JP2014048866A - Execution method of application program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To determine whether an application program has been tampered or not to automatically register applications which have been not tampered, with an execution permission list.SOLUTION: An instruction to start an application is received to confirm validity of signature information by an OS (S7), and further, validity of secret information generated on the basis of the signature information is confirmed by the application itself (S9). In a case of successful validity confirmation in both of the OS and the application, the application is determined to be not tampered, and an identification code of the application is automatically registered with an execution permission list (S14), and then the execution of the application is continued (S12). If the application is determined to be tampered, the execution of the application is stopped (S11). A monitoring program independent of the application is operated in parallel by multitask processing of the OS, and a user is made to answer whether an application not registered with the list should be registered or not if the application has been started. The application is registered when the user answers that it should be registered, but the execution of the application is stopped when the user answers that it should not be registered.

Description

  The present invention relates to an application program execution method, and more particularly to a technique for executing a process for detecting falsification of an application program.

  In recent years, various types of electronic devices such as personal computers, smart phones, electronic tablets and the like have become widespread, and various application programs are used in these various electronic devices. For this reason, the number of application programs used in the real world is enormous and is expected to increase rapidly in the future. On the other hand, application programs are distributed in a form that is stored and provided in an optical recording medium or IC memory, or in which only a data file is transmitted online via the Internet. Various application programs obtained through various routes can be installed and used in electronic devices.

  Thus, in the present situation where a huge number of application programs are provided in various distribution forms, the application program being distributed is likely to be a target of falsification by a malicious cracker. For example, a cracker can obtain any application program via the Internet, and after tampering with the obtained application program, it is stored again via the Internet or various recording media for redistribution. can do.

  It is difficult for a general user to distinguish whether an application program distributed in the real world is a genuine application program provided by a legitimate provider or has been altered by a cracker. In particular, if a falsified application program is distributed as a file with the same file name as a legitimate application program, it is very difficult for general users to distinguish between the two, and both must be confused. .

  Damage caused by executing a falsified application program varies depending on the contents of the falsification. For example, when tampering with a virus is performed, files in the user's electronic device are destroyed, personal information is leaked to the outside, and serious damage occurs. On the other hand, if tampering is performed that replaces image data or text data, even if the damage is not as great as that of a virus, the information that is presented will not be the original information, causing confusion to the user. become.

  Moreover, the damage caused by the spread of such altered application programs extends not only to general users but also to content providers. For example, when a legitimate application program distributed by company A, which is a content provider, has been falsified by a cracker and the falsified application program is redistributed as if it were a legitimate product of company A. Let's think about it. In this case, if the user who installed the altered application program believes that the program is a legitimate product provided by Company A, Company A will receive an unfair evaluation. For example, if a flaw occurs in the operation of the program due to tampering, or content that is contrary to public order and morals is displayed, the user's evaluation of the product of Company A will be reduced, and Company A will suffer reputational damage. Become.

  Thus, in order for a content provider to distribute an application program, install it on an electronic device of a general user, and execute it, it is essential to prevent tampering by a cracker. Usually, in order to prevent tampering of digital data, a digital signature technique is used. For example, Patent Literature 1 below discloses a system that detects the presence or absence of tampering by applying an electronic signature to data in a memory of a mobile phone and checking the data. Patent Document 2 discloses a system that monitors whether an application program in an information processing apparatus has been tampered with using an electronic signature or a hash value.

  On the other hand, the following Patent Document 3 and Patent Document 4 disclose a technique in which an application program to be executed is registered in advance, and processing for not permitting execution of an unregistered program is disclosed. If this technology is used, only those that can be determined as safe application programs that are not likely to be tampered with are registered in advance, and execution of application programs that are likely to be tampered with can be suppressed.

JP 2007-293847 A International Publication No. WO2008-047830 JP 2002-304318 A JP 2005-157429 A

  As described above, in order to prevent falsification of digital data, applying a digital signature to the digital data is used in various industrial fields, as described in the above-mentioned Patent Documents 1 and 2. It is also used to prevent falsification of application programs distributed to electronic devices. For example, in the case of a smartphone that employs Android (registered trademark) as an OS, the application program to be installed is stipulated by the specification that an electronic signature is always added, and an application program without an electronic signature is added. In addition, an application program having an inconsistency in the added electronic signature is determined as an illegal program by the OS, and execution is not permitted.

  However, the digital signature guarantees the content of the data to be signed to the last, and does not guarantee the identity of the signer. For this reason, after falsifying the contents of the application program, the cracker newly creates an electronic signature with the altered application program as the signature target data and signing itself as the signer. The application program can be redistributed. As described above, when the electronic signature is falsified, the terminal device using the above-described Android (registered trademark) as an OS cannot perform effective falsification detection.

  On the other hand, as described in the above-mentioned Patent Documents 3 and 4, only the application program registered in advance is operated so as to permit its execution, as long as appropriate registration work is performed. The execution of the altered program can be prevented. However, in practice, it is difficult for the user to correctly determine whether the distributed program has been tampered with, and even if it turns out that the program has not been tampered with, Since it is necessary for the user to perform an operation of individually registering this, a burden is imposed on the user.

  Therefore, the present invention can perform effective tampering detection even when tampering with an electronic signature is performed, and further, does not impose a burden of registration work on a user for an application program that has been determined not to tamper. Another object of the present invention is to provide a method of executing an application program that is automatically registered in the execution permission list.

(1) According to a first aspect of the present invention, there is provided an application program execution method in which a computer executes an application program.
An input stage in which a computer inputs a data file containing an application program to be executed;
A tampering determination stage in which the computer determines whether the input application program has been tampered with;
A list automatic registration stage in which an identification code of an application program that has been determined that the computer has not been falsified in the falsification determination stage,
A startup application recognition stage in which the computer recognizes the identification code of the application program in the startup state;
A registration presence / absence determination step in which the computer determines whether or not the identification code recognized in the activation app recognition step is registered in the execution permission list;
When the computer is determined to be unregistered in the registration presence / absence determination step, a registration inquiry step for inquiring the user whether to register the unregistered app;
If the computer responds that the user has registered as a response to the inquiry, the identification code of the unregistered application is registered in the execution permission list, the execution of the application is permitted, and the response that the application is not registered If there is a response processing stage to stop the execution of the unregistered application,
And
At the input stage, a data file including an application program with a falsification check function, signature information, and confidential information or location information indicating the location is input,
The signature information is information obtained by electronic signature processing using the application program as signature target data.
Confidential information is information obtained by extracting a predetermined portion of the data constituting the application program with falsification check function and signature information as the data to be concealed and performing the concealment process on the extracted data to be concealed ,
The falsification determination stage includes a first confirmation stage for confirming whether or not falsification is performed based on the signature information, and a second confirmation stage for confirming whether or not falsification is performed based on the confidential information.
The application program with a falsification check function includes a falsification check routine for confirming the validity of the confidential information for the data to be concealed in consideration of the processing process performed in the concealment process, and executes the falsification check routine. Thus, the second confirmation step is performed.

(2) According to a second aspect of the present invention, in the method for executing an application program according to the first aspect described above,
Using a pair of keys that have the property that data encrypted using one key can be decrypted using the other key,
Confidential information is information obtained by encrypting the data to be concealed using one key,
The falsification check routine uses the other key to decrypt the confidential information included in the data file input at the input stage or the confidential information obtained based on the location information included in the data file input at the input stage. When the data to be concealed obtained by this decryption matches the data to be concealed extracted from the data file input at the input stage, it is confirmed that there is no falsification.

(3) According to a third aspect of the present invention, in the method for executing an application program according to the first aspect described above,
The confidential information is information created by performing a digest process that applies a one-way function using a predetermined specific key as a parameter to the data to be concealed,
Information obtained by the digest check process using the specific key for the data to be concealed extracted from the data file input by the falsification check routine is included in the data file input at the input stage. If the confidential information is the same as the confidential information acquired based on the location information included in the confidential information or the data file input in the input stage, it is confirmed that there is no falsification.

(4) According to a fourth aspect of the present invention, in the method for executing an application program according to the first to third aspects described above,
A computer that executes an application program under the management of an OS program executes the first confirmation stage based on the OS program, and executes the second confirmation stage based on a falsification check routine in the application program. Is.

(5) According to a fifth aspect of the present invention, in the method for executing an application program according to the fourth aspect described above,
The OS program has a multitask processing function for executing a plurality of application programs while switching at a predetermined timing.
A computer executes a list automatic registration stage, a startup application recognition stage, a registration presence / absence judgment stage, a registration inquiry stage, and an answer processing stage by a monitoring program prepared as one of application programs.

(6) According to a sixth aspect of the present invention, in the method for executing an application program according to the fifth aspect described above,
The computer executes a process of recording log information indicating an identification code, start time, and end time for each application program by the OS program,
When the computer executes the activated application recognition stage by the monitoring program, the identification code of the activated application program is recognized by referring to the log information.

(7) According to a seventh aspect of the present invention, in the method for executing an application program according to the first to sixth aspects described above,
In the list automatic registration stage, answer processing stage, and activated application recognition stage, application programs having different versions are processed using different identification codes.

(8) An eighth aspect of the present invention provides an application program execution method according to the seventh aspect described above,
Even application programs included in data files having the same file name are recognized as different versions if the hash values are different.

(9) According to a ninth aspect of the present invention, in the method for executing an application program according to the first to eighth aspects described above,
When registering to the execution permission list in the list automatic registration stage or answer processing stage, the computer performs registration to the execution permission list stored in the external storage device or server device,
In the registration presence / absence determination stage, the computer makes a determination by referring to an execution permission list stored in an external storage device or server device.

(10) According to a tenth aspect of the present invention, in the method for executing an application program according to the first to ninth aspects described above,
When registering to the execution permission list at the list automatic registration stage or answer processing stage, the computer performs the process of encrypting the execution permission list,
At the registration presence / absence determination stage, the computer decrypts the encrypted execution permission list and refers to the contents.

(11) An eleventh aspect of the present invention is the application program execution method according to the first to tenth aspects described above,
When registering to the execution permission list in the list automatic registration stage or answer processing stage, the computer registers a predetermined check code included in the data file input in the input stage together with the identification code,
At the registration presence / absence determination stage, the computer checks whether the check code included in the data file matches the check code registered in the execution permission list, and the execution permission list is obtained on condition that the match is confirmed. It is determined that it is registered in.

(12) According to a twelfth aspect of the present invention, in the method for executing an application program according to the first to tenth aspects described above,
When registering to the execution permission list in the list automatic registration stage or answer processing stage, the computer uses a one-way function for the predetermined information contained in the data file input in the input stage together with the identification code. Register the check code obtained by performing the digest process that works
At the registration presence / absence determination stage, the computer registers the check code obtained by performing the digest processing that causes the one-way function to act on the predetermined information included in the data file, and the execution permission list. The check code is matched with the check code, and it is determined that the check code is registered in the execution permission list on condition that the match is confirmed.

  (13) According to a thirteenth aspect of the present invention, a monitoring program used in the application program execution method according to the fifth or sixth aspect described above is independently distributed.

  In the execution method of the application program according to the present invention, the application program is input as a data file including signature information and confidential information or location information indicating the location, and not only the validity of the signature information but also the confidential information Validity is also confirmed. For this reason, not only the falsification of the application package itself but also the falsification of the signature information can be detected, and even when the digital signature is falsified, effective falsification detection is possible. Moreover, since the application program includes a falsification check routine for determining whether or not the application program itself has been falsified, falsification can be detected by executing the application program. In addition, when it is determined that the file has not been tampered with, automatic registration to the execution permission list is performed, so that the user need not perform registration work.

It is a block diagram which shows the distribution method of the conventional general application program which added signature information. It is a block diagram which shows the specific preparation method of the file 20 for distribution shown in FIG. FIG. 3 is a block diagram showing processing for confirming the validity of signature information 22 for the distribution file 20 shown in FIG. 2. It is a block diagram which shows the falsification process which the cracker X tries with respect to the conventional distribution method shown in FIG. It is a block diagram which shows the basic principle of the distribution method of the application program which concerns on this invention. It is a block diagram which shows the process which confirms the correctness of the signature information 22A and the confidential information 23A about the distribution file 20A shown in FIG. It is a flowchart which shows the basic procedure of the distribution execution method of the application program which concerns on this invention. FIG. 6 is a block diagram showing a tampering process attempted by cracker X for the distribution method according to the present invention shown in FIG. 5. It is a block diagram which shows the variation of the distribution method which concerns on basic embodiment of this invention shown in FIG. FIG. 6 is a block diagram showing another variation of the distribution method according to the basic embodiment of the present invention shown in FIG. 5. FIG. 6 is a block diagram showing a specific example using information encrypted as confidential information 23A in the distribution method according to the present invention shown in FIG. 12 is a block diagram showing processing for confirming the validity of signature information 22A and the validity of confidential information 23A for the distribution file 20A shown in FIG. FIG. 6 is a block diagram showing a specific example in which digested information is used as confidential information 23A in the distribution method according to the present invention shown in FIG. It is a block diagram which shows the process which confirms the correctness of the signature information 22A and the confidential information 23A about the distribution file 20A shown in FIG. It is a block diagram which shows the basic composition of the file creation apparatus for application program distribution concerning this invention. It is a block diagram which shows the modification of the distribution execution method of the application program which concerns on this invention. It is a flowchart which shows the procedure of the monitoring routine of the monitoring program utilized with the execution method of the application program which concerns on this invention. It is a figure which shows an example of the log information utilized for recognition of a starting application in the starting application recognition step S21 shown in FIG. It is a figure which shows an example of the execution permission list utilized with the execution method of the application program which concerns on this invention. It is a figure which shows an example of the message screen shown to a user by registration inquiry step S24 shown in FIG. It is a flowchart which shows the process sequence when starting the normal application which does not have a self-tampering check function. It is a flowchart which shows the process sequence when starting the application which has a self-tampering check function.

  Hereinafter, the present invention will be described based on the illustrated embodiments. The application program execution method according to the present invention is an invention described in Japanese Patent Application No. 2012-099139 (filed on April 24, 2012, patent approved on June 28, 2012 based on accelerated examination) It is assumed that the application program distribution execution method and falsification detection method are used. Therefore, §1 to §8 describe the application program distribution execution method and falsification detection method according to the invention of the prior application, and §9 and §10 use the same to execute the application program according to the present invention. Will be explained. The embodiments described in §1 to §8 are the same as the embodiments described in §1 to §8 of the prior application.

<<< §1. General distribution method for adding signature information >>>
Here, for convenience of explanation, a conventional general distribution method of application programs to which signature information is added will be briefly described. FIG. 1 is a block diagram showing such a conventional distribution method. Here, as a specific example, a case where an application program is distributed to a smartphone or a tablet electronic device (so-called Android terminal) that employs Android (registered trademark) as an OS will be described as an example.

  A global standard specification has been established for the data structure and distribution form of application programs for Android devices, and all general application programs are created and distributed based on this standard specification. Become.

  Specifically, the program provider A (content provider) first creates an application program 10 having a data structure as shown in the upper part of FIG. In the standard specification of Android, the application program 10 is basically composed of a program body 11, a resource data 12, a subroutine group 13, and an auxiliary file 14 as shown in the figure. Are added or some of them are omitted (for example, in the case where the program body 11 does not use a subroutine, the subroutine group 13 is unnecessary).

  Here, the program main body 11 is a file after compiling a program described in Java (registered trademark), and is an element constituting the center of the application program. When the application program 10 is activated, instruction codes are sequentially executed from the top of the program main body 11.

  The resource data 12 is a data group of images and character strings used as necessary by the program body 11. Image data is prepared as a data file described in various formats such as JPEG format, GIF format, BMP format, and PNG format. Similarly, character string data is a data file described in various formats such as XML format. Prepared as.

  On the other hand, the subroutine group 13 is composed of a general-purpose subroutine program group called “Shared Object”. Each subroutine is called by a subroutine call instruction from the program body 11 and executes a predetermined process according to each role. When the called subroutine program completes its mission, control returns to the program in the program body 11 again. When making a subroutine call, the program body 11 can pass some data as an argument to the subroutine as necessary, and each subroutine program delivers the execution result to the program body 11 as necessary. Can do.

  The auxiliary file 14 is an XML format file describing auxiliary information generally called “manifest”. Here, permission information when executing the application program on the Android terminal (for example, whether the program makes an Internet connection, whether to refer to GPS information, whether to use a telephone function, Are recorded). This permission information is presented to the user at the time of installation or activation of the application program, and the installation or activation is performed only when the user inputs a confirmation that the user agrees with the permission information.

  Although the basic data structure of the Android terminal application program 10 has been described above, the application program 10 cannot be distributed as it is. According to the standard specification of Android, when the application program 10 is distributed, a packaging process and a signature information adding process are required.

  The packaging process is mainly a process of compressing individual files constituting the application program 10 and combining them into one package (otherwise, an intermediate compilation process is also performed), as shown in the middle part of FIG. In addition, the application program 10 is combined into one application package 21 by performing the packaging process. Through the compression process, the data capacity of the application package 21 is reduced as compared with the capacity of the original application program 10 and is in a form suitable for distribution.

  On the other hand, the signature information adding process is a process in which the program provider A uses the application package 21 as signature target data D to apply its own signature, and the signature information 22 of A is created by this process. Specifically, an electronic signature process using a public key cryptosystem is employed, and the signature target data D (that is, the application package 21) is used with the first key K (a1) of the program provider A. A process for creating a signature value S (A) is performed, and A signature information 22 including the created signature value S (A) and the second key K (a2) of the program provider A is created. . In FIG. 1, a part surrounded by a thick line indicates a part to be the signature target data D, and the signature information 22 is information indicating that the program provider A has signed the data in the thick line frame. It will be.

  Here, the first key K (a1) and the second key K (a2) are digital data having a relationship between the secret key and the public key in the public key cryptosystem, and are encrypted using one of the keys. The data can be decrypted using the other key. Usually, a private key is used as the first key K (a1) and a public key is used as the second key K (a2). According to the standard specification of Android, the former is kept secret and the latter is made public. However, in the present application, they are simply referred to as a first key K (a1) and a second key K (a2).

  The signature information 22 of A created in this way is information for the program provider A to guarantee the contents of the application package 21 to be signed. If the contents of the application package 21 are falsified, As will be described later, a mismatch occurs between the signature information 22 of A and tampering detection using the signature information 22 of A becomes possible.

  The distribution file 20 is a file configured by adding the A signature information 22 to the application package 21. The program provider A performs the above-described packaging process and signature information addition process on the application program 10 to create a distribution file 20, and distributes it to a large number of users U1, U2, U3 via the Internet or the like. Will do. Of course, it is also possible to distribute it in a state stored in an optical recording medium, an IC memory or the like.

  In the Android specification, the distribution file 20 having such a data structure is called an APK file, and all application programs distributed to Android terminals need to be distributed in the form of this APK file. In other words, Android specifications require that signature information be added to all application programs to be distributed. On Android devices, when a distributed APK file is executed, falsification detection based on the signature information is performed. Will be done.

  FIG. 2 is a block diagram showing a specific method for creating the distribution file 20 shown in FIG. 1, in particular, a specific method for creating the signature information 22. In the signature information addition processing, first, irreversible transformation is performed by applying the hash function HASH to the signature target data D (that is, the application package 21), and a hash value H = HASH (D) is obtained. The hash function is a typical one-way function, and a unique hash value H is always obtained for the original data D. Conversely, the original data D is restored from the hash value H. It has a nature that cannot be done. For this reason, the hash value H can have an extremely small data capacity compared to the original data D (in the example shown, all data constituting the application package 21).

  Next, the hash value H is encrypted by using an encryption algorithm of a public key cryptosystem using the first key K (a1) of the program provider A to obtain a signature value S (A). That is, the signature value S (A) is data obtained by encrypting the hash value H, and the original hash value H is obtained by performing decryption using the second key K (a2) of the program provider A. Will be. Eventually, using the application package 21 as the signature target data D, the digital signature process using encryption using the first key K (a1) of the program provider A is performed to generate the signature value S (A). The signature information 22 of A is created by the signature value S (A) and the second key K (a2) of the program provider A.

  As described above, the distribution file (APK file) 20 is a file in which the signature information 22 of A is added to the application package 21, and for the Android terminal, the application program 10 is a file having such a format. Will be distributed. Here, for convenience, it is assumed that the distribution file 20 is distributed as a game application file having a file name “PatGame.apk” (the file name extension .apk is an APK file). It is shown that).

  When the distribution file 20 is executed, as described above, falsification detection based on the signature information (validity confirmation of the signature information 22) is performed. FIG. 3 is a block diagram showing the validity confirmation process of the signature information 22 executed in the Android terminal.

  The distribution file 20 having the file name “PatGame.apk” obtained by the Android terminal includes an application package 21 and A signature information 22. Here, the signature information 22 includes the signature value S (A) and the second key K (a2) of A, and as described above, the signature value S (A) with respect to the signature value S (A). The original hash value H can be obtained by performing a decryption process using the second key K (a2). In FIG. 3, the hash value obtained by decoding the signature value S (A) is referred to as a hash value H1.

  On the other hand, the application package 21 (signature target data D) is subjected to irreversible transformation using the hash function HASH shown in FIG. 2 to obtain a hash value H = HASH (D). In FIG. 3, the hash value obtained by such irreversible transformation is referred to as a hash value H2. If the contents of the application package 21 included in the distribution file 20 having the file name “PatGame.apk” obtained by the Android terminal are completely the same as the contents of the application package 21 shown in the upper part of FIG. If there are, the hash values H1 and H2 should match.

  Therefore, if an Android terminal used by the user U executes a process for confirming a match between the hash values H1 and H2, it can be determined whether or not the application package 21 has been tampered with. The Android OS performs such a match check before executing the application program. If the two do not match, it is determined that some alteration has been made to the application package 21, and the execution of the application program is executed. It has a function to cancel.

<<< §2. Specific problems of conventional distribution methods >>
As described in §1, application programs for Android terminals are widely distributed in the form of a distribution file (APK file) 20 as shown in FIG. 1, so that general users U1, U2, U3 It can be easily obtained by downloading it via the Internet or the like. This means that a malicious cracker X can easily obtain the distribution file 20. Therefore, it is easy for the cracker X to tamper with the obtained distribution file 20 and redistribute it via the Internet or the like.

  Moreover, since the specification of the APK file is widely disclosed, from the standpoint of Cracker X, it is easy to tamper with and easy to redistribute. . In particular, it is very easy to tamper with the resource data 12 and the auxiliary file 14 among the elements constituting the application program 10.

  For example, the image data file and the character string data file constituting the resource data 12 are data described in a very general file format such as JPEG format, GIF format, BMP format, PNG format, XML format, etc. Falsification is possible just by rewriting the contents of or changing the file. For this reason, it is possible to easily perform alterations such as replacing the original image with an obscene image or replacing the original character string with an inappropriate character string. In addition, if tampering is performed that replaces the image of the “YES button” and the image of the “NO button”, at first glance, the fact of tampering will not be noticed, but “YES” and “NO” on the user's answer input screen This will cause a serious problem that only the display will be replaced.

  On the other hand, the auxiliary file 14 (manifest file) is also composed of easy-to-read character string data written in the XML format, and thus is easily subject to falsification. Specifically, the auxiliary file 14 includes permission information such as whether the application program makes an Internet connection, whether to reference GPS information, and whether to use a telephone function. If this information is tampered with, an operation not permitted by the user is executed. For example, if an application program that has permission information that “performs” to use the Internet connection and the telephone function is further altered such that permission information that “performs” GPS information is added, The operation of “referencing GPS information”, which is not permitted in the permission information, is executed, and there is a possibility that damage such as leakage of GPS information to the outside may occur.

  Damage caused by such tampering extends not only to users but also to content providers. For example, a user U who has heard the reputation of the application program “PatGame.apk” distributed by the program provider A downloads and executes a falsified file instead of the regular distribution file of the program. Let's think about the case. Cracker X usually redistributes a file that has been falsified with the same file name as the original file, so if you just check the file name “PatGame.apk”, whether it is a genuine file or a falsified file Cannot be identified.

  In this case, for example, in the case where a noticeable alteration has been made such that the original logo image of the program provider A has been replaced with an obscene image, the user has altered the application program being executed. It can be recognized that However, in the case where the user is unaware of falsification, the program provider A will be responsible for the malfunction of the application program. If such an unfair evaluation is disseminated via the Internet or the like, the program provider A will suffer reputation damage.

  Of course, according to the specification of Android, as described in §1, signature information 22 is added to the distribution file 20 together with the application package 21, and the application package 21 follows the procedure shown in FIG. The validity of the signature information 22 is confirmed. Therefore, if the cracker X simply replaces the image file or the character string file in the resource data 12 with another file or rewrites the permission information in the auxiliary file 14, a mismatch occurs in the confirmation processing shown in FIG. The fact of tampering can be detected.

  That is, in the example shown in FIG. 3, when the cracker X rewrites the contents of the application package 21, the signature target data D changes to D ′, and thus the obtained hash value H2 also changes. As a result, a mismatch occurs with the hash value H1 obtained by decrypting the signature value S (A) created based on the signature target data D, and the fact of falsification is detected.

  As described above, in the conventional distribution method described in §1, it is possible to detect tampering performed only on the application package 21. However, if the signature information 22 has been tampered with, it cannot be detected. The reason will be described below.

  Here, it is assumed that the cracker X has obtained the regular distribution file 20 distributed by the program provider A as shown in FIG. FIG. 4 is a block diagram showing a tampering process attempted by cracker X for the regular distribution file 20 obtained in this way. The cracker X first performs decompression processing on the application package 21 included in the obtained distribution file 20 to restore the original application program 10. Since the packaging process is basically a file compression process, the original application program 10 can be easily restored by performing a decompression process corresponding to the compression process. As described in §1, the application program 10 is configured by the elements of the program body 11, the resource data 12, the subroutine group 13, and the auxiliary file 14 (in addition, some elements may be added). is there).

  Although the cracker X will tamper with each of these elements, as described above, tampering with the resource data 12 and the auxiliary file 14 is very easy, and data file replacement and text data rewriting are easy. This can be done by a simple task. Therefore, here, it is assumed that the cracker X has altered the resource data 12 to the resource data 12X and the auxiliary file 14 to the auxiliary file 14X as illustrated. Although the program body 11 and the subroutine group 13 have not been tampered with, the application program 10X including the tampered resource data 12X and the tampered auxiliary file 14X no longer performs normal operations.

  Subsequently, the cracker X performs a repackaging process on the application program 10X, and generates a falsified application package 21X. By simply replacing the generated application package 21X with the regular application package 21 in the regular distribution file 20, the fact of falsification is detected by the normal falsification detection process performed on the Android terminal. That is, a mismatch occurs in the process of confirming the validity of the signature information 22 of A.

  However, the cracker X can create the signature information 22X of X by performing a signature with the altered application package 21X as the signature target data D ′ and signing itself as the signer. Specifically, using the first key K (x1) of the cracker X, a process for creating a signature value S (X) for the signature target data D ′ (that is, the altered application package 21X) is performed. The signature information 22X of X including the signature value S (X) thus made and the second key K (x2) of the cracker X may be created.

  If the program provider A manages the first key K (a1) as a secret key, the cracker X cannot obtain the first key K (a1) of A. The signer A cannot sign the tampered signature target data D ′. However, the cracker X can sign as the signer X using the first key K (x1) of his / her own, and the signature value S (X) obtained in this way is added to the cracker X. It is possible to create X signature information 22X by adding its own second key K (x2). The signature information 22X created in this way is information that should be called a resignature by the cracker X, and has validity for the falsified application package 21X.

  Thus, if the cracker X adds the X signature information 22X to the altered application package 21X, the altered distribution file 20X can be obtained. If the distribution file 20X is redistributed as an APK file having the file name “PatGame.apk”, it is possible to disseminate a falsified file that cannot be distinguished from a regular APK file at first glance.

  Android specifications are widely available, and various tools for supporting the creation of APK files are also widely used. For example, a tool for creating the application package 21 by packaging the application program 10, a tool for creating the APK file 20 by adding the signature information 22 of an arbitrary person to the application package 21, and decompressing the application package 21 in the APK file 20 Tools for restoring the original application program 10 can be obtained from various sites on the Internet, and the cracker X uses these tools to execute the falsification process shown in FIG. An APK file 20X can be created.

  In this way, when the signature information 22 is tampered with the application package 21, the conventional tampering detection method shown in FIG. 3 cannot detect tampering. That is, in the distribution file 20X shown in FIG. 4, the X signature information 22X is information obtained by the cracker X signing with the application package 21X as the signature target data D ′. In this tamper detection method, a coincidence confirmation can be obtained without any trouble. Therefore, if the general user U downloads the falsified distribution file 20X to the Android terminal and executes it, the falsified application program 10X is executed as a regular application program.

  As described above, if the altered application package 21 is re-signed by the cracker X and replaced by the signature information obtained by the re-signing, the validity of the signature information is ensured. For this reason, it is not possible to detect falsification using the general falsification detection function of Android devices. This is because the Android specification doesn't detect falsification by checking the identity of the signer in the first place. That is, since the Android terminal cannot distinguish between the program provider A and the cracker X, which are legitimate content providers, the signer is either A or X, but the data to be signed and the signature information If consistency can be confirmed in the meantime, it must be judged that there is no falsification.

  Of course, the identity of the signer can be confirmed by making an inquiry to the authentication server or the like. When an electronic application to a public office or an electronic commerce is performed, a process of inquiring an authentication server and confirming the identity of the signer is usually performed. However, in the case of an Android terminal, at least the falsification determination process at the time of executing the application program is not designed to perform the identity verification of the signer. This seems to make it possible to run application programs without any trouble even when the Android device is offline (inquiries to external authentication servers are not possible).

  As described above, when an application program is distributed to a terminal device that performs signature information match verification but does not perform identity verification of the signer, if the signature information is falsified, effective falsification is performed. Detection cannot be performed. The present invention provides an effective method for distributing and executing a new application program to cope with such problems.

<<< §3. Distribution execution method according to basic embodiment of the present invention >>
The principle of the basic embodiment shown here is that the distribution file 20 shown in FIG. 1 performs some marking on the signature information 22 of A before distribution, and at the time of execution, uses this marking. In other words, whether or not the signature information 22 of A is falsified is detected. Even if the cracker X replaces the signature information 22 of A with the signature information 22X of X by the method shown in FIG. 4, it is detected that the signature information is replaced if any traces related to the signature information 22 of A are marked. be able to.

  However, if the content of the marking is detected by the cracker X, tampering including the marking is performed. Therefore, in the present invention, the marking target is concealed by a specific method so that the cracker X does not detect the marking content, and the validity of the marking content is confirmed based on the concealed information. A method of incorporating a falsification check routine into the application program 10 itself is adopted. Hereinafter, the basic principle will be described in detail.

  FIG. 5 is a block diagram showing the basic principle of the application program distribution method according to the basic embodiment of the present invention. In this method, the program provider A prepares an application program 10A shown in FIG. 5 instead of the application program 10 shown in FIG. 1, and packages it to create an application package 21A. The application program 10A is obtained by replacing the program body 11 in the application program 10 with the program body 11A, and replacing the subroutine group 13 with the subroutine group 13A.

  The subroutine group 13A is obtained by adding a falsification check routine F to the subroutine group 13. The falsification check routine F is a subroutine program having a function of confirming whether or not the signature information 22A of A is falsified based on an algorithm to be described later, and includes a first specific key K (s1). Yes. This first specific key K (s1) is an indispensable key for checking whether or not the signature information 22A of A is falsified.

  On the other hand, the program body 11A, when a subroutine call instruction for calling the falsification check routine F and a determination result “falsification exists” are returned from the falsification check routine F to a predetermined location of the program body 11 And an instruction to stop execution of the instruction group. Therefore, when the determination result “No falsification” is returned from the falsification check routine F, the program body 11A continues to execute the subsequent instruction group. When the determination result “has falsification” is returned, the subsequent execution of the instruction group is stopped and the application program 10A is terminated.

  After all, the application program 10A is basically a program having a processing function equivalent to that of the application program 10, but can be said to be a program to which a self-falsification check function using a falsification check routine F is added. When the application program 10A is executed in the Android terminal, the falsification check process by the falsification check routine F is executed to determine whether or not the signature information 22A has been falsified. Then, when the determination result that there is falsification is obtained, the execution of the application program 10A is stopped. Therefore, in practice, a subroutine call instruction for calling the falsification check routine F is incorporated in front of the instruction group for performing the original function of the application program in the program main body 11A, and falsification is performed at the initial stage of execution of the application program 10A. The check routine F is preferably executed.

  Subsequently, similarly to the conventional method described in §1, the encryption using the program provider A's first key K (a1) is used with the application package 21A obtained by packaging as the signature target data D. The digital signature process is performed to generate a signature value S (A), and signature information 22A including the signature value S (A) and the second key K (a2) of the program provider A is created.

  In the basic embodiment described here, the signature information 22A of A is further extracted as the data to be concealed C (in FIG. 5, the data to be concealed C is indicated by a thick line frame). On the other hand, the concealment process using the second specific key K (s2) is performed to create the concealment information 23A. A specific method of the concealment process will be described with reference to an example in §6. The first specific key K (s1) having a special relationship with the second specific key K (s2) (that is, the falsification check routine F) As long as the process satisfies the condition that the validity of the confidential information 23A with respect to the data C to be concealed can be confirmed only by using a key embedded in the data, any process is adopted as the concealment process. (As will be described later, the same common specific key K (s0) may be used as the first specific key K (s1) and the second specific key K (s2)).

  When the confidential information 23A is created in this way, the program provider A creates a distribution file 20A including the application package 21A, the signature information 22A of the A, and the confidential information 23A, and distributes it as an APK file. That's fine. Here, the A signature information 22A is an electronic signature by the program provider A used to confirm that the application package 21A has not been tampered with, and the confidential information 23A is the A signature information 22A that has been tampered with. This is marking information that is used to confirm that it is not. The Android terminal can detect not only the application package 21A but also the A signature information 22A by checking the validity of the A signature information 22A and the validity of the confidential information 23A. it can.

  FIG. 6 is a block diagram showing processing for confirming the validity of the signature information 22A and the validity of the confidential information 23A for the distribution file 20A shown in FIG. When the user U installs the distribution file 20A on the Android terminal and tries to execute it, a process for confirming the validity of the signature information 22A of A is executed by the basic function of the Android OS before executing the application program 10A. Is done.

  That is, as described in §1, first, the signature value S (A) and the second key K (a2) of A are extracted from the signature information 22A, and the second value of A is extracted from the signature value S (A). The process of obtaining the hash value H1 is performed by performing the decryption process using the key K (a2). Subsequently, the application package 21A (signature target data D) is subjected to an irreversible transformation using a hash function HASH to obtain a hash value H2. And the process which confirms whether the hash value H1 and the hash value H2 correspond is performed. Here, such a confirmation process is referred to as a first confirmation stage. In the first confirmation stage, processing for confirming the validity of the signature information 22A for the application package 21A is performed.

  If the legitimacy of the signature information 22A can be confirmed in the first confirmation stage, the Android OS determines that the application package 21A has not been tampered with, and executes the application program 10A included therein. However, since the subroutine call instruction for calling the falsification check routine F is incorporated in the program body 11A, which is a component of the application program 10A, as described above, the falsification check routine F is executed by executing the application program 10A. Will be executed.

  Here, the tampering check routine F uses the first specific key K (s1) built in to store the confidential information 23A for the confidential data C (in this example, the signature information 22A of A). A process for confirming validity is performed. Here, such a confirmation process is referred to as a second confirmation stage. As described above, the concealment information 23A is information obtained by performing concealment processing using the second specific key K (s2) on the concealment target data C, and the concealment target data C (A The validity of the confidential information 23A with respect to the signature information 22A) can be confirmed using the first specific key K (s1).

  The falsification check routine F returns the result of the second confirmation stage executed in this way to the program main body 11A as the execution result of the subroutine. When a positive determination result (determination result indicating that the validity of the confidential information 23A is confirmed) is returned from the falsification check routine F, the program body 11A continues to execute the subsequent instruction group. However, if a negative execution result (determination result that the validity of the confidential information 23A has not been confirmed) is returned, the subsequent execution of the instruction group is stopped.

  Thus, in the Android terminal, the validity of the signature information 22A for the application package 21A is confirmed in the first confirmation stage, and the validity of the confidential information 23A for the signature information 22A is confirmed in the second confirmation stage. Only in this case, the application program 10A is normally executed.

  FIG. 7 is a flowchart showing the basic procedure of the basic embodiment shown here. This basic procedure is a procedure of an application program distribution execution method constituted by a distribution process for distributing an application program and an execution process for executing the distributed application program. As illustrated, in the first half of the distribution process, steps S1 to S5 are executed, and in the second half of the execution process, steps S6 to S12 are executed. Hereinafter, the contents of these steps will be described in order.

  Here, for convenience, the first half distribution process (steps S1 to S5) is executed by a computer used by the program provider A, and the second half execution process (steps S6 to S12) is an application execution computer used by the user U. The following description will be given on the assumption that it is executed by (an Android terminal such as a smart phone). The steps S1 to S5 constituting the first half of the distribution process are not necessarily executed by the same computer, but the steps S6 to S12 constituting the second half of the execution process are for executing the same application used by the user U. It will be executed on the computer.

  First, in the packaging stage of step S1, as shown in FIG. 5, the application program 10A including the first specific key K (s1) is subjected to packaging processing including at least compression processing, and the application package 21A is obtained. Processing to create is performed. Here, the application program 10A to be packaged includes an alteration check routine F for executing the second confirmation stage shown in FIG. 6, and the first specific key K (s1) is This is included in the falsification check routine F.

  In particular, when distributed to Android terminals, according to the specifications, the application program 10A includes a program main body 11A, a subroutine group 13A called from the program main body 11A, resource data 12 including images and character strings, An auxiliary file 14 (manifest file) made up of XML format data is included, and in the packaging stage of step S1, packaging processing including ZIP compression processing is executed.

  In the subsequent signature information creation stage of step S2, as shown in FIG. 5, the application package 21A created in step S1 is used as signature target data D, and encryption using the first key K (a1) of the program provider A is performed. A signature value S (A) is generated by performing an electronic signature process using the encryption, and A signature information 22A including the signature value S (A) and the second key K (a2) of the program provider A is obtained. The process to create is executed. Here, as the first key K (a1) and the second key K (a2) of the program provider A, a pair of keys used in the public key cryptosystem, that is, encryption using one key is performed. A pair of keys having a property that the decrypted data can be decrypted using the other key is used.

  Next, in the secret information creation stage of step S3, the signature information 22A of A is extracted as the concealment target data C, and concealment using the second specific key K (s2) is performed on the extracted concealment target data C. The process of creating the confidential information 23A by performing the conversion process is executed. Here, as the first specific key K (s1) and the second specific key K (s2), the validity of the data subjected to the concealment process using one key can be confirmed using the other key. A pair of keys having properties is used (both may be the same common key as described later).

  As the concealment process executed in step S3, as described above, the concealment information 23A is uniquely set to the original concealment target data C by some arithmetic process using the second specific key K (s2). If it is a process that can be determined and satisfies the condition that only the first specific key K (s1) can be used to confirm the validity of the confidential information 23A with respect to the concealment target data C, Any processing is acceptable. A specific example of the concealment process is illustrated in §6.

  On the other hand, in the distribution file creation stage in step S4, the application package 21A created in step S1, the signature information 22A created in step S2, and the confidential information 23A created in step S3 are collected. A distribution file 20A is created. When distributing to an Android terminal, a distribution file 20A (APK file with an extension .apk) having an APK format is generated at the distribution file creation stage.

  Since the APK file is a file compressed in the ZIP compression format, when the APK file is created in the distribution file creation stage in step S4, the confidential information is stored in the comment area in the ZIP compression format. 23A can be recorded. Since this comment area is originally an area provided so that the creator of the APK file can write an arbitrary comment sentence, the data constituting the confidential information 23A is recorded instead of the comment sentence. However, no trouble occurs. In other words, the distribution file 20A according to the present invention in which the confidential information 23A is recorded in the comment area satisfies the conditions as an APK file that conforms to the specifications of Android, and can be distributed to an Android terminal as it is. Rather, it will be handled as an APK file by AndroidOS.

  At the end of the distribution process, the file output stage of step S5 is performed. At this stage, the distribution file 20A created in step S4 (in the example shown here, an APK file according to the Android specification) is output for distribution. For example, if output to a distribution Web server or the like, the distribution file 20A is distributed to general users via the Internet, and is recorded and output on a physical recording medium such as an optical recording medium or IC memory. Then, the distribution file 20A is distributed in a state stored in such a physical recording medium.

  Next, the second half execution process will be described. First, in the file input stage of step S6, the distribution file 20A distributed by the first half distribution process is input by the application execution computer used by the user U. For example, when the user U is using an Android terminal, the distribution file 20A is taken into the Android terminal by giving an instruction to download the distribution file 20A from the APK file distribution site via the Internet. Further, with the consent of the user U, the distribution file 20A is installed. In the case of an Android terminal, such processing is executed by the basic function of the OS program.

  The subsequent steps after step S7 are performed when the user U or another application or service gives an execution instruction for the application program (distribution file 20A) installed in step S6 (the first application program is changed). In the case of having the function of starting the second application program, not when the user U gives an instruction to execute the first application program, but after that, the first application program When the process of starting the application program 2 is executed, the steps after step S7 are performed.)

  First, in step S7, the first confirmation stage shown in FIG. 6 is performed. In the first confirmation stage, processing for confirming the validity of the signature information 22A for the application package 21A is performed. That is, for the distribution file 20A input in step S6, a signature verification process using decryption using the second key K (a2) of the program provider A included in the A signature information 22A is performed. The validity of the signature information 22A for the application package 21A is confirmed.

  Specifically, as described with reference to FIG. 6, the signature value S (A) and the second key K (a2) of A are extracted from the signature information 22A, and A is applied to the signature value S (A). A hash value H1 is obtained by performing a decryption process using the second key K (a2), and an irreversible transformation is performed on the application package 21A (signature target data D) by applying a hash function HASH. H2 is obtained, and a match between the hash value H1 and the hash value H2 is confirmed. In the case of an Android terminal, this first confirmation stage is also executed by the basic function of the OS program.

  If a positive result is obtained in the first confirmation stage of step S7, that is, if the validity of the signature information 22A for the application package 21A is confirmed, the process proceeds to step S9 via step S8, Two confirmation steps are performed. On the other hand, if a negative result is obtained in the first confirmation stage of step S7, that is, if the validity of the signature information 22A for the application package 21A is not confirmed, “There is falsification”. The process proceeds to step S11 via step S8, and the execution of the application is stopped.

  In the case of an Android terminal, the branch process in step S8 is also executed by the basic function of the OS program. That is, when a positive result is obtained in step S7, the OS program performs a process of starting the application program 10A, and when a negative result is obtained in step S7, the OS program is the application program 10A. Cancel startup. Such processing is processing based on the standard specification of AndroidOS.

  In step S9, the second confirmation stage shown in FIG. 6 is performed. In this second confirmation stage, processing for confirming the validity of the confidential information 23A with respect to the signature information 22A is performed. That is, A's signature information 22A and confidential information 23A, which are the confidential data C, are extracted from the distribution file 20A input in step S6, and the validity of the confidential information 23A for the confidential data C is confirmed. Actually, the process of the second confirmation stage is performed by the falsification check routine F included in the application program 10A obtained by expanding the application package 21A.

  As described above, the falsification check routine F incorporates the first specific key K (s1), and the validity of the confidential information 23A for the data C to be concealed using the first specific key K (s1). Check sex. Specific processing for confirming validity will be described with reference to §6. Since the falsification check routine F is a subroutine incorporated in the application program 10A, the process in step S9 is a process executed by the application program 10A.

  If a positive result is obtained in the second confirmation stage of step S9, that is, if the validity of the confidential information 23A for the confidential data C is confirmed, the process proceeds to step S12 via step S10. Then, an execution stage for continuing the processing of the application program 10A is performed. On the other hand, if a negative result is obtained in the second confirmation step of step S9, that is, if the validity of the confidential information 23A for the confidential data C is not confirmed, “There is tampering”. Is determined, and the process proceeds to step S11 via step S10, and the execution of the application is stopped.

  Eventually, step S8 and step S10 constitute a tampering determination stage in which it is determined that “tampered” or “not tampered”. That is, regarding the distribution file 20A input in step S6, if a positive result is obtained in both the first confirmation stage in step S7 and the second confirmation stage in step S9, “no falsification” is indicated. When a determination is made and a negative result is obtained in at least one of the first confirmation stage and the second confirmation stage, it is determined that “tampering exists”.

  If it is determined in this tampering determination stage that “no tampering” is obtained, the process proceeds to step S12, and an execution stage in which the distributed application program 10A is normally executed is performed. Is determined, the process proceeds to step S11, and the execution of the distributed application program 10A is stopped.

  Thus, when the execution process uses an application execution computer that executes an application program under the management of the OS program, the first confirmation step of step S7 is executed based on the OS program, and the second of step S9. This division of roles can be performed in such a manner that the confirmation stage is executed based on a falsification check routine in the application program. If the OS program originally has a function for performing the first confirmation step, such as an Android terminal, it is troublesome to separately prepare a program for performing the first confirmation step by performing such a division of roles. Can be omitted.

  In the case of an Android terminal, the first confirmation stage of step S7 is executed by the basic function of the OS program, and execution stop processing when branching to step S11 based on the determination that “tampered” is made in step S8 is OS It will be executed by the program. In this case, although the user U is instructed to start the application program 10A, the application program 10A is not yet started. Therefore, the execution cancellation process when branching from step S8 to step S11 is a process in which the OS program rejects the activation of the application program 10A regardless of an instruction from the user U.

  On the other hand, the second confirmation stage of step S9 is a process executed by the falsification check routine in the application program 10A after the application program 10A is activated. More specifically, the falsification check routine F in the subroutine group 13A is called as a subroutine from the program body 11A in the application program 10A, and the second confirmation stage is executed as a process in the subroutine. Become. Therefore, the execution cancellation process when branching from step S10 to step S11 is a process in which the application program 10A itself stops the execution of the subsequent processes and terminates (a process for returning control to the OS program). Of course, if it is determined in step S10 that “no falsification”, processing in the execution stage of step S12, that is, processing in which the application program 10A continuously executes the subsequent processing is performed.

  In short, in the embodiment shown in FIG. 7, after the first confirmation step (step S7) based on the OS program is performed, the second confirmation step (step S9) based on the falsification check routine F in the application program is executed. In the case where a negative result is obtained in the first confirmation stage, the falsification determination stage (step S8) accompanied by the determination that there is falsification is executed by the OS program, and the second confirmation stage. Without performing (Step S9), the execution of the application program as the determination target is stopped under the management of the OS program (Step S11).

  On the other hand, if an affirmative result is obtained in the first confirmation stage (step S7), the application program that is the determination target is executed under the management of the OS program to execute the second confirmation stage (step S9). )I do. If a negative result is obtained in the second confirmation stage, the application program itself performs a tampering determination stage (step S10) involving determination that tampering has occurred. Subsequent processing is stopped (step S11). Further, when a positive result is obtained in the second confirmation stage (step S9), the application program itself executes a tampering judgment stage (step S10) accompanied by a judgment that there is no tampering, and the application program The subsequent processing is subsequently executed by itself (step S12).

<<< §4. Tamper detection according to a basic embodiment of the present invention >>>
Here, when the cracker X obtains the distribution file 20A created by the method shown in FIG. 5 and redistributes the file by falsifying it, the falsification is detected by any method on the Android terminal. Let's explain what.

  FIG. 8 is a block diagram showing a tampering process attempted by cracker X for the distribution method shown in FIG. First, the cracker X performs an expansion process on the application package 21A included in the obtained distribution file 20A, restores the original application program 10A, and falsifies the contents.

  The upper part of FIG. 8 is a diagram showing the application program 10X ′ after such tampering. As described in §2, among the components of the application program 10 for the Android terminal, the resource data 12 and the auxiliary file 14 can be easily falsified. Therefore, again, assume that the cracker X has altered the resource data 12 and the auxiliary file 14. The resource data 12X and the auxiliary file 14X shown in FIG. 8 have been falsified by the cracker X. Subsequently, the cracker X performs repackaging processing on the application program 10X ′ to generate a falsified application package 21X ′.

  If the cracker X replaces and redistributes the application package 21X 'generated in this way with the regular application package 21A in the regular distribution file 20A, the fact of falsification is detected by the normal falsification detection process performed on the Android terminal. Is detected as described in §2. That is, a mismatch occurs in the process of confirming the validity of the A signature information 22A. Also in the present invention, the falsification is detected by the OS program in the first confirmation stage of step S7 in the execution process shown in FIG.

  Therefore, consider the case where the cracker X has also altered the signature information. That is, as shown in the lower part of FIG. 8, the cracker X uses the first key K (x1) of its own to sign the signature value S (for the signature target data D ′ (that is, the altered application package 21X ′). X ′) is generated, X signature information 22X ′ including the generated signature value S (X ′) and its own second key K (x2) is generated, and the application package is falsified. By adding X signature information 22X ′ to 21X ′, a falsified distribution file 20X ′ is created.

  If the signature information is tampered in this way, re-signing by the cracker X is performed, so that the X signature information 22X ′ has the validity for the signature target data D ′. Therefore, in the conventional method, falsification cannot be detected for the distribution file 20X ′ created in this way. Also in the present invention, such falsification cannot be detected in the first confirmation stage of step S7 in the execution process shown in FIG.

  However, confidential information 23A is further added to the distribution file 20A distributed by the method according to the present invention, and the validity of the confidential information 23A is confirmed at the second confirmation stage of step S9. The The secret information 23A is information obtained by concealing the data C to be concealed (in this example, the signature information 22A of A) using the second specific key K (s2), as shown in the lower part of FIG. However, if the second specific key K (s2) is managed in a secret state, the cracker X cannot obtain it. Accordingly, the cracker X performs the concealment process using the second specific key K (s2) using the X signature information 22X ′ created by itself as the concealment target data C ′, and the falsified concealment information 23X is obtained. It cannot be created. In the lower part of FIG. 8, the part marked with “x” indicates a process that the cracker X cannot actually perform or information that the cracker X cannot create.

  Eventually, the cracker X keeps the secret information in the created distribution file 20X ′ as it is (the secret information 23A), deletes it, or creates a new one. There is no choice but to replace it with arbitrary confidential information. Regardless of which method is used, since the validity cannot be confirmed in the second confirmation stage of step S9 in the execution process shown in FIG. 7, tampering is detected.

  That is, if the original state is left as it is, a process of confirming the validity of the confidential information 23A for the X signature information 22X ′ is performed in the second confirmation stage. Since the information is valid for the A signature information 22A, the validity for the X signature information 22X 'cannot be confirmed. On the other hand, when the confidential information is deleted, since there is no object for the validity confirmation for the signature information 22X ′ of X, the validity confirmation process cannot be performed in the first place. In addition, when replaced with newly created arbitrary confidential information, the confidential information after the replacement is obtained by concealing the signature information 22X ′ of X using the second specific key K (s2). As long as it does not coincide with the information (in other words, the information whose validity is confirmed using the first specific key K (s1)), the validity is not confirmed in the second confirmation stage.

  Eventually, even if the cracker X performs falsification on the application package 10A and the signature information 22A, if falsification is not performed on the confidential information 23A, the falsification is detected in the second confirmation stage. Execution of the application program is stopped and the process after falsification detection is not executed normally. As described above, according to the distribution execution method of the application program according to the present invention, it is possible to perform effective tampering detection even when tampering with the electronic signature is performed. It becomes possible to cancel execution of.

  Of course, the falsification detection function by the application program distribution execution method according to the present invention is not 100% complete. Theoretically, it is possible to perform tampering that passes both the first confirmation stage and the second confirmation stage.

  For example, if the location of the first specific key K (s1) can be specified by analyzing the subroutine group 13A, the first specific key K (s1) is rewritten to another key. It is possible to perform falsification so that the legitimacy is confirmed in the second confirmation stage. Further, if the code group constituting the falsification check routine F can be specified by analyzing the subroutine group 13A, the falsification check routine F itself is falsified, so that the second confirmation is performed in any case. It is also possible to prevent tampering detection at the stage. Alternatively, if the location of the subroutine call instruction that calls the falsification check routine F can be specified by analyzing the program main body 11A, the subroutine call instruction is rewritten to another meaningless instruction, thereby falsification. It is possible to prevent the check routine F from being executed.

  In this way, after analyzing the contents of the program in the program main body 11A and the program in the subroutine group 13A one by one, the second confirmation step is avoided in an illegal manner for the program main body 11A and the subroutine group 13A. When such alterations are made, the present invention cannot detect alterations (of course, second alterations such as alteration of a subroutine other than the alteration check routine, alteration of a program body other than the portion calling the alteration check routine, etc.) If the alteration is such that execution of the confirmation stage is not avoided, the alteration can be detected by the present invention.) However, actually, in order to falsify the program main body 11A and the subroutine group 13A, it is necessary for a cracker with advanced knowledge about the program to perform work with sufficient time and labor. On the other hand, falsification of the resource data 12 and the auxiliary file 14 can be performed by a cracker having some knowledge of the APK file, and does not require time and labor.

  The main object of the present invention is to provide an effective detection method for tampering that can be performed relatively easily as described above. In practice, many of the tampered application programs are detected. It has a sufficient effect. In particular, in the basic embodiment described so far, the falsification check routine F is incorporated in the application program 10A as one subroutine in the subroutine group 13A, so that the second confirmation stage is performed. There is no need to prepare another program. That is, a falsification check routine F that determines whether or not the distribution file 20A has been falsified is incorporated, and the computer that executes the falsification check routine F has a separate check for falsification. There is no need to prepare a simple application.

  Generally, if an application for tampering check is separately prepared, an extra cost is required for managing and distributing the application. Therefore, if the method of incorporating the falsification check routine F into the application program 10A as in the basic embodiment described so far is adopted, it is not necessary to manage or distribute the falsification check program separately. Since it is sufficient to manage and distribute only the application program 10A, there is an advantage that extra costs can be reduced. Further, the falsification check can be performed on the application execution computer side by executing only the application program 10A. That is, when attention is paid to a series of flow of distribution, installation and execution of application programs, it becomes possible to detect falsification by applying the present invention without obstructing the conventional flow.

  For example, when the present invention is applied to an application program distributed to an Android terminal, the falsification check routine F for determining whether or not the obtained distribution file 20A (that is, APK file) has been falsified is the APK file. Since it is included in the Android OS, the Android OS executes the first confirmation step on the APK file as usual to confirm the validity of the signature information, and then executes the application program included in the APK file. You just need to do the processing. The Android terminal can handle the APK file according to the present invention in the same way as a general APK file, and the second confirmation stage is performed by executing the APK file, so that no special function is required for the Android terminal. In addition, when performing the second confirmation stage, there is no need to process an inquiry to an external authentication server, and the falsification check routine F is in an offline state (a state where communication with the outside is blocked). However, the processing function can be performed without any trouble.

<<< §5. Variation of data to be concealed >>>
In the distribution execution method according to the basic embodiment of the present invention described in § 3, the entire signature information 22A of A (that is, the signature values S (A) and A Using the second key K (a2)) as the concealment target data C, concealment processing using the second specific key K (s2) is performed to create the concealment information 23A. The secret information 23A created in this way is information that leaves a trace of the signature information 22A of A, and the signature information of A is obtained by a predetermined confirmation method using the first specific key K (s2). It has a unique property that it is possible to confirm the validity of 22A.

  If the confidential information 23A having such properties is included in the distribution file 20A, a process for confirming the validity of the confidential information 23A with respect to the signature information 22A of A (second confirmation process) is performed. It is possible to confirm whether or not the signature information 22A is falsified.

  However, the concealment target data C used for carrying out the present invention is not necessarily limited to the A signature information 22A. Here, some variations of the concealment target data C will be described.

  FIG. 9 is a block diagram showing a variation of the distribution method according to the basic embodiment of the present invention shown in FIG. The only difference from the embodiment shown in FIG. 5 is the method of setting the concealment target data C. In the example shown in FIG. 5, the entire signature information 22A of A is set as the concealment target data C as shown by being surrounded by a thick line frame. However, in the variation shown in FIG. , Only the data constituting the second key K (a2) of A included in the signature information 22A of A is set as the concealment target data C.

  Therefore, in the case of the variation shown in FIG. 9, the second key K (a2) of A is concealed using the second specific key K (s2) in the secret information creation stage in step S3 of FIG. The secret information 23A ′ is created. Further, in the second confirmation stage of step S9, instead of confirming the validity of the confidential information 23A with respect to the signature information 22A of A, the second key K (a2) of A which is the data C to be concealed in this variation The validity of the confidential information 23A ′ is confirmed.

  As described above, even when the second key K (a2) of A is used as the concealment target data C instead of the signature information 22A of A, it is necessary to detect whether or not the signature information has been tampered with. There will be no hindrance. In the first place, the signature information 22A of A indicates that the program provider A guarantees the contents of the application package 21A as the signature target data D, and the trace of the program provider A is the second key K ( It is recorded as a2). When the cracker X tampers with the signature information, the signature information 22A of A is replaced with the signature information 22X ′ of X as shown in FIG. (A2) is also replaced with the second key K (x2) of X.

  Therefore, the second key K (a2) of A is set as the data C to be concealed, and is concealed to create the concealment information 23A ′. In the second confirmation stage, the second key K ( Even if the validity of the confidential information 23A ′ for a2) is confirmed, it is possible to detect whether the signature information has been tampered with. When the second key K (a2) of A is replaced with the second key K (x2) of X, the confidential information 23A ′ uses the second key K (a2) of A as the data C to be concealed. Therefore, the validity of the replaced second key K (x2) of X cannot be confirmed.

  Eventually, if data including at least the second key K (a2) of the program provider A is used as the concealment target data C, even if the cracker X performs falsification on the signature information, the second This can be detected in the confirmation stage. As long as the second specific key K (s2) is not obtained, the cracker X is a secret that can be confirmed by the falsification check routine F (a routine for confirming the validity by the first specific key K (s1)). Since the information 23X cannot be created, even if the A signature information 22A is completely replaced with the X signature information 22X ′, tampering detection at the second confirmation stage cannot be avoided.

  As described above, the signature information 22A of A can be set as the concealment target data C as in the example shown in FIG. 5, and the second key K (a2 of A) can be set as in the variation shown in FIG. ) Can be set as the concealment target data C, and various other variations can be employed.

  FIG. 10 is a block diagram showing another variation. In this variation, the entire data constituting both the application package 21A and the signature information 22A of A is set as the concealment target data C as shown by being surrounded by a thick line frame. Therefore, in the case of this variation, the confidential information 23A ″ is created by concealing the entire data in the portion surrounded by the thick line frame in the drawing using the second specific key K (s2). In the second confirmation stage, the validity of the secret information 23A ″ for the entire data in the portion surrounded by the bold frame is confirmed.

  Even in the variation shown in FIG. 10, since the second key K (a2) of A is included in the data C to be concealed, the cracker X performs falsification to replace the signature information 22A of A with the signature information 22X ′ of X. Even if it does, tampering detection in the second confirmation stage will function effectively.

  Eventually, in order to leave a trace of the signature of the program provider A in the distribution file 20A in some form, in the secret information creation stage of step S3 in FIG. 7, in the data constituting the application package 21A and the signature information 22A Then, a predetermined part including the second key K (a2) of the program provider is extracted as the concealment target data C, and the second specific key K (s2) is used for the extracted concealment target data C. Concealment processing may be performed to create confidential information.

  The example shown in FIG. 5 is an example in which the entire data constituting the signature information 22A is set as the concealment target data C and the secret information 23A is created, and the example shown in FIG. 9 is a program provided in the signature information 22A. FIG. 10 shows an example in which confidential information 23A ′ is created by setting the data constituting the second key K (a2) of the user as the confidential data C, and the example shown in FIG. 10 includes the application package 21A, the signature information 22A, This is an example in which the secret data 23A ″ is created by setting the entire data constituting both of the data to be concealed.

  In order to achieve the purpose of leaving the trace signed by the program provider A, only the second key K (a2) of the program provider is concealed with the data C to be concealed as in the example shown in FIG. This is the simplest and most direct method. From this point of view, the example shown in FIG. 5 and the example shown in FIG. 10 can be said to be redundant methods. However, from the viewpoint of leaving some trace regarding the application package 21A in addition to the trace signed by the program provider A, the example shown in FIG. 5 and the example shown in FIG. 10 are meaningful methods.

  For example, in the example shown in FIG. 10, both the application package 21A and the signature information 22A surrounded by a thick frame are set as the data C to be concealed. Since the validity of 23A ″ is confirmed, it is possible to perform both falsification detection for the application package 21A and falsification detection for the signature information 22A.

  In the basic embodiment shown in FIG. 5, falsification detection for the application package 21A is performed in the first confirmation stage using the signature information 22A of A, and falsification detection for the signature information 22A is performed using the confidential information 23A. In the case of the variation shown in FIG. 10, tampering detection for the application package 21A is performed in the first confirmation stage using the signature information 22A of A and the confidential information 23A ″. This is also repeated in the second confirmation stage using.

  In the embodiments described so far, the process in the second confirmation stage has been regarded as a process for detecting falsification of the signature information. However, as described above, the process in the second confirmation stage is performed by the application package 21A. It can also be used to detect tampering.

  Therefore, if the processing in the second confirmation stage is used only for falsification detection for the application package 21A, not for falsification detection of the signature information, the concealment target data C does not necessarily include the second data of the program provider A. The key K (a2) need not be included. For example, when only the part of the application package 21A is set as the concealment target data C and the concealment information 23A ′ ″ is created, tampering detection for the signature information 22A of A cannot be performed in the second confirmation stage. However, it is possible to detect falsification for the application package 21A.

  After all, the basic technical idea of the present invention can be understood as a method for detecting falsification of an application program. In this falsification detection method, the computer uses an application program 10A (in the case of the embodiment described so far, packaged application package 21A), signature information 22A, and confidential information 23A (for each of the above-described variations). In this case, there is an input stage for inputting a data file including 23A ′, 23A ″, 23A ′ ″) and a determination stage for determining whether or not the application program 10A has been tampered with. .

  Here, the signature information 22A is information obtained by electronic signature processing using the application program 10A (or application package 21A) as signature target data D, and the confidential information 23A (or 23A ′, 23A ″, 23A). '' ') Extracts a predetermined portion of the data constituting the application program 10A (or application package 21A) and signature information 22A as the concealment target data C, and conceals the extracted concealment target data C. This is information obtained by processing.

  In the determination stage, the first confirmation stage for confirming the presence / absence of falsification based on the signature information 22A and the presence / absence of falsification based on the confidential information 23A (or 23A ′, 23A ″, 23A ′ ″). A tampering check for confirming the validity of the confidential information for the data C to be concealed in consideration of the processing process performed in the concealment process. A routine is included, and the second confirmation step is performed by executing this tampering check routine.

  In the embodiments described so far, such a falsification detection method is incorporated into the application program distribution execution method, and a predetermined part including the second key K (a2) of the program provider is concealed. Used as C and executed by the computer executing the application program under the control of the OS program, the first confirmation stage is executed based on the OS program, and the second confirmation stage is executed based on the falsification check routine in the application program It will be an example of doing so.

<<< §6. Specific Embodiment of Concealment Processing >>>
Here, a specific embodiment of the concealment process performed in the concealment information creation stage (step S3 in FIG. 7) in the present invention will be described. As shown in FIG. 5, in the secret information creation stage in the present invention, the concealment process using the second specific key K (s2) is performed on the data C to be concealed, and the secret information 23A is created. The Here, the concealment information 23A is some data that is uniquely determined when the concealment target data C and the second specific key K (s2) are given, and the first specific key K ( By the predetermined check process using s1), the validity of the confidential information 23A with respect to the confidential data C is confirmed.

  In order to conceal the concealment target data C and create the concealment information 23A, the second specific key K (s2) is required. Therefore, if the second specific key K (s2) is secretly managed, the cracker X cannot generate the secret information 23A. Further, the concealment information 23A is literally “information that conceals the original concealment target data C”, and the original concealment target data C cannot be restored using only the concealment information 23A. Hereinafter, a specific method of concealment processing for creating the concealment information 23A having such properties will be described.

  The following description is for an example (example in FIG. 5) in which the signature information 22A of A is set as the concealment target data C, as in the basic embodiment described in §3. The specific processing method of the concealment process described below is also effective for variations (for example, examples of FIGS. 9 and 10) in which various settings are made for the concealment target data C as described in §5. is there.

<6-1: Encryption processing>
The first process suitable for the concealment process in the present invention is an encryption process. When the encryption process is used as the concealment process, the relationship between the concealment target data C and the concealment information 23A is obtained by encrypting the former and obtaining the latter by decrypting the latter. Become a relationship.

  In order to perform such encryption and decryption, it is preferable to use a public key cryptosystem. In the public key cryptosystem, a pair of keys having a property that data encrypted using one key can be decrypted using the other key is used. Accordingly, the confidential information 23A is obtained by encrypting the confidential data C using one key, and the tampering check routine F decrypts the confidential information 23A using the other key, When the data to be concealed obtained by this decryption matches the data to be concealed C extracted from the data file 20A input at the input stage, it is confirmed that there is no falsification.

  FIG. 11 is a block diagram showing a specific embodiment in which encrypted information is used as the confidential information 23A in the distribution method shown in FIG. In this embodiment, the program provider A receives the assistance of the program guarantor G when distributing the distribution file 20A. The program guarantor G may be a public institution or a private company, but an organization that has social credibility and the ability to safely manage keys will play its role. It is preferable to do this.

  As described above, when the encryption process using the public key cryptosystem is adopted as the concealment process, the first specific key K (s1) and the second specific key K (s2) shown in FIG. A pair of keys having the property that data encrypted using one key can be decrypted using the other key is used. In the example shown in FIG. 11, the first key K (g1) of the program guarantor G is used as the first specific key K (s1), and the second key K (g2) of the program guarantor G is used as the second key. This is an example used as the specific key K (s2). More specifically, the public key of the program guarantor G may be used as the first key K (g1), and the secret key of the program guarantor G may be used as the second key K (g2). However, the present invention can be implemented even if the public key and the secret key are used interchangeably.

  The program guarantor G creates in advance a falsification check routine F having its own first key K (g1) built therein, and uses this falsification check routine F and its second key K (g2). The recorded medium may be lent to the program provider A. Then, the program provider A can create the distribution file 20A using this medium. Therefore, in the embodiment shown here, the signature information 22A of A serves as information to be added by the program provider A to guarantee the contents of the application package 21A by using its own key. 23A serves as information to be added by the program guarantor G to guarantee the content of the signature information 22A of A using its own key.

  The program provider A first creates an application program 10 as shown in the upper part of FIG. 1 by the same method as before. Subsequently, the falsification check routine F is read from the medium borrowed from the program guarantor G and added to the subroutine group 13, thereby creating a subroutine group 13A as shown in the upper part of FIG. In addition, based on the subroutine call instruction for calling the falsification check routine F in the program body 11 and the execution result returned from the falsification check routine F, a processing program that continues or stops the execution of the program (“falsification”). If "None" is returned, the program will continue to run, and if "Tampered" is returned, the program will be suspended. A program body 11A is created.

  Through such a process, an application program 10A as shown in the upper part of FIG. 11 can be created. In this application program 10A, a falsification check routine F including the first key K (g1) of the program guarantor G is incorporated. When the application program 10A is prepared in this way, it is packaged in the same manner as in the conventional method (a dedicated program for creating an APK file may be used) to create an application package 21A (the packaging stage in step S1 in FIG. 7). . Next, the program provider A uses the application package 21A as signature target data D, performs electronic signature processing using its own first key K (a1), and creates A signature information 22A (FIG. 7). Step S2 of signature information creation step).

  Subsequently, the second key K (g2) of G is read from the medium borrowed from the program guarantor G, the signature information 22A of A is used as the concealment target data C, and the second key K of G ( The concealment process using g2) is performed to create the concealment information 23A (the concealment information creation stage of step S3 in FIG. 7). In the case of the embodiment shown in FIG. 11, since the encryption process is adopted as the concealment process, the second specific key (that is, the second key K of the program guarantor G (g2 )), The encryption information 23A is encrypted and the confidential information 23A is created.

  Finally, the distribution file 20A (APK file) can be created by collecting the signature information 22A and the confidential information 23A of the application packages 21A and A (distribution file creation stage in step S4 in FIG. 7). Therefore, this may be output to a Web server or a physical medium (file output stage in step S5 in FIG. 7) and distributed by any method.

  On the other hand, the application execution computer (Android terminal) obtains the distribution file 20A (APK file) created by such a method (file input stage in step S6 in FIG. 7) and executes it. First, the validity of the signature information 22A is confirmed by the function of the OS program (the first confirmation stage of step S7 in FIG. 7), and then the falsification check routine F incorporated in the distribution file 20A is executed. The validity of the confidential information 23A is confirmed by the function (second confirmation stage of step S9 in FIG. 7).

  FIG. 12 is a block diagram showing processing for confirming the validity of the signature information 22A and the validity of the confidential information 23A for the distribution file 20A shown in FIG.

  First, the validity of the signature information 22A (first confirmation stage) is performed as follows, as described above. First, the signature value S (A) and the second key K (a2) of A are extracted from the signature information 22A, and the signature value S (A) is decrypted using the second key K (a2) of A. By performing the processing, the hash value H1 is obtained. Next, the application package 21A (signature target data D) is subjected to an irreversible transformation using a hash function HASH to obtain a hash value H2. When the process of confirming whether or not the hash value H1 and the hash value H2 match is performed, the first confirmation stage is completed.

  On the other hand, the validity (second confirmation stage) of the confidential information 23A is confirmed by utilizing the basic principle of the public key cryptosystem. That is, in the embodiment shown here, the first key K (g1) and the second key K (g2) of the program guarantor G constitute a pair of keys in the public key cryptosystem, and the second key The data encrypted using the first key K (g2) can be decrypted using the first key K (g1). Therefore, the falsification check routine F executes the process of the second confirmation stage by the following method.

  First, as shown in FIG. 12, the secret information 23A extracted from the input distribution file 20A is decrypted using the first key K (g1) of the program guarantor G built in the falsification check routine F. The original concealment target data C is obtained. Subsequently, the concealment target data C obtained by this decryption and the concealment target data C extracted from the input distribution file 20A (in this example, the signature information 22A of A) match. In addition, it may be confirmed that the confidential information 23A is valid.

  After all, in the method described here, the data C to be concealed is concealed by a method called encryption, and is added to the distribution file 20A in the form of concealment information 23A and distributed, and the application execution computer (Android terminal) It can be said that the method of detecting the presence or absence of falsification by confirming that the result of decrypting the confidential information 23A matches the confidential data C. Since the cracker X cannot obtain the second key K (g2) of the program guarantor G used for encryption, the secret information 23A cannot be falsified.

<6-2: Digest processing>
The second process suitable for the concealment process in the present invention is a digest process. When digest processing is used as the concealment processing, the relationship between the concealment target data C and the concealment information 23A is such that the latter can be obtained by digesting the former.

  Here, digesting is a process of obtaining another information that can be uniquely determined based on the original information by performing a calculation process that reduces the amount of information from the original information. Specifically, a process for applying some one-way function to the data constituting the original information may be performed. In this case, the concealment information 23A is obtained by subjecting the concealment target data C to digest processing that applies a one-way function using a predetermined specific key as a parameter. Information obtained by performing the same process as the digest process using the same key as the specific key on the concealment target data C extracted from the data file 20A input at the input stage is obtained at the input stage. If it matches the confidential information 20A included in the input data file 20A, it is confirmed that there is no falsification.

  FIG. 13 is a block diagram showing a specific example in which digested information is used as the confidential information 23A in the distribution method shown in FIG. Also in this embodiment, the program provider A receives the assistance of the program guarantor G when distributing the distribution file 20A. However, the same common specific key K (s0) is used as the first specific key K (s1) and the second specific key K (s2).

  The program guarantor G creates in advance a falsification check routine F containing a common specific key K (s0) that it manages in a secret state, and this falsification check routine F and the common specific key K ( The medium on which s0) is recorded may be lent to the program provider A. Then, the program provider A can create the distribution file 20A using this medium.

  Specifically, the program provider A uses the medium borrowed from the program guarantor G as in the embodiment employing the above-described encryption processing, and uses the application program 10A as shown in the upper part of FIG. create. In this application program 10A, a falsification check routine F including the common specific key K (s0) of the program guarantor G is incorporated.

  When the application program 10A is prepared in this way, it is packaged to create an application package 21A. Then, the program provider A uses the application package 21A as signature target data D, performs electronic signature processing using its own first key K (a1), and creates A signature information 22A.

  Subsequently, the common specific key K (s0) is read from the medium borrowed from the program guarantor G, and the concealment process using the common specific key K (s0) is performed using the A signature information 22A as the concealment target data C. The secret information 23A is created. In the embodiment shown in FIG. 13, since the digest process is adopted as the concealment process, the digest process for the concealment target data C is performed using the common specific key K (s0) at the secret information creation stage. The secret information 23A is created.

  As described above, the digesting process is a process in which a one-way function using the common specific key K (s0) as a parameter is applied to the concealment target data C. Specifically, a process of applying a hash function using the common specific key K (s0) as a parameter is performed, and the obtained hash value may be used as the confidential information 23A.

  Finally, the distribution information 20A (APK file) may be generated by distributing the signature information 22A and the confidential information 23A of the application packages 21A and A together.

  On the other hand, the application execution computer (Android terminal) performs the method shown in the block diagram of FIG. 14 on the distribution file 20A (APK file) created by such a method, and the validity and confidential information of the signature information 22A. Processing for confirming the validity of 23A is performed.

  Here, confirmation of the validity of the signature information 22A (first confirmation stage) is exactly the same as the embodiments described so far. That is, the signature value S (A) is decrypted using the second key K (a2) of A to obtain the hash value H1, and the application package 21A (signature target data D) is processed. On the other hand, a process for obtaining a hash value H2 by performing an irreversible transformation using the hash function HASH is performed, and a process for confirming whether or not the hash value H1 and the hash value H2 match each other is performed.

  On the other hand, in the confirmation of the validity of the confidential information 23A (second confirmation stage), whether or not the same result is obtained by executing exactly the same processing as the processing performed when the program provider A creates the confidential information 23A. Is done by checking.

  Specifically, first, the concealment target data C (in this example, the signature information 22A of A) and the common specific key K (s0) incorporated in the falsification check routine F are extracted from the input distribution file 20A. To do. Then, a digest process using the extracted common specific key K (s0) (the same process as the process performed at the secret information creation stage of the distribution process) is executed on the extracted concealment target data C. In other words, as in the distribution process, a hash function may be obtained by performing a process of applying a hash function using the common specific key K (s0) as a parameter. When the hash value obtained by the digest processing matches the confidential information 23A included in the input distribution file 20A, it is confirmed that the confidential information 23A is valid. .

  Eventually, the method described here conceals the data C to be concealed by a method of digesting, adding it to the distribution file 20A in the form of concealment information 23A, and the application execution computer (Android terminal) It can be said that a method of detecting the presence / absence of falsification by digesting the concealment target data C by the same method and confirming that it matches the concealment information 23A added. Since the cracker X cannot obtain the common specific key K (s0) of the program guarantor G used for digesting, the secret information 23A cannot be falsified.

  When encryption is adopted as the concealment process, the obtained concealment information includes information necessary for restoring the original concealment target data C by decryption. Therefore, if the amount of information of the original concealment target data C is large, the amount of information of the obtained confidential information also increases. For this reason, for example, when the data including the signature information 22A of the application packages 21A and A is used as the concealment target data C as in the example shown in FIG. 10, the data capacity of the obtained confidential information 23A ″ is considerably large. This increases the size of the distribution file 20A ″.

  On the other hand, when digesting is adopted as the concealment process, it is not necessary to restore the original concealment target data C from the obtained concealment information, so that it is possible to greatly reduce the amount of information of the concealment information. is there. Therefore, for example, as shown in the example of FIG. 10, even when the concealment target data C having a considerably large data capacity is set, if the digesting is employed, the data capacity of the obtained confidential information 23A ″ is reduced. This can prevent the enlargement of the distribution file 20A ″.

<6-3: Other concealment processing>
As described above, the encryption process and the digest process are illustrated as specific embodiments of the concealment process in the present invention. However, in carrying out the present invention, the specific form of the concealment process includes these two processes. It is not limited.

  The concealment process in the present invention is a process based on the premise that the first specific key K (s1) and the second specific key K (s2) having a special relationship with each other are used. By performing some arithmetic processing using the key K (s2), the secret information 23A can be uniquely determined for the original data C to be concealed, and by using the first specific key K (s1) Any process can be adopted as the concealment process as long as the process satisfies the condition that the validity of the concealment information 23A with respect to the concealment target data C can be confirmed (that is, it can be confirmed that it has not been tampered with). It doesn't matter.

  In the above-described encryption processing, the first specific key K (s1) and the second specific key K (s2) are keys having a special relationship with each other as “a pair of keys used in the public key cryptosystem”. Will be adopted. In the digest process described above, the first specific key K (s1) and the second specific key K (s2) have a special relationship with each other as “the same common specific key K (s0)”. Key will be adopted.

<<< §7. Distribution file creation device >>>
Next, the basic configuration and operation of the distribution file creation apparatus according to the present invention will be described based on the embodiment shown in FIG. The apparatus shown in the block diagram of FIG. 15 is an apparatus for creating a distribution file of an application program, and has a function of executing the distribution process (steps S1 to S5) shown in FIG. Here, the configuration and operation of the apparatus will be described by taking as an example the case where the program provider A creates a distribution file (APK file) for distribution to an Android terminal using this apparatus.

  In the block diagram of FIG. 15, rectangular blocks indicate basic components of the distribution file creation apparatus, and elliptic blocks indicate information (programs, data, files) handled by these basic components. . In addition, about the individual information shown by an elliptical block, the code | symbol same as the code | symbol used by the description so far is attached | subjected.

  As shown in the figure, this creating apparatus has three storage units 110, 120, and 130. The application program storage unit 110 is a unit for storing the application program 10 to be distributed. The application program 10 to be distributed here corresponds to the form shown in the upper part of FIG. 1 and refers to an application program in a state before packaging or processing specific to the present invention.

  As already described, according to the Android specification, the application program 10 includes a program body 11, resource data 12 including images and character strings, a subroutine group 13 called from the program body 11, and XML format data. Auxiliary file (manifest file) 14.

  On the other hand, the falsification check routine storage unit 120 is a unit that stores a falsification check routine F containing the first specific key K (s1), and the key storage unit 130 includes the second specific key K (s2), a program The unit stores the first key K (a1) of the provider A and the second key K (a2) of the program provider A. Of course, the “key” in the present application is data consisting of a specific character or code arrangement managed by a specific person, and the key storage unit 130 is a component having a function of recording such data. Any form can be used.

  Here, the first key K (a1) and the second key K (a2) of the program provider A have the property that data encrypted using one key can be decrypted using the other key. A pair of keys, more specifically, a public key and a private key of the program provider A itself (a pair of keys used for a public key cryptosystem). On the other hand, the first specific key K (s1) and the second specific key K (s2) confirm the validity of the data subjected to the concealment process using one key using the other key. It is a pair or the same key having a property that can be performed, and may be a key managed by the program provider A itself. However, as described in §6, when the embodiment in which the program guarantor G intervenes is adopted, This is a key managed by the program guarantor G.

  The falsification check routine adding unit 140 is a unit that performs processing for adding the falsification check routine F stored in the falsification check routine storage unit 120 to the application program 10 stored in the application program storage unit 110. That is, the alteration check routine F is added to the subroutine group 13 in the application program 10 shown in the upper part of FIG. 1, and the process of creating the subroutine group 13A shown in the upper part of FIG. 5 is executed.

  On the other hand, the program provider A continues or cancels the execution of the program based on the subroutine call instruction for calling the falsification check routine F to the application program 10 and the execution result returned from the falsification check routine F. A program main body 11A shown in the upper part of FIG.

  Note that the process of changing the application program 10 to the application program 10A may be performed not by the manual operation by the program provider A but by the automatic operation by the falsification check routine adding unit 140. Specifically, if the subroutine call instruction and the continuation stop processing program described above are prepared in advance in the alteration check routine adding unit 140, these are stored in predetermined locations (for example, the top of the program, Android Depending on the specifications, the unit 140 itself can be provided with a function of being automatically inserted (for example, immediately after completion of the essential initial setting process). Then, all the processes for changing the application program 10 to the application program 10 </ b> A can be performed automatically by the falsification check routine adding unit 140.

  Of course, if an application program including the program body 11A (a program in which the subroutine call instruction and the continuation stop processing program described above are incorporated) is prepared in the application program storage unit 110, a falsification check routine addition unit is prepared. 140 only needs to add the falsification check routine F to the subroutine group 13 to create the subroutine group 13A.

  The packaging process unit 150 performs a process of creating an application package 21A by performing a packaging process including at least a compression process on the application program 10A to which the falsification check routine F is added. According to the Android specification, a packaging process including a ZIP type compression process is executed.

  The signature information creation unit 160 uses the application package 21A created in this way as signature target data, performs electronic signature processing using encryption using the first key K (a1) of the program provider A, and performs a signature value S. (A) is generated, and A signature information 22A including the signature value S (A) and the second key K (a2) of the program provider is created.

  On the other hand, the secret information creation unit 170 extracts a predetermined portion including the second key of the program provider A from the data constituting the application package 21A and the signature information 22A as the secret data C, and extracts the secret Concealment processing using the second specific key K (s2) is performed on the data to be activated C to create confidential information 23A.

  In the case of the embodiment shown in FIG. 5, since the signature information 22A of A is set as the concealment target data C, as shown in FIG. 15, the secret information creation unit 170 has the signature created by the signature information creation unit 160. The entire data constituting the information 22A is set as the concealment target data C, and the process of creating the confidential information 23A is performed. Of course, when the variation shown in FIG. 9 is adopted, the concealment information creation unit 170 may conceal only the data portion constituting the second key K (a2) of the program provider A included in the signature information 22A. When the variation shown in FIG. 10 is adopted, the confidential information creation unit 170 uses the entire data constituting both the application package 21A and the signature information 22A as the confidential data C. Become.

  The distribution file creation unit 180 collects the application package 21A, the signature information 22A, and the confidential information 23A, thereby creating a distribution file 20A as shown in the lower part of FIG. If it is based on the Android specification, a process of creating a distribution file having an APK format is performed. As described above, the APK file that employs the ZIP compression format is provided with a comment area where any comment text can be written. Therefore, if the confidential information 23A is recorded in this comment area, The distribution file 20A satisfies the conditions as an APK file that conforms to the Android specification. The distribution file 20A can be distributed as digital data stored in a data recording medium, or can be distributed in the form of digital data via a network such as the Internet.

  The distribution file (APK file) 20A distributed in this way includes a falsification check routine F for determining whether or not it is falsified by using the added confidential information 23A. In the computer, the falsification can be detected by executing the falsification check routine F.

  As already described, the falsification check routine F extracts the concealment target data C and the concealment information 23A from the distribution file 20A, and incorporates the validity of the concealment information 23A for the concealment target data C. When the specific key K (s1) is used for confirmation and the validity cannot be confirmed, the application program has a function of determining that the application program has been tampered with. In addition, when it is determined that the application program has been tampered with, it also has a function of performing processing for stopping execution of subsequent processing of the application program.

  As a specific method of the concealment process performed when the concealment information creation unit 170 creates the concealment information 23A, the encryption process described in §6-1 and the digestion process described in §6-2 are adopted. do it.

  In the case of adopting encryption processing, as the first specific key K (s1) and the second specific key K (s2), the property that data encrypted using one key can be decrypted using the other key A pair of keys having a key (a pair of keys used in the public key cryptosystem) is prepared, and the secret information creation unit 170 uses the second specific key K (s2) to encrypt the secret data C And secret information 23A may be created.

  In the embodiment in which the program guarantor G is interposed, the first specific key K (s1) is the first key K (g1) (for example, public key) of the program guarantor G, and the second specific key K is used. Using (s2) the second key K (g2) (for example, a secret key) of the program guarantor G, the data encrypted using the second key K (g2) of G is What is necessary is just to enable it to decrypt using the key K (g1). The secret information creation unit 170 creates the secret information 23A by performing the encryption process on the secret data C using the second key K (s2) of G.

  On the other hand, the tampering check routine storage unit 120 decrypts the confidential information 23A using the first specific key K (s1) (that is, the first key K (g1) of the program guarantor G), A falsification check routine having a function of confirming that the concealment information 23A is valid when the obtained concealment target data C and the concealment target data C extracted from the distribution file 20A match. Prepare F.

  On the other hand, when the digesting process is adopted, the same common specific key K (s0) is used as the first specific key K (s1) and the second specific key K (s2), and the confidential information is used. The creation unit 170 may create the confidential information 23 </ b> A by performing a digest process that applies a one-way function using the common specific key K (s <b> 0) as a parameter to the confidential data C. Specifically, a hash value obtained by performing a digest process that applies a hash function using the common specific key K (s0) as a parameter may be used as the secret information 23A.

  In this case, the falsification check routine storage unit 120 extracts the concealment target data C and the common specific key K (s0) from the distribution file 20A, and extracts the extracted common specific key for the concealment target data C. Information obtained by applying digest processing using K (s0) (exactly the same processing as digest processing executed by the confidential information creating unit 170) is identical to the confidential information 23A included in the distribution file 20A. If it has been done, a falsification check routine F having a function of confirming that the confidential information 23A is valid may be prepared.

  The distribution file creation apparatus shown in FIG. 15 is actually configured by incorporating a dedicated program or data into a general-purpose computer. In this case, each component shown by a rectangular block in FIG. 15 is not necessarily configured by one identical computer, and each component is distributed and arranged in a plurality of computers that can be connected to each other via a network. It doesn't matter.

<<< §8. Other variations >>
Finally, some modifications that can be applied to the various embodiments described so far will be described.

<8-1: Canceling process when tampering is detected>
In the case of the basic embodiment shown in FIG. 5, the application program 10A includes a program main body 11A and a subroutine group 13A called from the program main body 11A. A check routine F is included.

  Here, when the alteration check routine F is called from the program main body 11A, it executes a second confirmation stage for confirming the validity of the confidential information 23A with respect to the confidential data C, and the execution result is obtained. It has a function of returning to the program body 11A as a subroutine execution result.

  On the other hand, the program body 11A includes a subroutine call instruction for calling the falsification check routine F and a continuation cancellation program for continuing or canceling the subsequent processing in accordance with the execution result returned from the falsification check routine F. It has been incorporated. If the execution result returned from the falsification check routine F is a positive result, the subsequent stop program continues to execute the subsequent instruction group, and if the execution result is negative, the subsequent instruction group is executed. Cancels execution of.

  Thus, in the embodiments described so far, the falsification check routine F has only a function of executing the second confirmation stage for confirming the validity of the confidential information 23A and reporting the result to the program main body 11A. I did not. In other words, when falsification is detected in the second confirmation stage, the falsification check routine F performs a process of returning a negative execution result to the program main body 11A and is executed by the continuation cancellation program in the program main body 11A. Thereafter, the execution of the instruction group is stopped. In other words, the application program cancellation process is executed only as a function of the program main body 11A (specifically, a program in the program main body 11A is used to end the application, and the control is performed by the OS). Will be returned to the program).

  In general, the subroutine program that constitutes the subroutine group 13A is a program that is called and executed by the program body 11A. When the execution of the subroutine is completed, the instruction group in the original program body 11A is continuously executed. Will be. Therefore, normally, when a subroutine is called from the program main body 11A, the execution target code of the CPU temporarily moves to the code in the subroutine, and returns to the code in the program main body 11A again when the subroutine ends. become. The embodiments described so far are processes based on such general principles, and even when falsification is detected by the falsification check routine F, the program main body 11A performs the process of terminating the application. .

  However, the application termination process when tampering is detected is not necessarily performed by the program main body 11A, and may be performed by the tampering check routine F. As described above, according to the general principle, when processing of a subroutine is completed, control should be returned to the program body 11A that called the subroutine, but when falsification is detected by the falsification check routine F In any case, since it is necessary to terminate the application, it is possible to adopt an operation of performing the process of terminating the application by the falsification check routine F itself without returning the control to the program main body 11A.

  When such an operation is adopted, the program body 11A continues to receive a subroutine call instruction for calling the falsification check routine F and subsequent instruction groups when a positive result is returned from the falsification check routine F. A function for incorporating a program to be executed and returning to the falsification check routine F, if the execution result of the second confirmation stage is an affirmative result, to the program body 11A as a subroutine execution result. If the execution result of the second confirmation stage is a negative result, a function for stopping the execution of the application program (a function for terminating the application and returning control to the OS program) is incorporated. Just keep it.

  The execution of the falsification check routine F is preferably performed as early as possible so that falsification can be detected as soon as possible. Therefore, in practice, the program body 11A has a subroutine call instruction for calling the falsification check routine F before a group of instructions for performing the original function of the application program (for example, at the head of the program body 11A). It is preferable that tampering is detected before the instruction group related to the original function of the application program is executed.

<8-2: Loan form by program guarantor G>
In §7, the embodiment in which the program guarantor G intervenes was described. Thus, when the program guarantor G intervenes, the first specific key K (s1) and the second specific key K (s2) are keys provided from the program guarantor G, and the tampering check routine F Is also a program provided by the program guarantor G.

  In this case, the program guarantor G causes the computer to execute the functions of the falsification check routine F, the second specific key K (s2), and the units 140, 150, 160, 170, and 180 shown in FIG. A digital data recording medium including the above program may be lent to the program provider A. Then, the program provider A can configure the distribution file creation apparatus shown in FIG. 15 by installing the data and programs recorded in the recording medium in a general-purpose computer (program provision). As for the first key K (a1) and the second key K (a2) of the person A, it is necessary to incorporate the key managed by the user A into the key storage unit 130).

  The falsification check routine F including the first specific key K (s1) and the second specific key K (s2) are information that the program guarantor G should originally manage in a secret state. It is preferable to lend the program provider A in a state where it is stored in an electronic token (for example, an IC card or a USB memory) with sufficient security so that the program provider A cannot directly access it. .

<8-3: Embedding identification code of program provider>
As described above, when the embodiment in which the program guarantor G intervenes is adopted, the program guarantor G provides the same service not only to the program provider A but also to other program providers B and C. It is common to provide. In such a case, it is preferable to embed the identification code of each program provider (content provider) in the falsification check routine F that is lent to each program provider A, B, C.

  Then, when each program provider A, B, C constructs a distribution file creation device as shown in FIG. 15 using a general-purpose computer, it is stored in the falsification check routine storage unit 120. Since the identification codes of the program providers A, B, and C are embedded in the falsification check routine F, the falsification check routine F included in the distribution file 20A created by each program provider A, B, and C If the distribution file 20A is analyzed, it is possible to confirm which program provider created the file.

  For example, the program guarantor G applies the identification codes ID (A), ID (B), ID (C) of the program providers A, B, and C to the falsification check routine F that is lent to the program providers A, B, and C, respectively. ) (The simplest embedding method is to include the identification code ID (A), ID (B), ID (C) in the file name of the falsification check routine F). The falsification check routines F (A), F (B), and F (C) can be distinguished from each other. Then, it can be confirmed which falsification check routine F lent to the program provider is included in the distribution file 20A, so that the falsification check routine F itself may leak. Even if a situation arises, the location of responsibility can be clarified.

<8-4: Division of roles in the first and second confirmation stages>
In the embodiments described so far, the first confirmation stage for confirming the validity of the signature information 22A for the application package 21A (stage for confirming that the application package 21A has not been tampered with using the signature information 22A). Is executed by the OS program of the computer for executing the application to confirm the validity of the confidential information 23A with respect to the confidential data C (the confidential information 23A indicates that the signature information 22A has not been tampered with). The division of roles is performed such that the step of using and confirming is executed by the falsification check program included in the application package 21A.

  Such division of roles is extremely effective in an environment where an Android-specific application is distributed and executed on an Android terminal. That is, if the above roles are divided, it is not necessary to modify the Android terminal side to implement the present invention, and it is sufficient to create an APK file to be distributed with the apparatus shown in FIG.

  However, since the application of the present invention is not limited to the distribution and execution of the current Android-specific application, the above division of roles is not essential to the present invention.

  For example, if the Android specification is changed in the future and a program for executing the second confirmation stage is incorporated in the Android OS itself, each distributed application package 20A has a first specific key K (s1 ) Need only be incorporated, and the rest of the falsification check routine F need not be incorporated. In this case, the second confirmation stage is executed by the OS program, and application cancellation processing when tampering is detected is also executed by the OS program. In other words, both the first confirmation stage and the second confirmation stage are performed by the OS program.

  Conversely, if the Android specification changes in the future, and the processing function that performs the first confirmation stage is excluded from the current Android OS functions, both the first confirmation stage and the second confirmation stage are performed. It is also possible to perform it on the application program side.

<8-5: Modification of secret information delivery method>
In the application program distribution execution method according to the present invention, first, confidential information is created in the distribution process, and subsequently, in the execution process, the presence / absence of tampering using the confidential information is determined. Therefore, it is necessary to transfer the confidential information created in the distribution process to the execution process in some way. In the embodiment described so far, the confidential information is delivered together with the distribution file by incorporating the generated confidential information into the distribution file created in the distribution file creation stage.

  For example, in the embodiment shown in FIG. 5, the confidential information 23A is distributed in a state of being incorporated in the distribution file 20A. In the embodiment shown in FIG. 9, the confidential information 23A ′ is distributed. In the embodiment shown in FIG. 10, the confidential information 23A ″ is distributed in a state incorporated in the distribution file 20A ″. . As described above, if the confidential information is incorporated into the distribution file, the application execution computer can also acquire the confidential information when the distribution file is obtained.

  However, the method of delivering confidential information is not necessarily limited to the method of incorporating it in the distribution file. Here, a modified example of the secret information delivery method will be described. FIG. 16 is a block diagram showing a modified example of the basic embodiment shown in FIG. 5 in which the secret information delivery method is changed. The upper part of the figure shows the distribution process executed by the program provider A, and the lower part shows the execution process executed by the user U. A feature of this modification is that a secret information 23A created in the distribution process is transferred to the execution process via the server 30.

  That is, in the case of the basic embodiment shown in FIG. 5, the confidential information 23A is incorporated and distributed in the distribution file 20A. However, in the modified example shown in FIG. Instead, the location information 24A indicating the location of the confidential information 23A is incorporated into the distribution file 20AA and distributed. The only difference between the distribution file 20A shown in FIG. 5 and the distribution file 20AA shown in FIG. 16 is that the former confidential information 23A is location information 24A in the latter. In general, in a case where the data capacity of the confidential information 23A increases, if the confidential information 23A is incorporated into the distribution file 20A, the data capacity of the distribution file 20A also increases. In such a case, if the modification shown in FIG. 16 is adopted, the distribution file 20AA can be created by incorporating the location information 24A having a smaller data capacity than the confidential information 23A. Convenient because capacity can be reduced.

  The server 30 may be any server as long as the application execution computer can be accessed via the network. In the example shown here, an arbitrary file server connected to the Internet is used as the server 30. The location information 24A is information for specifying the storage location of the server 30 and the confidential information 23A therein. Specifically, a URL indicating the storage location of the confidential information 23A may be used as the location information 24A. After all, in the modification shown in FIG. 16, the program provider A distributes the distribution file 20AA in which the location information 24A is incorporated. On the other hand, the user U can obtain the location information 24A (in this example, the URL indicating the storage location of the confidential information 23A) by obtaining the distribution file 20AA. It becomes possible to access the Internet by using it and obtain the confidential information 23A.

  Thus, also in this modified example, the point that the confidential information 23A is handed over from the program provider A to the user U is the same as the embodiment described so far, and therefore, falsification using the confidential information 23A is performed. The presence / absence determination process may be performed in the same manner as in the embodiments described so far. In short, in the distribution file creation stage in the distribution process of the present invention, a distribution file including an application package, signature information, and location information indicating the location of confidential information or confidential information may be generated. In the second confirmation stage, the data to be concealed and the confidential information may be obtained based on the input distribution file, and the validity of the confidential information with respect to the data to be concealed may be confirmed.

  When the distribution file 20A including the confidential information 23A is generated at the distribution file creation stage (in the case of the embodiment shown in FIG. 5), the confidential information 23A is directly extracted from the distribution file 20A at the second confirmation stage. By doing so, the confidential information 23A can be obtained. On the other hand, when the process of storing the confidential information 23A in a predetermined storage location (server 30) is performed and the distribution file 20AA including the location information 24A indicating the storage location is created in the distribution file creation stage. (In the case of the modification shown in FIG. 16), in the second confirmation stage, the location information 24A is extracted from the distribution file 20AA, and the storage location (server 30) is recognized based on the location information 24A. By extracting the confidential information 23A from the (server 30), the confidential information can be obtained.

  Note that the process of obtaining the confidential information 23A from the server 30 may be performed each time the application execution computer executes the second confirmation step for the application included in the distribution file 20AA. In practice, the storage location for storing the confidential information of each input distribution file in the application execution computer (for example, the storage location assigned to the application in the nonvolatile memory in the application execution computer) Area), and once the confidential information 23A is obtained, it is preferably stored in the storage location, and from the next time, it is preferable to use the confidential information 23A stored in the storage location. . Then, after the confidential information 23A is stored in the storage location, the application can be activated even in a state where the connection to the Internet is not possible.

  That is, when the application execution computer executes the second confirmation step, if the necessary confidential information 23A is not stored in a predetermined storage location, the location information 24A is extracted from the distribution file 20AA, Based on the location information 24A, the storage location (server 30) is recognized, and the confidential information 23A is extracted from the storage location (server 30), thereby obtaining the confidential information and executing the acquired confidential information 23A as an application. The process of saving in the storage location in the computer for use may be performed. When the application execution computer executes the second confirmation stage, if the necessary confidential information 23A is stored in the storage location in the computer, the confidential information 23A is extracted from the storage location. Thus, the confidential information may be obtained.

  Of course, the modification described here is applicable not only to the basic embodiment shown in FIG. 5 but also to other embodiments. Further, in the distribution process, when the confidential information 23A is stored in an arbitrary server, it is not always necessary to store the confidential information 23A in one server 30, and it may be distributed and stored in a plurality of locations. For example, the confidential information 23A is divided into three files, the first divided file is stored in the first server 31, the second divided file is stored in the second server 32, and the third divided file is stored in the first file. The storage method of storing in the third server 33 may be adopted. In this case, the location information 24A is information indicating these three storage locations. In this case, if the location information 24A also includes information indicating the division method, the execution process performs a synthesis process with reference to the division method on the individual divided files obtained from the three locations. The secret information 23A can be restored.

  When adopting the modification described here, it is necessary to make some changes to the distribution file creation apparatus shown in FIG. In the case of the distribution file creation device described in §7, the distribution file creation unit 180 creates the distribution file 20A including the confidential information 23A and stores the falsification check routine stored in the falsification check routine storage unit 120. F is to obtain the confidential information by extracting the confidential information 23A from the distribution file 20A.

  On the other hand, when the modification described here is adopted, the distribution file creation unit 180 stores the secret information 23A created by the secret information creation unit 170 in a predetermined storage location (for example, the server 30 in FIG. 16). ), A distribution file 20AA including location information 24A indicating the storage location is created, and the falsification check routine F stored in the falsification check routine storage unit 120 is read from the distribution file 20AA. The location information 24A is extracted, the storage location (for example, the server 30 in FIG. 16) is recognized based on the location information 24A, and the confidential information 23A is extracted from the recognized storage location, thereby obtaining the confidential information. You can do it.

  Further, when securing the storage location of the confidential information 23A in the application execution computer, the falsification check routine F stored in the falsification check routine storage unit 120 is the computer executing the falsification check routine. If the confidential information 23A is not stored in the storage location of the confidential information provided within, the location information 24A is extracted from the distribution file 20AA, the storage location is recognized based on the location information 24A, and this storage is stored. When the confidential information 23A is extracted from the location, the confidential information is obtained, and the obtained confidential information 23A is stored in a storage location. When the confidential information 23A is stored in the storage location, The confidential information 23A is extracted from the storage location to obtain the confidential information. It should be so.

<<< §9. Execution control based on execution permission list >>>
The application program execution method according to the present invention is characterized in that, in the application program execution process, an execution control method that permits execution of only an application program registered in advance in the execution permission list is §1. The falsification detection method described in .about.§8 is executed, and the application program in which falsification is not detected is automatically registered in the list. First, a specific method for controlling the execution of an application program based on the execution permission list will be described.

  Here, as in the example described so far, an application example to a smart phone or a tablet electronic device (so-called Android terminal) adopting Android (registered trademark) as an OS will be described. In this case, the data file (data file including the application program with a tamper check function) given to the Android terminal is distributed in the form of a distribution file 20A (APK file) as shown in FIG. 5, for example. become. In the embodiment described here, a dedicated program is prepared for performing control based on the execution permission list in the execution terminal of the application program. This program is one of application programs that operate under the management of the OS, and its role is to monitor and control the operation of other application programs exclusively. Therefore, in the present application, this program is called a “monitoring program” in distinction from other application programs. Further, in the following description, an “application program” simply means an application program excluding a “monitoring program”.

  Many OSs including Android have a multitask processing function for executing a plurality of application programs in parallel. Of course, a general CPU has only a function for executing one application program at the same time, but an OS program having a multitask processing function is executed by the CPU while sequentially switching a plurality of application programs at a predetermined timing. Can be performed. Therefore, by making a plurality of application programs active at the same time and switching them in a time division manner, it is possible to perform control as if the plurality of application programs are being executed simultaneously.

  In the case of the embodiment described here, the monitoring program is always maintained in the activated state as a so-called “resident program” and monitors other application programs. As described above, under OS control having a multitask processing function, a plurality of application programs can be activated at the same time. Therefore, even if the monitoring program is always kept activated, other application programs can be activated. There will be no hindrance. In order to prevent the monitoring program itself from being attacked and tampered with, it is practically preferable to use a monitoring program subjected to some tamper resistance processing.

  FIG. 17 is a flowchart showing the procedure of the monitoring routine executed by the monitoring program incorporated in the application program execution terminal. “Heading program (1)” is described in the title section to indicate that the procedure shown here is the procedure of the monitoring routine included in the monitoring program. As will be described later, this monitoring program includes a procedure of a list automatic registration routine indicated as “monitoring program (2)”.

  First, in step S21, an activated application recognition stage for recognizing an identification code of an application program currently in an activated state is executed. A general OS such as Android has a processing function for recording log information indicating an identification code, start time, and end time for each application program. Therefore, when executing the activation application recognition step S21 by the monitoring program, the identification code of the application program currently in the activated state can be recognized by referring to the log information.

  FIG. 18 is a diagram illustrating an example of log information created by the Android OS. In this example, file names of application programs such as AP3, AP1, and AP6 are used as identification codes that specify individual applications. One line of data in which this identification code, one of activation and termination operations, and date and time are arranged constitutes a unit log, and a plurality of such unit logs are arranged in time series. Log information is configured by the aggregate.

  Specifically, the unit log on the first line indicates that the application AP3 specified by the identification code “AP3” was started at 16:51 on July 21, 2012, and the unit log on the second line Indicates that the application AP1 specified by the identification code “AP1” was started at 16:58 on July 21, 2012, and the unit log on the third line is specified by the identification code “AP1”. The application AP1 has been terminated at 17:14 on July 21, 2012, and the unit log on the fourth line shows that the application AP6 identified by the identification code “AP6” The unit log on the fifth line indicates that the application AP3 identified by the identification code “AP3” was completed at 17:53 on July 21, 2012. It is shown that was. Eventually, when log information as shown in the figure is obtained, it is recognized that only the application AP 6 is in an activated state.

  The Android OS records log information as shown in the OS recording area every time an installed application program is activated or terminated. Of course, since the monitoring program is one of the application programs, a log indicating activation and termination of the monitoring program itself is recorded as log information.

  On the other hand, an execution permission list illustrated in FIG. 19 is prepared in the monitoring program recording area. This execution permission list is a list in which identification codes of application programs that are permitted to be executed are recorded. In other words, the execution permission list is called a “white list”. In the example shown in FIG. 19A, the file names of application programs such as AP1, AP2, and AP3 are used as identification codes for identifying individual applications, and the execution permission list is configured by enumerating these identification codes.

  On the other hand, the example shown in FIG. 19 (b) uses an application program file name with the version number added in parentheses as an identification code. Different identification codes are assigned and distinguished from each other. For example, even if the application program has the same file name AP1, the identification code AP1 (1.0) is assigned to the version 1.0 program, and the identification code AP1 (2) is assigned to the version 2.0 program. .0) are assigned and are handled as different application programs. In the case of handling the versions separately, an identification code to which a version number is added is also used for the log information shown in FIG. 18 as AP1 (1.0).

  If the identification code of the application program that is currently activated (hereinafter simply referred to as the activation application) can be recognized in the activation application recognition step S21 shown in FIG. 17, then the recognized identification code is added to the execution permission list. A registration presence / absence determination step is performed to determine whether or not it is registered. That is, in step S22, an execution permission list as shown in FIG. 19A is referred to, and in step S23, it is determined whether or not the recognized activation application identification code is listed. When a plurality of activated apps are recognized in step S21, the processing in step S22 and subsequent steps is repeatedly executed for each activated app via step S28.

  As described above, when the log information as shown in FIG. 18 is obtained, the application AP6 is recognized as the activation application. Therefore, in step S22, the identification code AP6 is posted by referring to the execution permission list. It is determined whether or not. Here, if an execution permission list as shown in FIG. 19A is prepared, since the identification code AP6 is posted, the activation application AP6 is determined to be a registered application program. As a result, the process proceeds from step S23 to step S28.

  On the other hand, when it is determined that it is unregistered in the registration presence / absence determination step, that is, when it is determined that it is not listed in the list in step S23, the process proceeds to step S24 and a registration inquiry step is performed. For example, when the application program AP7 is recognized as a startup application from the log information, the identification code AP7 is not listed in the execution permission list shown in FIG. As a result, the process proceeds from step S23 to step S24, and the registration inquiry stage is executed.

  In the registration inquiry stage of step S24, a process of inquiring the user whether or not to register the unregistered application AP7 in the execution permission list is performed. For example, a process of presenting a message screen as shown in FIG. 20 on the display screen of the Android terminal may be performed. The user responds to such an inquiry on the message screen by tapping the “Register” button or the “Do not register” button. The answer “register” corresponds to an instruction to register and execute the unregistered application AP7, and the answer “do not register” corresponds to an instruction not to register and execute the unregistered application AP7.

  When the user taps one of the buttons and makes an answer to the inquiry, an answer processing stage is performed based on the answer. That is, if there is an answer to register by tapping the “Register” button, the process proceeds from step S25 to step S26, and processing for newly registering the identification code of the unregistered application AP7 in the execution permission list is performed. Done. In this case, the application AP7 in the activated state is officially permitted to be executed and continues to be executed as it is. On the other hand, if there is a reply indicating that registration is not performed by tapping the “not register” button, the process proceeds from step S25 to step S27, and processing for stopping execution of the unregistered application AP7 is performed.

  The processes in steps S22 to S27 described above are repeatedly executed through step S28 until the processes for all the activated applications are completed. When the processes for all activated applications are completed, the process proceeds from step S28 to step S29, and the process from step S21 is repeated again unless an end instruction for the monitoring program is given. As described above, this monitoring program is originally always maintained in the activated state as a “resident program” and should monitor other application programs. Therefore, normally, the user does not give an end instruction for the monitoring program, and the process of returning from step S29 to step S21 is repeated.

  As described above, under OS control having a multitask processing function, a plurality of application programs that are simultaneously activated are sequentially executed while being switched at a predetermined timing. Therefore, even in the procedure of the monitoring routine by the monitoring program shown in FIG. 17, there is a procedure that is interrupted when the control is interrupted at a certain point, control is transferred to the execution of another application program, and control returns to the monitoring program again. The process of being resumed is repeated.

  However, since the switching period of the application program by the multitask processing is on the order of about msec, it seems that a plurality of application programs including the monitoring program are operating simultaneously from the viewpoint of the user. For example, when the new application program AP7 is activated, the application AP7 is recognized as an activated application when the control is transferred to the monitoring program, and the registration inquiry step in step S24 is performed. Therefore, from the viewpoint of the user, when an operation for starting the application AP7 is performed, a message screen as shown in FIG. 20 is immediately displayed, so that there is no sense of incongruity that the operation has been switched to the processing operation of the monitoring program.

  Note that both the monitoring program and the application AP7 are equivalent in terms of application programs, and both are programs that operate under the control of the OS program. However, by using the function of the OS, one application program can be changed from the other application program to the other application program. Can be forcibly terminated. The execution stop processing in step S27 may be performed by using the OS function to forcibly terminate the application AP7 from the monitoring program. Specifically, if a command for forcibly terminating the application AP7 is delivered from the monitoring program to the OS, the application AP7 can be forcibly terminated and the execution can be stopped by the control function of the OS.

  Eventually, the monitoring program continuously executes the monitoring routine shown in FIG. 17 to perform a process of constantly monitoring whether or not an unregistered application not registered in the execution permission list has been activated. If the registered application is in the activated state, the registration inquiry step of step S24 is executed, and depending on the user's answer, the unregistered application is registered and allowed to execute or executed without being registered. Either stop or take one of the processes. Thus, it is possible to control such that only application programs registered in the execution permission list are permitted to be executed.

  The monitoring routine procedure by the monitoring program has been described above with reference to the flowchart of FIG. Next, let's explain the relationship with the monitoring program, describing the procedure for starting each application program.

  First, the processing procedure when starting the “normal application” will be described with reference to the flowchart of FIG. Here, the “normal application” refers to a conventional general application program (for example, the application program 10 shown in FIG. 1) that does not have a self-tampering check function. The application program is activated under the control of the OS. That is, when an instruction to start a specific application program is given, the OS performs an operation for preparing an environment for executing the specific application program. When the preparation is completed, the routine of the specific application program is executed.

  The flowchart of FIG. 21 shows a processing procedure when an activation instruction is given to the “normal application”. The activation instruction is given by an activation operation by the user, for example. In the case of an Android terminal, when the user performs an operation of tapping an icon of a specific application program on the home screen, an activation instruction for the program is given. As described above, the activation instruction is not necessarily given by the user, and in some cases, it may be given by the OS or another application program.

  In fact, the procedures of steps S7, S8, S11, and S12 shown in FIG. 21 are the same as the procedures of the same symbols shown as the execution process in the flowchart of FIG. The parentheses described in indicate the program that is the execution subject of each procedure.

  First, in step S7, the first confirmation stage shown in FIG. 6 is performed by the OS program. This first confirmation stage is a process of confirming the validity of the signature information 22A for the application package 21A, and details thereof are as described in §3. If a negative result is obtained in the first confirmation stage, that is, if the validity of the signature information is not confirmed, it is determined that “tampered”, and the process proceeds to step S11 via step S8. The execution of the application is stopped. That is, the execution is blocked by the OS before the routine included in the application program is executed. On the other hand, when a positive result is obtained in the first confirmation stage, the process proceeds to step S12 through step S8, and the application program is executed. As described above, in the case of an Android terminal, the processes in steps S7, S8, and S11 are processes based on the standard specification of the OS program.

  Next, a processing procedure when starting “an app having a self-tampering check function” will be described with reference to a flowchart of FIG. The “application having a self-tampering check function” here includes a tampering check routine F as in the application program 10A shown in FIG. 5, and the present invention has a function of performing tampering check processing by itself. Refers to a specific application program.

  The flowchart of FIG. 22 shows a processing procedure when an activation instruction is given to “an app having a self-tampering check function”. Also in this case, the activation instruction may be given by the user, or may be given by the OS or another application program. Of the procedures shown in FIG. 22, the procedures of steps S7 to S12 are the same as the procedures of the same reference numerals shown as the execution process in the flowchart of FIG. On the other hand, the procedures of steps S13 and S14 are procedures of a list automatic registration routine by the monitoring program. Also in FIG. 22, the parentheses written on the right side of each step indicate a program that is an execution subject of each procedure. The fact that “monitoring program (2)” is written next to steps S13 and S14 indicates that these procedures are procedures of a list automatic registration routine included in the monitoring program.

  In short, the procedure shown in the flowchart of FIG. 22 is obtained by adding steps S13 and S14 to the procedure after step S7 in the flowchart of FIG. As described in §3, when an activation instruction is given to “an app having a self-tampering check function”, the OS program first executes the first confirmation step S7 for confirming the validity of the signature information. . If a result of no falsification is obtained, the application is activated, and a second confirmation step S9 for confirming the validity of the confidential information is performed by itself. The procedure of these steps S7 to S10 constitutes a tampering determination stage. If a positive determination is made in step S10, the validity of both the signature information and the confidential information is confirmed. In the end, the determination result that there was no falsification was obtained. On the other hand, if a negative determination is made in either step S8 or S10, a determination result indicating that there is a falsification is obtained in the falsification determination stage, and the process proceeds to step S11. Execution of “application with function” is stopped.

  The procedure of steps S13 and S14 is a procedure of a list automatic registration stage for registering an identification code of an application program that has been determined not to be falsified in the falsification determination stage in the execution permission list. It will be executed by the registration routine. That is, in step S13, it is determined whether or not the identification code of the “app having the self-falsification check function” has already been registered in the execution permission list. The process proceeds to S12, but if it is not registered, the process proceeds to Step S12 after the identification code is registered in the execution permission list in Step S14. In any case, the application is executed in step S12, and the identification code of the application is registered in the execution permission list.

  Note that, in the flowchart of FIG. 22, for convenience of explanation, a state in which each procedure is executed in the order of steps S10 → S13 → S14 → S12 is shown, but in actuality, an application having a self-tampering check function Since the monitoring program and the monitoring program are operating in parallel by the multitask processing function of the OS program, this flowchart does not necessarily indicate a time-series order. For example, if an affirmative determination is made in step S10, the application program gives a registration command to hand over its identification code and register it in the execution permission list to the monitoring program, and the execution stage of step S12 as it is Can be done. On the other hand, the monitoring program that has received the registration command may execute the list automatic registration stage (steps S13 and S14) for the delivered identification code. Alternatively, when the monitoring program detects that the application has been started through step S8, the monitoring program temporarily stops execution of the application, skips steps S9 and S10, and determines whether or not step S13 has been registered. You may make it judge. In this case, if the application has been registered in the execution permission list, the process proceeds to step S12. If the application has not been registered, the process may return to step S9.

  Next, let's look at the relationship between each application program and the monitoring program. First, consider the case where a conventional “normal application” is started for the first time. In this case, as shown in the flowchart of FIG. 21, the signature information is confirmed in the first confirmation stage of step S7. If it is determined that there is no falsification, the “normal application” is activated in step S12. And its execution is started. However, since the monitoring program is executed in parallel, the activation of the “normal application” is recognized in step S21 in the flowchart of FIG. Since the “normal application” is an unregistered application that is not registered in the execution permission list, the registration inquiry stage in step S24 is executed, and a message as illustrated in FIG. A selection is made. Of course, at this time, the “normal application” is also in the activated state, but the illustrated message is presented when the OS is switched to the monitoring program by the multitask processing function of the OS.

  Eventually, when the user taps an icon from the home screen or application screen to start an unregistered "normal application", or an unregistered "normal application" starts based on an instruction from another application program A message as shown in FIG. 20 is presented, and the user is forced to select whether or not to register in the execution permission list. In the case of the “normal application”, since the validity of the signature information is once confirmed, the user can recognize the safety of the “normal application” to some extent. However, as described above, since the signature information itself may be falsified, the security is not so high. Therefore, the user balances the merits that will be obtained by executing the app and the demerits of damage that would be incurred if tampered, and selects either “Register” or “Do not register” Will do.

  If the user determines that the execution of the application may be permitted, the user may tap the “Register” button. Then, in step S26, the identification code of the application is registered in the execution permission list, and thereafter, no message as shown in FIG. 20 is presented for the application. On the other hand, if the user determines that it is better not to permit the execution of the application at least at that time, a “do not register” button may be tapped. If it does so, execution of the said application will be stopped by step S27, and it will be left in the unregistered state. In this case, every time the application is activated, a message as shown in FIG. 20 is presented.

  As described above, the monitoring program constantly monitors the application program in the activated state, and if it is detected that the unregistered application is in the activated state, the user is asked to make a decision in the registration inquiry stage in step S24. For example, the program to be executed can be limited to only programs registered in the execution permission list by the user's intention.

  However, in practice, the above operation has not always been successful. The first reason is that it is difficult for general users to determine whether or not individual application programs have been tampered with. For general users, the information that the clues to evaluate the reliability of application programs are prominent software, software supplied by a reliable vendor, or software downloaded from a reliable site However, these clues are useless when software falsified by crackers is distributed. Therefore, in practice, it is extremely difficult for a general user to determine whether or not each application program has been tampered with.

  The second reason is that it is complicated for a general user to manually register an unregistered application in the execution permission list in response to a message as shown in FIG. However, it is because it becomes customary to tap the “Register” button. Of course, application programs preinstalled at the factory of Android devices (programs with guaranteed safety) can be added to the execution permission list from the beginning, so that users can register manually at the first startup. However, the “normal application” downloaded by the user after purchasing the terminal must be manually registered at the first activation.

  If the “application having a self-tampering check function” according to the present invention is used, the above problem can be solved. That is, when “an app having a self-tampering check function” is activated for the first time, as shown in the flowchart of FIG. When it is determined that there is finally no falsification, the list automatic registration stage (steps S13 and S14) is executed by the monitoring program. Thereby, the identification code of the application is automatically registered in the execution permission list. On the other hand, in the monitoring program executed in parallel, the activation of the “app having a self-tampering check function” is recognized in step S21 in the flowchart of FIG. 17, but it is determined as a registered app in step S23. The registration inquiry step S24 is not executed.

  Eventually, the user taps an icon on the home screen or application screen to start an unregistered “App with self-tampering check function”, or an unregistered “self-tampering check function based on instructions from other application programs” When the “app having“ ”is activated, if the application is not falsified, the execution is continued as it is (if it has been falsified, execution is stopped in step S11 of FIG. 22). That is, since the message as shown in FIG. 20 is not presented to the user, it is not necessary for the user to select “register” / “not register”.

  Of course, the determination result in the tampering determination stage (steps S7 to S10) is not necessarily a result with 100% accuracy, but is a result with much higher accuracy than the determination by a general user. This is a sufficiently reliable result. In addition, automatic registration to the execution permission list is performed based on such a sufficiently reliable result. Thus, the user does not need to determine the presence or absence of tampering or perform a complicated manual registration operation. In this way, if the “app having a self-tampering check function” according to the present invention is executed on a device in which a monitoring program is introduced, the application program that is determined not to be tampered is burdened with a registration work on the user. There is an advantage that automatic registration to the execution permission list can be performed without the need.

<<< §10. Variation of execution control based on execution permission list >>>
Finally, some modified examples for performing execution control based on the execution permission list described in §9 will be described.

<10-1: Differentiation of application program versions>
The execution permission list used in the present invention should be a “white list” on which an identification code for specifying an application program permitted to be executed is posted. FIG. 19A shows an example in which the file name of each application program is used as an identification code, and FIG. 19B shows an example in which a code with a version number added to the file name is used.

  In general, when an upgraded version of an application program is provided, a form in which only a differential data file is distributed is used, or a form in which a new version of a data file is distributed is used. In the latter case, the new version of the program is an entirely separate program from the old version of the program, and is therefore preferably handled as a separate application program on the execution permission list. Therefore, in practice, as shown in the example shown in FIG. 19B, different identification codes are assigned to the respective versions, and the versions are different in the list automatic registration stage, the answer processing stage, and the activation application recognition stage. The application program is preferably processed using different identification codes.

  In order to ensure that different versions of application programs are identified, even if the application programs included in the data file with the same file name have different hash values, they should be recognized as different versions. Good. In general, if the contents of data constituting the application program are not completely the same, the hash values are not the same. Therefore, for example, if a hash value of data constituting an application program (which may be the whole APK file or a part thereof) is used as an identification code of the application program, the identification of application programs of different versions is possible. The code can be reliably distinguished.

<10-2: Storage location of execution permission list>
In the case of the embodiment using the Android terminal described above, the execution permission list is information accessed by a monitoring program that operates as a “resident program” in the Android terminal, and therefore is stored in a storage device in the Android terminal. Is the most common. However, the storage location of the execution permission list is not necessarily limited to the Android terminal. For example, it is executed on an external storage device connected to the Android terminal or a server apparatus accessed via the network from the Android terminal. You can store the allow list.

  In this case, when performing registration to the execution permission list at the list automatic registration stage and the answer processing stage, a computer such as an Android terminal performs registration with respect to the execution permission list stored in an external storage device or server device, In the registration presence / absence determination stage, the execution permission list stored in the external storage device or server device is referred to.

<10-3: Encryption of execution permission list>
In the application program execution method described in §9, the execution permission list plays an important role. If this execution permission list is altered by some unauthorized operation, the original execution control function by the monitoring program is lost. It will be broken. Therefore, in order to perform control with higher reliability, it is only necessary to take an encryption measure for the execution permission list.

  Specifically, when performing registration in the execution permission list in the list automatic registration stage or the answer processing stage, a process for encrypting the execution permission list may be performed. For example, an identification code to be registered in the execution permission list or a check code to be described later may be individually encrypted and registered, or a new identification code or check code may be registered with the execution permission list decrypted. The execution permission list after registration may be encrypted again. In the registration presence / absence determination stage, the encrypted execution permission list is decrypted and the contents are referred to. For encryption and decryption, a dedicated key included in the monitoring program may be used.

<10-4: Add check code>
Another method for increasing the reliability of the execution permission list is to register some check code in addition to the identification code. That is, when registering in the execution permission list in the list automatic registration stage or the answer processing stage, some data included in the data file input in the input stage is registered as a check code together with the identification code, At the registration presence / absence determination stage, the check code included in the data file is checked for a match with the check code registered in the execution permission list, and is registered in the execution permission list on the condition that the matching is confirmed. What is necessary is just to make a determination to the effect.

  For example, in the case of the APK file 20A shown in FIG. 5, when “A second key K (a2)” (program provider's public key) is used as a check code and the application program is registered in the execution permission list. In addition to the identification code, “A second key K (a2)” is registered as a check code. In the registration presence / absence determination step (steps S22 and S23 in FIG. 17), if it is confirmed that both the identification code and the check code are registered in the execution permission list, “registered” is determined. This determination may be made.

  If the identification code is posted but the check code does not match, some illegal act against the execution permission list (for example, an identification code posted on the execution permission list in an unauthorized manner) It may be determined that there is a possibility that an action (such as rewriting the ID code of another application) has been performed.

  Of course, the check code is not limited to the public key of the program provider, and various other information can be used as the check code. For example, in the case of the APK file 20A shown in FIG. 5, in addition to “A second key K (a2)” (public key of the program provider), the entire A signature information 22A and the entire APK file 20A are used as check codes. You can use it.

  However, if the entire A signature information 22A or the entire APK file 20A is used as it is as a check code, the data capacity of the check code becomes enormous, and the data capacity of the execution permission list for registering the check code also becomes enormous. turn into. Therefore, practically, a predetermined function such as a hash function is applied to predetermined information (for example, the entire signature information 22A of A and the entire APK file 20A shown in FIG. 5) included in the data file input at the input stage. A digest process for applying a directional function may be performed, and the data obtained as a result may be registered as a check code.

  In this case, in the registration presence / absence determination step, a check code obtained by performing a digesting process that causes the one-way function to act on the predetermined information included in the data file, and an execution permission list A match with the registered check code is confirmed, and on the condition that the match is confirmed, it is determined that the check code is registered in the execution permission list. In addition, what is necessary is just to use the exclusive key contained in the monitoring program for digesting.

<10-5: Replacement of monitoring program>
In the embodiment described so far, the monitoring program includes a monitoring routine (procedure shown as the monitoring program (1)) shown in the flowchart of FIG. 17 and a list automatic registration stage routine (monitoring program (2) shown in the flowchart of FIG. However, the monitoring program (1) and the monitoring program (2) may, of course, be configured by separate programs.

  Further, the procedure of the monitoring program (2) can be incorporated in “an app having a self-tampering check function”. In this case, the procedure of steps S13 and S14 shown in FIG. 22 is executed by “an app having a self-tampering check function”, and the application program itself has a function of checking its own tampering. Is registered in the execution permission list.

  Alternatively, the procedures of the monitoring program (1) and the monitoring program (2) can be incorporated into the OS program. In this case, all the processes described as the role of the monitoring program in the embodiments described so far are executed by the OS program.

  However, since the currently provided Android OS does not have the functions of the monitoring programs (1) and (2), when implementing the present invention using the current Android terminal, Thus, it is preferable to prepare an application program that functions as a monitoring program. In short, if the OS program of the terminal device has a multitask processing function that allows a plurality of application programs to be executed while switching at a predetermined timing, the list automatic registration stage is performed by a monitoring program prepared as one of the application programs. The activation application recognition stage, the registration presence / absence determination stage, the registration inquiry stage, and the answer processing stage can be executed.

10: Application program 10A: Application program 10X, 10X ': Tampered application program 11: Program body 11A: Program body 12: Resource data 12X: Tampered resource data 13: Subroutine group 13A: Subroutine group 14: Auxiliary File 14X: Tampered auxiliary file 20: Distribution file 20A, 20A ', 20A'', 20AA: Distribution file 20X, 20X': Tampered distribution file 21: Application package 21A: Application package 21X, 21X ' : Falsified application package 22: A signature information 22A: A signature information 22X, 22X ′: X signature information 23A, 23A ′, 23A ″: confidential information 23X: falsified confidentiality Information 24A: Location information 30: Server 110: Application program storage unit 120: Tamper check routine storage unit 130: Key storage unit 140: Tamper check routine addition unit 150: Packaging processing unit 160: Signature information creation unit 170: Secret information creation Unit 180: Distribution file creation unit A: Program providers AP1 to AP7: Application program file names C, C ': Concealment target data D, D': Signature target data F: Tamper check routine G: Program guarantor H , H1, H2: Hash value K (a1): A first key K (a2): A second key K (g1): G first key K (g2): G second Key K (s0): Common specific key K (s1): First specific key K (s2): Second specific key K ( 1): X first key K (x2): X second key S (A): Signature value S (X), S (X ′): Signature value S1 to S29: Steps U in the flowchart, U1-U3: User X: Cracker

Eventually, even if the cracker X performs falsification on the application package 21A and the signature information 22A, if falsification is not performed on the confidential information 23A, the falsification is detected in the second confirmation stage. Execution of the application program is stopped and the process after falsification detection is not executed normally. As described above, according to the distribution execution method of the application program according to the present invention, it is possible to perform effective tampering detection even when tampering with the electronic signature is performed. It becomes possible to cancel execution of.

<<< §5. Variation of data to be concealed >>>
In the distribution execution method according to the basic embodiment of the present invention described in § 3, the entire signature information 22A of A (that is, the signature values S (A) and A Using the second key K (a2)) as the concealment target data C, concealment processing using the second specific key K (s2) is performed to create the concealment information 23A. The secret information 23A created in this way is information that leaves a trace of the signature information 22A of A, and the signature information of A is obtained by a predetermined confirmation method using the first specific key K (s1). It has a unique property that it is possible to confirm the validity of 22A.

If the confidential information 23A having such properties is included in the distribution file 20A, a process (second confirmation stage) for confirming the validity of the confidential information 23A with respect to the signature information 22A of A is performed. It is possible to confirm whether or not the signature information 22A is falsified.

Claims (13)

A computer is a method for executing an application program,
An input stage in which a computer inputs a data file containing an application program to be executed;
A tampering determination stage in which the computer determines whether the input application program has been tampered with;
A list automatic registration stage in which the computer registers the identification code of the application program in which it is determined in the falsification determination stage that it has not been falsified in the execution permission list;
A startup application recognition stage in which the computer recognizes the identification code of the application program in the startup state;
A registration presence / absence determination step in which the computer determines whether or not the identification code recognized in the activation application recognition step is registered in the execution permission list;
If the computer is determined to be unregistered in the registration presence / absence determination step, a registration inquiry step for inquiring the user whether or not to register the unregistered app;
When the computer responds to the inquiry as to the user's response, the computer registers the unregistered application identification code in the execution permission list, permits execution of the application, and does not register If there is an answer to that effect, an answer processing stage for stopping execution of the unregistered application,
Have
In the input step, a data file including an application program with a falsification check function, signature information, and confidential information or location information indicating the location is input,
The signature information is information obtained by electronic signature processing using the application program as signature target data,
The concealment information is obtained by extracting a predetermined portion of the data constituting the falsification check function application program and the signature information as concealment target data and performing concealment processing on the extracted concealment target data. Information,
The falsification determining step includes a first confirmation step of confirming whether or not falsification is performed based on the signature information, and a second confirmation step of confirming whether or not falsification is performed based on the confidential information.
The application program with a falsification check function includes a falsification check routine for confirming the validity of the confidential information with respect to the data to be concealed in consideration of a processing process performed in the concealment process. A method for executing an application program, wherein the second confirmation step is performed by executing a check routine. In the execution method of the application program of Claim 1,
Using a pair of keys that have the property that data encrypted using one key can be decrypted using the other key,
The secret information is information obtained by encrypting the data to be concealed using the one key,
The tampering check routine decrypts the confidential information included in the data file input in the input stage or the confidential information obtained based on the location information included in the data file input in the input stage using the other key. An application program characterized by confirming that there is no falsification when the data to be concealed obtained by this decryption and the data to be concealed extracted from the data file input at the input stage match. How to run In the execution method of the application program of Claim 1,
The confidential information is information created by performing a digest process that applies a one-way function using a predetermined specific key as a parameter to the data to be concealed,
The data file input at the input stage includes information obtained by performing the digest processing using the specific key on the data to be concealed extracted from the data file input at the input stage by the falsification check routine Execution of an application program that confirms that there is no falsification if it matches the confidential information obtained based on the location information contained in the data information entered at the input stage Method. In the execution method of the application program in any one of Claims 1-3,
A computer that executes an application program under the management of an OS program executes a first confirmation step based on the OS program, and executes a second confirmation step based on a falsification check routine in the application program. An application program execution method. In the execution method of the application program of Claim 4,
The OS program has a multitask processing function for executing a plurality of application programs while switching at a predetermined timing.
Execution of an application program characterized in that a computer executes a list automatic registration stage, a startup application recognition stage, a registration presence / absence judgment stage, a registration inquiry stage, and an answer processing stage by a monitoring program prepared as one of the application programs Method. In the execution method of the application program of Claim 5,
The computer executes a process of recording log information indicating an identification code, start time, and end time for each application program by the OS program,
A method for executing an application program, wherein the computer recognizes an identification code of an application program in an activated state by referring to the log information when the activated application recognition step is executed by the monitoring program. In the execution method of the application program in any one of Claims 1-6,
A method for executing an application program, wherein different versions of application programs are processed using different identification codes in the list automatic registration stage, answer processing stage, and activated application recognition stage. In the execution method of the application program of Claim 7,
An application program execution method characterized in that even if application programs included in a data file having the same file name have different hash values, they are recognized as different versions. In the execution method of the application program in any one of Claims 1-8,
When registering to the execution permission list in the list automatic registration stage or answer processing stage, the computer performs registration to the execution permission list stored in the external storage device or server device,
A method for executing an application program, characterized in that, in a registration presence / absence determination step, a computer makes a determination by referring to an execution permission list stored in the external storage device or server device. In the execution method of the application program in any one of Claims 1-9,
When registering to the execution permission list at the list automatic registration stage or answer processing stage, the computer performs the process of encrypting the execution permission list,
A method for executing an application program, characterized in that, in a registration presence / absence determination step, a computer decrypts an encrypted execution permission list and refers to the contents. In the execution method of the application program in any one of Claims 1-10,
When registering to the execution permission list in the list automatic registration stage or answer processing stage, the computer registers a predetermined check code included in the data file input in the input stage together with the identification code,
At the registration presence / absence determination stage, the computer checks whether the check code included in the data file matches the check code registered in the execution permission list, and the execution permission list is obtained on condition that the match is confirmed. A method for executing an application program, characterized in that it is determined that the application program has been registered. In the execution method of the application program in any one of Claims 1-10,
When registering to the execution permission list in the list automatic registration stage or answer processing stage, the computer uses a one-way function for the predetermined information contained in the data file input in the input stage together with the identification code. Register the check code obtained by performing the digest process that works
In the registration presence / absence determination stage, the computer registers the check code obtained by performing the digest processing that causes the one-way function to act on the predetermined information included in the data file and the execution permission list. A method for executing an application program, comprising: confirming a match with a check code that is registered, and determining that the check code is registered in the execution permission list on condition that the match is confirmed.   The monitoring program used for the execution method of the application program of Claim 5 or 6.

Images