WO2016019790A1 - Verification method, client, server and system for installation package - Google Patents

Verification method, client, server and system for installation package Download PDF

Info

Publication number
WO2016019790A1
WO2016019790A1 PCT/CN2015/084272 CN2015084272W WO2016019790A1 WO 2016019790 A1 WO2016019790 A1 WO 2016019790A1 CN 2015084272 W CN2015084272 W CN 2015084272W WO 2016019790 A1 WO2016019790 A1 WO 2016019790A1
Authority
WO
WIPO (PCT)
Prior art keywords
apk
client
signature value
value
byte stream
Prior art date
Application number
PCT/CN2015/084272
Other languages
French (fr)
Chinese (zh)
Inventor
陈桌升
杨允乐
王传举
Original Assignee
优视科技有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 优视科技有限公司 filed Critical 优视科技有限公司
Publication of WO2016019790A1 publication Critical patent/WO2016019790A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/445Program loading or initiating

Definitions

  • the present invention relates to the field of data processing of mobile communications, and more particularly to a method, a client, a server and a system for verifying an installation package.
  • the current market mainly uses the tamper-proof verification scheme, and the verification process is implemented in the Java language.
  • the verification process is as follows: in the NDK (Native Development Kit) layer, the Java language is used to obtain the APK. Signature value, check whether the APK (Android Package, Android installation package) signature value matches the pre-configured APK signature value; if it matches, the APK is genuine and has not been tampered with; if it does not match, the APK has been tampered with.
  • Java is an interpreted language, it runs in the virtual machine environment in the form of intermediate code during verification. This makes the check logic easy to be decompiled, and the check logic is restored or deleted in '*.smali'. This will not achieve the purpose of the installation package verification, reducing the reliability of the installation package inspection.
  • the object of the present invention is to provide a verification method, a client, a server and a system for an installation package, which can prevent the verification logic of the installation package from being decompiled and improve the reliability of the installation package inspection.
  • a verification method of an installation package comprising the steps of:
  • the first APK is information about the tampering APK.
  • the signature value of the first APK is obtained in a C language environment.
  • the encrypted byte stream is in the form of a *.so file.
  • a verification method of an installation package comprising the steps of:
  • an encrypted byte stream where the encrypted byte stream is obtained by encrypting a request parameter for requesting network data by using a signature value of the first APK acquired by the client; a signature value of the second APK, decrypting the encrypted byte stream; wherein the second APK is an original APK; if the request parameter is not decrypted, returning to the client for identifying the first APK as being tampered with APK information.
  • the client obtains the signature value of the first APK in the C language environment.
  • the encrypted byte stream is in the form of a *.so file.
  • a verification method of an installation package comprising the steps of:
  • the client obtains the signature value of the first APK; the client performs a first encryption process on the request parameter for requesting the network data by using the signature value of the first APK to obtain an encrypted byte stream; the client encrypts the encrypted byte.
  • the terminal returns information for identifying that the first APK is a tampered APK.
  • the client obtains the signature value of the first APK in the C language environment.
  • the encrypted byte stream is in the form of a *.so file.
  • a verification method of an installation package comprising the steps of:
  • the client obtains the signature value of the first APK
  • the client determines whether the signature value of the first APK is equal to the signature value of the pre-configured second APK; wherein the second APK is the original APK; if the determination result is no, the client returns to identify the first APK as being tampered with If the result of the determination is yes, the client uses the signature value of the first APK to perform a first encryption process on the request parameter for requesting the network data to obtain an encrypted byte stream;
  • the client sends the encrypted byte stream to the server, so that the server decrypts the encrypted byte stream by using the signature value of the pre-configured second APK;
  • the client receives information returned by the server for identifying the first APK as the original APK when the server decrypts the request parameter; and when the server does not decrypt the request parameter, the server returns the identifier for identifying the first APK to be tampered with APK information.
  • the client obtains the signature value of the first APK in the C language environment.
  • the encrypted byte stream is in the form of a *.so file.
  • a client including:
  • a first acquiring unit configured to acquire a signature value of the first APK
  • An encryption unit configured to perform, by using a signature value of the first APK, a first encryption process on a request parameter used to request network data, to obtain an encrypted byte stream;
  • a first sending unit configured to send the encrypted byte stream to a server, where the server decrypts the encrypted byte stream by using a pre-configured second APK signature value; wherein the second APK is a raw APK ;
  • a first receiving unit configured to receive, when the server does not decrypt the request parameter, information used to identify the first APK as a tampered APK.
  • the first obtaining unit acquires the signature value of the first APK in a C language environment.
  • the encrypted byte stream is in the form of a *.so file.
  • a server comprising:
  • a second receiving unit configured to receive an encrypted byte stream sent by the client, where the encrypted byte stream is obtained by encrypting a request parameter for requesting network data by using a signature value of the first APK acquired by the client of;
  • a decrypting unit configured to decrypt the encrypted byte stream by using a signature value of a pre-configured second APK; wherein the second APK is an original APK;
  • the second sending unit is configured to return, to the client, information for identifying that the first APK is a tampered APK if the request parameter is not decrypted.
  • the client obtains the signature value of the first APK in the C language environment.
  • the encrypted byte stream is in the form of a *.so file.
  • a verification system for an installation package comprising: the above client and the server.
  • the client preferably obtains the signature value of the APK in the C language environment and uses the signature value to encrypt the network data request of the APK and sends the encrypted byte stream to the server for verification, because the above process logic is in C After compiling in the language, the '*.so file' is generated. It is difficult to crack the logic in the '*.so file' by the decompilation tool. The solution to the technical difficulty is much more complicated than the one achieved by using the Java language. On the server side, Decrypting the encrypted byte stream by using the signature value of the pre-configured original APK.
  • the original APK is installed on the client, and if the network data request cannot be decrypted, It means that the tamper-proof APK is installed on the above client, so that the related function of the client with the tamper-proof APK installed can be prohibited. Therefore, by the above processing, it is possible to prevent the check logic of the APK from being decompiled, and to improve the reliability of the installation package check.
  • FIG. 1 is a flow chart showing a verification method of an installation package proposed by the present invention
  • FIG. 2 is another flow chart showing a verification method of an installation package proposed by the present invention
  • FIG. 3 is another flow chart showing a verification method of an installation package proposed by the present invention.
  • FIG. 4 is another flow chart showing a verification method of an installation package proposed by the present invention.
  • FIG. 5 is a schematic structural diagram of a client according to the present invention.
  • FIG. 6 is a schematic diagram showing another structure of a client according to the present invention.
  • FIG. 7 is a schematic diagram showing another structure of a client proposed by the present invention.
  • FIG. 8 is a schematic structural diagram of a server according to the present invention.
  • FIG. 9 is a block diagram showing the structure of a calibration system for an installation package according to the present invention.
  • the present invention provides a verification method for an installation package, and the flow thereof can be referred to FIG. 1; specifically, the steps include:
  • Step S101 Acquire a signature value of the first APK
  • the first APK refers to the APK that the user downloads to the client; specifically, when the signature value of the first APK is obtained, the getSign function may be called by the getPost function to obtain the signature value of the first APK;
  • the C language environment is a preferred solution, that is, the signature value of the first APK is preferably implemented in a C language environment.
  • Step S102 Perform a first encryption process on the request parameter for requesting network data by using a signature value of the first APK, to obtain an encrypted byte stream.
  • the getPost function may be used to call the encodeData function to perform the first encryption process on the request parameter of the request network data by using the signature value of the first APK as the encryption key to obtain an encrypted byte stream.
  • the encryption algorithm used in the first encryption process is a reversible symmetric algorithm, such as a DES algorithm, an RC5 algorithm, or an M9 encryption algorithm.
  • the encrypted byte stream is in the form of a *.so file.
  • step S103 sending the encrypted byte stream to the server, so that the server decrypts the encrypted byte stream by using the signature value of the pre-configured second APK;
  • the second APK is the original APK; in step S101 and step S102 in the C language environment, and the encrypted byte stream is sent to the server, since the above process logic is compiled in the C language to generate a '*.so file', It is very difficult to crack the logic in the '*.so file' by decompilation tools, which greatly increases the technical difficulty of cracking than the implementation using Java language.
  • Step S104 Receive information for identifying that the first APK is a tampered APK when the server does not decrypt the request parameter.
  • the information returned when the server decrypts the request parameter is used to identify that the first APK is the original APK.
  • the client obtains the signature value of the APK in the C language environment and encrypts the network data request of the APK by using the signature value, and sends the encrypted byte stream to the server for verification, because the above process logic is performed in the C language.
  • the '*.so file' is generated. It is very difficult to crack the logic in the '*.so file' by decompilation tool. The solution is much more difficult to solve in the technical difficulty than using the Java language.
  • the pre-configuration is utilized. The signature value of the original APK to decrypt the encrypted byte stream.
  • the original APK installed on the client may not decrypt the above network data request, indicating the above client.
  • the tamper-proof APK is installed on the side, so that the related functions of the client with the tamper-proof APK can be disabled; therefore, the check logic of the APK can be prevented from being decompiled, and the reliability of the package inspection is improved.
  • the first encryption of the request parameter for requesting the network data is performed by using the signature value of the first APK.
  • the processing may be performed as follows: 1) performing a second encryption process on the signature value of the first APK according to a predetermined algorithm to obtain a signature value of the encrypted first APK; specifically, when performing the second encryption process, The getKey function may be called by the getPost function to encrypt the signature value of the APK according to a predetermined algorithm; wherein the predetermined algorithm may be an md5 encryption algorithm or an algorithm capable of generating a fixed length string; 2) using the encrypted first The signature value of the APK performs a first encryption process on the request parameters used to request the network data.
  • the server decrypts the encrypted byte stream by using a pre-configured signature value of the second APK encrypted by the predetermined algorithm. That is to say, the way to encrypt the client and decrypt it in the server is pre-agreed. This method is only known by the client and the server, and since it is performed in the C language environment, this method will not be decompiled. Obtained to ensure full security.
  • the initial detection of the APK may be performed on the client first, and only after the initial detection, the installation package detection after step S102 in the above embodiment is performed.
  • An optional method for initial detection is to detect the APK signature value; specifically, the initial detection is performed after step S101, including the steps:
  • the client compares the signature value of the first APK with the signature value of the second APK pre-configured on the client. If they are equal, the client performs the detection process of step S102 and subsequent; if not, returns the identifier for The first APK is information of the tampering APK.
  • Another optional method for initial detection is to obtain the CRC (Cyclical Redundancy Check) value of the dex (type of executable file on the Android platform) file, and compare the obtained CRC value with the pre-configured CRC value.
  • the initial detection is performed after step S101, including the steps:
  • the client obtains the CRC value of the dex file of the first APK
  • the client compares the CRC value of the dex file with a pre-configured CRC value, wherein the pre-configured CRC value is a CRC value of a dex file of the original APK;
  • the client When the CRC value of the dex file is equal to the pre-configured CRC value, the client performs the above-described step S102 and the subsequent detection process. If the CRC value of the dex file is not equal to the pre-configured CRC value, information indicating that the first APK is the tampered APK is returned.
  • Another alternative to the initial detection is to perform a first detection (or first comparison) of the APK signature value, and a second detection of the CRC value of the dex file when the detection result is yes (or The second comparison); specifically, the initial detection is performed after step S101, including the steps:
  • the client compares the signature value of the first APK with the signature value of the second APK pre-configured on the client. If they are equal, the client obtains the CRC value of the dex file and compares it with the pre-configured CRC value; if not, Returning information for identifying the first APK as a tampered APK;
  • the client When the CRC value of the dex file is equal to the pre-configured CRC value, the client performs the S102 step and the subsequent detection process; if not, returns information for identifying the first APK as the tampered APK.
  • the dex file will change and the CRC value will change.
  • the CRC value of the dex file it can be initially determined whether the first APK has been tampered with.
  • FIG. 2 A preferred embodiment flow is shown in Figure 2, which is based on the client side.
  • Step S201 The client acquires the signature value of the first APK.
  • Step S202 The client determines whether the signature value of the first APK is equal to the signature value of the pre-configured second APK; wherein the second APK is the original APK; if the determination result is no, proceed to step S203; if the determination result is yes , proceeding to step S204;
  • Step S203 The client returns information for identifying that the first APK is a tampered APK
  • Step S204 The client acquires the CRC value of the dex file of the first APK
  • Step S205 The client determines whether the CRC value of the dex file is equal to the pre-configured CRC value; wherein, the pre-configured CRC value is a CRC value for reference, that is, a CRC value of the original APK dex file; when determining the dex file When the CRC value is not equal to the pre-configured CRC value, proceed to step S203; when it is determined that the CRC value of the dex file is equal to the pre-configured CRC value, proceed to step S206;
  • Step S206 The client uses the signature value of the first APK to perform a first encryption process on the request parameter for requesting the network data, to obtain an encrypted byte stream. Specifically, the client may also first sign the first APK according to a predetermined algorithm. The value is subjected to encryption processing; and then the first encryption processing is performed by requesting the request parameter of the network data according to the encrypted signature value of the first APK.
  • Step S207 The client sends the encrypted byte stream to the server, so that the server decrypts the encrypted byte stream by using the signature value of the pre-configured second APK. Specifically, in step S206, according to the encrypted first APK.
  • the server decrypts the encrypted byte stream by using the pre-configured signature value of the second APK encrypted by the predetermined algorithm.
  • Step S208 The client receives, when the server decrypts the request parameter, the information returned by the server for identifying the first APK as the original APK; and when the server does not decrypt the request parameter, the first APK returned by the server is used to identify the first APK. Information for the tampering APK.
  • the C language environment is a preferred solution, that is, the signature value of the first APK is preferably implemented in a C language environment.
  • the encrypted byte stream is in the form of a *.so file.
  • the present invention also proposes another verification method of the installation package, which is based on the server side, and the flow thereof can be referred to FIG. 3, including the steps:
  • Step S301 The server receives the encrypted byte stream sent by the client, where the encrypted byte stream is encrypted by using the signature value of the first APK acquired by the client in the C language environment for requesting the network data. owned;
  • Step S302 The server decrypts the encrypted byte stream by using the signature value of the pre-configured second APK; wherein the second APK is the original APK;
  • Step S303 If the server decrypts the request parameter, the server returns information for identifying the first APK as the original APK, and if the server does not decrypt the request parameter, returns to the client to identify that the first APK is tampered with. APK information.
  • the C language environment is a preferred solution, that is, the signature value of the first APK is preferably implemented in a C language environment.
  • the encrypted byte stream is in the form of a *.so file.
  • the present invention also provides another verification method for the installation package.
  • the process can be referred to FIG. 4, which is based on the interaction between the client and the server.
  • the specific steps include:
  • Step S401 The client acquires the signature value of the first APK.
  • Step S402 The client performs a first encryption process on the request parameter for requesting network data by using the signature value of the first APK to obtain an encrypted byte stream.
  • Step S403 The client sends the encrypted byte stream to the server.
  • Step S404 The server decrypts the encrypted byte stream by using the signature value of the pre-configured second APK; wherein the second APK is the original APK; and then proceeds to step S405 or step S406 according to the decrypted result.
  • Step S405 If the server decrypts the request parameter, the server returns information for identifying the first APK as the original APK.
  • Step S406 If the server does not decrypt the request parameter, the server returns information for identifying the first APK as the tampered APK.
  • the C language environment is a preferred solution, that is, the signature value of the first APK is preferably implemented in a C language environment.
  • the encrypted byte stream is in the form of a *.so file.
  • a client 801 is also provided.
  • the structure of the client 801 is as shown in FIG. 5.
  • the client 801 includes:
  • the first obtaining unit 601 is configured to acquire a signature value of the first APK.
  • the C language environment is a preferred solution, that is, the signature value of the first APK is preferably implemented in a C language environment.
  • the encryption unit 602 is configured to perform, by using a signature value of the first APK, a first encryption process on a request parameter used to request network data, to obtain an encrypted byte stream.
  • the encrypted byte stream is in the form of a *.so file.
  • the first sending unit 603 is configured to send the encrypted byte stream to the server, so that the server decrypts the encrypted byte stream by using a pre-configured second APK signature value; wherein the second APK is an original APK;
  • the first receiving unit 604 is configured to receive, when the server does not decrypt the request parameter, the information that is used to identify the first APK as a tampered APK. And receiving information returned by the server when the request parameter is decrypted to identify the first APK as the original APK.
  • the client can also perform initial detection on the APK according to the APK signature value. Specifically, refer to FIG. 6; the client further includes:
  • the first comparison unit 605 is configured to compare the signature value of the first APK with the signature value of the pre-configured second APK;
  • a first notification unit 606, configured to: when the comparison result of the first comparison unit is equal, Notifying the encryption unit to perform a first encryption process on the request parameter for requesting the network data; and when the comparison result of the first comparison unit is unequal, returning information for identifying the first APK as the tampered APK;
  • the second APK is the original APK.
  • the client can also perform initial detection on the APK according to the CRC value.
  • the client further includes:
  • a second obtaining unit 607 configured to acquire a CRC value of a dex file of the first APK
  • the second comparison unit 608 is configured to compare the CRC value of the dex file with the pre-configured CRC value
  • the second notification unit 609 is configured to notify the encryption unit to perform a first encryption process on the request parameter for requesting network data when the comparison result of the second comparison unit is equal; and when the comparison result of the second comparison unit is unequal And returning information for identifying the first APK as the tampered APK; wherein the pre-configured CRC value is a CRC value of the dex file of the original APK.
  • the client can also perform initial detection on the APK according to the APK signature value and the CRC value.
  • the client also includes:
  • a third comparing unit configured to compare a signature value of the first APK with a signature value of a pre-configured second APK
  • a third acquiring unit configured to acquire a CRC value of the dex file of the first APK when the comparison result of the third comparing unit is equal
  • a fourth comparing unit configured to compare a CRC value of the dex file acquired by the third acquiring unit with a pre-configured CRC value
  • a third notification unit configured to notify the encryption unit to perform a first encryption process on a request parameter for requesting network data when the comparison result of the fourth comparison unit is equal; when the third comparison unit or the fourth comparison When the comparison result of the units is unequal, the information for identifying the first APK as the falsified APK is returned; wherein the pre-configured CRC value is the CRC value of the dex file of the original APK.
  • server 802 includes:
  • the second receiving unit 701 is configured to receive an encrypted byte stream sent by the client, where the encrypted byte stream is a request for requesting network data by using a signature value of the first APK acquired by the client in a C language environment.
  • the parameters are obtained by encryption processing;
  • the decryption unit 702 is configured to decrypt the encrypted byte stream by using a signature value of the second APK configured in advance; wherein the second APK is an original APK;
  • the second sending unit 703 is configured to: if the request parameter is decrypted, return information for identifying the first APK as the original APK to the client; if the request parameter is not decrypted, return the identifier for the client
  • the first APK is information of the tampering APK.
  • a verification system for an installation package is also provided.
  • the system includes: a client 801 shown in FIG. 5 and a server 802 shown in FIG. 8. It may also be the client of Figure 6 or Figure 7 and the server of Figure 8.
  • the client obtains the signature value of the APK in the C language environment and encrypts the network data request of the APK by using the signature value, and sends the encrypted byte stream to the server for verification, because the above process logic is in the C language.
  • the packaging party will be difficult to crack the logic in *.so through the decompilation tool, which greatly increases the technical difficulty of the cracking than the implementation using the Java language; on the server side, the pre-configured
  • the signature value of the original APK is used to decrypt the encrypted byte stream. If the network data request is successfully decrypted, the original APK installed on the client may not decrypt the network data request, indicating the client.
  • the tamper-proof APK is installed on the website, so that the related functions of the client with the tamper-proof APK can be disabled; therefore, the check logic of the APK can be prevented from being decompiled, and the reliability of the package inspection is improved.
  • the mobile terminal of the present invention can be a variety of Bluetooth-enabled handheld terminal devices, such as a Bluetooth-enabled mobile phone, a personal digital assistant (PDA).
  • a Bluetooth-enabled mobile phone such as a Bluetooth-enabled mobile phone, a personal digital assistant (PDA).
  • PDA personal digital assistant
  • the method according to the invention can also be implemented as a computer program executed by a processor (such as a CPU) in a mobile terminal and stored in a memory of the mobile terminal.
  • a processor such as a CPU
  • the above-described functions defined in the method of the present invention are performed when the computer program is executed by the processor.
  • the method according to the invention may also be embodied as a computer program product comprising a computer readable medium on which is stored a computer program for performing the functions described above in the method of the invention. .
  • the method steps and system units described above may also be implemented with a controller and a computer readable storage device for storing a computer program that causes the controller to implement the steps or unit functions described above.

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)

Abstract

A verification method, client, server and system for an installation package. The method comprises: acquiring a signature value of a first APK in a C language environment (S101); using the signature value of the first APK to perform first encryption processing on a request parameter for requesting a network data, to obtain an encrypted byte stream (S102); sending the encrypted byte stream to a server, for the server to decode the encrypted byte stream by means of a pre-configured signature value of a second APK (S103), wherein the second APK is an original APK; and receiving information returned when the server fails to decode the request parameter and used for identifying the first APK as a tampered APK (S104).By utilizing the method, a verification logic of the installation package can be prevented from being decompiled, and the reliability for verifying the installation package is improved.

Description

一种安装包的校验方法、客户端、服务器及系统Method for verifying installation package, client, server and system 技术领域Technical field
本发明涉及移动通信的数据处理领域,更为具体地,涉及一种安装包的校验方法、客户端、服务器及系统。The present invention relates to the field of data processing of mobile communications, and more particularly to a method, a client, a server and a system for verifying an installation package.
发明背景Background of the invention
随着Android平台的流行,很多优秀的Android安装包被不法分子篡改:或植入恶意病毒;或添加广告,然后通过二次打包再次进入渠道。With the popularity of the Android platform, many excellent Android installation packages have been tampered with by lawless elements: or implanted with malicious viruses; or add ads, and then re-enter the channel through secondary packaging.
针对安装包防篡改,目前市场主要使用防篡改校验方案,校验过程用Java语言实现,其中,校验流程如下:在NDK(Native Development Kit,原生开发工具包)层中用Java语言获取APK签名值,检验APK(Android Package,安卓安装包)签名值与预先配置的APK签名值是否匹配;如匹配,则说明APK是正版未被篡改的;如不匹配,则说明APK被篡改。For the anti-tampering of the installation package, the current market mainly uses the tamper-proof verification scheme, and the verification process is implemented in the Java language. The verification process is as follows: in the NDK (Native Development Kit) layer, the Java language is used to obtain the APK. Signature value, check whether the APK (Android Package, Android installation package) signature value matches the pre-configured APK signature value; if it matches, the APK is genuine and has not been tampered with; if it does not match, the APK has been tampered with.
然而由于Java是解释型语言,进行校验时以中间代码的形式运行在虚拟机环境中,这使得校验逻辑容易被反编译,将校验逻辑在‘*.smali’中被还原或删除掉,这样就达不到安装包校验的目的,降低了安装包检验的可靠性。However, since Java is an interpreted language, it runs in the virtual machine environment in the form of intermediate code during verification. This makes the check logic easy to be decompiled, and the check logic is restored or deleted in '*.smali'. This will not achieve the purpose of the installation package verification, reducing the reliability of the installation package inspection.
发明内容Summary of the invention
本发明的目的在于提出一种安装包的校验方法、客户端、服务器及系统,可以防止安装包的校验逻辑被反编译,提高安装包检验的可靠性。 The object of the present invention is to provide a verification method, a client, a server and a system for an installation package, which can prevent the verification logic of the installation package from being decompiled and improve the reliability of the installation package inspection.
根据本发明的一个方面,提供了一种安装包的校验方法,其中,包括步骤:According to an aspect of the present invention, a verification method of an installation package is provided, comprising the steps of:
获取第一APK的签名值;以及利用所述第一APK的签名值对用来请求网络数据的请求参数进行第一加密处理,得到加密字节流;将所述加密字节流发送至服务器,以供服务器利用预先配置的第二APK的签名值,解密所述加密字节流;其中,所述第二APK是原始APK;接收当服务器未解密出所述请求参数时返回的用于标识所述第一APK为被篡改的APK的信息。Obtaining a signature value of the first APK; and performing a first encryption process on the request parameter for requesting the network data by using the signature value of the first APK to obtain an encrypted byte stream; and sending the encrypted byte stream to the server, And the server decrypts the encrypted byte stream by using a signature value of the pre-configured second APK; wherein the second APK is an original APK; and receiving the identifier for returning when the server does not decrypt the request parameter The first APK is information about the tampering APK.
优选的,在C语言环境下获取第一APK的签名值。Preferably, the signature value of the first APK is obtained in a C language environment.
优选的,所述加密字节流为*.so文件的形式。Preferably, the encrypted byte stream is in the form of a *.so file.
根据本发明的另一个方面,提供了一种安装包的校验方法,其中,包括步骤:According to another aspect of the present invention, a verification method of an installation package is provided, comprising the steps of:
接收客户端发送的加密字节流;其中,所述加密字节流是利用客户端获取的第一APK的签名值对用于请求网络数据的请求参数进行加密处理得到的;利用预先配置的第二APK的签名值,解密所述加密字节流;其中,所述第二APK是原始APK;若未解密出所述请求参数,则向客户端返回用于标识所述第一APK为被篡改的APK的信息。Receiving, by the client, an encrypted byte stream, where the encrypted byte stream is obtained by encrypting a request parameter for requesting network data by using a signature value of the first APK acquired by the client; a signature value of the second APK, decrypting the encrypted byte stream; wherein the second APK is an original APK; if the request parameter is not decrypted, returning to the client for identifying the first APK as being tampered with APK information.
优选的,客户端在C语言环境下获取第一APK的签名值。Preferably, the client obtains the signature value of the first APK in the C language environment.
优选的,所述加密字节流为*.so文件的形式。Preferably, the encrypted byte stream is in the form of a *.so file.
根据本发明的另一个方面,提供了一种安装包的校验方法,其中,包括步骤:According to another aspect of the present invention, a verification method of an installation package is provided, comprising the steps of:
客户端获取第一APK的签名值;客户端利用所述第一APK的签名值对用于请求网络数据的请求参数进行第一加密处理,得到加密字节流;客户端将所述加密字节流发送至服务器;所述服务器利用预先配置的第二APK的签名值,解密所述加密字节流;其中,所述第二APK是原始APK;若未解密出所述请求参数,则向客户端返回用于标识所述第一APK为被篡改的APK的信息。 The client obtains the signature value of the first APK; the client performs a first encryption process on the request parameter for requesting the network data by using the signature value of the first APK to obtain an encrypted byte stream; the client encrypts the encrypted byte. Sending to the server; the server decrypting the encrypted byte stream by using a pre-configured second APK signature value; wherein the second APK is an original APK; if the request parameter is not decrypted, then the client The terminal returns information for identifying that the first APK is a tampered APK.
优选的,客户端在C语言环境下获取第一APK的签名值。Preferably, the client obtains the signature value of the first APK in the C language environment.
优选的,所述加密字节流为*.so文件的形式。Preferably, the encrypted byte stream is in the form of a *.so file.
根据本发明的另一个方面,提供了一种安装包的校验方法,其中,包括步骤:According to another aspect of the present invention, a verification method of an installation package is provided, comprising the steps of:
客户端获取第一APK的签名值;The client obtains the signature value of the first APK;
客户端判断第一APK的签名值与预先配置的第二APK的签名值是否相等;其中,第二APK为原始APK;若判断结果为否,则客户端返回用于标识第一APK为被篡改的APK的信息;若判断结果为是,则客户端利用第一APK的签名值对用来请求网络数据的请求参数进行第一加密处理,得到加密字节流;The client determines whether the signature value of the first APK is equal to the signature value of the pre-configured second APK; wherein the second APK is the original APK; if the determination result is no, the client returns to identify the first APK as being tampered with If the result of the determination is yes, the client uses the signature value of the first APK to perform a first encryption process on the request parameter for requesting the network data to obtain an encrypted byte stream;
客户端将加密字节流发送至服务器,以供服务器利用预先配置的第二APK的签名值解密该加密字节流;The client sends the encrypted byte stream to the server, so that the server decrypts the encrypted byte stream by using the signature value of the pre-configured second APK;
客户端接收当服务器解密出请求参数时,由服务器返回的用于标识第一APK为原始APK的信息;以及当服务器未解密出请求参数时,由服务器返回的用于标识第一APK为被篡改的APK的信息。The client receives information returned by the server for identifying the first APK as the original APK when the server decrypts the request parameter; and when the server does not decrypt the request parameter, the server returns the identifier for identifying the first APK to be tampered with APK information.
优选的,客户端在C语言环境下获取第一APK的签名值。Preferably, the client obtains the signature value of the first APK in the C language environment.
优选的,所述加密字节流为*.so文件的形式。Preferably, the encrypted byte stream is in the form of a *.so file.
根据本发明的另一个方面,提供了一种客户端,其中,包括:According to another aspect of the present invention, a client is provided, including:
第一获取单元,用于获取第一APK的签名值;a first acquiring unit, configured to acquire a signature value of the first APK;
加密单元,用于利用所述第一APK的签名值对用来请求网络数据的请求参数进行第一加密处理,得到加密字节流;An encryption unit, configured to perform, by using a signature value of the first APK, a first encryption process on a request parameter used to request network data, to obtain an encrypted byte stream;
第一发送单元,用于将所述加密字节流发送至服务器,以供服务器利用预先配置的第二APK的签名值,解密所述加密字节流;其中,所述第二APK是原始APK;a first sending unit, configured to send the encrypted byte stream to a server, where the server decrypts the encrypted byte stream by using a pre-configured second APK signature value; wherein the second APK is a raw APK ;
第一接收单元,用于接收当服务器未解密出所述请求参数时返回的用于标识所述第一APK为被篡改的APK的信息。And a first receiving unit, configured to receive, when the server does not decrypt the request parameter, information used to identify the first APK as a tampered APK.
优选的,第一获取单元在C语言环境下获取第一APK的签名值。 Preferably, the first obtaining unit acquires the signature value of the first APK in a C language environment.
优选的,所述加密字节流为*.so文件的形式。Preferably, the encrypted byte stream is in the form of a *.so file.
根据本发明的另一个方面,提供了一种服务器,其中,包括:According to another aspect of the present invention, a server is provided, comprising:
第二接收单元,用于接收客户端发送的加密字节流;其中,所述加密字节流是利用客户端获取的第一APK的签名值对用于请求网络数据的请求参数进行加密处理得到的;a second receiving unit, configured to receive an encrypted byte stream sent by the client, where the encrypted byte stream is obtained by encrypting a request parameter for requesting network data by using a signature value of the first APK acquired by the client of;
解密单元,用于利用预先配置的第二APK的签名值,解密所述加密字节流;其中,所述第二APK是原始APK;a decrypting unit, configured to decrypt the encrypted byte stream by using a signature value of a pre-configured second APK; wherein the second APK is an original APK;
第二发送单元,用于若未解密出所述请求参数,则向客户端返回用于标识所述第一APK为被篡改的APK的信息。The second sending unit is configured to return, to the client, information for identifying that the first APK is a tampered APK if the request parameter is not decrypted.
优选的,客户端在C语言环境下获取第一APK的签名值。Preferably, the client obtains the signature value of the first APK in the C language environment.
优选的,所述加密字节流为*.so文件的形式。Preferably, the encrypted byte stream is in the form of a *.so file.
根据本发明的另一个方面,提供了一种安装包的校验系统,其中,包括:上述客户端和上述服务器。According to another aspect of the present invention, a verification system for an installation package is provided, comprising: the above client and the server.
利用本发明的方案,客户端优选在C语言环境中获取APK的签名值以及利用该签名值加密APK的网络数据请求并将加密后的字节流发送至服务器校验,由于上述过程逻辑在C语言中进行编译后产生‘*.so文件’,通过反编译工具将很难破解‘*.so文件’里的逻辑,在破解技术难度上比使用Java语言实现的方案大大增加;在服务器侧,利用预先配置的原始APK的签名值去解密上述加密的字节流,若能成功解密出上述网络数据请求,则说明上述客户端上安装的是原始的APK,若不能解密出上述网络数据请求,则说明上述客户端上安装的是被篡改的APK,从而可以禁止安装有被篡改的APK的客户端的相关功能。因此,通过上述处理,可以防止APK的校验逻辑被反编译,提高安装包检验的可靠性。With the solution of the present invention, the client preferably obtains the signature value of the APK in the C language environment and uses the signature value to encrypt the network data request of the APK and sends the encrypted byte stream to the server for verification, because the above process logic is in C After compiling in the language, the '*.so file' is generated. It is difficult to crack the logic in the '*.so file' by the decompilation tool. The solution to the technical difficulty is much more complicated than the one achieved by using the Java language. On the server side, Decrypting the encrypted byte stream by using the signature value of the pre-configured original APK. If the network data request is successfully decrypted, the original APK is installed on the client, and if the network data request cannot be decrypted, It means that the tamper-proof APK is installed on the above client, so that the related function of the client with the tamper-proof APK installed can be prohibited. Therefore, by the above processing, it is possible to prevent the check logic of the APK from being decompiled, and to improve the reliability of the installation package check.
为了实现上述目的,本发明的一个或多个方面包括后面将详细说明并在权利要求中特别指出的特征。下面的说明以及附图详细说明了本发明的某些示例性方面。然而,这些方面指示的仅仅是可使用本发明 的原理的各种方式中的一些方式。此外,本发明旨在包括所有这些方面以及它们的等同物。In order to achieve the above objects, the one or more aspects of the present invention include the features which are described in detail below and particularly pointed out in the claims. The following description and the annexed drawings set forth in detail However, these aspects indicate that only the invention can be used. Some of the ways in which the principles are. Furthermore, the invention is intended to cover all such aspects and their equivalents.
附图简要说明BRIEF DESCRIPTION OF THE DRAWINGS
根据下述参照附图进行的详细描述,本发明的上述和其他目的、特征和优点将变得更加显而易见。在附图中:The above and other objects, features and advantages of the present invention will become more apparent from the Detailed Description In the drawing:
图1示出了本发明提出的一种安装包的校验方法的一个流程图;1 is a flow chart showing a verification method of an installation package proposed by the present invention;
图2示出了本发明提出的一种安装包的校验方法的另一个流程图;2 is another flow chart showing a verification method of an installation package proposed by the present invention;
图3示出了本发明提出的一种安装包的校验方法的另一个流程图;3 is another flow chart showing a verification method of an installation package proposed by the present invention;
图4示出了本发明提出的一种安装包的校验方法的另一个流程图;4 is another flow chart showing a verification method of an installation package proposed by the present invention;
图5示出了本发明提出的一种客户端的一个结构示意图;FIG. 5 is a schematic structural diagram of a client according to the present invention; FIG.
图6示出了本发明提出的一种客户端的另一个结构示意图;FIG. 6 is a schematic diagram showing another structure of a client according to the present invention;
图7示出了本发明提出的一种客户端的另一个结构示意图;FIG. 7 is a schematic diagram showing another structure of a client proposed by the present invention;
图8示出了本发明提出的一种服务器的结构示意图;FIG. 8 is a schematic structural diagram of a server according to the present invention;
图9示出了本发明提出的一种安装包的校验系统的结构示意图。FIG. 9 is a block diagram showing the structure of a calibration system for an installation package according to the present invention.
在所有附图中相同的标号指示相似或相应的特征或功能。The same reference numerals are used throughout the drawings to refer to the
实施本发明的方式Mode for carrying out the invention
下面描述本公开的各个方面。应该明白的是,本文的教导可以以多种多样形式具体体现,并且在本文中公开的任何具体结构、功能或两者仅仅是代表性的。基于本文的教导,本领域技术人员应该明白的是,本文所公开的一个方面可以独立于任何其它方面实现,并且这些方面中的两个或多个方面可以按照各种方式组合。例如,可以使用本文所阐述的任何数目的方面,实现装置或实践方法。另外,可以使用其它结构、功能、或除了本文所阐述的一个或多个方面之外或不是本文所阐述的一个或多个方面的结构和功能,实现这种装置或实践这种方法。此外,本文所描述的任何方面可以包括权利要求的至少一个元素。 Various aspects of the disclosure are described below. It should be understood that the teachings herein may be embodied in a variety of forms and that any specific structure, function, or both disclosed herein are merely representative. Based on the teachings herein, one of ordinary skill in the art will appreciate that one aspect disclosed herein can be implemented independently of any other aspects, and two or more of these aspects can be combined in various ways. For example, an apparatus or a method of practice can be implemented using any number of the aspects set forth herein. In addition, such an apparatus may be implemented or practiced using other structures, functions, or structures and functions in addition to or in one or more aspects than those set forth herein. Furthermore, any aspect described herein can include at least one element of the claims.
下面将参照附图描述本发明的各个实施例。Various embodiments of the present invention will be described below with reference to the drawings.
本发明提出一种安装包的校验方法,其流程可参考图1;具体的,包括步骤:The present invention provides a verification method for an installation package, and the flow thereof can be referred to FIG. 1; specifically, the steps include:
步骤S101:获取第一APK的签名值;Step S101: Acquire a signature value of the first APK;
其中,第一APK指的是用户下载到客户端的APK;具体的,获取第一APK的签名值时,可以通过getPost函数调用getSign函数获得第一APK的签名值sign;The first APK refers to the APK that the user downloads to the client; specifically, when the signature value of the first APK is obtained, the getSign function may be called by the getPost function to obtain the signature value of the first APK;
其中,C语言环境为优选方案,即获取第一APK的签名值优选在C语言环境下实现。The C language environment is a preferred solution, that is, the signature value of the first APK is preferably implemented in a C language environment.
步骤S102:利用第一APK的签名值对用来请求网络数据的请求参数进行第一加密处理,得到加密字节流;Step S102: Perform a first encryption process on the request parameter for requesting network data by using a signature value of the first APK, to obtain an encrypted byte stream.
具体的,可以通过getPost函数调用encodeData函数利用第一APK的签名值作为加密密钥对请求网络数据的请求参数进行第一加密处理,得到加密字节流。其中,第一加密处理采用的加密算法为可逆对称算法,如:DES算法、RC5算法,也可以采用M9加密算法。Specifically, the getPost function may be used to call the encodeData function to perform the first encryption process on the request parameter of the request network data by using the signature value of the first APK as the encryption key to obtain an encrypted byte stream. The encryption algorithm used in the first encryption process is a reversible symmetric algorithm, such as a DES algorithm, an RC5 algorithm, or an M9 encryption algorithm.
优选的,所述加密字节流为*.so文件的形式。Preferably, the encrypted byte stream is in the form of a *.so file.
然后进行步骤S103:将加密字节流发送至服务器,以供服务器利用预先配置的第二APK的签名值解密该加密字节流;Then proceeding to step S103: sending the encrypted byte stream to the server, so that the server decrypts the encrypted byte stream by using the signature value of the pre-configured second APK;
其中,第二APK是原始APK;在C语言环境下进行步骤S101及步骤S102,及将加密字节流发送给服务器,由于上述过程逻辑在C语言中进行编译后产生‘*.so文件’,通过反编译工具将很难破解‘*.so文件’里的逻辑,在破解技术难度上比使用Java语言实现的方案大大增加;The second APK is the original APK; in step S101 and step S102 in the C language environment, and the encrypted byte stream is sent to the server, since the above process logic is compiled in the C language to generate a '*.so file', It is very difficult to crack the logic in the '*.so file' by decompilation tools, which greatly increases the technical difficulty of cracking than the implementation using Java language.
步骤S104:接收当服务器未解密出请求参数时返回的用于标识第一APK为被篡改的APK的信息。其中,当服务器解密出请求参数时返回的用于标识第一APK为原始APK的信息。Step S104: Receive information for identifying that the first APK is a tampered APK when the server does not decrypt the request parameter. The information returned when the server decrypts the request parameter is used to identify that the first APK is the original APK.
以上提到的函数getPost、getSign、encodeData,实现过程都位于Android NDK层,用C语言实现,属于系统原生代码,编译后会产生‘*.so 文件’,用反编译工具无法反编译出此类文件。The above mentioned functions getPost, getSign, encodeData, the implementation process is located in the Android NDK layer, implemented in C language, belongs to the system native code, will generate ‘*.so after compilation File ', such files cannot be decompiled with decompilation tools.
利用本发明,客户端在C语言环境中获取APK的签名值以及利用该签名值加密APK的网络数据请求并将加密后的字节流发送至服务器校验,由于上述过程逻辑在C语言中进行编译后产生‘*.so文件’,通过反编译工具将很难破解‘*.so文件’里的逻辑,在破解技术难度上比使用Java语言实现的方案大大增加;在服务器侧,利用预先配置的原始APK的签名值去解密上述加密的字节流,若能成功解密出上述网络数据请求,则说明上述客户端上安装的原始的APK,若不能解密出上述网络数据请求,则说明上述客户端上安装的是被篡改的APK,从而可以禁止安装有被篡改的APK的客户端的相关功能;因此可以防止APK的校验逻辑被反编译,提高安装包检验的可靠性。With the present invention, the client obtains the signature value of the APK in the C language environment and encrypts the network data request of the APK by using the signature value, and sends the encrypted byte stream to the server for verification, because the above process logic is performed in the C language. After compiling, the '*.so file' is generated. It is very difficult to crack the logic in the '*.so file' by decompilation tool. The solution is much more difficult to solve in the technical difficulty than using the Java language. On the server side, the pre-configuration is utilized. The signature value of the original APK to decrypt the encrypted byte stream. If the above network data request can be successfully decrypted, the original APK installed on the client may not decrypt the above network data request, indicating the above client. The tamper-proof APK is installed on the side, so that the related functions of the client with the tamper-proof APK can be disabled; therefore, the check logic of the APK can be prevented from being decompiled, and the reliability of the package inspection is improved.
为了进一步防止APK的校验逻辑被反编译,提高安装包检测的可靠性,针对上述实施例,在步骤S102中,利用第一APK的签名值对用来请求网络数据的请求参数进行第一加密处理时,具体可以按以下步骤进行:1)按预定算法对该第一APK的签名值进行第二加密处理,得到加密后的第一APK的签名值;具体的,进行第二加密处理时,可通过getPost函数调用getKey函数根据预定算法来对APK的签名值进行加密处理;其中,预定算法可以是md5加密算法也可以是可产生固定长度字符串的算法;2)利用该加密后的第一APK的签名值对用来请求网络数据的请求参数进行第一加密处理。In order to further prevent the check logic of the APK from being decompiled and improve the reliability of the installation package detection, in the above embodiment, in step S102, the first encryption of the request parameter for requesting the network data is performed by using the signature value of the first APK. The processing may be performed as follows: 1) performing a second encryption process on the signature value of the first APK according to a predetermined algorithm to obtain a signature value of the encrypted first APK; specifically, when performing the second encryption process, The getKey function may be called by the getPost function to encrypt the signature value of the APK according to a predetermined algorithm; wherein the predetermined algorithm may be an md5 encryption algorithm or an algorithm capable of generating a fixed length string; 2) using the encrypted first The signature value of the APK performs a first encryption process on the request parameters used to request the network data.
对应的,经步骤S103将加密字节流发送给服务器后,服务器利用预先配置的按该预定算法加密后的第二APK的签名值解密该加密字节流。即是说,预先约定好在客户端加密和在服务器中解密的方式,这种方式只有客户端和服务器知道,同时由于是在C语言的环境下进行,因此这种方式不会被反编译而被获取,可以充分保证安全性。Correspondingly, after the encrypted byte stream is sent to the server in step S103, the server decrypts the encrypted byte stream by using a pre-configured signature value of the second APK encrypted by the predetermined algorithm. That is to say, the way to encrypt the client and decrypt it in the server is pre-agreed. This method is only known by the client and the server, and since it is performed in the C language environment, this method will not be decompiled. Obtained to ensure full security.
在本发明的一个方面,可以先在客户端进行APK的初始检测,只有通过初始检测的,才进行上述实施例中步骤S102之后的安装包检测 流程;初始检测的一个可选方法是检测APK签名值;具体的,初始检测在步骤S101之后进行,包括步骤:In an aspect of the present invention, the initial detection of the APK may be performed on the client first, and only after the initial detection, the installation package detection after step S102 in the above embodiment is performed. An optional method for initial detection is to detect the APK signature value; specifically, the initial detection is performed after step S101, including the steps:
客户端将第一APK的签名值与在客户端预先配置的第二APK的签名值进行比较,若相等,则客户端进行该S102步骤及之后的检测流程;若不相等,则返回用于标识该第一APK为被篡改的APK的信息。The client compares the signature value of the first APK with the signature value of the second APK pre-configured on the client. If they are equal, the client performs the detection process of step S102 and subsequent; if not, returns the identifier for The first APK is information of the tampering APK.
初始检测的另一个可选方法是获取dex(Android平台上可执行文件的类型)文件的CRC(Cyclical Redundancy Check,循环冗余码校验)值,将获取的CRC值与预配置的CRC值比较;具体的,初始检测在步骤S101之后进行,包括步骤:Another optional method for initial detection is to obtain the CRC (Cyclical Redundancy Check) value of the dex (type of executable file on the Android platform) file, and compare the obtained CRC value with the pre-configured CRC value. Specifically, the initial detection is performed after step S101, including the steps:
客户端获取第一APK的dex文件的CRC值;The client obtains the CRC value of the dex file of the first APK;
客户端将该dex文件的CRC值与预配置的CRC值比较,其中,预配置的CRC值为原始APK的dex文件的CRC值;The client compares the CRC value of the dex file with a pre-configured CRC value, wherein the pre-configured CRC value is a CRC value of a dex file of the original APK;
当dex文件的CRC值与预配置的CRC值相等时,客户端进行上述S102步骤及之后的检测流程。若dex文件的CRC值与预配置的CRC值不相等,则返回用于标识该第一APK为被篡改的APK的信息。When the CRC value of the dex file is equal to the pre-configured CRC value, the client performs the above-described step S102 and the subsequent detection process. If the CRC value of the dex file is not equal to the pre-configured CRC value, information indicating that the first APK is the tampered APK is returned.
初始检测的另一个可选方法是对APK签名值进行第一次检测(或者说第一次比较),以及在检测结果为是时,再对dex文件的CRC值进行第二次检测(或者说第二次比较);具体的,初始检测在步骤S101之后进行,包括步骤:Another alternative to the initial detection is to perform a first detection (or first comparison) of the APK signature value, and a second detection of the CRC value of the dex file when the detection result is yes (or The second comparison); specifically, the initial detection is performed after step S101, including the steps:
客户端将第一APK的签名值与在客户端预先配置的第二APK的签名值进行比较,若相等,则客户端获取dex文件的CRC值并与预配置的CRC值比较;若不相等,则返回用于标识该第一APK为被篡改的APK的信息;The client compares the signature value of the first APK with the signature value of the second APK pre-configured on the client. If they are equal, the client obtains the CRC value of the dex file and compares it with the pre-configured CRC value; if not, Returning information for identifying the first APK as a tampered APK;
当该dex文件的CRC值与预配置的CRC值相等时,客户端进行该S102步骤及之后的检测流程;若不相等,则返回用于标识第一APK为被篡改的APK的信息。When the CRC value of the dex file is equal to the pre-configured CRC value, the client performs the S102 step and the subsequent detection process; if not, returns information for identifying the first APK as the tampered APK.
只要APK被反编译,dex文件就会产生变化,CRC值也会改变。因 此根据dex文件的CRC值,可以初步判断第一APK是否被篡改。As long as the APK is decompiled, the dex file will change and the CRC value will change. Cause According to the CRC value of the dex file, it can be initially determined whether the first APK has been tampered with.
一个优选的实施例流程如图2所示,该方法基于客户端侧。在进行具体流程前,可先进行代码混淆:将第一APK的类名、包名混淆为Window系统和Linux系统两个系统命名系统严令禁止使用的文件名,如com1、Com1等,其中,混淆指的是对第一APK的类名、包名进行重新组织和处理,得到Window系统和Linux系统两个系统命名系统严令禁止使用的文件名;然后进行以下处理流程:A preferred embodiment flow is shown in Figure 2, which is based on the client side. Before proceeding with the specific process, you can first confuse the code: confuse the class name and package name of the first APK into the file names strictly forbidden by the two system naming systems of Window System and Linux system, such as com1, Com1, etc. Refers to the reorganization and processing of the class name and package name of the first APK, and obtains the file name strictly prohibited by the two system naming systems of the Window system and the Linux system; then the following processing flow is performed:
步骤S201:客户端获取第一APK的签名值;Step S201: The client acquires the signature value of the first APK.
步骤S202:客户端判断第一APK的签名值与预先配置的第二APK的签名值是否相等;其中,第二APK为原始APK;若判断结果为否,则进行步骤S203;若判断结果为是,则进行步骤S204;Step S202: The client determines whether the signature value of the first APK is equal to the signature value of the pre-configured second APK; wherein the second APK is the original APK; if the determination result is no, proceed to step S203; if the determination result is yes , proceeding to step S204;
步骤S203:客户端返回用于标识第一APK为被篡改的APK的信息;Step S203: The client returns information for identifying that the first APK is a tampered APK;
步骤S204:客户端获取第一APK的dex文件的CRC值;Step S204: The client acquires the CRC value of the dex file of the first APK;
步骤S205:客户端判断dex文件的CRC值与预配置的CRC值是否相等;其中,预配置的CRC值是用于参考的CRC值,即原始APK的dex文件的CRC值;当判断dex文件的CRC值与预配置的CRC值不相等时,进行步骤S203;当判断dex文件的CRC值与预配置的CRC值相等时,进行步骤S206;Step S205: The client determines whether the CRC value of the dex file is equal to the pre-configured CRC value; wherein, the pre-configured CRC value is a CRC value for reference, that is, a CRC value of the original APK dex file; when determining the dex file When the CRC value is not equal to the pre-configured CRC value, proceed to step S203; when it is determined that the CRC value of the dex file is equal to the pre-configured CRC value, proceed to step S206;
步骤S206:客户端利用第一APK的签名值对用来请求网络数据的请求参数进行第一加密处理,得到加密字节流;具体的,客户端还可以按预定算法先对第一APK的签名值进行加密处理;然后再根据加密后的第一APK的签名值用来请求网络数据的请求参数进行第一加密处理。Step S206: The client uses the signature value of the first APK to perform a first encryption process on the request parameter for requesting the network data, to obtain an encrypted byte stream. Specifically, the client may also first sign the first APK according to a predetermined algorithm. The value is subjected to encryption processing; and then the first encryption processing is performed by requesting the request parameter of the network data according to the encrypted signature value of the first APK.
步骤S207:客户端将加密字节流发送至服务器,以供服务器利用预先配置的第二APK的签名值解密该加密字节流;具体的,当步骤S206中,根据加密后的第一APK的签名值用来请求网络数据的请求参数进行第一加密处理时,服务器利用预先配置的按预定算法加密后的第二APK的签名值,解密该加密字节流。 Step S207: The client sends the encrypted byte stream to the server, so that the server decrypts the encrypted byte stream by using the signature value of the pre-configured second APK. Specifically, in step S206, according to the encrypted first APK. When the signature value is used to request the request parameter of the network data to perform the first encryption process, the server decrypts the encrypted byte stream by using the pre-configured signature value of the second APK encrypted by the predetermined algorithm.
步骤S208:客户端接收当服务器解密出请求参数时,由服务器返回的用于标识第一APK为原始APK的信息;以及当服务器未解密出请求参数时,由服务器返回的用于标识第一APK为被篡改的APK的信息。Step S208: The client receives, when the server decrypts the request parameter, the information returned by the server for identifying the first APK as the original APK; and when the server does not decrypt the request parameter, the first APK returned by the server is used to identify the first APK. Information for the tampering APK.
其中,C语言环境为优选方案,即获取第一APK的签名值优选在C语言环境下实现。优选的,所述加密字节流为*.so文件的形式。The C language environment is a preferred solution, that is, the signature value of the first APK is preferably implemented in a C language environment. Preferably, the encrypted byte stream is in the form of a *.so file.
本发明还提出了另一种安装包的校验方法,该方法基于服务器侧,其流程可参考图3所示,包括步骤:The present invention also proposes another verification method of the installation package, which is based on the server side, and the flow thereof can be referred to FIG. 3, including the steps:
步骤S301:服务器接收客户端发送的加密字节流;其中,该加密字节流是利用客户端在C语言环境下获取的第一APK的签名值对用于请求网络数据的请求参数进行加密处理得到的;Step S301: The server receives the encrypted byte stream sent by the client, where the encrypted byte stream is encrypted by using the signature value of the first APK acquired by the client in the C language environment for requesting the network data. owned;
步骤S302:服务器利用预先配置的第二APK的签名值解密加密字节流;其中,该第二APK是原始APK;Step S302: The server decrypts the encrypted byte stream by using the signature value of the pre-configured second APK; wherein the second APK is the original APK;
步骤S303:服务器若解密出请求参数,则向客户端返回用于标识第一APK为原始APK的信息;若服务器未解密出请求参数,则向客户端返回用于标识第一APK为被篡改的APK的信息。Step S303: If the server decrypts the request parameter, the server returns information for identifying the first APK as the original APK, and if the server does not decrypt the request parameter, returns to the client to identify that the first APK is tampered with. APK information.
其中,C语言环境为优选方案,即获取第一APK的签名值优选在C语言环境下实现。The C language environment is a preferred solution, that is, the signature value of the first APK is preferably implemented in a C language environment.
优选的,所述加密字节流为*.so文件的形式。Preferably, the encrypted byte stream is in the form of a *.so file.
本发明还提出了另一种安装包的校验方法,其流程可参考图4所示,该方法基于客户端与服务器的交互,具体步骤包括:The present invention also provides another verification method for the installation package. The process can be referred to FIG. 4, which is based on the interaction between the client and the server. The specific steps include:
步骤S401:客户端获取第一APK的签名值;Step S401: The client acquires the signature value of the first APK.
步骤S402:客户端利用第一APK的签名值对用于请求网络数据的请求参数进行第一加密处理,得到加密字节流;Step S402: The client performs a first encryption process on the request parameter for requesting network data by using the signature value of the first APK to obtain an encrypted byte stream.
步骤S403:客户端发送上述加密字节流给服务器;Step S403: The client sends the encrypted byte stream to the server.
步骤S404:服务器利用预先配置的第二APK的签名值解密加密字节流;其中,该第二APK是原始APK;然后根据解密结果进行步骤S405或者步骤S406。 Step S404: The server decrypts the encrypted byte stream by using the signature value of the pre-configured second APK; wherein the second APK is the original APK; and then proceeds to step S405 or step S406 according to the decrypted result.
步骤S405:服务器若解密出该请求参数,则向客户端返回用于标识该第一APK为该原始APK的信息;Step S405: If the server decrypts the request parameter, the server returns information for identifying the first APK as the original APK.
步骤S406:服务器若未解密出该请求参数,则向客户端返回用于标识该第一APK为被篡改的APK的信息。Step S406: If the server does not decrypt the request parameter, the server returns information for identifying the first APK as the tampered APK.
其中,C语言环境为优选方案,即获取第一APK的签名值优选在C语言环境下实现。The C language environment is a preferred solution, that is, the signature value of the first APK is preferably implemented in a C language environment.
优选的,所述加密字节流为*.so文件的形式。Preferably, the encrypted byte stream is in the form of a *.so file.
本发明的另一方面,还提出了一种客户端801,其结构示意图可参考图5,客户端801包括:In another aspect of the present invention, a client 801 is also provided. The structure of the client 801 is as shown in FIG. 5. The client 801 includes:
第一获取单元601,用于获取第一APK的签名值;The first obtaining unit 601 is configured to acquire a signature value of the first APK.
其中,C语言环境为优选方案,即获取第一APK的签名值优选在C语言环境下实现。The C language environment is a preferred solution, that is, the signature value of the first APK is preferably implemented in a C language environment.
加密单元602,用于利用该第一APK的签名值对用来请求网络数据的请求参数进行第一加密处理,得到加密字节流;The encryption unit 602 is configured to perform, by using a signature value of the first APK, a first encryption process on a request parameter used to request network data, to obtain an encrypted byte stream.
优选的,所述加密字节流为*.so文件的形式。Preferably, the encrypted byte stream is in the form of a *.so file.
第一发送单元603,用于将该加密字节流发送至服务器,以供服务器利用预先配置的第二APK的签名值,解密该加密字节流;其中,该第二APK是原始APK;The first sending unit 603 is configured to send the encrypted byte stream to the server, so that the server decrypts the encrypted byte stream by using a pre-configured second APK signature value; wherein the second APK is an original APK;
第一接收单元604,用于接收当服务器未解密出该请求参数时返回的用于标识该第一APK为被篡改的APK的信息。以及,接收当服务器解密出该请求参数时返回的用于标识该第一APK为该原始APK的信息。The first receiving unit 604 is configured to receive, when the server does not decrypt the request parameter, the information that is used to identify the first APK as a tampered APK. And receiving information returned by the server when the request parameter is decrypted to identify the first APK as the original APK.
上述客户端的另一方面,客户端还可以根据APK签名值对APK进行初始检测,具体的,参见图6;客户端还包括:On the other hand, on the other hand, the client can also perform initial detection on the APK according to the APK signature value. Specifically, refer to FIG. 6; the client further includes:
第一比较单元605,用于将第一APK的签名值与预先配置的第二APK的签名值进行比较;The first comparison unit 605 is configured to compare the signature value of the first APK with the signature value of the pre-configured second APK;
第一通知单元606,用于当该第一比较单元的比较结果为相等时, 通知该加密单元对用于请求网络数据的请求参数进行第一加密处理;当第一比较单元的比较结果为不相等时,返回用于标识该第一APK为被篡改的APK的信息;其中,该第二APK为原始APK。a first notification unit 606, configured to: when the comparison result of the first comparison unit is equal, Notifying the encryption unit to perform a first encryption process on the request parameter for requesting the network data; and when the comparison result of the first comparison unit is unequal, returning information for identifying the first APK as the tampered APK; The second APK is the original APK.
上述客户端的另一方面,客户端还可以根据CRC值对APK进行初始检测。具体的,参见图7,客户端还包括:On the other hand, on the other hand, the client can also perform initial detection on the APK according to the CRC value. Specifically, referring to FIG. 7, the client further includes:
第二获取单元607,用于获取第一APK的dex文件的CRC值;a second obtaining unit 607, configured to acquire a CRC value of a dex file of the first APK;
第二比较单元608,用于将该dex文件的CRC值与预配置的CRC值进行比较;The second comparison unit 608 is configured to compare the CRC value of the dex file with the pre-configured CRC value;
第二通知单元609,用于当第二比较单元的比较结果为相等时,通知该加密单元对用于请求网络数据的请求参数进行第一加密处理;当第二比较单元的比较结果为不相等时,返回用于标识该第一APK为被篡改的APK的信息;其中,预配置的CRC值为原始APK的dex文件的CRC值。The second notification unit 609 is configured to notify the encryption unit to perform a first encryption process on the request parameter for requesting network data when the comparison result of the second comparison unit is equal; and when the comparison result of the second comparison unit is unequal And returning information for identifying the first APK as the tampered APK; wherein the pre-configured CRC value is a CRC value of the dex file of the original APK.
上述客户端的另一方面,客户端还可以根据APK签名值和CRC值对APK进行初始检测。具体的,客户端还包括:On the other hand, on the other hand, the client can also perform initial detection on the APK according to the APK signature value and the CRC value. Specifically, the client also includes:
第三比较单元,用于将所述第一APK的签名值与预先配置的第二APK的签名值进行比较;a third comparing unit, configured to compare a signature value of the first APK with a signature value of a pre-configured second APK;
第三获取单元,用于在所述第三比较单元的比较结果为相等时,获取所述第一APK的dex文件的CRC值;a third acquiring unit, configured to acquire a CRC value of the dex file of the first APK when the comparison result of the third comparing unit is equal;
第四比较单元,用于将所述第三获取单元获取的dex文件的CRC值与预配置的CRC值进行比较;a fourth comparing unit, configured to compare a CRC value of the dex file acquired by the third acquiring unit with a pre-configured CRC value;
第三通知单元,用于当所述第四比较单元的比较结果为相等时,通知所述加密单元对用于请求网络数据的请求参数进行第一加密处理;当第三比较单元或第四比较单元的比较结果为不相等时,返回用于标识所述第一APK为被篡改的APK的信息;其中,预配置的CRC值为原始APK的dex文件的CRC值。a third notification unit, configured to notify the encryption unit to perform a first encryption process on a request parameter for requesting network data when the comparison result of the fourth comparison unit is equal; when the third comparison unit or the fourth comparison When the comparison result of the units is unequal, the information for identifying the first APK as the falsified APK is returned; wherein the pre-configured CRC value is the CRC value of the dex file of the original APK.
本发明的另一方面,还提出了一种服务器802,其结构示意图可参 考图8,服务器802包括:In another aspect of the present invention, a server 802 is also proposed, the structure diagram of which can be referred to Referring to Figure 8, server 802 includes:
第二接收单元701,用于接收客户端发送的加密字节流;其中,该加密字节流是利用客户端在C语言环境下获取的第一APK的签名值对用于请求网络数据的请求参数进行加密处理得到的;The second receiving unit 701 is configured to receive an encrypted byte stream sent by the client, where the encrypted byte stream is a request for requesting network data by using a signature value of the first APK acquired by the client in a C language environment. The parameters are obtained by encryption processing;
解密单元702,用于利用预先配置的第二APK的签名值解密该加密字节流;其中,该第二APK是原始APK;The decryption unit 702 is configured to decrypt the encrypted byte stream by using a signature value of the second APK configured in advance; wherein the second APK is an original APK;
第二发送单元703,用于若解密出该请求参数,则向客户端返回用于标识该第一APK为该原始APK的信息;若未解密出该请求参数,则向客户端返回用于标识该第一APK为被篡改的APK的信息。The second sending unit 703 is configured to: if the request parameter is decrypted, return information for identifying the first APK as the original APK to the client; if the request parameter is not decrypted, return the identifier for the client The first APK is information of the tampering APK.
本发明的另一方面,还提出了一种安装包的校验系统,其结构示意图可参考图9,该系统包括:图5所示的客户端801以及图8所示的服务器802。也可以是图6或图7的客户端以及图8的服务器。In another aspect of the present invention, a verification system for an installation package is also provided. Referring to FIG. 9 for a schematic structural diagram, the system includes: a client 801 shown in FIG. 5 and a server 802 shown in FIG. 8. It may also be the client of Figure 6 or Figure 7 and the server of Figure 8.
利用本发明的方案,客户端在C语言环境中获取APK的签名值以及利用该签名值加密APK的网络数据请求并将加密后的字节流发送至服务器校验,由于上述过程逻辑在C语言中进行编译后产生*.so文件,打包党通过反编译工具将很难破解*.so里的逻辑,在破解技术难度上比使用Java语言实现的方案大大增加;在服务器侧,利用预先配置的原始APK的签名值去解密上述加密的字节流,若能成功解密出上述网络数据请求,则说明上述客户端上安装的原始的APK,若不能解密出上述网络数据请求,则说明上述客户端上安装的是被篡改的APK,从而可以禁止安装有被篡改的APK的客户端的相关功能;因此可以防止APK的校验逻辑被反编译,提高安装包检验的可靠性。With the solution of the present invention, the client obtains the signature value of the APK in the C language environment and encrypts the network data request of the APK by using the signature value, and sends the encrypted byte stream to the server for verification, because the above process logic is in the C language. After compiling and generating *.so files, the packaging party will be difficult to crack the logic in *.so through the decompilation tool, which greatly increases the technical difficulty of the cracking than the implementation using the Java language; on the server side, the pre-configured The signature value of the original APK is used to decrypt the encrypted byte stream. If the network data request is successfully decrypted, the original APK installed on the client may not decrypt the network data request, indicating the client. The tamper-proof APK is installed on the website, so that the related functions of the client with the tamper-proof APK can be disabled; therefore, the check logic of the APK can be prevented from being decompiled, and the reliability of the package inspection is improved.
此外,典型地,本发明所述的移动终端可为各种具有蓝牙功能的手持终端设备,例如具有蓝牙功能的手机、个人数字助理(PDA)。In addition, the mobile terminal of the present invention can be a variety of Bluetooth-enabled handheld terminal devices, such as a Bluetooth-enabled mobile phone, a personal digital assistant (PDA).
此外,根据本发明的方法还可以被实现为由移动终端中的处理器(比如CPU)执行的计算机程序,并且存储在移动终端的存储器中。在该计算机程序被处理器执行时,执行本发明的方法中限定的上述功能。 Furthermore, the method according to the invention can also be implemented as a computer program executed by a processor (such as a CPU) in a mobile terminal and stored in a memory of the mobile terminal. The above-described functions defined in the method of the present invention are performed when the computer program is executed by the processor.
此外,根据本发明的方法还可以实现为一种计算机程序产品,该计算机程序产品包括计算机可读介质,在该计算机可读介质上存储有用于执行本发明的方法中限定的上述功能的计算机程序。Furthermore, the method according to the invention may also be embodied as a computer program product comprising a computer readable medium on which is stored a computer program for performing the functions described above in the method of the invention. .
此外,上述方法步骤以及系统单元也可以利用控制器以及用于存储使得控制器实现上述步骤或单元功能的计算机程序的计算机可读存储设备实现。Furthermore, the method steps and system units described above may also be implemented with a controller and a computer readable storage device for storing a computer program that causes the controller to implement the steps or unit functions described above.
本领域技术人员还将明白的是,结合这里的公开所描述的各种示例性逻辑块、模块、电路和算法步骤可以被实现为电子硬件、计算机软件或两者的组合。为了清楚地说明硬件和软件的这种可互换性,已经就各种示意性组件、方块、模块、电路和步骤的功能对其进行了一般性的描述。这种功能是被实现为软件还是被实现为硬件取决于具体应用以及施加给整个系统的设计约束。本领域技术人员可以针对每种具体应用以各种方式来实现所述的功能,但是这种实现决定不应被解释为导致脱离本发明的范围。The various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the disclosure herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described. Whether such functionality is implemented as software or as hardware depends on the particular application and design constraints imposed on the overall system. A person skilled in the art can implement the described functions in various ways for each specific application, but such implementation decisions should not be construed as causing a departure from the scope of the invention.
尽管前面公开的内容示出了本发明的示例性实施例,但是应当注意,在不背离权利要求限定的本发明的范围的前提下,可以进行多种改变和修改。根据这里描述的发明实施例的方法权利要求的功能、步骤和/或动作不需以任何特定顺序执行。此外,尽管本发明的元素可以以个体形式描述或要求,但是也可以设想多个,除非明确限制为单数。While the foregoing disclosure shows exemplary embodiments of the present invention, it should be understood that various changes and modifications may be made without departing from the scope of the invention. The functions, steps and/or actions of the method claims according to the embodiments of the invention described herein are not required to be performed in any particular order. In addition, although elements of the invention may be described or claimed in the form of an individual, many are contemplated, unless explicitly limited to the singular.
虽然如上参照图描述了根据本发明的各个实施例进行了描述,但是本领域技术人员应当理解,对上述本发明所提出的各个实施例,还可以在不脱离本发明内容的基础上做出各种改进。因此,本发明的保护范围应当由所附的权利要求书的内容确定。 Although the description has been made in accordance with the various embodiments of the present invention as described above, those skilled in the art should understand that the various embodiments of the present invention described above may also be made without departing from the scope of the present invention. Improvements. Therefore, the scope of the invention should be determined by the content of the appended claims.

Claims (31)

  1. 一种安装包的校验方法,其中,包括步骤:A method for verifying an installation package, comprising the steps of:
    获取第一APK的签名值;以及利用所述第一APK的签名值对用来请求网络数据的请求参数进行第一加密处理,得到加密字节流;Obtaining a signature value of the first APK; and performing a first encryption process on the request parameter for requesting the network data by using the signature value of the first APK to obtain an encrypted byte stream;
    将所述加密字节流发送至服务器,以供所述服务器利用预先配置的第二APK的签名值解密所述加密字节流;其中,所述第二APK是原始APK;Sending the encrypted byte stream to a server, for the server to decrypt the encrypted byte stream by using a signature value of a pre-configured second APK; wherein the second APK is an original APK;
    接收当所述服务器未解密出所述请求参数时返回的用于标识所述第一APK为被篡改的APK的信息。Receiving information for identifying that the first APK is a tampered APK when the server does not decrypt the request parameter.
  2. 如权利要求1所述的安装包的校验方法,其中,所述利用所述第一APK的签名值对用来请求网络数据的请求参数进行第一加密处理的步骤包括:The method of verifying an installation package according to claim 1, wherein the step of performing a first encryption process on a request parameter for requesting network data by using a signature value of the first APK comprises:
    按预定算法对所述第一APK的签名值进行第二加密处理,得到加密后的第一APK的签名值;Performing a second encryption process on the signature value of the first APK according to a predetermined algorithm to obtain a signature value of the encrypted first APK;
    利用所述加密后的第一APK的签名值对用来请求网络数据的请求参数进行第一加密处理。And performing a first encryption process on the request parameter for requesting network data by using the encrypted signature value of the first APK.
  3. 如权利要求2所述的安装包的校验方法,其中,所述预定算法为可产生固定长度字符串的算法;所述第一加密处理采用的加密算法为可逆对称算法。The method of verifying an installation package according to claim 2, wherein the predetermined algorithm is an algorithm that can generate a fixed-length character string; and the encryption algorithm used in the first encryption process is a reversible symmetric algorithm.
  4. 如权利要求1所述的安装包的校验方法,其中,所述获取第一APK的签名值的步骤之后,还包括步骤:The method for verifying an installation package according to claim 1, wherein the step of acquiring the signature value of the first APK further comprises the steps of:
    将所述第一APK的签名值与预先配置的第二APK的签名值进行比较,若比较结果为相等,则进行所述对用于请求网络数据的请求参数进行第一加密处理的步骤;若比较结果为不相等,则返回用于标识所述第一APK为被篡改的APK的信息;其中,所述第二APK为原始APK。Comparing the signature value of the first APK with the signature value of the second APK configured in advance, and if the comparison result is equal, performing the step of performing the first encryption processing on the request parameter for requesting the network data; If the comparison result is unequal, the information for identifying the first APK as the falsified APK is returned; wherein the second APK is the original APK.
  5. 如权利要求1所述的安装包的校验方法,其中,所述获取第一 APK的签名值的步骤之后,还包括步骤:The method of verifying an installation package according to claim 1, wherein said obtaining the first After the step of signing the value of the APK, the steps are also included:
    获取第一APK的dex文件的CRC值;Obtaining the CRC value of the dex file of the first APK;
    将获取的所述dex文件的CRC值与预配置的CRC值进行比较;当所述dex文件的CRC值与预配置的CRC值相等时,进行所述对用于请求网络数据的请求参数进行第一加密处理的步骤;以及,Comparing the obtained CRC value of the dex file with a pre-configured CRC value; when the CRC value of the dex file is equal to the pre-configured CRC value, performing the request parameter for requesting network data a step of encryption processing; and,
    当所述dex文件的CRC值与预配置的CRC值不相等时,则返回用于标识所述第一APK为被篡改的APK的信息;其中,预配置的CRC值为原始APK的dex文件的CRC值。When the CRC value of the dex file is not equal to the pre-configured CRC value, returning information for identifying the first APK as the tampered APK; wherein the pre-configured CRC value is the dex file of the original APK CRC value.
  6. 如权利要求1所述的安装包的校验方法,其中,所述服务器利用预先配置的第二APK的签名值解密所述加密字节流的步骤包括:The method of verifying an installation package according to claim 1, wherein the step of decrypting the encrypted byte stream by the server using a signature value of a pre-configured second APK comprises:
    所述服务器利用预先配置的按所述预定算法加密后的第二APK的签名值,解密所述加密字节流。The server decrypts the encrypted byte stream by using a pre-configured signature value of the second APK encrypted by the predetermined algorithm.
  7. 如权利要求1所述的安装包的校验方法,其中,所述获取第一APK的签名值的步骤之后,还包括步骤:The method for verifying an installation package according to claim 1, wherein the step of acquiring the signature value of the first APK further comprises the steps of:
    将所述第一APK的签名值与预先配置的第二APK的签名值进行比较:Comparing the signature value of the first APK with the signature value of the pre-configured second APK:
    若比较结果为相等,则获取第一APK的dex文件的CRC值;将获取的所述dex文件的CRC值与预配置的CRC值进行比较;当所述dex文件的CRC值与预配置的CRC值相等时,进行所述对用于请求网络数据的请求参数进行第一加密处理的步骤;当所述dex文件的CRC值与预配置的CRC值不相等时,则返回用于标识所述第一APK为被篡改的APK的信息;其中,预配置的CRC值为原始APK的dex文件的CRC值;If the comparison result is equal, obtaining a CRC value of the dex file of the first APK; comparing the obtained CRC value of the dex file with a pre-configured CRC value; when the CRC value of the dex file and the pre-configured CRC When the values are equal, performing the step of performing a first encryption process on the request parameter for requesting network data; when the CRC value of the dex file is not equal to the pre-configured CRC value, returning to identify the first An APK is the information of the tampered APK; wherein the pre-configured CRC value is the CRC value of the original APK dex file;
    若比较结果为不相等,则返回用于标识所述第一APK为被篡改的APK的信息;其中,所述第二APK为原始APK。If the comparison result is not equal, returning information for identifying that the first APK is a tampered APK; wherein the second APK is the original APK.
  8. 如权利要求1所述的安装包的校验方法,其中,所述加密字节流为*.so文件的形式。 The verification method of an installation package according to claim 1, wherein said encrypted byte stream is in the form of a *.so file.
  9. 如权利要求1所述的安装包的校验方法,其中,在C语言环境下获取第一APK的签名值。The verification method of the installation package according to claim 1, wherein the signature value of the first APK is acquired in a C language environment.
  10. 一种安装包的校验方法,其中,包括步骤:A method for verifying an installation package, comprising the steps of:
    接收客户端发送的加密字节流;其中,所述加密字节流是利用客户端获取的第一APK的签名值对用于请求网络数据的请求参数进行加密处理得到的;Receiving, by the client, an encrypted byte stream, where the encrypted byte stream is obtained by encrypting a request parameter for requesting network data by using a signature value of the first APK acquired by the client;
    利用预先配置的第二APK的签名值解密所述加密字节流;其中,所述第二APK是原始APK;Decrypting the encrypted byte stream with a signature value of a pre-configured second APK; wherein the second APK is an original APK;
    若未解密出所述请求参数,则向客户端返回用于标识所述第一APK为被篡改的APK的信息。If the request parameter is not decrypted, information indicating that the first APK is a tampered APK is returned to the client.
  11. 如权利要求10所述的安装包的校验方法,其中,所述加密字节流为*.so文件的形式。The verification method of an installation package according to claim 10, wherein said encrypted byte stream is in the form of a *.so file.
  12. 如权利要求10所述的安装包的校验方法,其中,客户端在C语言环境下获取第一APK的签名值。The verification method of the installation package according to claim 10, wherein the client obtains the signature value of the first APK in the C language environment.
  13. 一种安装包的校验方法,其中,包括步骤:A method for verifying an installation package, comprising the steps of:
    客户端获取第一APK的签名值;The client obtains the signature value of the first APK;
    客户端利用所述第一APK的签名值对用于请求网络数据的请求参数进行第一加密处理,得到加密字节流;The client performs a first encryption process on the request parameter for requesting network data by using the signature value of the first APK, to obtain an encrypted byte stream;
    客户端将所述加密字节流发送至服务器;The client sends the encrypted byte stream to the server;
    所述服务器利用预先配置的第二APK的签名值,解密接收的所述加密字节流;其中,所述第二APK是原始APK;The server decrypts the received encrypted byte stream by using a pre-configured second APK signature value; wherein the second APK is an original APK;
    若所述服务器未解密出所述请求参数,则向所述客户端返回用于标识所述第一APK为被篡改的APK的信息。If the server does not decrypt the request parameter, returning information to the client for identifying the first APK as a tampered APK.
  14. 如权利要求13所述的安装包的校验方法,其中,所述加密字节流为*.so文件的形式。The verification method of an installation package according to claim 13, wherein said encrypted byte stream is in the form of a *.so file.
  15. 如权利要求13所述的安装包的校验方法,其中,客户端在C语言环境下获取第一APK的签名值。 The verification method of the installation package according to claim 13, wherein the client acquires the signature value of the first APK in a C language environment.
  16. 一种安装包的校验方法,其中,包括步骤:A method for verifying an installation package, comprising the steps of:
    客户端获取第一APK的签名值;The client obtains the signature value of the first APK;
    客户端判断第一APK的签名值与预先配置的第二APK的签名值是否相等;其中,第二APK为原始APK;若判断结果为否,则客户端返回用于标识第一APK为被篡改的APK的信息;若判断结果为是,则客户端利用第一APK的签名值对用来请求网络数据的请求参数进行第一加密处理,得到加密字节流;The client determines whether the signature value of the first APK is equal to the signature value of the pre-configured second APK; wherein the second APK is the original APK; if the determination result is no, the client returns to identify the first APK as being tampered with If the result of the determination is yes, the client uses the signature value of the first APK to perform a first encryption process on the request parameter for requesting the network data to obtain an encrypted byte stream;
    客户端将加密字节流发送至服务器,以供服务器利用预先配置的第二APK的签名值解密该加密字节流;The client sends the encrypted byte stream to the server, so that the server decrypts the encrypted byte stream by using the signature value of the pre-configured second APK;
    客户端接收当服务器解密出请求参数时,由服务器返回的用于标识第一APK为原始APK的信息;以及当服务器未解密出请求参数时,由服务器返回的用于标识第一APK为被篡改的APK的信息。The client receives information returned by the server for identifying the first APK as the original APK when the server decrypts the request parameter; and when the server does not decrypt the request parameter, the server returns the identifier for identifying the first APK to be tampered with APK information.
  17. 如权利要求16所述的安装包的校验方法,其中,所述加密字节流为*.so文件的形式。The verification method of an installation package according to claim 16, wherein said encrypted byte stream is in the form of a *.so file.
  18. 如权利要求16所述的安装包的校验方法,其中,客户端在C语言环境下获取第一APK的签名值。The verification method of the installation package according to claim 16, wherein the client acquires the signature value of the first APK in the C language environment.
  19. 如权利要求16所述的安装包的校验方法,其中,客户端判断第一APK的签名值与预先配置的第二APK的签名值相等时,客户端获取第一APK的dex文件的CRC值,客户端判断dex文件的CRC值与预配置的CRC值是否相等;其中,预配置的CRC值是用于参考的CRC值,即原始APK的dex文件的CRC值;当判断dex文件的CRC值与预配置的CRC值不相等时,则客户端返回用于标识第一APK为被篡改的APK的信息;当判断dex文件的CRC值与预配置的CRC值相等时,客户端利用第一APK的签名值对用来请求网络数据的请求参数进行第一加密处理,得到加密字节流。The method for verifying an installation package according to claim 16, wherein the client obtains the CRC value of the dex file of the first APK when the client determines that the signature value of the first APK is equal to the signature value of the pre-configured second APK. The client determines whether the CRC value of the dex file is equal to the pre-configured CRC value; wherein, the pre-configured CRC value is the CRC value used for reference, that is, the CRC value of the original APK dex file; when determining the CRC value of the dex file If the CRC value is not equal to the pre-configured CRC, the client returns information for identifying the first APK as the falsified APK; when determining that the CRC value of the dex file is equal to the pre-configured CRC value, the client utilizes the first APK. The signature value performs a first encryption process on the request parameter used to request the network data to obtain an encrypted byte stream.
  20. 如权利要求16-19之一所述的安装包的校验方法,其中,客户端利用第一APK的签名值对用来请求网络数据的请求参数进行第一加 密处理时,按预定算法先对第一APK的签名值进行加密处理;然后再根据加密后的第一APK的签名值用来请求网络数据的请求参数进行第一加密处理。The method for verifying an installation package according to any one of claims 16 to 19, wherein the client uses the signature value of the first APK to perform the first addition of the request parameter for requesting the network data. In the case of the secret processing, the signature value of the first APK is first encrypted according to a predetermined algorithm; and then the first encryption processing is performed by requesting the request parameter of the network data according to the encrypted signature value of the first APK.
  21. 如权利要求20所述的安装包的校验方法,其中,服务器利用预先配置的第二APK的签名值解密该加密字节流时,服务器利用预先配置的按预定算法加密后的第二APK的签名值,解密该加密字节流。The verification method of the installation package according to claim 20, wherein, when the server decrypts the encrypted byte stream by using the signature value of the pre-configured second APK, the server uses the pre-configured second APK encrypted by the predetermined algorithm. The signature value decrypts the encrypted byte stream.
  22. 一种客户端,其中,包括:A client that includes:
    第一获取单元,用于获取第一APK的签名值;a first acquiring unit, configured to acquire a signature value of the first APK;
    加密单元,用于利用所述第一APK的签名值对用来请求网络数据的请求参数进行第一加密处理,得到加密字节流;An encryption unit, configured to perform, by using a signature value of the first APK, a first encryption process on a request parameter used to request network data, to obtain an encrypted byte stream;
    第一发送单元,用于将所述加密字节流发送至服务器,以供服务器利用预先配置的第二APK的签名值解密所述加密字节流;其中,所述第二APK是原始APK;a first sending unit, configured to send the encrypted byte stream to a server, where the server decrypts the encrypted byte stream by using a signature value of a pre-configured second APK; wherein the second APK is an original APK;
    第一接收单元,用于接收当服务器未解密出所述请求参数时返回的用于标识所述第一APK为被篡改的APK的信息。And a first receiving unit, configured to receive, when the server does not decrypt the request parameter, information used to identify the first APK as a tampered APK.
  23. 如权利要求22所述的客户端,其中,所述加密字节流为*.so文件的形式。The client of claim 22 wherein said encrypted byte stream is in the form of a *.so file.
  24. 如权利要求22所述的客户端,其中,第一获取单元在C语言环境下获取第一APK的签名值。The client according to claim 22, wherein the first obtaining unit acquires the signature value of the first APK in a C language environment.
  25. 如权利要求22所述的客户端,其中,所述客户端还包括:The client of claim 22, wherein the client further comprises:
    第一比较单元,用于将所述第一APK的签名值与预先配置的第二APK的签名值进行比较;a first comparing unit, configured to compare a signature value of the first APK with a signature value of a pre-configured second APK;
    第一通知单元,用于当所述第一比较单元的比较结果为相等时,通知所述加密单元对用于请求网络数据的请求参数进行第一加密处理;当所述第一比较单元的比较结果为不相等时,返回用于标识所述第一APK为被篡改的APK的信息;其中,所述第二APK为原始APK。a first notification unit, configured to notify the encryption unit to perform a first encryption process on a request parameter for requesting network data when the comparison result of the first comparison unit is equal; when comparing the first comparison unit When the result is unequal, information indicating that the first APK is a tampered APK is returned; wherein the second APK is the original APK.
  26. 如权利要求22所述的客户端,其中,所述客户端还包括: The client of claim 22, wherein the client further comprises:
    第二获取单元,用于获取所述第一APK的dex文件的CRC值;a second acquiring unit, configured to acquire a CRC value of the dex file of the first APK;
    第二比较单元,用于将所述dex文件的CRC值与预配置的CRC值进行比较;a second comparing unit, configured to compare a CRC value of the dex file with a pre-configured CRC value;
    第二通知单元,用于当所述第二比较单元的比较结果为相等时,通知所述加密单元对用于请求网络数据的请求参数进行第一加密处理;当第二比较单元的比较结果为不相等时,返回用于标识所述第一APK为被篡改的APK的信息;其中,预配置的CRC值为原始APK的dex文件的CRC值。a second notification unit, configured to: when the comparison result of the second comparison unit is equal, notify the encryption unit to perform a first encryption process on a request parameter for requesting network data; and when the comparison result of the second comparison unit is When not equal, information indicating that the first APK is a tampered APK is returned; wherein the pre-configured CRC value is a CRC value of a dex file of the original APK.
  27. 如权利要求22所述的客户端,其中,所述客户端还包括:The client of claim 22, wherein the client further comprises:
    第三比较单元,用于将所述第一APK的签名值与预先配置的第二APK的签名值进行比较;a third comparing unit, configured to compare a signature value of the first APK with a signature value of a pre-configured second APK;
    第三获取单元,用于在所述第三比较单元的比较结果为相等时,获取所述第一APK的dex文件的CRC值;a third acquiring unit, configured to acquire a CRC value of the dex file of the first APK when the comparison result of the third comparing unit is equal;
    第四比较单元,用于将所述第三获取单元获取的dex文件的CRC值与预配置的CRC值进行比较;a fourth comparing unit, configured to compare a CRC value of the dex file acquired by the third acquiring unit with a pre-configured CRC value;
    第三通知单元,用于当所述第四比较单元的比较结果为相等时,通知所述加密单元对用于请求网络数据的请求参数进行第一加密处理;当第三比较单元或第四比较单元的比较结果为不相等时,返回用于标识所述第一APK为被篡改的APK的信息;其中,预配置的CRC值为原始APK的dex文件的CRC值。a third notification unit, configured to notify the encryption unit to perform a first encryption process on a request parameter for requesting network data when the comparison result of the fourth comparison unit is equal; when the third comparison unit or the fourth comparison When the comparison result of the units is unequal, the information for identifying the first APK as the falsified APK is returned; wherein the pre-configured CRC value is the CRC value of the dex file of the original APK.
  28. 一种服务器,其中,包括:A server, including:
    第二接收单元,用于接收客户端发送的加密字节流;其中,所述加密字节流是利用客户端获取的第一APK的签名值对用于请求网络数据的请求参数进行加密处理得到的;a second receiving unit, configured to receive an encrypted byte stream sent by the client, where the encrypted byte stream is obtained by encrypting a request parameter for requesting network data by using a signature value of the first APK acquired by the client of;
    解密单元,用于利用预先配置的第二APK的签名值,解密所述加密字节流;其中,所述第二APK是原始APK;a decrypting unit, configured to decrypt the encrypted byte stream by using a signature value of a pre-configured second APK; wherein the second APK is an original APK;
    第二发送单元,用于在所述解密单元未解密出所述请求参数时,则 向客户端返回用于标识所述第一APK为被篡改的APK的信息。a second sending unit, configured to: when the decryption unit does not decrypt the request parameter, Information for identifying the first APK as a tampered APK is returned to the client.
  29. 如权利要求28所述的服务器,其中,所述加密字节流为*.so文件的形式。The server of claim 28, wherein the encrypted byte stream is in the form of a *.so file.
  30. 如权利要求28所述的服务器,其中,客户端在C语言环境下获取第一APK的签名值。The server of claim 28, wherein the client obtains the signature value of the first APK in a C language environment.
  31. 一种安装包的校验系统,其中,包括:如权利要求22所述的客户端和权利要求28所述的服务器。 A verification system for an installation package, comprising: the client of claim 22 and the server of claim 28.
PCT/CN2015/084272 2014-08-04 2015-07-16 Verification method, client, server and system for installation package WO2016019790A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410379582.9 2014-08-04
CN201410379582.9A CN105320535B (en) 2014-08-04 2014-08-04 A kind of method of calibration of installation kit, client, server and system

Publications (1)

Publication Number Publication Date
WO2016019790A1 true WO2016019790A1 (en) 2016-02-11

Family

ID=55247961

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/084272 WO2016019790A1 (en) 2014-08-04 2015-07-16 Verification method, client, server and system for installation package

Country Status (2)

Country Link
CN (1) CN105320535B (en)
WO (1) WO2016019790A1 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110262834A (en) * 2019-06-25 2019-09-20 上海缤游网络科技有限公司 A kind of method and device producing installation kit
CN110278115A (en) * 2019-06-20 2019-09-24 京东方科技集团股份有限公司 Hot update method and device
CN110276173A (en) * 2019-06-18 2019-09-24 福州数据技术研究院有限公司 Dual system termi-nal with server prevents bis- packing operation methods of apk
CN112114824A (en) * 2020-09-07 2020-12-22 上海上讯信息技术股份有限公司 Linux-based software deployment method and equipment
CN114760078A (en) * 2022-06-15 2022-07-15 北京亿赛通科技发展有限责任公司 Method and system for preventing malicious tampering of page request parameters
CN115495716A (en) * 2022-08-15 2022-12-20 荣耀终端有限公司 Local authentication method and electronic equipment

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106778099A (en) * 2016-11-29 2017-05-31 北京奇虎科技有限公司 The generation method and device of anti-tamper APK, install and operation method and device
CN107046541B (en) * 2017-04-18 2023-02-03 深圳市法马新智能设备有限公司 Wireless transceiving encryption communication method and device thereof
CN108563953B (en) * 2018-03-26 2021-12-21 南京微可信信息技术有限公司 Safe and extensible trusted application development method
CN108923910B (en) * 2018-07-12 2021-06-25 南方电网科学研究院有限责任公司 Mobile application APK tamper-proofing method
CN113094660A (en) * 2021-04-02 2021-07-09 上海中通吉网络技术有限公司 Interface calling method, device and equipment and storage medium
CN112861191B (en) * 2021-04-23 2023-01-10 腾讯科技(深圳)有限公司 Application program monitoring method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050102669A1 (en) * 2003-10-15 2005-05-12 Siemens Medical Solutions Usa, Inc. Software installation file verification media and methods for medical equipment
CN101256607A (en) * 2008-03-10 2008-09-03 北京深思洛克数据保护中心 Method for remote updating and controlling use of software protection apparatus
CN103544046A (en) * 2013-10-25 2014-01-29 苏州通付盾信息技术有限公司 Mobile application software reinforcement method
CN103577206A (en) * 2012-07-27 2014-02-12 北京三星通信技术研究有限公司 Method and device for installing application software
CN103823751A (en) * 2013-12-13 2014-05-28 国家计算机网络与信息安全管理中心 Counterfeit application program monitoring method based on characteristic implantation

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102457574A (en) * 2011-10-21 2012-05-16 北京安天电子设备有限公司 Method and system for intelligent multi-address downloading of installation package
CN102982258B (en) * 2012-11-09 2016-03-16 北京深思数盾科技有限公司 A kind of system of mobile applications being carried out to master verification

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050102669A1 (en) * 2003-10-15 2005-05-12 Siemens Medical Solutions Usa, Inc. Software installation file verification media and methods for medical equipment
CN101256607A (en) * 2008-03-10 2008-09-03 北京深思洛克数据保护中心 Method for remote updating and controlling use of software protection apparatus
CN103577206A (en) * 2012-07-27 2014-02-12 北京三星通信技术研究有限公司 Method and device for installing application software
CN103544046A (en) * 2013-10-25 2014-01-29 苏州通付盾信息技术有限公司 Mobile application software reinforcement method
CN103823751A (en) * 2013-12-13 2014-05-28 国家计算机网络与信息安全管理中心 Counterfeit application program monitoring method based on characteristic implantation

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110276173A (en) * 2019-06-18 2019-09-24 福州数据技术研究院有限公司 Dual system termi-nal with server prevents bis- packing operation methods of apk
CN110278115A (en) * 2019-06-20 2019-09-24 京东方科技集团股份有限公司 Hot update method and device
CN110278115B (en) * 2019-06-20 2022-11-08 京东方科技集团股份有限公司 Hot update method and device
US11797296B2 (en) 2019-06-20 2023-10-24 Boe Technology Group Co., Ltd. Hot updating method of script file package and hot updating device of script file package
CN110262834A (en) * 2019-06-25 2019-09-20 上海缤游网络科技有限公司 A kind of method and device producing installation kit
CN112114824A (en) * 2020-09-07 2020-12-22 上海上讯信息技术股份有限公司 Linux-based software deployment method and equipment
CN112114824B (en) * 2020-09-07 2023-05-02 上海上讯信息技术股份有限公司 Linux-based software deployment method and device
CN114760078A (en) * 2022-06-15 2022-07-15 北京亿赛通科技发展有限责任公司 Method and system for preventing malicious tampering of page request parameters
CN114760078B (en) * 2022-06-15 2022-09-06 北京亿赛通科技发展有限责任公司 Method and system for preventing malicious tampering of page request parameters
CN115495716A (en) * 2022-08-15 2022-12-20 荣耀终端有限公司 Local authentication method and electronic equipment
CN115495716B (en) * 2022-08-15 2023-10-10 荣耀终端有限公司 Local authentication method and electronic equipment

Also Published As

Publication number Publication date
CN105320535B (en) 2019-02-15
CN105320535A (en) 2016-02-10

Similar Documents

Publication Publication Date Title
WO2016019790A1 (en) Verification method, client, server and system for installation package
US9281949B2 (en) Device using secure processing zone to establish trust for digital rights management
CN108140093B (en) Migrating secrets using a hardware root of trust for a device
US9521001B2 (en) Privacy preserving electronic document signature service
CN109194625B (en) Client application protection method and device based on cloud server and storage medium
CN114374559A (en) Platform attestation and registration for servers
CN111708991A (en) Service authorization method, service authorization device, computer equipment and storage medium
TW202109320A (en) Trusted execution environment-based application activation method and apparatus
WO2021114614A1 (en) Application program secure startup method and apparatus, computer device, and storage medium
US20180204004A1 (en) Authentication method and apparatus for reinforced software
JP6190404B2 (en) Receiving node, message receiving method and computer program
KR102137122B1 (en) Security check method, device, terminal and server
US9893882B1 (en) Apparatus, system, and method for detecting device tampering
US20150113272A1 (en) Method and apparatus for authenticating and managing application using trusted platform module
CN106055936A (en) Method and device for encryption/decryption of executable program data package
US20160330030A1 (en) User Terminal For Detecting Forgery Of Application Program Based On Hash Value And Method Of Detecting Forgery Of Application Program Using The Same
JP6387908B2 (en) Authentication system
WO2017066995A1 (en) Method and device for preventing unauthorized access to server
KR20170089352A (en) Firmware integrity verification for performing the virtualization system
US20210111892A1 (en) Scalabe attestation for trusted execution environments
CN111479265B (en) Information dissemination method and device, computer equipment and storage medium
US8745375B2 (en) Handling of the usage of software in a disconnected computing environment
CN111241492A (en) Product multi-tenant secure credit granting method, system and electronic equipment
CN114499879A (en) Method, system, equipment and storage medium for transmitting trusted message of internet of things based on block chain technology
KR101711024B1 (en) Method for accessing temper-proof device and apparatus enabling of the method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15829480

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15829480

Country of ref document: EP

Kind code of ref document: A1