KR20140117164A - Financial service system and method thereof, and apparatus applied to the same - Google Patents


Publication number
KR20140117164A
Authority
KR
South Korea
Prior art keywords
function
execution
user device
operating area
execution restriction
Prior art date
Application number
KR1020130032254A
Other languages
Korean (ko)
Inventor
장도현
김세현
Original Assignee
에스케이플래닛 주식회사
Priority date
Filing date
Publication date
Application filed by 에스케이플래닛 주식회사 filed Critical 에스케이플래닛 주식회사
Priority to KR1020130032254A priority Critical patent/KR20140117164A/en
Publication of KR20140117164A publication Critical patent/KR20140117164A/en


Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6281: Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database at program execution time, where the protection is within the operating system
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/74: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/88: Detecting or preventing theft or loss
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00: Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21: Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2149: Restricted operating environment

Abstract

The present invention discloses a loss processing system and method, and an apparatus applied thereto. A user device based on TrustZone technology determines whether execution restriction is required for the functions installed in a first operating area. If the determination shows that execution restriction is required, the second operating area prevents at least some of the functions installed in the first operating area from being executed, irrespective of whether an execution request is received. By combining an isolated execution environment that is not exposed to security threats with hardware security technology, this prevents the leakage of personal information due to loss and also prevents illegal use through initialization (rooting) of the user device.

Description

TECHNICAL FIELD [0001] The present invention relates to a lost-processing system and a method thereof, and a device applied to the lost-

The present invention relates to a method for restricting, based on TrustZone technology, the execution of some of the functions installed on a user device for which a loss report has been received.

In recent years, smartphone use has expanded explosively owing to advances in hardware such as application processors and displays, the emergence of mobile operating systems, and the revitalization of the open market.

However, mobile terminals such as smartphones face the risk of leakage of personal information (e.g., address book, text messages, financial information, certificates) because of the openness of the operating system and an open-market ecosystem in which anyone can develop and participate. In addition to reproducing security threats known from existing PCs, such as terminal malfunctions, excessive charging, and possible attacks on mobile networks, they are exposed to new types of security threats that exist in wireless communication environments.

In particular, when a smartphone is lost, the risk of personal information leakage among the above security threats may double, and further problems such as illegal use through initialization of the smartphone may occur.

Accordingly, there is a need for a security platform technology capable of providing reliability in a mobile environment in order to protect users and network assets from security threats caused by the loss of a smartphone.

SUMMARY OF THE INVENTION The present invention has been made in view of the above circumstances. Its object is for a user device based on TrustZone technology to determine whether execution restriction is required for the functions installed in a first operating area and, if the determination shows that it is required, to have the second operating area prevent at least some of the functions installed in the first operating area from being executed. Combining an isolated execution environment that is not exposed to security threats with hardware security technology in this way prevents the leakage of personal information due to loss and also prevents illegal use through initialization (rooting) of the user device.

According to a first aspect of the present invention, there is provided a user device comprising: a determination unit that determines whether execution restriction is required for a function installed in a first operating area; and a control unit that, when the determination shows that execution restriction is required for the function installed in the first operating area, prevents, in a second operating area, at least some of the functions installed in the first operating area from being executed.

More specifically, the control unit verifies an execution request for a function installed in the first operating area, or determines whether to block the execution request, so that at least some of the functions installed in the first operating area are not executed.

More specifically, the user device may further include a sensing unit that senses that a function installed in the first operating area is executed in response to the execution request, and the determination unit determines whether execution restriction is required for the functions installed in the first operating area when the sensing unit detects that a specific function designated in connection with the execution restriction is executed.

More specifically, the user device further includes an interlocking unit that interworks with a management apparatus that manages loss processing targets for which a loss report has been received, and the determination unit determines that execution restriction is required for the functions installed in the first operating area when the user device is confirmed to be a loss processing target.

More specifically, the user device may further include a first operating system installed in the first operating area and a second operating system installed in the second operating area, wherein the second operating system provides an API (Application Programmer Interface) for supporting the execution of functions installed in the second operating area.

More specifically, the specific function designated in connection with the execution restriction includes at least one of a booting function and a security release function.

According to a second aspect of the present invention, there is provided a method of operating a user device, the method comprising: a determining step of determining whether execution restriction is required for a function installed in a first operating area; and a controlling step of, when the determination shows that execution restriction is required for the function installed in the first operating area, preventing, in a second operating area, at least some of the functions installed in the first operating area from being executed.

More specifically, the controlling step verifies an execution request for a function installed in the first operating area, or determines whether to block the execution request, so that the function is not executed.

More specifically, the method may further include, before the determining step, a detecting step of detecting that a function installed in the first operating area is executed according to the execution request, and the determining step determines whether execution restriction is required for the functions installed in the first operating area when it is detected that a specific function designated in advance in connection with the execution restriction is executed.

More specifically, the method may further include, before the determining step, an interlocking step of interworking with a management apparatus that manages loss processing targets for which a loss report has been received, and the determining step determines that execution restriction is required for the functions installed in the first operating area when the user device is confirmed to be a loss processing target.

More specifically, the specific function designated in connection with the execution restriction includes at least one of a booting function and a security release function.

According to the loss processing system and method of the present invention, and the apparatus applied thereto, a user device based on TrustZone technology determines whether execution restriction is required for the functions installed in the first operating area and, if the determination shows that it is required, the second operating area prevents at least some of the functions installed in the first operating area from being executed. Combining an isolated execution environment that is not exposed to security threats with hardware security technology in this way prevents the leakage of personal information due to loss and prevents illegal use through initialization (rooting) of the user device.

FIG. 1 is a schematic configuration diagram of a loss processing system according to an embodiment of the present invention.
FIG. 2 is a configuration diagram of a user device according to an embodiment of the present invention.
FIG. 3 is a block diagram of a user device employing TrustZone technology according to an embodiment of the present invention.
FIG. 4 is a schematic flowchart illustrating the operation flow in a loss processing system according to an embodiment of the present invention.
FIG. 5 is a schematic flowchart illustrating the operation of a user device according to an embodiment of the present invention.

Hereinafter, an embodiment of the present invention will be described with reference to the accompanying drawings.

FIG. 1 is a diagram illustrating a loss processing system according to an embodiment of the present invention.

As shown in FIG. 1, the loss processing system according to an embodiment of the present invention includes a management apparatus 100 that manages loss processing targets for which a loss report has been received, and a user device 200 that restricts the execution of functions installed on it.

Here, the management apparatus 100 refers to a server operated by a mobile communication company. When a loss report for a user device 200 owned by a mobile communication service subscriber is received, it designates and manages that user device 200 as a loss processing target.

The user device 200 refers to a mobile device for using a mobile communication service, for example a smartphone, a tablet PC, or a PDA. All devices capable of communicating with the network 100 can be included.

Meanwhile, according to one embodiment of the present invention, a hardware security solution is adopted as the security platform technology for providing high security against security threats arising from loss of the user device 200.

In this regard, hardware security solutions that provide high security in a mobile terminal such as the user device 200 include the UICC (Universal Integrated Circuit Card) and the Mobile TPM (Trusted Platform Module).

Here, the UICC is a smart card for storing personal information such as messages, e-mail and address book as well as subscriber, network and authentication information in 3G mobile network, and is generally called a 'Universal Subscriber Identity Module (USIM) card'.

The Mobile TPM enables the TPM (Trusted Platform Module) defined by the TCG (Trusted Computing Group), a standardization organization developing business standards for hardware-based trusted computing and security technologies, to be used in mobile terminals as well. Algorithm, and provides user, terminal authentication and terminal integrity verification, and user data protection.

The UICC, however, cannot satisfy the Trusted Execution Environment (TEE), which defines the security hardware and software functions that provide a secure execution environment for security-related applications on mobile terminals, because of its limited-performance processor and low transfer rate.

The Mobile TPM, in turn, has the disadvantages that the use of a separate chip increases cost and that application code is difficult to protect.

Therefore, an embodiment of the present invention applies TrustZone technology, which provides an environment isolated in hardware from security threats, rather than using a separate hardware security chip such as the UICC or the Mobile TPM.

As shown in FIG. 3, TrustZone is divided into a 'Normal World' (hereinafter referred to as the 'first operating area') and a 'Secure World' (hereinafter referred to as the 'second operating area'), and provides an execution environment in which general applications operate in the first operating area and applications that require security operate in the second operating area.

That is, the first operating area and the second operating area are isolated from each other in hardware and each operates only under its own operating system (the first operating system and the second operating system), so that even if the first operating area is attacked by malicious code, the applets and data stored in the second operating area are managed and executed securely.

In other words, the first operating area runs on a general-purpose operating system (the first operating system) that is open to others and therefore cannot be assured of security against various security threats, whereas the second operating area runs, in a hardware-isolated environment, on a dedicated operating system (the second operating system) that, unlike that of the first operating area, is not disclosed to third parties, and is therefore assured of security against various security threats.

As described above, an embodiment of the present invention applies TrustZone technology. A method for restricting, on that basis, the execution of some of the functions installed on the user device 200 is described in detail below.

The management apparatus 100 manages loss processing targets for which a loss report has been received.

More specifically, when the management apparatus 100 receives a loss report for a user device 200 owned by a mobile communication service subscriber, it designates that user device 200 as a loss processing target and, when the reported user device 200 connects, lets it recognize that it is a loss processing target.

At this time, the management apparatus 100 may transmit a message (e.g., push, OTA, SMS) to the user device 200 as soon as the loss report is received from the mobile communication service subscriber, so that the user device 200 recognizes that it is a loss processing target. Alternatively, the user device 200 can recognize this by connecting to the management apparatus 100 and confirming that it is a loss processing target.

Here, where connection of the user device 200 is induced, the user device 200 connects to the management apparatus 100 automatically at every set period, or connects automatically when a specific function is executed on the user device 200, for example when the booting function or the security release function is executed.

The user device 200 determines whether execution restriction is required for the functions installed on it.

More specifically, the user device 200 determines that execution restriction is required for the installed functions when it is confirmed, from the management apparatus 100 that designates and manages loss processing targets, to be a loss processing target.

At this time, the user device 200 senses the execution of installed functions and, when it detects that a specific function designated in connection with the execution restriction is executed, for example the booting function or the security release function, connects to the management apparatus 100 to confirm that it is a loss processing target.

Of course, the user device 200 may also connect to the management apparatus 100 at every set period to confirm that it is a loss processing target, or may confirm this by receiving, from the management apparatus 100 that received the loss report from the mobile communication service subscriber, a message (e.g., push, OTA, SMS) notifying it that it is a loss processing target.

That is, referring to FIG. 3, whether execution restriction is required for the installed functions is determined by executing an application (APP) installed in the first operating area. If the device is confirmed to be a loss processing target, it is determined that execution restriction is required for the functions installed in the first operating area.

In addition, the user device 200 restricts the execution of the installed functions.

More specifically, when the user device 200 is confirmed to be a loss processing target and execution restriction is therefore required, it ensures that all of the installed functions, or some important functions (e.g., wireless Internet access), are not executed even if an execution request is received.

At this time, when an execution request for an installed function is received, the user device 200 verifies the execution request or determines whether to block it, thereby preventing all of the installed functions or some important functions from being executed.

Here, in the case of execution request verification, when an execution request for all or some of the installed functions is received, the user is prompted to enter a preset password, and execution is allowed only when the password entered by the user is confirmed to be valid.

That is, referring to FIG. 3, an applet related to loss processing installed in the second operating area is executed so that it first confirms that an execution request for a function installed in the first operating area has been received, and then either prompts the user to enter the preset password to verify the execution request, or blocks the confirmed execution request.

Hereinafter, the configuration of the user apparatus 200 according to an embodiment of the present invention will be described in more detail with reference to FIG.

That is, the user device 200 according to an exemplary embodiment of the present invention includes a determination unit 210 for determining whether execution restriction is required for the installed functions, and a control unit 220 for preventing the installed functions from being executed.

In addition to the above-described configuration, the user device 200 according to an exemplary embodiment of the present invention further includes a sensing unit 230 for sensing that an installed function is executed, and an interlocking unit 240 that provides a communication function for interworking with the management apparatus 100.

Here, the determination unit 210, the sensing unit 230, and the interlocking unit 240 may be implemented as a software module, corresponding to an application (APP) installed in the first operating area.

The first operating system refers to a general-purpose operating system (for example, Android) that includes an open API (Application Program Interface) for supporting the operation of each of the determination unit 210, the sensing unit 230, and the interlocking unit 240 located in the first operating area.

The control unit 220, on the other hand, may be implemented as a software module corresponding to an applet installed in the second operating area.

Here, the second operating system refers to a dedicated operating system that provides an API for supporting only the operation of the control unit 220 located in the second operating area.

The determination unit 210 performs a function of determining whether execution restriction on the loaded function is required.

More specifically, the determination unit 210 determines that execution restriction is required for the installed functions when the device is confirmed, from the management apparatus 100 that designates and manages loss processing targets, to be a loss processing target.

At this time, the determination unit 210 connects to the management apparatus 100 to confirm that the device is a loss processing target when it detects, through the sensing unit 230, that a specific function designated in connection with the execution restriction, for example the booting function or the security release function, is executed among the installed functions. It also connects to the management apparatus 100 at every set period to confirm this.

That is, the determination unit 210 calls the open API provided by the first operating system to interwork with the sensing unit 230, so that the sensing unit 230 senses the execution of functions installed in the first operating area, and confirms when the sensing unit 230 has detected execution of the specific function designated in connection with the execution restriction.

The determination unit 210 also calls the open API provided by the first operating system to interwork with the interlocking unit 240, so that the interlocking unit 240 confirms with the management apparatus 100 that the device is a loss processing target. When it is thereby determined that execution restriction is required for the functions installed in the first operating area, the determination unit 210 transmits the determination result to the control unit 220 located in the second operating area.

On the other hand, the device can also be confirmed to be a loss processing target when a message (e.g., push, OTA, SMS) giving notice of this is received from the management apparatus 100 that received the loss report from the mobile communication service subscriber.

The control unit 220 performs a function of causing the loaded functions to be restricted.

More specifically, when the device is confirmed to be a loss processing target and execution restriction is therefore required, the control unit 220 ensures that all of the installed functions, or some important functions (e.g., wireless Internet access), are not executed even if an execution request is received from the user.

At this time, when an execution request for an installed function is received, the control unit 220 verifies the execution request or determines whether to block it, thereby preventing all of the installed functions or some important functions from being executed.

Here, in the case of execution request verification, when an execution request for all or some of the installed functions is received, the user is prompted to enter a preset password, and execution is allowed only when the password entered by the user is confirmed to be valid.

That is, when the determination result that execution restriction is required is received from the determination unit 210 located in the first operating area, the control unit 220 calls the API provided by the second operating system to interwork with the first operating system, so that it is the first to confirm that an execution request for a function installed in the first operating area has been received.

When an execution request received in the first operating area is confirmed, the control unit 220 prompts the user, in the second operating area, to enter the preset password to verify the execution request, or blocks the confirmed execution request, thereby preventing the function installed in the first operating area from being executed by calling the API provided by the first operating system.

In other words, because the control unit 220 is located in the second operating area, which is isolated in hardware and runs a dedicated operating system that is not disclosed to third parties, it is not initialized even when an operation to initialize (root) the user device 200 is performed, unlike the first operating area on which the general-purpose operating system is installed. Execution of the functions installed in the first operating area therefore remains restricted, which prevents the user device 200 from being used illegally.
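The decision logic of the control unit 220 described above, as an added example that is not code from the patent: a C model of the second-operating-area gate that blocks or password-verifies execution requests and keeps its state when the first operating area is initialized. All identifiers and the sample password are hypothetical, the two operating areas are simulated as plain structs rather than real TrustZone worlds, and the password is held in plaintext only to keep the model short.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical identifiers for functions installed in the first operating area. */
enum fn_id { FN_BOOT, FN_SECURITY_RELEASE, FN_WIRELESS_INTERNET, FN_CAMERA, FN_COUNT };
enum gate_mode { GATE_BLOCK, GATE_VERIFY };  /* block outright, or verify by password */
enum verdict { DENY = 0, ALLOW = 1 };

/* State held in the second operating area (Secure World). */
struct secure_state {
    bool restricted;          /* determination result: device is a loss processing target */
    bool covered[FN_COUNT];   /* which first-area functions the restriction applies to */
    enum gate_mode mode;
    char password[32];        /* preset password; a real applet would keep a salted KDF output */
};

/* State held in the first operating area (Normal World); initialization erases it. */
struct normal_state { bool loss_app_installed; int user_settings; };

/* Compare without an early exit, so timing does not reveal the first mismatching byte. */
static bool ct_equal(const char *a, const char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

void secure_init(struct secure_state *s, enum gate_mode mode, const char *password)
{
    memset(s, 0, sizeof *s);
    s->mode = mode;
    strncpy(s->password, password, sizeof s->password - 1);
}

/* Determination result handed over from the first operating area. The model has
 * no call that clears the flag, because the page describes none. */
void secure_apply_restriction(struct secure_state *s, const bool covered[FN_COUNT])
{
    s->restricted = true;
    memcpy(s->covered, covered, sizeof s->covered);
}

/* Gate for one execution request; password may be NULL when none was entered. */
enum verdict secure_gate(const struct secure_state *s, enum fn_id fn, const char *password)
{
    if ((unsigned)fn >= FN_COUNT) return DENY;            /* unknown request: fail closed */
    if (!s->restricted || !s->covered[fn]) return ALLOW;  /* outside the restriction */
    if (s->mode == GATE_BLOCK) return DENY;               /* blocked regardless of password */
    if (s->password[0] == '\0') return DENY;              /* no password provisioned */
    if (password == NULL || strlen(password) >= sizeof s->password) return DENY;
    char attempt[sizeof s->password] = {0};
    strncpy(attempt, password, sizeof attempt - 1);
    return ct_equal(attempt, s->password, sizeof attempt) ? ALLOW : DENY;
}

/* Initialization of the device wipes only the first operating area. */
void normal_world_reset(struct normal_state *n) { memset(n, 0, sizeof *n); }

/* Walks the flow on constructed inputs; returns the number of unexpected verdicts. */
int run_scenario(void)
{
    struct secure_state sw;
    struct normal_state nw = { true, 7 };
    const bool important[FN_COUNT] = {
        [FN_BOOT] = true, [FN_SECURITY_RELEASE] = true, [FN_WIRELESS_INTERNET] = true
    };
    int bad = 0;

    secure_init(&sw, GATE_VERIFY, "constructed-sample-pw");
    bad += secure_gate(&sw, FN_WIRELESS_INTERNET, NULL) != ALLOW;   /* not yet restricted */
    secure_apply_restriction(&sw, important);
    bad += secure_gate(&sw, FN_WIRELESS_INTERNET, NULL) != DENY;
    bad += secure_gate(&sw, FN_WIRELESS_INTERNET, "guess") != DENY;
    bad += secure_gate(&sw, FN_WIRELESS_INTERNET, "constructed-sample-pw") != ALLOW;
    bad += secure_gate(&sw, FN_CAMERA, NULL) != ALLOW;              /* not an important function */
    normal_world_reset(&nw);                                        /* first area initialized */
    bad += secure_gate(&sw, FN_BOOT, NULL) != DENY;                 /* restriction persists */
    sw.mode = GATE_BLOCK;
    bad += secure_gate(&sw, FN_BOOT, "constructed-sample-pw") != DENY;
    return bad;
}

int main(void)
{
    printf("unexpected verdicts: %d\n", run_scenario());
    return 0;
}
```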

As described above, in the loss processing system according to an embodiment of the present invention, the user device 200, based on TrustZone technology, determines whether execution restriction is required for the functions installed in the first operating area and, if the determination shows that it is required, the second operating area prevents at least some of the functions installed in the first operating area from being executed. Combining an isolated execution environment that is not exposed to security threats with hardware security technology in this way makes it possible not only to prevent the leakage of personal information due to loss but also to prevent illegal use through initialization (rooting) of the user device 200.

Hereinafter, an advertisement service method according to an embodiment of the present invention will be described with reference to FIGS. 4 and 5. Here, for convenience of description, the components shown in FIGS. 1 to 3 will be referred to by their corresponding reference numerals.

First, the operation flow in the loss processing system according to an embodiment of the present invention will be described with reference to FIG. 4.

First, when the management apparatus 100 receives a loss report for a user device 200 owned by a mobile communication service subscriber, it designates that user device 200 as a loss processing target and, when the reported user device 200 connects, lets it recognize that it is a loss processing target (S110 - S130).

At this time, the management apparatus 100 may transmit a message (e.g., push, OTA, SMS) to the user device 200 as soon as the loss report is received from the mobile communication service subscriber, so that the user device 200 recognizes that it is a loss processing target. Alternatively, the user device 200 can recognize this by connecting to the management apparatus 100 and confirming that it is a loss processing target.

Then, when the user device 200 is confirmed to be a loss processing target and execution restriction is therefore required, it ensures that all of the installed functions, or some important functions (e.g., wireless Internet access), are not executed even if an execution request is received from the user (S140 - S160).

At this time, when an execution request for all or some of the installed functions is received, the user device 200 either prompts the user to enter a preset password and allows execution only when the entered password is confirmed to be valid, or blocks the execution request, thereby preventing all or some of the installed functions from being executed.

Hereinafter, the operation of the user apparatus 200 according to an embodiment of the present invention will be described in detail with reference to FIG.

First, when the determination unit 210 detects that a specific function, for example, a booting function or an unsecure function is executed according to the execution restriction among the functions installed through the sensing unit 230, In addition, it is connected to the management apparatus 100 every set period to confirm that it is a lost processing object (S210 - S230).

At this time, the determination unit 210 calls the open API provided by the first operating system and interlocks with the sensing unit 230 so that the sensing unit 230 senses the execution of the function installed in the first operating region And the detection unit 230 confirms that the specific function specified in relation to the execution restriction has detected execution.

The determining unit 210 calls the open API provided by the first operating system and interlocks with the interlocking unit 240 so that the interlocking unit 240 confirms that the interlocking unit 240 is the object of the loss processing from the management apparatus 100, If it is determined that the execution restriction on the function installed in the operation region is required, the control unit 220 located in the second operation region transmits the determination result.

Then, if it is determined that the target function is to be executed and the execution restriction of the mounted function is requested, the control unit 220 verifies the execution request for the loaded function, (S240-S250), it is determined that the entire function or some important functions are not executed.

In this case, when a determination result indicating that execution restriction is required is received from the determination unit 210 located in the first operating area, the control unit 220 calls the API provided by the second operating system and interlocks with the first operating system, so that it can preferentially confirm that an execution request for a function installed in the first operating area has been received.

When the execution request received in the first operating area is confirmed, the control unit 220 prompts the user to input a password set in advance in the second operating area, and either verifies the execution request or blocks the confirmed execution request, thereby preventing a function installed in the first operating area from being executed by calling the API provided by the first operating system.

As described above, in the loss processing method according to an embodiment of the present invention, the user device 200 determines, based on the TrustZone technology, whether execution restriction is required for the functions installed in the first operating area and, if the determination shows that it is required, prevents at least some of the functions installed in the first operating area from being executed, under the control of the second operating area. Through this combination of an isolated execution environment that is not exposed to security threats and hardware security technology, it is possible not only to prevent the leakage of personal information due to the loss but also to prevent the illegal Can be prevented.
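The S210 - S250 decision flow described above, modeled in plain C as an added example; this is not code from the patent or from any TrustZone SDK. The type and function names, the refresh of the lost status at each designated function, and the comparison without early exit are assumptions made for illustration, and the two operating areas are represented as ordinary functions rather than real secure-world calls.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Functions the sensing unit (230) can report from the first operating area. */
typedef enum { FN_BOOT, FN_SECURITY_RELEASE, FN_OTHER } fn_id;
typedef enum { EXEC_ALLOW, EXEC_BLOCK } exec_decision;

/* State kept in the second operating area (hypothetical model). */
typedef struct {
    bool restricted;        /* result sent by the determination unit (210) */
    const char *stored_pw;  /* password preset in the second operating area */
} secure_ctx;

/* Specific functions designated in connection with the execution restriction. */
static bool is_designated(fn_id fn) {
    return fn == FN_BOOT || fn == FN_SECURITY_RELEASE;
}

/* Determination unit (210), S210 - S230. lost_flag stands in for the answer
 * the interlocking unit (240) obtains from the management apparatus (100).
 * Assumption: the status is refreshed each time a designated function runs. */
bool determine_restriction(secure_ctx *ctx, fn_id fn, bool lost_flag) {
    if (is_designated(fn))
        ctx->restricted = lost_flag;
    return ctx->restricted;
}

/* Compare every byte instead of returning at the first mismatch. */
static bool pw_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Control unit (220), S240 - S250: verify the request or block it.
 * entered == NULL models a request that arrives without a password. */
exec_decision control_execution(const secure_ctx *ctx, const char *entered) {
    if (!ctx->restricted)
        return EXEC_ALLOW;
    if (entered != NULL && pw_equal(entered, ctx->stored_pw))
        return EXEC_ALLOW;
    return EXEC_BLOCK;
}
```

The block decision is the default once the restriction is set: a request is released only by a matching password, so a missing or wrong entry leaves the function unexecuted.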

Meanwhile, the steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, or in the form of program instructions that can be executed by various computer means and recorded on a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, and the like, alone or in combination. The program instructions recorded on the medium may be those specially designed and constructed for the present invention or may be available to those skilled in the art of computer software. Examples of computer-readable media include magnetic media such as hard disks, floppy disks and magnetic tape; optical media such as CD-ROMs and DVDs; magneto-optical media; and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM, flash memory, and the like. Examples of program instructions include machine language code such as that produced by a compiler, as well as high-level language code that can be executed by a computer using an interpreter or the like. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the present invention, and vice versa.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments; on the contrary, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

According to the loss processing system and method of the present invention, and the device applied thereto, it is possible to prevent the occurrence of a loss notification based on the trust zone (TrustZone). It is an invention that is industrially applicable because it goes beyond the limits of the existing technology, so that not only can the related technology be used, but the applied device is also sufficiently likely to be commercialized or operated and can practically be implemented.

100: management device
200: user device
210: determination unit 220: control unit
230: sensing unit 240: interlocking unit

Claims (11)

1. A user device comprising:
a determination unit for determining whether execution restriction is required for a function installed in the first operating area; and
a control unit for controlling, in the second operating area, so that at least some of the functions installed in the first operating area are not executed if it is determined, as a result of the determination, that execution restriction on the functions installed in the first operating area is required.
2. The user device according to claim 1,
wherein the control unit
prevents at least some of the functions installed in the first operating area from being executed by verifying an execution request for the functions installed in the first operating area or by determining whether to block the execution request.
3. The user device according to claim 1,
further comprising a sensing unit for sensing that a function installed in the first operating area is executed according to the execution request,
wherein the determination unit
determines whether execution restriction is required for the functions installed in the first operating area when the sensing unit detects that a specific function designated in advance in connection with the execution restriction is executed.
4. The user device according to claim 1 or 3,
further comprising an interlocking unit that interlocks with a management apparatus that manages loss processing objects for which a loss report has been received,
wherein the determination unit
determines that execution restriction on the functions installed in the first operating area is required when the user device is confirmed by the management apparatus to be a loss processing object.
5. The user device according to claim 1,
further comprising a first operating system installed in the first operating area and a second operating system installed in the second operating area,
wherein the first operating system is
a general-purpose operating system that provides an open application program interface (API) for supporting the execution of functions installed in the first operating area, and
wherein the second operating system
provides an application program interface (API) for supporting the execution of functions installed in the second operating area.
6. The user device according to claim 3,
wherein the specific function designated in connection with the execution restriction
comprises a booting function and a security release function.
7. A method of operating a user device, comprising:
a determination step of determining whether execution restriction is required for a function installed in the first operating area; and
a control step of controlling, in the second operating area, so that at least some of the functions installed in the first operating area are not executed if it is determined, as a result of the determination, that execution restriction on the functions installed in the first operating area is required.
8. The method of claim 7,
wherein the control step comprises
preventing at least some of the functions installed in the first operating area from being executed by verifying an execution request for the functions installed in the first operating area or by determining whether to block the execution request.
9. The method of claim 7,
further comprising a detecting step of detecting, before the determination step, that a function installed in the first operating area is executed in accordance with the execution request,
wherein the determination step comprises
determining whether execution restriction is required for the functions installed in the first operating area if it is detected in the detecting step that a specific function designated in advance in connection with the execution restriction is executed.
10. The method according to claim 7 or 9,
further comprising an interlocking step of interlocking with a management apparatus that manages loss processing objects for which a loss report has been received,
wherein the determination step comprises
determining that execution restriction on the functions installed in the first operating area is required when the user device is confirmed by the management apparatus to be a loss processing object.
11. The method of claim 9,
wherein the specific function designated in connection with the execution restriction
comprises a booting function and a security release function.
KR1020130032254A 2013-03-26 2013-03-26 Financial service system and method thereof, and apparatus applied to the same KR20140117164A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020130032254A KR20140117164A (en) 2013-03-26 2013-03-26 Financial service system and method thereof, and apparatus applied to the same

Publications (1)

Publication Number Publication Date
KR20140117164A true KR20140117164A (en) 2014-10-07

Family

ID=51990604

Country Status (1)

Country Link
KR (1) KR20140117164A (en)

Similar Documents

Publication Publication Date Title
US9787681B2 (en) Systems and methods for enforcing access control policies on privileged accesses for mobile devices
US9609020B2 (en) Systems and methods to enforce security policies on the loading, linking, and execution of native code by mobile applications running inside of virtual machines
US9773107B2 (en) Systems and methods for enforcing security in mobile computing
Jeon et al. A practical analysis of smartphone security
Rhee et al. Security requirements of a mobile device management system
KR101700552B1 (en) Context based switching to a secure operating system environment
US20130312058A1 (en) Systems and methods for enhancing mobile security via aspect oriented programming
US20140157355A1 (en) Systems and methods for enhancing mobile device security with a processor trusted zone
KR20070099200A (en) Apparatus for restricting access to application module in mobile wireless device and method of restricting access to application module using the same
KR20140074252A (en) Secure execution of unsecured apps on a device
KR101403626B1 (en) Method of integrated smart terminal security management in cloud computing environment
KR20140023606A (en) Device and method for processing transaction request in processing environment of trust zone
KR20160039234A (en) Systems and methods for enhancing mobile security via aspect oriented programming
US20150106871A1 (en) System and method for controlling access to security engine of mobile terminal
KR20140112785A (en) Financial service system and method thereof, and apparatus applied to the same
WO2015138931A1 (en) Systems and methods for enforcing security in mobile computing
Zhao et al. An overview of mobile devices security issues and countermeasures
Gupta et al. A risk-driven model to minimize the effects of human factors on smart devices
EP2884786B1 (en) Restricting software to authorized wireless environments
KR101591503B1 (en) Method of operating package application including self-defense security module and computer readable medium
Jeong et al. SafeGuard: a behavior based real-time malware detection scheme for mobile multimedia applications in android platform
CN111209561B (en) Application calling method and device of terminal equipment and terminal equipment
KR102201218B1 (en) Access control system and method to security engine of mobile terminal
KR20140117164A (en) Financial service system and method thereof, and apparatus applied to the same
KR101775515B1 (en) Apparatus and method for security check

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E601 Decision to refuse application