KR102333425B1 - Method and apparatus to sandbox run-time android applications with lightweight container - Google Patents

Abstract

A method and apparatus for creating an application container are provided. The method includes: selecting a target application from among a plurality of applications included in the electronic device; obtaining a policy file corresponding to the target application; determining whether the policy file includes a category of the target application; and executing the application container containing the target application.

Description

METHOD AND APPARATUS TO SANDBOX RUN-TIME ANDROID APPLICATIONS WITH LIGHTWEIGHT CONTAINER

The present disclosure relates to an apparatus and method for sandboxing Android applications at run-time into a lightweight container. Specifically, the present disclosure relates to an apparatus and method for classifying at least one Android application into a group of sandboxes at runtime.

Mobile terminals have been developed that provide wireless communication between users. With the advancement of technology, wireless terminals are now providing many additional features beyond simple phone calls. For example, mobile terminals now have alarms, short messaging service (SMS), multimedia message service (MMS), remote control of E-mail, games, short-range communication, image capture using an onboard digital camera. It provides additional functions such as a ring function, a multimedia function for providing audio and video content, a scheduling function, and other similar functions.

In addition, mobile terminals may provide the functions described above or may run applications that may provide at least one of other functions or operations on the mobile terminals. For example, such applications may include a music playback application, a video playback application, a photo gallery application, a gaming application, a social networking application, an internet browsing application, a file management application, a cloud service application, and any other similar or suitable applications, functions, or It may include at least one of the operations. However, the user of at least one of the mobile terminal's operating system (OS), such as the Android OS or any other similar or suitable OS, classifies the applications into groups included in a sandbox, either at runtime or in other words. At runtime, it is possible to ensure that the applications in the sandbox and the respective application data and code execution for those applications are separated from the rest of the mobile terminal. Accordingly, applications in the sandbox can be shared only with other applications included in the sandbox. However, sandboxes may not provide adequate separation between applications included in the sandbox and applications excluded from the sandbox.

The above-described information is merely presented as background information to help the understanding of the present disclosure. No judgment has been made, and no claim has been made as to whether any of the foregoing can be applied as prior art to the present disclosure.

Aspects of the present disclosure are intended to solve at least the problems and/or disadvantages described above, and to provide at least the advantages described below. Accordingly, one aspect of the present disclosure is to provide an apparatus and method for creating an application container.

According to an aspect of the present disclosure, a method of creating an application container is provided. The method includes selecting a target application from among a plurality of applications included in the electronic device; obtaining a policy file corresponding to the target application; determining whether the policy file includes a category of the target application; and running an application container containing the target application.

According to another aspect of the present disclosure, an electronic device for generating an application container is provided. The device includes: a display configured to display at least one application included in the electronic device; and selecting a target application from among at least one application included in the electronic device, acquiring a policy file corresponding to the target application, determining whether the policy file includes a category of the target application, and an application container including the target application A processor configured to execute

Other aspects, advantages, and outstanding features of the present disclosure will become apparent to those skilled in the art from the following detailed description taken in conjunction with the accompanying drawings and disclosing various embodiments of the present disclosure.

The foregoing and other aspects, features, and advantages of the present disclosure will become more apparent from the following description taken in conjunction with the accompanying drawings. Among the accompanying drawings,
1 is a diagram illustrating a network environment including an electronic device according to various embodiments of the present disclosure;
2 is a diagram illustrating a structure for execution of a PerAppContainer according to various embodiments of the present disclosure;
3 is a diagram illustrating a method of executing PerAppContainer according to various embodiments of the present disclosure; and
4 is a block diagram illustrating hardware according to various embodiments of the present disclosure;

Various aspects of the present disclosure will be described in detail with reference to the accompanying drawings. Such description is by way of example only and is not intended to limit the scope of the present disclosure.

The detailed description with reference to the accompanying drawings is provided to provide a comprehensive understanding of various embodiments of the present disclosure as defined by the claims and their equivalents. The detailed description includes several specific specifications that aid such understanding, but the specifications are to be regarded as illustrative only. Accordingly, those skilled in the art will recognize that various changes and modifications can be made to the embodiments described herein without departing from the scope and spirit of the present disclosure. In addition, for simplicity and clarity, descriptions of well-known functions and configurations will be omitted.

The terms and words used in the following description and claims are not limited to the bibliographical meaning, but are merely used by the present inventors to enable a clear and consistent understanding of the present disclosure. Accordingly, it will be apparent to those skilled in the art that the following description of various embodiments of the present disclosure is provided for purposes of illustration only, and not to limit the present disclosure, which is defined by the appended claims and their equivalents. will be.

It should be understood that the singular forms "a", "an", and "the" include plural referents unless the context clearly dictates otherwise. Thus, for example, reference to "a component surface" includes reference to one or more of such surfaces.

The term “substantially” does not mean that the described feature, parameter, or value needs to be precisely achieved, but rather a deviation including, for example, tolerances, measurement errors, limits of measurement accuracy, and other factors known to those skilled in the art. This means that changes or variations can occur in an amount that does not exclude the effect that the characteristic is intended to provide.

Terms used in the present disclosure are used to describe various embodiments of the present disclosure, and are not intended to limit the present disclosure. The singular forms are intended to include the plural forms unless the context clearly indicates that the plural forms are not intended.

Unless defined otherwise, all terms used in this disclosure, including technical or scientific terms, have the meaning commonly understood by one of ordinary skill in the art. Common terms that may be defined in the dictionary should be understood to have meanings that are not inconsistent with their context, and should not be construed as exaggeratedly idealistic or limited in form unless explicitly defined otherwise in the present disclosure.

According to various embodiments of the present disclosure, an electronic device may include a communication function. For example, the electronic device includes a smart phone, a tablet PC (Personal Computer), a mobile phone, a video phone, an e-book reader, a desktop PC, a laptop PC, a netbook PC, a personal digital assistant (PDA), a portable multimedia player (PMP), MPEG (Moving Picture Expert Group) audio layer 3 (MP3) players, mobile medical devices, cameras, wearable devices (eg, head mounted devices (HMDs), electronic garments, electronic bracelets, electronic necklaces, electronic accessories, electronic tattoo, or smart watch).

According to various embodiments of the present disclosure, the electronic device may be a smart home appliance having a communication function. Smart home appliances include, for example, televisions, DVD (Digital Video Disk) players, audio devices, refrigerators, air conditioners, vacuum cleaners, ovens, microwaves, washing machines, dryers, air purifiers, set-top boxes, TV boxes (eg, Samsung HomeSync™, Apple TV™). , or Google TV™), a game console, an electronic dictionary, an electronic key, a camcorder, an electronic photo album, or the like.

According to various embodiments of the present disclosure, an electronic device may include a medical device (eg, a Magnetic Resonance Angiography (MRA) device, a Magnetic Resonance Imaging (MRI) device, a Computed Tomography (CT) device, an imaging device, or an ultrasound device), a navigation device, and a navigation device. Device, Global Positioning System (GPS) receiver, EDR (Event Data Recorder), FDR (Flight Data Recorder), automotive infotainment device, ship electronic device (eg, ship navigation device, gyroscope, or compass), avionics device, security devices, industrial or domestic robots, and the like.

According to various embodiments of the present disclosure, an electronic device includes furniture including a communication function, a part of a building/structure, an electronic bulletin board, an electronic mission receiving device, a projector, and various measuring devices (eg, a water meter, an electricity meter, a gas meter, or an electromagnetic wave measuring device).

According to various embodiments of the present disclosure, the electronic device may be any combination of the aforementioned devices. In addition, it will be apparent to those skilled in the art that the electronic device according to various embodiments of the present disclosure is not limited to the above-described devices.

Various embodiments of the present disclosure include an apparatus and method for sandboxing Android applications at runtime into a lightweight container.

For example, the user of the mobile terminal classifies at least one application, which may also be referred to as an Android application, into a group in a sandbox at runtime, and includes application data corresponding to the at least one application included in the sandbox and There may be instances where it may be necessary to ensure that code execution is separated from code execution and at least one of the applications of the electronic device not included in the sandbox and application data corresponding to at least one of those applications or elements.

More specifically, a user may need to group at least one office application at runtime, such as a word processing application and a spreadsheet application. Resources such as data and sockets generated by the grouped applications may be shared only with the grouped applications, and may not be shared with applications that do not belong to the grouped application. Components of grouped applications cannot be launched by any application that is not included in the grouped applications. For example, by grouping at least one banking application, such as an application for monitoring and maintaining a bank account corresponding to the user, and an application corresponding to a credit account, the user groups the applications included in the at least one banking application and at least one prevent other applications from accessing the resources used by the group of at least one banking application, such that any component level communication is blocked between applications excluded from the group of banking applications, and thus the group is considered to be sandboxed; can do. In other words, applications included in the group of at least one banking application are blocked from communicating at the component level with applications excluded from the group of at least one banking application.

However, prior art methods of sandboxing a group of applications for inclusion in the sandbox may not provide a secure environment and do not provide a strong separation between applications included in the sandbox and applications excluded from the sandbox. may not be In addition, the prior art version of Security Enhancements for Android (SEAndroid) classifies a number of Android applications into a sandbox group, which can also be referred to as a sandbox, so that the applications do not belong to the sandbox group. Provides a kernel and middleware Mandatory Access-Control (MMAC) mechanism that prevents it from being started by . Data segregation and protection are supported by SEAndroid policy (SEPolicy). However, the sandbox according to the prior art version of SEAndroid must be preset at least one of the time of construction or the time of updating the SE Linux (SELinux) policy, and the prior art version of SEAndroid groups applications to form a sandbox at runtime. classification is not supported. Additionally, according to the prior art version of SEAndroid, although grouped applications can be run or executed in a virtual machine, running multiple virtual machines in a mobile terminal is not Problems can be troublesome. Also, it can be difficult to start up virtual machines on-demand during runtime.

1 illustrates a network environment including an electronic device according to various embodiments of the present disclosure.

Referring to FIG. 1 , a network environment 100 includes an electronic device 101 . The electronic device 101 includes a bus 110 , a processor 120 , a memory 130 , an input/output (I/O) interface 140 , a display 150 , a communication interface 160 , a sandbox module 170 , and the like. may include However, the present disclosure is not limited thereto, and the sandbox module 170 includes other elements of the electronic device 101 , such as the processor 120 , and/or any other similar and/or sandbox module 170 that may be included. / or may be included in the appropriate element.

The bus 110 may be a hardware device including a circuit, may connect the aforementioned components, and may enable communication between the aforementioned components. For example, the bus 110 may connect components of the electronic device 101 to transmit and/or receive control messages and/or other information to be transmitted between the connected components.

The processor 120 receives commands from, for example, other components, such as the memory 130 , the I/O interface 140 , the display 150 , the communication interface 160 , the sandbox module 170 , and the like. , interprets the received command, and may perform calculations and/or data processing according to the interpreted command.

Memory 130 may be, for example, received from and/or from other components such as processor 120 , I/O interface 140 , display 150 , communication interface 160 , sandbox module 170 , etc. or may store commands and/or data generated by or the like. For example, the memory 130 may include programming modules such as a kernel 131 , middleware 132 , an application programming interface (API) 133 , and an application 134 . Each of the programming modules described above may include a combination of at least two of software, firmware, and hardware.

Kernel 131 includes system resources that can be used to execute operations or functions implemented in other programming modules such as middleware 132, API 133, application 134, etc., for example, bus 110, The processor 120 , the memory 130 , and the like may be controlled and/or managed. Kernel 131 may provide an interface that allows middleware 132 , API 133 , application 134 , etc. to access individual components of electronic device 101 , or otherwise facilitates it. .

Middleware 132 may be a medium and/or any suitable hardware and/or software that enables kernel 131 to communicate with API 133 , applications 134 , and the like to send and receive data. Middleware 132 may control work requests generated by and/or corresponding to application 134 . For example, scheduling of such work requests, load balancing, and the like may be performed. For example, the middleware 132 gives priority to the application 134 for using system resources (eg, the bus 110 , the processor 120 , the memory 130 , etc.) of the electronic device 101 . By assigning it is possible to control the work requests by the application 9134).

The API 133 may be an interface that controls functions that the application 134 may provide, such as the kernel 131 and the middleware 132 . For example, the API 133 may include at least one interface and/or function, for example, a command, for file control, window control, video processing, text control, and the like.

According to various embodiments of the present disclosure, the application 134 is a short message service (SMS) application, a multimedia messaging service (MMS) application, an e-mail application, a calendar application, an alarm application, such as an exercise amount application, a blood sugar level Health care applications such as measurement applications, environmental information applications such as applications that can provide barometric pressure, humidity and temperature information, instant messaging applications, call applications, internet browsing applications, gaming applications, media playback applications, images/videos capture applications, file management applications, and the like. Additionally and/or alternatively, the application 134 may be an application related to information exchange between the electronic device 101 and an external electronic device, for example, the electronic device 104 . For example, the application 134 related to information exchange may include a notification relay application capable of providing a certain type of information to an external electronic device, a device management application capable of managing the external electronic device, and the like. have.

For example, the notification relay application may include other applications included in the electronic device 101 , for example, an SMS/MMS application, an e-mail application, a health care application, an environment information application, an instant messaging application, a call application, and an Internet browsing application. , a game application, a media playback application, an image/video capture application, a file management application, and the like, to an external electronic device, for example, the electronic device 104 . Additionally, the notification relay application may provide, for example, a notification of reception from an external electronic device, for example, the electronic device 104 , and may provide the notification to the user.

In one example, the device management application enables functions related to at least a part of the external electronic device in communication with the electronic device 101 , for example, the external electronic device itself and/or at least one component of the external electronic device. It is possible to manage ring (enabling) or disabling (disabling), control the brightness and/or resolution of the display of the external electronic device 104 , and an application or external electronic device operated in the external electronic device 104 . It may control the services provided by the device 104 , such as voice calling services, messaging services, and the like.

According to various embodiments of the present disclosure, as an example, the application 134 includes at least one application determined according to a characteristic of an external electronic device, for example, the external electronic device 104 , for example, an electronic device type. can do. For example, if the external electronic device is a Moving Picture Expert Group (MPEG) audio layer 3 (MP3) player, the application 134 may include at least one application related to music reproduction. As another example, if the external electronic device is a mobile medical device, the application 134 may be a health care related application. According to various embodiments of the present disclosure, the application 134 is an application preloaded in the electronic device 101 and an application received from an external electronic device, for example, the external electronic device 104 , the server 106 , or the like. may include at least one of

The I/O interface 140 may receive, for example, at least one of commands and/or data from a user. The I/O interface 140 may send commands and/or data to the processor 120 , the memory 130 , the communication interface 160 , the sandbox module 170 , and the like via the bus 110 . For example, the I/O interface 140 may provide data related to a user input, such as a user input received through a touch screen, to the processor 120 . The I/O interface 140 may I/O commands and/or data received over the bus 110 from, for example, the processor 120 , the memory 130 , the communication interface 160 , the sandbox module 170 , and the like. The output may be through a device, for example, a speaker (not shown), a display (not shown), or the like. For example, the I/O interface 140 may output voice data, for example, voice data processed by the processor 120 through a speaker.

The display 150 may display various types of information, for example, multimedia, text data, and the like to the user. For example, the display 150 may display a graphical user interface (GUI) that is a means for allowing a user to interact with the electronic device 101 .

The communication interface 160 may provide communication between the electronic device 101 and one or more external electronic devices, for example, the external electronic device 104 or the server 106 . For example, the communication interface 160 may communicate with an external electronic device by establishing a connection with the network 162 using wireless and/or wired communication. In one example, the communication interface 160 may include Wi-Fi, Bluetooth, Near Field Communication (NFC), Global Positioning System (GPS), cellular communication, such as Long Term Evolution (LTE), LTE-A (LTE). Advanced), Code Division Multiple Access (CDMA), Wideband CDMA (WCDMA), Universal Telecommunications System (UMTS), Wireless Broadband (WiBro), Global System for Mobile Communications (GSM), etc. can communicate Additionally and/or alternatively, for example, the communication interface 150 may be, for example, Universal Serial Bus (USB), High Definition Multimedia Interface (HDMI), Recommended Standard 232 (RS-232), Plain Old Telephone Service (POTS). ) may be communicated through wired communication, which may be at least one of.

According to various embodiments of the present disclosure, the network 162 may be a telecommunication network. For example, the communication network may include at least one of a computer network, the Internet, the Internet of Things, and a telephone network. A protocol for communication between the electronic device 101 and an external electronic device, for example, a transport layer protocol, a data link protocol, a physical layer protocol, etc. is an application 134 , an API 133 , a middleware 132 , and a kernel 131 . , may be supported by at least one of the communication interface 160 , and the like.

The sandbox module 170 may process at least some of the information received from, for example, other components, for example, the processor 120 , the memory 130 , the I/O interface 140 , the communication interface 160 , and the like. and various information and services may be provided to the user in various ways. For example, the sandbox module 170 performs at least some of the functions of the electronic device 101 to communicate and/or connect to another electronic device, for example, the external electronic device 104 , the server 106 , and the like to the processor 120 . can be controlled via or independently. 2 is a sandbox module 170 that can provide a PerAppContainer, also referred to as MyContainer, to include at least one application to be executed at runtime in a container separated by an application program interface (API). will provide additional information regarding

2 illustrates a structure for executing PerAppContainer according to various embodiments of the present disclosure.

Referring to FIG. 2 , any other similar and/or suitable element, unit, hardware device, and/or hardware unit, such as sandbox module 170 and/or processor 120 of electronic device 101 , may create a PerAppContainer can provide PerAppContainer provides a sandbox at runtime to at least one application, such as an Android application, to separate the at least one application and corresponding application data and code execution between the at least one application and other applications not included in the sandbox. In order to do this, the at least one application can be run in a container environment separated by an API call, in other words, it can be executed.

For example, in the case of Samsung Knox 2.0 that provides a security service, PerAppContainer may include a Multi-Level Security/Multi-Category Security (MLS/MCS) policy for SEAndroid. In particular, SEAndroid security ensures that applications are operated or executed in a separate environment, untrusted applications cannot access data and other individual objects of the target application, and interactions between the target application and other untrusted applications are blocked. The target application is assigned to a dedicated category to ensure that the policy guarantees it.

According to the prior art comprising a Mobile Device management (MDM) container, an Android application is re-packaged, for example by redexing and/or application wrapping techniques. may be, or otherwise developed by a dedicated Software Development Kit (SDK). Therefore, in the MDM container of the prior art, the downloaded application, in other words any arbitrary application within the container, cannot be operated and/or executed.

On the other hand, according to an embodiment of the present disclosure, PerAppContainer is a method of running a downloaded application or any other similar and/or suitable application in a lightweight container using SEAndroid Manager Service (SEAMS). provides

PerAppContainer according to an embodiment of the present disclosure may be created or terminated by calling a SEAMS API, for example, by a call generated by an Android application of at least one of an MDM client or MyContainerManager. Using a user interface (UI) provided by MyContainerManager, the user may select at least one of the applications installed on the electronic device 101 to form MyContainerManager at runtime. Additionally, the MDM client can perform the operations of MyContainerManager without requiring user input.

Android applications in MyContainer cannot be started, ie, operated or executed by any applications located outside of MyContainer, in other words not included in MyContainer, which is a Mandatory Access Control implemented in the Activity Manager Service. Control (MAC) may be enforced by a mechanism. Therefore, resources created by any application contained in MyContainer cannot be accessed by any application excluded from MyContainer, in other words any application outside of MyContainer, because such applications are This is because it is blocked by the Multiple Categories Security (MCS) mechanism.

Specifically, by an authorized call, which may be an API call that ServiceKeeper 201 authorizes to an MDM client, SEAMS may create a new category for the target application, and in the electronic device 101 The policy file can be updated to specify that the application is to be assigned to the new category, and the target application's data file objects can be re-labeled according to the new category.

After SEAMS creates a new category for the target application and completes the above steps, when the application is restarted next, Android's Package Manager Service (PMS) searches for an updated policy file. It ensures that Zygote, which includes core libraries common to applications included in the electronic device 101 , assigns a new category as part of the security context of the application processes. By default security policy providing both kernel level isolation and middleware level isolation, application processes are separated at both the kernel level and the middleware level. More details on how target applications are separated by policy enforcement at the middleware and kernel level can be found in the policy-based container IDF.

As shown in FIG. 2 , the structure for the execution of the PerAppContainer represents a high level view of operating the PerAppContainer. When MDM client is authorized by ServiceKeeper 201, MDM client calls SEAMS API 202 to MyContainer1 209 containing applications App1 203, App2 204, and App3 205 Many, including Appl 203 - App6 208, which can run or run in separate containers, such as MyContainer2 210, which includes and applications App4 206, App5 207, and App6 208 You can assign a unique category to any one of the applications of Additionally, multiple PerAppContainers, in other words, one or more instances of PerAppContainer, may be operated concurrently in a device such as electronic device 101 , each instance of a PerAppContainer or PerAppContainer for a single instance of a banking application It may be for at least one of a different application type, such as a PerAppContainer for games or a PerAppContainer for any suitable or similar instance or group of applications. However, an application may only be assigned to a single PerAppContainer at any one time.

3 illustrates a method of executing PerAppContainer according to various embodiments of the present disclosure.

Referring to FIG. 3 , in operation 301, a user may select a target application, which may also be referred to as a target app. For example, the electronic device 101 may display at least one application through the display 150 , and the user of the electronic device 101 may display at least one target application among the at least one application displayed on the display 150 , for example. For example, you can select at least one target app. However, various embodiments of the present disclosure are not limited thereto, and any suitable application that can be executed by the electronic device 101 may be selected as the target application.

Next, in operation 302 , the electronic device 101 may obtain a policy file corresponding to the target application selected by the user. The policy file may contain information corresponding to the target application selected by the user and any other similar or suitable information corresponding to the target application selected by the user, such as application names, digital certificates, and related categories. The policy file may be modified or changed based on a changing environment of a device such as the electronic device 101 or according to a user's needs. The policy file may be stored in memory 130 or may be obtained from at least one of memory 130 or any other similar or suitable source that has stored the policy file.

In operation 303, the electronic device 101 determines whether the policy file includes information indicating the category of the target app. For example, if the target app is related to the actions of a mobile medical device, the policy file may include information indicating that the category of the target app is “health care application”, as another example, if the target app is related to the actions of an MP3 player related to, the target app may be included in the “music play” category. However, the present disclosure is not limited thereto, and the category of the target app may be any similar or suitable type of category of applications that may be executed in the electronic device 101 .

If the electronic device 101 determines that the policy file does not include information indicating the category of the target app in operation 303, the electronic device 101 may generate new category information on the target app in operation 304 . For example, the electronic device 101 may display at least one category on the display 150 to allow the user of the electronic device 101 to select a category of the target app from among the displayed at least one category. Additionally or alternatively, the user of the electronic device 101 via the I/O interface 140 , the display 150 , or any similar or suitable method for entering a category of the target app You can also enter a category for the app.

Next, in operation 305 , the electronic device 101 may update the policy file with the category of the target app. For example, the electronic device 101 may update the policy file to designate that the target app be assigned to a new category input by the user. Next, in operation 306 , the electronic device 101 may relabel the data file objects of the target app according to a new category.

Returning to operation 303, if the electronic device determines that the policy file includes information indicating the category of the target app, the electronic device 101 adds the target app to the Appcontainer in correspondence with the policy file according to the category of the target app In order to do so, the process proceeds to operation 308. Next, in operation 307 , the electronic device 101 executes an Appcontainer including the target app.

4 illustrates a block diagram of hardware according to various embodiments of the present disclosure.

Referring to FIG. 4 , the electronic device 401 may be, for example, a part or the whole of the electronic device 101 . Referring to FIG. 4 , the electronic device 401 includes at least one application processor (AP) 410 , a communication module 420 , a subscriber identification module (SIM) card 424 , a memory 430 , and a sensor. module 440 , input module 450 , display module 460 , interface 470 , audio module 480 , camera module 490 , power management module 495 , battery 496 , indicator 497 . , a motor 498, and the like.

The AP 410 may control one or more hardware or software components connected to the AP 410 , and may process and/or calculate data including multimedia data. For example, the AP 410 may be implemented as a system-on-chip (SoC). The AP 410 may include a graphics processing unit (GPU) (not shown).

The communication module 420 , for example, the communication interface 160 , may transmit/receive data in communication between the electronic device 101 and other electronic devices, for example, the electronic device 104 , the server 106 , and the like. For example, the communication module 420 includes a cellular module 421, a Wi-Fi module 423, a Bluetooth module 425, a GPS module 427, an NFC module 428, a radio frequency (RF) module ( 429) and the like.

The cellular module 421 provides services such as voice call, video call, and short message service (SMS) < Internet service through a communication network, for example, LTE, LTE-A, CDMA, WCDMA, UMTS, WiBro, GSM, etc. can do. For example, the cellular module 421 may use a Subscriber Identity Module (SIM) card, such as the SIM card 424 , to differentiate and authenticate electronic devices within a communication network. According to various embodiments of the present disclosure, the cellular module 421 may perform at least some of the functions of the AP 410 . For example, the cellular module 421 may perform at least a part of multimedia control functions.

According to various embodiments of the present disclosure, the communication interface 420 and/or the cellular module 421 may include a communication processor (CP). For example, the cellular module 421 may be implemented as an SoC.

Although FIG. 4 shows components such as the cellular module 421, for example, the CP, the memory 430, and the power management module 495 as components separate from the AP 410, various implementations of the present disclosure According to examples, the AP 410 may include or be integrated with one or more of the components described above, for example, the cellular module 421 .

According to various embodiments of the present disclosure, the AP 410, the cellular module 421, for example, the CP, etc. loads the commands and/or data received from the non-volatile memory and other components into the volatile memory. The instructions and/or data may be processed. The AP 410 , the cellular module 421 , the communication interface 420 , etc. stores at least one of data received from at least one of the other components and data generated by at least one of the other components to the non-volatile memory. can be saved

The Wi-Fi module 423, the Bluetooth module 425, the GPS module 427, the NFC module 428, etc. each include, for example, at least one processor capable of processing data received and transmitted by the respective modules. can 4 shows the cellular module 421 , the Wi-Fi module 423 , the Bluetooth module 425 , the GPS module 427 , and the NFC module 428 as separate blocks, various implementations of the present disclosure According to examples, any combination of cellular module 421 , Wi-Fi module 423 , Bluetooth module 425 , GPS module 427 , NFC module 428 , etc., for example a combination of two or more It may also be included in an integrated circuit (IC) or IC package. For example, at least some of the processors corresponding to the cellular module 421 , the Wi-Fi module 423 , the Bluetooth module 425 , the GPS module 427 , the NFC module 428 and the like may be implemented as a single SoC. . For example, a CP corresponding to the cellular module 421 and a Wi-Fi processor corresponding to the Wi-Fi module 423 may be implemented as a single SoC.

The RF module 429 may transmit and receive RF signals, for example. Although not shown, the RF module 429 may include a transceiver, a power amplifier module (PAM), a frequency filter, a low noise amplifier (LNA), and the like. The RF module 429 may include one or more elements, such as a conductor or a conducting wire, for transmitting and receiving electromagnetic waves (EM waves) in free space, for example. 4 shows the cellular module 421 , the Wi-Fi module 423 , the Bluetooth module 425 , the GPS module 427 , and the NFC module 428 as sharing one RF module 429 with each other and However, according to various embodiments of the present disclosure, at least one of the cellular module 421, the Wi-Fi module 423, the Bluetooth module 425, the GPS module 427, the NFC module 428, etc. is a separate RF signals may be transmitted/received through the RF module.

The SIM card 424 may be a card implementing a subscriber identification module (SIM), and may be inserted into a slot installed at a designated location of the electronic device. The SIM card 1224 may include a unique identifier (eg, Integrated Circuit Card Identifier (ICCID)), subscriber information (eg, International Mobile Subscriber Identity (IMSI)), and the like.

The memory 430 , for example, the memory 130 , may include an internal memory 432 , an external memory 434 , or a combination thereof.

According to various embodiments of the present disclosure, the embedded memory 432 is, for example, a volatile memory (eg, Dynamic Random Access Memory (DRAM), Static RAM (SRAM), and/or Synchronous Dynamic RAM (SDRAM)), non-volatile memory Volatile memory (e.g. One Time Programmable Read Only Memory (OTPROM), programmable ROM (PROM), Erasable and Programmable ROM (EPROM), Electrically Erasable and Programmable ROM (EEPROM), mask ROM, flash ROM, NAND flash memory, NOR flash memory) and the like.

According to various embodiments of the present disclosure, the internal memory 432 may be a solid state drive (SSD). For example, the external memory 434 may be a flash drive, for example, a CF (Compact Flash) drive, SD (Secure Digital), micro SD (micro Secure Digital), Mini SD (mini Secure Digital), or xD (extreme) drive. Digital), a memory stick, or the like. The external memory 434 may be functionally connected to the electronic device 401 through various interfaces. According to various embodiments of the present disclosure, the electronic device 401 may include a recording device and/or a recording medium such as a hard disk drive (HDD).

The sensor module 440 may measure physical/environmental characteristics, detect an operating state related to the electronic device 401, etc., and convert the measured and/or sensed information into a signal such as an electrical signal or an electromagnetic signal. have. For example, the sensor module 440 may include a gesture sensor 440A, a gyro sensor 440B, a barometric pressure sensor 440C, a magnetic sensor 440D, an acceleration sensor 440E, a grip sensor 440F, a proximity sensor 440G, It may include at least one of an RGB sensor 440H, a biometric sensor 440I, a temperature/humidity sensor 440J, an illuminance sensor 440K, and an Ultra Violet (UV) sensor 440M. The sensor module 440 may detect an operating state of the electronic device and/or measure a physical characteristic, and may convert the sensed or measured information into an electrical signal. Additionally or alternatively, the sensor module 440 may include, for example, an electrical nose sensor (not shown), an electromyography sensor (not shown), an electroencephalogram sensor (not shown), an EEG sensor (not shown); It may also include an electrocardiogram sensor (not shown), an infrared (IR) sensor (not shown), an eye scanning sensor (eg, an iris sensor; not shown), a fingerprint sensor (not shown), and the like. have. The sensor module 440 may also include a control circuit for controlling at least one sensor included therein.

The input module 450 may include a touch panel 452 , a pen sensor 454 , a key 456 , an ultrasonic input device 458 , and the like.

For example, the touch panel 452 may sense a touch input using a capacitive type, a pressure sensitive type, an infrared type, an ultrasonic type, or the like. Touch panel 452 may also include a touch panel controller (not shown). For example, a capacitive touch panel may sense a proximity input, eg, a hovering input, in addition to or as an alternative to physical touch input. The touch panel 452 may also include a tactile layer. According to various embodiments of the present disclosure, the touch panel 452 may provide haptic feedback to the user by using a tactile layer.

For example, the pen sensor 454 may be implemented using the same or similar method as receiving a touch input from a user or a separate detection sheet (eg, a digitizer). For example, key 456 may be a keypad, touch key, or the like. For example, the ultrasound input device 458 may be a device configured to check data by detecting an ultrasound signal generated by a device capable of generating an ultrasound signal using a microphone (eg, the microphone 488 ). The ultrasound input device 458 may wirelessly sense data.

According to various embodiments of the present disclosure, the electronic device 401 may receive a user input from an external device connected to the electronic device 401 using the communication module 401, for example, a network, a computer, or a server. have.

The display module 460 , for example the display 150 , may include a panel 462 , a hologram device 464 , a projector 466 , and the like. For example, the panel 462 may be a liquid-crystal display (LCD), an active-matrix organic light-emitting diode (AM-OLED) display, or the like. For example, the panel 462 may be implemented to be flexible, transparent, and/or wearable. The panel 462 and the touch panel 452 may be implemented as a single module. The hologram device 464 may provide a stereoscopic image. For example, the hologram device 464 may provide a stereoscopic image in the air using interference of light waves. The projector 466 may provide an image by projecting light onto a surface, for example, a wall, a screen, or the like. For example, the surface may be located inside or outside the electronic device 401 . According to various embodiments of the present disclosure, the display module 460 may also include a control circuit for controlling the panel 462 , the hologram device 464 , the projector 466 , and the like.

The interface 470 may include, for example, a High-Definition Multimedia Interface (HDMI) 472 , a USB 474 , an optical interface 476 , a D-subminiature (D-sub) 478 , and the like. . For example, interface 470 may be part of communication interface 420 . Additionally or alternatively, the interface 470 may include, for example, at least one of a Mobile High-Definition Link (MHL) interface, a Secure Digital (SD)/Multi-Media Card (MMC) interface, an Infrared Data Association (IrDA) standard interface, and the like. may contain one.

Audio module 480 may encode/decode sound into electrical signals and vice versa. According to various embodiments of the present disclosure, at least a portion of the audio module 480 may be a portion of the I/O interface 140 . For example, the audio module 480 may encode/decode voice information input to or output from the speaker 482 , the receiver 484 , the earphone 486 , the microphone 488 , and the like.

The camera module 491 may capture a still image and/or a moving image. According to various embodiments of the present disclosure, the camera module 491 includes at least one image sensor (eg, a front sensor module, a rear sensor module, etc.; not shown), an image signal processor (ISP). ; not shown), and a flash (eg, LED, xenon lamp, etc.; not shown).

The power management module 495 may manage power of the electronic device 401 . Although not shown, the power management module 495 may include, for example, a power management integrated circuit (PMIC), a charger integrated circuit (IC), a battery gauge, a fuel gauge, and the like.

For example, the PMIC may be mounted on an integrated circuit or SoC semiconductor. The charging method of the electronic device 410 may include wired charging and wireless charging. The charger IC may charge a battery and prevent an overvoltage or overcurrent from the charger from flowing into the electronic device 401 or the like. According to various embodiments of the present disclosure, the charging IC may include at least one of a wired charging IC and a wireless charging IC. For example, the wireless charging IC may be a magnetic resonance method, a magnetic induction method, an electromagnetic wave method, or the like. For example, the wireless charger may include circuits such as a coil loop, a resonance circuit, and a rectifier. For example, the battery gauge may measure a remaining amount of the battery 496 , a voltage during charging, a temperature, and the like. For example, the battery 496 may supply power to the electronic device 401 . For example, the battery 496 may be a rechargeable battery, a solar battery, or the like.

The indicator 497 may display at least one state of the electronic device 401 or a part thereof (eg, the AP 410 ), for example, a booting state, a message state, a charging state, and the like. Motor 498 may convert electrical signals into mechanical vibrations.

Although not shown, the electronic device 401 may include at least one device for supporting a mobile television (mobile TV), for example, a graphics processing unit (GPU). An apparatus for supporting mobile TV may support processing of media data according to standards such as Digital Multimedia Broadcasting (DMB), Digital Video Broadcasting (DVB), and media flow.

It should be understood that various embodiments of the present disclosure according to the claims and description of the present specification may be implemented in the form of hardware, software, or a combination of hardware and software.

Any such software may be stored in a non-transitory computer-readable storage medium. The non-transitory computer-readable storage medium stores one or more programs (software modules), the one or more programs instructions that, when executed by one or more processors of the electronic device, cause the electronic device to perform the method of the present disclosure include those

Any such software, whether erasable or rewritable, may be in the form of volatile and/or non-volatile storage devices, such as storage devices such as ROM, or memory, CDs, CDs, such as RAM, memory chips, devices or integrated circuits; It may be stored in the form of an optically or magnetically readable medium such as a DVD, magnetic disk, or magnetic tape. It should be appreciated that the storage devices and storage media are various embodiments of a machine-readable non-transitory storage medium suitable for storing a program or programs comprising instructions that, when executed, implement various embodiments of the present disclosure. Accordingly, various embodiments include a program comprising code for implementing an apparatus or method as claimed in any one of the claims herein, and a machine-readable storage device storing such a program.

While the present disclosure has been shown and described with reference to its various embodiments, those skilled in the art may make various changes in form and detail in this disclosure without departing from the spirit and scope of the disclosure as defined by the appended claims and their equivalents. You will understand that it can be done. The various embodiments of the present disclosure are described by way of example only, and are not intended to limit the scope of the present disclosure. Accordingly, the scope of the present disclosure should be construed to cover any and all modifications that may be made without departing from the spirit of the present disclosure.

101. 104. 401: electronic device 110: bus
120: processor 130: memory
140: I/O interface 150: display
160: communication interface 170: sandbox module

Claims (20)

A method of creating an application container, comprising:
identifying, by a processor of the electronic device, selection of a target application from among a plurality of applications displayed on a display unit of the electronic device;
obtaining, by the processor, a policy file corresponding to the target application;
identifying, by the processor, category information for the target application based on the policy file;
generating, by the processor, an application container corresponding to the category of the target application;
assigning, by the processor, a category of the target application to a security context; and
executing, by the processor, the target application in the application container;
the data file objects of the target application are labeled according to the category of the target application;
The security context provides kernel level separation and middleware level separation of data file objects of the target application. The method of claim 1 , further comprising, by the processor, generating category information for the target application, including the category of the target application. The method of claim 2 , wherein the generating of the category information for the target application comprises receiving a user input indicating a category of the target application. The method of claim 3, wherein the receiving of the user input indicating the category of the target application comprises receiving a user input for selecting one category from among at least one predetermined category or receiving a user input corresponding to a new category. A method comprising at least one of receiving. 5. The method of claim 4, further comprising assigning, by the processor, the target application to one of the at least one predefined category or to at least one of the new category. 6. The method of claim 5,
updating, by the processor, the policy file corresponding to the target application to include a category of the target application and to correspond to the category information; and
updating, by the processor, data file objects corresponding to the target application to be associated with a category of the target application. The method of claim 1 , wherein another application included in the category of the target application does not share any of resources, information, application data and code execution with applications not included in the category of the target application. The method of claim 1 , wherein the policy file includes information corresponding to the target application selected by a user. The method of claim 8 , wherein the information included in the policy file is at least one of an application name corresponding to the selected target application, a digital certificate, and a related category. The method of claim 8 , wherein the policy file is at least one of a policy file that is modified and changed based on a changing environment of the electronic device and a policy file that is modified and changed according to the needs of a user of the electronic device. An electronic device for creating an application container, comprising:
display unit; and
A processor comprising:
controlling the display unit to display at least one application included in the electronic device;
identify a selection of a target application among the at least one application included in the electronic device;
obtain a policy file corresponding to the target application;
identify category information for the target application based on the policy file;
create an application container corresponding to the category of the target application;
assign a category of the target application to a security context;
configured to run the target application in the application container;
the data file objects of the target application are labeled according to the category of the target application;
The security context provides kernel-level separation and middleware-level separation of data file objects of the target application. The electronic device of claim 11 , wherein the processor is further configured to generate category information for the target application including a category of the target application. 13. The method of claim 12, wherein the processor is further configured to receive a user input indicating a category of the target application;
The display unit is further configured to receive a touch input corresponding to the user input. The electronic device of claim 13 , wherein the processor is further configured to receive at least one of a user input for selecting one category from among at least one predetermined category and a user input corresponding to a new category. 15. The electronic device of claim 14, wherein the processor is further configured to assign the target application to one of the at least one predefined category and to at least one of the new category. 16. The method of claim 15, wherein the processor is further configured to: update the policy file corresponding to the target application to include a category of the target application and to correspond to the category information;
and the processor is further configured to update data file objects corresponding to the target application to be associated with a category of the target application. The electronic device of claim 11 , wherein the processor is further configured to not share any of resources, information, application data and code execution with applications not included in the category of the target application. The electronic device of claim 11 , wherein the policy file includes information corresponding to the target application selected by a user. The electronic device of claim 18 , wherein the information included in the policy file is at least one of an application name corresponding to the selected target application, a digital certificate, and a related category. The electronic device of claim 18 , wherein the policy file is at least one of a policy file that is modified and changed based on a changing environment of the electronic device and a policy file that is modified and changed according to the needs of a user of the electronic device.

Images