CN115935300A - Application program protection method - Google Patents


Publication number: CN115935300A
Authority: CN (China)
Prior art keywords: key, program code, target, public key, server
Legal status: Pending
Application number: CN202211599628.9A
Other languages: Chinese (zh)
Inventors: 闫广禄, 樊荣
Current Assignee: Beijing Sankuai Online Technology Co Ltd
Original Assignee: Beijing Sankuai Online Technology Co Ltd


Abstract

The application discloses a method for protecting an application program, and belongs to the technical field of computers. The method comprises the following steps: the terminal device receives target program code of a target application program sent by the server, where the target program code is program code obtained by encrypting the initial program code of the target application program based on a first key; the terminal device sends a public key corresponding to the confidential computing operating environment to the server; the server receives the public key corresponding to the confidential computing operating environment sent by the terminal device, and encrypts the first key according to the public key to obtain an encrypted second key; the server sends the second key to the terminal device; the terminal device receives the second key returned by the server, and decrypts the second key to obtain the first key; and the terminal device decrypts the target program code according to the first key to obtain the initial program code, and runs the initial program code through the confidential computing operating environment. The method can ensure the confidentiality of the initial program code of the target application program.

Description

Application program protection method
Technical Field
The embodiments of the present application relate to the technical field of computers, and in particular to a method for protecting an application program.
Background
An application is a computer program that runs in user mode in the non-secure world, can interact with a user, and has a visual user interface for performing one or more specific tasks. Because the application installation package is not encrypted and the application is installed and run in the non-secure world, the program code of the application is at risk of being maliciously stolen and tampered with by a user.
Therefore, a method for protecting an application program is needed to prevent the program code of the application program from being stolen and tampered with, and thereby protect the confidentiality and integrity of the application program.
Disclosure of Invention
The embodiment of the application provides a method for protecting an application program. The technical scheme is as follows:
In a first aspect, an embodiment of the present application provides a method for protecting an application program, where the method includes:
the terminal device receives target program code of a target application program sent by a server, where the target program code is program code obtained by encrypting initial program code of the target application program based on a first key;
the terminal device sends a public key corresponding to a confidential computing operating environment to the server;
the server receives the public key corresponding to the confidential computing operating environment sent by the terminal device, and encrypts the first key according to the public key to obtain an encrypted second key;
the server sends the second key to the terminal device;
the terminal device receives the second key returned by the server, and decrypts the second key to obtain the first key;
and the terminal device decrypts the target program code according to the first key to obtain the initial program code, and runs the initial program code through the confidential computing operating environment.
In a second aspect, an embodiment of the present application provides a method for protecting an application program, where the method includes:
receiving target program code of a target application program sent by a server, where the target program code is program code obtained by encrypting initial program code of the target application program based on a first key;
sending a public key corresponding to a confidential computing operating environment to the server;
receiving a second key returned by the server, where the second key is obtained by encrypting the first key based on the public key;
decrypting the second key to obtain the first key;
and decrypting the target program code according to the first key to obtain the initial program code, and running the initial program code through the confidential computing operating environment.
In a possible implementation manner, the decrypting the second key to obtain the first key includes:
acquiring a private key corresponding to the confidential computing operating environment;
and decrypting the second key according to the private key to obtain the first key.
In one possible implementation, the method further includes:
determining a first signature corresponding to the public key;
the sending the public key corresponding to the confidential computing operating environment to the server includes:
and sending a public key corresponding to the confidential computing operating environment and the first signature to the server, wherein the first signature is used for the server to determine whether the public key is changed.
In one possible implementation, the method further includes:
obtaining target information, wherein the target information comprises relevant information of the target program code, relevant information of the confidential computing operating environment and the public key;
determining a second signature corresponding to the target information;
the sending the public key corresponding to the confidential computing operating environment to the server includes:
sending the target information and the second signature to the server, where the related information of the target program code is used by the server to determine whether the target program code is changed, the related information of the confidential computing operating environment is used by the server to determine the type of the confidential computing operating environment, and the second signature is used by the server to determine whether the target information is changed.
In a third aspect, an embodiment of the present application provides a method for protecting an application program, where the method includes:
receiving a public key corresponding to a confidential computing operating environment sent by terminal equipment;
encrypting the first key according to the public key to obtain an encrypted second key;
and sending the second key to the terminal device, where the second key is used by the terminal device to determine the first key, decrypt target program code of a target application program according to the first key to obtain initial program code, and run the initial program code through the confidential computing operating environment, where the target program code is program code obtained by encrypting the initial program code based on the first key.
In a possible implementation manner, the receiving a public key corresponding to the confidential computing operating environment sent by the terminal device includes:
receiving a public key and a first signature which are sent by terminal equipment and correspond to a confidential computing operating environment;
the encrypting the first key according to the public key to obtain an encrypted second key includes:
verifying the public key according to the first signature;
and, based on the public key passing verification, encrypting the first key according to the public key to obtain an encrypted second key.
In a possible implementation manner, the verifying the public key according to the first signature includes:
determining a first reference signature corresponding to the public key;
determining that the public key is verified based on the first signature being the same as the first reference signature;
determining that the public key verification fails based on the first signature and the first reference signature being different.
In a possible implementation manner, the receiving a public key corresponding to the confidential computing operating environment sent by the terminal device includes:
receiving target information and a second signature which are sent by a terminal device, wherein the target information comprises the relevant information of the confidential computing running environment, the relevant information of the target program code and the public key;
the encrypting the first secret key according to the public key to obtain an encrypted second secret key comprises:
verifying the target information according to the second signature;
parsing the target information, based on the target information passing verification, to obtain the related information of the confidential computing operating environment, the related information of the target program code and the public key;
and, based on the related information of the confidential computing operating environment indicating that the type of the confidential computing operating environment is a target type, and the related information of the target program code indicating that the target program code is not changed, encrypting the first key according to the public key to obtain an encrypted second key.
In one possible implementation, the method further includes:
acquiring an initial program code of the target application program;
and encrypting the initial program code according to the first key to obtain the target program code.
In one possible implementation manner, a plurality of statements in the initial program code correspond to statement types;
the encrypting the initial program code according to the first key to obtain the target program code includes:
determining a target statement in the initial program code based on statement types corresponding to a plurality of statements in the initial program code, where the statement type of the target statement meets the type requirement;
encrypting the target statement according to the first key to obtain an encrypted target statement;
and taking the program code comprising the target statement after encryption and the statements except the target statement in the initial program code as the target program code.
In a fourth aspect, an embodiment of the present application provides an apparatus for protecting an application, where the apparatus includes:
a receiving module, configured to receive target program code of a target application program sent by a server, where the target program code is program code obtained by encrypting initial program code of the target application program based on a first key;
a sending module, configured to send a public key corresponding to a confidential computing operating environment to the server;
the receiving module is further configured to receive a second key returned by the server, where the second key is obtained by encrypting the first key based on the public key;
a decryption module, configured to decrypt the second key to obtain the first key;
the decryption module is further configured to decrypt the target program code according to the first key to obtain the initial program code, and run the initial program code through the confidential computing operating environment.
In a possible implementation manner, the decryption module is configured to obtain a private key corresponding to the confidential computing operating environment; and decrypting the second key according to the private key to obtain the first key.
In one possible implementation, the apparatus further includes:
a determining module, configured to determine a first signature corresponding to the public key;
the sending module is configured to send, to the server, a public key and the first signature that correspond to the confidential computing environment, where the first signature is used by the server to determine whether the public key changes.
In a possible implementation manner, the determining module is further configured to obtain target information, where the target information includes information related to the target program code, information related to the confidential computing operating environment, and the public key; determining a second signature corresponding to the target information;
the sending module is configured to send the target information and the second signature to the server, where the information related to the target program code is used by the server to determine whether the target program code has changed, the information related to the confidential computing operating environment is used by the server to determine the type of the confidential computing operating environment, and the second signature is used by the server to determine whether the target information has changed.
In a fifth aspect, an embodiment of the present application provides an apparatus for protecting an application, where the apparatus includes:
a receiving module, configured to receive a public key corresponding to a confidential computing operating environment sent by a terminal device;
an encryption module, configured to encrypt the first key according to the public key to obtain an encrypted second key;
a sending module, configured to send the second key to the terminal device, where the second key is used by the terminal device to determine the first key, decrypt target program code of a target application program according to the first key to obtain initial program code, and run the initial program code through the confidential computing operating environment, where the target program code is obtained by encrypting the initial program code based on the first key.
In a possible implementation manner, the receiving module is configured to receive a public key and a first signature, which are sent by a terminal device and correspond to a confidential computing operating environment;
the device further comprises:
a verification module, configured to verify the public key according to the first signature;
and the encryption module is configured to, based on the public key passing verification, encrypt the first key according to the public key to obtain an encrypted second key.
In a possible implementation manner, the verification module is configured to determine a first reference signature corresponding to the public key; determining that the public key is verified based on the first signature being the same as the first reference signature; determining that the public key verification fails based on the first signature and the first reference signature being different.
In a possible implementation manner, the receiving module is configured to receive target information and a second signature sent by a terminal device, where the target information includes information related to the confidential computing operating environment, information related to the target program code, and the public key;
the verification module is configured to verify the target information according to the second signature, and, based on the target information passing verification, parse the target information to obtain the related information of the confidential computing operating environment, the related information of the target program code and the public key;
the encryption module is configured to, based on the related information of the confidential computing operating environment indicating that the type of the confidential computing operating environment is a target type, and the related information of the target program code indicating that the target program code is not changed, encrypt the first key according to the public key to obtain an encrypted second key.
In one possible implementation, the apparatus further includes:
the acquisition module is used for acquiring an initial program code of the target application program;
the encryption module is further configured to encrypt the initial program code according to the first key to obtain the target program code.
In one possible implementation manner, a plurality of statements in the initial program code correspond to statement types;
the encryption module is configured to determine a target statement in the initial program code based on statement types corresponding to a plurality of statements in the initial program code, where the statement type of the target statement meets the type requirement; encrypt the target statement according to the first key to obtain an encrypted target statement; and take the program code comprising the encrypted target statement and the statements other than the target statement in the initial program code as the target program code.
In a sixth aspect, an embodiment of the present application provides an electronic device, where the electronic device includes a processor and a memory, where the memory stores at least one program code, and the at least one program code is loaded and executed by the processor, so as to enable the electronic device to implement the method for protecting an application program according to the second aspect and/or any implementation manner of the second aspect, or to enable the electronic device to implement the method for protecting an application program according to the third aspect and/or any implementation manner of the third aspect.
In a seventh aspect, there is further provided a computer-readable storage medium, where at least one program code is stored, and the at least one program code is loaded and executed by a processor, so as to enable a computer to implement any one of the above-mentioned application protection methods.
In an eighth aspect, a computer program or a computer program product is further provided, where at least one computer instruction is stored, and the at least one computer instruction is loaded and executed by a processor, so as to enable a computer to implement any one of the above-mentioned application protection methods.
In a ninth aspect, a system for protecting an application program is further provided, where the system includes a terminal device and a server, the terminal device is configured to execute the method for protecting an application program according to the second aspect and/or any implementation manner of the second aspect, and the server is configured to execute the method for protecting an application program according to the third aspect and/or any implementation manner of the third aspect.
The technical scheme provided by the embodiment of the application at least has the following beneficial effects:
After the target program code of the target application program is obtained, because the target program code is encrypted, the public key corresponding to the confidential computing operating environment is sent to the server to obtain the second key; the first key is determined according to the second key, and the target program code is then decrypted according to the first key to obtain the initial program code that can run in the terminal device. The method can ensure that the initial program code of the target application program is not stolen or tampered with, and ensures the integrity and confidentiality of the initial program code of the target application program, thereby protecting the target application program.
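The exchange set out in the aspects above, worked through in Go as an added example (not code from the patent or its applicant). Assumptions, none of which the text specifies: AES-256-GCM under the first key, RSA-OAEP to produce the second key, an Ed25519 platform key already known to the server for the second signature, and the `realm-vm` type label; all type and function names and the sample program code are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

const targetEnvType = "realm-vm" // assumed label for the accepted environment type

// TargetInfo is the report the terminal signs; Encode yields the signed bytes.
type TargetInfo struct {
	CodeDigest [32]byte // SHA-256 of the target (encrypted) program code received
	EnvType    string
	PubKeyDER  []byte // public key of the confidential computing environment
}

func (t TargetInfo) Encode() []byte {
	b := append(t.CodeDigest[:], byte(len(t.EnvType))) // length prefix fixes field boundaries
	return append(append(b, t.EnvType...), t.PubKeyDER...)
}

// Server holds the first key; Realm stands in for the confidential environment.
type Server struct {
	firstKey   []byte
	TargetCode []byte            // nonce || AES-256-GCM(initial program code)
	attestPub  ed25519.PublicKey // assumption: registered with the server beforehand
}
type Realm struct {
	priv   *rsa.PrivateKey    // never leaves the environment
	attest ed25519.PrivateKey // assumed platform key that signs reports
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Setup builds both parties for the demo and encrypts the initial program code.
func Setup(initialCode []byte) (*Server, *Realm) {
	firstKey, nonce, seed := make([]byte, 32), make([]byte, 12), make([]byte, 32)
	for _, b := range [][]byte{firstKey, nonce, seed} {
		must(rand.Read(b))
	}
	attest := ed25519.NewKeyFromSeed(seed)
	aead := must(cipher.NewGCM(must(aes.NewCipher(firstKey))))
	srv := &Server{firstKey, aead.Seal(nonce, nonce, initialCode, nil), attest.Public().(ed25519.PublicKey)}
	return srv, &Realm{must(rsa.GenerateKey(rand.Reader, 2048)), attest}
}

// ReleaseKey returns the second key only if signature, type and digest all check out.
func (s *Server) ReleaseKey(info TargetInfo, sig []byte) ([]byte, error) {
	switch {
	case !ed25519.Verify(s.attestPub, info.Encode(), sig):
		return nil, errors.New("target information changed: second signature invalid")
	case info.EnvType != targetEnvType:
		return nil, fmt.Errorf("environment type %q is not the target type", info.EnvType)
	case info.CodeDigest != sha256.Sum256(s.TargetCode):
		return nil, errors.New("target program code changed")
	}
	pub, err := x509.ParsePKCS1PublicKey(info.PubKeyDER)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, s.firstKey, nil)
}

// Report hashes the received target program code and signs the target information.
func (r *Realm) Report(targetCode []byte) (TargetInfo, []byte) {
	info := TargetInfo{sha256.Sum256(targetCode), targetEnvType, x509.MarshalPKCS1PublicKey(&r.priv.PublicKey)}
	return info, ed25519.Sign(r.attest, info.Encode())
}

// Decrypt unwraps the second key with the private key, then decrypts the code.
func (r *Realm) Decrypt(targetCode, secondKey []byte) ([]byte, error) {
	firstKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, r.priv, secondKey, nil)
	if err != nil || len(firstKey) != 32 || len(targetCode) < 12 {
		return nil, errors.New("second key rejected or target program code truncated")
	}
	aead := must(cipher.NewGCM(must(aes.NewCipher(firstKey)))) // cannot fail for a 32-byte key
	return aead.Open(nil, targetCode[:12], targetCode[12:], nil)
}

func main() {
	srv, realm := Setup([]byte("print('constructed sample code')"))
	info, sig := realm.Report(srv.TargetCode)
	code, err := realm.Decrypt(srv.TargetCode, must(srv.ReleaseKey(info, sig)))
	fmt.Printf("decrypted: %q (err=%v)\n", code, err)
}
```

A report altered after signing, or a correctly signed report whose digest covers modified target program code, makes `ReleaseKey` return an error instead of the second key.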
Drawings
In order to illustrate the technical solutions in the embodiments of the present application more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of an implementation environment of a method for protecting an application program according to an embodiment of the present application;
Fig. 2 is a flowchart of a method for protecting an application program according to an embodiment of the present application;
Fig. 3 is a schematic diagram of a presentation page of a reference application program according to an embodiment of the present application;
Fig. 4 is a flowchart of a method for protecting an application program according to an embodiment of the present application;
Fig. 5 is a flowchart of a method for protecting an application program according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of an apparatus for protecting an application program according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of an apparatus for protecting an application program according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of a terminal device according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of a server according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the present application more clear, embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of an implementation environment of a method for protecting an application program according to an embodiment of the present application, where as shown in fig. 1, the implementation environment includes: a terminal device 101 and a server 102.
The terminal device 101 is any electronic product capable of human-computer interaction with a user through one or more of a keyboard, a touch pad, a touch screen, a remote controller, voice interaction, or a handwriting device, for example, a PC (Personal Computer), a mobile phone, a smartphone, a PDA (Personal Digital Assistant), a wearable device, a PPC (Pocket PC), a tablet computer, a smart car, a smart television, a smart speaker, and the like. The server 102 may be one server, a server cluster composed of a plurality of server units, or a cloud computing service center. The terminal device 101 establishes a communication connection with the server 102 through a wired network or a wireless network.
The method for protecting an application program provided by the embodiments of the present application is implemented through the interaction between the terminal device 101 and the server 102.
Those skilled in the art will appreciate that the terminal device 101 and the server 102 are only examples, and other existing or future terminal devices or servers, as applicable to the present application, are also included within the scope of the present application and are hereby incorporated by reference.
An embodiment of the present application provides a method for protecting an application program, which can be applied to the implementation environment described above. The method is described with reference to the flowchart shown in Fig. 2, through the interaction between the terminal device 101 and the server 102 in Fig. 1. As shown in Fig. 2, the method includes the following steps 201 to 209.
In step 201, the server obtains the initial program code of the target application.
In a possible implementation manner, a developer of a target application writes an initial program code of the target application, and after the writing is completed, the developer sends the initial program code of the target application to a server through a terminal device used by the developer, so that the server obtains the initial program code of the target application, and then stores the initial program code of the target application through the server.
The initial program code may be written in any programming language, which is not limited in the embodiments of the present application. Illustratively, the language of the initial program code includes, but is not limited to, any one of Python, Java, C, and Objective-C.
In step 202, the server encrypts the initial program code according to the first key to obtain the target program code.
After the server receives the initial program code of the target application program, the initial program code is stored in the storage space of the server. Optionally, to prevent the initial program code stored in the storage space of the server from being changed (stolen or tampered with), the server may further encrypt the initial program code of the target application according to the first key, so as to obtain the target program code of the target application. The first key is a tool for encrypting and decrypting data.
In the embodiment of the present application, a manner of encrypting the initial program code of the target application according to the first key to obtain the target program code of the target application is not limited. Illustratively, the following two implementation manners are provided to encrypt the initial program code of the target application according to the first key, so as to obtain the target program code of the target application.
In the first implementation manner, the server encrypts each statement in the initial program code of the target application program according to the first key to obtain the target program code of the target application program.
The initial program code of the target application program comprises a plurality of statements, the server encrypts each statement according to the first key to obtain each encrypted statement, and the program code comprising each encrypted statement is used as the target program code of the target application program. The encryption process of each statement is similar, and this is not limited in this embodiment of the present application.
In the second implementation manner, the server determines a target statement in the initial program code based on statement types corresponding to a plurality of statements in the initial program code, encrypts the target statement according to the first key to obtain an encrypted target statement, and takes a program code including the encrypted target statement and the statement except the target statement in the initial program code as the target program code.
The statement type of the target statement meets the type requirement, that is, the target statement is an important statement in the initial program code. Optionally, the developer of the target application adds a statement type to each statement when writing the initial program code of the target application, or adds a statement type only to the more critical statements in the initial program code.
After the target statement is determined, only the target statement is encrypted according to the first key; the statements other than the target statement in the initial program code do not need to be encrypted. The program code comprising the encrypted target statement and the statements other than the target statement in the initial program code is taken as the target program code.
In a possible implementation manner, after the target program code of the target application program is acquired, the server stores the program identifier of the target application program in correspondence with the target program code of the target application program. Alternatively, the server uploads the target program code of the target application to the application store so that the user can obtain the target program code of the target application. The program identifier may be any identifier that can uniquely represent one program, and this is not limited in this embodiment of the application. For example, the program identifier of the target application is the program name of the target application.
In step 203, the server sends the target program code of the target application to the terminal device.
In a possible implementation manner, a reference application for installing a target application is installed and run in the terminal device, and the reference application may be of any type, which is not limited in this embodiment of the present application. The terminal device displays relevant information of the reference application program, where the relevant information of the reference application program may be an icon capable of representing the reference application program or a program name of the reference application program, and this is not limited in this embodiment of the present application.
When a target object using the terminal device wants to install the target application, the target object selects the related information of the reference application. The terminal device receives the trigger operation on the related information of the reference application and displays a presentation page of the reference application, in which the related information of the target application and an installation control corresponding to the target application are displayed; the installation control corresponding to the target application is used to obtain the target program code of the target application. Fig. 3 is a schematic diagram of a presentation page of a reference application provided in an embodiment of the present application, in which an icon 301 of the target application, a name 302 of the target application, and an installation control 303 corresponding to the target application are displayed. Icons, names and corresponding installation controls of other applications may also be displayed in Fig. 3.
In response to a trigger operation on the installation control corresponding to the target application, the terminal device sends a program code acquisition request to the server, where the program code acquisition request carries the program identifier of the target application. The server receives the program code acquisition request and parses it to obtain the program identifier of the target application. The server stores the target program code of each application and the correspondence between the program identifier of each application and the target program code of each application. The server obtains the target program code of the target application according to the program identifier of the target application and this correspondence, and sends the target program code of the target application to the terminal device, so that the terminal device obtains the target program code of the target application. The target program code is obtained by encrypting the initial program code of the target application based on the first key.
In one possible implementation, a search control is also displayed in the presentation page of the reference application, such as the search control shown as the control 304 in fig. 3. When the related information of the target application program is not displayed in the display page of the reference application program, the target object inputs the program name of the target application program in the search control, and then the related information of the target application program and the installation control corresponding to the target application program are displayed in the display page of the reference application program, so that the terminal equipment can acquire the target program code of the target application program.
In step 204, the terminal device receives the target program code of the target application program transmitted by the server, and transmits the public key corresponding to the confidential computing environment to the server.
In a possible implementation manner, the terminal device includes a Realm Management Monitor (RMM). The RMM can control a confidential computing operating environment (Realm VM), and one application corresponds to one confidential computing operating environment. After the target program code of the target application program is obtained, the confidential computing operating environment corresponding to the target application program is started, and the initial program code of the target application program is run through that confidential computing operating environment.
After the terminal device determines the confidential computing operation environment, a public key and a private key corresponding to the confidential computing operation environment are stored in the confidential computing operation environment, the terminal device obtains the public key corresponding to the confidential computing operation environment, and the public key corresponding to the confidential computing operation environment is sent to the server.
Optionally, the terminal device may further determine a first signature corresponding to the public key, and send the public key and the first signature corresponding to the confidential computing environment to the server, where the first signature is used by the server to determine whether the public key has changed, that is, whether the public key was tampered with during transmission. The first signature corresponding to the public key may refer to information obtained by encrypting the digest value of the public key with the third key. The third key is known to both the terminal device and the server.
The terminal device may send the public key to the server first, and then send the first signature to the server, may also send the first signature to the server first, and then send the public key to the server, and may also send the public key and the first signature to the server at the same time.
The terminal equipment can also obtain target information, wherein the target information comprises related information of a target program code, related information of a confidential computing operating environment and a public key; and determining a second signature corresponding to the target information, and sending the target information and the second signature to the server. The relevant information of the target program code is used for the server to determine whether the target program code is changed; the relevant information of the confidential computing running environment is used for the server to determine the type of the confidential computing running environment; the second signature is used for the server to determine whether the target information is changed, namely whether the target information is tampered in the transmission process. The determination process of the second signature corresponding to the target information is similar to that of the first signature corresponding to the public key, which is not limited in the embodiment of the present application.
The terminal device may send the target information to the server first, and then send the second signature to the server, may send the second signature to the server first, and then send the target information to the server, and may also send the target information and the second signature to the server at the same time.
In step 205, the server receives the public key corresponding to the confidential computing operating environment sent by the terminal device, and encrypts the first secret key according to the public key to obtain an encrypted second secret key.
In a possible implementation manner, after receiving a public key corresponding to the confidential computing operating environment sent by the terminal device, the server encrypts the first secret key according to the public key to obtain an encrypted second secret key.
Or the server receives a public key and a first signature which are sent by the terminal device and correspond to the confidential computing operating environment, verifies the public key according to the first signature and, if the public key passes verification, encrypts the first key according to the public key to obtain an encrypted second key.
The process of verifying the public key according to the first signature comprises: determining a first reference signature corresponding to the public key; if the first signature and the first reference signature are the same, determining that the public key passes verification, which indicates that the public key was not tampered with during transmission; if the first signature and the first reference signature are different, determining that the public key verification fails, which indicates that the public key was tampered with during transmission. Optionally, the process of determining the first reference signature corresponding to the public key is similar to the process of determining the first signature corresponding to the public key, and is not described herein again.
Or the server receives target information and a second signature sent by the terminal device, where the target information includes related information of the confidential computing running environment, related information of the target program code, and the public key; verifies the target information according to the second signature; if the target information passes verification, parses the target information to obtain the related information of the confidential computing running environment, the related information of the target program code, and the public key; and, if the related information of the confidential computing running environment indicates that the type of the confidential computing running environment is the target type and the related information of the target program code indicates that the target program code has not changed, encrypts the first key according to the public key to obtain an encrypted second key.
The target type of the confidential computing running environment means that the confidential computing running environment is an environment on a real hardware platform (ARM-CCA platform). The process of verifying the target information according to the second signature comprises: determining a second reference signature corresponding to the target information; if the second signature and the second reference signature are the same, determining that the target information passes verification, which indicates that the target information was not tampered with during transmission; if the second signature and the second reference signature are different, determining that the target information verification fails, which indicates that the target information was tampered with during transmission. Optionally, the process of determining the second reference signature corresponding to the target information is similar to the process of determining the second signature corresponding to the target information, and is not described herein again.
In step 206, the server sends the second key to the terminal device.
After the server acquires the second key, the server may immediately send the second key to the terminal device, or send the second key to the terminal device after waiting for a period of time. The period of time may be any time length, which is not limited in the embodiment of the present application. Illustratively, the period of time is 3 seconds.
In step 207, the terminal device receives the second key sent by the server, and decrypts the second key to obtain the first key.
In a possible implementation manner, the process of decrypting the second key to obtain the first key includes: acquiring a private key corresponding to a confidential computing operating environment; and decrypting the second key based on the private key to obtain the first key.
Optionally, each computing operating environment managed by the terminal device may generate a public key and a private key, and the public key and the private key generated by any computing operating environment are matched. The terminal device stores the public key and the private key generated by each computing operation environment, the environment identification of each computing operation environment, and the corresponding relation between the public key and the private key generated by each computing operation environment. And after receiving the second secret key sent by the server, the terminal equipment acquires the private key corresponding to the confidential computing operation environment according to the environment identification of the confidential computing operation environment, the environment identification of each computing operation environment and the corresponding relationship between the public key and the private key generated by each computing operation environment. Of course, the terminal device may also obtain the private key corresponding to the confidential computing operating environment before receiving the second key sent by the server, and the obtaining timing of the private key corresponding to the confidential computing operating environment is not limited in the embodiment of the present application.
In step 208, the terminal device decrypts the target program code according to the first key to obtain the initial program code.
In a possible implementation manner, after the terminal device acquires the first key, the target program code is decrypted according to the first key to obtain the initial program code.
After the terminal device obtains the initial program code, the first key can be deleted to prevent the first key from being leaked, which would allow the initial program code to be stolen and tampered with.
In step 209, the terminal device installs the target application by running the initial program code through the confidential computing environment.
After the terminal device obtains the initial program code, the terminal device runs the initial program code through the confidential computing running environment, and after the initial program code is run, the target application program is installed in the terminal device.
Because the target program code is encrypted, after obtaining the target program code of the target application program the terminal device sends the public key corresponding to the confidential computing running environment to the server and obtains the second key; it determines the first key according to the second key and then decrypts the target program code according to the first key to obtain the initial program code that can run in the terminal device. The method can ensure that the initial program code of the target application program is not stolen or tampered with, and ensures the integrity and confidentiality of the initial program code of the target application program, thereby protecting the target application program.
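The key-release exchange of steps 204 to 207, in the variant where the terminal sends target information and a second signature, as an added Go example that is not part of the patent text. The page names no algorithms, so HMAC-SHA256 under the shared third key stands in for "encrypting the digest value with the third key" and RSA-OAEP for the public-key encryption; the type label, field layout, function names and inputs are constructed, and the target program code is treated as opaque bytes.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

const targetEnvType = "arm-cca-realm" // constructed label for the "target type"

var (
	ErrSignature = errors.New("target information failed verification")
	ErrPolicy    = errors.New("wrong environment type or changed target program code")
)

// TargetInfo is the target information sent together with the second signature.
type TargetInfo struct {
	EnvType    string // related information of the confidential computing environment
	CodeDigest []byte // related information of the target program code (SHA-256, assumed)
	PublicKey  []byte // PKCS#1 DER public key of the environment (encoding assumed)
}

// Sign authenticates the length-prefixed fields with the shared third key.
// HMAC-SHA256 is this example's choice; the page names no algorithm.
func Sign(thirdKey []byte, t TargetInfo) []byte {
	m := hmac.New(sha256.New, thirdKey)
	for _, f := range [][]byte{[]byte(t.EnvType), t.CodeDigest, t.PublicKey} {
		m.Write([]byte{byte(len(f) >> 8), byte(len(f))}) // prefix keeps field boundaries fixed
		m.Write(f)
	}
	return m.Sum(nil)
}

// ServerWrapKey is step 205: recompute the reference signature, check the environment
// type and the code digest, and only then encrypt the first key under the public key.
func ServerWrapKey(thirdKey, firstKey, targetCode []byte, info TargetInfo, sig []byte) ([]byte, error) {
	if !hmac.Equal(sig, Sign(thirdKey, info)) { // constant-time comparison
		return nil, ErrSignature
	}
	want := sha256.Sum256(targetCode)
	if info.EnvType != targetEnvType || !hmac.Equal(info.CodeDigest, want[:]) {
		return nil, ErrPolicy
	}
	pub, err := x509.ParsePKCS1PublicKey(info.PublicKey)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, firstKey, nil) // the second key
}

// TerminalUnwrap is step 207: the environment's private key recovers the first key.
func TerminalUnwrap(priv *rsa.PrivateKey, secondKey []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, secondKey, nil)
}

// Exchange runs steps 204 to 207 on constructed inputs and reports whether the terminal
// recovered the server's first key. tamper flips one public-key bit after signing.
func Exchange(envType string, tamper bool) (bool, error) {
	thirdKey := []byte("constructed-third-key")
	targetCode := []byte("constructed stand-in for the encrypted target program code")
	firstKey := make([]byte, 32)
	if _, err := rand.Read(firstKey); err != nil {
		return false, err
	}
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the environment's key pair
	if err != nil {
		return false, err
	}
	digest := sha256.Sum256(targetCode)
	info := TargetInfo{
		EnvType:    envType,
		CodeDigest: digest[:],
		PublicKey:  x509.MarshalPKCS1PublicKey(&priv.PublicKey),
	}
	sig := Sign(thirdKey, info)
	if tamper {
		info.PublicKey[len(info.PublicKey)-1] ^= 1
	}
	secondKey, err := ServerWrapKey(thirdKey, firstKey, targetCode, info, sig)
	if err != nil {
		return false, err
	}
	recovered, err := TerminalUnwrap(priv, secondKey)
	return err == nil && hmac.Equal(recovered, firstKey), err
}

func main() {
	fmt.Println(Exchange(targetEnvType, false)) // key released and recovered
	fmt.Println(Exchange("emulator", false))    // refused: not the target type
	fmt.Println(Exchange(targetEnvType, true))  // refused: public key changed in transit
}
```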
Fig. 4 is a flowchart of a method for protecting an application program according to an embodiment of the present application, where the method is executable by the terminal device 101 in fig. 1. As shown in fig. 4, the method includes the following steps.
In step 401, the target program code of the target application sent by the server is received, where the target program code is a program code obtained by encrypting an initial program code of the target application based on the first key.
In a possible implementation manner, the process of receiving the target program code of the target application program sent by the server is similar to the process of step 204, and is not described herein again.
In step 402, a public key corresponding to the confidential computing operating environment is sent to the server.
In a possible implementation manner, the process of sending the public key corresponding to the confidential computing operating environment to the server is similar to the process of step 204, and is not described herein again.
In step 403, a second key returned by the server is received, where the second key is obtained by encrypting the first key based on the public key.
In a possible implementation manner, the process of receiving the second key returned by the server is similar to the process of step 207, and is not described herein again.
In step 404, the second key is decrypted to obtain the first key.
In a possible implementation manner, the process of decrypting the second key to obtain the first key is similar to the process of step 207, and is not described herein again.
In step 405, the target program code is decrypted according to the first key to obtain an initial program code, and the initial program code is executed through the confidential computing environment.
In a possible implementation manner, the process of decrypting the target program code according to the first key to obtain the initial program code is similar to the process of step 208, and the process of running the initial program code through the confidential computing running environment is similar to the process of step 209, which are not described herein again.
Because the target program code is encrypted, after obtaining the target program code of the target application program the terminal device sends the public key corresponding to the confidential computing running environment to the server and obtains the second key; it determines the first key according to the second key and then decrypts the target program code according to the first key to obtain the initial program code that can run in the terminal device. The method can ensure that the initial program code of the target application program is not stolen or tampered with, and ensures the integrity and confidentiality of the initial program code of the target application program, thereby protecting the target application program.
Fig. 5 is a flowchart of a method for protecting an application program according to an embodiment of the present application, where the method may be performed by the server 102 in fig. 1. As shown in fig. 5, the method includes the following steps.
In step 501, a public key corresponding to the confidential computing operating environment transmitted by the terminal device is received.
In a possible implementation manner, the process of receiving the public key corresponding to the confidential computing operating environment sent by the terminal device is similar to the process of step 205, and is not described again here.
In step 502, the first key is encrypted according to the public key to obtain an encrypted second key.
In a possible implementation manner, the process of encrypting the first key according to the public key to obtain the encrypted second key is similar to the process of step 205, and is not described herein again.
In step 503, the second key is sent to the terminal device.
The second key is used by the terminal device to determine the first key, decrypt the target program code of the target application program according to the first key to obtain the initial program code, and run the initial program code through the confidential computing operating environment; the target program code is the program code obtained by encrypting the initial program code based on the first key.
In a possible implementation manner, the process of sending the second key to the terminal device is similar to the process in step 206, and is not described herein again.
The method encrypts the first key according to the public key, sent by the terminal device, that corresponds to the confidential computing running environment, to obtain the second key, and then sends the second key to the terminal device, so that the terminal device can determine the first key according to the second key and decrypt the target program code to obtain the initial program code that can run in the terminal device. The method can ensure that the initial program code of the target application program is not stolen or tampered with, and ensures the integrity and confidentiality of the initial program code of the target application program, thereby protecting the target application program.
Fig. 6 is a schematic structural diagram of an application protection apparatus according to an embodiment of the present application, and as shown in fig. 6, the apparatus includes:
a receiving module 601, configured to receive the target program code of a target application program sent by a server, where the target program code is a program code obtained by encrypting an initial program code of the target application program based on a first key;
a sending module 602, configured to send a public key corresponding to the confidential computing operating environment to the server;
the receiving module 601 is further configured to receive a second secret key returned by the server, where the second secret key is a secret key obtained by encrypting the first secret key based on a public key;
the decryption module 603 is configured to decrypt the second key to obtain a first key;
the decryption module 603 is further configured to decrypt the target program code according to the first key to obtain an initial program code, and run the initial program code through the confidential computing environment.
In a possible implementation manner, the decryption module 603 is configured to obtain a private key corresponding to the confidential computing operating environment; and decrypting the second key according to the private key to obtain the first key.
In one possible implementation, the apparatus further includes:
the determining module is used for determining a first signature corresponding to the public key;
the sending module 602 is configured to send, to the server, a public key and a first signature corresponding to the confidential computing operating environment, where the first signature is used by the server to determine whether the public key changes.
In a possible implementation manner, the determining module is further configured to obtain target information, where the target information includes information related to a target program code, information related to a confidential computing operating environment, and a public key; determining a second signature corresponding to the target information;
a sending module 602, configured to send, to the server, target information and a second signature, where the target information is used by the server to determine whether the target program code has changed, the relevant information of the confidential computing operating environment is used by the server to determine the type of the confidential computing operating environment, and the second signature is used by the server to determine whether the target information has changed.
Because the target program code is encrypted, after acquiring the target program code of the target application program the apparatus sends the public key corresponding to the confidential computing operating environment to the server and obtains the second key; it determines the first key according to the second key and then decrypts the target program code according to the first key to obtain the initial program code that can run in the terminal device. This can ensure that the initial program code of the target application program is not stolen or tampered with, and ensures the security and confidentiality of the initial program code of the target application program, thereby protecting the target application program.
Fig. 7 is a schematic structural diagram of an application protection device according to an embodiment of the present application, and as shown in fig. 7, the application protection device includes:
a receiving module 701, configured to receive a public key corresponding to a confidential computing operating environment sent by a terminal device;
an encryption module 702, configured to encrypt the first key according to the public key to obtain an encrypted second key;
a sending module 703, configured to send a second key to the terminal device, where the second key is used by the terminal device to determine the first key, decrypt the target program code of the target application according to the first key to obtain an initial program code, and run the initial program code through the confidential computing environment, where the target program code is obtained by encrypting the initial program code based on the first key.
In a possible implementation manner, the receiving module 701 is configured to receive a public key and a first signature corresponding to a confidential computing operating environment sent by a terminal device;
the apparatus further includes:
the verification module is used for verifying the public key according to the first signature;
the encryption module 702 is configured to encrypt the first key according to the public key based on the verification of the public key, so as to obtain an encrypted second key.
In a possible implementation manner, the verification module is configured to determine a first reference signature corresponding to the public key; determining that the public key passes verification based on the first signature and the first reference signature being the same; determining that the public key verification fails based on the first signature being different from the first reference signature.
In a possible implementation manner, the receiving module 701 is configured to receive target information and a second signature sent by a terminal device, where the target information includes information related to a confidential computing operating environment, information related to a target program code, and a public key;
the verification module is used for verifying the target information according to the second signature; analyzing the target information based on the passing of the target information verification to obtain the relevant information of the confidential computing operating environment, the relevant information of the target program code and a public key;
the encryption module 702 is configured to encrypt the first key according to the public key to obtain an encrypted second key, based on the related information of the confidential computing operating environment indicating that the type of the confidential computing operating environment is the target type and the related information of the target program code indicating that the target program code has not changed.
In one possible implementation, the apparatus further includes:
the acquisition module is used for acquiring an initial program code of the target application program;
the encryption module 702 is further configured to encrypt the initial program code according to the first key to obtain the target program code.
In one possible implementation, a plurality of statements in the initial program code correspond to statement types;
an encryption module 702, configured to determine a target statement in an initial program code based on statement types corresponding to multiple statements in the initial program code, where the statement type of the target statement meets a type requirement; encrypting the target statement according to the first key to obtain an encrypted target statement; and taking the program code comprising the target statement after encryption and the statements except the target statement in the initial program code as the target program code.
The apparatus encrypts the first key according to the public key, sent by the terminal device, that corresponds to the confidential computing running environment, to obtain a second key, and then sends the second key to the terminal device, so that the terminal device determines the first key according to the second key and decrypts the target program code to obtain the initial program code that can run in the terminal device. This can ensure that the initial program code of the target application program is not tampered with, and ensures the security and confidentiality of the initial program code of the target application program, thereby protecting the target application program.
It should be understood that, when the above-mentioned apparatus is provided to implement its functions, it is only illustrated by the division of the above-mentioned functional modules, and in practical applications, the above-mentioned functions may be distributed by different functional modules according to needs, that is, the internal structure of the device is divided into different functional modules to implement all or part of the functions described above. In addition, the apparatus and method embodiments provided by the above embodiments belong to the same concept, and specific implementation processes thereof are described in the method embodiments for details, which are not described herein again.
Fig. 8 shows a block diagram of a terminal device 800 according to an exemplary embodiment of the present application. The terminal device 800 may be a portable mobile terminal such as: a smart phone, a tablet computer, an MP3 player (Moving Picture Experts Group Audio Layer III), an MP4 player (Moving Picture Experts Group Audio Layer IV), a notebook computer, or a desktop computer. The terminal device 800 may also be referred to by other names such as user equipment, portable terminal, laptop terminal, desktop terminal, etc.
In general, the terminal device 800 includes: a processor 801 and a memory 802.
The processor 801 may include one or more processing cores, such as a 4-core processor, an 8-core processor, and so forth. The processor 801 may be implemented in at least one hardware form of a DSP (Digital Signal Processing), an FPGA (Field-Programmable Gate Array), and a PLA (Programmable Logic Array). The processor 801 may also include a main processor and a coprocessor, where the main processor is a processor for Processing data in an awake state, and is also called a Central Processing Unit (CPU); a coprocessor is a low power processor for processing data in a standby state. In some embodiments, the processor 801 may be integrated with a GPU (Graphics Processing Unit) which is responsible for rendering and drawing the content required to be displayed by the display screen. In some embodiments, the processor 801 may further include an AI (Artificial Intelligence) processor for processing computing operations related to machine learning.
Memory 802 may include one or more computer-readable storage media, which may be non-transitory. Memory 802 can also include high-speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In some embodiments, a non-transitory computer readable storage medium in memory 802 is used to store at least one instruction for execution by processor 801 to implement a method of protecting an application program provided by the method embodiment illustrated in fig. 4 herein.
In some embodiments, the terminal device 800 may further include: a peripheral interface 803 and at least one peripheral. The processor 801, memory 802, and peripheral interface 803 may be connected by buses or signal lines. Various peripheral devices may be connected to peripheral interface 803 by a bus, signal line, or circuit board. Specifically, the peripheral device includes: at least one of a radio frequency circuit 804, a display screen 805, a camera assembly 806, an audio circuit 807, a positioning assembly 808, and a power supply 809.
The peripheral interface 803 may be used to connect at least one peripheral device related to I/O (Input/Output) to the processor 801 and the memory 802. In some embodiments, the processor 801, memory 802, and peripheral interface 803 are integrated on the same chip or circuit board; in some other embodiments, any one or two of the processor 801, the memory 802, and the peripheral interface 803 may be implemented on separate chips or circuit boards, which is not limited by the present embodiment.
The Radio Frequency circuit 804 is used for receiving and transmitting RF (Radio Frequency) signals, also called electromagnetic signals. The radio frequency circuitry 804 communicates with a communication network and other communication devices via electromagnetic signals. The rf circuit 804 converts an electrical signal into an electromagnetic signal to be transmitted, or converts a received electromagnetic signal into an electrical signal. Optionally, the radio frequency circuit 804 includes: an antenna system, an RF transceiver, one or more amplifiers, a tuner, an oscillator, a digital signal processor, a codec chipset, a subscriber identity module card, and so forth. The radio frequency circuit 804 may communicate with other terminal devices via at least one wireless communication protocol. The wireless communication protocols include, but are not limited to: the world wide web, metropolitan area networks, intranets, generations of mobile communication networks (2G, 3G, 4G, and 5G), wireless local area networks, and/or WiFi (Wireless Fidelity) networks. In some embodiments, the radio frequency circuit 804 may further include NFC (Near Field Communication) related circuits, which are not limited in this application.
The display 805 is used to display a UI (User Interface). The UI may include graphics, text, icons, video, and any combination thereof. When the display 805 is a touch display, the display 805 also has the ability to capture touch signals on or above the surface of the display 805. The touch signal may be input to the processor 801 as a control signal for processing. At this point, the display 805 may also be used to provide virtual buttons and/or a virtual keyboard, also referred to as soft buttons and/or a soft keyboard. In some embodiments, there may be one display 805, disposed on the front panel of the terminal device 800; in other embodiments, there may be at least two displays 805, each disposed on a different surface of the terminal device 800 or in a folding design; in other embodiments, the display 805 may be a flexible display, disposed on a curved surface or a folded surface of the terminal device 800. Even further, the display 805 may be configured as a non-rectangular irregular figure, i.e., a shaped screen. The display 805 can be made of LCD (Liquid Crystal Display), OLED (Organic Light-Emitting Diode), and other materials.
The camera assembly 806 is used to capture images or video. Optionally, camera assembly 806 includes a front camera and a rear camera. In general, a front camera is provided on a front panel of the terminal device 800, and a rear camera is provided on a rear surface of the terminal device 800. In some embodiments, the number of the rear cameras is at least two, and each rear camera is any one of a main camera, a depth-of-field camera, a wide-angle camera and a telephoto camera, so that the main camera and the depth-of-field camera are fused to realize a background blurring function, and the main camera and the wide-angle camera are fused to realize panoramic shooting and VR (Virtual Reality) shooting functions or other fusion shooting functions. In some embodiments, camera assembly 806 may also include a flash. The flash may be a single-color-temperature flash or a dual-color-temperature flash. A dual-color-temperature flash is a combination of a warm-light flash and a cold-light flash and can be used for light compensation at different color temperatures.
The audio circuitry 807 may include a microphone and a speaker. The microphone is used for collecting sound waves of a user and the environment, converting the sound waves into electric signals, and inputting the electric signals to the processor 801 for processing or inputting the electric signals to the radio frequency circuit 804 to achieve voice communication. For the purpose of stereo sound collection or noise reduction, a plurality of microphones may be provided at different positions of the terminal device 800. The microphone may also be an array microphone or an omni-directional pick-up microphone. The speaker is used to convert electrical signals from the processor 801 or the radio frequency circuit 804 into sound waves. The loudspeaker can be a traditional film loudspeaker or a piezoelectric ceramic loudspeaker. When the speaker is a piezoelectric ceramic speaker, the speaker can be used for purposes such as converting an electric signal into a sound wave audible to a human being, or converting an electric signal into a sound wave inaudible to a human being to measure a distance. In some embodiments, the audio circuitry 807 may also include a headphone jack.
The positioning component 808 is used to locate the current geographic location of the terminal device 800 to implement navigation or LBS (Location Based Service). The positioning component 808 may be a positioning component based on the GPS (Global Positioning System) of the United States, the BeiDou system of China, the GLONASS system of Russia, or the Galileo system of the European Union.
The power supply 809 is used to supply power to the various components in the terminal device 800. The power supply 809 may be alternating current, direct current, a disposable battery or a rechargeable battery. When the power supply 809 includes a rechargeable battery, the rechargeable battery can be a wired rechargeable battery or a wireless rechargeable battery. The wired rechargeable battery is a battery charged through a wired line, and the wireless rechargeable battery is a battery charged through a wireless coil. The rechargeable battery may also support fast charging technology.
In some embodiments, terminal device 800 also includes one or more sensors 810. The one or more sensors 810 include, but are not limited to: acceleration sensor 811, gyro sensor 812, pressure sensor 813, fingerprint sensor 814, optical sensor 815 and proximity sensor 816.
The acceleration sensor 811 can detect the magnitude of acceleration in three coordinate axes of the coordinate system established with the terminal apparatus 800. For example, the acceleration sensor 811 may be used to detect components of the gravitational acceleration in three coordinate axes. The processor 801 may control the display 805 to display the user interface in a landscape view or a portrait view according to the gravitational acceleration signal collected by the acceleration sensor 811. The acceleration sensor 811 may also be used for acquisition of motion data of a game or a user.
The gyro sensor 812 may detect a body direction and a rotation angle of the terminal device 800, and the gyro sensor 812 may cooperate with the acceleration sensor 811 to acquire a 3D motion of the user on the terminal device 800. From the data collected by the gyro sensor 812, the processor 801 may implement the following functions: motion sensing (such as changing the UI according to a user's tilting operation), image stabilization at the time of photographing, game control, and inertial navigation.
Pressure sensors 813 may be disposed on the side bezel of terminal device 800 and/or underneath display screen 805. When the pressure sensor 813 is arranged on the side frame of the terminal device 800, the holding signal of the user to the terminal device 800 can be detected, and the processor 801 performs left-right hand recognition or shortcut operation according to the holding signal collected by the pressure sensor 813. When the pressure sensor 813 is disposed at a lower layer of the display screen 805, the processor 801 controls the operability control on the UI interface according to the pressure operation of the user on the display screen 805. The operability control comprises at least one of a button control, a scroll bar control, an icon control, and a menu control.
The fingerprint sensor 814 is used for collecting a fingerprint of the user, and the processor 801 identifies the identity of the user according to the fingerprint collected by the fingerprint sensor 814, or the fingerprint sensor 814 identifies the identity of the user according to the collected fingerprint. Upon identifying the user as a trusted identity, the processor 801 authorizes the user to perform relevant sensitive operations, including unlocking the screen, viewing encrypted information, downloading software, making payments, and changing settings. The fingerprint sensor 814 may be disposed on the front, back, or side of the terminal device 800. When a physical button or a vendor logo is provided on the terminal device 800, the fingerprint sensor 814 may be integrated with the physical button or the vendor logo.
The optical sensor 815 is used to collect the ambient light intensity. In one embodiment, processor 801 may control the display brightness of display 805 based on the ambient light intensity collected by optical sensor 815. Specifically, when the ambient light intensity is high, the display brightness of the display screen 805 is increased; when the ambient light intensity is low, the display brightness of the display 805 is adjusted down. In another embodiment, the processor 801 may also dynamically adjust the shooting parameters of the camera assembly 806 based on the ambient light intensity collected by the optical sensor 815.
The proximity sensor 816, also called a distance sensor, is typically provided on the front panel of the terminal device 800. The proximity sensor 816 is used to collect the distance between the user and the front surface of the terminal device 800. In one embodiment, when the proximity sensor 816 detects that the distance between the user and the front surface of the terminal device 800 gradually decreases, the processor 801 controls the display 805 to switch from the bright screen state to the dark screen state; when the proximity sensor 816 detects that the distance between the user and the front surface of the terminal device 800 gradually increases, the processor 801 controls the display 805 to switch from the dark screen state to the bright screen state.
Those skilled in the art will appreciate that the configuration shown in fig. 8 does not limit the terminal device 800, which may include more or fewer components than shown, combine certain components, or employ a different arrangement of components.
Fig. 9 is a schematic structural diagram of a server provided in an embodiment of the present application. The server 900 may vary considerably depending on its configuration or performance, and may include one or more processors (CPUs) 901 and one or more memories 902, where the one or more memories 902 store at least one program code, and the at least one program code is loaded and executed by the one or more processors 901 to implement the method for protecting an application program provided in the method embodiment shown in fig. 5. Of course, the server 900 may also have components such as a wired or wireless network interface, a keyboard, and an input/output interface for input and output, and the server 900 may also include other components for implementing device functions, which are not described herein again.
In an exemplary embodiment, there is also provided a computer-readable storage medium having at least one program code stored therein, the at least one program code being loaded and executed by a processor to cause a computer to implement the method for protecting an application program of any one of the above.
Optionally, the computer-readable storage medium may be a Read-Only Memory (ROM), a Random Access Memory (RAM), a Compact Disc Read-Only Memory (CD-ROM), a magnetic tape, a floppy disk, an optical data storage device, and the like.
Optionally, a system for protecting an application program is further provided, where the system includes a terminal device and a server, the terminal device is configured to execute the method for protecting the application program shown in fig. 4, and the server is configured to execute the method for protecting the application program shown in fig. 5.
In an exemplary embodiment, there is also provided a computer program or a computer program product having at least one computer instruction stored therein, the at least one computer instruction being loaded and executed by a processor to cause a computer to implement the method for protecting an application program of any of the above.
It should be noted that information (including but not limited to user equipment information, user personal information, etc.), data (including but not limited to data for analysis, stored data, presented data, etc.), and signals referred to in this application are authorized by the user or sufficiently authorized by various parties, and the collection, use, and processing of the relevant data is required to comply with relevant laws and regulations and standards in relevant countries and regions. For example, the initial program code referred to in this application is obtained with sufficient authorization.
It should be understood that reference to "a plurality" herein means two or more. "And/or" describes the association relationship of the associated objects and indicates that three relationships are possible; for example, A and/or B may indicate: A exists alone, A and B exist simultaneously, or B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
The above description is only exemplary of the present application and should not be taken as limiting the present application, and any modifications, equivalents, improvements and the like that are made within the principles of the present application should be included in the protection scope of the present application.

Claims (10)

1. A method for protecting an application, the method comprising:
a terminal device receives a target program code of a target application program sent by a server, wherein the target program code is a program code obtained by encrypting an initial program code of the target application program based on a first key;
the terminal device sends a public key corresponding to a confidential computing running environment to the server;
the server receives the public key corresponding to the confidential computing running environment sent by the terminal device, and encrypts the first key according to the public key to obtain an encrypted second key;
the server sends the second key to the terminal device;
the terminal device receives the second key returned by the server, and decrypts the second key to obtain the first key;
and the terminal device decrypts the target program code according to the first key to obtain the initial program code, and runs the initial program code through the confidential computing running environment.
2. A protection method of an application program is applied to a terminal device, and the method comprises the following steps:
receiving a target program code of a target application program sent by a server, wherein the target program code is a program code obtained by encrypting an initial program code of the target application program based on a first key;
sending a public key corresponding to a confidential computing running environment to the server;
receiving a second key returned by the server, wherein the second key is obtained by encrypting the first key based on the public key;
decrypting the second key to obtain the first key;
and decrypting the target program code according to the first key to obtain the initial program code, and running the initial program code through the confidential computing running environment.
3. The method of claim 2, wherein decrypting the second key to obtain the first key comprises:
acquiring a private key corresponding to the confidential computing operating environment;
and decrypting the second key according to the private key to obtain the first key.
4. A method according to claim 2 or 3, characterized in that the method further comprises:
determining a first signature corresponding to the public key;
the sending the public key corresponding to the confidential computing operating environment to the server includes:
and sending a public key corresponding to the confidential computing running environment and the first signature to the server, wherein the first signature is used for the server to determine whether the public key changes.
5. A method according to claim 2 or 3, characterized in that the method further comprises:
acquiring target information, wherein the target information comprises the relevant information of the target program code, the relevant information of the confidential computing operating environment and the public key;
determining a second signature corresponding to the target information;
the sending the public key corresponding to the confidential computing operating environment to the server includes:
sending the target information and the second signature to the server, wherein the relevant information of the target program code is used for the server to determine whether the target program code is changed, the relevant information of the confidential computing running environment is used for the server to determine the type of the confidential computing running environment, and the second signature is used for the server to determine whether the target information is changed.
6. A protection method of an application program is applied to a server, and the method comprises the following steps:
receiving a public key corresponding to a confidential computing running environment sent by a terminal device;
encrypting a first key according to the public key to obtain an encrypted second key;
and sending the second key to the terminal device, wherein the second key is used by the terminal device to determine the first key, decrypt a target program code of a target application program according to the first key to obtain an initial program code, and run the initial program code through the confidential computing running environment, wherein the target program code is a program code obtained by encrypting the initial program code based on the first key.
7. The method according to claim 6, wherein the receiving of the public key corresponding to the confidential computing operating environment sent by the terminal device comprises:
receiving a public key and a first signature which are sent by terminal equipment and correspond to a confidential computing running environment;
the encrypting the first key according to the public key to obtain an encrypted second key includes:
verifying the public key according to the first signature;
and in response to the public key passing verification, encrypting the first key according to the public key to obtain the encrypted second key.
8. The method of claim 7, wherein the verifying the public key according to the first signature comprises:
determining a first reference signature corresponding to the public key;
determining that the public key is verified based on the first signature being the same as the first reference signature;
determining that the public key verification fails based on the first signature and the first reference signature being different.
9. The method according to claim 6, wherein the receiving of the public key corresponding to the confidential computing operating environment sent by the terminal device comprises:
receiving target information and a second signature sent by a terminal device, wherein the target information comprises the relevant information of the confidential computing and operating environment, the relevant information of the target program code and the public key;
the encrypting the first key according to the public key to obtain an encrypted second key includes:
verifying the target information according to the second signature;
in response to the target information passing verification, parsing the target information to obtain the relevant information of the confidential computing operating environment, the relevant information of the target program code and the public key;
and in response to the relevant information of the confidential computing operating environment indicating that the type of the confidential computing operating environment is a target type, and the relevant information of the target program code indicating that the target program code has not changed, encrypting the first key according to the public key to obtain the encrypted second key.
10. The method according to any one of claims 6 to 9, further comprising:
acquiring an initial program code of the target application program;
and encrypting the initial program code according to the first key to obtain the target program code.
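The exchange in claims 5, 8 and 9, written out as an added example that is not part of the patent text: the terminal signs the target information, and the server recomputes the reference signature, checks the environment type and the code digest, and only then wraps the first key. Assumptions: the "signature" is modelled as HMAC-SHA256 under a constructed provisioning key (consistent with the reference-signature comparison in claim 8), the key wrap is a toy ElGamal-style construction standing in for a real scheme such as RSA-OAEP, and all names and values are hypothetical.

```python
import hashlib, hmac, json, secrets

# Constructed demo values (assumptions, not taken from the patent).
MAC_KEY = b"constructed-provisioning-key"   # models the signing secret
TARGET_ENV_TYPE = "demo-tee"                # hypothetical environment type
P, G = 2**255 - 19, 2                       # toy group, for the key wrap only

def sign(data: bytes) -> bytes:
    """'Signature' modelled as HMAC-SHA256 so the server can recompute it."""
    return hmac.new(MAC_KEY, data, hashlib.sha256).digest()

def keygen():
    """Key pair of the confidential computing environment (toy ElGamal)."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def _pad(shared: int) -> bytes:
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def wrap(public_key: int, first_key: bytes):
    """Server: encrypt the 32-byte first key to the public key (second key)."""
    eph = secrets.randbelow(P - 3) + 2
    pad = _pad(pow(public_key, eph, P))
    return pow(G, eph, P), bytes(a ^ b for a, b in zip(first_key, pad))

def unwrap(private_key: int, second_key) -> bytes:
    """Terminal: recover the first key with the environment's private key."""
    eph_pub, ct = second_key
    pad = _pad(pow(eph_pub, private_key, P))
    return bytes(a ^ b for a, b in zip(ct, pad))

def build_target_info(code_digest: str, env_type: str, public_key: int) -> bytes:
    """Terminal: canonical encoding of the fields the second signature covers."""
    return json.dumps({"code_sha256": code_digest, "env_type": env_type,
                       "public_key": public_key}, sort_keys=True).encode()

def server_release(target_info, second_signature, first_key, expected_digest):
    """Server gate: verify, then parse, then check, and only then wrap."""
    if not hmac.compare_digest(sign(target_info), second_signature):
        return "signature-mismatch", None
    info = json.loads(target_info)
    if info["env_type"] != TARGET_ENV_TYPE:
        return "wrong-environment-type", None
    if not hmac.compare_digest(info["code_sha256"], expected_digest):
        return "code-changed", None
    if not 1 < info["public_key"] < P - 1:
        return "bad-public-key", None
    return "ok", wrap(info["public_key"], first_key)

def demo():
    first_key = secrets.token_bytes(32)
    target_code = b"constructed stand-in for the encrypted program code"
    digest = hashlib.sha256(target_code).hexdigest()
    priv, pub = keygen()
    info = build_target_info(digest, TARGET_ENV_TYPE, pub)
    status, second_key = server_release(info, sign(info), first_key, digest)
    recovered = unwrap(priv, second_key)
    # A public key substituted after signing must not receive the first key.
    _, substituted_pub = keygen()
    altered = build_target_info(digest, TARGET_ENV_TYPE, substituted_pub)
    altered_status, _ = server_release(altered, sign(info), first_key, digest)
    return status, recovered == first_key, altered_status

if __name__ == "__main__":
    print(demo())
```

Because the signature covers the public key together with the code digest and environment type, a key swapped in transit fails the first check and the first key is never wrapped to it.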
CN202211599628.9A 2022-12-12 2022-12-12 Application program protection method Pending CN115935300A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211599628.9A CN115935300A (en) 2022-12-12 2022-12-12 Application program protection method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211599628.9A CN115935300A (en) 2022-12-12 2022-12-12 Application program protection method

Publications (1)

Publication Number Publication Date
CN115935300A true CN115935300A (en) 2023-04-07

Family

ID=86655505

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211599628.9A Pending CN115935300A (en) 2022-12-12 2022-12-12 Application program protection method

Country Status (1)

Country Link
CN (1) CN115935300A (en)

Similar Documents

Publication Publication Date Title
CN111444528B (en) Data security protection method, device and storage medium
CN110674022B (en) Behavior data acquisition method and device and storage medium
CN107959727B (en) Method and device for communication between webpage and client
CN110837473A (en) Application program debugging method, device, terminal and storage medium
CN112256320B (en) Version number generation method, device, terminal and storage medium
CN110851823B (en) Data access method, device, terminal and storage medium
CN111062323A (en) Face image transmission method, numerical value transfer method, device and electronic equipment
CN111193702B (en) Method and device for data encryption transmission
CN111241499A (en) Application program login method, device, terminal and storage medium
CN111062725B (en) Face payment method, device and system and computer readable storage medium
CN110677262B (en) Information notarization method, device and system based on blockchain
CN111191227A (en) Method and device for preventing malicious code from executing
CN111881423B (en) Method, device and system for authorizing restricted function use
CN112528311B (en) Data management method, device and terminal
CN115329309A (en) Verification method, verification device, electronic equipment and storage medium
CN114386066A (en) Application reinforcement method and device
CN112764824B (en) Method, device, equipment and storage medium for triggering identity verification in application program
CN111131619B (en) Account switching processing method, device and system
CN108683684B (en) Method, device and system for logging in target instant messaging application
CN113076452A (en) Application classification method, device, equipment and computer readable storage medium
CN115935300A (en) Application program protection method
CN112995159B (en) Information processing method, device, terminal and computer readable storage medium
CN110968549A (en) File storage method and device, electronic equipment and medium
CN112564908B (en) Device registration method and device, electronic device, server and readable storage medium
CN108970122B (en) Method, device, terminal and storage medium for preventing plug-in

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination