CN112671715B - Method and device for guaranteeing data security communication of application - Google Patents
Method and device for guaranteeing data security communication of application Download PDFInfo
- Publication number
- CN112671715B CN112671715B CN202011395524.7A CN202011395524A CN112671715B CN 112671715 B CN112671715 B CN 112671715B CN 202011395524 A CN202011395524 A CN 202011395524A CN 112671715 B CN112671715 B CN 112671715B
- Authority
- CN
- China
- Prior art keywords
- data
- library
- wind control
- application
- service
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 54
- 238000004891 communication Methods 0.000 title claims abstract description 42
- 230000003993 interaction Effects 0.000 claims abstract description 43
- 238000004422 calculation algorithm Methods 0.000 claims abstract description 24
- 230000015654 memory Effects 0.000 claims description 38
- 238000001514 detection method Methods 0.000 claims description 27
- 230000002787 reinforcement Effects 0.000 claims description 5
- 238000004806 packaging method and process Methods 0.000 claims description 3
- 230000002452 interceptive effect Effects 0.000 claims 1
- 238000011156 evaluation Methods 0.000 abstract 1
- 238000004590 computer program Methods 0.000 description 9
- 238000010586 diagram Methods 0.000 description 7
- 230000006870 function Effects 0.000 description 6
- 230000005291 magnetic effect Effects 0.000 description 6
- 238000011217 control strategy Methods 0.000 description 4
- 238000005516 engineering process Methods 0.000 description 4
- 230000005540 biological transmission Effects 0.000 description 3
- 230000003287 optical effect Effects 0.000 description 3
- 238000005336 cracking Methods 0.000 description 2
- 238000004364 calculation method Methods 0.000 description 1
- 230000005294 ferromagnetic effect Effects 0.000 description 1
- 230000010365 information processing Effects 0.000 description 1
- 238000009434 installation Methods 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
- 230000003014 reinforcing effect Effects 0.000 description 1
- 238000001228 spectrum Methods 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 230000001360 synchronised effect Effects 0.000 description 1
Images
Abstract
The application aims to provide a method and a device for guaranteeing data security communication of an application, wherein the method comprises the following steps: encrypting the business data call Jni interface through a so library reinforced by a specific algorithm; sending the encrypted data and the wind control level returned from the so library to a service server; the method comprises the steps of receiving data returned from a service server, if the risk exists, the returned data is the risk level obtained by the service server through the evaluation of the wind control server, and if the risk does not exist, the returned data is encrypted interaction data obtained by encrypting the service data to be interacted by the service server; and calling Jni the encrypted interaction data, decrypting through the so library to obtain the interaction data, and completing the data security communication. Compared with the prior art, the method and the device have the advantages that the so library is reinforced through the specific algorithm, the running environment of the application is detected, the wind control server is timely informed, the risk wind control server can prevent the service server from issuing service contents to the application, and the service data is guaranteed not to be intercepted.
Description
Technical Field
The present application relates to the field of communications, and in particular, to a technique for securing data security communications for applications.
Background
For communication between an application and a service server, the scheme in the industry is generally that network communication of the application is encrypted, a native library is shelled, but communication content is grabbed and cracked, the native library is decompiled after being shelled and is dynamically debugged to grab binary data, most application holders cannot find the problems and prevent further leakage of the data.
Disclosure of Invention
An object of the present application is to provide a method and apparatus for securing data security communications of an application.
According to one aspect of the present application, there is provided a method for securing data security communications of an application at a business layer, wherein the method comprises:
encrypting a business data call Jni interface through a corresponding so (shared object) library, wherein the so library is reinforced by a specific algorithm;
sending the encrypted data and the wind control level returned from the so library to a corresponding service server, wherein the wind control level is obtained by the so library through detecting an operation environment;
The data returned from the service server is received, if the risk exists, the returned data is the risk level estimated by the service server based on the wind control level, and if the risk does not exist, the returned data is the encrypted interaction data obtained by encrypting the service data to be interacted by the service server;
and calling the Jni interface to decrypt the encrypted interaction data through the so library to obtain decrypted interaction data, thereby completing data security communication.
According to one aspect of the present application, there is provided a method for securing data security communication of an application in a service server, wherein the method comprises:
receiving encryption data and wind control levels sent by a corresponding service layer, wherein the wind control levels are obtained by detecting an operation environment by the so library;
the wind control level is sent to a corresponding wind control server, and risk levels which are fed back by the wind control server and are estimated based on the wind control level are received;
if the risk exists, the risk level is fed back to the service layer, if the risk does not exist, service data to be interacted are prepared and encrypted, and the encrypted interaction data after encryption are returned to the service layer.
According to one aspect of the present application, there is provided an apparatus for securing data secure communication of an application, wherein the apparatus comprises:
processor and method for controlling the same
A memory arranged to store computer executable instructions which, when executed, cause the processor to perform the method of any of the above claims.
According to one aspect of the present application, there is provided a computer readable medium storing instructions that, when executed by a computer, cause the computer to perform the operations of the method of any one of the above.
According to one aspect of the present application, there is provided an apparatus for securing data security communication of an application at a traffic layer, wherein the apparatus includes:
the first calling device is used for encrypting the business data calling Jni interface through the corresponding so library, wherein the so library is reinforced by a specific algorithm;
the first sending device is used for sending the encrypted data and the wind control level returned from the so library to the corresponding service server, wherein the wind control level is obtained by the so library through detecting the operation environment;
the first receiving device is used for receiving the data returned from the service server, if the risk exists, the returned data is the risk level estimated by the service server based on the wind control level, and if the risk does not exist, the returned data is the encrypted interaction data obtained by encrypting the service data to be interacted by the service server;
And the second calling device is used for calling the Jni interface to decrypt the encrypted interaction data through the so library to obtain decrypted interaction data, so that data security communication is completed.
According to one aspect of the present application, there is provided an apparatus for securing data security communication of an application in a service server, wherein the apparatus comprises:
the second receiving device is used for receiving the encrypted data and the wind control level sent by the corresponding service layer, wherein the wind control level is obtained by detecting the running environment through the so library;
the second sending device is used for sending the wind control level to a corresponding wind control server and receiving a risk level which is fed back by the wind control server and is estimated based on the wind control level;
and the third sending device is used for feeding back the risk level to the service layer if the risk exists, preparing the service data to be interacted and encrypting the service data, and feeding back the encrypted interaction data to the service layer if the risk does not exist.
Compared with the prior art, the method and the device have the advantages that the so library is reinforced through a specific algorithm, the running environment of the application is detected, the wind control server is timely informed of the complete wind control strategy, the service content is prevented from being issued to the application by the service server due to the occurrence of risks, and the service data of the service server are prevented from being intercepted.
Furthermore, the so library is reinforced by a specific algorithm, a private virtual machine instruction is written to replace an assembly instruction in the original so library, and meanwhile, an environment detection code is injected, so that the running environment of an application can be detected, the application cannot be unshelled easily and cannot be interrupted, and a method for debugging the content of the so by tampering with an ARM assembly instruction is not effective.
Further, if information leakage already occurs, the service layer collects geographical position information and network related information of a cracking person and reports the geographical position information and the network related information to the wind control server, and then the geographical position information, the network related information and the like of a terminal machine of illegal actions can be queried through querying the wind control server, legal responsibility can be effectively tracked, and service loss can be recovered.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the detailed description of non-limiting embodiments, made with reference to the following drawings, in which:
FIG. 1 illustrates a method flow diagram for securing data communications of an application at a business layer, according to one embodiment of the present application;
FIG. 2 illustrates a method flow diagram for securing data security communications of an application in a business server, according to one embodiment of the present application;
FIG. 3 illustrates a device architecture diagram for securing data communications of an application at a business layer, according to one embodiment of the present application;
FIG. 4 illustrates an apparatus block diagram for securing data security communications of an application in a service server according to one embodiment of the present application;
FIG. 5 illustrates a flow diagram for securing data security communications of an application in accordance with one embodiment of the present application;
FIG. 6 illustrates an exemplary system that may be used to implement various embodiments described herein.
The same or similar reference numbers in the drawings refer to the same or similar parts.
Detailed Description
The present application is described in further detail below with reference to the accompanying drawings.
In one typical configuration of the present application, the terminal, the devices of the services network, and the trusted party each include one or more processors (e.g., central processing units (Central Processing Unit, CPU)), input/output interfaces, network interfaces, and memory.
The Memory may include non-volatile Memory in a computer readable medium, random access Memory (Random Access Memory, RAM) and/or non-volatile Memory, etc., such as Read Only Memory (ROM) or Flash Memory (Flash Memory). Memory is an example of computer-readable media.
Computer readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase-Change Memory (PCM), programmable Random Access Memory (Programmable Random Access Memory, PRAM), static Random Access Memory (SRAM), dynamic Random Access Memory (Dynamic Random Access Memory, DRAM), other types of Random Access Memory (RAM), read-Only Memory (ROM), electrically erasable programmable read-Only Memory (EEPROM), flash Memory or other Memory technology, read-Only Memory (Compact Disc Read-Only Memory, CD-ROM), digital versatile disks (Digital Versatile Disc, DVD) or other optical storage, magnetic cassettes, magnetic tape storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by the computing device.
The device referred to in the present application includes, but is not limited to, a user device, a network device, or a device formed by integrating a user device and a network device through a network. The user equipment includes, but is not limited to, any mobile electronic product which can perform man-machine interaction with a user (for example, perform man-machine interaction through a touch pad), such as a smart phone, a tablet computer and the like, and the mobile electronic product can adopt any operating system, such as an Android operating system, an iOS operating system and the like. The network device includes an electronic device capable of automatically performing numerical calculation and information processing according to a preset or stored instruction, and the hardware includes, but is not limited to, a microprocessor, an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a programmable logic device (Programmable Logic Device, PLD), a field programmable gate array (Field Programmable Gate Array, FPGA), a digital signal processor (Digital Signal Processor, DSP), an embedded device, and the like. The network device includes, but is not limited to, a computer, a network host, a single network server, a plurality of network server sets, or a cloud of servers; here, the Cloud is composed of a large number of computers or network servers based on Cloud Computing (Cloud Computing), which is a kind of distributed Computing, a virtual supercomputer composed of a group of loosely coupled computer sets. Including but not limited to the internet, wide area networks, metropolitan area networks, local area networks, VPN networks, wireless Ad Hoc networks (Ad Hoc networks), and the like. Preferably, the device may be a program running on the user device, the network device, or a device formed by integrating the user device and the network device, the touch terminal, or the network device and the touch terminal through a network.
Of course, those skilled in the art will appreciate that the above-described devices are merely examples, and that other devices now known or hereafter may be present as appropriate for the application, are intended to be within the scope of the present application and are incorporated herein by reference.
In the description of the present application, the meaning of "a plurality" is two or more, unless explicitly defined otherwise.
Fig. 1 shows a flowchart of a method for securing data security communications of an application at a business layer according to one embodiment of the present application, the method including steps S11, S12, S13, S14. In step S11, the service layer encrypts the service data call Jni interface through the corresponding so library, where the so library is reinforced by a specific algorithm; in step S12, the service layer sends the encrypted data and the wind control level returned from the so library to the corresponding service server, where the wind control level is obtained by the so library through detecting the operation environment; in step S13, the service layer receives data returned from the service server, if there is a risk, the returned data is a risk level estimated by the service server based on the wind control level, and if there is no risk, the returned data is encrypted interaction data obtained by encrypting the service data to be interacted by the service server; in step S14, the service layer calls the Jni interface to decrypt the encrypted interaction data through the so library, and obtains decrypted interaction data, thereby completing data security communication.
In step S11, when an application, such as an android application, has service data to be encrypted, the service layer of the application calls a corresponding so library through a Jni interface, and sends the service data to the so library for encryption, wherein the so library is reinforced by a specific algorithm, and the reinforced so library is not easy to unshelling.
In some embodiments, the so library is algorithm-specific hardened, including: converting assembly instructions in the original so library into newly written private virtual machine instructions; inserting detection codes for detecting the running environment; and packaging the new file into a so library to obtain the so library reinforced by the specific algorithm.
For example, the reinforcement tool pre-writes a set of private virtual machine instructions, converts the standard ARM assembly instructions in the original so library into the pre-written private virtual machine instructions, then adds detection codes for detecting the running environment, for example, detection codes for detecting the debugging state, detection codes for detecting the running state of the virtual machine, and the like, and packages the new file into the so library to obtain the so library reinforced by the specific algorithm. The so library is reinforced by a specific algorithm, a private virtual machine instruction is written, the virtual machine instruction is not easy to unshelling and cannot be interrupted, and a method for debugging the content of the so library by tampering with the ARM assembly instruction is not effective.
The business data is encrypted by the so library reinforced by the specific algorithm, so that encrypted data is obtained, the wind control level is obtained by detecting the running environment, and the encrypted data and the wind control level are returned to the business layer.
In step S12, the service layer sends the encrypted data and the air control level received from the so library, for example, through the https interface, to the corresponding service server, where the air control level is obtained by the so library through detecting the running environment. The business layer sends the wind control level obtained by the detection of the so library to the business server, and the business server can continuously transmit the wind control level to the corresponding wind control server to evaluate the risk of the running environment of the application.
In some embodiments, the detection code for detecting the running environment inserted when the so library is hardened includes detection code for detecting a debug state and/or detection code for detecting a virtual machine running state. Then, when the so library detects the running environment, the so library executes the detection code for detecting the debug status to detect whether it is debugged, or the so library executes the detection code for detecting the running status of the virtual machine to detect whether it is running in the virtual machine, thereby obtaining the wind control level, and returns the wind control level and the encrypted data obtained by encrypting the service data by the so library to the service layer.
In step S13, the service layer receives data returned from the service server, where the data returned by the service server is determined based on its interaction with the wind control server, that is, the service server forwards the wind control level received from the service layer to the wind control server, and the wind control server evaluates the risk level of the running environment of the application according to the wind control level and returns the risk level to the service server. If there is a risk, the service server will not prepare service data to be returned to the service layer of the application, but only return the risk level to the service layer, that is, the data returned by the service layer from the service server is the risk level estimated by the service server from the corresponding wind control server based on the wind control level. If there is no risk, the service server determines the service data to be interacted to be returned to the service layer, encrypts the service data to obtain encrypted interaction data, and returns the encrypted interaction data to the service layer, for example, the service server returns the encrypted interaction data to the service layer in an original way through the https interface, that is, the service layer receives the encrypted interaction data obtained by encrypting the service data to be interacted from the service server. The wind control server has a complete wind control strategy, and if the risk is judged to exist, the service server is prevented from transmitting the service data to the application, so that the service data of the service server is ensured not to be intercepted.
In some embodiments, the method further comprises step S15. In step S15, when the data returned from the service server received by the service layer is a risk level, the application information of the current application is collected and reported to the wind control server.
Here, when there is a risk, the service server simply returns the risk level to the service layer, and the service layer knows that the running environment of the current application is at risk, so in step S15, the service layer starts an information collecting task, collects application information of the current application, including but not limited to various information such as geographical location information, device information, network information, etc., for example, obtains the geographical location information of the current application through a system function, and reports the application information to the wind control server. The wind control server collects information of various risk sources reported by different terminals, so that if information leakage occurs later, the geographic position, network information and the like of the terminal machine with illegal actions can be obtained by inquiring the wind control server, thereby effectively tracing legal responsibility and recovering service loss.
In some embodiments, the application information includes at least any one of:
The geographical position information of the current application is located;
and the network information used by the current application.
The geographical position information of the current application can be obtained through devices such as a self-contained GPS (Global Positioning System ) and the like on the terminal of the current application, and the service layer can obtain the corresponding geographical position information by calling the interfaces corresponding to the devices or modules; the network information used by the current application is, for example, various information such as network IP and Mac address of the terminal where the application is located.
It will be appreciated by those skilled in the art that the above application information is merely exemplary, and that other application information that may be present in the present invention or may be present in the future is applicable to the present embodiment, and is also included in the scope of the present embodiment and is incorporated herein by reference.
In some embodiments, in step S15, the service layer encrypts the collected application information of the current application by calling the Jni interface through the so library, and sends the encrypted application information to the wind control server through calling the https information collection interface defined by the wind control server.
In step S14, the service layer receives the encrypted interaction data returned by the corresponding service server, and calls the Jni interface to decrypt the encrypted interaction data through the so library, so as to obtain decrypted interaction data, thereby completing data security communication.
According to the embodiment, the so library is reinforced by a specific algorithm, the running environment of the application is detected, the wind control server is timely informed of the running environment, the wind control server has a complete wind control strategy, the service content is prevented from being issued to the application by the service server due to the occurrence of risk, and the service data of the service server are ensured not to be intercepted.
Furthermore, the so library is reinforced by a specific algorithm, a private virtual machine instruction is written to replace an assembly instruction in the original so library, and meanwhile, an environment detection code is injected, so that the running environment of an application can be detected, the application cannot be unshelled easily and cannot be interrupted, and a method for debugging the content of the so by tampering with an ARM assembly instruction is not effective.
Further, if information leakage already occurs, the service layer collects geographical position information and network related information of a cracking person and reports the geographical position information and the network related information to the wind control server, and then the geographical position information, the network related information and the like of a terminal machine of illegal actions can be queried through querying the wind control server, legal responsibility can be effectively tracked, and service loss can be recovered.
Fig. 2 shows a flowchart of a method for securing data security communication of an application in a service server according to an embodiment of the present application, the method comprising steps S21, S22, S23. In step S21, the service server receives encrypted data and a wind control level sent by a corresponding service layer, where the wind control level is obtained by detecting an operating environment from the so library; in step S22, the service server sends the wind control level to a corresponding wind control server, and receives a risk level which is fed back by the wind control server and is estimated based on the wind control level; in step S23, if there is a risk, the service server feeds back the risk level to the service layer, if there is no risk, prepares the service data to be interacted with and encrypts, and returns the encrypted interaction data to the service layer.
In some embodiments, in step S21, the service server receives encrypted data and the wind control level sent by the corresponding service layer through the https interface; the service server decrypts the encrypted data to obtain decrypted data, and in step S23, if no risk is determined, the service server prepares the service data to be interacted based on the decrypted data, encrypts the service data to be interacted to obtain encrypted interaction data, and returns the encrypted interaction data to the service layer in an original path through the https interface.
An embodiment of interactions among a business layer, a so library, a business server, and a wind control server is shown in fig. 5:
the service layer of the android application needs to communicate with a corresponding service server to transfer service data;
the service layer prepares service data and calls a Jni interface for encryption, wherein a so library to which the interface belongs is reinforced by a specific algorithm;
code for executing security detection in the so library is used for checking whether the running environment is safe or not, including whether the running environment is debugged or not, whether the running environment runs in the virtual machine or not, obtaining the air control level and encrypting service data needing to be encrypted;
The so library returns the encrypted data and the wind control level to the business layer;
the service layer sends the encrypted data and the wind control level to a corresponding service server through an https interface;
after receiving the data, the service server firstly sends the wind control level to the wind control server and waits for the feedback of the wind control server;
the wind control server has a complete wind control strategy, evaluates the risk level according to the wind control level sent by the service server, and feeds back the risk level to the service server;
the business server receives the risk level fed back by the wind control server, if the risk exists, business data cannot be prepared to be fed back to a business layer of the android application, and the risk level is fed back only;
after receiving the fed back risk level, the business layer collects the geographical position information of the current application, the used network information and other application information, and reports the information to the wind control server;
if the risk level fed back by the wind control server is displayed without risk, the service server prepares the service data to be interacted according to the previously received service data and encrypts the service data, and returns the encrypted interaction data to the applied service layer through the https original path;
after receiving the encrypted interaction data returned by the service server, the service layer calls the Jni interface to enable the so library to decrypt the encrypted interaction data, complete one complete service data interaction is achieved, and then the service layer can execute corresponding service logic.
FIG. 3 illustrates a device architecture diagram for secure communication of data at a business layer provisioning application, according to one embodiment of the present application; the device 1 is located in a traffic layer and comprises a first invoking device 31, a first transmitting device 32, a first receiving device 33, and a second invoking device 34. The first calling device 31 encrypts the service data call Jni interface through a corresponding so library, wherein the so library is reinforced by a specific algorithm; the first sending device 32 sends the encrypted data and the wind control level returned from the so library to the corresponding service server, wherein the wind control level is obtained by the so library through detecting the operation environment; the first receiving device 33 receives the data returned from the service server, if there is a risk, the returned data is the risk level estimated by the service server based on the wind control level, if there is no risk, the returned data is encrypted interaction data obtained by encrypting the service data to be interacted by the service server; the second calling device 34 calls the encrypted interaction data to the Jni interface to decrypt through the so library, and obtains decrypted interaction data, so that data security communication is completed. Here, the specific embodiments of the first calling device 31, the first transmitting device 32, the first receiving device 33, and the second calling device 34 shown in fig. 3 are the same as or similar to the specific embodiments of the foregoing steps S11, S12, S13, and S14, respectively, so that the detailed description thereof will be omitted herein, and the detailed description thereof will be omitted herein.
In some embodiments, the apparatus 1 further includes a reporting device (not shown), where the reporting device collects application information of the current application when the data returned from the service server is received as a risk level, and reports the application information to the wind control server.
When there is a risk, the service server simply returns the risk level to the service layer, and the service layer knows that the running environment of the current application is at risk, so that the reporting device of the service layer starts an information collecting task, collects application information of the current application, including but not limited to various information such as geographic location information, equipment information, network information and the like, for example, obtains the geographic location information of the current application through a system function, and reports the application information to the wind control server. The wind control server collects information of various risk sources reported by different terminals, so that if information leakage occurs later, the geographic position, network information and the like of the terminal machine with illegal actions can be obtained by inquiring the wind control server, thereby effectively tracing legal responsibility and recovering service loss.
In some embodiments, the application information includes at least any one of:
The geographical position information of the current application is located;
and the network information used by the current application.
The geographical location information of the current application can be obtained through devices such as a self-contained GPS (Global Positioning System ) and the like on the terminal of the current application, and the reporting device obtains the corresponding geographical location information by calling the corresponding interfaces of the devices or modules; the network information used by the current application is, for example, various information such as network IP and Mac address of the terminal where the application is located.
It will be appreciated by those skilled in the art that the above application information is merely exemplary, and that other application information that may be present in the present invention or may be present in the future is applicable to the present embodiment, and is also included in the scope of the present embodiment and is incorporated herein by reference.
In some embodiments, the reporting device calls the Jni interface to encrypt the collected application information of the current application through the so library, and sends the encrypted application information to the wind control server through calling the https information collection interface defined by the wind control server.
In some embodiments, the apparatus 1 further comprises a reinforcement means (not shown) that converts assembly instructions within the original so library into newly written private virtual machine instructions; inserting detection codes for detecting the running environment; and packaging the new file into a so library to obtain the so library reinforced by the specific algorithm.
For example, the reinforcement device pre-writes a set of private virtual machine instructions, converts the standard ARM assembly instructions in the original so library into the pre-written private virtual machine instructions, then adds detection codes for detecting the running environment, for example, detection codes for detecting the debugging state, detection codes for detecting the running state of the virtual machine, and the like, and packages the new file into the so library to obtain the so library reinforced by the specific algorithm. The so library is reinforced by a specific algorithm, a private virtual machine instruction is written, the virtual machine instruction is not easy to unshelling and cannot be interrupted, and a method for debugging the content of the so library by tampering with the ARM assembly instruction is not effective.
The business data is encrypted by the so library reinforced by the specific algorithm, so that encrypted data is obtained, the wind control level is obtained by detecting the running environment, and the encrypted data and the wind control level are returned to the business layer.
In some embodiments, the detection code for detecting the running environment inserted by the reinforcement device when reinforcing the so library includes detection code for detecting a debug state and/or detection code for detecting a virtual machine running state. Then, when the so library detects the running environment, the so library executes the detection code for detecting the debug status to detect whether it is debugged, or the so library executes the detection code for detecting the running status of the virtual machine to detect whether it is running in the virtual machine, thereby obtaining the wind control level, and returns the wind control level and the encrypted data obtained by encrypting the service data by the so library to the service layer.
FIG. 4 illustrates a device architecture diagram for securing data security communications of an application in a traffic server, according to one embodiment of the present application; the device 2 is located in a service server and comprises a second receiving means 41, a second transmitting means 42, and a third transmitting means 43. The second receiving device 41 receives the encrypted data sent by the corresponding service layer and the wind control level, wherein the wind control level is obtained by detecting the running environment by the so library; the second sending device 42 sends the wind control level to a corresponding wind control server, and receives a risk level which is fed back by the wind control server and is estimated based on the wind control level; if there is a risk, the third sending device 43 feeds back the risk level to the service layer, if there is no risk, the third sending device 43 prepares the service data to be interacted with and encrypts, and returns the encrypted interaction data to the service layer. Here, the specific embodiments of the second receiving device 41, the second transmitting device 42, and the third transmitting device 43 shown in fig. 4 are the same as or similar to the specific embodiments of the foregoing step S21, step S22, and step S23, respectively, and are not described in detail herein, and are incorporated by reference.
FIG. 6 illustrates an exemplary system that may be used to implement various embodiments described herein;
in some embodiments, as shown in fig. 6, the system 300 can function as any of the devices of the various described embodiments. In some embodiments, system 300 can include one or more computer-readable media (e.g., system memory or NVM/storage 320) having instructions and one or more processors (e.g., processor(s) 305) coupled with the one or more computer-readable media and configured to execute the instructions to implement the modules to perform the actions described herein.
For one embodiment, the system control module 310 may include any suitable interface controller to provide any suitable interface to at least one of the processor(s) 305 and/or any suitable device or component in communication with the system control module 310.
The system control module 310 may include a memory controller module 330 to provide an interface to the system memory 315. Memory controller module 330 may be a hardware module, a software module, and/or a firmware module.
The system memory 315 may be used, for example, to load and store data and/or instructions for the system 300. For one embodiment, system memory 315 may include any suitable volatile memory, such as, for example, a suitable DRAM. In some embodiments, the system memory 315 may comprise a double data rate type four synchronous dynamic random access memory (DDR 4 SDRAM).
For one embodiment, system control module 310 may include one or more input/output (I/O) controllers to provide an interface to NVM/storage 320 and communication interface(s) 325.
For example, NVM/storage 320 may be used to store data and/or instructions. NVM/storage 320 may include any suitable nonvolatile memory (e.g., flash memory) and/or may include any suitable nonvolatile storage device(s) (e.g., one or more Hard Disk Drives (HDDs), one or more Compact Disc (CD) drives, and/or one or more Digital Versatile Disc (DVD) drives).
NVM/storage 320 may include storage resources that are physically part of the device on which system 300 is installed or which may be accessed by the device without being part of the device. For example, NVM/storage 320 may be accessed over a network via communication interface(s) 325.
Communication interface(s) 325 may provide an interface for system 300 to communicate over one or more networks and/or with any other suitable device. The system 300 may wirelessly communicate with one or more components of a wireless network in accordance with any of one or more wireless network standards and/or protocols.
For one embodiment, at least one of the processor(s) 305 may be packaged together with logic of one or more controllers (e.g., memory controller module 330) of the system control module 310. For one embodiment, at least one of the processor(s) 305 may be packaged together with logic of one or more controllers of the system control module 310 to form a System In Package (SiP). For one embodiment, at least one of the processor(s) 305 may be integrated on the same die as logic of one or more controllers of the system control module 310. For one embodiment, at least one of the processor(s) 305 may be integrated on the same die with logic of one or more controllers of the system control module 310 to form a system on chip (SoC).
In various embodiments, the system 300 may be, but is not limited to being: a server, workstation, desktop computing device, or mobile computing device (e.g., laptop computing device, handheld computing device, tablet, netbook, etc.). In various embodiments, system 300 may have more or fewer components and/or different architectures. For example, in some embodiments, system 300 includes one or more cameras, keyboards, liquid Crystal Display (LCD) screens (including touch screen displays), non-volatile memory ports, multiple antennas, graphics chips, application Specific Integrated Circuits (ASICs), and speakers.
In addition to the methods and apparatus described in the above embodiments, the present application also provides a computer-readable storage medium storing computer code which, when executed, performs a method as described in any one of the preceding claims.
The present application also provides a computer program product which, when executed by a computer device, performs a method as claimed in any preceding claim.
The present application also provides a computer device comprising:
one or more processors;
a memory for storing one or more computer programs;
the one or more computer programs, when executed by the one or more processors, cause the one or more processors to implement the method of any preceding claim.
It should be noted that the present application may be implemented in software and/or a combination of software and hardware, for example, using Application Specific Integrated Circuits (ASIC), a general purpose computer or any other similar hardware device. In one embodiment, the software programs of the present application may be executed by a processor to implement the steps or functions as described above. Likewise, the software programs of the present application (including associated data structures) may be stored on a computer readable recording medium, such as RAM memory, magnetic or optical drive or diskette and the like. In addition, some steps or functions of the present application may be implemented in hardware, for example, as circuitry that cooperates with the processor to perform various steps or functions.
Furthermore, portions of the present application may be implemented as a computer program product, such as computer program instructions, which when executed by a computer, may invoke or provide methods and/or techniques in accordance with the present application by way of operation of the computer. Those skilled in the art will appreciate that the form of computer program instructions present in a computer readable medium includes, but is not limited to, source files, executable files, installation package files, etc., and accordingly, the manner in which the computer program instructions are executed by a computer includes, but is not limited to: the computer directly executes the instruction, or the computer compiles the instruction and then executes the corresponding compiled program, or the computer reads and executes the instruction, or the computer reads and installs the instruction and then executes the corresponding installed program. Herein, a computer-readable medium may be any available computer-readable storage medium or communication medium that can be accessed by a computer.
Communication media includes media whereby a communication signal containing, for example, computer readable instructions, data structures, program modules, or other data, is transferred from one system to another. Communication media may include conductive transmission media such as electrical cables and wires (e.g., optical fibers, coaxial, etc.) and wireless (non-conductive transmission) media capable of transmitting energy waves, such as acoustic, electromagnetic, RF, microwave, and infrared. Computer readable instructions, data structures, program modules, or other data may be embodied as a modulated data signal, for example, in a wireless medium, such as a carrier wave or similar mechanism, such as that embodied as part of spread spectrum technology. The term "modulated data signal" means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. The modulation may be analog, digital or hybrid modulation techniques.
By way of example, and not limitation, computer-readable storage media may include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data. For example, computer-readable storage media include, but are not limited to, volatile memory, such as random access memory (RAM, DRAM, SRAM); and nonvolatile memory such as flash memory, various read only memory (ROM, PROM, EPROM, EEPROM), magnetic and ferromagnetic/ferroelectric memory (MRAM, feRAM); and magnetic and optical storage devices (hard disk, tape, CD, DVD); or other now known media or later developed computer-readable information/data that can be stored for use by a computer system.
An embodiment according to the present application comprises an apparatus comprising a memory for storing computer program instructions and a processor for executing the program instructions, wherein the computer program instructions, when executed by the processor, trigger the apparatus to operate a method and/or a solution according to the embodiments of the present application as described above.
It will be evident to those skilled in the art that the present application is not limited to the details of the foregoing illustrative embodiments, and that the present application may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive, the scope of the application being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned. Furthermore, it is evident that the word "comprising" does not exclude other elements or steps, and that the singular does not exclude a plurality. A plurality of units or means recited in the apparatus claims can also be implemented by means of one unit or means in software or hardware. The terms first, second, etc. are used to denote a name, but not any particular order.
Claims (12)
1. A method for securing data security communications of an application at a business layer, wherein the method comprises:
encrypting the service data call Jni interface through a corresponding so library, wherein the so library is reinforced by a specific algorithm;
sending the encrypted data and the wind control level returned from the so library to a corresponding service server, wherein the wind control level is obtained by the so library through detecting the running environment of an application, and the detecting the running environment of the application comprises detecting whether the application is debugged or not;
the data returned from the service server is received, if the risk exists, the returned data is the risk level estimated by the service server based on the wind control level, and if the risk does not exist, the returned data is the encrypted interaction data obtained by encrypting the service data to be interacted by the service server;
and calling the Jni interface to decrypt the encrypted interaction data through the so library to obtain decrypted interaction data, thereby completing data security communication.
2. The method of claim 1, wherein the method further comprises:
and when the data returned from the service server is the risk level, collecting the application information of the current application and reporting the application information to the wind control server.
3. The method of claim 2, wherein the application information includes at least any one of:
the geographical position information of the current application is located;
and the network information used by the current application.
4. A method according to claim 2 or 3, wherein the reporting to the wind control server comprises:
and calling the Jni interface to encrypt the collected application information of the current application through the so library, and sending the encrypted application information to the wind control server.
5. The method of claim 1, wherein the algorithm-specific reinforcement of the so library comprises:
converting assembly instructions in the original so library into newly written private virtual machine instructions;
inserting detection codes for detecting the running environment;
and packaging the new file into a so library to obtain the so library reinforced by the specific algorithm.
6. The method of claim 5, wherein the detection code for detecting a running environment includes detection code for detecting a debug state and/or detection code for detecting a virtual machine running state; wherein, the wind control level is obtained by the so library through detecting the operation environment and comprises the following steps:
and the so library executes the detection code to detect whether the software is debugged and/or run in the virtual machine, and the wind control level is obtained.
7. The method of claim 1, wherein the sending the encrypted data received back from the so library and the wind control level to the corresponding service server, wherein the wind control level is derived by the so library by detecting an operating environment comprises:
the encryption data and the wind control level returned from the so library are sent to the corresponding service server through an https interface;
the data received from the service server returns, if there is a risk, the returned data is a risk level estimated by the service server based on the wind control level, if there is no risk, the returned data is encrypted interaction data obtained by encrypting the service data to be interacted by the service server, including:
and if the risk does not exist, the encrypted interactive data returned from the service server through the https interface is received.
8. A method for securing data secure communications of an application in a service server, wherein the method comprises:
receiving encryption data and a wind control level sent by a corresponding service layer, wherein the wind control level is obtained by a so library through detecting the running environment of an application, and detecting the running environment of the application comprises detecting whether the application is debugged or not;
The wind control level is sent to a corresponding wind control server, and risk levels which are fed back by the wind control server and are estimated based on the wind control level are received;
if the risk exists, the risk level is fed back to the service layer, if the risk does not exist, service data to be interacted are prepared and encrypted, and the encrypted interaction data after encryption are returned to the service layer.
9. The method of claim 8, wherein the receiving the encrypted data sent by the corresponding business layer and the wind control level, wherein the wind control level is obtained by the so library by detecting an operating environment comprises:
receiving encrypted data and an air control level sent by a corresponding service layer through an https interface;
if the risk exists, feeding back the risk level to the service layer, and if the risk does not exist, preparing the service data to be interacted and encrypting, and returning the encrypted interaction data to the service layer comprises the following steps:
and if the risk does not exist, returning the encrypted interaction data to the service layer through an https interface original path.
10. An apparatus for securing data security communications of an application at a business layer, wherein the apparatus comprises:
processor and method for controlling the same
A memory arranged to store computer executable instructions which, when executed, cause the processor to perform the method of any of claims 1 to 7.
11. An apparatus for securing data secure communications of an application in a service server, wherein the apparatus comprises:
processor and method for controlling the same
A memory arranged to store computer executable instructions which, when executed, cause the processor to perform the method of claim 8 or 9.
12. A computer readable medium storing instructions which, when executed by a computer, cause the computer to perform the operations of the method of any one of claims 1 to 9.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011395524.7A CN112671715B (en) | 2020-12-03 | 2020-12-03 | Method and device for guaranteeing data security communication of application |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011395524.7A CN112671715B (en) | 2020-12-03 | 2020-12-03 | Method and device for guaranteeing data security communication of application |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112671715A CN112671715A (en) | 2021-04-16 |
| CN112671715B true CN112671715B (en) | 2023-05-09 |
Family
ID=75402562
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011395524.7A Active CN112671715B (en) | 2020-12-03 | 2020-12-03 | Method and device for guaranteeing data security communication of application |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112671715B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114357488B (en) * | 2022-01-04 | 2022-09-16 | 深圳市智百威科技发展有限公司 | Data encryption system and method |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107169324A (en) * | 2017-05-12 | 2017-09-15 | 北京理工大学 | A kind of Android application reinforcement means based on dynamic encryption and decryption |
| CN110175067A (en) * | 2019-03-05 | 2019-08-27 | 广东电网有限责任公司信息中心 | A kind of mobile application tank force three-dimensional defence method and system |
| CN110765470A (en) * | 2019-09-19 | 2020-02-07 | 平安科技(深圳)有限公司 | Method and device for realizing safety keyboard, computer equipment and storage medium |
| CN111401901A (en) * | 2020-03-23 | 2020-07-10 | 腾讯科技(深圳)有限公司 | Authentication method and device of biological payment device, computer device and storage medium |
Family Cites Families (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105701423B (en) * | 2015-12-31 | 2018-11-02 | 深圳前海微众银行股份有限公司 | Date storage method and device applied to high in the clouds payment transaction |
| US10841222B2 (en) * | 2016-07-05 | 2020-11-17 | Ologn Technologies Ag | Systems, apparatuses and methods for network packet management |
| CN106778103B (en) * | 2016-12-30 | 2020-03-13 | 上海掌门科技有限公司 | Reinforcement method, system and decryption method for preventing reverse cracking of android application program |
| CN107766728A (en) * | 2017-08-28 | 2018-03-06 | 国家电网公司 | Mobile application security managing device, method and mobile operation safety protection system |
| CN108108973A (en) * | 2017-12-01 | 2018-06-01 | 北京三快在线科技有限公司 | Business risk control method and device |
| CN108021805A (en) * | 2017-12-18 | 2018-05-11 | 上海众人网络安全技术有限公司 | Detect method, apparatus, equipment and the storage medium of Android application program running environment |
-
2020
- 2020-12-03 CN CN202011395524.7A patent/CN112671715B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107169324A (en) * | 2017-05-12 | 2017-09-15 | 北京理工大学 | A kind of Android application reinforcement means based on dynamic encryption and decryption |
| CN110175067A (en) * | 2019-03-05 | 2019-08-27 | 广东电网有限责任公司信息中心 | A kind of mobile application tank force three-dimensional defence method and system |
| CN110765470A (en) * | 2019-09-19 | 2020-02-07 | 平安科技(深圳)有限公司 | Method and device for realizing safety keyboard, computer equipment and storage medium |
| CN111401901A (en) * | 2020-03-23 | 2020-07-10 | 腾讯科技(深圳)有限公司 | Authentication method and device of biological payment device, computer device and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112671715A (en) | 2021-04-16 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10917394B2 (en) | Data operations using a proxy encryption key | |
| EP3329413A1 (en) | Techniques to secure computation data in a computing environment | |
| WO2022237123A1 (en) | Method and apparatus for acquiring blockchain data, electronic device, and storage medium | |
| CN109818910B (en) | Data transmission method, device and medium | |
| CN107590396B (en) | Data processing method and device, storage medium and electronic equipment | |
| CN109450620B (en) | Method for sharing security application in mobile terminal and mobile terminal | |
| CN110765395B (en) | Method and equipment for providing novel information | |
| CN113014670A (en) | Method, device, medium and program product for pushing order information | |
| CN110780887A (en) | Method and equipment for providing application installation package | |
| CN112671715B (en) | Method and device for guaranteeing data security communication of application | |
| CN106293688B (en) | A kind of processing method of web-page requests, device and system | |
| CN109992489B (en) | Method and device for monitoring execution behavior of application in user equipment | |
| US11716354B2 (en) | Determination of compliance with security technical implementation guide standards | |
| CN109710280B (en) | Method and equipment for installing application on user equipment | |
| CN112968899B (en) | Method and equipment for encrypted communication | |
| US8838955B2 (en) | Two-way, secure, data communication within critical infrastructures | |
| CN110286920B (en) | Method and device for installing application | |
| CN111182050A (en) | Method and equipment for realizing communication between application and server | |
| WO2022237600A1 (en) | Information proxy method and apparatus | |
| CN113099025B (en) | Method and device for adding friends in social application | |
| CN112559203A (en) | Method and device for realizing data exchange between service layer and so library | |
| CN110321205B (en) | Method and equipment for managing hosted program in hosted program | |
| CN110430046B (en) | Cloud environment-oriented trusted platform module two-stage key copying method | |
| KR101737747B1 (en) | Improving tamper resistance of aggregated data | |
| CN113114681A (en) | Test message processing method, device, computer system and readable storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20231107 Address after: 312500 Wangjiangshan Village, Nanming Street, Xinchang County, Shaoxing City, Zhejiang Province Patentee after: Shaoxing Jilian Technology Co.,Ltd. Address before: 200120 2, building 979, Yun Han Road, mud town, Pudong New Area, Shanghai Patentee before: SHANGHAI LIANSHANG NETWORK TECHNOLOGY Co.,Ltd. |
|
| TR01 | Transfer of patent right |