. 3 is a flowchart of an application program starting method according to another embodiment;
FIG. 4 is a timing diagram of an application launch method according to another embodiment;
FIG. 5 is a block diagram of an application launch device in one embodiment;
fig. 6 is an internal structural diagram of a terminal device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
The application program safe starting method provided by the application program safe starting method can be applied to an application environment shown in the figure 1. Wherein the terminal 102 communicates with the server 104 via a network. The terminal 102 receives an application program starting request, wherein the application program starting request carries an application program identifier; inquiring whether the application program corresponding to the application program identifier is operated for the first time; when the application program is not operated for the first time, acquiring a decompressed resource file corresponding to the application program identifier; calculating an actual decompression check code of the decompression resource file; acquiring a download decompression check code of a decompression resource file, wherein the download decompression check code is a check code which is downloaded in advance from a server 104 and is used for identifying the decompression resource file; judging whether the actual decompression check code is consistent with the downloaded decompression check code; and starting the application program when the actual decompression check code is consistent with the downloaded decompression check code. The terminal 102 may be, but not limited to, various personal computers, notebook computers, smartphones, tablet computers, and portable wearable devices, and the server 104 may be implemented by a stand-alone server or a server cluster composed of a plurality of servers.
In one embodiment, as shown in fig. 2, there is provided an application secure start method, which is illustrated by taking the terminal in fig. 1 as an example, and includes the following steps:
step 210, an application program start request is received, where the application program start request carries an application program identifier.
Specifically, the user may trigger an application on the terminal to generate an application start request, and after receiving the application start request sent by the user, the terminal extracts an application identifier carried in the application start request, so as to locate a corresponding application according to the application identifier. The application identifier is used to uniquely identify an application, for example, may be a program name or an application number of the application, and is not limited herein. In one embodiment, the application may be an applet or the like, without limitation.
In another embodiment, the application start request may also be automatically generated in the terminal, for example, may be adapted to an operation service such as a periodic verification or a periodic security check of the application, specifically, a preset start time for starting the application may be preset, and when the preset start time is reached, the application start request is automatically triggered, so as to ensure that the periodic security check of the application is completed by the start service of the periodically executed application.
Step 220, query application program identification whether the corresponding application program is running for the first time.
The first running may refer to the first running of the application in the terminal, or may refer to the terminal having no relevant history data about the application, although the application is not first running in the terminal. Specifically, the terminal may search the corresponding historical data in the terminal according to the obtained application identifier, determine that the application is not running for the first time when the historical data corresponding to the application identifier is found, and determine that the application is running for the first time when the historical data corresponding to the application identifier is not found by the terminal.
When the application program is an applet, the terminal downloads the applet resource file corresponding to the applet from the server through the network, and decompresses the downloaded applet resource file into the hosting sandbox to execute the applet operation in the hosting sandbox. Specifically, when the terminal receives a starting request about the applet, whether historical download data about the applet exists in a host sandbox is searched, when the historical download data is searched, the applet is judged to be not operated for the first time, and when the historical download data is not searched, the applet is judged to be operated for the first time. In other embodiments, the resource file downloaded from the server may be stored in a database corresponding to the terminal, for example, a local database may be a cloud database, which is not limited herein.
In step 230, when the application is not running for the first time, the decompressed resource file corresponding to the application identifier is obtained.
The decompressed resource file may be a data resource corresponding to the running application. Specifically, after the terminal finds the historical download data corresponding to the application program identifier in the database corresponding to the terminal according to the application program identifier, the terminal determines that the application program is not operated for the first time, and then obtains the decompressed resource file corresponding to the application program identifier from the database corresponding to the terminal. When the application program corresponds to the applet, the terminal database may be a hosting sandbox in the terminal, where the hosting sandbox stores a resource file running the applet, and may include a compressed resource file and a decompressed resource file obtained by decompressing the compressed resource file.
Specifically, when the applet is not running in the terminal for the first time, the host sandbox of the terminal may store the compressed resource file related to the applet or the decompressed resource file after decompression, so that the compressed resource file corresponding to the application program does not need to be downloaded from the server through the network again, the corresponding compressed resource file can be directly found from the host sandbox, and then the terminal may decompress the compressed resource file to obtain the decompressed resource file after decompression, or the corresponding decompressed resource file is directly found from the host sandbox.
When the terminal receives the application program starting request and then judges that the application program is not running for the first time, the corresponding application program can be started first, or the decompressed resource file corresponding to the application program is obtained while the application program is started, the decompressed resource file is subjected to security check, when the verification is passed, the application program is continuously started, and when the verification is failed, the terminal is directly forbidden to continuously execute the corresponding application program, the terminal is stopped from sending a security warning prompt to the non-secure file of the decompressed resource file.
Step 240, calculating the actual decompression check code of the decompressed resource file.
Specifically, the check code may be used to uniquely identify a resource file, for example, the check code may be an MD5 check code, and MD5 is a 32-bit character string, which may be used as a unique characteristic value of the resource file to determine the uniqueness of the resource file, so that the MD5 check code may be used to determine the security of the resource file, for example, to determine whether the resource file is modified. Specifically, after the terminal obtains the decompressed resource file, a preset verification algorithm may be used to obtain an actual decompressed verification code corresponding to the decompressed resource file, for example, when the verification code corresponds to the MD5 verification code, the preset MD5 verification algorithm may be used to obtain the actual decompressed verification code corresponding to the decompressed resource file locally. In other embodiments, the actual decompression check code of the decompressed resource file may also be calculated using feature recognition techniques in the field of artificial intelligence.
Step 250, obtaining a download decompression check code of the decompressed resource file, wherein the download decompression check code is a check code downloaded in advance from a server and used for identifying the decompressed resource file.
And the server stores a check code related to the decompressed resource file in advance, marks the check code as a download decompressed check code, and uses the download decompressed check code to uniquely identify the decompressed resource file. Specifically, the terminal obtains a corresponding decompression resource file in a local hosting sandbox, then calculates an actual decompression check code corresponding to the decompression resource file locally, then obtains a download decompression check code related to the decompression resource file from the server, and then compares the actual decompression check code with the download decompression check code to verify whether the decompression resource file in the server and the locally stored decompression resource file obtained from the hosting sandbox by the terminal are the same decompression resource file.
Specifically, the server performs one-time MD5 on the decompressed resource file to be uploaded to obtain a downloaded compressed MD5 value, so as to perform unique identification on the resource file to be uploaded, then the server returns the downloaded decompressed MD5 value to the terminal, so that when the terminal downloads the decompressed resource file from the server, the server performs one-time MD5 locally, then the server returns to the downloaded decompressed MD5 to match with the locally generated actual decompressed MD5, if the character strings are identical, the decompressed resource file acquired by the terminal is correct, if the character strings are different, the decompressed resource file is modified, and the decompressed resource file acquired by the terminal is unsafe.
Step 260, determining whether the actual decompression check code is consistent with the downloaded decompression check code.
Specifically, the terminal compares the actual decompression check code with one of the characters in the download decompression check code, when all the characters are identical, the actual decompression check code is judged to be identical to the download decompression check code, and when any one of the characters in the actual decompression check code and the download decompression check code is inconsistent, the actual decompression check code is judged to be inconsistent with the download decompression check code. In specific implementation, the characters in the actual decompression check code and the downloaded decompression check code can be sequentially compared according to a certain sequence, and when any one character is inconsistent, an inconsistent conclusion is directly obtained without comparing all the characters.
In step 270, when the actual decompression check code is consistent with the downloaded decompression check code, the application is started.
Specifically, when the actual decompression check code is consistent with the downloaded decompression check code, it is indicated that the decompression resource file acquired by the terminal is consistent with the decompression resource file uploaded by the server, that is, the decompression resource file acquired by the terminal is the decompression resource file uploaded by the server in advance, and the decompression resource file which is not tampered can be executed at this time. Otherwise, when the actual decompression check code is inconsistent with the downloaded decompression check code, it is indicated that the decompression resource file acquired by the terminal and the decompression resource file uploaded by the server in advance are not the same file, that is, the situation that the decompression resource file is tampered or lost occurs in data transmission between the server and the terminal, or the decompression resource file is tampered in a host sandbox, at the moment, warning information should be sent to prompt the terminal that the application program is at risk or the terminal is directly prohibited from starting the corresponding application program.
In this embodiment, security verification is performed on the decompressed resource file after decompression, so as to ensure the security of the decompressed resource file, and when the decompressed resource is determined to be safe data, a corresponding application program is run again, so that the security of the data is ensured. Further, by comparing the actual compression check code obtained by the terminal with the downloaded compression check code downloaded from the server, the security of the data after decompression corresponding to the application program is ensured, man-in-the-middle attack or data tampering is prevented, and the cost and difficulty of malicious attack of a hacker are improved. And when the application program is not operated for the first time, the decompression resource file corresponding to the application program is directly acquired, and the compressed resource file is not required to be downloaded from the server for multiple times and then decompressed, so that the starting speed of the application program such as an applet is improved, and the network resource of the terminal is saved.
In one embodiment, the decompressed resource file includes a plurality of decompressed subfiles, and calculating an actual decompressed check code of the decompressed resource file includes: the sub-file identification and the sub-file check code corresponding to each decompressed sub-file are obtained; and combining the sub-file identifiers and the sub-file check codes according to a preset rule to obtain the actual decompression check codes corresponding to the decompression resource files.
The decompressed resource file is a data file corresponding to the running corresponding application program, specifically, the resource file after decompression may be a folder, and the folder may further include a plurality of subfolders and a plurality of decompressed subfolders. When the security verification is performed on the plurality of files, the sub-file identifiers, such as file names, corresponding to the decompressed sub-files can be obtained, the sub-file verification codes corresponding to the decompressed sub-files are obtained, and then the actual decompressed verification codes corresponding to the decompressed resource files are obtained by combining the sub-file identifiers and the sub-file verification codes through a preset algorithm. If the preset algorithm can count all the individual files in the folder, the names of the files are sorted in ascending order, and the names of the files are sorted in the order of "file 1: MD5 of file 1, file 2 name: the MD5 and …' forms of the file 2 are spliced into character strings, MD5 corresponding to the decompressed resource file is obtained, and then MD5 is carried out on the character strings. It should be noted that, the preset algorithm is preset by the terminal and the server, that is, the download decompression check code of the decompression resource file is generated in the server in advance according to the preset algorithm, then when the terminal obtains the decompression resource file, the MD5 of the decompression resource is locally performed to obtain the actual decompression resource file, and then the consistency check of the actual decompression check code and the download decompression check code is executed. The preset algorithm may be other algorithms that are pre-agreed, and is not limited herein.
In this embodiment, considering that the decompressed resource file includes a plurality of files after decompression, and each file has a corresponding file check code, in order to implement security check on the plurality of files, the check codes corresponding to the plurality of files are generated through a preset algorithm, and the preset algorithm is pre-agreed by the terminal and the server, and has various forms, so that the files are prevented from being stolen, and further the security of the decompressed resource file is ensured. And whether the decompressed file in the folder is modified or not can be known by checking the security of the decompressed resource file.
As shown in fig. 3, another method flow diagram for starting an application program is provided, including: after inquiring whether the application program is executed for the first time, the method further comprises the following steps:
in step 310, when the application is running for the first time, a compressed resource file corresponding to the application identifier is obtained.
Specifically, an application program starting request is received, the application program starting request carries an application program identifier, whether an application program corresponding to the application program identifier is operated for the first time is inquired, and when the application program is operated for the first time, a compressed resource file corresponding to the application program identifier is obtained.
Specifically, when the terminal does not find the historical download data corresponding to the application program identifier from the corresponding host sandbox or other databases, the terminal judges that the application program is operated for the first time, and then downloads the compressed resource file corresponding to the application program identifier from the server. If the terminal can locate the resource to be downloaded according to the acquired download address and the download address, the terminal downloads the file of the resource to be downloaded to obtain the compressed resource file.
At step 320, the actual compression check code of the compressed resource file is calculated.
Specifically, after the terminal obtains the compressed resource file, a preset verification algorithm may be used to obtain an actual compression verification code corresponding to the compressed resource file, for example, when the verification code corresponds to the MD5 verification code, the preset MD5 verification algorithm may be used to obtain the actual compression verification code corresponding to the compressed resource file locally. It should be noted that, the compressed resource file may be a file with a suffix name of zip, and corresponds to a file, and may directly perform MD5 verification.
Step 330, obtaining the download compression check code of the compression resource file corresponding to the application program downloaded from the server in advance.
The server stores a check code related to the compressed resource file in advance, marks the check code as a downloaded compressed check code, and uses the downloaded compressed check code to uniquely identify the compressed resource file. Specifically, after the terminal server downloads the corresponding compressed resource file, the actual compression check code corresponding to the compressed resource file is calculated locally, then the terminal obtains the downloaded compression check code related to the compressed resource file from the server, and then the actual compression check code and the downloaded compression check code can be compared to verify whether the compressed resource file in the server and the compressed resource file obtained by the terminal are the same compressed resource file.
Specifically, the server performs MD5 on the compressed resource file to be uploaded to obtain a downloaded compressed MD5 value, so as to uniquely identify the resource file to be uploaded, and then the server returns the downloaded compressed MD5 value to the terminal, so that when the terminal downloads the compressed resource file from the server, MD5 is performed locally, and then the server returns the downloaded compressed MD5 to be matched with the locally generated actual compressed MD5, if the character strings are the same, it is indicated that the compressed resource file acquired by the terminal is correct, if the character strings are different, it is indicated that the compressed resource file is modified, and the compressed resource file acquired by the terminal is unsafe.
Step 340, determining whether the actual compression check code is consistent with the downloaded compression check code.
Specifically, the terminal compares the actual compression check code with the characters in the downloaded compression check code, when all the characters are identical, the actual compression check code is judged to be identical with the downloaded compression check code, and when any character in the actual compression check code is inconsistent with the characters in the downloaded compression check code, the actual compression check code is judged to be inconsistent with the downloaded compression check code. In specific implementation, the characters in the actual compression check code and the downloaded compression check code can be compared in sequence according to a certain sequence, and when any one character is inconsistent, an inconsistent conclusion is directly obtained without comparing all the characters.
And step 350, when the actual compression check code is consistent with the downloaded compression check code, determining that the compressed resource file is a safe compressed file.
Specifically, when the actual compression check code is consistent with the downloaded compression check code, it is indicated that the compression resource file acquired by the terminal is consistent with the compression resource file uploaded by the server, that is, the compression resource file acquired by the terminal is the compression resource file uploaded by the server in advance and is not tampered, and at this time, the step of starting the application program can be executed. Otherwise, when the actual compression check code is inconsistent with the downloaded compression check code, it is indicated that the compression resource file acquired by the terminal is not the same file as the compression resource file uploaded by the server in advance, that is, the situation that the compression resource file is tampered or lost occurs in data transmission between the server and the terminal, and at this time, warning information should be sent to prompt the terminal that the application program is at risk or directly prohibit the terminal from starting the corresponding application program.
And 360, when the compressed resource file is a safe compressed file, decompressing the safe compressed file to obtain a decompressed resource file, and starting an application program according to the decompressed resource file.
Specifically, when the terminal judges that the compressed resource file is a safe compressed file, decompressing the safe compressed file to obtain a decompressed resource file, then executing security verification on the decompressed resource file, and when the decompressed resource file is also a safe decompressed file, starting an application program.
In this embodiment, after the terminal downloads the compressed resource file corresponding to the application program for the first time, security verification, such as MD5 verification, is performed on the compressed resource file, when the security verification is passed, the compressed resource file is decompressed to obtain a decompressed resource file, and if the security verification of the compressed resource file is not passed, it is indicated that the compressed resource file is modified, and if error processing is performed, the user terminal can be refused to start the application program, so that the security of the data is ensured.
In one embodiment, after determining whether the actual compression check code is consistent with the downloaded compression check code, the method further includes: when the actual compression check code is inconsistent with the downloaded compression check code, judging that the compression resource file is an unsafe compression resource file; and generating warning information for the unsafe compressed resource file.
In one embodiment, after determining whether the actual decompression check code is consistent with the downloaded decompression check code, the method further includes: when the actual decompression check code is inconsistent with the downloaded decompression check code, judging that the decompression resource file is an unsafe decompression resource file; and generating warning information for the unsafe decompressed resource file.
In one embodiment, when the application is running for the first time, obtaining the compressed resource file corresponding to the application identifier includes: when the application program runs for the first time, an encrypted symmetric key is generated, the symmetric key is sent to the server, and the symmetric key is used for indicating the server to encrypt the download address, the download decompression check code and the download compression check code of the application program to generate an encrypted service file. Receiving an encrypted service file returned by a server; decrypting the encrypted service file through the symmetric key to obtain the service file; acquiring a download address corresponding to an application program from a service file; and downloading according to the download address to obtain the compressed resource file.
Specifically, when the terminal determines that the application is running for the first time, it needs to acquire a compressed resource file related to starting the application from a server through a network, and specifically, the terminal needs to provide a download address for downloading the compressed resource file, a download compression check code for the compressed resource file, and a decompression resource check code from the server. The download address is used for downloading the corresponding compressed resource file, the download compression check code is used for checking the security of the downloaded compressed resource file, and the download decompression check code is used for checking the security of the decompressed resource file generated after the compressed resource file is decompressed, for example, whether the decompressed resource file is modified in the hosting sandbox or not is checked.
Further, the terminal communicates with the server through the network, and in the process that the server sends the download address and the check code to the terminal, the security of the network data transmission process needs to be ensured, that is, the transmitted data is not tampered. Specifically, the terminal may generate a symmetric key according to a preset rule, and send the symmetric key to the server, so that the server encrypts the download address, the download decompression check code and the download compression check code of the application program according to the received symmetric key to generate an encrypted service file, and sends the encrypted service file to the terminal by encrypting the service file, thereby improving the security of the data transmission process. The symmetric encryption is characterized in that encryption keys and decryption keys are identical, so that the encryption and decryption efficiency is high, and the data transmission efficiency is not affected. It should be noted that, in other embodiments, the terminal may also generate the encrypted service file by using other encryption algorithms, such as an asymmetric encryption algorithm, which is not limited in this embodiment.
In particular, the symmetric key may be an AES encryption algorithm, in particular the symmetric key may be dynamically randomly generated, the step of generating the symmetric key may comprise: firstly randomly generating a character string abcdefghijklmijnonqrstuvwxyzabcdefghijklmnop qrpuvwxyz 0123456789, then using a round-robin algorithm such as a code algorithm which can be a 16 times round, randomly taking a certain letter in the character string each time, and splicing the taken letters to generate a character string, and using the character string as a randomly generated 16-bit symmetric key. And the terminal sends the symmetric key to the server to instruct the server to encrypt the service data by using the symmetric key to generate an encrypted service file, then decrypts the encrypted service data according to the symmetric key to generate service data, and then uses the service data to execute the step of starting the application program. The data transmission safety is ensured by encrypting by using the symmetric key and sending the encrypted file to the terminal, and the symmetric key has simple algorithm and does not influence the data transmission efficiency.
In order to further ensure that the symmetric key is not tampered during network transmission, encrypting the symmetric key again, for example, an RSA encryption technology may be used to encrypt and transmit the symmetric key, where the RSA encryption technology is an asymmetric encryption, that is, the encryption and decryption corresponding keys are different, specifically, RSA has two keys, namely a public key and a private key, uses the public key to encrypt, and uses the private key to decrypt.
In one embodiment, sending the symmetric key to the server includes: and encrypting the symmetric key through the public key of the asymmetric key and then sending the encrypted symmetric key to the server so that the server obtains the symmetric key through decryption through the private key corresponding to the public key of the asymmetric key.
Specifically, the public key of the asymmetric secret key is stored in the terminal code, and is only used for encryption, stored in the terminal code or transmitted through a network, even if a hacker takes the public key, the public key can only be used for encryption and can not be used for decryption, so that the public key of the asymmetric secret key is not required to be decompiled by illegal personnel to acquire the public key, and the private key of the asymmetric secret key is in a background server. Specifically, the terminal encrypts a symmetric key such as an AES key by using a public key of the asymmetric key, sends the encrypted data to the background server, and the background server decrypts by using a private key corresponding to the public key of the asymmetric key to obtain a symmetric key corresponding to AES, thereby completing the transfer of AES keys between the terminal and the background server. The AES is encrypted by RSA and then data transmission is carried out, and only a smaller data volume such as a key symmetric key is encrypted, so that the data transmission efficiency is not affected.
In one embodiment, the method for obtaining the download decompression check code and the download compression check code includes: and extracting a download decompression check code and a download compression check code from the service file obtained by decrypting the encrypted service file through the symmetric key, wherein the download decompression check code and the download compression check code are stored in a block chain.
Specifically, obtaining a download decompression check code of a decompression resource file corresponding to an application program downloaded in advance from a server includes: acquiring a download decompression check code corresponding to the application program from the decompressed service file; the method for acquiring the download compression check code of the compression resource file corresponding to the application program downloaded from the server in advance comprises the following steps: and acquiring a download compression check code corresponding to the application program from the decompressed service file.
If the download address returned by the background server is http:// fcloud.pic.com.cn/f/ios_app.zip, the returned download compression MD5 is 6ea84e6330f55248cbb5b06fbcf95d59. After receiving the download address and the MD5 data, the terminal downloads the compressed resource file to the terminal, such as a mobile phone, then verifies the downloaded compressed resource file and MD5 to obtain the corresponding actual compressed MD5, where the actual compressed MD5 may be 6ea84e6330f55248cbb5b06fbcf95d59, then compares the actual compressed MD5 with the downloaded compressed MD5 returned by the background server, if the comparison result is consistent, it is indicated that the downloaded compressed resource file is not modified and can be used, and if the value pair of MD5 is not consistent, it is indicated that the download packet and the expected result are inconsistent, and the local flow is terminated.
It should be emphasized that, in order to further ensure the privacy and security of the download decompression check code and the download compression check code, the download decompression check code and the download compression check code may also be stored in a node of a blockchain, and when the security check of the application program needs to be performed by using the download decompression check code and the download compression check code, the download decompression check code and the download compression check code are directly obtained from the corresponding blockchain nodes, so as to ensure the security of the obtained information.
As shown in fig. 4, a timing diagram of an application launch method is provided. Specifically, the method comprises the following steps:
and the terminal, such as a mobile phone terminal, randomly generates an AES key result as A, and then encrypts the key A by using an RSA public key to obtain a decryption result B. The terminal sends B to a background server, the background server decrypts B by using an RSA private key to obtain a result A, the background server encrypts the service data to be sent by using A to obtain C, the C is sent to the terminal, the terminal decrypts C by using A to obtain decrypted service data, and meanwhile the service data to be sent is encrypted by using A to obtain encrypted service data and sent to the background server.
When an application corresponds to an applet, the resource file of the applet package is typically downloaded over a network and decompressed into the hosting sandbox because of the greater number of hosts, without excluding the hosting developer from modifying the applet resource, or because the resource is modified due to the hosting code. In order to ensure the correctness of the resource, the MD5 authentication is generally performed after downloading, but the MD5 in the interface cannot be prevented from being modified, and the decompressed resource cannot be prevented from being modified, which would result in unsafe resource of the applet package. In the embodiment, the security check is performed on the compressed resource file and the decompressed resource file through the check code, so that the security of the file is ensured, and the security of data is further ensured. And the data encryption is carried out in the process of data transmission between the terminal and the server, so that the safety of data transmission is further ensured, and the safety of small program resources is improved.
It should be understood that, although the steps in the flowcharts of fig. 2-4 are shown in order as indicated by the arrows, these steps are not necessarily performed in order as indicated by the arrows. The steps are not strictly limited to the order of execution unless explicitly recited herein, and the steps may be executed in other orders. Moreover, at least some of the steps in fig. 2-4 may include multiple steps or stages that are not necessarily performed at the same time, but may be performed at different times, nor does the order in which the steps or stages are performed necessarily performed in sequence, but may be performed alternately or alternately with at least a portion of the steps or stages in other steps or other steps.
In one embodiment, as shown in fig. 5, there is provided a block diagram of an application secure launch apparatus, including: the device comprises a request receiving module 510, a query module 520, a decompressed file obtaining module 530, an actual decompressed verification code calculating module 540, a downloaded decompressed verification code obtaining module 550, a judging module 560 and a starting module 570, wherein:
the request receiving module 510 is configured to receive an application program start request, where the application program start request carries an application program identifier.
And the query module 520 is configured to query whether the application program identifier corresponds to the application program running for the first time.
The decompressed file obtaining module 530 is configured to obtain, when the application is not running for the first time, a decompressed resource file corresponding to the application identifier.
The actual decompression check code calculation module 540 is configured to calculate an actual decompression check code of the decompressed resource file.
The download decompression check code obtaining module 550 is configured to obtain a download decompression check code of the decompressed resource file, where the download decompression check code is a check code downloaded in advance from the server and used for identifying the decompressed resource file.
The judging module 560 is configured to judge whether the actual decompression check code is consistent with the downloaded decompression check code;
The first starting module 570 is configured to start the application when the actual decompression check code is consistent with the downloaded decompression check code.
In one embodiment, the actual decompression check code calculation module 540 includes:
the file verification acquiring unit is used for acquiring the subfile identification and the subfile verification code corresponding to each decompressed subfile.
And the actual decompression check code calculation unit is used for combining the sub-file identifiers and the sub-file check codes according to a preset rule to obtain the actual decompression check codes corresponding to the decompression resource files.
In one embodiment, the application secure launch apparatus further comprises:
and the compressed resource file acquisition module is used for acquiring the compressed resource file corresponding to the application program identifier when the application program is operated for the first time.
And the actual compression check code calculating module is used for calculating the actual compression check code of the compression resource file.
And the download compression check code acquisition module is used for acquiring the download compression check code of the compression resource file corresponding to the application program downloaded from the server in advance.
And the compressed file judging module is used for judging whether the actual compressed check code is consistent with the downloaded compressed check code.
And the compressed file judging module is used for judging that the compressed resource file is a safe compressed file when the actual compressed check code is consistent with the downloaded compressed check code.
And the second starting module is used for decompressing the safe compressed file to obtain a decompressed resource file when the compressed resource file is the safe compressed file, and starting an application program according to the decompressed file.
In one embodiment, the compressed resource file acquisition module includes:
and the encryption service file generation unit is used for generating an encrypted symmetric key when the application program runs for the first time, sending the symmetric key to the server, and indicating the server to encrypt the download address, the download decompression check code and the download compression check code of the application program to generate an encryption service file.
And the encrypted service file receiving unit is used for receiving the encrypted service file returned by the server.
And the service file acquisition unit is used for decrypting the encrypted service file through the symmetric key to obtain the service file.
The download address acquisition unit is used for acquiring the download address corresponding to the application program from the service file.
And the compressed file downloading unit is used for downloading according to the downloading address to obtain the compressed resource file.
In one embodiment, an application secure launch apparatus includes:
and the verification code extraction module is used for extracting a download decompression verification code and a download compression verification code from the service file obtained by decrypting the encrypted service file through the symmetric key, wherein the download decompression verification code and the download compression verification code are stored in the blockchain.
In one embodiment, the encrypted service file generating unit includes:
and the symmetric key acquisition subunit is used for encrypting the symmetric key through the public key of the asymmetric key and then sending the encrypted symmetric key to the server so that the server can obtain the symmetric key through decryption through the private key corresponding to the public key of the asymmetric key.
In one embodiment, the application secure launch apparatus further comprises:
the first warning module is used for judging that the compressed resource file is an unsafe compressed resource file when the actual compressed check code is inconsistent with the downloaded compressed check code; and generating warning information for the unsafe compressed resource file.
The second warning module is used for judging that the decompressed resource file is an unsafe decompressed resource file when the actual decompressed check code is inconsistent with the downloaded decompressed check code; and generating warning information for the unsafe decompressed resource file.
The specific limitation of the application secure launch apparatus may be referred to as limitation of the application secure launch method hereinabove, and will not be described herein. The modules in the application program safety starting device can be realized in whole or in part by software, hardware and a combination thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
The blockchain is a novel application mode of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanism, encryption algorithm and the like. The Blockchain (Blockchain), which is essentially a decentralised database, is a string of data blocks that are generated by cryptographic means in association, each data block containing a batch of information of network transactions for verifying the validity of the information (anti-counterfeiting) and generating the next block. The blockchain may include a blockchain underlying platform, a platform product services layer, an application services layer, and the like.
In one embodiment, a computer device is provided, which may be a terminal, and the internal structure of which may be as shown in fig. 6. The computer device includes a processor, a memory, a communication interface, a display screen, and an input device connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless mode can be realized through WIFI, an operator network, NFC (near field communication) or other technologies. The computer program, when executed by a processor, implements a method for secure initiation of an application. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, can also be keys, a track ball or a touch pad arranged on the shell of the computer equipment, and can also be an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by those skilled in the art that the structure shown in fig. 6 is merely a block diagram of some of the structures associated with the present application and is not limiting of the computer device to which the present application may be applied, and that a particular computer device may include more or fewer components than shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided comprising a memory and a processor, the memory having stored therein a computer program, the processor when executing the computer program performing the steps of: receiving an application program starting request, wherein the application program starting request carries an application program identifier; inquiring whether the application program corresponding to the application program identifier is operated for the first time; when the application program is not operated for the first time, acquiring a decompressed resource file corresponding to the application program identifier; calculating an actual decompression check code of the decompression resource file; acquiring a download decompression check code of a decompression resource file, wherein the download decompression check code is a check code which is downloaded in advance from a server and is used for identifying the decompression resource file; judging whether the actual decompression check code is consistent with the downloaded decompression check code; and starting the application program when the actual decompression check code is consistent with the downloaded decompression check code.
In one embodiment, the decompressed resource file includes a plurality of decompressed subfiles, and the processor is further configured to, when executing the computer program, implement the step of calculating an actual decompressed check code of the decompressed resource file: obtaining a subfile identification corresponding to each decompressed subfile and a subfile check code; and combining the sub-file identifiers and the sub-file check codes according to a preset rule to obtain the actual decompression check codes corresponding to the decompression resource files.
In one embodiment, when the processor executes the computer program, the method further includes the step of querying whether the application program corresponding to the application program identifier is executed for the first time, where the step is further used for: when the application program is operated for the first time, acquiring a compressed resource file corresponding to the application program identification; calculating an actual compression check code of the compression resource file; acquiring a download compression check code of a compression resource file corresponding to an application program downloaded from a server in advance; judging whether the actual compression check code is consistent with the downloaded compression check code or not; when the actual compression check code is consistent with the downloaded compression check code, judging that the compressed resource file is a safe compressed file; and when the compressed resource file is a safe compressed file, decompressing the safe compressed file to obtain a decompressed resource file, and starting an application program according to the decompressed file.
In one embodiment, the step of obtaining the compressed resource file corresponding to the application identifier when the application is running for the first time is further performed when the processor executes the computer program: when the application program runs for the first time, generating an encrypted symmetric key, and sending the symmetric key to a server, wherein the symmetric key is used for indicating a download address, a download decompression check code and a download compression check code of the application program to be encrypted by the server to generate an encrypted service file; receiving an encrypted service file returned by a server; decrypting the encrypted service file through the symmetric key to obtain the service file; acquiring a download address corresponding to an application program from a service file; and downloading according to the download address to obtain the compressed resource file.
In one embodiment, the steps of implementing the method for obtaining the download decompression check code and the download compression check code when the processor executes the computer program are further used for: and extracting a download decompression check code and a download compression check code from the service file obtained by decrypting the encrypted service file through the symmetric key, wherein the download decompression check code and the download compression check code are stored in a block chain.
In one embodiment, the processor when executing the computer program performs the step of sending the symmetric key to the server is further configured to: and encrypting the symmetric key through the public key of the asymmetric key and then sending the encrypted symmetric key to the server so that the server obtains the symmetric key through decryption through the private key corresponding to the public key of the asymmetric key.
In one embodiment, the processor when executing the computer program is further configured to: when the actual compression check code is inconsistent with the downloaded compression check code, judging that the compression resource file is an unsafe compression resource file; generating warning information for unsafe compressed resource files;
the processor is further configured to, when executing the computer program, perform the step of determining whether the actual decompression check code is consistent with the downloaded decompression check code: when the actual decompression check code is inconsistent with the downloaded decompression check code, judging that the decompression resource file is an unsafe decompression resource file; and generating warning information for the unsafe decompressed resource file.
In one embodiment, a computer readable storage medium is provided having a computer program stored thereon, which when executed by a processor, performs the steps of: receiving an application program starting request, wherein the application program starting request carries an application program identifier; inquiring whether the application program corresponding to the application program identifier is operated for the first time; when the application program is not operated for the first time, acquiring a decompressed resource file corresponding to the application program identifier; calculating an actual decompression check code of the decompression resource file; acquiring a download decompression check code of a decompression resource file, wherein the download decompression check code is a check code which is downloaded in advance from a server and is used for identifying the decompression resource file; judging whether the actual decompression check code is consistent with the downloaded decompression check code; and starting the application program when the actual decompression check code is consistent with the downloaded decompression check code.
In one embodiment, the decompressed resource file includes a plurality of decompressed subfiles, and the computer program when executed by the processor is further configured to: obtaining a subfile identification corresponding to each decompressed subfile and a subfile check code; and combining the sub-file identifiers and the sub-file check codes according to a preset rule to obtain the actual decompression check codes corresponding to the decompression resource files.
In one embodiment, the method further comprises the step of querying whether the application program corresponding to the application program identifier is executed for the first time when the computer program is executed by the processor: when the application program is operated for the first time, acquiring a compressed resource file corresponding to the application program identification; calculating an actual compression check code of the compression resource file; acquiring a download compression check code of a compression resource file corresponding to an application program downloaded from a server in advance; judging whether the actual compression check code is consistent with the downloaded compression check code or not; when the actual compression check code is consistent with the downloaded compression check code, judging that the compressed resource file is a safe compressed file; and when the compressed resource file is a safe compressed file, decompressing the safe compressed file to obtain a decompressed resource file, and starting an application program according to the decompressed file.
In one embodiment, the computer program when executed by the processor, further performs the step of obtaining a compressed resource file corresponding to the application identifier when the application is first run: when the application program runs for the first time, generating an encrypted symmetric key, and sending the symmetric key to a server, wherein the symmetric key is used for indicating a download address, a download decompression check code and a download compression check code of the application program to be encrypted by the server to generate an encrypted service file; receiving an encrypted service file returned by a server; decrypting the encrypted service file through the symmetric key to obtain the service file; acquiring a download address corresponding to an application program from a service file; and downloading according to the download address to obtain the compressed resource file.
In one embodiment, the computer program when executed by the processor is further configured to implement the steps of downloading the decompression check code and downloading the acquisition mode of the compression check code: and extracting a download decompression check code and a download compression check code from the service file obtained by decrypting the encrypted service file through the symmetric key, wherein the download decompression check code and the download compression check code are stored in a block chain.
In one embodiment, the computer program when executed by the processor performs the step of sending the symmetric key to the server further for: and encrypting the symmetric key through the public key of the asymmetric key and then sending the encrypted symmetric key to the server so that the server obtains the symmetric key through decryption through the private key corresponding to the public key of the asymmetric key.
In one embodiment, the computer program when executed by the processor is further configured to, when executed by the processor, perform the following steps of determining whether the actual compression check code is consistent with the downloaded compression check code: when the actual compression check code is inconsistent with the downloaded compression check code, judging that the compression resource file is an unsafe compression resource file; and generating warning information for the unsafe compressed resource file. The computer program when executed by the processor is further configured to implement the step of determining whether the actual decompression check code is identical to the downloaded decompression check code, after that: when the actual decompression check code is inconsistent with the downloaded decompression check code, judging that the decompression resource file is an unsafe decompression resource file; and generating warning information for the unsafe decompressed resource file.
Those skilled in the art will appreciate that implementing all or part of the above-described methods in accordance with the embodiments may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed may comprise the steps of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in embodiments provided herein may include at least one of non-volatile and volatile memory. The nonvolatile Memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash Memory, optical Memory, or the like. Volatile memory can include random access memory (Random Access Memory, RAM) or external cache memory. By way of illustration, and not limitation, RAM can be in the form of a variety of forms, such as static random access memory (Static Random Access Memory, SRAM) or dynamic random access memory (Dynamic Random Access Memory, DRAM), and the like.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The foregoing examples represent only a few embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the invention. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. Accordingly, the scope of protection of the present application is to be determined by the claims appended hereto.
Claims (10)
1. A method for securely launching an application, the method comprising:
receiving an application program starting request, wherein the application program starting request carries an application program identifier;
inquiring whether the application program corresponding to the application program identifier is operated for the first time;
when the application program is not operated for the first time, acquiring a decompressed resource file corresponding to the application program identifier; the decompressed resource file is a data resource corresponding to an operating application program;
Calculating an actual decompression check code of the decompression resource file;
acquiring a download decompression check code of the decompression resource file, wherein the download decompression check code is a check code which is downloaded in advance from a server and used for identifying the decompression resource file;
judging whether the actual decompression check code is consistent with the download decompression check code or not;
when the actual decompression check code is consistent with the downloaded decompression check code, starting the application program;
after the query of whether the application program identifier corresponds to the application program running for the first time, the method further comprises:
when the application program runs for the first time, generating an encrypted symmetric key, and sending the symmetric key to a server, wherein the symmetric key is used for indicating the server to encrypt a download address, the download decompression check code and the download compression check code of the application program to generate an encrypted service file;
receiving the encrypted service file returned by the server;
decrypting the encrypted service file through the symmetric key to obtain a service file;
acquiring a download address corresponding to the application program from the service file;
downloading according to the downloading address to obtain a compressed resource file;
Calculating an actual compression check code of the compression resource file;
acquiring a download compression check code of a compression resource file corresponding to the application program downloaded from a server in advance;
judging whether the actual compression check code is consistent with the downloaded compression check code or not;
when the actual compression check code is consistent with the downloaded compression check code, judging that the compressed resource file is a safe compressed file;
and when the compressed resource file is a safe compressed file, decompressing the safe compressed file to obtain a decompressed resource file, and starting an application program according to the decompressed resource file.
2. The method of claim 1, wherein the decompressed resource file comprises a plurality of decompressed subfiles; the calculating the actual decompression check code of the decompressed resource file comprises the following steps:
obtaining a subfile identifier corresponding to each decompressed subfile and a subfile check code;
and combining the sub-file identifiers and the sub-file check codes according to a preset rule to obtain the actual decompression check codes corresponding to the decompression resource files.
3. The method according to claim 1 or 2, wherein the acquiring manner of the download decompression check code and the download compression check code includes:
And extracting the download decompression check code and the download compression check code from the service file obtained by decrypting the encrypted service file through the symmetric key, wherein the download decompression check code and the download compression check code are stored in a block chain.
4. The method according to claim 1 or 2, wherein said sending the symmetric key to a server comprises:
and encrypting the symmetric key through the public key of the asymmetric key and then sending the encrypted symmetric key to the server so that the server obtains the symmetric key through decryption through the private key corresponding to the public key of the asymmetric key.
5. The method of claim 1, wherein after said determining whether the actual compression check code is consistent with the downloaded compression check code, further comprising:
when the actual compression check code is inconsistent with the downloaded compression check code, judging that the compression resource file is an unsafe compression resource file;
generating warning information for the unsafe compressed resource file;
after the judging whether the actual decompression check code is consistent with the download decompression check code, the method further comprises the following steps:
when the actual decompression check code is inconsistent with the download decompression check code, judging that the decompression resource file is an unsafe decompression resource file;
And generating warning information for the unsafe decompressed resource file.
6. An application secure launch apparatus, the apparatus comprising:
the request receiving module is used for receiving an application program starting request, wherein the application program starting request carries an application program identifier;
the query module is used for querying whether the application program corresponding to the application program identifier is operated for the first time;
the decompressed file acquisition module is used for acquiring a decompressed resource file corresponding to the application program identifier when the application program is not operated for the first time; the decompressed resource file is a data resource corresponding to an operating application program;
the actual decompression check code calculation module is used for calculating the actual decompression check code of the decompression resource file;
the download decompression check code acquisition module is used for acquiring a download decompression check code of the decompression resource file, wherein the download decompression check code is a check code which is downloaded in advance from a server and used for identifying the decompression resource file;
the judging module is used for judging whether the actual decompression check code is consistent with the download decompression check code or not;
the starting module is used for starting the application program when the actual decompression check code is consistent with the download decompression check code;
The device further comprises:
the compressed resource file acquisition module is used for generating an encrypted symmetric key when the application program runs for the first time, and sending the symmetric key to the server, wherein the symmetric key is used for indicating the server to encrypt a download address, the download decompression check code and the download compression check code of the application program to generate an encrypted service file; receiving the encrypted service file returned by the server; decrypting the encrypted service file through the symmetric key to obtain a service file; acquiring a download address corresponding to the application program from the service file; downloading according to the downloading address to obtain a compressed resource file;
the actual compression check code calculating module is used for calculating the actual compression check code of the compression resource file;
the download compression check code acquisition module is used for acquiring the download compression check code of the compression resource file corresponding to the application program downloaded from the server in advance;
the compressed file judging module is used for judging whether the actual compressed check code is consistent with the downloaded compressed check code or not;
the compressed file judging module is used for judging that the compressed resource file is a safe compressed file when the actual compressed check code is consistent with the downloaded compressed check code;
And the second starting module is used for decompressing the safe compressed file to obtain a decompressed resource file when the compressed resource file is the safe compressed file, and starting an application program according to the decompressed resource file.
7. The apparatus of claim 6, wherein the decompressed resource file comprises a plurality of decompressed subfiles; the actual decompression check code calculation module comprises:
the file verification acquisition unit is used for acquiring the sub-file identification and the sub-file verification code corresponding to each decompressed sub-file;
and the actual decompression check code calculation unit is used for combining the sub-file identifiers and the sub-file check codes according to a preset rule to obtain the actual decompression check codes corresponding to the decompression resource files.
8. The apparatus according to claim 6 or 7, characterized in that the apparatus further comprises:
and the verification code extraction module is used for extracting the download decompression verification code and the download compression verification code from the service file obtained by decrypting the encrypted service file through the symmetric key, wherein the download decompression verification code and the download compression verification code are stored in a block chain.
9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any one of claims 1 to 5 when the computer program is executed.
10. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 5.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010405714.6A CN111666564B (en) | 2020-05-14 | 2020-05-14 | Application program safe starting method and device, computer equipment and storage medium |
| PCT/CN2020/098856 WO2021114614A1 (en) | 2020-05-14 | 2020-06-29 | Application program secure startup method and apparatus, computer device, and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010405714.6A CN111666564B (en) | 2020-05-14 | 2020-05-14 | Application program safe starting method and device, computer equipment and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111666564A CN111666564A (en) | 2020-09-15 |
| CN111666564B true CN111666564B (en) | 2024-02-02 |
Family
ID=72382589
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010405714.6A Active CN111666564B (en) | 2020-05-14 | 2020-05-14 | Application program safe starting method and device, computer equipment and storage medium |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN111666564B (en) |
| WO (1) | WO2021114614A1 (en) |
Families Citing this family (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112163412B (en) * | 2020-09-30 | 2024-02-09 | 善恒展创(深圳)发展合伙企业(有限合伙) | Data verification method and device, electronic equipment and storage medium |
| CN112379905A (en) * | 2020-11-20 | 2021-02-19 | 惠州Tcl移动通信有限公司 | Kernel upgrading method and device, terminal and storage medium |
| CN112732365A (en) * | 2021-01-28 | 2021-04-30 | 北京字跳网络技术有限公司 | Method and device for starting pre-installed application program, electronic equipment and storage medium |
| CN112597485B (en) * | 2021-03-01 | 2021-06-08 | 腾讯科技(深圳)有限公司 | Information checking method, device and equipment based on block chain and storage medium |
| CN115022091B (en) * | 2022-08-04 | 2022-12-16 | 亿次网联(杭州)科技有限公司 | Autonomous authorization method and system based on digital certificate |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6711709B1 (en) * | 1998-06-24 | 2004-03-23 | Unisys Corporation | Integrated block checking system for rapid file transfer of compressed data |
| CN106778099A (en) * | 2016-11-29 | 2017-05-31 | 北京奇虎科技有限公司 | The generation method and device of anti-tamper APK, install and operation method and device |
| CN108647041A (en) * | 2018-04-02 | 2018-10-12 | 金证财富南京科技有限公司 | A kind of hot update mechanism of the locals mixed type APP web resource |
| CN108810894A (en) * | 2018-05-31 | 2018-11-13 | 康键信息技术(深圳)有限公司 | Authorization terminal method, apparatus, computer equipment and storage medium |
| CN110308924A (en) * | 2019-05-24 | 2019-10-08 | 平安银行股份有限公司 | Application program update method, apparatus, electronic equipment and storage medium |
Family Cites Families (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9055093B2 (en) * | 2005-10-21 | 2015-06-09 | Kevin R. Borders | Method, system and computer program product for detecting at least one of security threats and undesirable computer files |
| CN104778060A (en) * | 2015-04-07 | 2015-07-15 | 珠海全志科技股份有限公司 | Rapid and safe starting method for embedded Linux system |
| CN106815135B (en) * | 2015-11-30 | 2021-04-06 | 阿里巴巴集团控股有限公司 | Vulnerability detection method and device |
| US10303899B2 (en) * | 2016-08-11 | 2019-05-28 | Intel Corporation | Secure public cloud with protected guest-verified host control |
| CN107273172A (en) * | 2017-07-14 | 2017-10-20 | 银联商务有限公司 | A kind of data handling system based on business packet, method and device |
| CN110162964B (en) * | 2019-05-29 | 2021-09-24 | 中国银行股份有限公司 | Method, device and system for checking file tampering |
-
2020
- 2020-05-14 CN CN202010405714.6A patent/CN111666564B/en active Active
- 2020-06-29 WO PCT/CN2020/098856 patent/WO2021114614A1/en active Application Filing
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6711709B1 (en) * | 1998-06-24 | 2004-03-23 | Unisys Corporation | Integrated block checking system for rapid file transfer of compressed data |
| CN106778099A (en) * | 2016-11-29 | 2017-05-31 | 北京奇虎科技有限公司 | The generation method and device of anti-tamper APK, install and operation method and device |
| CN108647041A (en) * | 2018-04-02 | 2018-10-12 | 金证财富南京科技有限公司 | A kind of hot update mechanism of the locals mixed type APP web resource |
| CN108810894A (en) * | 2018-05-31 | 2018-11-13 | 康键信息技术(深圳)有限公司 | Authorization terminal method, apparatus, computer equipment and storage medium |
| CN110308924A (en) * | 2019-05-24 | 2019-10-08 | 平安银行股份有限公司 | Application program update method, apparatus, electronic equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111666564A (en) | 2020-09-15 |
| WO2021114614A1 (en) | 2021-06-17 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111666564B (en) | Application program safe starting method and device, computer equipment and storage medium | |
| CN109684790B (en) | Software starting method, software authorization verification method, device and storage medium | |
| US10721080B2 (en) | Key-attestation-contingent certificate issuance | |
| US11539690B2 (en) | Authentication system, authentication method, and application providing method | |
| US10474823B2 (en) | Controlled secure code authentication | |
| CN106657152B (en) | Authentication method, server and access control device | |
| US11258792B2 (en) | Method, device, system for authenticating an accessing terminal by server, server and computer readable storage medium | |
| CN112019493B (en) | Identity authentication method, identity authentication device, computer equipment and medium | |
| CN109194625B (en) | Client application protection method and device based on cloud server and storage medium | |
| KR101744747B1 (en) | Mobile terminal, terminal and method for authentication using security cookie | |
| CN112257086B (en) | User privacy data protection method and electronic equipment | |
| CN112559993B (en) | Identity authentication method, device and system and electronic equipment | |
| JP6967449B2 (en) | Methods for security checks, devices, terminals and servers | |
| CN107040520B (en) | Cloud computing data sharing system and method | |
| US20160330030A1 (en) | User Terminal For Detecting Forgery Of Application Program Based On Hash Value And Method Of Detecting Forgery Of Application Program Using The Same | |
| CN111401901B (en) | Authentication method and device of biological payment device, computer device and storage medium | |
| CN112800393A (en) | Authorization authentication method, software development kit generation method, device and electronic equipment | |
| CN107548542B (en) | User authentication method with enhanced integrity and security | |
| CN111224826B (en) | Configuration updating method, device, system and medium based on distributed system | |
| CN112632573A (en) | Intelligent contract execution method, device and system, storage medium and electronic equipment | |
| CN111400771A (en) | Target partition checking method and device, storage medium and computer equipment | |
| CN111628985A (en) | Security access control method, security access control device, computer equipment and storage medium | |
| CN115361198A (en) | Decryption method, encryption method, device, computer equipment and storage medium | |
| CN114745115A (en) | Information transmission method and device, computer equipment and storage medium | |
| CN114244620A (en) | Board card network access verification method and device and board card control center |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |