KR102102220B1 - Permission management process and permission management apparatus - Google Patents

Abstract

The present invention relates to a method, apparatus, and system for managing authorization of an IoT device in an IoT platform connecting Internet of Things (IoT) devices, specifically, to manage authorization currently used by an IoT device in an Android-based IoT platform. Collects information on the IoT device, analyzes the authority used by the IoT device from the collected information, generates authority data including the analyzed authority, and generates the authority data through a server to a user device It relates to technology that can respond to the use of indiscriminate authority by providing technology to provide to

Description

Permission management method and device {PERMISSION MANAGEMENT PROCESS AND PERMISSION MANAGEMENT APPARATUS}

The present invention relates to a method, an apparatus and a system for managing the authority of an IoT device in an IoT platform connecting Internet of Things devices, specifically, managing an authority currently used by an IoT device in an Android-based IoT platform. By doing so, it relates to a technology capable of coping with the use of indiscriminate authority.

Android Things is an Android-based IoT platform developed based on the existing Android platform, and was first released as a developer preview on December 13, 2016. Unlike the IoT platform previously announced by Google, Android Things made it possible to use various technologies such as existing Android services and APIs to increase user accessibility, and it can be easily used by users such as Doorbell and Bluetooth. We provided a sample code to help make development easier.

Since Android Things has the same form as the existing Android platform, Android Things is also likely to have the same security threats that can occur on existing Android devices.

For example, an Android smartphone requests a user's permission to use the application when the application is installed. In the case of an Android smartphone, if the installed application requires excessive authority, the application may perform malicious actions through functions different from the original purpose. If the permission is used excessively, the permission may be used unlike the purpose of the Android platform to protect the device resources through the permission. For example, an application that performs a Bluetooth function may perform other functions such as GPS and text transmission on an Android smartphone.

If the Android Things device uses the same permissions as the existing Android platform and requests excessive permissions from the device, security threats may occur as in the Android smartphone. In general, there are cases where IoT devices do not have a display that shows the status of the device, so the Android Thinking device may not be able to request a dialog box such as a request for permission from the user. Since the user cannot request the permission, the permission declared by the developer can be automatically approved. After being automatically approved, the IoT device reboots and the declared authority can be applied after rebooting.

That is, unlike the Android smartphone, the Android Things device can automatically grant the permission from the system without asking the user for the permission required by the application. In this case, security threats caused by permissions in Android smartphones can also occur in Android Thing, and may be a bigger threat because permissions are automatically granted.

Since Android Things is used as the same platform as Android platform-based devices such as existing Android smartphones, security threats that may occur in existing Android may be the same.

Android applications are easy to distribute due to the re-packaging technique. Repackaging is a technique of repackaging by modifying some source code of an existing application. In general, an attacker inserts malicious code into a famous application and repackages and distributes it. Due to the repackaging technique, many malicious applications are distributed in the Android environment, and malicious applications installed on the user device leak user's personal information or disable the user device.

Since Android Things is also based on the Android platform, security threats due to repackaging may occur in the same way as Android smartphones. When a repackaged malicious application is installed on an Android Thing device, the device has a problem that a permission not related to the original function is declared and through this, a user's personal information may be leaked or a device may malfunction.

The present invention has been derived to solve the above problems, and proposes an invention capable of managing the authority used by an IoT device to perform a specific function in an IoT environment based on the Android Things platform.

In one embodiment of the present invention for solving the above-mentioned problems, a method for managing the authority of an IoT device, comprising: collecting information about the IoT device; Analyzing an authority used by the IoT device from the collected information; Generating authority data including the analyzed authority; And providing the generated authorization data to a user device through a server.

In the rights management method according to an embodiment of the present invention, analyzing the rights includes: searching a manifest file for the IoT device; And collecting a list of rights declared in the manifest file.

In the rights management method according to an embodiment of the present invention, the generating of the rights data may include identifying the rights and functions performed by rights.

In the rights management method according to an embodiment of the present invention, the method may further include classifying rights used for each IoT device by generating the rights data for a plurality of IoT devices.

In the permission management method according to an embodiment of the present invention, the step of collecting information about the IoT device may be performed when the IoT device is first installed or updated in the IoT platform, and the permission data is obtained from the IoT device. It may further include at least one of a name and an updated date.

In another aspect of the present invention, an apparatus for managing authority of an IoT device, including a memory and a processor, wherein the processor collects information about the IoT device; Analyze the authority used by the IoT device from the collected information; Generating authority data including the analyzed authority; A rights management device is provided, configured to provide the generated rights data to a user device through a server.

In the rights management apparatus according to another aspect of the present invention, the processor searches for a manifest file for the IoT device to analyze the authority used by the IoT device from the collected information, and the manifest file It can be configured to collect a list of rights declared within.

In a rights management device according to another aspect of the present invention, the processor may be configured to identify the functions performed by the rights and rights in order to generate the rights data.

In a rights management apparatus according to another aspect of the present invention, the processor may also be configured to classify the rights used for each IoT device by generating the rights data for a plurality of IoT devices.

In the rights management apparatus according to another aspect of the present invention, the processor to collect information about the IoT device can be performed when the IoT device is first installed or updated in the IoT platform, and the rights data is the The IoT device may further include at least one of a name and an updated date.

By using the present invention, it is possible to prevent and prevent security problems that may occur in the future by managing and monitoring the authority used by the IoT device based on the Android Things platform and checking the usage authority of the current IoT device in real time by the user.

The accompanying drawings, which are incorporated herein and constitute a part of this specification, illustrate exemplary embodiments of the invention and, together with the general description given above and the detailed description given below, serve to describe features of the invention.
1 is a schematic diagram of a system for managing authority of an IoT device.
FIG. 2 is a block diagram illustrating a method performed by the authority management system of FIG. 1 for authority management.
3 is a result of authority analysis of the IoT device.
4 is a view showing a window for a user to access the authorization data of each IoT device.
5 is a result of stored data representing a permission list of each IoT device.

Various embodiments will be described in detail with reference to the accompanying drawings. Wherever possible, the same reference numbers will be used throughout the drawings to refer to the same or similar parts. References made to specific examples and implementations are for illustrative purposes and are not intended to limit the scope of the invention or claims.

Android Things is an Android-based IoT-only operating system announced by Google. Unlike the IoT platform previously announced by Google, Android Things can use various technologies such as existing Android services and APIs to increase user accessibility and make sample development easier by providing sample codes that users can easily use. Support. Android Things is a developer kit that supports NXP Pico, Intel Edision, and Raspberry Pi 3. Android Things has the same form as the existing Android platform. In the case of AndroidManifest.xml file in the Android Things-based application, it can be configured in the same form as AndroidManifest.xml file used in existing Android smartphones. For example, Android smartphones and Android Things may have information such as permission to use in the form shown in Table 1 below, start activity, etc. in the AndroidManifest.xml file.

<manifest package
<uses-permission android: name = "per_name"/>
<uses-permission android: name = "per_name"/>
<application android: label = "@ string / app_name
<action android: name = "Activity"/>
<category android: name = "Main"/>
<category android: name = "LAUNCHER"/>
<activity android: name = ". StartActivity">
</ application>
</ manifest>

As described above, since Android Things is based on the Android platform, security threats due to repackaging may occur in the same way as Android smartphones. Particularly, in the present invention, in the Android Things IoT environment based on the Android platform, if the user automatically accepts the permission without obtaining consent for the permission use due to the specificity of the IoT device, malicious data such as data leakage as a function not related to the original function In order to prevent a problem that an action may be performed, it may be characterized in that it is possible to manage the authority used by the currently connected Android Things-based IoT device. Therefore, the system proposed in the present invention can analyze the authority used by all devices currently connected to the server when the Android Thins platform-based application is installed or the application used in the corresponding device is modified. In addition, the analyzed authority can be managed for each device to manage what authority is in use for each Android Thinking device, so that it can be checked with the user's mobile. Analysis of the Android Things device and information management of the device can be performed through a Linux server, and information on the device can be provided to users in real time through an Apache web server.

Hereinafter, embodiments of the present invention will be described in more detail with reference to the drawings.

1 is a schematic diagram related to a rights management system 1 for managing rights of an IoT device related to an embodiment of the present invention. The IoT devices 2a to 2n, in particular the Android Things devices 2a to 2n, are connected to the authority management system 1. Analysis and management of the Android thinking devices 2a to 2n can be performed by the rights management system 1, and the rights management system 1 is connected to the mobile device 3 to provide the managed data to the user. have.

Specifically, the permission used by the IoT device can be confirmed through a manifest file inside the IoT device application, such as the AndroidManifest.xml file, as in the Android application. The IoT device does not change the functions required for users due to its hardware characteristics, so even if the application is updated, the required authority does not change significantly. However, the authority management system 1 may also manage authority information for the previous version in addition to the current version, since an authority that is not related to the authority provided by the IoT device may be required to perform the malicious behavior. In this context, the rights management system 1 can collect information about the IoT device when the IoT device is first installed or when there is a change to the application from the IoT device update server.

The permission management system 1 may search the AndroidManifest.xml file based on the information on the input application, and when the AndroidManifest.xml file is searched, may collect information including a permission list used by the device from the file. . That is, the permission management system 1 may perform analysis on the file after searching the AndroidManifest.xml file to collect information on the permission used by the IoT device. When the permission list collection is completed, the permission management system 1 may store permission information together with device information. Thereafter, the authority management system 1 may update the corresponding information so that the user can check with the mobile device 3.

The process performed in the rights management system 1 refers to a block diagram of a method 200 representing steps performed for rights management shown in FIG. 2. The rights management system 1 includes a processor configured to perform the process shown in FIG. 2 and may include a memory capable of storing data processed by the processor.

First, the permission management system may collect application information to analyze a corresponding application when a new IoT device is installed in the Android-based IoT environment or when a patch for IoT is performed. The authority management system may receive an application file (S210).

For example, the input of the IoT device may be performed in the form of an Android application program (APK) file in the permission management system. In the future, analysis on the IoT device may be performed through information on the IoT device input here.

The rights management system may search for a rights management information file including rights management information (S220).

In general, in the case of IoT created based on the Android Thinking Platform, the AndroidManifest.xml file may be located in the app folder under the root folder, but the permission management system searches for all paths in the application because it may not always exist in the same path. You can search for AndroidManifest.xml file by doing. As shown in Table 2 below, the system can write a program with a pseudo code that searches the AndroidManifest.xml file existing inside the IoT application and then collects a list of permissions.

No. authority Rights information One BLUETOOTH Bluetooth
communication access 2 CAMERA Camera devices access 3 INTERNET Application network access 4 READ_EXTERNAL_STORAGE External stroage access 5 RECORD_AUDIO Audioreceiveand
record access 8 … …

When the search for the file is finished, all the AndroidManifest.xml files existing in the IoT device are searched, and the path to the searched AndroidManifest.xml file can be collected in the form of absolute path to perform analysis. 3 is a result of data collected after the path search is finished. The permission management system may analyze the searched permission management information file (S230).

In one embodiment, the permission management system may analyze the retrieved AndroidManifest.xml file in order to perform analysis on the permission used by the IoT device. Android Things may be declared as <uses-permissionandroid: name = "permission name" /> in the same way as existing Android applications. Therefore, the permission management system can collect the corresponding information when there is a declaration in the form of permission declaration among the items existing in the AndroidManifest.xml file. On the other hand, the AndroidThings platform-based application provides sample applications such as Doorbell and Bluetooth for developers to facilitate development. In the sample code, there are two AndroidManifest.xml files in the form of CompanionApp. In some cases, the system analyzes the AndroidManifest.xml file in all paths when analyzing permissions.

The rights management system may store the analyzed rights information (S240).

In one embodiment, when the analysis of the authority used by the IoT device is completed, the authority management system may perform storage of authority information (authority data) for providing information to the user. However, in general, when the permissions used in the Android platform are collected through the analysis of the AndroidManifest.xml file, if the collected data is provided to the user, the user is unlikely to know what action the collected permission list is to perform. have. Therefore, when the authority collection is completed, the authority management system may perform data processing before providing information to the user. In this case, the system may store the authority and the meaning of each authority in a table form, and then match the authority list collected from the IoT device to identify what function is performed for each authority. In order to analyze the functions performed by each authority, the system can write a program through a water code as shown in Table 3 below.

Algorithm Search_Permission
get Permission list
while (Size (Permission list)):
if Permission == table (Permission)
Find permission information
end if
end while
return result_permission

The rights management system can update the stored rights information to the web server (S250). Specifically, when processing of the collected data is completed, the rights management system uses which rights are used to provide services to users for each device. You can organize and save. For example, the authority management system may update the web server in order to provide information of the stored IoT device based on the IoT device to the user through the mobile device. Information about the IoT device may be provided through a web server of a Linux server, and information about the IoT device may be provided so that a user can check each device. The user can access a web server that manages and monitors the IoT device to check information about the IoT device connected to the IoT environment currently connected to the IoT. For example, as shown in FIG. 4, authority information may be accessed through a previously registered ID and password. The saved data is stored in the result folder, which is the top-level folder, and a file including permission information as each IoT device name can be created under the result folder. When accessing the web server, only the registered user can access the server, so when the user accesses the server in real time, it is possible to check information on each device, such as authority and modification date, which exist in the IoT environment.

As an example, the form stored as the IoT device name under the result folder is as shown in FIG. 5, and the function to be performed on the authority name and authority being used by the device is specified in each file. Users can access the result folder on the server to access the data stored on the server, and when they access the result folder, they can see a list of all Android Thing devices currently connected to the server. When checking the list of permissions being used by the device in the Android Things device list, it indicates the contents of the form "android.permission.permission_name" and the meaning of the permission, and if the Android Things device currently connected to the server does not have the permission being used, this You may see a phrase saying you are not authorized.

In this way, the user can check the IoT device list provided by the server and the permission list used by each device, and grasp the action that can be performed through the corresponding permission. When the user can grasp the action that can be performed through the authority, as shown in Table 4 below, the authority that the IoT device is using is unnecessary. Based on this, it is possible to prevent IoT devices from performing malicious actions such as personal information leakage and device control.

device authority Normal authority Reckless powers D1 P1 √ P3 √ P7 √ D2 P2 √ P3 √ P4 √ D3 P2 √ P6 √ D4 P2 √ P5 √ P6 √ P7 √ D5 … … …

The descriptions of the method and process flow diagrams are provided only as illustrative examples and are not intended to imply or imply that the steps of the various embodiments should be performed in the order presented. As those skilled in the art are aware of, the order of the steps in the above-described embodiments may be performed in any order. Words such as "at this time", "therefore", "next", etc. are not intended to limit the order of the steps, and these words are used to guide the reader through the description of the methods.

The various exemplary logic blocks, modules, circuits, and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various exemplary components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality.

Hardware used to implement various example logics, logic blocks, modules, and circuits described in connection with aspects disclosed herein include general purpose processors, digital signal processors (DSPs), application specific integrated circuits (ASICs), Field programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein may be implemented or performed. Further, in one or more example aspects, the described functions may be implemented in hardware, software, firmware, or any combination thereof.

The above description of the disclosed embodiments is provided to enable any person skilled in the art to make and use the present invention. Various changes to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be applied to other embodiments without departing from the spirit or scope of the present invention. Accordingly, the present invention is not intended to be limited to the embodiments presented herein, but rather to be endowed with the broadest scope and principles and novel features disclosed herein that meet the following claims.

1: Rights management system
2a ~ 2n: IoT device
3: Mobile device

Claims (10)

As a method for managing the authority of IoT devices,
Collecting information about the IoT device;
Analyzing an authority used by the IoT device from the collected information;
Generating authority data including the analyzed authority; And
Providing the generated authorization data to a user device through a server;
Including,
The step of generating the authority data,
And identifying a function performed by each authority and authority.
According to claim 1,
The step of analyzing the authority,
Retrieving a manifest file for the IoT device; And
And collecting a list of rights declared in the manifest file.
delete As a method for managing the authority of IoT devices,
Collecting information about the IoT device;
Analyzing an authority used by the IoT device from the collected information;
Generating authority data including the analyzed authority;
Providing the generated authorization data to a user device through a server; And
Classifying the rights used for each IoT device by generating the rights data for a plurality of IoT devices;
Including, rights management method.
As a method for managing the authority of IoT devices,
Collecting information about the IoT device;
Analyzing an authority used by the IoT device from the collected information;
Generating authority data including the analyzed authority; And
Providing the generated authorization data to a user device through a server;
Including,
Collecting information about the IoT device is performed when the IoT device is first installed or updated on the IoT platform,
The authorization data further includes at least one of the name and the updated date of the IoT device.
As a device for managing the authority of IoT devices,
Including memory and processors,
The processor,
Collecting information about the IoT device;
Analyze the authority used by the IoT device from the collected information;
Generating authority data including the analyzed authority;
It is configured to provide the generated authorization data to a user device through a server,
In order for the processor to generate the authorization data,
The authority management device is configured to identify the function performed by the authority and authority.
The method of claim 6,
In order for the processor to analyze the authority used by the IoT device from the collected information,
Search for a manifest file for the IoT device,
A rights management device, configured to collect a list of rights declared in the manifest file.
delete As a device for managing the authority of IoT devices,
Including memory and processors,
The processor,
Collecting information about the IoT device;
Analyze the authority used by the IoT device from the collected information;
Generating authority data including the analyzed authority;
It is configured to provide the generated authorization data to a user device through a server,
The processor also,
A rights management device configured to classify the rights used for each IoT device by generating the rights data for a plurality of IoT devices.

As a device for managing the authority of IoT devices,
Including memory and processors,
The processor,
Collecting information about the IoT device;
Analyze the authority used by the IoT device from the collected information;
Generating authority data including the analyzed authority;
It is configured to provide the generated authorization data to a user device through a server,
Collecting information about the IoT device by the processor is performed when the IoT device is first installed or updated in the IoT platform,
The authorization data further includes at least one of the name and the updated date of the IoT device.

Images