WO2012139323A1 - Method and system for monitoring application - Google Patents

Method and system for monitoring application Download PDF

Info

Publication number
WO2012139323A1
WO2012139323A1 PCT/CN2011/075480 CN2011075480W WO2012139323A1 WO 2012139323 A1 WO2012139323 A1 WO 2012139323A1 CN 2011075480 W CN2011075480 W CN 2011075480W WO 2012139323 A1 WO2012139323 A1 WO 2012139323A1
Authority
WO
WIPO (PCT)
Prior art keywords
application
system resource
invoke
user
security policy
Prior art date
Application number
PCT/CN2011/075480
Other languages
French (fr)
Chinese (zh)
Inventor
刘雪芹
Original Assignee
中兴通讯股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司 filed Critical 中兴通讯股份有限公司
Publication of WO2012139323A1 publication Critical patent/WO2012139323A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10Integrity
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security
    • H04W12/088Access security using filters or firewalls

Definitions

  • the present invention relates to the field of mobile terminals, and in particular, to a method and system for monitoring an application. Background technique
  • Android Open source, open source, also referred to as open source
  • OHA Open Handset Alliance
  • Android mobile terminals also provide a variety of means to install applications, including downloading from the android market (Android market), downloading from the Internet (Internet), direct installation from SD (Secure Digital Card) cards, and so on.
  • the Android platform is a very open platform, and applications can easily obtain access to various system resources, such as using data services, using wireless communication services, copying private information on mobile phones, and so on.
  • the present invention provides a method for monitoring an application, which is applied to a terminal using an open source operating system, including:
  • the method further includes:
  • the method further includes:
  • the terminal updates the operation information of each application calling system resource to the server periodically or irregularly, and the server updates and processes the information according to the operation information received from each terminal. security strategy.
  • the maximum number of times the application uses the system resource is set in the security policy.
  • the recording the call operation information includes: recording the number of times the application invokes the system resource; and determining, according to the pre-configured security policy, the The application does not have permission to invoke the system resources, including:
  • the terminal obtains the pre-configured security policy by using one of the following manners: the terminal provides a human-computer interaction interface for the user to set the security policy; The terminal acquires the security policy periodically or irregularly from the designated server side and updates to the local.
  • the prohibiting the application from invoking the system resource includes:
  • the present invention also provides a system for monitoring an application, which is applied to a terminal using an open source operating system, including:
  • a first device configured to: monitor a local application in real time
  • a second device configured to: when monitoring the local application to invoke the system resource, if it is determined according to the pre-configured security policy that the application does not have the right to invoke the system resource, prohibiting the application from calling the system Resources.
  • the second device is further configured to: if the application determines that the application has the right to invoke the system resource according to the pre-configured security policy, allowing the application to invoke the system resource, and in the After the application invokes the system resource, the call operation information is recorded.
  • the system further comprises:
  • a third device configured to: periodically update the operation information of the application calling system resources recorded by the second device to the server.
  • the security policy is configured with a maximum number of times the application uses system resources; the second device is configured to:
  • Recording the call operation information includes: recording the number of times the application invokes the system resource;
  • Determining, according to the pre-configured security policy, that the application does not have the right to invoke the system resource includes: determining, according to the recorded call operation information corresponding to the application, that the recorded application invokes the system resource has The maximum number of times is reached.
  • the second device is configured to: prohibiting the application from invoking the system resource, including: prompting a user to request the application to invoke the system resource; receiving a ban from the user After the application invokes the command of the system resource, the application is prohibited from calling the system resource.
  • the purpose of improving the security performance of the data service and the wireless application, effectively protecting the privacy of the user, and helping to reduce the user data service fee and the wireless application tariff, thereby improving the user experience, can satisfy the user's massive amount.
  • the random installation requirements of the application can improve the security performance of the terminal data service and the wireless communication service, and improve the security control capability of the terminal device and the application security performance of the terminal by the operator and the device manufacturer.
  • FIG. 1 is a flowchart of a method for monitoring an application according to an embodiment of the present invention
  • FIG. 2 is a flow chart of implementing a user configuration and viewing security information design implementation process
  • FIG. 3 is a flowchart of implementation of terminal security information collection and security policy implementation process design
  • FIG. 4 is a flowchart of design and implementation of terminal vendor or operator terminal side security policy
  • Figure 5 is a flow chart showing the implementation of the security policy design of the server vendor on the terminal vendor or carrier;
  • FIG. 6 is a flow chart of an application example of the present invention.
  • a method for monitoring an application is applied to a terminal using an open source operating system, as shown in FIG. 1, including:
  • the local application is monitored in real time.
  • the local application wants to invoke the system resource, if the application determines that the application does not have the right to invoke the system resource according to the pre-configured security policy, the application is prohibited from calling the system resource.
  • the terminal can obtain the above pre-configured security policy in the following manner:
  • Method 1 Provide a human-computer interaction interface for the user to set a security policy
  • Method 2 Update the security policy periodically or irregularly from the specified server side.
  • the application if it is determined according to the pre-configured security policy that the application has the right to invoke the system resource, the application is allowed to invoke the system resource, and after the application invokes the system resource, the calling operation is recorded.
  • the recorded content may include: the name of the application, the name of the called system resource, and the number of calls, and the time and duration of using the system resource.
  • the terminal can display the details of the call operation recorded by the terminal to the user.
  • the terminal may periodically or irregularly update the operation information of the recorded application calling system resources to the designated server side, and the server analyzes and sorts according to the operation information received from each terminal to update the local security policy.
  • the application is prohibited from invoking the system resource, and may be: prompting the user to request the system resource to be invoked; and after receiving the command sent by the user to prohibit the application from calling the system resource, the application is prohibited from calling the system resource.
  • the application may be allowed to invoke the system resource upon receiving a command from the user that allows the application to invoke the system resource.
  • the user can know the statistical analysis of the call of the malicious application to the resource, and the server deployed by the terminal manufacturer or the operator to analyze and analyze the malicious application, and reduce the security risk of the malicious application.
  • the server deployed by the terminal manufacturer or the operator to analyze and analyze the malicious application, and reduce the security risk of the malicious application.
  • Terminal vendor or carrier terminal side security policy design process
  • the terminal vendor or carrier server side security policy design process The terminal vendor or carrier server side security policy design process.
  • the process of configuring and viewing security information by users includes:
  • Step one the terminal is powered on and the booting is started;
  • Step 2 The terminal starts and monitors the behavior of the terminal in real time;
  • Step 3 The user configures to enable and disable the use notification of the real-time data service, the wireless communication service, and other system resources through the menu configuration;
  • Step 4 The user configures at least part of the application authority information of using the system resource
  • Step 5 The user can view the data service sent by the terminal and the request for the wireless communication service and other system resources through the menu;
  • Step 6 If the user opens the security information usage notification, when the configured application requests to use the configured system resource request, the prompt box is used to prompt the user whether to prohibit the request; if the user does not open the security information usage notification, Do not prompt the user;
  • Step 7 In the factory setting, if the server synchronization analysis and management is set, the terminal can be used by the user to check which applications and detailed security policies are controlled by the server.
  • the terminal security information collection and security policy implementation process includes the following steps: Step 1: The terminal is powered on and started;
  • Step 2 Read the user configuration information, if the user has not configured, the factory setting is the default; Step 3, real-time monitoring the API of the calling system resource sent by the application installed on the terminal
  • Step 4 When the user-configured or system-configured application calls the API of the system resource, the following information is recorded: the name of the application, the name of the called system resource, the time and duration of using the system resource, the number of calls, and the like;
  • Step 5 In the case that the server synchronization analysis and management is set, the security policy synchronized from the server side is invoked, the system resource invocation request initiated by the malicious application is filtered, and the information is recorded for the user to monitor and view;
  • Step 6 Calculate terminal security information, such as performing statistical analysis of system resource invocation requests initiated by the monitored application;
  • Step 7 In the case that the server synchronization analysis and management is set, the terminal side can synchronize the information of the system resource called by the locally recorded application request to the server side;
  • Step 8 Synchronize periodically or irregularly when the server synchronization analysis and management is set. Security policy on the server side.
  • Step 1 The terminal is powered on and started.
  • Step 2 After the security management function is activated, the terminal reports the application request resource information recorded by the terminal to the network provider deployed by the terminal manufacturer or the operator;
  • Step 3 During standby, the terminal waits for a security policy update of the network server deployed by the terminal manufacturer or the operator;
  • Step 4 When a new security policy can be updated, the user is prompted to have the latest security policy, and asks whether the latest security policy needs to be updated in time; after the user selects the update, the new security policy is downloaded to the local;
  • Step 5 Start a real-time application monitoring security policy
  • Step 6 When monitoring that system resources within the scope of the policy are used, intercept and record information for the user to view;
  • Step 7 When the frequency of calling an application resource reaches a certain limit, the application is determined to be a malicious application, and the user is notified in time to prompt the security risk of the application;
  • Step 8 Assist the user to uninstall the identified malicious application. That is, the user is provided with an interface asking whether to uninstall the application. If the user selects the uninstall operation, the user directly jumps to the uninstall interface of the application for the user to perform the subsequent uninstall operation.
  • Step 1 Configure the server on the network side to deploy the model batch information of the terminal that needs to be controlled. At this time, the terminal is required to report the application request. When the information of the system resource is called, the model and batch information of the system are reported together;
  • Step 2 The server collects the usage information of the system resources reported by the terminal of the model batch of the terminal that needs to be controlled and controlled in real time.
  • Step 3 batch statistical analysis of malicious applications
  • Step 4 screening the malicious application and writing the malicious application to the security policy
  • Step 5 Synchronize security policies to the terminal periodically to prevent malicious applications from abusing user resources. Curb the scope of security risks;
  • Step 6 Regularly collect the security management and control information obtained by other channels, and timely synchronize the security policies updated according to these security management information to the terminal, prevent malicious applications from abusing user resources, and curb the scope of security risks.
  • a system for monitoring an application is applied to a terminal using an open source operating system, including:
  • a first device configured to monitor a local application in real time
  • the second device is configured to, when monitoring, that the local application is to invoke the system resource, if the application determines that the application does not have the right to invoke the system resource according to the pre-configured security policy, prohibiting the application from invoking the system resource.
  • the second device is further configured to: if the application determines that the application has the right to invoke the system resource according to the pre-configured security policy, permit the application to invoke the system resource, and invoke the After the system resources are recorded, the call operation information is recorded.
  • the system further comprises:
  • a third device configured to update operation information of each application calling system resource recorded by the second device to the server periodically or irregularly.
  • the maximum number of times the application uses system resources is set in the security policy
  • the second device is configured to record the call operation information, where the second device is configured to record the number of times the application invokes the system resource;
  • the second device is configured to determine, according to the pre-configured security policy, that the application does not have the right to invoke the system resource, and specifically includes:
  • the second device is configured to determine, according to the recorded call operation information corresponding to the application, that the number of times the recorded application invokes the system resource has reached the maximum number of times.
  • the second device is configured to prohibit the application from invoking the system resource, and specifically includes: The second device is configured to prompt the user to request the system resource to be invoked; after receiving the command sent by the user to prohibit the application from calling the system resource, the second device is configured to prohibit the application from calling the system resource .
  • This embodiment is designed by taking an operator customization requirement and a user experience improvement requirement as an example.
  • the present invention is fully described. According to different system resources used by different applications initiated by the user, corresponding to different scenarios, the three scenarios are respectively For:
  • Scenario 1 The scenario when each application customized by the operator requests to use system resources.
  • the security management and control of this kind of scenario can minimize the amount of security control.
  • This type of application is a reliable and reliable security application, and can call any system resources of the terminal. However, the terminal still needs to use security management to count the number of calls for users to view and protect the user's right to know;
  • Scenario 2 An application that users download in their own reliable application market, requesting the use of system resources.
  • the source of the application can be checked, so the security level of each application market can be classified in the security policy.
  • Applications that are downloaded from the reliable application market generally do not prompt the user for security monitoring settings, and the security monitoring system can be appropriately reduced.
  • Scenario 3 The application that each user downloads on the network by itself, that is, the application installed by the network or downloaded to the SD card, requests the use of system resources.
  • the source of the application is not available and the source is very unsafe.
  • the security control factor must be mentioned as the highest, prompting the user to perform security monitoring settings, and filtering through the security policy during installation. If the security policy is prohibited, the user should be prompted if the application has a slight malicious call record. To inform the app. If the user insists on installing, when the application uses system resources to a certain amount, it should prompt the user for security risks and assist the user to close and uninstall the application.
  • the terminal is powered on and started;
  • the user configures the application resource and the monitored system resource item to be monitored through the menu. If not configured, the terminal is configured according to the factory settings of the terminal;
  • the user starts an application that has a resource calling requirement
  • the application is a customized application of each operator, since it is a built-in application of the system, the application is a reliable and trusted security application, so the system resources of the terminal can be arbitrarily invoked.
  • the terminal does not control, only records the simple operation information, and uses security control to count the number of calls for the user to view, and protect the user's right to know;
  • the application is an application downloaded by the user in a reliable application market
  • the application may be classified according to the security control coefficient of the application market itself.
  • the security monitoring coefficient is Can be reduced appropriately.
  • a user installs the app there is no need to initiate a security policy.
  • the application calls the resource, the user does not control, only records the operation simple information.
  • the application uses the system resource to a certain amount, the user should promptly prompt the user for security risks and assist the user to close and uninstall the application.
  • a new security policy is synchronized by the server to the terminal, check whether the application is in the new policy control scope, and if so, prompt the user to close the uninstallation;
  • the terminal may prompt the user to perform security monitoring settings, and filter through the security policy during installation. It is already in the scope of the security policy prohibition, to prompt the user, if the application has a slight malicious call record, also inform the application. If the user insists on installing, when the application uses system resources to a certain amount, it should prompt the user for security risks and assist the user to close and uninstall the application.
  • the method further comprises:
  • the user can view the resource call statistics record information of all applications
  • the user configures resource calling rights of each application through a menu to prevent security risks of malicious applications.
  • the purpose of improving the security performance of the data service and the wireless application, effectively protecting the user's personal privacy, and helping to reduce the user data service fee and the wireless application fee are achieved, thereby improving the user experience and satisfying the requirements.
  • the user's random installation requirements for mass applications can improve the security performance of the terminal data service and the wireless communication service, and improve the security control capability of the terminal device and the application security performance of the terminal by the operator and the device manufacturer.

Abstract

The invention discloses a method for monitoring application of a terminal that utilizes an open source operating system, the method includes: monitoring the location application instantly; forbidding the location application from invoking the system resource if the location application is determined, based on the preset security policy when the location application is monitored to invoke the system resource, not to be provided with the authority for invoking the system resource. The invention also discloses the corresponding system. The invention can enhance the security performance of the terminal data service and wireless application, and reduce the user data service cost and wireless application cost while protecting the user privacy effectively.

Description

一种对应用进行监控的方法及系统  Method and system for monitoring application
技术领域 Technical field
本发明涉及移动终端领域,尤其涉及一种对应用进行监控的方法及系统。 背景技术  The present invention relates to the field of mobile terminals, and in particular, to a method and system for monitoring an application. Background technique
在日益竟争激烈的电子市场, 为了提高用户体验, 越来越多的多模终端 集成了网络应用, 来满足用户类似于在 PC机上对网络的需求, 事实证明这 类集成了大量网络应用的电子设备受到了用户一致的追捧, 并被视为高端电 子消费的高优先配置选择。  In the increasingly competitive electronic market, in order to improve the user experience, more and more multi-mode terminals integrate network applications to meet the needs of users similar to the network on the PC. It turns out that this type of network application is integrated. Electronic devices are consistently sought after by users and are seen as a high-priority configuration option for high-end electronic consumption.
值得一提的是, 在 OHA ( Open Handset Alliance, 开放手机联盟 )联盟支 持的开源 Android (安卓 ) OS ( Open source , 源代码开放, 亦可简称为开 源)系统中, 本身自带了对互联网应用很好的支持度, Android平台中集成了 大量如 Email (电子邮箱) 、 Market (市场) 、 Youtube等需要大量数据业务 支持的应用。 同时 Android移动终端还提供了多种安装应用的手段, 包括从 android market (安卓市场)下载、从 internet (互联网)上下载、从 SD ( Secure Digital Card, 安全数码卡)卡直接安装等等。  It is worth mentioning that in the open source Android (Android) OS (Open source, open source, also referred to as open source) system supported by the OHA (Open Handset Alliance) alliance, it has its own Internet application. Very good support, the Android platform integrates a lot of applications such as Email (E-mail), Market (Market), Youtube and so on that require a lot of data service support. At the same time, Android mobile terminals also provide a variety of means to install applications, including downloading from the android market (Android market), downloading from the Internet (Internet), direct installation from SD (Secure Digital Card) cards, and so on.
随着成千上万的 Android应用海量涌入用户选择范围, 巨大的安全隐患 也随之出现。 众所周知, Android平台是一个很开放的平台, 应用可以轻易的 获取各种系统资源的使用权限, 比如使用数据业务、 使用无线通讯业务、 拷 贝手机上的私人信息等等。  With thousands of Android apps flooding into user choices, huge security risks are emerging. As we all know, the Android platform is a very open platform, and applications can easily obtain access to various system resources, such as using data services, using wireless communication services, copying private information on mobile phones, and so on.
下面用一个简单的例子进行说明。 用户在安装应用时, 应用至多给出以 下两种简单的提示: 1、 是否支持未知来源安装; 2、 本应用需要使用到哪些 系统资源。 而用户一旦选择了未知来源安装并许可了该应用提出的需要使用 系统资源的要求后, 用户对该应用如何使用系统资源 (包括频率、 内容等) 将毫不知情。 一旦用户不经意的安装了恶意应用, 用户的个人隐私和通讯费 用将陷入恶意应用的黑洞, 该应用可以随意使用移动终端的各个系统资源。 随着 Android终端的普及, 运营商和设备生产厂商已经收到越来越多的关于 Android终端安全隐患方面的投诉。 发明内容 The following is a simple example. When the user installs the application, the application gives at most two simple tips: 1. Whether to support the installation of unknown sources; 2. Which system resources are needed for this application. Once the user selects an unknown source to install and licenses the application's requirements for using system resources, the user will be unaware of how the application uses system resources (including frequency, content, etc.). Once the user has inadvertently installed a malicious application, the user's personal privacy and communication costs will fall into the black hole of the malicious application, and the application can freely use the various system resources of the mobile terminal. With the popularity of Android terminals, operators and equipment manufacturers have received more and more information about Complaints about security risks in Android terminals. Summary of the invention
本发明的目的是提供一种对应用进行监控的方法及系统, 以解决现有使 用开源操作系统的终端存在的安全隐患问题。  It is an object of the present invention to provide a method and system for monitoring an application to solve the security risks of existing terminals using an open source operating system.
为解决上述问题, 本发明提供了一种对应用进行监控的方法, 应用于使 用开源操作系统的终端中, 包括:  To solve the above problems, the present invention provides a method for monitoring an application, which is applied to a terminal using an open source operating system, including:
实时对本地应用进行监控;  Monitor local applications in real time;
在监控到本地应用欲调用系统资源时, 若根据预配置的安全策略判断出 所述应用不具有调用所述系统资源的权限, 则禁止所述应用调用所述系统资 源。  When monitoring the local application to invoke the system resource, if it is determined according to the pre-configured security policy that the application does not have the right to invoke the system resource, the application is prohibited from invoking the system resource.
优选地, 所述方法还包括:  Preferably, the method further includes:
若根据所述预配置的安全策略判断出所述应用具有调用所述系统资源的 权限, 则允许所述应用调用所述系统资源, 并在所述应用调用所述系统资源 后, 记录此次调用操作信息。  And if the application determines that the application has the right to invoke the system resource according to the pre-configured security policy, allowing the application to invoke the system resource, and after the application invokes the system resource, recording the call. Operational information.
优选地, 所述方法还包括:  Preferably, the method further includes:
所述终端将记录的各应用调用系统资源的操作信息定期或不定期的更新 到服务器, 由所述服务器根据从各终端处接收到的所述操作信息进行分析整 理后, 更新所述服务器上的安全策略。  The terminal updates the operation information of each application calling system resource to the server periodically or irregularly, and the server updates and processes the information according to the operation information received from each terminal. security strategy.
优选地, 所述安全策略中设置有应用使用系统资源的最大次数; 记录此次调用操作信息包括: 记录所述应用调用所述系统资源的次数; 所述根据预配置的安全策略判断出所述应用不具有调用所述系统资源的 权限, 包括:  Preferably, the maximum number of times the application uses the system resource is set in the security policy. The recording the call operation information includes: recording the number of times the application invokes the system resource; and determining, according to the pre-configured security policy, the The application does not have permission to invoke the system resources, including:
根据记录的所述应用对应的调用操作信息, 判断出记录的所述应用调用 所述系统资源的次数已达到所述最大次数值。  And determining, according to the recorded call operation information corresponding to the application, that the number of times the recorded application invokes the system resource has reached the maximum number of times.
优选地, 所述终端通过以下方式之一获得所述预配置的安全策略: 所述终端提供人机交互界面供用户自设置所述安全策略; 所述终端从指定服务器侧定期或不定期地获取所述安全策略并更新到本 地。 Preferably, the terminal obtains the pre-configured security policy by using one of the following manners: the terminal provides a human-computer interaction interface for the user to set the security policy; The terminal acquires the security policy periodically or irregularly from the designated server side and updates to the local.
优选地, 所述禁止该应用调用该系统资源, 包括:  Preferably, the prohibiting the application from invoking the system resource includes:
提示用户所述应用请求调用所述系统资源;  Prompting the user that the application requests to invoke the system resource;
在接收到所述用户发来的禁止所述应用调用所述系统资源的命令后, 禁 止该应用调用该系统资源。  After receiving the command sent by the user to prohibit the application from invoking the system resource, the application is prohibited from calling the system resource.
相应地, 本发明还提供了一种对应用进行监控的系统, 应用于使用开源 操作系统的终端中, 包括:  Correspondingly, the present invention also provides a system for monitoring an application, which is applied to a terminal using an open source operating system, including:
第一装置, 其设置为: 实时对本地应用进行监控;  a first device, configured to: monitor a local application in real time;
第二装置, 其设置为: 在监控到本地应用欲调用系统资源时, 若根据预 配置的安全策略判断出所述应用不具有调用所述系统资源的权限, 则禁止所 述应用调用所述系统资源。  a second device, configured to: when monitoring the local application to invoke the system resource, if it is determined according to the pre-configured security policy that the application does not have the right to invoke the system resource, prohibiting the application from calling the system Resources.
优选地, 所述第二装置还设置为: 若根据所述预配置的安全策略判断出 所述应用具有调用所述系统资源的权限,则允许所述应用调用所述系统资源, 并在所述应用调用所述系统资源后, 记录此次调用操作信息。  Preferably, the second device is further configured to: if the application determines that the application has the right to invoke the system resource according to the pre-configured security policy, allowing the application to invoke the system resource, and in the After the application invokes the system resource, the call operation information is recorded.
优选地, 所述系统还包括:  Preferably, the system further comprises:
第三装置, 其设置为: 将所述第二装置记录的各应用调用系统资源的操 作信息定期或不定期的更新到服务器。  And a third device, configured to: periodically update the operation information of the application calling system resources recorded by the second device to the server.
优选地, 所述安全策略中设置有应用使用系统资源的最大次数; 所述第二装置设置为:  Preferably, the security policy is configured with a maximum number of times the application uses system resources; the second device is configured to:
记录此次调用操作信息包括: 记录所述应用调用所述系统资源的次数; 以及  Recording the call operation information includes: recording the number of times the application invokes the system resource;
根据预配置的安全策略判断出所述应用不具有调用所述系统资源的权 限, 包括: 根据记录的所述应用对应的调用操作信息, 判断出记录的所述应 用调用所述系统资源的次数已达到所述最大次数值。  Determining, according to the pre-configured security policy, that the application does not have the right to invoke the system resource, the method includes: determining, according to the recorded call operation information corresponding to the application, that the recorded application invokes the system resource has The maximum number of times is reached.
优选地, 所述第二装置设置为: 禁止该应用调用该系统资源, 包括: 提示用户所述应用请求调用所述系统资源; 在接收到所述用户发来的禁 止所述应用调用所述系统资源的命令后, 禁止该应用调用该系统资源。 Preferably, the second device is configured to: prohibiting the application from invoking the system resource, including: prompting a user to request the application to invoke the system resource; receiving a ban from the user After the application invokes the command of the system resource, the application is prohibited from calling the system resource.
釆用本发明后, 达到了提高数据业务和无线应用的安全性能、 有效保护 用户个人隐私的同时帮助降低用户数据业务资费和无线应用资费的目的, 提 高了用户体验度, 既能满足用户对海量应用的随意安装需求, 又能提高终端 数据业务和无线通讯业务的安全性能, 提高了运营商和设备生产厂商对终端 设备的安全控制能力及终端的应用安全性能。  After the invention is used, the purpose of improving the security performance of the data service and the wireless application, effectively protecting the privacy of the user, and helping to reduce the user data service fee and the wireless application tariff, thereby improving the user experience, can satisfy the user's massive amount. The random installation requirements of the application can improve the security performance of the terminal data service and the wireless communication service, and improve the security control capability of the terminal device and the application security performance of the terminal by the operator and the device manufacturer.
附图概述 BRIEF abstract
图 1为本发明实施例中对应用进行监控的方法流程图;  1 is a flowchart of a method for monitoring an application according to an embodiment of the present invention;
图 2为用户配置和查看安全信息设计实现流程的实施流程图;  2 is a flow chart of implementing a user configuration and viewing security information design implementation process;
图 3为终端安全信息收集和安全策略实现流程设计的实施流程图; 图 4为终端厂商或运营商终端侧安全策略设计实施流程图;  FIG. 3 is a flowchart of implementation of terminal security information collection and security policy implementation process design; FIG. 4 is a flowchart of design and implementation of terminal vendor or operator terminal side security policy;
图 5为终端厂商或运营商服务器侧安全策略设计实施流程图;  Figure 5 is a flow chart showing the implementation of the security policy design of the server vendor on the terminal vendor or carrier;
图 6为本发明应用示例流程图。  FIG. 6 is a flow chart of an application example of the present invention.
本发明的较佳实施方式 Preferred embodiment of the invention
为使本发明的目的、 技术方案和优点更加清楚明白, 下文中将结合附图 对本发明的实施例进行详细说明。 需要说明的是, 在不冲突的情况下, 本申 请中的实施例及实施例中的特征可以相互任意组合。  In order to make the objects, the technical solutions and the advantages of the present invention more clearly, the embodiments of the present invention will be described in detail below with reference to the accompanying drawings. It should be noted that, in the case of no conflict, the features in the embodiments and the embodiments of the present application may be arbitrarily combined with each other.
在本实施例中, 一种对应用进行监控的方法, 应用于使用开源操作系统 的终端中, 如图 1所示, 包括:  In this embodiment, a method for monitoring an application is applied to a terminal using an open source operating system, as shown in FIG. 1, including:
实时对本地应用进行监控; 在监控到本地应用欲调用系统资源时, 若根据预配置的安全策略判断出 该应用不具有调用该系统资源的权限, 则禁止该应用调用该系统资源。  The local application is monitored in real time. When the local application wants to invoke the system resource, if the application determines that the application does not have the right to invoke the system resource according to the pre-configured security policy, the application is prohibited from calling the system resource.
其中, 终端可通过以下方式获得上述预配置的安全策略:  The terminal can obtain the above pre-configured security policy in the following manner:
方式一: 提供人机交互界面供用户自设置安全策略;  Method 1: Provide a human-computer interaction interface for the user to set a security policy;
方式二: 从指定服务器侧定期或不定期地更新安全策略。 在上述方法中, 若根据预配置的安全策略判断出该应用具有调用该系统 资源的权限, 则允许该应用调用该系统资源, 并在该应用调用该系统资源后, 记录此次调用操作。 其中, 记录的内容可包括: 该应用的名称、 调用的系统 资源的名称及调用次数, 还可以记录使用系统资源的时间和时长。 Method 2: Update the security policy periodically or irregularly from the specified server side. In the above method, if it is determined according to the pre-configured security policy that the application has the right to invoke the system resource, the application is allowed to invoke the system resource, and after the application invokes the system resource, the calling operation is recorded. The recorded content may include: the name of the application, the name of the called system resource, and the number of calls, and the time and duration of using the system resource.
当用户想查看系统资源使用情况时, 终端可以将其记录的调用操作详情 显示给用户。 另外, 终端还可以将记录的各应用调用系统资源的操作信息定 期或不定期的更新到指定服务器侧, 由服务器根据从各终端处接收到的上述 操作信息进行分析整理, 以更新本地安全策略。  When the user wants to view the system resource usage, the terminal can display the details of the call operation recorded by the terminal to the user. In addition, the terminal may periodically or irregularly update the operation information of the recorded application calling system resources to the designated server side, and the server analyzes and sorts according to the operation information received from each terminal to update the local security policy.
此外, 上述安全策略中设置有应用使用系统资源的最大次数; 则根据预 配置的安全策略判断出该应用不具有调用该系统资源的权限可以是: 根据该 应用对应的调用操作记录, 判断出该应用调用该系统资源的次数已达到上述 最大次数的值。  In addition, the maximum number of times the application uses the system resource is set in the foregoing security policy; determining that the application does not have the right to invoke the system resource according to the pre-configured security policy may be: determining, according to the call operation record corresponding to the application, The number of times the application has called the system resource has reached the maximum number of times mentioned above.
禁止该应用调用该系统资源, 可以是指: 提示用户该应用请求调用该系 统资源; 并在接收到用户发来的禁止该应用调用该系统资源的命令后, 禁止 该应用调用该系统资源。 此外, 若接收到用户发来的允许该应用调用该系统 资源的命令后, 可允许该应用调用该系统资源。  The application is prohibited from invoking the system resource, and may be: prompting the user to request the system resource to be invoked; and after receiving the command sent by the user to prohibit the application from calling the system resource, the application is prohibited from calling the system resource. In addition, the application may be allowed to invoke the system resource upon receiving a command from the user that allows the application to invoke the system resource.
釆用上述方法后, 可以让用户及时的知道恶意应用对资源的调用统计分 析, 配合终端厂商或运营商部署的服务器来统计分析恶意应用, 尽可能的减 少用户使用恶意应用的安全风险。 通过服务器的强大计算统计能力, 和终端 厂商、 运营商的强大信息来源、 信息安全知识库来协助用户方法恶意应用的 安全风险。  After using the above method, the user can know the statistical analysis of the call of the malicious application to the resource, and the server deployed by the terminal manufacturer or the operator to analyze and analyze the malicious application, and reduce the security risk of the malicious application. Through the powerful computing and statistical capabilities of the server, and the powerful information sources of terminal vendors and operators, and the information security knowledge base to assist users in the security risks of malicious applications.
为对本发明进行进一步说明, 从以下几方面进行进一步说明:  In order to further illustrate the present invention, further explanation will be made from the following aspects:
用户配置和查看安全信息流程;  User configuration and viewing of security information processes;
终端安全信息收集和安全策略实现流程;  Terminal security information collection and security policy implementation process;
终端厂商或运营商终端侧安全策略设计流程;  Terminal vendor or carrier terminal side security policy design process;
终端厂商或运营商服务器侧安全策略设计流程。  The terminal vendor or carrier server side security policy design process.
如图 2所示, 用户配置和查看安全信息流程包括:  As shown in Figure 2, the process of configuring and viewing security information by users includes:
步骤一, 终端上电完成开机启动; 步骤二, 终端启动并实时监测终端行为; Step one, the terminal is powered on and the booting is started; Step 2: The terminal starts and monitors the behavior of the terminal in real time;
步骤三, 用户通过菜单配置开启和关闭实时数据业务、 无线通讯业务及 其他系统资源的使用通知;  Step 3: The user configures to enable and disable the use notification of the real-time data service, the wireless communication service, and other system resources through the menu configuration;
步骤四: 用户配置至少部分应用使用系统资源的权限信息;  Step 4: The user configures at least part of the application authority information of using the system resource;
步骤五, 用户通过菜单可以查看终端截获的应用发送的数据业务和无线 通讯业务和其他系统资源的请求;  Step 5: The user can view the data service sent by the terminal and the request for the wireless communication service and other system resources through the menu;
步骤六, 若用户开启了安全信息使用通知, 在收到配置的应用请求使用 配置的系统资源的请求时, 使用提示框来提示用户是否需要禁止该请求; 如 果用户没有开启安全信息使用通知, 则不对用户进行提示;  Step 6: If the user opens the security information usage notification, when the configured application requests to use the configured system resource request, the prompt box is used to prompt the user whether to prohibit the request; if the user does not open the security information usage notification, Do not prompt the user;
步骤七, 在出厂设置中, 若设置了服务器同步分析管控的情况下, 终端 可供用户查看服务器管控了哪些应用和详细的安全策略介绍。  Step 7: In the factory setting, if the server synchronization analysis and management is set, the terminal can be used by the user to check which applications and detailed security policies are controlled by the server.
如图 3所示, 终端安全信息收集和安全策略实现流程, 包括如下步骤: 步骤一, 终端上电开机启动;  As shown in FIG. 3, the terminal security information collection and security policy implementation process includes the following steps: Step 1: The terminal is powered on and started;
步骤二, 读取用户配置信息, 如果用户尚未配置, 以出厂设置为默认; 步骤三, 实时监控本终端上安装的应用发送的调用系统资源的 API Step 2: Read the user configuration information, if the user has not configured, the factory setting is the default; Step 3, real-time monitoring the API of the calling system resource sent by the application installed on the terminal
( Application Programming Interface , 应用程序编程接口 ) ; ( Application Programming Interface , Application Programming Interface ) ;
步骤四, 监控到用户配置的或系统配置的应用调用系统资源的 API时记 录以下信息: 应用的名称、 调用的系统资源名称、 使用系统资源的时间和时 长、 调用次数等;  Step 4: When the user-configured or system-configured application calls the API of the system resource, the following information is recorded: the name of the application, the name of the called system resource, the time and duration of using the system resource, the number of calls, and the like;
步骤五, 在设置了服务器同步分析管控的情况下, 调用从服务器侧同步 的安全策略, 过滤恶意应用发起的系统资源调用请求, 并记录该信息供用户 监控查看;  Step 5: In the case that the server synchronization analysis and management is set, the security policy synchronized from the server side is invoked, the system resource invocation request initiated by the malicious application is filtered, and the information is recorded for the user to monitor and view;
步骤六, 统计终端安全信息, 如进行被监控的应用发起的系统资源调用 请求的统计分析;  Step 6: Calculate terminal security information, such as performing statistical analysis of system resource invocation requests initiated by the monitored application;
步骤七, 在设置了服务器同步分析管控的情况下, 终端侧可将本地记录 的应用请求调用的系统资源的信息同步到服务器侧;  Step 7: In the case that the server synchronization analysis and management is set, the terminal side can synchronize the information of the system resource called by the locally recorded application request to the server side;
步骤八, 在设置了服务器同步分析管控的情况下, 定期或不定期地同步 服务器侧的安全策略。 Step 8: Synchronize periodically or irregularly when the server synchronization analysis and management is set. Security policy on the server side.
如图 4所示, 终端厂商或运营商终端侧同步安全策略的过程如下: 步骤一, 终端上电开机启动;  As shown in Figure 4, the process of synchronizing security policies on the terminal manufacturer or the carrier terminal side is as follows: Step 1: The terminal is powered on and started.
步骤二, 在被激活安全管控功能后, 终端上报本终端记录的应用请求使 用资源的信息到终端厂商或运营商部署的网络 Λ良务器中;  Step 2: After the security management function is activated, the terminal reports the application request resource information recorded by the terminal to the network provider deployed by the terminal manufacturer or the operator;
步骤三, 待机时, 终端等待终端厂商或运营商部署的网络服务器的安全 策略更新;  Step 3: During standby, the terminal waits for a security policy update of the network server deployed by the terminal manufacturer or the operator;
步骤四, 当有新的安全策略可以更新时, 提示用户有最新的安全策略, 并询问是否需要及时更新安装最新的安全策略; 在用户选择更新后, 将新的 安全策略下载到本地;  Step 4: When a new security policy can be updated, the user is prompted to have the latest security policy, and asks whether the latest security policy needs to be updated in time; after the user selects the update, the new security policy is downloaded to the local;
步骤五, 启动实时应用监控安全策略;  Step 5: Start a real-time application monitoring security policy;
步骤六, 当监控到有策略范围内的系统资源被使用时, 拦截并记录信息 供用户查看;  Step 6: When monitoring that system resources within the scope of the policy are used, intercept and record information for the user to view;
步骤七, 当某应用调用系统资源的频率达到一定限度时, 判断出该应用 为恶意应用, 并及时通知用户提示该应用的安全风险;  Step 7: When the frequency of calling an application resource reaches a certain limit, the application is determined to be a malicious application, and the user is notified in time to prompt the security risk of the application;
步骤八, 协助用户卸载识别出的恶意应用。 即向用户提供询问是否卸载 该应用的界面, 如用户选择卸载操作, 则直接跳转到卸载该应用的入口界面 供用户进行后续卸载操作。  Step 8: Assist the user to uninstall the identified malicious application. That is, the user is provided with an interface asking whether to uninstall the application. If the user selects the uninstall operation, the user directly jumps to the uninstall interface of the application for the user to perform the subsequent uninstall operation.
如图 5所示, 终端厂商或运营商服务器侧安全策略设计流程如下: 步骤一: 在网络侧配置服务器, 部署需要管控的终端的型号批次信息; 此时就要求终端在上报记录的应用请求调用的系统资源的信息时, 一并上报 自身的型号及批次信息;  As shown in Figure 5, the terminal vendor or carrier server-side security policy design process is as follows: Step 1: Configure the server on the network side to deploy the model batch information of the terminal that needs to be controlled. At this time, the terminal is required to report the application request. When the information of the system resource is called, the model and batch information of the system are reported together;
步骤二, 服务器实时收集符合配置的需要管控的终端的型号批次的终端 上报的系统资源的使用信息。  Step 2: The server collects the usage information of the system resources reported by the terminal of the model batch of the terminal that needs to be controlled and controlled in real time.
步骤三, 批量统计分析恶意应用;  Step 3, batch statistical analysis of malicious applications;
步骤四, 筛选恶意应用, 并将该恶意应用写入安全策略;  Step 4: screening the malicious application and writing the malicious application to the security policy;
步骤五, 定期的将安全策略同步到终端, 防控恶意应用滥用用户资源, 遏制安全隐患波及范围; Step 5: Synchronize security policies to the terminal periodically to prevent malicious applications from abusing user resources. Curb the scope of security risks;
步骤六, 定期统计其他渠道获得的安全管控信息, 并及时的将根据这些 安全管控信息更新的安全策略同步到终端, 防控恶意应用滥用用户资源, 遏 制安全隐患波及范围。  Step 6: Regularly collect the security management and control information obtained by other channels, and timely synchronize the security policies updated according to these security management information to the terminal, prevent malicious applications from abusing user resources, and curb the scope of security risks.
在本实施例中, 一种对应用进行监控的系统, 应用于使用开源操作系统 的终端中, 包括:  In this embodiment, a system for monitoring an application is applied to a terminal using an open source operating system, including:
第一装置, 用于实时对本地应用进行监控;  a first device, configured to monitor a local application in real time;
第二装置, 用于在监控到本地应用欲调用系统资源时, 若根据预配置的 安全策略判断出所述应用不具有调用所述系统资源的权限, 则禁止所述应用 调用所述系统资源。  The second device is configured to, when monitoring, that the local application is to invoke the system resource, if the application determines that the application does not have the right to invoke the system resource according to the pre-configured security policy, prohibiting the application from invoking the system resource.
较佳地,  Preferably,
所述第二装置还用于若根据所述预配置的安全策略判断出所述应用具有 调用所述系统资源的权限, 则允许所述应用调用所述系统资源, 并在所述应 用调用所述系统资源后, 记录此次调用操作信息。  The second device is further configured to: if the application determines that the application has the right to invoke the system resource according to the pre-configured security policy, permit the application to invoke the system resource, and invoke the After the system resources are recorded, the call operation information is recorded.
较佳地, 所述系统还包括:  Preferably, the system further comprises:
第三装置, 用于将所述第二装置记录的各应用调用系统资源的操作信息 定期或不定期的更新到服务器。  And a third device, configured to update operation information of each application calling system resource recorded by the second device to the server periodically or irregularly.
较佳地,  Preferably,
所述安全策略中设置有应用使用系统资源的最大次数;  The maximum number of times the application uses system resources is set in the security policy;
所述第二装置用于记录此次调用操作信息包括: 所述第二装置用于记录 所述应用调用所述系统资源的次数;  The second device is configured to record the call operation information, where the second device is configured to record the number of times the application invokes the system resource;
所述第二装置用于根据预配置的安全策略判断出所述应用不具有调用所 述系统资源的权限, 具体包括:  The second device is configured to determine, according to the pre-configured security policy, that the application does not have the right to invoke the system resource, and specifically includes:
第二装置用于根据记录的所述应用对应的调用操作信息, 判断出记录的 所述应用调用所述系统资源的次数已达到所述最大次数值。  The second device is configured to determine, according to the recorded call operation information corresponding to the application, that the number of times the recorded application invokes the system resource has reached the maximum number of times.
较佳地,  Preferably,
所述第二装置用于禁止该应用调用该系统资源, 具体包括: 所述第二装置用于提示用户所述应用请求调用所述系统资源; 在接收到 所述用户发来的禁止所述应用调用所述系统资源的命令后, 用于禁止该应用 调用该系统资源。 The second device is configured to prohibit the application from invoking the system resource, and specifically includes: The second device is configured to prompt the user to request the system resource to be invoked; after receiving the command sent by the user to prohibit the application from calling the system resource, the second device is configured to prohibit the application from calling the system resource .
以下将结合附图和实施例对本发明进行描述。  The invention will now be described in conjunction with the drawings and embodiments.
本实施例以某运营商定制要求和用户体验改善需求为例来设计, 对本发 明进行全面阐述, 根据用户启动的不同应用使用的不同系统资源, 对应到不 同的三种场景, 这三种场景分别为:  This embodiment is designed by taking an operator customization requirement and a user experience improvement requirement as an example. The present invention is fully described. According to different system resources used by different applications initiated by the user, corresponding to different scenarios, the three scenarios are respectively For:
场景一: 各个运营商定制的应用请求使用系统资源时的场景。 这种场景 的安全管控, 安全管控量可以减到最低, 该类应用是可靠的、 可信的安全应 用, 可以任意调用使用终端的系统资源。 但终端还是需要使用安全管控来统 计调用次数, 供用户查看, 保护用户的知情权;  Scenario 1: The scenario when each application customized by the operator requests to use system resources. The security management and control of this kind of scenario can minimize the amount of security control. This type of application is a reliable and reliable security application, and can call any system resources of the terminal. However, the terminal still needs to use security management to count the number of calls for users to view and protect the user's right to know;
场景二: 用户自行在可靠的应用市场下载的应用, 请求使用系统资源时 的场景。 在此种场景下, 应用的来源可查, 因此可在安全策略中对各应用市 场进行安全等级划分。 可靠的应用市场下载的应用, 一般不提示用户进行安 全监控设置, 安全监控系统可适当减低。  Scenario 2: An application that users download in their own reliable application market, requesting the use of system resources. In this scenario, the source of the application can be checked, so the security level of each application market can be classified in the security policy. Applications that are downloaded from the reliable application market generally do not prompt the user for security monitoring settings, and the security monitoring system can be appropriately reduced.
用户安装该应用时, 不需要启动安全策略。 用户在该类应用调用资源时, 不控制, 仅记录该操作简单信息, 当该类应用使用系统资源到一定额度时, 要及时提示用户安全风险, 并协助用户关闭卸载该应用。 当有新的安全策略 由服务器同步到终端时, 检查该类应用是否在新的策略管控范围, 如果是, 提示通知用户关闭卸载。  When a user installs the app, there is no need to initiate a security policy. When the application invokes resources in this type of application, the user does not control and records only the simple operation information. When the application uses the system resources to a certain amount, the user should prompt the user for security risks and assist the user to close and uninstall the application. When there is a new security policy, when the server synchronizes to the terminal, it checks whether the application is in the new policy control scope. If it is, it prompts the user to close the uninstall.
场景三: 各个用户自行在网络上下载的应用, 即通过网络安装或通过下 载到 SD卡来安装的应用, 请求使用系统资源时的场景。 在这种场景下, 应 用的来源不可查, 来源很不安全。 必须将安全控制系数提到最高, 提示用户 进行安全监控设置, 并在安装时通过安全策略进行过滤, 如果已经在安全策 略禁止范围, 要提示用户, 如果该应用有过轻微的恶意调用记录, 也要告知 应用。 如果用户执意安装, 当该类应用使用系统资源到一定额度时, 要及时 提示用户安全风险, 并协助用户关闭卸载该应用。  Scenario 3: The application that each user downloads on the network by itself, that is, the application installed by the network or downloaded to the SD card, requests the use of system resources. In this scenario, the source of the application is not available and the source is very unsafe. The security control factor must be mentioned as the highest, prompting the user to perform security monitoring settings, and filtering through the security policy during installation. If the security policy is prohibited, the user should be prompted if the application has a slight malicious call record. To inform the app. If the user insists on installing, when the application uses system resources to a certain amount, it should prompt the user for security risks and assist the user to close and uninstall the application.
针对上面的三个场景, 下面列出具体实施中的步骤, 该步骤可配合图 6 进行说明, 步骤如下: For the above three scenarios, the steps in the specific implementation are listed below, which can be combined with Figure 6. To explain, the steps are as follows:
101 , 终端上电开机启动;  101, the terminal is powered on and started;
102 , 用户通过菜单自行配置需要进行监控的应用和监控的系统资源项 目, 不配置的情况下, 按终端出厂设置来配置;  102. The user configures the application resource and the monitored system resource item to be monitored through the menu. If not configured, the terminal is configured according to the factory settings of the terminal;
103 , 用户启动有资源调用需求的应用;  103, the user starts an application that has a resource calling requirement;
104, 若该应用是各个运营商定制的应用, 由于是系统的内置应用, 该类 应用是可靠的、 可信的安全应用, 因此可以任意调用终端的系统资源。 终端 在该类应用调用系统资源时, 不进行控制, 仅记录该操作简单信息, 使用安 全管控来统计调用次数供用户查看, 保护用户的知情权;  104. If the application is a customized application of each operator, since it is a built-in application of the system, the application is a reliable and trusted security application, so the system resources of the terminal can be arbitrarily invoked. When the application invokes system resources, the terminal does not control, only records the simple operation information, and uses security control to count the number of calls for the user to view, and protect the user's right to know;
105 , 若该应用是用户自行在可靠的应用市场下载的应用, 可根据应用市 场本身的安全控制系数进行分级, 对于可靠的应用市场下载的应用, 一般不 提示用户进行安全监控设置, 安全监控系数可适当减低。 用户安装该应用时, 不需要启动安全策略。 用户在该类应用调用资源时, 不控制, 仅记录该操作 简单信息, 当该类应用使用系统资源到一定额度时, 要及时提示用户安全风 险, 并协助用户关闭卸载该应用。 当有新的安全策略由服务器同步到终端时, 检查该类应用是否在新的策略管控范围, 如果是, 提示通知用户关闭卸载; 105. If the application is an application downloaded by the user in a reliable application market, the application may be classified according to the security control coefficient of the application market itself. For a reliable application market download application, the user is generally not prompted to perform security monitoring settings, and the security monitoring coefficient is Can be reduced appropriately. When a user installs the app, there is no need to initiate a security policy. When the application calls the resource, the user does not control, only records the operation simple information. When the application uses the system resource to a certain amount, the user should promptly prompt the user for security risks and assist the user to close and uninstall the application. When a new security policy is synchronized by the server to the terminal, check whether the application is in the new policy control scope, and if so, prompt the user to close the uninstallation;
106, 若该应用是用户自行在网络上下载的应用, 即通过网络安装或通过 下载到 SD卡来安装的应用, 终端可提示用户进行安全监控设置, 并在安装 时通过安全策略来过滤, 如果已经在安全策略禁止范围, 要提示用户, 如果 该应用有过轻微的恶意调用记录, 也要告知应用。 如果用户执意安装, 当该 类应用使用系统资源到一定额度时, 要及时提示用户安全风险, 并协助用户 关闭卸载该应用。 106. If the application is an application downloaded by the user on the network, that is, an application installed through a network installation or downloaded to an SD card, the terminal may prompt the user to perform security monitoring settings, and filter through the security policy during installation. It is already in the scope of the security policy prohibition, to prompt the user, if the application has a slight malicious call record, also inform the application. If the user insists on installing, when the application uses system resources to a certain amount, it should prompt the user for security risks and assist the user to close and uninstall the application.
优选地, 该方法还包括:  Preferably, the method further comprises:
107 , 用户可查看所有应用的资源调用统计记录信息;  107, the user can view the resource call statistics record information of all applications;
108, 用户通过菜单来配置各个应用的资源调用权限, 防止恶意应用的安 全隐患。  108. The user configures resource calling rights of each application through a menu to prevent security risks of malicious applications.
本领域普通技术人员可以理解上述方法中的全部或部分步骤可通过程序 来指令相关硬件完成, 所述程序可以存储于计算机可读存储介质中, 如只读 存储器、 磁盘或光盘等。 可选地, 上述实施例的全部或部分步骤也可以使用 一个或多个集成电路来实现。 相应地, 上述实施例中的各模块 /单元可以釆用 硬件的形式实现, 也可以釆用软件功能模块的形式实现。 本发明不限制于任 何特定形式的硬件和软件的结合。 One of ordinary skill in the art can understand that all or part of the above steps can be completed by a program to instruct related hardware, and the program can be stored in a computer readable storage medium, such as read only. Memory, disk or disc, etc. Alternatively, all or part of the steps of the above embodiments may also be implemented using one or more integrated circuits. Correspondingly, each module/unit in the foregoing embodiment may be implemented in the form of hardware, or may be implemented in the form of a software function module. The invention is not limited to any specific form of combination of hardware and software.
以上所述仅为本发明的优选实施例而已, 并非用于限定本发明的保护范 围。 根据本发明的发明内容, 还可有其他多种实施例, 在不背离本发明精神 改变和变形, 凡在本发明的精神和原则之内, 所作的任何修改、 等同替换、 改进等, 均应包含在本发明的保护范围之内。  The above description is only a preferred embodiment of the present invention and is not intended to limit the scope of protection of the present invention. In view of the present invention, various other modifications, equivalents, improvements, etc., should be made without departing from the spirit and scope of the invention. It is included in the scope of protection of the present invention.
工业实用性 釆用本发明后, 达到了提高数据业务和无线应用的安全性能、 有效保护 用户个人隐私的同时帮助降低用户数据业务资费和无线应用资费的目的, 提 高了用户体验度, 既能满足用户对海量应用的随意安装需求, 又能提高终端 数据业务和无线通讯业务的安全性能, 提高了运营商和设备生产厂商对终端 设备的安全控制能力及终端的应用安全性能。 Industrial Applicability After the present invention, the purpose of improving the security performance of the data service and the wireless application, effectively protecting the user's personal privacy, and helping to reduce the user data service fee and the wireless application fee are achieved, thereby improving the user experience and satisfying the requirements. The user's random installation requirements for mass applications can improve the security performance of the terminal data service and the wireless communication service, and improve the security control capability of the terminal device and the application security performance of the terminal by the operator and the device manufacturer.

Claims

权 利 要 求 书 Claim
1、 一种对应用进行监控的方法, 应用于使用开源操作系统的终端中, 包 括:  A method for monitoring an application, which is applied to a terminal using an open source operating system, including:
实时对本地应用进行监控;  Monitor local applications in real time;
在监控到本地应用欲调用系统资源时, 若根据预配置的安全策略判断出 所述应用不具有调用所述系统资源的权限, 则禁止所述应用调用所述系统资 源。  When monitoring the local application to invoke the system resource, if it is determined according to the pre-configured security policy that the application does not have the right to invoke the system resource, the application is prohibited from invoking the system resource.
2、 如权利要求 1所述的方法, 其中, 所述方法还包括:  2. The method according to claim 1, wherein the method further comprises:
若根据所述预配置的安全策略判断出所述应用具有调用所述系统资源的 权限, 则允许所述应用调用所述系统资源, 并在所述应用调用所述系统资源 后, 记录此次调用操作信息。  And if the application determines that the application has the right to invoke the system resource according to the pre-configured security policy, allowing the application to invoke the system resource, and after the application invokes the system resource, recording the call. Operational information.
3、 如权利要求 2所述的方法, 其中, 所述方法还包括:  3. The method of claim 2, wherein the method further comprises:
所述终端将记录的各应用调用系统资源的操作信息定期或不定期的更新 到服务器, 由所述服务器根据从各终端处接收到的所述操作信息进行分析整 理后, 更新所述服务器上的安全策略。  The terminal updates the operation information of each application calling system resource to the server periodically or irregularly, and the server updates and processes the information according to the operation information received from each terminal. security strategy.
4、 如权利要求 2所述的方法, 其中,  4. The method of claim 2, wherein
所述安全策略中设置有应用使用系统资源的最大次数;  The maximum number of times the application uses system resources is set in the security policy;
记录此次调用操作信息包括: 记录所述应用调用所述系统资源的次数; 所述根据预配置的安全策略判断出所述应用不具有调用所述系统资源的 权限, 包括:  Recording the call operation information includes: recording the number of times the application invokes the system resource; and determining, according to the pre-configured security policy, that the application does not have the permission to invoke the system resource, including:
根据记录的所述应用对应的调用操作信息, 判断出记录的所述应用调用 所述系统资源的次数已达到所述最大次数值。  And determining, according to the recorded call operation information corresponding to the application, that the number of times the recorded application invokes the system resource has reached the maximum number of times.
5、 如权利要求 1~4中任意一项所述的方法, 其中,  The method according to any one of claims 1 to 4, wherein
所述终端通过以下方式之一获得所述预配置的安全策略:  The terminal obtains the pre-configured security policy in one of the following manners:
所述终端提供人机交互界面供用户自设置所述安全策略;  The terminal provides a human-machine interaction interface for the user to set the security policy;
所述终端从指定服务器侧定期或不定期地获取所述安全策略并更新到本 地。 The terminal acquires the security policy periodically or irregularly from the designated server side and updates to the local.
6、 如权利要求 1所述的方法, 其中, 6. The method of claim 1, wherein
所述禁止该应用调用该系统资源, 包括:  The prohibiting the application from invoking the system resource includes:
提示用户所述应用请求调用所述系统资源;  Prompting the user that the application requests to invoke the system resource;
在接收到所述用户发来的禁止所述应用调用所述系统资源的命令后, 禁 止该应用调用该系统资源。  After receiving the command sent by the user to prohibit the application from invoking the system resource, the application is prohibited from calling the system resource.
7、 一种对应用进行监控的系统, 应用于使用开源操作系统的终端中, 包 括:  7. A system for monitoring an application, applied to a terminal using an open source operating system, including:
第一装置, 其设置为: 实时对本地应用进行监控;  a first device, configured to: monitor a local application in real time;
第二装置, 其设置为: 在监控到本地应用欲调用系统资源时, 若根据预 配置的安全策略判断出所述应用不具有调用所述系统资源的权限, 则禁止所 述应用调用所述系统资源。  a second device, configured to: when monitoring the local application to invoke the system resource, if it is determined according to the pre-configured security policy that the application does not have the right to invoke the system resource, prohibiting the application from calling the system Resources.
8、 如权利要求 7所述的系统, 其中,  8. The system of claim 7, wherein
所述第二装置还设置为: 若根据所述预配置的安全策略判断出所述应用 具有调用所述系统资源的权限, 则允许所述应用调用所述系统资源, 并在所 述应用调用所述系统资源后, 记录此次调用操作信息。  The second device is further configured to: if the application determines that the application has the right to invoke the system resource according to the pre-configured security policy, allowing the application to invoke the system resource, and calling the application in the application After the system resources are described, the call operation information is recorded.
9、 如权利要求 8所述的系统, 其中, 还包括:  9. The system of claim 8, further comprising:
第三装置, 其设置为: 将所述第二装置记录的各应用调用系统资源的操 作信息定期或不定期的更新到服务器。  And a third device, configured to: periodically update the operation information of the application calling system resources recorded by the second device to the server.
10、 如权利要求 8所述的系统, 其中,  10. The system of claim 8 wherein
所述安全策略中设置有应用使用系统资源的最大次数;  The maximum number of times the application uses system resources is set in the security policy;
所述第二装置设置为: 记录此次调用操作信息包括: 记录所述应用调用所述系统资源的次数; 以及  The second device is configured to: record the call operation information, including: recording a number of times the application invokes the system resource;
根据预配置的安全策略判断出所述应用不具有调用所述系统资源的权 限, 包括: 根据记录的所述应用对应的调用操作信息, 判断出记录的所述应 用调用所述系统资源的次数已达到所述最大次数值。  Determining, according to the pre-configured security policy, that the application does not have the right to invoke the system resource, the method includes: determining, according to the recorded call operation information corresponding to the application, that the recorded application invokes the system resource has The maximum number of times is reached.
11、 如权利要求 7所述的系统, 其中, 所述第二装置设置为: 禁止该应用调用该系统资源, 包括: 提示用户所 述应用请求调用所述系统资源; 在接收到所述用户发来的禁止所述应用调用 所述系统资源的命令后, 禁止该应用调用该系统资源。 11. The system of claim 7 wherein The second device is configured to: prohibit the application from invoking the system resource, including: prompting the user that the application requests to invoke the system resource; receiving a command sent by the user to prohibit the application from invoking the system resource After that, the application is prohibited from calling the system resource.
PCT/CN2011/075480 2011-04-11 2011-06-08 Method and system for monitoring application WO2012139323A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201110089643.4A CN102186167B (en) 2011-04-11 2011-04-11 A kind of to applying the method and system monitored
CN201110089643.4 2011-04-11

Publications (1)

Publication Number Publication Date
WO2012139323A1 true WO2012139323A1 (en) 2012-10-18

Family

ID=44572225

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/075480 WO2012139323A1 (en) 2011-04-11 2011-06-08 Method and system for monitoring application

Country Status (2)

Country Link
CN (1) CN102186167B (en)
WO (1) WO2012139323A1 (en)

Families Citing this family (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9603085B2 (en) 2010-02-16 2017-03-21 Qualcomm Incorporated Methods and apparatus providing intelligent radio selection for legacy and non-legacy applications
US9264868B2 (en) 2011-01-19 2016-02-16 Qualcomm Incorporated Management of network access requests
US9178965B2 (en) 2011-03-18 2015-11-03 Qualcomm Incorporated Systems and methods for synchronization of application communications
US9571952B2 (en) 2011-04-22 2017-02-14 Qualcomm Incorporatd Offloading of data to wireless local area network
US9137737B2 (en) 2011-08-29 2015-09-15 Qualcomm Incorporated Systems and methods for monitoring of background application events
WO2013052897A1 (en) * 2011-10-05 2013-04-11 Qualcomm Incorporated Systems and methods for management of background application events
CN102413221B (en) * 2011-11-24 2014-03-12 中兴通讯股份有限公司 Method for protecting privacy information and mobile terminal
CN102521548B (en) * 2011-11-24 2014-11-05 中兴通讯股份有限公司 Method for managing using rights of function and mobile terminal
CN102404706B (en) * 2011-11-24 2014-08-13 中兴通讯股份有限公司 Method for managing tariff safety and mobile terminal
CN102572804B (en) * 2011-12-27 2014-11-26 奇智软件(北京)有限公司 Data calling method and device
CN103516863A (en) * 2012-06-18 2014-01-15 华为终端有限公司 Equipment capacity management method and mobile terminal
CN102868813A (en) * 2012-09-05 2013-01-09 广东欧珀移动通信有限公司 Method for realizing safety management mechanism and cell phone
CN102915417A (en) * 2012-09-18 2013-02-06 鸿富锦精密工业(深圳)有限公司 Application monitoring system and application monitoring method
CN102938789B (en) * 2012-11-19 2015-04-29 江苏省公用信息有限公司 Download combination analysis method and device for mobile internet mobile phone applications
CN103065083A (en) * 2013-01-31 2013-04-24 晨风云(北京)科技有限公司 Method and system for monitoring application program interface of intelligent mobile terminal
CN104066090B (en) * 2013-03-21 2018-12-14 联想(北京)有限公司 A kind of information processing method and electronic equipment
CN103544447B (en) * 2013-05-30 2016-10-12 Tcl集团股份有限公司 A kind of method preventing confidential information from revealing based on Android system and terminal
CN103747433B (en) * 2013-12-02 2020-03-20 上海斐讯数据通信技术有限公司 Method for realizing root request management through manufacturer server and mobile terminal
CN103648114A (en) * 2013-12-24 2014-03-19 北京奇虎科技有限公司 Method, system and device for monitoring usage amount information of working area through mobile terminal
CN103634481A (en) * 2013-12-24 2014-03-12 江苏优控新能源科技有限公司 Novel functional limitation operating mode of Android mobile phone
CN104951715A (en) * 2015-06-11 2015-09-30 联想(北京)有限公司 Information processing method and electronic equipment
CN105608369B (en) * 2015-10-30 2019-06-25 周奇 The installation method and device of application software
CN105553963B (en) * 2015-12-10 2019-11-29 小米科技有限责任公司 The control method and device of positioning service
CN106778236B (en) * 2016-11-29 2019-08-30 努比亚技术有限公司 A kind of access control apparatus and method
CN106598858B (en) * 2016-12-14 2019-10-22 合一网络技术(北京)有限公司 Resource transfer analysis method and device
CN106897608A (en) * 2017-01-19 2017-06-27 北京奇虎科技有限公司 A kind of authority processing method of application program, device and mobile terminal
CN108833690B (en) * 2018-05-31 2021-11-16 努比亚技术有限公司 Authority control method, terminal and computer readable storage medium
CN108829484B (en) * 2018-06-21 2022-01-28 聚好看科技股份有限公司 Method and device for generating navigation operation interface of local application program of control terminal
CN109062800A (en) * 2018-07-28 2018-12-21 安徽捷兴信息安全技术有限公司 A kind of mobile phone application testing method and device
CN112199720A (en) * 2020-10-12 2021-01-08 广州虎牙科技有限公司 Authority monitoring processing method, device, computer equipment and medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1816192A (en) * 2005-02-04 2006-08-09 法国无线电话公司 Process for the secure management of the execution of an application
CN1863038A (en) * 2005-05-12 2006-11-15 中国电信股份有限公司 Method of implementing control and management of applied program in terminal apparatus
CN101557383A (en) * 2008-04-11 2009-10-14 中国移动通信集团公司 Professional ability resource management system and professional ability resource use management method
CN101901321A (en) * 2010-06-04 2010-12-01 华为终端有限公司 Method, device and system for defending malicious program for terminal
CN101997912A (en) * 2010-10-27 2011-03-30 苏州凌霄科技有限公司 Mandatory access control device based on Android platform and control method thereof

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101231768B (en) * 2008-01-25 2010-09-08 北京深思洛克软件技术股份有限公司 Multi-application intelligent card and method for realizing intelligent card multi application
HK1122436A1 (en) * 2009-03-23 2009-05-15 Alibaba Group Holding Ltd Method for positioning bottleneck of system resources based on analysis result for a log file

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1816192A (en) * 2005-02-04 2006-08-09 法国无线电话公司 Process for the secure management of the execution of an application
CN1863038A (en) * 2005-05-12 2006-11-15 中国电信股份有限公司 Method of implementing control and management of applied program in terminal apparatus
CN101557383A (en) * 2008-04-11 2009-10-14 中国移动通信集团公司 Professional ability resource management system and professional ability resource use management method
CN101901321A (en) * 2010-06-04 2010-12-01 华为终端有限公司 Method, device and system for defending malicious program for terminal
CN101997912A (en) * 2010-10-27 2011-03-30 苏州凌霄科技有限公司 Mandatory access control device based on Android platform and control method thereof

Also Published As

Publication number Publication date
CN102186167A (en) 2011-09-14
CN102186167B (en) 2016-02-10

Similar Documents

Publication Publication Date Title
WO2012139323A1 (en) Method and system for monitoring application
US10972467B2 (en) Certificate based profile confirmation
Barrera et al. Secure software installation on smartphones
EP2641407B1 (en) Management of mobile applications
US9066230B1 (en) Trusted policy and charging enforcement function
EP3101921B1 (en) Postponed carrier configuration
US8812868B2 (en) Secure execution of unsecured apps on a device
KR101285394B1 (en) Apparatus and Method for Controlling Permission in Mobile Terminal
WO2014040461A1 (en) Access control method and device
US9576153B2 (en) Device and method for providing information from a backend component to a frontend component by a secure device management abstraction and unification module
WO2012154828A1 (en) Permission-based administrative controls
EP2730054A1 (en) Portable computing device and method of operation of same
EP2973250A1 (en) Incremental compliance remediation
WO2013075412A1 (en) Security control method and device for mobile terminal
US20160248810A1 (en) Method and System for Operating and Monitoring Permissions for Applications in a Electronic Device
WO2017063424A1 (en) Private information leakage prevention method, device and terminal
US11503080B2 (en) Remote management of a user device
US10038598B2 (en) Leveraging and extending mobile operating system MDM protocol
JP6091854B2 (en) Information processing apparatus and control method
CN113806718A (en) Access right management method and terminal device
KR20110136423A (en) Mobile terminal for limitting an occurrence of application accounting, and method thereof

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11863486

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11863486

Country of ref document: EP

Kind code of ref document: A1